1 /*
2 * TLS shared functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * http://www.ietf.org/rfc/rfc2246.txt
9 * http://www.ietf.org/rfc/rfc4346.txt
10 */
11
12 #include "common.h"
13
14 #if defined(MBEDTLS_SSL_TLS_C)
15
16 #include "mbedtls/platform.h"
17
18 #include "mbedtls/ssl.h"
19 #include "ssl_client.h"
20 #include "ssl_debug_helpers.h"
21 #include "ssl_misc.h"
22
23 #include "mbedtls/debug.h"
24 #include "mbedtls/error.h"
25 #include "mbedtls/platform_util.h"
26 #include "mbedtls/version.h"
27 #include "mbedtls/constant_time.h"
28
29 #include <string.h>
30
31 #if defined(MBEDTLS_USE_PSA_CRYPTO)
32 #include "md_psa.h"
33 #include "psa_util_internal.h"
34 #include "psa/crypto.h"
35 #endif
36
37 #if defined(MBEDTLS_X509_CRT_PARSE_C)
38 #include "mbedtls/oid.h"
39 #endif
40
41 #if defined(MBEDTLS_USE_PSA_CRYPTO)
42 /* Define local translating functions to save code size by not using too many
43 * arguments in each translating place. */
local_err_translation(psa_status_t status)44 static int local_err_translation(psa_status_t status)
45 {
46 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
47 ARRAY_LENGTH(psa_to_ssl_errors),
48 psa_generic_status_to_mbedtls);
49 }
50 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
51 #endif
52
53 #if defined(MBEDTLS_TEST_HOOKS)
54 static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
55
mbedtls_ssl_set_chk_buf_ptr_fail_args(const uint8_t * cur,const uint8_t * end,size_t need)56 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
57 const uint8_t *cur, const uint8_t *end, size_t need)
58 {
59 chk_buf_ptr_fail_args.cur = cur;
60 chk_buf_ptr_fail_args.end = end;
61 chk_buf_ptr_fail_args.need = need;
62 }
63
mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)64 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
65 {
66 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
67 }
68
mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args * args)69 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
70 {
71 return (chk_buf_ptr_fail_args.cur != args->cur) ||
72 (chk_buf_ptr_fail_args.end != args->end) ||
73 (chk_buf_ptr_fail_args.need != args->need);
74 }
75 #endif /* MBEDTLS_TEST_HOOKS */
76
77 #if defined(MBEDTLS_SSL_PROTO_DTLS)
78
79 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
80 /* Top-level Connection ID API */
81
mbedtls_ssl_conf_cid(mbedtls_ssl_config * conf,size_t len,int ignore_other_cid)82 int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
83 size_t len,
84 int ignore_other_cid)
85 {
86 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
87 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
88 }
89
90 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
91 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
92 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
93 }
94
95 conf->ignore_unexpected_cid = ignore_other_cid;
96 conf->cid_len = len;
97 return 0;
98 }
99
mbedtls_ssl_set_cid(mbedtls_ssl_context * ssl,int enable,unsigned char const * own_cid,size_t own_cid_len)100 int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
101 int enable,
102 unsigned char const *own_cid,
103 size_t own_cid_len)
104 {
105 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
106 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
107 }
108
109 ssl->negotiate_cid = enable;
110 if (enable == MBEDTLS_SSL_CID_DISABLED) {
111 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
112 return 0;
113 }
114 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
115 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
116
117 if (own_cid_len != ssl->conf->cid_len) {
118 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
119 (unsigned) own_cid_len,
120 (unsigned) ssl->conf->cid_len));
121 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
122 }
123
124 memcpy(ssl->own_cid, own_cid, own_cid_len);
125 /* Truncation is not an issue here because
126 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
127 ssl->own_cid_len = (uint8_t) own_cid_len;
128
129 return 0;
130 }
131
mbedtls_ssl_get_own_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],size_t * own_cid_len)132 int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
133 int *enabled,
134 unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
135 size_t *own_cid_len)
136 {
137 *enabled = MBEDTLS_SSL_CID_DISABLED;
138
139 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
140 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
141 }
142
143 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
144 * zero as this is indistinguishable from not requesting to use
145 * the CID extension. */
146 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
147 return 0;
148 }
149
150 if (own_cid_len != NULL) {
151 *own_cid_len = ssl->own_cid_len;
152 if (own_cid != NULL) {
153 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
154 }
155 }
156
157 *enabled = MBEDTLS_SSL_CID_ENABLED;
158
159 return 0;
160 }
161
mbedtls_ssl_get_peer_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],size_t * peer_cid_len)162 int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
163 int *enabled,
164 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
165 size_t *peer_cid_len)
166 {
167 *enabled = MBEDTLS_SSL_CID_DISABLED;
168
169 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
170 mbedtls_ssl_is_handshake_over(ssl) == 0) {
171 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
172 }
173
174 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
175 * were used, but client and server requested the empty CID.
176 * This is indistinguishable from not using the CID extension
177 * in the first place. */
178 if (ssl->transform_in->in_cid_len == 0 &&
179 ssl->transform_in->out_cid_len == 0) {
180 return 0;
181 }
182
183 if (peer_cid_len != NULL) {
184 *peer_cid_len = ssl->transform_in->out_cid_len;
185 if (peer_cid != NULL) {
186 memcpy(peer_cid, ssl->transform_in->out_cid,
187 ssl->transform_in->out_cid_len);
188 }
189 }
190
191 *enabled = MBEDTLS_SSL_CID_ENABLED;
192
193 return 0;
194 }
195 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
196
197 #endif /* MBEDTLS_SSL_PROTO_DTLS */
198
199 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
200 /*
201 * Convert max_fragment_length codes to length.
202 * RFC 6066 says:
203 * enum{
204 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
205 * } MaxFragmentLength;
206 * and we add 0 -> extension unused
207 */
ssl_mfl_code_to_length(int mfl)208 static unsigned int ssl_mfl_code_to_length(int mfl)
209 {
210 switch (mfl) {
211 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
212 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
213 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
214 return 512;
215 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
216 return 1024;
217 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
218 return 2048;
219 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
220 return 4096;
221 default:
222 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
223 }
224 }
225 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
226
mbedtls_ssl_session_copy(mbedtls_ssl_session * dst,const mbedtls_ssl_session * src)227 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
228 const mbedtls_ssl_session *src)
229 {
230 mbedtls_ssl_session_free(dst);
231 memcpy(dst, src, sizeof(mbedtls_ssl_session));
232 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
233 dst->ticket = NULL;
234 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
235 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
236 dst->hostname = NULL;
237 #endif
238 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
239
240 #if defined(MBEDTLS_X509_CRT_PARSE_C)
241
242 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
243 if (src->peer_cert != NULL) {
244 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
245
246 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
247 if (dst->peer_cert == NULL) {
248 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
249 }
250
251 mbedtls_x509_crt_init(dst->peer_cert);
252
253 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
254 src->peer_cert->raw.len)) != 0) {
255 mbedtls_free(dst->peer_cert);
256 dst->peer_cert = NULL;
257 return ret;
258 }
259 }
260 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
261 if (src->peer_cert_digest != NULL) {
262 dst->peer_cert_digest =
263 mbedtls_calloc(1, src->peer_cert_digest_len);
264 if (dst->peer_cert_digest == NULL) {
265 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
266 }
267
268 memcpy(dst->peer_cert_digest, src->peer_cert_digest,
269 src->peer_cert_digest_len);
270 dst->peer_cert_digest_type = src->peer_cert_digest_type;
271 dst->peer_cert_digest_len = src->peer_cert_digest_len;
272 }
273 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
274
275 #endif /* MBEDTLS_X509_CRT_PARSE_C */
276
277 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
278 if (src->ticket != NULL) {
279 dst->ticket = mbedtls_calloc(1, src->ticket_len);
280 if (dst->ticket == NULL) {
281 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
282 }
283
284 memcpy(dst->ticket, src->ticket, src->ticket_len);
285 }
286
287 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
288 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
289 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
290 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
291 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
292 if (ret != 0) {
293 return ret;
294 }
295 }
296 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
297 MBEDTLS_SSL_SERVER_NAME_INDICATION */
298 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
299
300 return 0;
301 }
302
303 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
304 MBEDTLS_CHECK_RETURN_CRITICAL
resize_buffer(unsigned char ** buffer,size_t len_new,size_t * len_old)305 static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
306 {
307 unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
308 if (resized_buffer == NULL) {
309 return -1;
310 }
311
312 /* We want to copy len_new bytes when downsizing the buffer, and
313 * len_old bytes when upsizing, so we choose the smaller of two sizes,
314 * to fit one buffer into another. Size checks, ensuring that no data is
315 * lost, are done outside of this function. */
316 memcpy(resized_buffer, *buffer,
317 (len_new < *len_old) ? len_new : *len_old);
318 mbedtls_zeroize_and_free(*buffer, *len_old);
319
320 *buffer = resized_buffer;
321 *len_old = len_new;
322
323 return 0;
324 }
325
handle_buffer_resizing(mbedtls_ssl_context * ssl,int downsizing,size_t in_buf_new_len,size_t out_buf_new_len)326 static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
327 size_t in_buf_new_len,
328 size_t out_buf_new_len)
329 {
330 int modified = 0;
331 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
332 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
333 if (ssl->in_buf != NULL) {
334 written_in = ssl->in_msg - ssl->in_buf;
335 iv_offset_in = ssl->in_iv - ssl->in_buf;
336 len_offset_in = ssl->in_len - ssl->in_buf;
337 if (downsizing ?
338 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
339 ssl->in_buf_len < in_buf_new_len) {
340 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
341 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
342 } else {
343 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
344 in_buf_new_len));
345 modified = 1;
346 }
347 }
348 }
349
350 if (ssl->out_buf != NULL) {
351 written_out = ssl->out_msg - ssl->out_buf;
352 iv_offset_out = ssl->out_iv - ssl->out_buf;
353 len_offset_out = ssl->out_len - ssl->out_buf;
354 if (downsizing ?
355 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
356 ssl->out_buf_len < out_buf_new_len) {
357 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
358 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
359 } else {
360 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
361 out_buf_new_len));
362 modified = 1;
363 }
364 }
365 }
366 if (modified) {
367 /* Update pointers here to avoid doing it twice. */
368 mbedtls_ssl_reset_in_out_pointers(ssl);
369 /* Fields below might not be properly updated with record
370 * splitting or with CID, so they are manually updated here. */
371 ssl->out_msg = ssl->out_buf + written_out;
372 ssl->out_len = ssl->out_buf + len_offset_out;
373 ssl->out_iv = ssl->out_buf + iv_offset_out;
374
375 ssl->in_msg = ssl->in_buf + written_in;
376 ssl->in_len = ssl->in_buf + len_offset_in;
377 ssl->in_iv = ssl->in_buf + iv_offset_in;
378 }
379 }
380 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
381
382 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
383
384 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
385 typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
386 const char *label,
387 const unsigned char *random, size_t rlen,
388 unsigned char *dstbuf, size_t dlen);
389
390 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
391
392 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
393
394 /* Type for the TLS PRF */
395 typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
396 const unsigned char *, size_t,
397 unsigned char *, size_t);
398
399 MBEDTLS_CHECK_RETURN_CRITICAL
400 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
401 int ciphersuite,
402 const unsigned char master[48],
403 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
404 int encrypt_then_mac,
405 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
406 ssl_tls_prf_t tls_prf,
407 const unsigned char randbytes[64],
408 mbedtls_ssl_protocol_version tls_version,
409 unsigned endpoint,
410 const mbedtls_ssl_context *ssl);
411
412 #if defined(MBEDTLS_MD_CAN_SHA256)
413 MBEDTLS_CHECK_RETURN_CRITICAL
414 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
415 const char *label,
416 const unsigned char *random, size_t rlen,
417 unsigned char *dstbuf, size_t dlen);
418 static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
419 static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
420
421 #endif /* MBEDTLS_MD_CAN_SHA256*/
422
423 #if defined(MBEDTLS_MD_CAN_SHA384)
424 MBEDTLS_CHECK_RETURN_CRITICAL
425 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
426 const char *label,
427 const unsigned char *random, size_t rlen,
428 unsigned char *dstbuf, size_t dlen);
429
430 static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
431 static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
432 #endif /* MBEDTLS_MD_CAN_SHA384*/
433
434 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
435 unsigned char *buf,
436 size_t buf_len);
437
438 MBEDTLS_CHECK_RETURN_CRITICAL
439 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
440 const unsigned char *buf,
441 size_t len);
442 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
443
444 static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
445
446 #if defined(MBEDTLS_MD_CAN_SHA256)
447 static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
448 #endif /* MBEDTLS_MD_CAN_SHA256*/
449
450 #if defined(MBEDTLS_MD_CAN_SHA384)
451 static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
452 #endif /* MBEDTLS_MD_CAN_SHA384*/
453
mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)454 int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
455 const unsigned char *secret, size_t slen,
456 const char *label,
457 const unsigned char *random, size_t rlen,
458 unsigned char *dstbuf, size_t dlen)
459 {
460 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
461
462 switch (prf) {
463 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
464 #if defined(MBEDTLS_MD_CAN_SHA384)
465 case MBEDTLS_SSL_TLS_PRF_SHA384:
466 tls_prf = tls_prf_sha384;
467 break;
468 #endif /* MBEDTLS_MD_CAN_SHA384*/
469 #if defined(MBEDTLS_MD_CAN_SHA256)
470 case MBEDTLS_SSL_TLS_PRF_SHA256:
471 tls_prf = tls_prf_sha256;
472 break;
473 #endif /* MBEDTLS_MD_CAN_SHA256*/
474 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
475 default:
476 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
477 }
478
479 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
480 }
481
482 #if defined(MBEDTLS_X509_CRT_PARSE_C)
ssl_clear_peer_cert(mbedtls_ssl_session * session)483 static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
484 {
485 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
486 if (session->peer_cert != NULL) {
487 mbedtls_x509_crt_free(session->peer_cert);
488 mbedtls_free(session->peer_cert);
489 session->peer_cert = NULL;
490 }
491 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
492 if (session->peer_cert_digest != NULL) {
493 /* Zeroization is not necessary. */
494 mbedtls_free(session->peer_cert_digest);
495 session->peer_cert_digest = NULL;
496 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
497 session->peer_cert_digest_len = 0;
498 }
499 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
500 }
501 #endif /* MBEDTLS_X509_CRT_PARSE_C */
502
mbedtls_ssl_get_extension_id(unsigned int extension_type)503 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
504 {
505 switch (extension_type) {
506 case MBEDTLS_TLS_EXT_SERVERNAME:
507 return MBEDTLS_SSL_EXT_ID_SERVERNAME;
508
509 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
510 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH;
511
512 case MBEDTLS_TLS_EXT_STATUS_REQUEST:
513 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST;
514
515 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
516 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS;
517
518 case MBEDTLS_TLS_EXT_SIG_ALG:
519 return MBEDTLS_SSL_EXT_ID_SIG_ALG;
520
521 case MBEDTLS_TLS_EXT_USE_SRTP:
522 return MBEDTLS_SSL_EXT_ID_USE_SRTP;
523
524 case MBEDTLS_TLS_EXT_HEARTBEAT:
525 return MBEDTLS_SSL_EXT_ID_HEARTBEAT;
526
527 case MBEDTLS_TLS_EXT_ALPN:
528 return MBEDTLS_SSL_EXT_ID_ALPN;
529
530 case MBEDTLS_TLS_EXT_SCT:
531 return MBEDTLS_SSL_EXT_ID_SCT;
532
533 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
534 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE;
535
536 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
537 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE;
538
539 case MBEDTLS_TLS_EXT_PADDING:
540 return MBEDTLS_SSL_EXT_ID_PADDING;
541
542 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
543 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY;
544
545 case MBEDTLS_TLS_EXT_EARLY_DATA:
546 return MBEDTLS_SSL_EXT_ID_EARLY_DATA;
547
548 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
549 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS;
550
551 case MBEDTLS_TLS_EXT_COOKIE:
552 return MBEDTLS_SSL_EXT_ID_COOKIE;
553
554 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
555 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES;
556
557 case MBEDTLS_TLS_EXT_CERT_AUTH:
558 return MBEDTLS_SSL_EXT_ID_CERT_AUTH;
559
560 case MBEDTLS_TLS_EXT_OID_FILTERS:
561 return MBEDTLS_SSL_EXT_ID_OID_FILTERS;
562
563 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
564 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH;
565
566 case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
567 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT;
568
569 case MBEDTLS_TLS_EXT_KEY_SHARE:
570 return MBEDTLS_SSL_EXT_ID_KEY_SHARE;
571
572 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
573 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC;
574
575 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
576 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS;
577
578 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
579 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC;
580
581 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
582 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET;
583
584 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
585 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT;
586
587 case MBEDTLS_TLS_EXT_SESSION_TICKET:
588 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET;
589
590 }
591
592 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
593 }
594
mbedtls_ssl_get_extension_mask(unsigned int extension_type)595 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
596 {
597 return 1 << mbedtls_ssl_get_extension_id(extension_type);
598 }
599
600 #if defined(MBEDTLS_DEBUG_C)
601 static const char *extension_name_table[] = {
602 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
603 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
604 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
605 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
606 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
607 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
608 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
609 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
610 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
611 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
612 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
613 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
614 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
615 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
616 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
617 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
618 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
619 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
620 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
621 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
622 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
623 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
624 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
625 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
626 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
627 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
628 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
629 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
630 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
631 };
632
633 static unsigned int extension_type_table[] = {
634 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
635 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
636 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
637 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
638 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
639 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
640 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
641 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
642 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
643 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
644 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
645 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
646 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
647 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
648 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
649 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
650 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
651 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
652 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
653 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
654 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
655 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
656 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
657 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
658 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
659 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
660 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
661 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
662 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
663 };
664
mbedtls_ssl_get_extension_name(unsigned int extension_type)665 const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
666 {
667 return extension_name_table[
668 mbedtls_ssl_get_extension_id(extension_type)];
669 }
670
ssl_tls13_get_hs_msg_name(int hs_msg_type)671 static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
672 {
673 switch (hs_msg_type) {
674 case MBEDTLS_SSL_HS_CLIENT_HELLO:
675 return "ClientHello";
676 case MBEDTLS_SSL_HS_SERVER_HELLO:
677 return "ServerHello";
678 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
679 return "HelloRetryRequest";
680 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
681 return "NewSessionTicket";
682 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
683 return "EncryptedExtensions";
684 case MBEDTLS_SSL_HS_CERTIFICATE:
685 return "Certificate";
686 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
687 return "CertificateRequest";
688 }
689 return "Unknown";
690 }
691
mbedtls_ssl_print_extension(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,unsigned int extension_type,const char * extra_msg0,const char * extra_msg1)692 void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
693 int level, const char *file, int line,
694 int hs_msg_type, unsigned int extension_type,
695 const char *extra_msg0, const char *extra_msg1)
696 {
697 const char *extra_msg;
698 if (extra_msg0 && extra_msg1) {
699 mbedtls_debug_print_msg(
700 ssl, level, file, line,
701 "%s: %s(%u) extension %s %s.",
702 ssl_tls13_get_hs_msg_name(hs_msg_type),
703 mbedtls_ssl_get_extension_name(extension_type),
704 extension_type,
705 extra_msg0, extra_msg1);
706 return;
707 }
708
709 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
710 if (extra_msg) {
711 mbedtls_debug_print_msg(
712 ssl, level, file, line,
713 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
714 mbedtls_ssl_get_extension_name(extension_type), extension_type,
715 extra_msg);
716 return;
717 }
718
719 mbedtls_debug_print_msg(
720 ssl, level, file, line,
721 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
722 mbedtls_ssl_get_extension_name(extension_type), extension_type);
723 }
724
mbedtls_ssl_print_extensions(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,uint32_t extensions_mask,const char * extra)725 void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
726 int level, const char *file, int line,
727 int hs_msg_type, uint32_t extensions_mask,
728 const char *extra)
729 {
730
731 for (unsigned i = 0;
732 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
733 i++) {
734 mbedtls_ssl_print_extension(
735 ssl, level, file, line, hs_msg_type, extension_type_table[i],
736 extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
737 }
738 }
739
740 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
741 static const char *ticket_flag_name_table[] =
742 {
743 [0] = "ALLOW_PSK_RESUMPTION",
744 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
745 [3] = "ALLOW_EARLY_DATA",
746 };
747
mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context * ssl,int level,const char * file,int line,unsigned int flags)748 void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
749 int level, const char *file, int line,
750 unsigned int flags)
751 {
752 size_t i;
753
754 mbedtls_debug_print_msg(ssl, level, file, line,
755 "print ticket_flags (0x%02x)", flags);
756
757 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
758
759 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
760 if ((flags & (1 << i))) {
761 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
762 ticket_flag_name_table[i]);
763 }
764 }
765 }
766 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
767
768 #endif /* MBEDTLS_DEBUG_C */
769
mbedtls_ssl_optimize_checksum(mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * ciphersuite_info)770 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
771 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
772 {
773 ((void) ciphersuite_info);
774
775 #if defined(MBEDTLS_MD_CAN_SHA384)
776 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
777 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
778 } else
779 #endif
780 #if defined(MBEDTLS_MD_CAN_SHA256)
781 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
782 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
783 } else
784 #endif
785 {
786 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
787 return;
788 }
789 }
790
mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,size_t total_hs_len)791 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
792 unsigned hs_type,
793 size_t total_hs_len)
794 {
795 unsigned char hs_hdr[4];
796
797 /* Build HS header for checksum update. */
798 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
799 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
800 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
801 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
802
803 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
804 }
805
mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,unsigned char const * msg,size_t msg_len)806 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
807 unsigned hs_type,
808 unsigned char const *msg,
809 size_t msg_len)
810 {
811 int ret;
812 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
813 if (ret != 0) {
814 return ret;
815 }
816 return ssl->handshake->update_checksum(ssl, msg, msg_len);
817 }
818
mbedtls_ssl_reset_checksum(mbedtls_ssl_context * ssl)819 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
820 {
821 #if defined(MBEDTLS_MD_CAN_SHA256) || \
822 defined(MBEDTLS_MD_CAN_SHA384)
823 #if defined(MBEDTLS_USE_PSA_CRYPTO)
824 psa_status_t status;
825 #else
826 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
827 #endif
828 #else /* SHA-256 or SHA-384 */
829 ((void) ssl);
830 #endif /* SHA-256 or SHA-384 */
831 #if defined(MBEDTLS_MD_CAN_SHA256)
832 #if defined(MBEDTLS_USE_PSA_CRYPTO)
833 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
834 if (status != PSA_SUCCESS) {
835 return mbedtls_md_error_from_psa(status);
836 }
837 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
838 if (status != PSA_SUCCESS) {
839 return mbedtls_md_error_from_psa(status);
840 }
841 #else
842 mbedtls_md_free(&ssl->handshake->fin_sha256);
843 mbedtls_md_init(&ssl->handshake->fin_sha256);
844 ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
845 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
846 0);
847 if (ret != 0) {
848 return ret;
849 }
850 ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
851 if (ret != 0) {
852 return ret;
853 }
854 #endif
855 #endif
856 #if defined(MBEDTLS_MD_CAN_SHA384)
857 #if defined(MBEDTLS_USE_PSA_CRYPTO)
858 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
859 if (status != PSA_SUCCESS) {
860 return mbedtls_md_error_from_psa(status);
861 }
862 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
863 if (status != PSA_SUCCESS) {
864 return mbedtls_md_error_from_psa(status);
865 }
866 #else
867 mbedtls_md_free(&ssl->handshake->fin_sha384);
868 mbedtls_md_init(&ssl->handshake->fin_sha384);
869 ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
870 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
871 if (ret != 0) {
872 return ret;
873 }
874 ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
875 if (ret != 0) {
876 return ret;
877 }
878 #endif
879 #endif
880 return 0;
881 }
882
ssl_update_checksum_start(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)883 static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
884 const unsigned char *buf, size_t len)
885 {
886 #if defined(MBEDTLS_MD_CAN_SHA256) || \
887 defined(MBEDTLS_MD_CAN_SHA384)
888 #if defined(MBEDTLS_USE_PSA_CRYPTO)
889 psa_status_t status;
890 #else
891 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
892 #endif
893 #else /* SHA-256 or SHA-384 */
894 ((void) ssl);
895 (void) buf;
896 (void) len;
897 #endif /* SHA-256 or SHA-384 */
898 #if defined(MBEDTLS_MD_CAN_SHA256)
899 #if defined(MBEDTLS_USE_PSA_CRYPTO)
900 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
901 if (status != PSA_SUCCESS) {
902 return mbedtls_md_error_from_psa(status);
903 }
904 #else
905 ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
906 if (ret != 0) {
907 return ret;
908 }
909 #endif
910 #endif
911 #if defined(MBEDTLS_MD_CAN_SHA384)
912 #if defined(MBEDTLS_USE_PSA_CRYPTO)
913 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
914 if (status != PSA_SUCCESS) {
915 return mbedtls_md_error_from_psa(status);
916 }
917 #else
918 ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
919 if (ret != 0) {
920 return ret;
921 }
922 #endif
923 #endif
924 return 0;
925 }
926
927 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_update_checksum_sha256(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)928 static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
929 const unsigned char *buf, size_t len)
930 {
931 #if defined(MBEDTLS_USE_PSA_CRYPTO)
932 return mbedtls_md_error_from_psa(psa_hash_update(
933 &ssl->handshake->fin_sha256_psa, buf, len));
934 #else
935 return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
936 #endif
937 }
938 #endif
939
940 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_update_checksum_sha384(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)941 static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
942 const unsigned char *buf, size_t len)
943 {
944 #if defined(MBEDTLS_USE_PSA_CRYPTO)
945 return mbedtls_md_error_from_psa(psa_hash_update(
946 &ssl->handshake->fin_sha384_psa, buf, len));
947 #else
948 return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
949 #endif
950 }
951 #endif
952
ssl_handshake_params_init(mbedtls_ssl_handshake_params * handshake)953 static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
954 {
955 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
956
957 #if defined(MBEDTLS_MD_CAN_SHA256)
958 #if defined(MBEDTLS_USE_PSA_CRYPTO)
959 handshake->fin_sha256_psa = psa_hash_operation_init();
960 #else
961 mbedtls_md_init(&handshake->fin_sha256);
962 #endif
963 #endif
964 #if defined(MBEDTLS_MD_CAN_SHA384)
965 #if defined(MBEDTLS_USE_PSA_CRYPTO)
966 handshake->fin_sha384_psa = psa_hash_operation_init();
967 #else
968 mbedtls_md_init(&handshake->fin_sha384);
969 #endif
970 #endif
971
972 handshake->update_checksum = ssl_update_checksum_start;
973
974 #if defined(MBEDTLS_DHM_C)
975 mbedtls_dhm_init(&handshake->dhm_ctx);
976 #endif
977 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
978 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
979 mbedtls_ecdh_init(&handshake->ecdh_ctx);
980 #endif
981 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
982 #if defined(MBEDTLS_USE_PSA_CRYPTO)
983 handshake->psa_pake_ctx = psa_pake_operation_init();
984 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
985 #else
986 mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
987 #endif /* MBEDTLS_USE_PSA_CRYPTO */
988 #if defined(MBEDTLS_SSL_CLI_C)
989 handshake->ecjpake_cache = NULL;
990 handshake->ecjpake_cache_len = 0;
991 #endif
992 #endif
993
994 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
995 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
996 #endif
997
998 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
999 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
1000 #endif
1001
1002 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1003 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1004 mbedtls_pk_init(&handshake->peer_pubkey);
1005 #endif
1006 }
1007
mbedtls_ssl_transform_init(mbedtls_ssl_transform * transform)1008 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
1009 {
1010 memset(transform, 0, sizeof(mbedtls_ssl_transform));
1011
1012 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1013 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
1014 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
1015 #else
1016 mbedtls_cipher_init(&transform->cipher_ctx_enc);
1017 mbedtls_cipher_init(&transform->cipher_ctx_dec);
1018 #endif
1019
1020 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1021 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1022 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
1023 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
1024 #else
1025 mbedtls_md_init(&transform->md_ctx_enc);
1026 mbedtls_md_init(&transform->md_ctx_dec);
1027 #endif
1028 #endif
1029 }
1030
mbedtls_ssl_session_init(mbedtls_ssl_session * session)1031 void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
1032 {
1033 memset(session, 0, sizeof(mbedtls_ssl_session));
1034 }
1035
1036 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_handshake_init(mbedtls_ssl_context * ssl)1037 static int ssl_handshake_init(mbedtls_ssl_context *ssl)
1038 {
1039 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1040
1041 /* Clear old handshake information if present */
1042 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1043 if (ssl->transform_negotiate) {
1044 mbedtls_ssl_transform_free(ssl->transform_negotiate);
1045 }
1046 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1047 if (ssl->session_negotiate) {
1048 mbedtls_ssl_session_free(ssl->session_negotiate);
1049 }
1050 if (ssl->handshake) {
1051 mbedtls_ssl_handshake_free(ssl);
1052 }
1053
1054 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1055 /*
1056 * Either the pointers are now NULL or cleared properly and can be freed.
1057 * Now allocate missing structures.
1058 */
1059 if (ssl->transform_negotiate == NULL) {
1060 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
1061 }
1062 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1063
1064 if (ssl->session_negotiate == NULL) {
1065 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
1066 }
1067
1068 if (ssl->handshake == NULL) {
1069 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
1070 }
1071 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1072 /* If the buffers are too small - reallocate */
1073
1074 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
1075 MBEDTLS_SSL_OUT_BUFFER_LEN);
1076 #endif
1077
1078 /* All pointers should exist and can be directly freed without issue */
1079 if (ssl->handshake == NULL ||
1080 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1081 ssl->transform_negotiate == NULL ||
1082 #endif
1083 ssl->session_negotiate == NULL) {
1084 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
1085
1086 mbedtls_free(ssl->handshake);
1087 ssl->handshake = NULL;
1088
1089 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1090 mbedtls_free(ssl->transform_negotiate);
1091 ssl->transform_negotiate = NULL;
1092 #endif
1093
1094 mbedtls_free(ssl->session_negotiate);
1095 ssl->session_negotiate = NULL;
1096
1097 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1098 }
1099
1100 /* Initialize structures */
1101 mbedtls_ssl_session_init(ssl->session_negotiate);
1102 ssl_handshake_params_init(ssl->handshake);
1103
1104 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1105 mbedtls_ssl_transform_init(ssl->transform_negotiate);
1106 #endif
1107
1108 /* Setup handshake checksums */
1109 ret = mbedtls_ssl_reset_checksum(ssl);
1110 if (ret != 0) {
1111 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1112 return ret;
1113 }
1114
1115 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
1116 defined(MBEDTLS_SSL_SRV_C) && \
1117 defined(MBEDTLS_SSL_SESSION_TICKETS)
1118 ssl->handshake->new_session_tickets_count =
1119 ssl->conf->new_session_tickets_count;
1120 #endif
1121
1122 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1123 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1124 ssl->handshake->alt_transform_out = ssl->transform_out;
1125
1126 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
1127 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
1128 } else {
1129 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
1130 }
1131
1132 mbedtls_ssl_set_timer(ssl, 0);
1133 }
1134 #endif
1135
1136 /*
1137 * curve_list is translated to IANA TLS group identifiers here because
1138 * mbedtls_ssl_conf_curves returns void and so can't return
1139 * any error codes.
1140 */
1141 #if defined(MBEDTLS_ECP_C)
1142 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1143 /* Heap allocate and translate curve_list from internal to IANA group ids */
1144 if (ssl->conf->curve_list != NULL) {
1145 size_t length;
1146 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
1147
1148 for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
1149 }
1150
1151 /* Leave room for zero termination */
1152 uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t));
1153 if (group_list == NULL) {
1154 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1155 }
1156
1157 for (size_t i = 0; i < length; i++) {
1158 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
1159 curve_list[i]);
1160 if (tls_id == 0) {
1161 mbedtls_free(group_list);
1162 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1163 }
1164 group_list[i] = tls_id;
1165 }
1166
1167 group_list[length] = 0;
1168
1169 ssl->handshake->group_list = group_list;
1170 ssl->handshake->group_list_heap_allocated = 1;
1171 } else {
1172 ssl->handshake->group_list = ssl->conf->group_list;
1173 ssl->handshake->group_list_heap_allocated = 0;
1174 }
1175 #endif /* MBEDTLS_DEPRECATED_REMOVED */
1176 #endif /* MBEDTLS_ECP_C */
1177
1178 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1179 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1180 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1181 /* Heap allocate and translate sig_hashes from internal hash identifiers to
1182 signature algorithms IANA identifiers. */
1183 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
1184 ssl->conf->sig_hashes != NULL) {
1185 const int *md;
1186 const int *sig_hashes = ssl->conf->sig_hashes;
1187 size_t sig_algs_len = 0;
1188 uint16_t *p;
1189
1190 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN
1191 <= (SIZE_MAX - (2 * sizeof(uint16_t))),
1192 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");
1193
1194 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1195 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
1196 continue;
1197 }
1198 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1199 sig_algs_len += sizeof(uint16_t);
1200 #endif
1201
1202 #if defined(MBEDTLS_RSA_C)
1203 sig_algs_len += sizeof(uint16_t);
1204 #endif
1205 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
1206 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1207 }
1208 }
1209
1210 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
1211 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1212 }
1213
1214 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
1215 sizeof(uint16_t));
1216 if (ssl->handshake->sig_algs == NULL) {
1217 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1218 }
1219
1220 p = (uint16_t *) ssl->handshake->sig_algs;
1221 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1222 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
1223 if (hash == MBEDTLS_SSL_HASH_NONE) {
1224 continue;
1225 }
1226 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1227 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
1228 p++;
1229 #endif
1230 #if defined(MBEDTLS_RSA_C)
1231 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
1232 p++;
1233 #endif
1234 }
1235 *p = MBEDTLS_TLS_SIG_NONE;
1236 ssl->handshake->sig_algs_heap_allocated = 1;
1237 } else
1238 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1239 {
1240 ssl->handshake->sig_algs_heap_allocated = 0;
1241 }
1242 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1243 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
1244 return 0;
1245 }
1246
1247 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1248 /* Dummy cookie callbacks for defaults */
1249 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_write_dummy(void * ctx,unsigned char ** p,unsigned char * end,const unsigned char * cli_id,size_t cli_id_len)1250 static int ssl_cookie_write_dummy(void *ctx,
1251 unsigned char **p, unsigned char *end,
1252 const unsigned char *cli_id, size_t cli_id_len)
1253 {
1254 ((void) ctx);
1255 ((void) p);
1256 ((void) end);
1257 ((void) cli_id);
1258 ((void) cli_id_len);
1259
1260 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1261 }
1262
1263 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_check_dummy(void * ctx,const unsigned char * cookie,size_t cookie_len,const unsigned char * cli_id,size_t cli_id_len)1264 static int ssl_cookie_check_dummy(void *ctx,
1265 const unsigned char *cookie, size_t cookie_len,
1266 const unsigned char *cli_id, size_t cli_id_len)
1267 {
1268 ((void) ctx);
1269 ((void) cookie);
1270 ((void) cookie_len);
1271 ((void) cli_id);
1272 ((void) cli_id_len);
1273
1274 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1275 }
1276 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
1277
1278 /*
1279 * Initialize an SSL context
1280 */
mbedtls_ssl_init(mbedtls_ssl_context * ssl)1281 void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
1282 {
1283 memset(ssl, 0, sizeof(mbedtls_ssl_context));
1284 }
1285
1286 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_version_check(const mbedtls_ssl_context * ssl)1287 static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
1288 {
1289 const mbedtls_ssl_config *conf = ssl->conf;
1290
1291 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1292 if (mbedtls_ssl_conf_is_tls13_only(conf)) {
1293 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1294 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
1295 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1296 }
1297
1298 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
1299 return 0;
1300 }
1301 #endif
1302
1303 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1304 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
1305 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
1306 return 0;
1307 }
1308 #endif
1309
1310 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
1311 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
1312 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1313 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
1314 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1315 }
1316
1317 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
1318 return 0;
1319 }
1320 #endif
1321
1322 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
1323 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1324 }
1325
1326 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_check(const mbedtls_ssl_context * ssl)1327 static int ssl_conf_check(const mbedtls_ssl_context *ssl)
1328 {
1329 int ret;
1330 ret = ssl_conf_version_check(ssl);
1331 if (ret != 0) {
1332 return ret;
1333 }
1334
1335 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1336 /* RFC 8446 section 4.4.3
1337 *
1338 * If the verification fails, the receiver MUST terminate the handshake with
1339 * a "decrypt_error" alert.
1340 *
1341 * If the client is configured as TLS 1.3 only with optional verify, return
1342 * bad config.
1343 *
1344 */
1345 if (mbedtls_ssl_conf_tls13_ephemeral_enabled(
1346 (mbedtls_ssl_context *) ssl) &&
1347 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
1348 ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1349 ssl->conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1350 ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
1351 MBEDTLS_SSL_DEBUG_MSG(
1352 1, ("Optional verify auth mode "
1353 "is not available for TLS 1.3 client"));
1354 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1355 }
1356 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1357
1358 /* Space for further checks */
1359
1360 return 0;
1361 }
1362
1363 /*
1364 * Setup an SSL context
1365 */
1366
mbedtls_ssl_setup(mbedtls_ssl_context * ssl,const mbedtls_ssl_config * conf)1367 int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
1368 const mbedtls_ssl_config *conf)
1369 {
1370 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1371 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1372 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1373
1374 ssl->conf = conf;
1375
1376 if ((ret = ssl_conf_check(ssl)) != 0) {
1377 return ret;
1378 }
1379 ssl->tls_version = ssl->conf->max_tls_version;
1380
1381 /*
1382 * Prepare base structures
1383 */
1384
1385 /* Set to NULL in case of an error condition */
1386 ssl->out_buf = NULL;
1387
1388 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1389 ssl->in_buf_len = in_buf_len;
1390 #endif
1391 ssl->in_buf = mbedtls_calloc(1, in_buf_len);
1392 if (ssl->in_buf == NULL) {
1393 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
1394 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1395 goto error;
1396 }
1397
1398 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1399 ssl->out_buf_len = out_buf_len;
1400 #endif
1401 ssl->out_buf = mbedtls_calloc(1, out_buf_len);
1402 if (ssl->out_buf == NULL) {
1403 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
1404 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1405 goto error;
1406 }
1407
1408 mbedtls_ssl_reset_in_out_pointers(ssl);
1409
1410 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1411 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
1412 #endif
1413
1414 if ((ret = ssl_handshake_init(ssl)) != 0) {
1415 goto error;
1416 }
1417
1418 return 0;
1419
1420 error:
1421 mbedtls_free(ssl->in_buf);
1422 mbedtls_free(ssl->out_buf);
1423
1424 ssl->conf = NULL;
1425
1426 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1427 ssl->in_buf_len = 0;
1428 ssl->out_buf_len = 0;
1429 #endif
1430 ssl->in_buf = NULL;
1431 ssl->out_buf = NULL;
1432
1433 ssl->in_hdr = NULL;
1434 ssl->in_ctr = NULL;
1435 ssl->in_len = NULL;
1436 ssl->in_iv = NULL;
1437 ssl->in_msg = NULL;
1438
1439 ssl->out_hdr = NULL;
1440 ssl->out_ctr = NULL;
1441 ssl->out_len = NULL;
1442 ssl->out_iv = NULL;
1443 ssl->out_msg = NULL;
1444
1445 return ret;
1446 }
1447
1448 /*
1449 * Reset an initialized and used SSL context for re-use while retaining
1450 * all application-set variables, function pointers and data.
1451 *
1452 * If partial is non-zero, keep data in the input buffer and client ID.
1453 * (Use when a DTLS client reconnects from the same port.)
1454 */
mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context * ssl,int partial)1455 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1456 int partial)
1457 {
1458 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1459 size_t in_buf_len = ssl->in_buf_len;
1460 size_t out_buf_len = ssl->out_buf_len;
1461 #else
1462 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1463 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1464 #endif
1465
1466 #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
1467 partial = 0;
1468 #endif
1469
1470 /* Cancel any possibly running timer */
1471 mbedtls_ssl_set_timer(ssl, 0);
1472
1473 mbedtls_ssl_reset_in_out_pointers(ssl);
1474
1475 /* Reset incoming message parsing */
1476 ssl->in_offt = NULL;
1477 ssl->nb_zero = 0;
1478 ssl->in_msgtype = 0;
1479 ssl->in_msglen = 0;
1480 ssl->in_hslen = 0;
1481 ssl->keep_current_message = 0;
1482 ssl->transform_in = NULL;
1483
1484 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1485 ssl->next_record_offset = 0;
1486 ssl->in_epoch = 0;
1487 #endif
1488
1489 /* Keep current datagram if partial == 1 */
1490 if (partial == 0) {
1491 ssl->in_left = 0;
1492 memset(ssl->in_buf, 0, in_buf_len);
1493 }
1494
1495 ssl->send_alert = 0;
1496
1497 /* Reset outgoing message writing */
1498 ssl->out_msgtype = 0;
1499 ssl->out_msglen = 0;
1500 ssl->out_left = 0;
1501 memset(ssl->out_buf, 0, out_buf_len);
1502 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
1503 ssl->transform_out = NULL;
1504
1505 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1506 mbedtls_ssl_dtls_replay_reset(ssl);
1507 #endif
1508
1509 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1510 if (ssl->transform) {
1511 mbedtls_ssl_transform_free(ssl->transform);
1512 mbedtls_free(ssl->transform);
1513 ssl->transform = NULL;
1514 }
1515 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1516
1517 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1518 mbedtls_ssl_transform_free(ssl->transform_application);
1519 mbedtls_free(ssl->transform_application);
1520 ssl->transform_application = NULL;
1521
1522 if (ssl->handshake != NULL) {
1523 #if defined(MBEDTLS_SSL_EARLY_DATA)
1524 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
1525 mbedtls_free(ssl->handshake->transform_earlydata);
1526 ssl->handshake->transform_earlydata = NULL;
1527 #endif
1528
1529 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
1530 mbedtls_free(ssl->handshake->transform_handshake);
1531 ssl->handshake->transform_handshake = NULL;
1532 }
1533
1534 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1535 }
1536
mbedtls_ssl_session_reset_int(mbedtls_ssl_context * ssl,int partial)1537 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
1538 {
1539 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1540
1541 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
1542
1543 mbedtls_ssl_session_reset_msg_layer(ssl, partial);
1544
1545 /* Reset renegotiation state */
1546 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1547 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
1548 ssl->renego_records_seen = 0;
1549
1550 ssl->verify_data_len = 0;
1551 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1552 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1553 #endif
1554 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
1555
1556 ssl->session_in = NULL;
1557 ssl->session_out = NULL;
1558 if (ssl->session) {
1559 mbedtls_ssl_session_free(ssl->session);
1560 mbedtls_free(ssl->session);
1561 ssl->session = NULL;
1562 }
1563
1564 #if defined(MBEDTLS_SSL_ALPN)
1565 ssl->alpn_chosen = NULL;
1566 #endif
1567
1568 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1569 int free_cli_id = 1;
1570 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
1571 free_cli_id = (partial == 0);
1572 #endif
1573 if (free_cli_id) {
1574 mbedtls_free(ssl->cli_id);
1575 ssl->cli_id = NULL;
1576 ssl->cli_id_len = 0;
1577 }
1578 #endif
1579
1580 if ((ret = ssl_handshake_init(ssl)) != 0) {
1581 return ret;
1582 }
1583
1584 return 0;
1585 }
1586
1587 /*
1588 * Reset an initialized and used SSL context for re-use while retaining
1589 * all application-set variables, function pointers and data.
1590 */
mbedtls_ssl_session_reset(mbedtls_ssl_context * ssl)1591 int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
1592 {
1593 return mbedtls_ssl_session_reset_int(ssl, 0);
1594 }
1595
1596 /*
1597 * SSL set accessors
1598 */
mbedtls_ssl_conf_endpoint(mbedtls_ssl_config * conf,int endpoint)1599 void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
1600 {
1601 conf->endpoint = endpoint;
1602 }
1603
mbedtls_ssl_conf_transport(mbedtls_ssl_config * conf,int transport)1604 void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
1605 {
1606 conf->transport = transport;
1607 }
1608
1609 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config * conf,char mode)1610 void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
1611 {
1612 conf->anti_replay = mode;
1613 }
1614 #endif
1615
mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config * conf,unsigned limit)1616 void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
1617 {
1618 conf->badmac_limit = limit;
1619 }
1620
1621 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1622
mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context * ssl,unsigned allow_packing)1623 void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
1624 unsigned allow_packing)
1625 {
1626 ssl->disable_datagram_packing = !allow_packing;
1627 }
1628
mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config * conf,uint32_t min,uint32_t max)1629 void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
1630 uint32_t min, uint32_t max)
1631 {
1632 conf->hs_timeout_min = min;
1633 conf->hs_timeout_max = max;
1634 }
1635 #endif
1636
mbedtls_ssl_conf_authmode(mbedtls_ssl_config * conf,int authmode)1637 void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
1638 {
1639 conf->authmode = authmode;
1640 }
1641
1642 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_verify(mbedtls_ssl_config * conf,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1643 void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
1644 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1645 void *p_vrfy)
1646 {
1647 conf->f_vrfy = f_vrfy;
1648 conf->p_vrfy = p_vrfy;
1649 }
1650 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1651
mbedtls_ssl_conf_rng(mbedtls_ssl_config * conf,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1652 void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
1653 int (*f_rng)(void *, unsigned char *, size_t),
1654 void *p_rng)
1655 {
1656 conf->f_rng = f_rng;
1657 conf->p_rng = p_rng;
1658 }
1659
mbedtls_ssl_conf_dbg(mbedtls_ssl_config * conf,void (* f_dbg)(void *,int,const char *,int,const char *),void * p_dbg)1660 void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
1661 void (*f_dbg)(void *, int, const char *, int, const char *),
1662 void *p_dbg)
1663 {
1664 conf->f_dbg = f_dbg;
1665 conf->p_dbg = p_dbg;
1666 }
1667
mbedtls_ssl_set_bio(mbedtls_ssl_context * ssl,void * p_bio,mbedtls_ssl_send_t * f_send,mbedtls_ssl_recv_t * f_recv,mbedtls_ssl_recv_timeout_t * f_recv_timeout)1668 void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
1669 void *p_bio,
1670 mbedtls_ssl_send_t *f_send,
1671 mbedtls_ssl_recv_t *f_recv,
1672 mbedtls_ssl_recv_timeout_t *f_recv_timeout)
1673 {
1674 ssl->p_bio = p_bio;
1675 ssl->f_send = f_send;
1676 ssl->f_recv = f_recv;
1677 ssl->f_recv_timeout = f_recv_timeout;
1678 }
1679
1680 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_set_mtu(mbedtls_ssl_context * ssl,uint16_t mtu)1681 void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
1682 {
1683 ssl->mtu = mtu;
1684 }
1685 #endif
1686
mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config * conf,uint32_t timeout)1687 void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
1688 {
1689 conf->read_timeout = timeout;
1690 }
1691
mbedtls_ssl_set_timer_cb(mbedtls_ssl_context * ssl,void * p_timer,mbedtls_ssl_set_timer_t * f_set_timer,mbedtls_ssl_get_timer_t * f_get_timer)1692 void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
1693 void *p_timer,
1694 mbedtls_ssl_set_timer_t *f_set_timer,
1695 mbedtls_ssl_get_timer_t *f_get_timer)
1696 {
1697 ssl->p_timer = p_timer;
1698 ssl->f_set_timer = f_set_timer;
1699 ssl->f_get_timer = f_get_timer;
1700
1701 /* Make sure we start with no timer running */
1702 mbedtls_ssl_set_timer(ssl, 0);
1703 }
1704
1705 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_session_cache(mbedtls_ssl_config * conf,void * p_cache,mbedtls_ssl_cache_get_t * f_get_cache,mbedtls_ssl_cache_set_t * f_set_cache)1706 void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
1707 void *p_cache,
1708 mbedtls_ssl_cache_get_t *f_get_cache,
1709 mbedtls_ssl_cache_set_t *f_set_cache)
1710 {
1711 conf->p_cache = p_cache;
1712 conf->f_get_cache = f_get_cache;
1713 conf->f_set_cache = f_set_cache;
1714 }
1715 #endif /* MBEDTLS_SSL_SRV_C */
1716
1717 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_set_session(mbedtls_ssl_context * ssl,const mbedtls_ssl_session * session)1718 int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
1719 {
1720 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1721
1722 if (ssl == NULL ||
1723 session == NULL ||
1724 ssl->session_negotiate == NULL ||
1725 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
1726 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1727 }
1728
1729 if (ssl->handshake->resume == 1) {
1730 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1731 }
1732
1733 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1734 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
1735 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1736 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
1737
1738 if (mbedtls_ssl_validate_ciphersuite(
1739 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
1740 MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
1741 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
1742 session->ciphersuite));
1743 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1744 }
1745 }
1746 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1747
1748 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
1749 session)) != 0) {
1750 return ret;
1751 }
1752
1753 ssl->handshake->resume = 1;
1754
1755 return 0;
1756 }
1757 #endif /* MBEDTLS_SSL_CLI_C */
1758
mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config * conf,const int * ciphersuites)1759 void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
1760 const int *ciphersuites)
1761 {
1762 conf->ciphersuite_list = ciphersuites;
1763 }
1764
1765 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config * conf,const int kex_modes)1766 void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
1767 const int kex_modes)
1768 {
1769 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
1770 }
1771
1772 #if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_tls13_conf_early_data(mbedtls_ssl_config * conf,int early_data_enabled)1773 void mbedtls_ssl_tls13_conf_early_data(mbedtls_ssl_config *conf,
1774 int early_data_enabled)
1775 {
1776 conf->early_data_enabled = early_data_enabled;
1777 }
1778
1779 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_tls13_conf_max_early_data_size(mbedtls_ssl_config * conf,uint32_t max_early_data_size)1780 void mbedtls_ssl_tls13_conf_max_early_data_size(
1781 mbedtls_ssl_config *conf, uint32_t max_early_data_size)
1782 {
1783 conf->max_early_data_size = max_early_data_size;
1784 }
1785 #endif /* MBEDTLS_SSL_SRV_C */
1786
1787 #endif /* MBEDTLS_SSL_EARLY_DATA */
1788 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1789
1790 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config * conf,const mbedtls_x509_crt_profile * profile)1791 void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
1792 const mbedtls_x509_crt_profile *profile)
1793 {
1794 conf->cert_profile = profile;
1795 }
1796
ssl_key_cert_free(mbedtls_ssl_key_cert * key_cert)1797 static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
1798 {
1799 mbedtls_ssl_key_cert *cur = key_cert, *next;
1800
1801 while (cur != NULL) {
1802 next = cur->next;
1803 mbedtls_free(cur);
1804 cur = next;
1805 }
1806 }
1807
1808 /* Append a new keycert entry to a (possibly empty) list */
1809 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_append_key_cert(mbedtls_ssl_key_cert ** head,mbedtls_x509_crt * cert,mbedtls_pk_context * key)1810 static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
1811 mbedtls_x509_crt *cert,
1812 mbedtls_pk_context *key)
1813 {
1814 mbedtls_ssl_key_cert *new_cert;
1815
1816 if (cert == NULL) {
1817 /* Free list if cert is null */
1818 ssl_key_cert_free(*head);
1819 *head = NULL;
1820 return 0;
1821 }
1822
1823 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
1824 if (new_cert == NULL) {
1825 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1826 }
1827
1828 new_cert->cert = cert;
1829 new_cert->key = key;
1830 new_cert->next = NULL;
1831
1832 /* Update head if the list was null, else add to the end */
1833 if (*head == NULL) {
1834 *head = new_cert;
1835 } else {
1836 mbedtls_ssl_key_cert *cur = *head;
1837 while (cur->next != NULL) {
1838 cur = cur->next;
1839 }
1840 cur->next = new_cert;
1841 }
1842
1843 return 0;
1844 }
1845
mbedtls_ssl_conf_own_cert(mbedtls_ssl_config * conf,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1846 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
1847 mbedtls_x509_crt *own_cert,
1848 mbedtls_pk_context *pk_key)
1849 {
1850 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
1851 }
1852
mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config * conf,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1853 void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
1854 mbedtls_x509_crt *ca_chain,
1855 mbedtls_x509_crl *ca_crl)
1856 {
1857 conf->ca_chain = ca_chain;
1858 conf->ca_crl = ca_crl;
1859
1860 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1861 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1862 * cannot be used together. */
1863 conf->f_ca_cb = NULL;
1864 conf->p_ca_cb = NULL;
1865 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1866 }
1867
1868 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config * conf,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb)1869 void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
1870 mbedtls_x509_crt_ca_cb_t f_ca_cb,
1871 void *p_ca_cb)
1872 {
1873 conf->f_ca_cb = f_ca_cb;
1874 conf->p_ca_cb = p_ca_cb;
1875
1876 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1877 * cannot be used together. */
1878 conf->ca_chain = NULL;
1879 conf->ca_crl = NULL;
1880 }
1881 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1882 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1883
1884 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_get_hs_sni(mbedtls_ssl_context * ssl,size_t * name_len)1885 const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
1886 size_t *name_len)
1887 {
1888 *name_len = ssl->handshake->sni_name_len;
1889 return ssl->handshake->sni_name;
1890 }
1891
mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context * ssl,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1892 int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
1893 mbedtls_x509_crt *own_cert,
1894 mbedtls_pk_context *pk_key)
1895 {
1896 return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
1897 own_cert, pk_key);
1898 }
1899
mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1900 void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
1901 mbedtls_x509_crt *ca_chain,
1902 mbedtls_x509_crl *ca_crl)
1903 {
1904 ssl->handshake->sni_ca_chain = ca_chain;
1905 ssl->handshake->sni_ca_crl = ca_crl;
1906 }
1907
1908 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context * ssl,const mbedtls_x509_crt * crt)1909 void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
1910 const mbedtls_x509_crt *crt)
1911 {
1912 ssl->handshake->dn_hints = crt;
1913 }
1914 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
1915
mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context * ssl,int authmode)1916 void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
1917 int authmode)
1918 {
1919 ssl->handshake->sni_authmode = authmode;
1920 }
1921 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1922
1923 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_verify(mbedtls_ssl_context * ssl,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1924 void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
1925 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1926 void *p_vrfy)
1927 {
1928 ssl->f_vrfy = f_vrfy;
1929 ssl->p_vrfy = p_vrfy;
1930 }
1931 #endif
1932
1933 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1934
1935 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1936 static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
1937 static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
1938
mbedtls_ssl_set_hs_ecjpake_password_common(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)1939 static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
1940 mbedtls_ssl_context *ssl,
1941 mbedtls_svc_key_id_t pwd)
1942 {
1943 psa_status_t status;
1944 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
1945 const uint8_t *user = NULL;
1946 size_t user_len = 0;
1947 const uint8_t *peer = NULL;
1948 size_t peer_len = 0;
1949 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
1950 psa_pake_cs_set_primitive(&cipher_suite,
1951 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
1952 PSA_ECC_FAMILY_SECP_R1,
1953 256));
1954 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
1955
1956 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite);
1957 if (status != PSA_SUCCESS) {
1958 return status;
1959 }
1960
1961 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
1962 user = jpake_server_id;
1963 user_len = sizeof(jpake_server_id);
1964 peer = jpake_client_id;
1965 peer_len = sizeof(jpake_client_id);
1966 } else {
1967 user = jpake_client_id;
1968 user_len = sizeof(jpake_client_id);
1969 peer = jpake_server_id;
1970 peer_len = sizeof(jpake_server_id);
1971 }
1972
1973 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
1974 if (status != PSA_SUCCESS) {
1975 return status;
1976 }
1977
1978 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
1979 if (status != PSA_SUCCESS) {
1980 return status;
1981 }
1982
1983 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd);
1984 if (status != PSA_SUCCESS) {
1985 return status;
1986 }
1987
1988 ssl->handshake->psa_pake_ctx_is_ok = 1;
1989
1990 return PSA_SUCCESS;
1991 }
1992
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)1993 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
1994 const unsigned char *pw,
1995 size_t pw_len)
1996 {
1997 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
1998 psa_status_t status;
1999
2000 if (ssl->handshake == NULL || ssl->conf == NULL) {
2001 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2002 }
2003
2004 /* Empty password is not valid */
2005 if ((pw == NULL) || (pw_len == 0)) {
2006 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2007 }
2008
2009 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
2010 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
2011 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
2012
2013 status = psa_import_key(&attributes, pw, pw_len,
2014 &ssl->handshake->psa_pake_password);
2015 if (status != PSA_SUCCESS) {
2016 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2017 }
2018
2019 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
2020 ssl->handshake->psa_pake_password);
2021 if (status != PSA_SUCCESS) {
2022 psa_destroy_key(ssl->handshake->psa_pake_password);
2023 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2024 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2025 }
2026
2027 return 0;
2028 }
2029
mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)2030 int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
2031 mbedtls_svc_key_id_t pwd)
2032 {
2033 psa_status_t status;
2034
2035 if (ssl->handshake == NULL || ssl->conf == NULL) {
2036 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2037 }
2038
2039 if (mbedtls_svc_key_id_is_null(pwd)) {
2040 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2041 }
2042
2043 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
2044 if (status != PSA_SUCCESS) {
2045 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2046 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2047 }
2048
2049 return 0;
2050 }
2051 #else /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)2052 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2053 const unsigned char *pw,
2054 size_t pw_len)
2055 {
2056 mbedtls_ecjpake_role role;
2057
2058 if (ssl->handshake == NULL || ssl->conf == NULL) {
2059 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2060 }
2061
2062 /* Empty password is not valid */
2063 if ((pw == NULL) || (pw_len == 0)) {
2064 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2065 }
2066
2067 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
2068 role = MBEDTLS_ECJPAKE_SERVER;
2069 } else {
2070 role = MBEDTLS_ECJPAKE_CLIENT;
2071 }
2072
2073 return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx,
2074 role,
2075 MBEDTLS_MD_SHA256,
2076 MBEDTLS_ECP_DP_SECP256R1,
2077 pw, pw_len);
2078 }
2079 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2080 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2081
2082 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const * conf)2083 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
2084 {
2085 if (conf->psk_identity == NULL ||
2086 conf->psk_identity_len == 0) {
2087 return 0;
2088 }
2089
2090 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2091 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2092 return 1;
2093 }
2094 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2095
2096 if (conf->psk != NULL && conf->psk_len != 0) {
2097 return 1;
2098 }
2099
2100 return 0;
2101 }
2102
ssl_conf_remove_psk(mbedtls_ssl_config * conf)2103 static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
2104 {
2105 /* Remove reference to existing PSK, if any. */
2106 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2107 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2108 /* The maintenance of the PSK key slot is the
2109 * user's responsibility. */
2110 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2111 }
2112 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2113 if (conf->psk != NULL) {
2114 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
2115 conf->psk = NULL;
2116 conf->psk_len = 0;
2117 }
2118
2119 /* Remove reference to PSK identity, if any. */
2120 if (conf->psk_identity != NULL) {
2121 mbedtls_free(conf->psk_identity);
2122 conf->psk_identity = NULL;
2123 conf->psk_identity_len = 0;
2124 }
2125 }
2126
2127 /* This function assumes that PSK identity in the SSL config is unset.
2128 * It checks that the provided identity is well-formed and attempts
2129 * to make a copy of it in the SSL config.
2130 * On failure, the PSK identity in the config remains unset. */
2131 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_set_psk_identity(mbedtls_ssl_config * conf,unsigned char const * psk_identity,size_t psk_identity_len)2132 static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
2133 unsigned char const *psk_identity,
2134 size_t psk_identity_len)
2135 {
2136 /* Identity len will be encoded on two bytes */
2137 if (psk_identity == NULL ||
2138 psk_identity_len == 0 ||
2139 (psk_identity_len >> 16) != 0 ||
2140 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2141 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2142 }
2143
2144 conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
2145 if (conf->psk_identity == NULL) {
2146 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2147 }
2148
2149 conf->psk_identity_len = psk_identity_len;
2150 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
2151
2152 return 0;
2153 }
2154
mbedtls_ssl_conf_psk(mbedtls_ssl_config * conf,const unsigned char * psk,size_t psk_len,const unsigned char * psk_identity,size_t psk_identity_len)2155 int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
2156 const unsigned char *psk, size_t psk_len,
2157 const unsigned char *psk_identity, size_t psk_identity_len)
2158 {
2159 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2160
2161 /* We currently only support one PSK, raw or opaque. */
2162 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2163 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2164 }
2165
2166 /* Check and set raw PSK */
2167 if (psk == NULL) {
2168 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2169 }
2170 if (psk_len == 0) {
2171 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2172 }
2173 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2174 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2175 }
2176
2177 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2178 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2179 }
2180 conf->psk_len = psk_len;
2181 memcpy(conf->psk, psk, conf->psk_len);
2182
2183 /* Check and set PSK Identity */
2184 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
2185 if (ret != 0) {
2186 ssl_conf_remove_psk(conf);
2187 }
2188
2189 return ret;
2190 }
2191
ssl_remove_psk(mbedtls_ssl_context * ssl)2192 static void ssl_remove_psk(mbedtls_ssl_context *ssl)
2193 {
2194 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2195 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
2196 /* The maintenance of the external PSK key slot is the
2197 * user's responsibility. */
2198 if (ssl->handshake->psk_opaque_is_internal) {
2199 psa_destroy_key(ssl->handshake->psk_opaque);
2200 ssl->handshake->psk_opaque_is_internal = 0;
2201 }
2202 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2203 }
2204 #else
2205 if (ssl->handshake->psk != NULL) {
2206 mbedtls_zeroize_and_free(ssl->handshake->psk,
2207 ssl->handshake->psk_len);
2208 ssl->handshake->psk_len = 0;
2209 }
2210 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2211 }
2212
mbedtls_ssl_set_hs_psk(mbedtls_ssl_context * ssl,const unsigned char * psk,size_t psk_len)2213 int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
2214 const unsigned char *psk, size_t psk_len)
2215 {
2216 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2217 psa_key_attributes_t key_attributes = psa_key_attributes_init();
2218 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2219 psa_algorithm_t alg = PSA_ALG_NONE;
2220 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
2221 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2222
2223 if (psk == NULL || ssl->handshake == NULL) {
2224 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2225 }
2226
2227 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2228 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2229 }
2230
2231 ssl_remove_psk(ssl);
2232
2233 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2234 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2235 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2236 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
2237 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
2238 } else {
2239 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
2240 }
2241 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2242 }
2243 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2244
2245 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2246 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2247 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
2248 psa_set_key_usage_flags(&key_attributes,
2249 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
2250 }
2251 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2252
2253 psa_set_key_algorithm(&key_attributes, alg);
2254 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
2255
2256 status = psa_import_key(&key_attributes, psk, psk_len, &key);
2257 if (status != PSA_SUCCESS) {
2258 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2259 }
2260
2261 /* Allow calling psa_destroy_key() on psk remove */
2262 ssl->handshake->psk_opaque_is_internal = 1;
2263 return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
2264 #else
2265 if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2266 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2267 }
2268
2269 ssl->handshake->psk_len = psk_len;
2270 memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);
2271
2272 return 0;
2273 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2274 }
2275
2276 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config * conf,mbedtls_svc_key_id_t psk,const unsigned char * psk_identity,size_t psk_identity_len)2277 int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
2278 mbedtls_svc_key_id_t psk,
2279 const unsigned char *psk_identity,
2280 size_t psk_identity_len)
2281 {
2282 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2283
2284 /* We currently only support one PSK, raw or opaque. */
2285 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2286 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2287 }
2288
2289 /* Check and set opaque PSK */
2290 if (mbedtls_svc_key_id_is_null(psk)) {
2291 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2292 }
2293 conf->psk_opaque = psk;
2294
2295 /* Check and set PSK Identity */
2296 ret = ssl_conf_set_psk_identity(conf, psk_identity,
2297 psk_identity_len);
2298 if (ret != 0) {
2299 ssl_conf_remove_psk(conf);
2300 }
2301
2302 return ret;
2303 }
2304
mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t psk)2305 int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
2306 mbedtls_svc_key_id_t psk)
2307 {
2308 if ((mbedtls_svc_key_id_is_null(psk)) ||
2309 (ssl->handshake == NULL)) {
2310 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2311 }
2312
2313 ssl_remove_psk(ssl);
2314 ssl->handshake->psk_opaque = psk;
2315 return 0;
2316 }
2317 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2318
2319 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config * conf,int (* f_psk)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_psk)2320 void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
2321 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
2322 size_t),
2323 void *p_psk)
2324 {
2325 conf->f_psk = f_psk;
2326 conf->p_psk = p_psk;
2327 }
2328 #endif /* MBEDTLS_SSL_SRV_C */
2329
2330 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2331
2332 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_base_mode(psa_algorithm_t alg)2333 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2334 psa_algorithm_t alg)
2335 {
2336 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2337 if (alg == PSA_ALG_CBC_NO_PADDING) {
2338 return MBEDTLS_SSL_MODE_CBC;
2339 }
2340 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2341 if (PSA_ALG_IS_AEAD(alg)) {
2342 return MBEDTLS_SSL_MODE_AEAD;
2343 }
2344 return MBEDTLS_SSL_MODE_STREAM;
2345 }
2346
2347 #else /* MBEDTLS_USE_PSA_CRYPTO */
2348
mbedtls_ssl_get_base_mode(mbedtls_cipher_mode_t mode)2349 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2350 mbedtls_cipher_mode_t mode)
2351 {
2352 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2353 if (mode == MBEDTLS_MODE_CBC) {
2354 return MBEDTLS_SSL_MODE_CBC;
2355 }
2356 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2357
2358 #if defined(MBEDTLS_GCM_C) || \
2359 defined(MBEDTLS_CCM_C) || \
2360 defined(MBEDTLS_CHACHAPOLY_C)
2361 if (mode == MBEDTLS_MODE_GCM ||
2362 mode == MBEDTLS_MODE_CCM ||
2363 mode == MBEDTLS_MODE_CHACHAPOLY) {
2364 return MBEDTLS_SSL_MODE_AEAD;
2365 }
2366 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
2367
2368 return MBEDTLS_SSL_MODE_STREAM;
2369 }
2370 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2371
mbedtls_ssl_get_actual_mode(mbedtls_ssl_mode_t base_mode,int encrypt_then_mac)2372 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
2373 mbedtls_ssl_mode_t base_mode,
2374 int encrypt_then_mac)
2375 {
2376 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2377 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
2378 base_mode == MBEDTLS_SSL_MODE_CBC) {
2379 return MBEDTLS_SSL_MODE_CBC_ETM;
2380 }
2381 #else
2382 (void) encrypt_then_mac;
2383 #endif
2384 return base_mode;
2385 }
2386
mbedtls_ssl_get_mode_from_transform(const mbedtls_ssl_transform * transform)2387 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2388 const mbedtls_ssl_transform *transform)
2389 {
2390 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
2391 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2392 transform->psa_alg
2393 #else
2394 mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)
2395 #endif
2396 );
2397
2398 int encrypt_then_mac = 0;
2399 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2400 encrypt_then_mac = transform->encrypt_then_mac;
2401 #endif
2402 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2403 }
2404
mbedtls_ssl_get_mode_from_ciphersuite(int encrypt_then_mac,const mbedtls_ssl_ciphersuite_t * suite)2405 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2406 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2407 int encrypt_then_mac,
2408 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2409 const mbedtls_ssl_ciphersuite_t *suite)
2410 {
2411 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
2412
2413 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2414 psa_status_t status;
2415 psa_algorithm_t alg;
2416 psa_key_type_t type;
2417 size_t size;
2418 status = mbedtls_ssl_cipher_to_psa(suite->cipher, 0, &alg, &type, &size);
2419 if (status == PSA_SUCCESS) {
2420 base_mode = mbedtls_ssl_get_base_mode(alg);
2421 }
2422 #else
2423 const mbedtls_cipher_info_t *cipher =
2424 mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher);
2425 if (cipher != NULL) {
2426 base_mode =
2427 mbedtls_ssl_get_base_mode(
2428 mbedtls_cipher_info_get_mode(cipher));
2429 }
2430 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2431
2432 #if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2433 int encrypt_then_mac = 0;
2434 #endif
2435 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2436 }
2437
2438 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2439
2440 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2441 /* Serialization of TLS 1.3 sessions:
2442 *
2443 * struct {
2444 * opaque hostname<0..2^16-1>;
2445 * uint64 ticket_received;
2446 * uint32 ticket_lifetime;
2447 * opaque ticket<1..2^16-1>;
2448 * } ClientOnlyData;
2449 *
2450 * struct {
2451 * uint8 endpoint;
2452 * uint8 ciphersuite[2];
2453 * uint32 ticket_age_add;
2454 * uint8 ticket_flags;
2455 * opaque resumption_key<0..255>;
2456 * select ( endpoint ) {
2457 * case client: ClientOnlyData;
2458 * case server: uint64 start_time;
2459 * };
2460 * } serialized_session_tls13;
2461 *
2462 */
2463 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2464 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)2465 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
2466 unsigned char *buf,
2467 size_t buf_len,
2468 size_t *olen)
2469 {
2470 unsigned char *p = buf;
2471 #if defined(MBEDTLS_SSL_CLI_C) && \
2472 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2473 size_t hostname_len = (session->hostname == NULL) ?
2474 0 : strlen(session->hostname) + 1;
2475 #endif
2476 size_t needed = 1 /* endpoint */
2477 + 2 /* ciphersuite */
2478 + 4 /* ticket_age_add */
2479 + 1 /* ticket_flags */
2480 + 1; /* resumption_key length */
2481 *olen = 0;
2482
2483 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
2484 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2485 }
2486 needed += session->resumption_key_len; /* resumption_key */
2487
2488 #if defined(MBEDTLS_HAVE_TIME)
2489 needed += 8; /* start_time or ticket_received */
2490 #endif
2491
2492 #if defined(MBEDTLS_SSL_CLI_C)
2493 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
2494 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2495 needed += 2 /* hostname_len */
2496 + hostname_len; /* hostname */
2497 #endif
2498
2499 needed += 4 /* ticket_lifetime */
2500 + 2; /* ticket_len */
2501
2502 /* Check size_t overflow */
2503 if (session->ticket_len > SIZE_MAX - needed) {
2504 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2505 }
2506
2507 needed += session->ticket_len; /* ticket */
2508 }
2509 #endif /* MBEDTLS_SSL_CLI_C */
2510
2511 *olen = needed;
2512 if (needed > buf_len) {
2513 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
2514 }
2515
2516 p[0] = session->endpoint;
2517 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 1);
2518 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 3);
2519 p[7] = session->ticket_flags;
2520
2521 /* save resumption_key */
2522 p[8] = session->resumption_key_len;
2523 p += 9;
2524 memcpy(p, session->resumption_key, session->resumption_key_len);
2525 p += session->resumption_key_len;
2526
2527 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
2528 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
2529 MBEDTLS_PUT_UINT64_BE((uint64_t) session->start, p, 0);
2530 p += 8;
2531 }
2532 #endif /* MBEDTLS_HAVE_TIME */
2533
2534 #if defined(MBEDTLS_SSL_CLI_C)
2535 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
2536 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2537 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
2538 p += 2;
2539 if (hostname_len > 0) {
2540 /* save host name */
2541 memcpy(p, session->hostname, hostname_len);
2542 p += hostname_len;
2543 }
2544 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2545
2546 #if defined(MBEDTLS_HAVE_TIME)
2547 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_received, p, 0);
2548 p += 8;
2549 #endif
2550 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
2551 p += 4;
2552
2553 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
2554 p += 2;
2555
2556 if (session->ticket != NULL && session->ticket_len > 0) {
2557 memcpy(p, session->ticket, session->ticket_len);
2558 p += session->ticket_len;
2559 }
2560 }
2561 #endif /* MBEDTLS_SSL_CLI_C */
2562 return 0;
2563 }
2564
2565 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)2566 static int ssl_tls13_session_load(mbedtls_ssl_session *session,
2567 const unsigned char *buf,
2568 size_t len)
2569 {
2570 const unsigned char *p = buf;
2571 const unsigned char *end = buf + len;
2572
2573 if (end - p < 9) {
2574 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2575 }
2576 session->endpoint = p[0];
2577 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 1);
2578 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 3);
2579 session->ticket_flags = p[7];
2580
2581 /* load resumption_key */
2582 session->resumption_key_len = p[8];
2583 p += 9;
2584
2585 if (end - p < session->resumption_key_len) {
2586 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2587 }
2588
2589 if (sizeof(session->resumption_key) < session->resumption_key_len) {
2590 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2591 }
2592 memcpy(session->resumption_key, p, session->resumption_key_len);
2593 p += session->resumption_key_len;
2594
2595 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
2596 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
2597 if (end - p < 8) {
2598 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2599 }
2600 session->start = MBEDTLS_GET_UINT64_BE(p, 0);
2601 p += 8;
2602 }
2603 #endif /* MBEDTLS_HAVE_TIME */
2604
2605 #if defined(MBEDTLS_SSL_CLI_C)
2606 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
2607 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
2608 defined(MBEDTLS_SSL_SESSION_TICKETS)
2609 size_t hostname_len;
2610 /* load host name */
2611 if (end - p < 2) {
2612 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2613 }
2614 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
2615 p += 2;
2616
2617 if (end - p < (long int) hostname_len) {
2618 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2619 }
2620 if (hostname_len > 0) {
2621 session->hostname = mbedtls_calloc(1, hostname_len);
2622 if (session->hostname == NULL) {
2623 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2624 }
2625 memcpy(session->hostname, p, hostname_len);
2626 p += hostname_len;
2627 }
2628 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION &&
2629 MBEDTLS_SSL_SESSION_TICKETS */
2630
2631 #if defined(MBEDTLS_HAVE_TIME)
2632 if (end - p < 8) {
2633 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2634 }
2635 session->ticket_received = MBEDTLS_GET_UINT64_BE(p, 0);
2636 p += 8;
2637 #endif
2638 if (end - p < 4) {
2639 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2640 }
2641 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
2642 p += 4;
2643
2644 if (end - p < 2) {
2645 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2646 }
2647 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
2648 p += 2;
2649
2650 if (end - p < (long int) session->ticket_len) {
2651 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2652 }
2653 if (session->ticket_len > 0) {
2654 session->ticket = mbedtls_calloc(1, session->ticket_len);
2655 if (session->ticket == NULL) {
2656 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2657 }
2658 memcpy(session->ticket, p, session->ticket_len);
2659 p += session->ticket_len;
2660 }
2661 }
2662 #endif /* MBEDTLS_SSL_CLI_C */
2663
2664 return 0;
2665
2666 }
2667 #else /* MBEDTLS_SSL_SESSION_TICKETS */
2668 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)2669 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
2670 unsigned char *buf,
2671 size_t buf_len,
2672 size_t *olen)
2673 {
2674 ((void) session);
2675 ((void) buf);
2676 ((void) buf_len);
2677 *olen = 0;
2678 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2679 }
2680
ssl_tls13_session_load(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len)2681 static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
2682 unsigned char *buf,
2683 size_t buf_len)
2684 {
2685 ((void) session);
2686 ((void) buf);
2687 ((void) buf_len);
2688 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2689 }
2690 #endif /* !MBEDTLS_SSL_SESSION_TICKETS */
2691 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2692
mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,size_t taglen,psa_algorithm_t * alg,psa_key_type_t * key_type,size_t * key_size)2693 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2694 size_t taglen,
2695 psa_algorithm_t *alg,
2696 psa_key_type_t *key_type,
2697 size_t *key_size)
2698 {
2699 switch (mbedtls_cipher_type) {
2700 case MBEDTLS_CIPHER_AES_128_CBC:
2701 *alg = PSA_ALG_CBC_NO_PADDING;
2702 *key_type = PSA_KEY_TYPE_AES;
2703 *key_size = 128;
2704 break;
2705 case MBEDTLS_CIPHER_AES_128_CCM:
2706 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2707 *key_type = PSA_KEY_TYPE_AES;
2708 *key_size = 128;
2709 break;
2710 case MBEDTLS_CIPHER_AES_128_GCM:
2711 *alg = PSA_ALG_GCM;
2712 *key_type = PSA_KEY_TYPE_AES;
2713 *key_size = 128;
2714 break;
2715 case MBEDTLS_CIPHER_AES_192_CCM:
2716 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2717 *key_type = PSA_KEY_TYPE_AES;
2718 *key_size = 192;
2719 break;
2720 case MBEDTLS_CIPHER_AES_192_GCM:
2721 *alg = PSA_ALG_GCM;
2722 *key_type = PSA_KEY_TYPE_AES;
2723 *key_size = 192;
2724 break;
2725 case MBEDTLS_CIPHER_AES_256_CBC:
2726 *alg = PSA_ALG_CBC_NO_PADDING;
2727 *key_type = PSA_KEY_TYPE_AES;
2728 *key_size = 256;
2729 break;
2730 case MBEDTLS_CIPHER_AES_256_CCM:
2731 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2732 *key_type = PSA_KEY_TYPE_AES;
2733 *key_size = 256;
2734 break;
2735 case MBEDTLS_CIPHER_AES_256_GCM:
2736 *alg = PSA_ALG_GCM;
2737 *key_type = PSA_KEY_TYPE_AES;
2738 *key_size = 256;
2739 break;
2740 case MBEDTLS_CIPHER_ARIA_128_CBC:
2741 *alg = PSA_ALG_CBC_NO_PADDING;
2742 *key_type = PSA_KEY_TYPE_ARIA;
2743 *key_size = 128;
2744 break;
2745 case MBEDTLS_CIPHER_ARIA_128_CCM:
2746 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2747 *key_type = PSA_KEY_TYPE_ARIA;
2748 *key_size = 128;
2749 break;
2750 case MBEDTLS_CIPHER_ARIA_128_GCM:
2751 *alg = PSA_ALG_GCM;
2752 *key_type = PSA_KEY_TYPE_ARIA;
2753 *key_size = 128;
2754 break;
2755 case MBEDTLS_CIPHER_ARIA_192_CCM:
2756 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2757 *key_type = PSA_KEY_TYPE_ARIA;
2758 *key_size = 192;
2759 break;
2760 case MBEDTLS_CIPHER_ARIA_192_GCM:
2761 *alg = PSA_ALG_GCM;
2762 *key_type = PSA_KEY_TYPE_ARIA;
2763 *key_size = 192;
2764 break;
2765 case MBEDTLS_CIPHER_ARIA_256_CBC:
2766 *alg = PSA_ALG_CBC_NO_PADDING;
2767 *key_type = PSA_KEY_TYPE_ARIA;
2768 *key_size = 256;
2769 break;
2770 case MBEDTLS_CIPHER_ARIA_256_CCM:
2771 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2772 *key_type = PSA_KEY_TYPE_ARIA;
2773 *key_size = 256;
2774 break;
2775 case MBEDTLS_CIPHER_ARIA_256_GCM:
2776 *alg = PSA_ALG_GCM;
2777 *key_type = PSA_KEY_TYPE_ARIA;
2778 *key_size = 256;
2779 break;
2780 case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
2781 *alg = PSA_ALG_CBC_NO_PADDING;
2782 *key_type = PSA_KEY_TYPE_CAMELLIA;
2783 *key_size = 128;
2784 break;
2785 case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
2786 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2787 *key_type = PSA_KEY_TYPE_CAMELLIA;
2788 *key_size = 128;
2789 break;
2790 case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
2791 *alg = PSA_ALG_GCM;
2792 *key_type = PSA_KEY_TYPE_CAMELLIA;
2793 *key_size = 128;
2794 break;
2795 case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
2796 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2797 *key_type = PSA_KEY_TYPE_CAMELLIA;
2798 *key_size = 192;
2799 break;
2800 case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
2801 *alg = PSA_ALG_GCM;
2802 *key_type = PSA_KEY_TYPE_CAMELLIA;
2803 *key_size = 192;
2804 break;
2805 case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
2806 *alg = PSA_ALG_CBC_NO_PADDING;
2807 *key_type = PSA_KEY_TYPE_CAMELLIA;
2808 *key_size = 256;
2809 break;
2810 case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
2811 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2812 *key_type = PSA_KEY_TYPE_CAMELLIA;
2813 *key_size = 256;
2814 break;
2815 case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
2816 *alg = PSA_ALG_GCM;
2817 *key_type = PSA_KEY_TYPE_CAMELLIA;
2818 *key_size = 256;
2819 break;
2820 case MBEDTLS_CIPHER_CHACHA20_POLY1305:
2821 *alg = PSA_ALG_CHACHA20_POLY1305;
2822 *key_type = PSA_KEY_TYPE_CHACHA20;
2823 *key_size = 256;
2824 break;
2825 case MBEDTLS_CIPHER_NULL:
2826 *alg = MBEDTLS_SSL_NULL_CIPHER;
2827 *key_type = 0;
2828 *key_size = 0;
2829 break;
2830 default:
2831 return PSA_ERROR_NOT_SUPPORTED;
2832 }
2833
2834 return PSA_SUCCESS;
2835 }
2836 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2837
2838 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config * conf,const unsigned char * dhm_P,size_t P_len,const unsigned char * dhm_G,size_t G_len)2839 int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
2840 const unsigned char *dhm_P, size_t P_len,
2841 const unsigned char *dhm_G, size_t G_len)
2842 {
2843 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2844
2845 mbedtls_mpi_free(&conf->dhm_P);
2846 mbedtls_mpi_free(&conf->dhm_G);
2847
2848 if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
2849 (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
2850 mbedtls_mpi_free(&conf->dhm_P);
2851 mbedtls_mpi_free(&conf->dhm_G);
2852 return ret;
2853 }
2854
2855 return 0;
2856 }
2857
mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config * conf,mbedtls_dhm_context * dhm_ctx)2858 int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx)
2859 {
2860 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2861
2862 mbedtls_mpi_free(&conf->dhm_P);
2863 mbedtls_mpi_free(&conf->dhm_G);
2864
2865 if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P,
2866 &conf->dhm_P)) != 0 ||
2867 (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G,
2868 &conf->dhm_G)) != 0) {
2869 mbedtls_mpi_free(&conf->dhm_P);
2870 mbedtls_mpi_free(&conf->dhm_G);
2871 return ret;
2872 }
2873
2874 return 0;
2875 }
2876 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
2877
2878 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
2879 /*
2880 * Set the minimum length for Diffie-Hellman parameters
2881 */
mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config * conf,unsigned int bitlen)2882 void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
2883 unsigned int bitlen)
2884 {
2885 conf->dhm_min_bitlen = bitlen;
2886 }
2887 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
2888
2889 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2890 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
2891 /*
2892 * Set allowed/preferred hashes for handshake signatures
2893 */
mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config * conf,const int * hashes)2894 void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
2895 const int *hashes)
2896 {
2897 conf->sig_hashes = hashes;
2898 }
2899 #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
2900
2901 /* Configure allowed signature algorithms for handshake */
mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config * conf,const uint16_t * sig_algs)2902 void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
2903 const uint16_t *sig_algs)
2904 {
2905 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2906 conf->sig_hashes = NULL;
2907 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
2908 conf->sig_algs = sig_algs;
2909 }
2910 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2911
2912 #if defined(MBEDTLS_ECP_C)
2913 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2914 /*
2915 * Set the allowed elliptic curves
2916 *
2917 * mbedtls_ssl_setup() takes the provided list
2918 * and translates it to a list of IANA TLS group identifiers,
2919 * stored in ssl->handshake->group_list.
2920 *
2921 */
mbedtls_ssl_conf_curves(mbedtls_ssl_config * conf,const mbedtls_ecp_group_id * curve_list)2922 void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
2923 const mbedtls_ecp_group_id *curve_list)
2924 {
2925 conf->curve_list = curve_list;
2926 conf->group_list = NULL;
2927 }
2928 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2929 #endif /* MBEDTLS_ECP_C */
2930
2931 /*
2932 * Set the allowed groups
2933 */
mbedtls_ssl_conf_groups(mbedtls_ssl_config * conf,const uint16_t * group_list)2934 void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
2935 const uint16_t *group_list)
2936 {
2937 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
2938 conf->curve_list = NULL;
2939 #endif
2940 conf->group_list = group_list;
2941 }
2942
2943 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_hostname(mbedtls_ssl_context * ssl,const char * hostname)2944 int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
2945 {
2946 /* Initialize to suppress unnecessary compiler warning */
2947 size_t hostname_len = 0;
2948
2949 /* Check if new hostname is valid before
2950 * making any change to current one */
2951 if (hostname != NULL) {
2952 hostname_len = strlen(hostname);
2953
2954 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
2955 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2956 }
2957 }
2958
2959 /* Now it's clear that we will overwrite the old hostname,
2960 * so we can free it safely */
2961
2962 if (ssl->hostname != NULL) {
2963 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
2964 }
2965
2966 /* Passing NULL as hostname shall clear the old one */
2967
2968 if (hostname == NULL) {
2969 ssl->hostname = NULL;
2970 } else {
2971 ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
2972 if (ssl->hostname == NULL) {
2973 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2974 }
2975
2976 memcpy(ssl->hostname, hostname, hostname_len);
2977
2978 ssl->hostname[hostname_len] = '\0';
2979 }
2980
2981 return 0;
2982 }
2983 #endif /* MBEDTLS_X509_CRT_PARSE_C */
2984
2985 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_conf_sni(mbedtls_ssl_config * conf,int (* f_sni)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_sni)2986 void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
2987 int (*f_sni)(void *, mbedtls_ssl_context *,
2988 const unsigned char *, size_t),
2989 void *p_sni)
2990 {
2991 conf->f_sni = f_sni;
2992 conf->p_sni = p_sni;
2993 }
2994 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2995
2996 #if defined(MBEDTLS_SSL_ALPN)
mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config * conf,const char ** protos)2997 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
2998 {
2999 size_t cur_len, tot_len;
3000 const char **p;
3001
3002 /*
3003 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
3004 * MUST NOT be truncated."
3005 * We check lengths now rather than later.
3006 */
3007 tot_len = 0;
3008 for (p = protos; *p != NULL; p++) {
3009 cur_len = strlen(*p);
3010 tot_len += cur_len;
3011
3012 if ((cur_len == 0) ||
3013 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
3014 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
3015 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3016 }
3017 }
3018
3019 conf->alpn_list = protos;
3020
3021 return 0;
3022 }
3023
mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context * ssl)3024 const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
3025 {
3026 return ssl->alpn_chosen;
3027 }
3028 #endif /* MBEDTLS_SSL_ALPN */
3029
3030 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config * conf,int support_mki_value)3031 void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
3032 int support_mki_value)
3033 {
3034 conf->dtls_srtp_mki_support = support_mki_value;
3035 }
3036
mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context * ssl,unsigned char * mki_value,uint16_t mki_len)3037 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
3038 unsigned char *mki_value,
3039 uint16_t mki_len)
3040 {
3041 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
3042 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3043 }
3044
3045 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
3046 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3047 }
3048
3049 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
3050 ssl->dtls_srtp_info.mki_len = mki_len;
3051 return 0;
3052 }
3053
mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config * conf,const mbedtls_ssl_srtp_profile * profiles)3054 int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
3055 const mbedtls_ssl_srtp_profile *profiles)
3056 {
3057 const mbedtls_ssl_srtp_profile *p;
3058 size_t list_size = 0;
3059
3060 /* check the profiles list: all entry must be valid,
3061 * its size cannot be more than the total number of supported profiles, currently 4 */
3062 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
3063 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
3064 p++) {
3065 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
3066 list_size++;
3067 } else {
3068 /* unsupported value, stop parsing and set the size to an error value */
3069 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
3070 }
3071 }
3072
3073 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
3074 conf->dtls_srtp_profile_list = NULL;
3075 conf->dtls_srtp_profile_list_len = 0;
3076 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3077 }
3078
3079 conf->dtls_srtp_profile_list = profiles;
3080 conf->dtls_srtp_profile_list_len = list_size;
3081
3082 return 0;
3083 }
3084
mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context * ssl,mbedtls_dtls_srtp_info * dtls_srtp_info)3085 void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
3086 mbedtls_dtls_srtp_info *dtls_srtp_info)
3087 {
3088 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
3089 /* do not copy the mki value if there is no chosen profile */
3090 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
3091 dtls_srtp_info->mki_len = 0;
3092 } else {
3093 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
3094 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
3095 ssl->dtls_srtp_info.mki_len);
3096 }
3097 }
3098 #endif /* MBEDTLS_SSL_DTLS_SRTP */
3099
3100 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_ssl_conf_max_version(mbedtls_ssl_config * conf,int major,int minor)3101 void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
3102 {
3103 conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
3104 }
3105
mbedtls_ssl_conf_min_version(mbedtls_ssl_config * conf,int major,int minor)3106 void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
3107 {
3108 conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
3109 }
3110 #endif /* MBEDTLS_DEPRECATED_REMOVED */
3111
3112 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config * conf,char cert_req_ca_list)3113 void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
3114 char cert_req_ca_list)
3115 {
3116 conf->cert_req_ca_list = cert_req_ca_list;
3117 }
3118 #endif
3119
3120 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config * conf,char etm)3121 void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
3122 {
3123 conf->encrypt_then_mac = etm;
3124 }
3125 #endif
3126
3127 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config * conf,char ems)3128 void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
3129 {
3130 conf->extended_ms = ems;
3131 }
3132 #endif
3133
3134 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config * conf,unsigned char mfl_code)3135 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
3136 {
3137 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
3138 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
3139 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3140 }
3141
3142 conf->mfl_code = mfl_code;
3143
3144 return 0;
3145 }
3146 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3147
mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config * conf,int allow_legacy)3148 void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
3149 {
3150 conf->allow_legacy_renegotiation = allow_legacy;
3151 }
3152
3153 #if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config * conf,int renegotiation)3154 void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
3155 {
3156 conf->disable_renegotiation = renegotiation;
3157 }
3158
mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config * conf,int max_records)3159 void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
3160 {
3161 conf->renego_max_records = max_records;
3162 }
3163
mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config * conf,const unsigned char period[8])3164 void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
3165 const unsigned char period[8])
3166 {
3167 memcpy(conf->renego_period, period, 8);
3168 }
3169 #endif /* MBEDTLS_SSL_RENEGOTIATION */
3170
3171 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3172 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config * conf,int use_tickets)3173 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
3174 {
3175 conf->session_tickets = use_tickets;
3176 }
3177 #endif
3178
3179 #if defined(MBEDTLS_SSL_SRV_C)
3180
3181 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config * conf,uint16_t num_tickets)3182 void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
3183 uint16_t num_tickets)
3184 {
3185 conf->new_session_tickets_count = num_tickets;
3186 }
3187 #endif
3188
mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config * conf,mbedtls_ssl_ticket_write_t * f_ticket_write,mbedtls_ssl_ticket_parse_t * f_ticket_parse,void * p_ticket)3189 void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
3190 mbedtls_ssl_ticket_write_t *f_ticket_write,
3191 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
3192 void *p_ticket)
3193 {
3194 conf->f_ticket_write = f_ticket_write;
3195 conf->f_ticket_parse = f_ticket_parse;
3196 conf->p_ticket = p_ticket;
3197 }
3198 #endif
3199 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3200
mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context * ssl,mbedtls_ssl_export_keys_t * f_export_keys,void * p_export_keys)3201 void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
3202 mbedtls_ssl_export_keys_t *f_export_keys,
3203 void *p_export_keys)
3204 {
3205 ssl->f_export_keys = f_export_keys;
3206 ssl->p_export_keys = p_export_keys;
3207 }
3208
3209 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
mbedtls_ssl_conf_async_private_cb(mbedtls_ssl_config * conf,mbedtls_ssl_async_sign_t * f_async_sign,mbedtls_ssl_async_decrypt_t * f_async_decrypt,mbedtls_ssl_async_resume_t * f_async_resume,mbedtls_ssl_async_cancel_t * f_async_cancel,void * async_config_data)3210 void mbedtls_ssl_conf_async_private_cb(
3211 mbedtls_ssl_config *conf,
3212 mbedtls_ssl_async_sign_t *f_async_sign,
3213 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
3214 mbedtls_ssl_async_resume_t *f_async_resume,
3215 mbedtls_ssl_async_cancel_t *f_async_cancel,
3216 void *async_config_data)
3217 {
3218 conf->f_async_sign_start = f_async_sign;
3219 conf->f_async_decrypt_start = f_async_decrypt;
3220 conf->f_async_resume = f_async_resume;
3221 conf->f_async_cancel = f_async_cancel;
3222 conf->p_async_config_data = async_config_data;
3223 }
3224
mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config * conf)3225 void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
3226 {
3227 return conf->p_async_config_data;
3228 }
3229
mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context * ssl)3230 void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
3231 {
3232 if (ssl->handshake == NULL) {
3233 return NULL;
3234 } else {
3235 return ssl->handshake->user_async_ctx;
3236 }
3237 }
3238
mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context * ssl,void * ctx)3239 void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
3240 void *ctx)
3241 {
3242 if (ssl->handshake != NULL) {
3243 ssl->handshake->user_async_ctx = ctx;
3244 }
3245 }
3246 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3247
3248 /*
3249 * SSL get accessors
3250 */
mbedtls_ssl_get_verify_result(const mbedtls_ssl_context * ssl)3251 uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
3252 {
3253 if (ssl->session != NULL) {
3254 return ssl->session->verify_result;
3255 }
3256
3257 if (ssl->session_negotiate != NULL) {
3258 return ssl->session_negotiate->verify_result;
3259 }
3260
3261 return 0xFFFFFFFF;
3262 }
3263
mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context * ssl)3264 int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
3265 {
3266 if (ssl == NULL || ssl->session == NULL) {
3267 return 0;
3268 }
3269
3270 return ssl->session->ciphersuite;
3271 }
3272
mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context * ssl)3273 const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
3274 {
3275 if (ssl == NULL || ssl->session == NULL) {
3276 return NULL;
3277 }
3278
3279 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
3280 }
3281
mbedtls_ssl_get_version(const mbedtls_ssl_context * ssl)3282 const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
3283 {
3284 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3285 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3286 switch (ssl->tls_version) {
3287 case MBEDTLS_SSL_VERSION_TLS1_2:
3288 return "DTLSv1.2";
3289 default:
3290 return "unknown (DTLS)";
3291 }
3292 }
3293 #endif
3294
3295 switch (ssl->tls_version) {
3296 case MBEDTLS_SSL_VERSION_TLS1_2:
3297 return "TLSv1.2";
3298 case MBEDTLS_SSL_VERSION_TLS1_3:
3299 return "TLSv1.3";
3300 default:
3301 return "unknown";
3302 }
3303 }
3304
3305 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context * ssl)3306 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
3307 {
3308 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3309 size_t read_mfl;
3310
3311 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3312 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
3313 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3314 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
3315 return ssl_mfl_code_to_length(ssl->conf->mfl_code);
3316 }
3317 #endif
3318
3319 /* Check if a smaller max length was negotiated */
3320 if (ssl->session_out != NULL) {
3321 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3322 if (read_mfl < max_len) {
3323 max_len = read_mfl;
3324 }
3325 }
3326
3327 /* During a handshake, use the value being negotiated */
3328 if (ssl->session_negotiate != NULL) {
3329 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3330 if (read_mfl < max_len) {
3331 max_len = read_mfl;
3332 }
3333 }
3334
3335 return max_len;
3336 }
3337
mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context * ssl)3338 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
3339 {
3340 size_t max_len;
3341
3342 /*
3343 * Assume mfl_code is correct since it was checked when set
3344 */
3345 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
3346
3347 /* Check if a smaller max length was negotiated */
3348 if (ssl->session_out != NULL &&
3349 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
3350 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3351 }
3352
3353 /* During a handshake, use the value being negotiated */
3354 if (ssl->session_negotiate != NULL &&
3355 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
3356 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3357 }
3358
3359 return max_len;
3360 }
3361 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3362
3363 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context * ssl)3364 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
3365 {
3366 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
3367 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3368 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
3369 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) {
3370 return 0;
3371 }
3372
3373 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
3374 return ssl->mtu;
3375 }
3376
3377 if (ssl->mtu == 0) {
3378 return ssl->handshake->mtu;
3379 }
3380
3381 return ssl->mtu < ssl->handshake->mtu ?
3382 ssl->mtu : ssl->handshake->mtu;
3383 }
3384 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3385
mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context * ssl)3386 int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
3387 {
3388 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3389
3390 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3391 !defined(MBEDTLS_SSL_PROTO_DTLS)
3392 (void) ssl;
3393 #endif
3394
3395 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3396 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
3397
3398 if (max_len > mfl) {
3399 max_len = mfl;
3400 }
3401 #endif
3402
3403 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3404 if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
3405 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
3406 const int ret = mbedtls_ssl_get_record_expansion(ssl);
3407 const size_t overhead = (size_t) ret;
3408
3409 if (ret < 0) {
3410 return ret;
3411 }
3412
3413 if (mtu <= overhead) {
3414 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
3415 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3416 }
3417
3418 if (max_len > mtu - overhead) {
3419 max_len = mtu - overhead;
3420 }
3421 }
3422 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3423
3424 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3425 !defined(MBEDTLS_SSL_PROTO_DTLS)
3426 ((void) ssl);
3427 #endif
3428
3429 return (int) max_len;
3430 }
3431
mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context * ssl)3432 int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
3433 {
3434 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3435
3436 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3437 (void) ssl;
3438 #endif
3439
3440 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3441 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
3442
3443 if (max_len > mfl) {
3444 max_len = mfl;
3445 }
3446 #endif
3447
3448 return (int) max_len;
3449 }
3450
3451 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context * ssl)3452 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
3453 {
3454 if (ssl == NULL || ssl->session == NULL) {
3455 return NULL;
3456 }
3457
3458 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3459 return ssl->session->peer_cert;
3460 #else
3461 return NULL;
3462 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3463 }
3464 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3465
3466 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_get_session(const mbedtls_ssl_context * ssl,mbedtls_ssl_session * dst)3467 int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
3468 mbedtls_ssl_session *dst)
3469 {
3470 int ret;
3471
3472 if (ssl == NULL ||
3473 dst == NULL ||
3474 ssl->session == NULL ||
3475 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
3476 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3477 }
3478
3479 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
3480 * idempotent: Each session can only be exported once.
3481 *
3482 * (This is in preparation for TLS 1.3 support where we will
3483 * need the ability to export multiple sessions (aka tickets),
3484 * which will be achieved by calling mbedtls_ssl_get_session()
3485 * multiple times until it fails.)
3486 *
3487 * Check whether we have already exported the current session,
3488 * and fail if so.
3489 */
3490 if (ssl->session->exported == 1) {
3491 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3492 }
3493
3494 ret = mbedtls_ssl_session_copy(dst, ssl->session);
3495 if (ret != 0) {
3496 return ret;
3497 }
3498
3499 /* Remember that we've exported the session. */
3500 ssl->session->exported = 1;
3501 return 0;
3502 }
3503 #endif /* MBEDTLS_SSL_CLI_C */
3504
3505 /*
3506 * Define ticket header determining Mbed TLS version
3507 * and structure of the ticket.
3508 */
3509
3510 /*
3511 * Define bitflag determining compile-time settings influencing
3512 * structure of serialized SSL sessions.
3513 */
3514
3515 #if defined(MBEDTLS_HAVE_TIME)
3516 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
3517 #else
3518 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
3519 #endif /* MBEDTLS_HAVE_TIME */
3520
3521 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3522 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
3523 #else
3524 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
3525 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3526
3527 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
3528 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
3529 #else
3530 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
3531 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
3532
3533 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3534 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
3535 #else
3536 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
3537 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3538
3539 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3540 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
3541 #else
3542 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
3543 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
3544
3545 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3546 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
3547 #else
3548 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
3549 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3550
3551 #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
3552 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
3553 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
3554 #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
3555 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
3556 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
3557
3558 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
3559 ((uint16_t) ( \
3560 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
3561 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
3562 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
3563 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
3564 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
3565 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
3566 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT)))
3567
3568 static unsigned char ssl_serialized_session_header[] = {
3569 MBEDTLS_VERSION_MAJOR,
3570 MBEDTLS_VERSION_MINOR,
3571 MBEDTLS_VERSION_PATCH,
3572 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
3573 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
3574 };
3575
3576 /*
3577 * Serialize a session in the following format:
3578 * (in the presentation language of TLS, RFC 8446 section 3)
3579 *
3580 * struct {
3581 *
3582 * opaque mbedtls_version[3]; // library version: major, minor, patch
3583 * opaque session_format[2]; // library-version specific 16-bit field
3584 * // determining the format of the remaining
3585 * // serialized data.
3586 *
3587 * Note: When updating the format, remember to keep
3588 * these version+format bytes.
3589 *
3590 * // In this version, `session_format` determines
3591 * // the setting of those compile-time
3592 * // configuration options which influence
3593 * // the structure of mbedtls_ssl_session.
3594 *
3595 * uint8_t minor_ver; // Protocol minor version. Possible values:
3596 * // - TLS 1.2 (0x0303)
3597 * // - TLS 1.3 (0x0304)
3598 *
3599 * select (serialized_session.tls_version) {
3600 *
3601 * case MBEDTLS_SSL_VERSION_TLS1_2:
3602 * serialized_session_tls12 data;
3603 * case MBEDTLS_SSL_VERSION_TLS1_3:
3604 * serialized_session_tls13 data;
3605 *
3606 * };
3607 *
3608 * } serialized_session;
3609 *
3610 */
3611
3612 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_save(const mbedtls_ssl_session * session,unsigned char omit_header,unsigned char * buf,size_t buf_len,size_t * olen)3613 static int ssl_session_save(const mbedtls_ssl_session *session,
3614 unsigned char omit_header,
3615 unsigned char *buf,
3616 size_t buf_len,
3617 size_t *olen)
3618 {
3619 unsigned char *p = buf;
3620 size_t used = 0;
3621 size_t remaining_len;
3622 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3623 size_t out_len;
3624 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3625 #endif
3626 if (session == NULL) {
3627 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3628 }
3629
3630 if (!omit_header) {
3631 /*
3632 * Add Mbed TLS version identifier
3633 */
3634 used += sizeof(ssl_serialized_session_header);
3635
3636 if (used <= buf_len) {
3637 memcpy(p, ssl_serialized_session_header,
3638 sizeof(ssl_serialized_session_header));
3639 p += sizeof(ssl_serialized_session_header);
3640 }
3641 }
3642
3643 /*
3644 * TLS version identifier
3645 */
3646 used += 1;
3647 if (used <= buf_len) {
3648 *p++ = MBEDTLS_BYTE_0(session->tls_version);
3649 }
3650
3651 /* Forward to version-specific serialization routine. */
3652 remaining_len = (buf_len >= used) ? buf_len - used : 0;
3653 switch (session->tls_version) {
3654 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3655 case MBEDTLS_SSL_VERSION_TLS1_2:
3656 used += ssl_tls12_session_save(session, p, remaining_len);
3657 break;
3658 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3659
3660 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3661 case MBEDTLS_SSL_VERSION_TLS1_3:
3662 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
3663 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
3664 return ret;
3665 }
3666 used += out_len;
3667 break;
3668 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3669
3670 default:
3671 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3672 }
3673
3674 *olen = used;
3675 if (used > buf_len) {
3676 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3677 }
3678
3679 return 0;
3680 }
3681
3682 /*
3683 * Public wrapper for ssl_session_save()
3684 */
mbedtls_ssl_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)3685 int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
3686 unsigned char *buf,
3687 size_t buf_len,
3688 size_t *olen)
3689 {
3690 return ssl_session_save(session, 0, buf, buf_len, olen);
3691 }
3692
3693 /*
3694 * Deserialize session, see mbedtls_ssl_session_save() for format.
3695 *
3696 * This internal version is wrapped by a public function that cleans up in
3697 * case of error, and has an extra option omit_header.
3698 */
3699 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_load(mbedtls_ssl_session * session,unsigned char omit_header,const unsigned char * buf,size_t len)3700 static int ssl_session_load(mbedtls_ssl_session *session,
3701 unsigned char omit_header,
3702 const unsigned char *buf,
3703 size_t len)
3704 {
3705 const unsigned char *p = buf;
3706 const unsigned char * const end = buf + len;
3707 size_t remaining_len;
3708
3709
3710 if (session == NULL) {
3711 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3712 }
3713
3714 if (!omit_header) {
3715 /*
3716 * Check Mbed TLS version identifier
3717 */
3718
3719 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
3720 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3721 }
3722
3723 if (memcmp(p, ssl_serialized_session_header,
3724 sizeof(ssl_serialized_session_header)) != 0) {
3725 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
3726 }
3727 p += sizeof(ssl_serialized_session_header);
3728 }
3729
3730 /*
3731 * TLS version identifier
3732 */
3733 if (1 > (size_t) (end - p)) {
3734 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3735 }
3736 session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
3737
3738 /* Dispatch according to TLS version. */
3739 remaining_len = (end - p);
3740 switch (session->tls_version) {
3741 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3742 case MBEDTLS_SSL_VERSION_TLS1_2:
3743 return ssl_tls12_session_load(session, p, remaining_len);
3744 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3745
3746 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3747 case MBEDTLS_SSL_VERSION_TLS1_3:
3748 return ssl_tls13_session_load(session, p, remaining_len);
3749 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3750
3751 default:
3752 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3753 }
3754 }
3755
3756 /*
3757 * Deserialize session: public wrapper for error cleaning
3758 */
mbedtls_ssl_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)3759 int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
3760 const unsigned char *buf,
3761 size_t len)
3762 {
3763 int ret = ssl_session_load(session, 0, buf, len);
3764
3765 if (ret != 0) {
3766 mbedtls_ssl_session_free(session);
3767 }
3768
3769 return ret;
3770 }
3771
3772 /*
3773 * Perform a single step of the SSL handshake
3774 */
3775 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_prepare_handshake_step(mbedtls_ssl_context * ssl)3776 static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
3777 {
3778 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3779
3780 /*
3781 * We may have not been able to send to the peer all the handshake data
3782 * that were written into the output buffer by the previous handshake step,
3783 * if the write to the network callback returned with the
3784 * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
3785 * We proceed to the next handshake step only when all data from the
3786 * previous one have been sent to the peer, thus we make sure that this is
3787 * the case here by calling `mbedtls_ssl_flush_output()`. The function may
3788 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
3789 * we have to wait before to go ahead.
3790 * In the case of TLS 1.3, handshake step handlers do not send data to the
3791 * peer. Data are only sent here and through
3792 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
3793 * alert occurred.
3794 */
3795 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
3796 return ret;
3797 }
3798
3799 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3800 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3801 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
3802 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3803 return ret;
3804 }
3805 }
3806 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3807
3808 return ret;
3809 }
3810
mbedtls_ssl_handshake_step(mbedtls_ssl_context * ssl)3811 int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
3812 {
3813 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3814
3815 if (ssl == NULL ||
3816 ssl->conf == NULL ||
3817 ssl->handshake == NULL ||
3818 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
3819 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3820 }
3821
3822 ret = ssl_prepare_handshake_step(ssl);
3823 if (ret != 0) {
3824 return ret;
3825 }
3826
3827 ret = mbedtls_ssl_handle_pending_alert(ssl);
3828 if (ret != 0) {
3829 goto cleanup;
3830 }
3831
3832 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
3833 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
3834 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3835
3836 #if defined(MBEDTLS_SSL_CLI_C)
3837 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3838 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
3839 mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state)));
3840
3841 switch (ssl->state) {
3842 case MBEDTLS_SSL_HELLO_REQUEST:
3843 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3844 ret = 0;
3845 break;
3846
3847 case MBEDTLS_SSL_CLIENT_HELLO:
3848 ret = mbedtls_ssl_write_client_hello(ssl);
3849 break;
3850
3851 default:
3852 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
3853 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
3854 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
3855 } else {
3856 ret = mbedtls_ssl_handshake_client_step(ssl);
3857 }
3858 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
3859 ret = mbedtls_ssl_handshake_client_step(ssl);
3860 #else
3861 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
3862 #endif
3863 }
3864 }
3865 #endif /* MBEDTLS_SSL_CLI_C */
3866
3867 #if defined(MBEDTLS_SSL_SRV_C)
3868 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
3869 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
3870 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
3871 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
3872 } else {
3873 ret = mbedtls_ssl_handshake_server_step(ssl);
3874 }
3875 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
3876 ret = mbedtls_ssl_handshake_server_step(ssl);
3877 #else
3878 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
3879 #endif
3880 }
3881 #endif /* MBEDTLS_SSL_SRV_C */
3882
3883 if (ret != 0) {
3884 /* handshake_step return error. And it is same
3885 * with alert_reason.
3886 */
3887 if (ssl->send_alert) {
3888 ret = mbedtls_ssl_handle_pending_alert(ssl);
3889 goto cleanup;
3890 }
3891 }
3892
3893 cleanup:
3894 return ret;
3895 }
3896
3897 /*
3898 * Perform the SSL handshake
3899 */
mbedtls_ssl_handshake(mbedtls_ssl_context * ssl)3900 int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
3901 {
3902 int ret = 0;
3903
3904 /* Sanity checks */
3905
3906 if (ssl == NULL || ssl->conf == NULL) {
3907 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3908 }
3909
3910 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3911 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3912 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
3913 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
3914 "mbedtls_ssl_set_timer_cb() for DTLS"));
3915 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3916 }
3917 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3918
3919 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
3920
3921 /* Main handshake loop */
3922 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
3923 ret = mbedtls_ssl_handshake_step(ssl);
3924
3925 if (ret != 0) {
3926 break;
3927 }
3928 }
3929
3930 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
3931
3932 return ret;
3933 }
3934
3935 #if defined(MBEDTLS_SSL_RENEGOTIATION)
3936 #if defined(MBEDTLS_SSL_SRV_C)
3937 /*
3938 * Write HelloRequest to request renegotiation on server
3939 */
3940 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_hello_request(mbedtls_ssl_context * ssl)3941 static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
3942 {
3943 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3944
3945 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
3946
3947 ssl->out_msglen = 4;
3948 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3949 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
3950
3951 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3952 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3953 return ret;
3954 }
3955
3956 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
3957
3958 return 0;
3959 }
3960 #endif /* MBEDTLS_SSL_SRV_C */
3961
3962 /*
3963 * Actually renegotiate current connection, triggered by either:
3964 * - any side: calling mbedtls_ssl_renegotiate(),
3965 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
3966 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
3967 * the initial handshake is completed.
3968 * If the handshake doesn't complete due to waiting for I/O, it will continue
3969 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
3970 */
mbedtls_ssl_start_renegotiation(mbedtls_ssl_context * ssl)3971 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl)
3972 {
3973 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3974
3975 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
3976
3977 if ((ret = ssl_handshake_init(ssl)) != 0) {
3978 return ret;
3979 }
3980
3981 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
3982 * the ServerHello will have message_seq = 1" */
3983 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3984 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3985 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
3986 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
3987 ssl->handshake->out_msg_seq = 1;
3988 } else {
3989 ssl->handshake->in_msg_seq = 1;
3990 }
3991 }
3992 #endif
3993
3994 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
3995 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
3996
3997 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
3998 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
3999 return ret;
4000 }
4001
4002 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
4003
4004 return 0;
4005 }
4006
4007 /*
4008 * Renegotiate current connection on client,
4009 * or request renegotiation on server
4010 */
mbedtls_ssl_renegotiate(mbedtls_ssl_context * ssl)4011 int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
4012 {
4013 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4014
4015 if (ssl == NULL || ssl->conf == NULL) {
4016 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4017 }
4018
4019 #if defined(MBEDTLS_SSL_SRV_C)
4020 /* On server, just send the request */
4021 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4022 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4023 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4024 }
4025
4026 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
4027
4028 /* Did we already try/start sending HelloRequest? */
4029 if (ssl->out_left != 0) {
4030 return mbedtls_ssl_flush_output(ssl);
4031 }
4032
4033 return ssl_write_hello_request(ssl);
4034 }
4035 #endif /* MBEDTLS_SSL_SRV_C */
4036
4037 #if defined(MBEDTLS_SSL_CLI_C)
4038 /*
4039 * On client, either start the renegotiation process or,
4040 * if already in progress, continue the handshake
4041 */
4042 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
4043 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4044 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4045 }
4046
4047 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
4048 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
4049 return ret;
4050 }
4051 } else {
4052 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4053 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4054 return ret;
4055 }
4056 }
4057 #endif /* MBEDTLS_SSL_CLI_C */
4058
4059 return ret;
4060 }
4061 #endif /* MBEDTLS_SSL_RENEGOTIATION */
4062
mbedtls_ssl_handshake_free(mbedtls_ssl_context * ssl)4063 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
4064 {
4065 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
4066
4067 if (handshake == NULL) {
4068 return;
4069 }
4070
4071 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
4072 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4073 if (ssl->handshake->group_list_heap_allocated) {
4074 mbedtls_free((void *) handshake->group_list);
4075 }
4076 handshake->group_list = NULL;
4077 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4078 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
4079
4080 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
4081 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4082 if (ssl->handshake->sig_algs_heap_allocated) {
4083 mbedtls_free((void *) handshake->sig_algs);
4084 }
4085 handshake->sig_algs = NULL;
4086 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4087 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4088 if (ssl->handshake->certificate_request_context) {
4089 mbedtls_free((void *) handshake->certificate_request_context);
4090 }
4091 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4092 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
4093
4094 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4095 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
4096 ssl->conf->f_async_cancel(ssl);
4097 handshake->async_in_progress = 0;
4098 }
4099 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4100
4101 #if defined(MBEDTLS_MD_CAN_SHA256)
4102 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4103 psa_hash_abort(&handshake->fin_sha256_psa);
4104 #else
4105 mbedtls_md_free(&handshake->fin_sha256);
4106 #endif
4107 #endif
4108 #if defined(MBEDTLS_MD_CAN_SHA384)
4109 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4110 psa_hash_abort(&handshake->fin_sha384_psa);
4111 #else
4112 mbedtls_md_free(&handshake->fin_sha384);
4113 #endif
4114 #endif
4115
4116 #if defined(MBEDTLS_DHM_C)
4117 mbedtls_dhm_free(&handshake->dhm_ctx);
4118 #endif
4119 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
4120 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
4121 mbedtls_ecdh_free(&handshake->ecdh_ctx);
4122 #endif
4123
4124 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4125 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4126 psa_pake_abort(&handshake->psa_pake_ctx);
4127 /*
4128 * Opaque keys are not stored in the handshake's data and it's the user
4129 * responsibility to destroy them. Clear ones, instead, are created by
4130 * the TLS library and should be destroyed at the same level
4131 */
4132 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
4133 psa_destroy_key(handshake->psa_pake_password);
4134 }
4135 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
4136 #else
4137 mbedtls_ecjpake_free(&handshake->ecjpake_ctx);
4138 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4139 #if defined(MBEDTLS_SSL_CLI_C)
4140 mbedtls_free(handshake->ecjpake_cache);
4141 handshake->ecjpake_cache = NULL;
4142 handshake->ecjpake_cache_len = 0;
4143 #endif
4144 #endif
4145
4146 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
4147 defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
4148 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4149 /* explicit void pointer cast for buggy MS compiler */
4150 mbedtls_free((void *) handshake->curves_tls_id);
4151 #endif
4152
4153 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
4154 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4155 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
4156 /* The maintenance of the external PSK key slot is the
4157 * user's responsibility. */
4158 if (ssl->handshake->psk_opaque_is_internal) {
4159 psa_destroy_key(ssl->handshake->psk_opaque);
4160 ssl->handshake->psk_opaque_is_internal = 0;
4161 }
4162 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
4163 }
4164 #else
4165 if (handshake->psk != NULL) {
4166 mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len);
4167 }
4168 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4169 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
4170
4171 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4172 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4173 /*
4174 * Free only the linked list wrapper, not the keys themselves
4175 * since the belong to the SNI callback
4176 */
4177 ssl_key_cert_free(handshake->sni_key_cert);
4178 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
4179
4180 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4181 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
4182 if (handshake->ecrs_peer_cert != NULL) {
4183 mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
4184 mbedtls_free(handshake->ecrs_peer_cert);
4185 }
4186 #endif
4187
4188 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4189 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4190 mbedtls_pk_free(&handshake->peer_pubkey);
4191 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4192
4193 #if defined(MBEDTLS_SSL_CLI_C) && \
4194 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
4195 mbedtls_free(handshake->cookie);
4196 #endif /* MBEDTLS_SSL_CLI_C &&
4197 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
4198
4199 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4200 mbedtls_ssl_flight_free(handshake->flight);
4201 mbedtls_ssl_buffering_free(ssl);
4202 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4203
4204 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
4205 if (handshake->xxdh_psa_privkey_is_external == 0) {
4206 psa_destroy_key(handshake->xxdh_psa_privkey);
4207 }
4208 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
4209
4210 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4211 mbedtls_ssl_transform_free(handshake->transform_handshake);
4212 mbedtls_free(handshake->transform_handshake);
4213 #if defined(MBEDTLS_SSL_EARLY_DATA)
4214 mbedtls_ssl_transform_free(handshake->transform_earlydata);
4215 mbedtls_free(handshake->transform_earlydata);
4216 #endif
4217 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4218
4219
4220 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4221 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
4222 * processes datagrams and the fact that a datagram is allowed to have
4223 * several records in it, it is possible that the I/O buffers are not
4224 * empty at this stage */
4225 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
4226 mbedtls_ssl_get_output_buflen(ssl));
4227 #endif
4228
4229 /* mbedtls_platform_zeroize MUST be last one in this function */
4230 mbedtls_platform_zeroize(handshake,
4231 sizeof(mbedtls_ssl_handshake_params));
4232 }
4233
mbedtls_ssl_session_free(mbedtls_ssl_session * session)4234 void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
4235 {
4236 if (session == NULL) {
4237 return;
4238 }
4239
4240 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4241 ssl_clear_peer_cert(session);
4242 #endif
4243
4244 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4245 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
4246 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4247 mbedtls_free(session->hostname);
4248 #endif
4249 mbedtls_free(session->ticket);
4250 #endif
4251
4252 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
4253 }
4254
4255 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
4256
4257 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4258 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
4259 #else
4260 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
4261 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4262
4263 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
4264
4265 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4266 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
4267 #else
4268 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
4269 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4270
4271 #if defined(MBEDTLS_SSL_ALPN)
4272 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
4273 #else
4274 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
4275 #endif /* MBEDTLS_SSL_ALPN */
4276
4277 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
4278 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
4279 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
4280 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
4281
4282 #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
4283 ((uint32_t) ( \
4284 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
4285 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
4286 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
4287 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
4288 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
4289 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
4290 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
4291 0u))
4292
4293 static unsigned char ssl_serialized_context_header[] = {
4294 MBEDTLS_VERSION_MAJOR,
4295 MBEDTLS_VERSION_MINOR,
4296 MBEDTLS_VERSION_PATCH,
4297 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4298 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4299 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4300 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4301 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4302 };
4303
4304 /*
4305 * Serialize a full SSL context
4306 *
4307 * The format of the serialized data is:
4308 * (in the presentation language of TLS, RFC 8446 section 3)
4309 *
4310 * // header
4311 * opaque mbedtls_version[3]; // major, minor, patch
4312 * opaque context_format[5]; // version-specific field determining
4313 * // the format of the remaining
4314 * // serialized data.
4315 * Note: When updating the format, remember to keep these
4316 * version+format bytes. (We may make their size part of the API.)
4317 *
4318 * // session sub-structure
4319 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
4320 * // transform sub-structure
4321 * uint8 random[64]; // ServerHello.random+ClientHello.random
4322 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
4323 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
4324 * // fields from ssl_context
4325 * uint32 badmac_seen; // DTLS: number of records with failing MAC
4326 * uint64 in_window_top; // DTLS: last validated record seq_num
4327 * uint64 in_window; // DTLS: bitmask for replay protection
4328 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
4329 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
4330 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
4331 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
4332 *
4333 * Note that many fields of the ssl_context or sub-structures are not
4334 * serialized, as they fall in one of the following categories:
4335 *
4336 * 1. forced value (eg in_left must be 0)
4337 * 2. pointer to dynamically-allocated memory (eg session, transform)
4338 * 3. value can be re-derived from other data (eg session keys from MS)
4339 * 4. value was temporary (eg content of input buffer)
4340 * 5. value will be provided by the user again (eg I/O callbacks and context)
4341 */
mbedtls_ssl_context_save(mbedtls_ssl_context * ssl,unsigned char * buf,size_t buf_len,size_t * olen)4342 int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
4343 unsigned char *buf,
4344 size_t buf_len,
4345 size_t *olen)
4346 {
4347 unsigned char *p = buf;
4348 size_t used = 0;
4349 size_t session_len;
4350 int ret = 0;
4351
4352 /*
4353 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
4354 * this function's documentation.
4355 *
4356 * These are due to assumptions/limitations in the implementation. Some of
4357 * them are likely to stay (no handshake in progress) some might go away
4358 * (only DTLS) but are currently used to simplify the implementation.
4359 */
4360 /* The initial handshake must be over */
4361 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4362 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
4363 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4364 }
4365 if (ssl->handshake != NULL) {
4366 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
4367 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4368 }
4369 /* Double-check that sub-structures are indeed ready */
4370 if (ssl->transform == NULL || ssl->session == NULL) {
4371 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
4372 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4373 }
4374 /* There must be no pending incoming or outgoing data */
4375 if (mbedtls_ssl_check_pending(ssl) != 0) {
4376 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
4377 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4378 }
4379 if (ssl->out_left != 0) {
4380 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
4381 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4382 }
4383 /* Protocol must be DTLS, not TLS */
4384 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
4385 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
4386 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4387 }
4388 /* Version must be 1.2 */
4389 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
4390 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
4391 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4392 }
4393 /* We must be using an AEAD ciphersuite */
4394 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
4395 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
4396 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4397 }
4398 /* Renegotiation must not be enabled */
4399 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4400 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
4401 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
4402 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4403 }
4404 #endif
4405
4406 /*
4407 * Version and format identifier
4408 */
4409 used += sizeof(ssl_serialized_context_header);
4410
4411 if (used <= buf_len) {
4412 memcpy(p, ssl_serialized_context_header,
4413 sizeof(ssl_serialized_context_header));
4414 p += sizeof(ssl_serialized_context_header);
4415 }
4416
4417 /*
4418 * Session (length + data)
4419 */
4420 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
4421 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
4422 return ret;
4423 }
4424
4425 used += 4 + session_len;
4426 if (used <= buf_len) {
4427 MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
4428 p += 4;
4429
4430 ret = ssl_session_save(ssl->session, 1,
4431 p, session_len, &session_len);
4432 if (ret != 0) {
4433 return ret;
4434 }
4435
4436 p += session_len;
4437 }
4438
4439 /*
4440 * Transform
4441 */
4442 used += sizeof(ssl->transform->randbytes);
4443 if (used <= buf_len) {
4444 memcpy(p, ssl->transform->randbytes,
4445 sizeof(ssl->transform->randbytes));
4446 p += sizeof(ssl->transform->randbytes);
4447 }
4448
4449 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4450 used += 2 + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
4451 if (used <= buf_len) {
4452 *p++ = ssl->transform->in_cid_len;
4453 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
4454 p += ssl->transform->in_cid_len;
4455
4456 *p++ = ssl->transform->out_cid_len;
4457 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
4458 p += ssl->transform->out_cid_len;
4459 }
4460 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4461
4462 /*
4463 * Saved fields from top-level ssl_context structure
4464 */
4465 used += 4;
4466 if (used <= buf_len) {
4467 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0);
4468 p += 4;
4469 }
4470
4471 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4472 used += 16;
4473 if (used <= buf_len) {
4474 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
4475 p += 8;
4476
4477 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
4478 p += 8;
4479 }
4480 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4481
4482 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4483 used += 1;
4484 if (used <= buf_len) {
4485 *p++ = ssl->disable_datagram_packing;
4486 }
4487 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4488
4489 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
4490 if (used <= buf_len) {
4491 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
4492 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
4493 }
4494
4495 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4496 used += 2;
4497 if (used <= buf_len) {
4498 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
4499 p += 2;
4500 }
4501 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4502
4503 #if defined(MBEDTLS_SSL_ALPN)
4504 {
4505 const uint8_t alpn_len = ssl->alpn_chosen
4506 ? (uint8_t) strlen(ssl->alpn_chosen)
4507 : 0;
4508
4509 used += 1 + alpn_len;
4510 if (used <= buf_len) {
4511 *p++ = alpn_len;
4512
4513 if (ssl->alpn_chosen != NULL) {
4514 memcpy(p, ssl->alpn_chosen, alpn_len);
4515 p += alpn_len;
4516 }
4517 }
4518 }
4519 #endif /* MBEDTLS_SSL_ALPN */
4520
4521 /*
4522 * Done
4523 */
4524 *olen = used;
4525
4526 if (used > buf_len) {
4527 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4528 }
4529
4530 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
4531
4532 return mbedtls_ssl_session_reset_int(ssl, 0);
4533 }
4534
4535 /*
4536 * Deserialize context, see mbedtls_ssl_context_save() for format.
4537 *
4538 * This internal version is wrapped by a public function that cleans up in
4539 * case of error.
4540 */
4541 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_context_load(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)4542 static int ssl_context_load(mbedtls_ssl_context *ssl,
4543 const unsigned char *buf,
4544 size_t len)
4545 {
4546 const unsigned char *p = buf;
4547 const unsigned char * const end = buf + len;
4548 size_t session_len;
4549 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4550 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4551 tls_prf_fn prf_func = NULL;
4552 #endif
4553
4554 /*
4555 * The context should have been freshly setup or reset.
4556 * Give the user an error in case of obvious misuse.
4557 * (Checking session is useful because it won't be NULL if we're
4558 * renegotiating, or if the user mistakenly loaded a session first.)
4559 */
4560 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
4561 ssl->session != NULL) {
4562 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4563 }
4564
4565 /*
4566 * We can't check that the config matches the initial one, but we can at
4567 * least check it matches the requirements for serializing.
4568 */
4569 if (
4570 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4571 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
4572 #endif
4573 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
4574 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
4575 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2
4576 ) {
4577 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4578 }
4579
4580 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
4581
4582 /*
4583 * Check version identifier
4584 */
4585 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
4586 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4587 }
4588
4589 if (memcmp(p, ssl_serialized_context_header,
4590 sizeof(ssl_serialized_context_header)) != 0) {
4591 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
4592 }
4593 p += sizeof(ssl_serialized_context_header);
4594
4595 /*
4596 * Session
4597 */
4598 if ((size_t) (end - p) < 4) {
4599 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4600 }
4601
4602 session_len = MBEDTLS_GET_UINT32_BE(p, 0);
4603 p += 4;
4604
4605 /* This has been allocated by ssl_handshake_init(), called by
4606 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
4607 ssl->session = ssl->session_negotiate;
4608 ssl->session_in = ssl->session;
4609 ssl->session_out = ssl->session;
4610 ssl->session_negotiate = NULL;
4611
4612 if ((size_t) (end - p) < session_len) {
4613 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4614 }
4615
4616 ret = ssl_session_load(ssl->session, 1, p, session_len);
4617 if (ret != 0) {
4618 mbedtls_ssl_session_free(ssl->session);
4619 return ret;
4620 }
4621
4622 p += session_len;
4623
4624 /*
4625 * Transform
4626 */
4627
4628 /* This has been allocated by ssl_handshake_init(), called by
4629 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
4630 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4631 ssl->transform = ssl->transform_negotiate;
4632 ssl->transform_in = ssl->transform;
4633 ssl->transform_out = ssl->transform;
4634 ssl->transform_negotiate = NULL;
4635 #endif
4636
4637 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4638 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
4639 if (prf_func == NULL) {
4640 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4641 }
4642
4643 /* Read random bytes and populate structure */
4644 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
4645 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4646 }
4647
4648 ret = ssl_tls12_populate_transform(ssl->transform,
4649 ssl->session->ciphersuite,
4650 ssl->session->master,
4651 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
4652 ssl->session->encrypt_then_mac,
4653 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
4654 prf_func,
4655 p, /* currently pointing to randbytes */
4656 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
4657 ssl->conf->endpoint,
4658 ssl);
4659 if (ret != 0) {
4660 return ret;
4661 }
4662 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4663 p += sizeof(ssl->transform->randbytes);
4664
4665 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4666 /* Read connection IDs and store them */
4667 if ((size_t) (end - p) < 1) {
4668 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4669 }
4670
4671 ssl->transform->in_cid_len = *p++;
4672
4673 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
4674 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4675 }
4676
4677 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
4678 p += ssl->transform->in_cid_len;
4679
4680 ssl->transform->out_cid_len = *p++;
4681
4682 if ((size_t) (end - p) < ssl->transform->out_cid_len) {
4683 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4684 }
4685
4686 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
4687 p += ssl->transform->out_cid_len;
4688 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4689
4690 /*
4691 * Saved fields from top-level ssl_context structure
4692 */
4693 if ((size_t) (end - p) < 4) {
4694 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4695 }
4696
4697 ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
4698 p += 4;
4699
4700 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4701 if ((size_t) (end - p) < 16) {
4702 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4703 }
4704
4705 ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
4706 p += 8;
4707
4708 ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
4709 p += 8;
4710 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4711
4712 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4713 if ((size_t) (end - p) < 1) {
4714 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4715 }
4716
4717 ssl->disable_datagram_packing = *p++;
4718 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4719
4720 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
4721 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4722 }
4723 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
4724 p += sizeof(ssl->cur_out_ctr);
4725
4726 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4727 if ((size_t) (end - p) < 2) {
4728 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4729 }
4730
4731 ssl->mtu = (p[0] << 8) | p[1];
4732 p += 2;
4733 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4734
4735 #if defined(MBEDTLS_SSL_ALPN)
4736 {
4737 uint8_t alpn_len;
4738 const char **cur;
4739
4740 if ((size_t) (end - p) < 1) {
4741 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4742 }
4743
4744 alpn_len = *p++;
4745
4746 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
4747 /* alpn_chosen should point to an item in the configured list */
4748 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
4749 if (strlen(*cur) == alpn_len &&
4750 memcmp(p, cur, alpn_len) == 0) {
4751 ssl->alpn_chosen = *cur;
4752 break;
4753 }
4754 }
4755 }
4756
4757 /* can only happen on conf mismatch */
4758 if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
4759 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4760 }
4761
4762 p += alpn_len;
4763 }
4764 #endif /* MBEDTLS_SSL_ALPN */
4765
4766 /*
4767 * Forced fields from top-level ssl_context structure
4768 *
4769 * Most of them already set to the correct value by mbedtls_ssl_init() and
4770 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
4771 */
4772 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
4773 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
4774
4775 /* Adjust pointers for header fields of outgoing records to
4776 * the given transform, accounting for explicit IV and CID. */
4777 mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
4778
4779 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4780 ssl->in_epoch = 1;
4781 #endif
4782
4783 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
4784 * which we don't want - otherwise we'd end up freeing the wrong transform
4785 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
4786 * inappropriately. */
4787 if (ssl->handshake != NULL) {
4788 mbedtls_ssl_handshake_free(ssl);
4789 mbedtls_free(ssl->handshake);
4790 ssl->handshake = NULL;
4791 }
4792
4793 /*
4794 * Done - should have consumed entire buffer
4795 */
4796 if (p != end) {
4797 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4798 }
4799
4800 return 0;
4801 }
4802
4803 /*
4804 * Deserialize context: public wrapper for error cleaning
4805 */
mbedtls_ssl_context_load(mbedtls_ssl_context * context,const unsigned char * buf,size_t len)4806 int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
4807 const unsigned char *buf,
4808 size_t len)
4809 {
4810 int ret = ssl_context_load(context, buf, len);
4811
4812 if (ret != 0) {
4813 mbedtls_ssl_free(context);
4814 }
4815
4816 return ret;
4817 }
4818 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
4819
4820 /*
4821 * Free an SSL context
4822 */
mbedtls_ssl_free(mbedtls_ssl_context * ssl)4823 void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
4824 {
4825 if (ssl == NULL) {
4826 return;
4827 }
4828
4829 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
4830
4831 if (ssl->out_buf != NULL) {
4832 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4833 size_t out_buf_len = ssl->out_buf_len;
4834 #else
4835 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
4836 #endif
4837
4838 mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len);
4839 ssl->out_buf = NULL;
4840 }
4841
4842 if (ssl->in_buf != NULL) {
4843 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4844 size_t in_buf_len = ssl->in_buf_len;
4845 #else
4846 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
4847 #endif
4848
4849 mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len);
4850 ssl->in_buf = NULL;
4851 }
4852
4853 if (ssl->transform) {
4854 mbedtls_ssl_transform_free(ssl->transform);
4855 mbedtls_free(ssl->transform);
4856 }
4857
4858 if (ssl->handshake) {
4859 mbedtls_ssl_handshake_free(ssl);
4860 mbedtls_free(ssl->handshake);
4861
4862 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4863 mbedtls_ssl_transform_free(ssl->transform_negotiate);
4864 mbedtls_free(ssl->transform_negotiate);
4865 #endif
4866
4867 mbedtls_ssl_session_free(ssl->session_negotiate);
4868 mbedtls_free(ssl->session_negotiate);
4869 }
4870
4871 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4872 mbedtls_ssl_transform_free(ssl->transform_application);
4873 mbedtls_free(ssl->transform_application);
4874 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4875
4876 if (ssl->session) {
4877 mbedtls_ssl_session_free(ssl->session);
4878 mbedtls_free(ssl->session);
4879 }
4880
4881 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4882 if (ssl->hostname != NULL) {
4883 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
4884 }
4885 #endif
4886
4887 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
4888 mbedtls_free(ssl->cli_id);
4889 #endif
4890
4891 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
4892
4893 /* Actually clear after last debug message */
4894 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
4895 }
4896
4897 /*
4898 * Initialize mbedtls_ssl_config
4899 */
mbedtls_ssl_config_init(mbedtls_ssl_config * conf)4900 void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
4901 {
4902 memset(conf, 0, sizeof(mbedtls_ssl_config));
4903 }
4904
4905 /* The selection should be the same as mbedtls_x509_crt_profile_default in
4906 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
4907 * curves with a lower resource usage come first.
4908 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
4909 * about this list.
4910 */
4911 static uint16_t ssl_preset_default_groups[] = {
4912 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
4913 MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
4914 #endif
4915 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
4916 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
4917 #endif
4918 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
4919 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
4920 #endif
4921 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
4922 MBEDTLS_SSL_IANA_TLS_GROUP_X448,
4923 #endif
4924 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
4925 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
4926 #endif
4927 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
4928 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
4929 #endif
4930 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
4931 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
4932 #endif
4933 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
4934 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
4935 #endif
4936 #if defined(PSA_WANT_ALG_FFDH)
4937 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
4938 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
4939 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
4940 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144,
4941 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192,
4942 #endif
4943 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
4944 };
4945
4946 static const int ssl_preset_suiteb_ciphersuites[] = {
4947 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
4948 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
4949 0
4950 };
4951
4952 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
4953
4954 /* NOTICE:
4955 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
4956 * rules SHOULD be upheld.
4957 * - No duplicate entries.
4958 * - But if there is a good reason, do not change the order of the algorithms.
4959 * - ssl_tls12_preset* is for TLS 1.2 use only.
4960 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
4961 */
4962 static uint16_t ssl_preset_default_sig_algs[] = {
4963
4964 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
4965 defined(MBEDTLS_MD_CAN_SHA256) && \
4966 defined(PSA_WANT_ECC_SECP_R1_256)
4967 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
4968 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
4969 #endif
4970
4971 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
4972 defined(MBEDTLS_MD_CAN_SHA384) && \
4973 defined(PSA_WANT_ECC_SECP_R1_384)
4974 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
4975 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
4976 #endif
4977
4978 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
4979 defined(MBEDTLS_MD_CAN_SHA512) && \
4980 defined(PSA_WANT_ECC_SECP_R1_521)
4981 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
4982 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
4983 #endif
4984
4985 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
4986 defined(MBEDTLS_MD_CAN_SHA512)
4987 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
4988 #endif \
4989 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA512 */
4990
4991 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
4992 defined(MBEDTLS_MD_CAN_SHA384)
4993 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
4994 #endif \
4995 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA384 */
4996
4997 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
4998 defined(MBEDTLS_MD_CAN_SHA256)
4999 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5000 #endif \
5001 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256 */
5002
5003 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
5004 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
5005 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
5006
5007 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
5008 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
5009 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
5010
5011 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
5012 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
5013 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
5014
5015 MBEDTLS_TLS_SIG_NONE
5016 };
5017
5018 /* NOTICE: see above */
5019 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5020 static uint16_t ssl_tls12_preset_default_sig_algs[] = {
5021 #if defined(MBEDTLS_MD_CAN_SHA512)
5022 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5023 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
5024 #endif
5025 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5026 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5027 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
5028 #if defined(MBEDTLS_RSA_C)
5029 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
5030 #endif
5031 #endif /* MBEDTLS_MD_CAN_SHA512*/
5032 #if defined(MBEDTLS_MD_CAN_SHA384)
5033 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5034 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5035 #endif
5036 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5037 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5038 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
5039 #if defined(MBEDTLS_RSA_C)
5040 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
5041 #endif
5042 #endif /* MBEDTLS_MD_CAN_SHA384*/
5043 #if defined(MBEDTLS_MD_CAN_SHA256)
5044 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5045 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5046 #endif
5047 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5048 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5049 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
5050 #if defined(MBEDTLS_RSA_C)
5051 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
5052 #endif
5053 #endif /* MBEDTLS_MD_CAN_SHA256*/
5054 MBEDTLS_TLS_SIG_NONE
5055 };
5056 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5057 /* NOTICE: see above */
5058 static uint16_t ssl_preset_suiteb_sig_algs[] = {
5059
5060 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5061 defined(MBEDTLS_MD_CAN_SHA256) && \
5062 defined(MBEDTLS_ECP_HAVE_SECP256R1)
5063 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5064 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5065 #endif
5066
5067 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5068 defined(MBEDTLS_MD_CAN_SHA384) && \
5069 defined(MBEDTLS_ECP_HAVE_SECP384R1)
5070 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5071 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5072 #endif
5073
5074 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
5075 defined(MBEDTLS_MD_CAN_SHA256)
5076 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5077 #endif \
5078 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_MD_CAN_SHA256*/
5079
5080 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
5081 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
5082 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256*/
5083
5084 MBEDTLS_TLS_SIG_NONE
5085 };
5086
5087 /* NOTICE: see above */
5088 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5089 static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
5090 #if defined(MBEDTLS_MD_CAN_SHA256)
5091 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5092 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5093 #endif
5094 #if defined(MBEDTLS_RSA_C)
5095 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
5096 #endif
5097 #endif /* MBEDTLS_MD_CAN_SHA256*/
5098 #if defined(MBEDTLS_MD_CAN_SHA384)
5099 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5100 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5101 #endif
5102 #if defined(MBEDTLS_RSA_C)
5103 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
5104 #endif
5105 #endif /* MBEDTLS_MD_CAN_SHA256*/
5106 MBEDTLS_TLS_SIG_NONE
5107 };
5108 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5109
5110 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5111
5112 static uint16_t ssl_preset_suiteb_groups[] = {
5113 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5114 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5115 #endif
5116 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5117 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5118 #endif
5119 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5120 };
5121
5122 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5123 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
5124 * to make sure there are no duplicated signature algorithm entries. */
5125 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_no_sig_alg_duplication(uint16_t * sig_algs)5126 static int ssl_check_no_sig_alg_duplication(uint16_t *sig_algs)
5127 {
5128 size_t i, j;
5129 int ret = 0;
5130
5131 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
5132 for (j = 0; j < i; j++) {
5133 if (sig_algs[i] != sig_algs[j]) {
5134 continue;
5135 }
5136 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
5137 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
5138 sig_algs[i], j, i);
5139 ret = -1;
5140 }
5141 }
5142 return ret;
5143 }
5144
5145 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5146
5147 /*
5148 * Load default in mbedtls_ssl_config
5149 */
mbedtls_ssl_config_defaults(mbedtls_ssl_config * conf,int endpoint,int transport,int preset)5150 int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
5151 int endpoint, int transport, int preset)
5152 {
5153 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5154 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5155 #endif
5156
5157 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5158 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
5159 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
5160 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5161 }
5162
5163 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
5164 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
5165 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5166 }
5167
5168 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5169 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
5170 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
5171 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5172 }
5173
5174 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
5175 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
5176 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5177 }
5178 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5179 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5180
5181 /* Use the functions here so that they are covered in tests,
5182 * but otherwise access member directly for efficiency */
5183 mbedtls_ssl_conf_endpoint(conf, endpoint);
5184 mbedtls_ssl_conf_transport(conf, transport);
5185
5186 /*
5187 * Things that are common to all presets
5188 */
5189 #if defined(MBEDTLS_SSL_CLI_C)
5190 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
5191 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
5192 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
5193 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
5194 #endif
5195 }
5196 #endif
5197
5198 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5199 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
5200 #endif
5201
5202 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
5203 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
5204 #endif
5205
5206 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5207 conf->f_cookie_write = ssl_cookie_write_dummy;
5208 conf->f_cookie_check = ssl_cookie_check_dummy;
5209 #endif
5210
5211 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5212 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
5213 #endif
5214
5215 #if defined(MBEDTLS_SSL_SRV_C)
5216 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
5217 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
5218 #endif
5219
5220 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5221 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
5222 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
5223 #endif
5224
5225 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5226 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
5227 memset(conf->renego_period, 0x00, 2);
5228 memset(conf->renego_period + 2, 0xFF, 6);
5229 #endif
5230
5231 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5232 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
5233 const unsigned char dhm_p[] =
5234 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
5235 const unsigned char dhm_g[] =
5236 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
5237
5238 if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
5239 dhm_p, sizeof(dhm_p),
5240 dhm_g, sizeof(dhm_g))) != 0) {
5241 return ret;
5242 }
5243 }
5244 #endif
5245
5246 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5247
5248 #if defined(MBEDTLS_SSL_EARLY_DATA)
5249 mbedtls_ssl_tls13_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
5250 #if defined(MBEDTLS_SSL_SRV_C)
5251 mbedtls_ssl_tls13_conf_max_early_data_size(
5252 conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
5253 #endif
5254 #endif /* MBEDTLS_SSL_EARLY_DATA */
5255
5256 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
5257 mbedtls_ssl_conf_new_session_tickets(
5258 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS);
5259 #endif
5260 /*
5261 * Allow all TLS 1.3 key exchange modes by default.
5262 */
5263 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
5264 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5265
5266 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5267 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5268 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5269 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5270 #else
5271 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5272 #endif
5273 } else {
5274 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
5275 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5276 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5277 #elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
5278 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5279 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5280 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
5281 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5282 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5283 #else
5284 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5285 #endif
5286 }
5287
5288 /*
5289 * Preset-specific defaults
5290 */
5291 switch (preset) {
5292 /*
5293 * NSA Suite B
5294 */
5295 case MBEDTLS_SSL_PRESET_SUITEB:
5296
5297 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
5298
5299 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5300 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
5301 #endif
5302
5303 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5304 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5305 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
5306 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
5307 } else
5308 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5309 conf->sig_algs = ssl_preset_suiteb_sig_algs;
5310 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5311
5312 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
5313 conf->curve_list = NULL;
5314 #endif
5315 conf->group_list = ssl_preset_suiteb_groups;
5316 break;
5317
5318 /*
5319 * Default
5320 */
5321 default:
5322
5323 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
5324
5325 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5326 conf->cert_profile = &mbedtls_x509_crt_profile_default;
5327 #endif
5328
5329 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5330 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5331 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
5332 conf->sig_algs = ssl_tls12_preset_default_sig_algs;
5333 } else
5334 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5335 conf->sig_algs = ssl_preset_default_sig_algs;
5336 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5337
5338 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
5339 conf->curve_list = NULL;
5340 #endif
5341 conf->group_list = ssl_preset_default_groups;
5342
5343 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
5344 conf->dhm_min_bitlen = 1024;
5345 #endif
5346 }
5347
5348 return 0;
5349 }
5350
5351 /*
5352 * Free mbedtls_ssl_config
5353 */
mbedtls_ssl_config_free(mbedtls_ssl_config * conf)5354 void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
5355 {
5356 #if defined(MBEDTLS_DHM_C)
5357 mbedtls_mpi_free(&conf->dhm_P);
5358 mbedtls_mpi_free(&conf->dhm_G);
5359 #endif
5360
5361 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
5362 #if defined(MBEDTLS_USE_PSA_CRYPTO)
5363 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
5364 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
5365 }
5366 #endif /* MBEDTLS_USE_PSA_CRYPTO */
5367 if (conf->psk != NULL) {
5368 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
5369 conf->psk = NULL;
5370 conf->psk_len = 0;
5371 }
5372
5373 if (conf->psk_identity != NULL) {
5374 mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len);
5375 conf->psk_identity = NULL;
5376 conf->psk_identity_len = 0;
5377 }
5378 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
5379
5380 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5381 ssl_key_cert_free(conf->key_cert);
5382 #endif
5383
5384 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
5385 }
5386
5387 #if defined(MBEDTLS_PK_C) && \
5388 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
5389 /*
5390 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
5391 */
mbedtls_ssl_sig_from_pk(mbedtls_pk_context * pk)5392 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
5393 {
5394 #if defined(MBEDTLS_RSA_C)
5395 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
5396 return MBEDTLS_SSL_SIG_RSA;
5397 }
5398 #endif
5399 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
5400 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
5401 return MBEDTLS_SSL_SIG_ECDSA;
5402 }
5403 #endif
5404 return MBEDTLS_SSL_SIG_ANON;
5405 }
5406
mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)5407 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
5408 {
5409 switch (type) {
5410 case MBEDTLS_PK_RSA:
5411 return MBEDTLS_SSL_SIG_RSA;
5412 case MBEDTLS_PK_ECDSA:
5413 case MBEDTLS_PK_ECKEY:
5414 return MBEDTLS_SSL_SIG_ECDSA;
5415 default:
5416 return MBEDTLS_SSL_SIG_ANON;
5417 }
5418 }
5419
mbedtls_ssl_pk_alg_from_sig(unsigned char sig)5420 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
5421 {
5422 switch (sig) {
5423 #if defined(MBEDTLS_RSA_C)
5424 case MBEDTLS_SSL_SIG_RSA:
5425 return MBEDTLS_PK_RSA;
5426 #endif
5427 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
5428 case MBEDTLS_SSL_SIG_ECDSA:
5429 return MBEDTLS_PK_ECDSA;
5430 #endif
5431 default:
5432 return MBEDTLS_PK_NONE;
5433 }
5434 }
5435 #endif /* MBEDTLS_PK_C &&
5436 ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
5437
5438 /*
5439 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
5440 */
mbedtls_ssl_md_alg_from_hash(unsigned char hash)5441 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
5442 {
5443 switch (hash) {
5444 #if defined(MBEDTLS_MD_CAN_MD5)
5445 case MBEDTLS_SSL_HASH_MD5:
5446 return MBEDTLS_MD_MD5;
5447 #endif
5448 #if defined(MBEDTLS_MD_CAN_SHA1)
5449 case MBEDTLS_SSL_HASH_SHA1:
5450 return MBEDTLS_MD_SHA1;
5451 #endif
5452 #if defined(MBEDTLS_MD_CAN_SHA224)
5453 case MBEDTLS_SSL_HASH_SHA224:
5454 return MBEDTLS_MD_SHA224;
5455 #endif
5456 #if defined(MBEDTLS_MD_CAN_SHA256)
5457 case MBEDTLS_SSL_HASH_SHA256:
5458 return MBEDTLS_MD_SHA256;
5459 #endif
5460 #if defined(MBEDTLS_MD_CAN_SHA384)
5461 case MBEDTLS_SSL_HASH_SHA384:
5462 return MBEDTLS_MD_SHA384;
5463 #endif
5464 #if defined(MBEDTLS_MD_CAN_SHA512)
5465 case MBEDTLS_SSL_HASH_SHA512:
5466 return MBEDTLS_MD_SHA512;
5467 #endif
5468 default:
5469 return MBEDTLS_MD_NONE;
5470 }
5471 }
5472
5473 /*
5474 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
5475 */
mbedtls_ssl_hash_from_md_alg(int md)5476 unsigned char mbedtls_ssl_hash_from_md_alg(int md)
5477 {
5478 switch (md) {
5479 #if defined(MBEDTLS_MD_CAN_MD5)
5480 case MBEDTLS_MD_MD5:
5481 return MBEDTLS_SSL_HASH_MD5;
5482 #endif
5483 #if defined(MBEDTLS_MD_CAN_SHA1)
5484 case MBEDTLS_MD_SHA1:
5485 return MBEDTLS_SSL_HASH_SHA1;
5486 #endif
5487 #if defined(MBEDTLS_MD_CAN_SHA224)
5488 case MBEDTLS_MD_SHA224:
5489 return MBEDTLS_SSL_HASH_SHA224;
5490 #endif
5491 #if defined(MBEDTLS_MD_CAN_SHA256)
5492 case MBEDTLS_MD_SHA256:
5493 return MBEDTLS_SSL_HASH_SHA256;
5494 #endif
5495 #if defined(MBEDTLS_MD_CAN_SHA384)
5496 case MBEDTLS_MD_SHA384:
5497 return MBEDTLS_SSL_HASH_SHA384;
5498 #endif
5499 #if defined(MBEDTLS_MD_CAN_SHA512)
5500 case MBEDTLS_MD_SHA512:
5501 return MBEDTLS_SSL_HASH_SHA512;
5502 #endif
5503 default:
5504 return MBEDTLS_SSL_HASH_NONE;
5505 }
5506 }
5507
5508 /*
5509 * Check if a curve proposed by the peer is in our list.
5510 * Return 0 if we're willing to use it, -1 otherwise.
5511 */
mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context * ssl,uint16_t tls_id)5512 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id)
5513 {
5514 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
5515
5516 if (group_list == NULL) {
5517 return -1;
5518 }
5519
5520 for (; *group_list != 0; group_list++) {
5521 if (*group_list == tls_id) {
5522 return 0;
5523 }
5524 }
5525
5526 return -1;
5527 }
5528
5529 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
5530 /*
5531 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
5532 */
mbedtls_ssl_check_curve(const mbedtls_ssl_context * ssl,mbedtls_ecp_group_id grp_id)5533 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
5534 {
5535 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
5536
5537 if (tls_id == 0) {
5538 return -1;
5539 }
5540
5541 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
5542 }
5543 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
5544
5545 static const struct {
5546 uint16_t tls_id;
5547 mbedtls_ecp_group_id ecp_group_id;
5548 psa_ecc_family_t psa_family;
5549 uint16_t bits;
5550 } tls_id_match_table[] =
5551 {
5552 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
5553 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
5554 #endif
5555 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
5556 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
5557 #endif
5558 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5559 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
5560 #endif
5561 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
5562 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
5563 #endif
5564 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5565 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
5566 #endif
5567 #if defined(MBEDTLS_ECP_HAVE_SECP256K1)
5568 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
5569 #endif
5570 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
5571 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
5572 #endif
5573 #if defined(MBEDTLS_ECP_HAVE_SECP224R1)
5574 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
5575 #endif
5576 #if defined(MBEDTLS_ECP_HAVE_SECP224K1)
5577 { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
5578 #endif
5579 #if defined(MBEDTLS_ECP_HAVE_SECP192R1)
5580 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
5581 #endif
5582 #if defined(MBEDTLS_ECP_HAVE_SECP192K1)
5583 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
5584 #endif
5585 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
5586 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
5587 #endif
5588 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
5589 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
5590 #endif
5591 { 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
5592 };
5593
mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,psa_key_type_t * type,size_t * bits)5594 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
5595 psa_key_type_t *type,
5596 size_t *bits)
5597 {
5598 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
5599 if (tls_id_match_table[i].tls_id == tls_id) {
5600 if (type != NULL) {
5601 *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
5602 }
5603 if (bits != NULL) {
5604 *bits = tls_id_match_table[i].bits;
5605 }
5606 return PSA_SUCCESS;
5607 }
5608 }
5609
5610 return PSA_ERROR_NOT_SUPPORTED;
5611 }
5612
mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)5613 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
5614 {
5615 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
5616 if (tls_id_match_table[i].tls_id == tls_id) {
5617 return tls_id_match_table[i].ecp_group_id;
5618 }
5619 }
5620
5621 return MBEDTLS_ECP_DP_NONE;
5622 }
5623
mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)5624 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
5625 {
5626 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
5627 i++) {
5628 if (tls_id_match_table[i].ecp_group_id == grp_id) {
5629 return tls_id_match_table[i].tls_id;
5630 }
5631 }
5632
5633 return 0;
5634 }
5635
5636 #if defined(MBEDTLS_DEBUG_C)
5637 static const struct {
5638 uint16_t tls_id;
5639 const char *name;
5640 } tls_id_curve_name_table[] =
5641 {
5642 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },
5643 { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },
5644 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },
5645 { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },
5646 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
5647 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
5648 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
5649 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
5650 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
5651 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
5652 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
5653 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
5654 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
5655 { 0, NULL },
5656 };
5657
mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)5658 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
5659 {
5660 for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) {
5661 if (tls_id_curve_name_table[i].tls_id == tls_id) {
5662 return tls_id_curve_name_table[i].name;
5663 }
5664 }
5665
5666 return NULL;
5667 }
5668 #endif
5669
5670 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt * cert,const mbedtls_ssl_ciphersuite_t * ciphersuite,int cert_endpoint,uint32_t * flags)5671 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
5672 const mbedtls_ssl_ciphersuite_t *ciphersuite,
5673 int cert_endpoint,
5674 uint32_t *flags)
5675 {
5676 int ret = 0;
5677 int usage = 0;
5678 const char *ext_oid;
5679 size_t ext_len;
5680
5681 if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
5682 /* Server part of the key exchange */
5683 switch (ciphersuite->key_exchange) {
5684 case MBEDTLS_KEY_EXCHANGE_RSA:
5685 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
5686 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
5687 break;
5688
5689 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
5690 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
5691 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
5692 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
5693 break;
5694
5695 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
5696 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
5697 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
5698 break;
5699
5700 /* Don't use default: we want warnings when adding new values */
5701 case MBEDTLS_KEY_EXCHANGE_NONE:
5702 case MBEDTLS_KEY_EXCHANGE_PSK:
5703 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
5704 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
5705 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
5706 usage = 0;
5707 }
5708 } else {
5709 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
5710 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
5711 }
5712
5713 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
5714 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
5715 ret = -1;
5716 }
5717
5718 if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
5719 ext_oid = MBEDTLS_OID_SERVER_AUTH;
5720 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
5721 } else {
5722 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
5723 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
5724 }
5725
5726 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
5727 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
5728 ret = -1;
5729 }
5730
5731 return ret;
5732 }
5733 #endif /* MBEDTLS_X509_CRT_PARSE_C */
5734
5735 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)5736 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
5737 const mbedtls_md_type_t md,
5738 unsigned char *dst,
5739 size_t dst_len,
5740 size_t *olen)
5741 {
5742 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5743 psa_hash_operation_t *hash_operation_to_clone;
5744 psa_hash_operation_t hash_operation = psa_hash_operation_init();
5745
5746 *olen = 0;
5747
5748 switch (md) {
5749 #if defined(MBEDTLS_MD_CAN_SHA384)
5750 case MBEDTLS_MD_SHA384:
5751 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
5752 break;
5753 #endif
5754
5755 #if defined(MBEDTLS_MD_CAN_SHA256)
5756 case MBEDTLS_MD_SHA256:
5757 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
5758 break;
5759 #endif
5760
5761 default:
5762 goto exit;
5763 }
5764
5765 status = psa_hash_clone(hash_operation_to_clone, &hash_operation);
5766 if (status != PSA_SUCCESS) {
5767 goto exit;
5768 }
5769
5770 status = psa_hash_finish(&hash_operation, dst, dst_len, olen);
5771 if (status != PSA_SUCCESS) {
5772 goto exit;
5773 }
5774
5775 exit:
5776 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
5777 !defined(MBEDTLS_MD_CAN_SHA256)
5778 (void) ssl;
5779 #endif
5780 return PSA_TO_MBEDTLS_ERR(status);
5781 }
5782 #else /* MBEDTLS_USE_PSA_CRYPTO */
5783
5784 #if defined(MBEDTLS_MD_CAN_SHA384)
5785 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha384(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)5786 static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl,
5787 unsigned char *dst,
5788 size_t dst_len,
5789 size_t *olen)
5790 {
5791 int ret;
5792 mbedtls_md_context_t sha384;
5793
5794 if (dst_len < 48) {
5795 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
5796 }
5797
5798 mbedtls_md_init(&sha384);
5799 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
5800 if (ret != 0) {
5801 goto exit;
5802 }
5803 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
5804 if (ret != 0) {
5805 goto exit;
5806 }
5807
5808 if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) {
5809 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
5810 goto exit;
5811 }
5812
5813 *olen = 48;
5814
5815 exit:
5816
5817 mbedtls_md_free(&sha384);
5818 return ret;
5819 }
5820 #endif /* MBEDTLS_MD_CAN_SHA384 */
5821
5822 #if defined(MBEDTLS_MD_CAN_SHA256)
5823 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha256(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)5824 static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl,
5825 unsigned char *dst,
5826 size_t dst_len,
5827 size_t *olen)
5828 {
5829 int ret;
5830 mbedtls_md_context_t sha256;
5831
5832 if (dst_len < 32) {
5833 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
5834 }
5835
5836 mbedtls_md_init(&sha256);
5837 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
5838 if (ret != 0) {
5839 goto exit;
5840 }
5841 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
5842 if (ret != 0) {
5843 goto exit;
5844 }
5845
5846 if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) {
5847 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
5848 goto exit;
5849 }
5850
5851 *olen = 32;
5852
5853 exit:
5854
5855 mbedtls_md_free(&sha256);
5856 return ret;
5857 }
5858 #endif /* MBEDTLS_MD_CAN_SHA256 */
5859
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)5860 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
5861 const mbedtls_md_type_t md,
5862 unsigned char *dst,
5863 size_t dst_len,
5864 size_t *olen)
5865 {
5866 switch (md) {
5867
5868 #if defined(MBEDTLS_MD_CAN_SHA384)
5869 case MBEDTLS_MD_SHA384:
5870 return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen);
5871 #endif /* MBEDTLS_MD_CAN_SHA384*/
5872
5873 #if defined(MBEDTLS_MD_CAN_SHA256)
5874 case MBEDTLS_MD_SHA256:
5875 return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen);
5876 #endif /* MBEDTLS_MD_CAN_SHA256*/
5877
5878 default:
5879 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
5880 !defined(MBEDTLS_MD_CAN_SHA256)
5881 (void) ssl;
5882 (void) dst;
5883 (void) dst_len;
5884 (void) olen;
5885 #endif
5886 break;
5887 }
5888 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
5889 }
5890
5891 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
5892
5893 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5894 /* mbedtls_ssl_parse_sig_alg_ext()
5895 *
5896 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
5897 * value (TLS 1.3 RFC8446):
5898 * enum {
5899 * ....
5900 * ecdsa_secp256r1_sha256( 0x0403 ),
5901 * ecdsa_secp384r1_sha384( 0x0503 ),
5902 * ecdsa_secp521r1_sha512( 0x0603 ),
5903 * ....
5904 * } SignatureScheme;
5905 *
5906 * struct {
5907 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
5908 * } SignatureSchemeList;
5909 *
5910 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
5911 * value (TLS 1.2 RFC5246):
5912 * enum {
5913 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
5914 * sha512(6), (255)
5915 * } HashAlgorithm;
5916 *
5917 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
5918 * SignatureAlgorithm;
5919 *
5920 * struct {
5921 * HashAlgorithm hash;
5922 * SignatureAlgorithm signature;
5923 * } SignatureAndHashAlgorithm;
5924 *
5925 * SignatureAndHashAlgorithm
5926 * supported_signature_algorithms<2..2^16-2>;
5927 *
5928 * The TLS 1.3 signature algorithm extension was defined to be a compatible
5929 * generalization of the TLS 1.2 signature algorithm extension.
5930 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
5931 * `SignatureScheme` field of TLS 1.3
5932 *
5933 */
mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)5934 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
5935 const unsigned char *buf,
5936 const unsigned char *end)
5937 {
5938 const unsigned char *p = buf;
5939 size_t supported_sig_algs_len = 0;
5940 const unsigned char *supported_sig_algs_end;
5941 uint16_t sig_alg;
5942 uint32_t common_idx = 0;
5943
5944 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
5945 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0);
5946 p += 2;
5947
5948 memset(ssl->handshake->received_sig_algs, 0,
5949 sizeof(ssl->handshake->received_sig_algs));
5950
5951 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len);
5952 supported_sig_algs_end = p + supported_sig_algs_len;
5953 while (p < supported_sig_algs_end) {
5954 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2);
5955 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
5956 p += 2;
5957 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s",
5958 sig_alg,
5959 mbedtls_ssl_sig_alg_to_str(sig_alg)));
5960 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5961 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
5962 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) &&
5963 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) {
5964 continue;
5965 }
5966 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5967
5968 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s",
5969 mbedtls_ssl_sig_alg_to_str(sig_alg)));
5970
5971 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) {
5972 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
5973 common_idx += 1;
5974 }
5975 }
5976 /* Check that we consumed all the message. */
5977 if (p != end) {
5978 MBEDTLS_SSL_DEBUG_MSG(1,
5979 ("Signature algorithms extension length misaligned"));
5980 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
5981 MBEDTLS_ERR_SSL_DECODE_ERROR);
5982 return MBEDTLS_ERR_SSL_DECODE_ERROR;
5983 }
5984
5985 if (common_idx == 0) {
5986 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common"));
5987 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
5988 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
5989 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
5990 }
5991
5992 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
5993 return 0;
5994 }
5995
5996 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5997
5998 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5999
6000 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6001
setup_psa_key_derivation(psa_key_derivation_operation_t * derivation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,const unsigned char * raw_psk,size_t raw_psk_length,const unsigned char * seed,size_t seed_length,const unsigned char * label,size_t label_length,const unsigned char * other_secret,size_t other_secret_length,size_t capacity)6002 static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
6003 mbedtls_svc_key_id_t key,
6004 psa_algorithm_t alg,
6005 const unsigned char *raw_psk, size_t raw_psk_length,
6006 const unsigned char *seed, size_t seed_length,
6007 const unsigned char *label, size_t label_length,
6008 const unsigned char *other_secret,
6009 size_t other_secret_length,
6010 size_t capacity)
6011 {
6012 psa_status_t status;
6013
6014 status = psa_key_derivation_setup(derivation, alg);
6015 if (status != PSA_SUCCESS) {
6016 return status;
6017 }
6018
6019 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
6020 status = psa_key_derivation_input_bytes(derivation,
6021 PSA_KEY_DERIVATION_INPUT_SEED,
6022 seed, seed_length);
6023 if (status != PSA_SUCCESS) {
6024 return status;
6025 }
6026
6027 if (other_secret != NULL) {
6028 status = psa_key_derivation_input_bytes(derivation,
6029 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
6030 other_secret, other_secret_length);
6031 if (status != PSA_SUCCESS) {
6032 return status;
6033 }
6034 }
6035
6036 if (mbedtls_svc_key_id_is_null(key)) {
6037 status = psa_key_derivation_input_bytes(
6038 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
6039 raw_psk, raw_psk_length);
6040 } else {
6041 status = psa_key_derivation_input_key(
6042 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
6043 }
6044 if (status != PSA_SUCCESS) {
6045 return status;
6046 }
6047
6048 status = psa_key_derivation_input_bytes(derivation,
6049 PSA_KEY_DERIVATION_INPUT_LABEL,
6050 label, label_length);
6051 if (status != PSA_SUCCESS) {
6052 return status;
6053 }
6054 } else {
6055 return PSA_ERROR_NOT_SUPPORTED;
6056 }
6057
6058 status = psa_key_derivation_set_capacity(derivation, capacity);
6059 if (status != PSA_SUCCESS) {
6060 return status;
6061 }
6062
6063 return PSA_SUCCESS;
6064 }
6065
6066 #if defined(PSA_WANT_ALG_SHA_384) || \
6067 defined(PSA_WANT_ALG_SHA_256)
6068 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6069 static int tls_prf_generic(mbedtls_md_type_t md_type,
6070 const unsigned char *secret, size_t slen,
6071 const char *label,
6072 const unsigned char *random, size_t rlen,
6073 unsigned char *dstbuf, size_t dlen)
6074 {
6075 psa_status_t status;
6076 psa_algorithm_t alg;
6077 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
6078 psa_key_derivation_operation_t derivation =
6079 PSA_KEY_DERIVATION_OPERATION_INIT;
6080
6081 if (md_type == MBEDTLS_MD_SHA384) {
6082 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
6083 } else {
6084 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
6085 }
6086
6087 /* Normally a "secret" should be long enough to be impossible to
6088 * find by brute force, and in particular should not be empty. But
6089 * this PRF is also used to derive an IV, in particular in EAP-TLS,
6090 * and for this use case it makes sense to have a 0-length "secret".
6091 * Since the key API doesn't allow importing a key of length 0,
6092 * keep master_key=0, which setup_psa_key_derivation() understands
6093 * to mean a 0-length "secret" input. */
6094 if (slen != 0) {
6095 psa_key_attributes_t key_attributes = psa_key_attributes_init();
6096 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
6097 psa_set_key_algorithm(&key_attributes, alg);
6098 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
6099
6100 status = psa_import_key(&key_attributes, secret, slen, &master_key);
6101 if (status != PSA_SUCCESS) {
6102 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6103 }
6104 }
6105
6106 status = setup_psa_key_derivation(&derivation,
6107 master_key, alg,
6108 NULL, 0,
6109 random, rlen,
6110 (unsigned char const *) label,
6111 (size_t) strlen(label),
6112 NULL, 0,
6113 dlen);
6114 if (status != PSA_SUCCESS) {
6115 psa_key_derivation_abort(&derivation);
6116 psa_destroy_key(master_key);
6117 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6118 }
6119
6120 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
6121 if (status != PSA_SUCCESS) {
6122 psa_key_derivation_abort(&derivation);
6123 psa_destroy_key(master_key);
6124 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6125 }
6126
6127 status = psa_key_derivation_abort(&derivation);
6128 if (status != PSA_SUCCESS) {
6129 psa_destroy_key(master_key);
6130 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6131 }
6132
6133 if (!mbedtls_svc_key_id_is_null(master_key)) {
6134 status = psa_destroy_key(master_key);
6135 }
6136 if (status != PSA_SUCCESS) {
6137 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6138 }
6139
6140 return 0;
6141 }
6142 #endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
6143 #else /* MBEDTLS_USE_PSA_CRYPTO */
6144
6145 #if defined(MBEDTLS_MD_C) && \
6146 (defined(MBEDTLS_MD_CAN_SHA256) || \
6147 defined(MBEDTLS_MD_CAN_SHA384))
6148 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6149 static int tls_prf_generic(mbedtls_md_type_t md_type,
6150 const unsigned char *secret, size_t slen,
6151 const char *label,
6152 const unsigned char *random, size_t rlen,
6153 unsigned char *dstbuf, size_t dlen)
6154 {
6155 size_t nb;
6156 size_t i, j, k, md_len;
6157 unsigned char *tmp;
6158 size_t tmp_len = 0;
6159 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
6160 const mbedtls_md_info_t *md_info;
6161 mbedtls_md_context_t md_ctx;
6162 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6163
6164 mbedtls_md_init(&md_ctx);
6165
6166 if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) {
6167 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6168 }
6169
6170 md_len = mbedtls_md_get_size(md_info);
6171
6172 tmp_len = md_len + strlen(label) + rlen;
6173 tmp = mbedtls_calloc(1, tmp_len);
6174 if (tmp == NULL) {
6175 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
6176 goto exit;
6177 }
6178
6179 nb = strlen(label);
6180 memcpy(tmp + md_len, label, nb);
6181 memcpy(tmp + md_len + nb, random, rlen);
6182 nb += rlen;
6183
6184 /*
6185 * Compute P_<hash>(secret, label + random)[0..dlen]
6186 */
6187 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
6188 goto exit;
6189 }
6190
6191 ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen);
6192 if (ret != 0) {
6193 goto exit;
6194 }
6195 ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb);
6196 if (ret != 0) {
6197 goto exit;
6198 }
6199 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6200 if (ret != 0) {
6201 goto exit;
6202 }
6203
6204 for (i = 0; i < dlen; i += md_len) {
6205 ret = mbedtls_md_hmac_reset(&md_ctx);
6206 if (ret != 0) {
6207 goto exit;
6208 }
6209 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb);
6210 if (ret != 0) {
6211 goto exit;
6212 }
6213 ret = mbedtls_md_hmac_finish(&md_ctx, h_i);
6214 if (ret != 0) {
6215 goto exit;
6216 }
6217
6218 ret = mbedtls_md_hmac_reset(&md_ctx);
6219 if (ret != 0) {
6220 goto exit;
6221 }
6222 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len);
6223 if (ret != 0) {
6224 goto exit;
6225 }
6226 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6227 if (ret != 0) {
6228 goto exit;
6229 }
6230
6231 k = (i + md_len > dlen) ? dlen % md_len : md_len;
6232
6233 for (j = 0; j < k; j++) {
6234 dstbuf[i + j] = h_i[j];
6235 }
6236 }
6237
6238 exit:
6239 mbedtls_md_free(&md_ctx);
6240
6241 if (tmp != NULL) {
6242 mbedtls_platform_zeroize(tmp, tmp_len);
6243 }
6244
6245 mbedtls_platform_zeroize(h_i, sizeof(h_i));
6246
6247 mbedtls_free(tmp);
6248
6249 return ret;
6250 }
6251 #endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */
6252 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6253
6254 #if defined(MBEDTLS_MD_CAN_SHA256)
6255 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha256(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6256 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
6257 const char *label,
6258 const unsigned char *random, size_t rlen,
6259 unsigned char *dstbuf, size_t dlen)
6260 {
6261 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
6262 label, random, rlen, dstbuf, dlen);
6263 }
6264 #endif /* MBEDTLS_MD_CAN_SHA256*/
6265
6266 #if defined(MBEDTLS_MD_CAN_SHA384)
6267 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha384(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6268 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
6269 const char *label,
6270 const unsigned char *random, size_t rlen,
6271 unsigned char *dstbuf, size_t dlen)
6272 {
6273 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
6274 label, random, rlen, dstbuf, dlen);
6275 }
6276 #endif /* MBEDTLS_MD_CAN_SHA384*/
6277
6278 /*
6279 * Set appropriate PRF function and other SSL / TLS1.2 functions
6280 *
6281 * Inputs:
6282 * - hash associated with the ciphersuite (only used by TLS 1.2)
6283 *
6284 * Outputs:
6285 * - the tls_prf, calc_verify and calc_finished members of handshake structure
6286 */
6287 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_set_handshake_prfs(mbedtls_ssl_handshake_params * handshake,mbedtls_md_type_t hash)6288 static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
6289 mbedtls_md_type_t hash)
6290 {
6291 #if defined(MBEDTLS_MD_CAN_SHA384)
6292 if (hash == MBEDTLS_MD_SHA384) {
6293 handshake->tls_prf = tls_prf_sha384;
6294 handshake->calc_verify = ssl_calc_verify_tls_sha384;
6295 handshake->calc_finished = ssl_calc_finished_tls_sha384;
6296 } else
6297 #endif
6298 #if defined(MBEDTLS_MD_CAN_SHA256)
6299 {
6300 (void) hash;
6301 handshake->tls_prf = tls_prf_sha256;
6302 handshake->calc_verify = ssl_calc_verify_tls_sha256;
6303 handshake->calc_finished = ssl_calc_finished_tls_sha256;
6304 }
6305 #else
6306 {
6307 (void) handshake;
6308 (void) hash;
6309 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6310 }
6311 #endif
6312
6313 return 0;
6314 }
6315
6316 /*
6317 * Compute master secret if needed
6318 *
6319 * Parameters:
6320 * [in/out] handshake
6321 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
6322 * (PSA-PSK) ciphersuite_info, psk_opaque
6323 * [out] premaster (cleared)
6324 * [out] master
6325 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
6326 * debug: conf->f_dbg, conf->p_dbg
6327 * EMS: passed to calc_verify (debug + session_negotiate)
6328 * PSA-PSA: conf
6329 */
6330 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_compute_master(mbedtls_ssl_handshake_params * handshake,unsigned char * master,const mbedtls_ssl_context * ssl)6331 static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
6332 unsigned char *master,
6333 const mbedtls_ssl_context *ssl)
6334 {
6335 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6336
6337 /* cf. RFC 5246, Section 8.1:
6338 * "The master secret is always exactly 48 bytes in length." */
6339 size_t const master_secret_len = 48;
6340
6341 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6342 unsigned char session_hash[48];
6343 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
6344
6345 /* The label for the KDF used for key expansion.
6346 * This is either "master secret" or "extended master secret"
6347 * depending on whether the Extended Master Secret extension
6348 * is used. */
6349 char const *lbl = "master secret";
6350
6351 /* The seed for the KDF used for key expansion.
6352 * - If the Extended Master Secret extension is not used,
6353 * this is ClientHello.Random + ServerHello.Random
6354 * (see Sect. 8.1 in RFC 5246).
6355 * - If the Extended Master Secret extension is used,
6356 * this is the transcript of the handshake so far.
6357 * (see Sect. 4 in RFC 7627). */
6358 unsigned char const *seed = handshake->randbytes;
6359 size_t seed_len = 64;
6360
6361 #if !defined(MBEDTLS_DEBUG_C) && \
6362 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
6363 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
6364 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
6365 ssl = NULL; /* make sure we don't use it except for those cases */
6366 (void) ssl;
6367 #endif
6368
6369 if (handshake->resume != 0) {
6370 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
6371 return 0;
6372 }
6373
6374 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6375 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
6376 lbl = "extended master secret";
6377 seed = session_hash;
6378 ret = handshake->calc_verify(ssl, session_hash, &seed_len);
6379 if (ret != 0) {
6380 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
6381 }
6382
6383 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
6384 session_hash, seed_len);
6385 }
6386 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
6387
6388 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
6389 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
6390 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) {
6391 /* Perform PSK-to-MS expansion in a single step. */
6392 psa_status_t status;
6393 psa_algorithm_t alg;
6394 mbedtls_svc_key_id_t psk;
6395 psa_key_derivation_operation_t derivation =
6396 PSA_KEY_DERIVATION_OPERATION_INIT;
6397 mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
6398
6399 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
6400
6401 psk = mbedtls_ssl_get_opaque_psk(ssl);
6402
6403 if (hash_alg == MBEDTLS_MD_SHA384) {
6404 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
6405 } else {
6406 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
6407 }
6408
6409 size_t other_secret_len = 0;
6410 unsigned char *other_secret = NULL;
6411
6412 switch (handshake->ciphersuite_info->key_exchange) {
6413 /* Provide other secret.
6414 * Other secret is stored in premaster, where first 2 bytes hold the
6415 * length of the other key.
6416 */
6417 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
6418 /* For RSA-PSK other key length is always 48 bytes. */
6419 other_secret_len = 48;
6420 other_secret = handshake->premaster + 2;
6421 break;
6422 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
6423 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
6424 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
6425 other_secret = handshake->premaster + 2;
6426 break;
6427 default:
6428 break;
6429 }
6430
6431 status = setup_psa_key_derivation(&derivation, psk, alg,
6432 ssl->conf->psk, ssl->conf->psk_len,
6433 seed, seed_len,
6434 (unsigned char const *) lbl,
6435 (size_t) strlen(lbl),
6436 other_secret, other_secret_len,
6437 master_secret_len);
6438 if (status != PSA_SUCCESS) {
6439 psa_key_derivation_abort(&derivation);
6440 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6441 }
6442
6443 status = psa_key_derivation_output_bytes(&derivation,
6444 master,
6445 master_secret_len);
6446 if (status != PSA_SUCCESS) {
6447 psa_key_derivation_abort(&derivation);
6448 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6449 }
6450
6451 status = psa_key_derivation_abort(&derivation);
6452 if (status != PSA_SUCCESS) {
6453 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6454 }
6455 } else
6456 #endif
6457 {
6458 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
6459 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
6460 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
6461 psa_status_t status;
6462 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
6463 psa_key_derivation_operation_t derivation =
6464 PSA_KEY_DERIVATION_OPERATION_INIT;
6465
6466 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE"));
6467
6468 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
6469
6470 status = psa_key_derivation_setup(&derivation, alg);
6471 if (status != PSA_SUCCESS) {
6472 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6473 }
6474
6475 status = psa_key_derivation_set_capacity(&derivation,
6476 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
6477 if (status != PSA_SUCCESS) {
6478 psa_key_derivation_abort(&derivation);
6479 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6480 }
6481
6482 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx,
6483 &derivation);
6484 if (status != PSA_SUCCESS) {
6485 psa_key_derivation_abort(&derivation);
6486 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6487 }
6488
6489 status = psa_key_derivation_output_bytes(&derivation,
6490 handshake->premaster,
6491 handshake->pmslen);
6492 if (status != PSA_SUCCESS) {
6493 psa_key_derivation_abort(&derivation);
6494 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6495 }
6496
6497 status = psa_key_derivation_abort(&derivation);
6498 if (status != PSA_SUCCESS) {
6499 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6500 }
6501 }
6502 #endif
6503 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
6504 lbl, seed, seed_len,
6505 master,
6506 master_secret_len);
6507 if (ret != 0) {
6508 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
6509 return ret;
6510 }
6511
6512 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
6513 handshake->premaster,
6514 handshake->pmslen);
6515
6516 mbedtls_platform_zeroize(handshake->premaster,
6517 sizeof(handshake->premaster));
6518 }
6519
6520 return 0;
6521 }
6522
mbedtls_ssl_derive_keys(mbedtls_ssl_context * ssl)6523 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
6524 {
6525 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6526 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
6527 ssl->handshake->ciphersuite_info;
6528
6529 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
6530
6531 /* Set PRF, calc_verify and calc_finished function pointers */
6532 ret = ssl_set_handshake_prfs(ssl->handshake,
6533 (mbedtls_md_type_t) ciphersuite_info->mac);
6534 if (ret != 0) {
6535 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
6536 return ret;
6537 }
6538
6539 /* Compute master secret if needed */
6540 ret = ssl_compute_master(ssl->handshake,
6541 ssl->session_negotiate->master,
6542 ssl);
6543 if (ret != 0) {
6544 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
6545 return ret;
6546 }
6547
6548 /* Swap the client and server random values:
6549 * - MS derivation wanted client+server (RFC 5246 8.1)
6550 * - key derivation wants server+client (RFC 5246 6.3) */
6551 {
6552 unsigned char tmp[64];
6553 memcpy(tmp, ssl->handshake->randbytes, 64);
6554 memcpy(ssl->handshake->randbytes, tmp + 32, 32);
6555 memcpy(ssl->handshake->randbytes + 32, tmp, 32);
6556 mbedtls_platform_zeroize(tmp, sizeof(tmp));
6557 }
6558
6559 /* Populate transform structure */
6560 ret = ssl_tls12_populate_transform(ssl->transform_negotiate,
6561 ssl->session_negotiate->ciphersuite,
6562 ssl->session_negotiate->master,
6563 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
6564 ssl->session_negotiate->encrypt_then_mac,
6565 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
6566 ssl->handshake->tls_prf,
6567 ssl->handshake->randbytes,
6568 ssl->tls_version,
6569 ssl->conf->endpoint,
6570 ssl);
6571 if (ret != 0) {
6572 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret);
6573 return ret;
6574 }
6575
6576 /* We no longer need Server/ClientHello.random values */
6577 mbedtls_platform_zeroize(ssl->handshake->randbytes,
6578 sizeof(ssl->handshake->randbytes));
6579
6580 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
6581
6582 return 0;
6583 }
6584
mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context * ssl,int md)6585 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
6586 {
6587 switch (md) {
6588 #if defined(MBEDTLS_MD_CAN_SHA384)
6589 case MBEDTLS_SSL_HASH_SHA384:
6590 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
6591 break;
6592 #endif
6593 #if defined(MBEDTLS_MD_CAN_SHA256)
6594 case MBEDTLS_SSL_HASH_SHA256:
6595 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
6596 break;
6597 #endif
6598 default:
6599 return -1;
6600 }
6601 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
6602 !defined(MBEDTLS_MD_CAN_SHA256)
6603 (void) ssl;
6604 #endif
6605 return 0;
6606 }
6607
6608 #if defined(MBEDTLS_USE_PSA_CRYPTO)
ssl_calc_verify_tls_psa(const mbedtls_ssl_context * ssl,const psa_hash_operation_t * hs_op,size_t buffer_size,unsigned char * hash,size_t * hlen)6609 static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
6610 const psa_hash_operation_t *hs_op,
6611 size_t buffer_size,
6612 unsigned char *hash,
6613 size_t *hlen)
6614 {
6615 psa_status_t status;
6616 psa_hash_operation_t cloned_op = psa_hash_operation_init();
6617
6618 #if !defined(MBEDTLS_DEBUG_C)
6619 (void) ssl;
6620 #endif
6621 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
6622 status = psa_hash_clone(hs_op, &cloned_op);
6623 if (status != PSA_SUCCESS) {
6624 goto exit;
6625 }
6626
6627 status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
6628 if (status != PSA_SUCCESS) {
6629 goto exit;
6630 }
6631
6632 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
6633 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
6634
6635 exit:
6636 psa_hash_abort(&cloned_op);
6637 return mbedtls_md_error_from_psa(status);
6638 }
6639 #else
ssl_calc_verify_tls_legacy(const mbedtls_ssl_context * ssl,const mbedtls_md_context_t * hs_ctx,unsigned char * hash,size_t * hlen)6640 static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl,
6641 const mbedtls_md_context_t *hs_ctx,
6642 unsigned char *hash,
6643 size_t *hlen)
6644 {
6645 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6646 mbedtls_md_context_t cloned_ctx;
6647
6648 mbedtls_md_init(&cloned_ctx);
6649
6650 #if !defined(MBEDTLS_DEBUG_C)
6651 (void) ssl;
6652 #endif
6653 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify"));
6654
6655 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
6656 if (ret != 0) {
6657 goto exit;
6658 }
6659 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
6660 if (ret != 0) {
6661 goto exit;
6662 }
6663
6664 ret = mbedtls_md_finish(&cloned_ctx, hash);
6665 if (ret != 0) {
6666 goto exit;
6667 }
6668
6669 *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx));
6670
6671 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
6672 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
6673
6674 exit:
6675 mbedtls_md_free(&cloned_ctx);
6676 return ret;
6677 }
6678 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6679
6680 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_calc_verify_tls_sha256(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)6681 int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
6682 unsigned char *hash,
6683 size_t *hlen)
6684 {
6685 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6686 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
6687 hash, hlen);
6688 #else
6689 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256,
6690 hash, hlen);
6691 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6692 }
6693 #endif /* MBEDTLS_MD_CAN_SHA256 */
6694
6695 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_calc_verify_tls_sha384(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)6696 int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
6697 unsigned char *hash,
6698 size_t *hlen)
6699 {
6700 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6701 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
6702 hash, hlen);
6703 #else
6704 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384,
6705 hash, hlen);
6706 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6707 }
6708 #endif /* MBEDTLS_MD_CAN_SHA384 */
6709
6710 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
6711 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context * ssl,mbedtls_key_exchange_type_t key_ex)6712 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex)
6713 {
6714 unsigned char *p = ssl->handshake->premaster;
6715 unsigned char *end = p + sizeof(ssl->handshake->premaster);
6716 const unsigned char *psk = NULL;
6717 size_t psk_len = 0;
6718 int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len);
6719
6720 if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) {
6721 /*
6722 * This should never happen because the existence of a PSK is always
6723 * checked before calling this function.
6724 *
6725 * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with
6726 * the shared secret without PSK.
6727 */
6728 if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
6729 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6730 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6731 }
6732 }
6733
6734 /*
6735 * PMS = struct {
6736 * opaque other_secret<0..2^16-1>;
6737 * opaque psk<0..2^16-1>;
6738 * };
6739 * with "other_secret" depending on the particular key exchange
6740 */
6741 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
6742 if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) {
6743 if (end - p < 2) {
6744 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
6745 }
6746
6747 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
6748 p += 2;
6749
6750 if (end < p || (size_t) (end - p) < psk_len) {
6751 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
6752 }
6753
6754 memset(p, 0, psk_len);
6755 p += psk_len;
6756 } else
6757 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
6758 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
6759 if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
6760 /*
6761 * other_secret already set by the ClientKeyExchange message,
6762 * and is 48 bytes long
6763 */
6764 if (end - p < 2) {
6765 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
6766 }
6767
6768 *p++ = 0;
6769 *p++ = 48;
6770 p += 48;
6771 } else
6772 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
6773 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
6774 if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
6775 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6776 size_t len;
6777
6778 /* Write length only when we know the actual value */
6779 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
6780 p + 2, end - (p + 2), &len,
6781 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
6782 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
6783 return ret;
6784 }
6785 MBEDTLS_PUT_UINT16_BE(len, p, 0);
6786 p += 2 + len;
6787
6788 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
6789 } else
6790 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
6791 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
6792 if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
6793 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6794 size_t zlen;
6795
6796 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen,
6797 p + 2, end - (p + 2),
6798 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
6799 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
6800 return ret;
6801 }
6802
6803 MBEDTLS_PUT_UINT16_BE(zlen, p, 0);
6804 p += 2 + zlen;
6805
6806 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
6807 MBEDTLS_DEBUG_ECDH_Z);
6808 } else
6809 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
6810 {
6811 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6812 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6813 }
6814
6815 /* opaque psk<0..2^16-1>; */
6816 if (end - p < 2) {
6817 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
6818 }
6819
6820 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
6821 p += 2;
6822
6823 if (end < p || (size_t) (end - p) < psk_len) {
6824 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
6825 }
6826
6827 memcpy(p, psk, psk_len);
6828 p += psk_len;
6829
6830 ssl->handshake->pmslen = p - ssl->handshake->premaster;
6831
6832 return 0;
6833 }
6834 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
6835
6836 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
6837 MBEDTLS_CHECK_RETURN_CRITICAL
6838 static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
6839
6840 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_resend_hello_request(mbedtls_ssl_context * ssl)6841 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl)
6842 {
6843 /* If renegotiation is not enforced, retransmit until we would reach max
6844 * timeout if we were using the usual handshake doubling scheme */
6845 if (ssl->conf->renego_max_records < 0) {
6846 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
6847 unsigned char doublings = 1;
6848
6849 while (ratio != 0) {
6850 ++doublings;
6851 ratio >>= 1;
6852 }
6853
6854 if (++ssl->renego_records_seen > doublings) {
6855 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
6856 return 0;
6857 }
6858 }
6859
6860 return ssl_write_hello_request(ssl);
6861 }
6862 #endif
6863 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
6864
6865 /*
6866 * Handshake functions
6867 */
6868 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
6869 /* No certificate support -> dummy functions */
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)6870 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
6871 {
6872 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6873 ssl->handshake->ciphersuite_info;
6874
6875 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
6876
6877 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6878 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
6879 ssl->state++;
6880 return 0;
6881 }
6882
6883 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6884 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6885 }
6886
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)6887 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
6888 {
6889 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6890 ssl->handshake->ciphersuite_info;
6891
6892 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
6893
6894 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6895 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
6896 ssl->state++;
6897 return 0;
6898 }
6899
6900 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6901 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6902 }
6903
6904 #else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
6905 /* Some certificate support -> implement write and parse */
6906
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)6907 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
6908 {
6909 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
6910 size_t i, n;
6911 const mbedtls_x509_crt *crt;
6912 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6913 ssl->handshake->ciphersuite_info;
6914
6915 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
6916
6917 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6918 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
6919 ssl->state++;
6920 return 0;
6921 }
6922
6923 #if defined(MBEDTLS_SSL_CLI_C)
6924 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
6925 if (ssl->handshake->client_auth == 0) {
6926 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
6927 ssl->state++;
6928 return 0;
6929 }
6930 }
6931 #endif /* MBEDTLS_SSL_CLI_C */
6932 #if defined(MBEDTLS_SSL_SRV_C)
6933 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
6934 if (mbedtls_ssl_own_cert(ssl) == NULL) {
6935 /* Should never happen because we shouldn't have picked the
6936 * ciphersuite if we don't have a certificate. */
6937 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6938 }
6939 }
6940 #endif
6941
6942 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
6943
6944 /*
6945 * 0 . 0 handshake type
6946 * 1 . 3 handshake length
6947 * 4 . 6 length of all certs
6948 * 7 . 9 length of cert. 1
6949 * 10 . n-1 peer certificate
6950 * n . n+2 length of cert. 2
6951 * n+3 . ... upper level cert, etc.
6952 */
6953 i = 7;
6954 crt = mbedtls_ssl_own_cert(ssl);
6955
6956 while (crt != NULL) {
6957 n = crt->raw.len;
6958 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
6959 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
6960 " > %" MBEDTLS_PRINTF_SIZET,
6961 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
6962 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
6963 }
6964
6965 ssl->out_msg[i] = MBEDTLS_BYTE_2(n);
6966 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n);
6967 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n);
6968
6969 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n);
6970 i += n; crt = crt->next;
6971 }
6972
6973 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7);
6974 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7);
6975 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7);
6976
6977 ssl->out_msglen = i;
6978 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
6979 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
6980
6981 ssl->state++;
6982
6983 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
6984 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
6985 return ret;
6986 }
6987
6988 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
6989
6990 return ret;
6991 }
6992
6993 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
6994
6995 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
6996 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)6997 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
6998 unsigned char *crt_buf,
6999 size_t crt_buf_len)
7000 {
7001 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
7002
7003 if (peer_crt == NULL) {
7004 return -1;
7005 }
7006
7007 if (peer_crt->raw.len != crt_buf_len) {
7008 return -1;
7009 }
7010
7011 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len);
7012 }
7013 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7014 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)7015 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7016 unsigned char *crt_buf,
7017 size_t crt_buf_len)
7018 {
7019 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7020 unsigned char const * const peer_cert_digest =
7021 ssl->session->peer_cert_digest;
7022 mbedtls_md_type_t const peer_cert_digest_type =
7023 ssl->session->peer_cert_digest_type;
7024 mbedtls_md_info_t const * const digest_info =
7025 mbedtls_md_info_from_type(peer_cert_digest_type);
7026 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
7027 size_t digest_len;
7028
7029 if (peer_cert_digest == NULL || digest_info == NULL) {
7030 return -1;
7031 }
7032
7033 digest_len = mbedtls_md_get_size(digest_info);
7034 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) {
7035 return -1;
7036 }
7037
7038 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
7039 if (ret != 0) {
7040 return -1;
7041 }
7042
7043 return memcmp(tmp_digest, peer_cert_digest, digest_len);
7044 }
7045 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7046 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7047
7048 /*
7049 * Once the certificate message is read, parse it into a cert chain and
7050 * perform basic checks, but leave actual verification to the caller
7051 */
7052 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * chain)7053 static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
7054 mbedtls_x509_crt *chain)
7055 {
7056 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7057 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7058 int crt_cnt = 0;
7059 #endif
7060 size_t i, n;
7061 uint8_t alert;
7062
7063 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
7064 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7065 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7066 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7067 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7068 }
7069
7070 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) {
7071 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7072 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7073 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7074 }
7075
7076 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
7077 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7078 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7079 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7080 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7081 }
7082
7083 i = mbedtls_ssl_hs_hdr_len(ssl);
7084
7085 /*
7086 * Same message structure as in mbedtls_ssl_write_certificate()
7087 */
7088 n = (ssl->in_msg[i+1] << 8) | ssl->in_msg[i+2];
7089
7090 if (ssl->in_msg[i] != 0 ||
7091 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
7092 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7093 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7094 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7095 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7096 }
7097
7098 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
7099 i += 3;
7100
7101 /* Iterate through and parse the CRTs in the provided chain. */
7102 while (i < ssl->in_hslen) {
7103 /* Check that there's room for the next CRT's length fields. */
7104 if (i + 3 > ssl->in_hslen) {
7105 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7106 mbedtls_ssl_send_alert_message(ssl,
7107 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7108 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7109 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7110 }
7111 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
7112 * anything beyond 2**16 ~ 64K. */
7113 if (ssl->in_msg[i] != 0) {
7114 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7115 mbedtls_ssl_send_alert_message(ssl,
7116 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7117 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
7118 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7119 }
7120
7121 /* Read length of the next CRT in the chain. */
7122 n = ((unsigned int) ssl->in_msg[i + 1] << 8)
7123 | (unsigned int) ssl->in_msg[i + 2];
7124 i += 3;
7125
7126 if (n < 128 || i + n > ssl->in_hslen) {
7127 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7128 mbedtls_ssl_send_alert_message(ssl,
7129 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7130 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7131 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7132 }
7133
7134 /* Check if we're handling the first CRT in the chain. */
7135 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7136 if (crt_cnt++ == 0 &&
7137 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
7138 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
7139 /* During client-side renegotiation, check that the server's
7140 * end-CRTs hasn't changed compared to the initial handshake,
7141 * mitigating the triple handshake attack. On success, reuse
7142 * the original end-CRT instead of parsing it again. */
7143 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
7144 if (ssl_check_peer_crt_unchanged(ssl,
7145 &ssl->in_msg[i],
7146 n) != 0) {
7147 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
7148 mbedtls_ssl_send_alert_message(ssl,
7149 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7150 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
7151 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7152 }
7153
7154 /* Now we can safely free the original chain. */
7155 ssl_clear_peer_cert(ssl->session);
7156 }
7157 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7158
7159 /* Parse the next certificate in the chain. */
7160 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7161 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
7162 #else
7163 /* If we don't need to store the CRT chain permanently, parse
7164 * it in-place from the input buffer instead of making a copy. */
7165 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
7166 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7167 switch (ret) {
7168 case 0: /*ok*/
7169 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
7170 /* Ignore certificate with an unknown algorithm: maybe a
7171 prior certificate was already trusted. */
7172 break;
7173
7174 case MBEDTLS_ERR_X509_ALLOC_FAILED:
7175 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
7176 goto crt_parse_der_failed;
7177
7178 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
7179 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7180 goto crt_parse_der_failed;
7181
7182 default:
7183 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
7184 crt_parse_der_failed:
7185 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
7186 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
7187 return ret;
7188 }
7189
7190 i += n;
7191 }
7192
7193 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
7194 return 0;
7195 }
7196
7197 #if defined(MBEDTLS_SSL_SRV_C)
7198 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context * ssl)7199 static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl)
7200 {
7201 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7202 return -1;
7203 }
7204
7205 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
7206 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
7207 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
7208 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
7209 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
7210 return 0;
7211 }
7212 return -1;
7213 }
7214 #endif /* MBEDTLS_SSL_SRV_C */
7215
7216 /* Check if a certificate message is expected.
7217 * Return either
7218 * - SSL_CERTIFICATE_EXPECTED, or
7219 * - SSL_CERTIFICATE_SKIP
7220 * indicating whether a Certificate message is expected or not.
7221 */
7222 #define SSL_CERTIFICATE_EXPECTED 0
7223 #define SSL_CERTIFICATE_SKIP 1
7224 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_coordinate(mbedtls_ssl_context * ssl,int authmode)7225 static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
7226 int authmode)
7227 {
7228 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7229 ssl->handshake->ciphersuite_info;
7230
7231 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7232 return SSL_CERTIFICATE_SKIP;
7233 }
7234
7235 #if defined(MBEDTLS_SSL_SRV_C)
7236 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7237 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7238 return SSL_CERTIFICATE_SKIP;
7239 }
7240
7241 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
7242 ssl->session_negotiate->verify_result =
7243 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
7244 return SSL_CERTIFICATE_SKIP;
7245 }
7246 }
7247 #else
7248 ((void) authmode);
7249 #endif /* MBEDTLS_SSL_SRV_C */
7250
7251 return SSL_CERTIFICATE_EXPECTED;
7252 }
7253
7254 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_verify(mbedtls_ssl_context * ssl,int authmode,mbedtls_x509_crt * chain,void * rs_ctx)7255 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
7256 int authmode,
7257 mbedtls_x509_crt *chain,
7258 void *rs_ctx)
7259 {
7260 int ret = 0;
7261 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7262 ssl->handshake->ciphersuite_info;
7263 int have_ca_chain = 0;
7264
7265 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
7266 void *p_vrfy;
7267
7268 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
7269 return 0;
7270 }
7271
7272 if (ssl->f_vrfy != NULL) {
7273 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
7274 f_vrfy = ssl->f_vrfy;
7275 p_vrfy = ssl->p_vrfy;
7276 } else {
7277 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
7278 f_vrfy = ssl->conf->f_vrfy;
7279 p_vrfy = ssl->conf->p_vrfy;
7280 }
7281
7282 /*
7283 * Main check: verify certificate
7284 */
7285 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
7286 if (ssl->conf->f_ca_cb != NULL) {
7287 ((void) rs_ctx);
7288 have_ca_chain = 1;
7289
7290 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
7291 ret = mbedtls_x509_crt_verify_with_ca_cb(
7292 chain,
7293 ssl->conf->f_ca_cb,
7294 ssl->conf->p_ca_cb,
7295 ssl->conf->cert_profile,
7296 ssl->hostname,
7297 &ssl->session_negotiate->verify_result,
7298 f_vrfy, p_vrfy);
7299 } else
7300 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
7301 {
7302 mbedtls_x509_crt *ca_chain;
7303 mbedtls_x509_crl *ca_crl;
7304
7305 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7306 if (ssl->handshake->sni_ca_chain != NULL) {
7307 ca_chain = ssl->handshake->sni_ca_chain;
7308 ca_crl = ssl->handshake->sni_ca_crl;
7309 } else
7310 #endif
7311 {
7312 ca_chain = ssl->conf->ca_chain;
7313 ca_crl = ssl->conf->ca_crl;
7314 }
7315
7316 if (ca_chain != NULL) {
7317 have_ca_chain = 1;
7318 }
7319
7320 ret = mbedtls_x509_crt_verify_restartable(
7321 chain,
7322 ca_chain, ca_crl,
7323 ssl->conf->cert_profile,
7324 ssl->hostname,
7325 &ssl->session_negotiate->verify_result,
7326 f_vrfy, p_vrfy, rs_ctx);
7327 }
7328
7329 if (ret != 0) {
7330 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
7331 }
7332
7333 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7334 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
7335 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
7336 }
7337 #endif
7338
7339 /*
7340 * Secondary checks: always done, but change 'ret' only if it was 0
7341 */
7342
7343 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
7344 {
7345 const mbedtls_pk_context *pk = &chain->pk;
7346
7347 /* If certificate uses an EC key, make sure the curve is OK.
7348 * This is a public key, so it can't be opaque, so can_do() is a good
7349 * enough check to ensure pk_ec() is safe to use here. */
7350 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
7351 /* and in the unlikely case the above assumption no longer holds
7352 * we are making sure that pk_ec() here does not return a NULL
7353 */
7354 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(pk);
7355 if (grp_id == MBEDTLS_ECP_DP_NONE) {
7356 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID"));
7357 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7358 }
7359 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
7360 ssl->session_negotiate->verify_result |=
7361 MBEDTLS_X509_BADCERT_BAD_KEY;
7362
7363 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
7364 if (ret == 0) {
7365 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7366 }
7367 }
7368 }
7369 }
7370 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
7371
7372 if (mbedtls_ssl_check_cert_usage(chain,
7373 ciphersuite_info,
7374 !ssl->conf->endpoint,
7375 &ssl->session_negotiate->verify_result) != 0) {
7376 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
7377 if (ret == 0) {
7378 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7379 }
7380 }
7381
7382 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
7383 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
7384 * with details encoded in the verification flags. All other kinds
7385 * of error codes, including those from the user provided f_vrfy
7386 * functions, are treated as fatal and lead to a failure of
7387 * ssl_parse_certificate even if verification was optional. */
7388 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
7389 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
7390 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
7391 ret = 0;
7392 }
7393
7394 if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
7395 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
7396 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
7397 }
7398
7399 if (ret != 0) {
7400 uint8_t alert;
7401
7402 /* The certificate may have been rejected for several reasons.
7403 Pick one and send the corresponding alert. Which alert to send
7404 may be a subject of debate in some cases. */
7405 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
7406 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
7407 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
7408 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
7409 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
7410 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7411 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
7412 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7413 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE) {
7414 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7415 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
7416 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7417 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
7418 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7419 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
7420 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
7421 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
7422 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
7423 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
7424 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
7425 } else {
7426 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
7427 }
7428 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7429 alert);
7430 }
7431
7432 #if defined(MBEDTLS_DEBUG_C)
7433 if (ssl->session_negotiate->verify_result != 0) {
7434 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
7435 (unsigned int) ssl->session_negotiate->verify_result));
7436 } else {
7437 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
7438 }
7439 #endif /* MBEDTLS_DEBUG_C */
7440
7441 return ret;
7442 }
7443
7444 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7445 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_crt_digest(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7446 static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
7447 unsigned char *start, size_t len)
7448 {
7449 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7450 /* Remember digest of the peer's end-CRT. */
7451 ssl->session_negotiate->peer_cert_digest =
7452 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
7453 if (ssl->session_negotiate->peer_cert_digest == NULL) {
7454 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
7455 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
7456 mbedtls_ssl_send_alert_message(ssl,
7457 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7458 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
7459
7460 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
7461 }
7462
7463 ret = mbedtls_md(mbedtls_md_info_from_type(
7464 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
7465 start, len,
7466 ssl->session_negotiate->peer_cert_digest);
7467
7468 ssl->session_negotiate->peer_cert_digest_type =
7469 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
7470 ssl->session_negotiate->peer_cert_digest_len =
7471 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
7472
7473 return ret;
7474 }
7475
7476 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_pubkey(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7477 static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
7478 unsigned char *start, size_t len)
7479 {
7480 unsigned char *end = start + len;
7481 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7482
7483 /* Make a copy of the peer's raw public key. */
7484 mbedtls_pk_init(&ssl->handshake->peer_pubkey);
7485 ret = mbedtls_pk_parse_subpubkey(&start, end,
7486 &ssl->handshake->peer_pubkey);
7487 if (ret != 0) {
7488 /* We should have parsed the public key before. */
7489 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7490 }
7491
7492 return 0;
7493 }
7494 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7495
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)7496 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
7497 {
7498 int ret = 0;
7499 int crt_expected;
7500 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7501 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
7502 ? ssl->handshake->sni_authmode
7503 : ssl->conf->authmode;
7504 #else
7505 const int authmode = ssl->conf->authmode;
7506 #endif
7507 void *rs_ctx = NULL;
7508 mbedtls_x509_crt *chain = NULL;
7509
7510 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
7511
7512 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
7513 if (crt_expected == SSL_CERTIFICATE_SKIP) {
7514 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
7515 goto exit;
7516 }
7517
7518 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7519 if (ssl->handshake->ecrs_enabled &&
7520 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
7521 chain = ssl->handshake->ecrs_peer_cert;
7522 ssl->handshake->ecrs_peer_cert = NULL;
7523 goto crt_verify;
7524 }
7525 #endif
7526
7527 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
7528 /* mbedtls_ssl_read_record may have sent an alert already. We
7529 let it decide whether to alert. */
7530 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
7531 goto exit;
7532 }
7533
7534 #if defined(MBEDTLS_SSL_SRV_C)
7535 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
7536 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
7537
7538 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) {
7539 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
7540 }
7541
7542 goto exit;
7543 }
7544 #endif /* MBEDTLS_SSL_SRV_C */
7545
7546 /* Clear existing peer CRT structure in case we tried to
7547 * reuse a session but it failed, and allocate a new one. */
7548 ssl_clear_peer_cert(ssl->session_negotiate);
7549
7550 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
7551 if (chain == NULL) {
7552 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
7553 sizeof(mbedtls_x509_crt)));
7554 mbedtls_ssl_send_alert_message(ssl,
7555 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7556 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
7557
7558 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
7559 goto exit;
7560 }
7561 mbedtls_x509_crt_init(chain);
7562
7563 ret = ssl_parse_certificate_chain(ssl, chain);
7564 if (ret != 0) {
7565 goto exit;
7566 }
7567
7568 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7569 if (ssl->handshake->ecrs_enabled) {
7570 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
7571 }
7572
7573 crt_verify:
7574 if (ssl->handshake->ecrs_enabled) {
7575 rs_ctx = &ssl->handshake->ecrs_ctx;
7576 }
7577 #endif
7578
7579 ret = ssl_parse_certificate_verify(ssl, authmode,
7580 chain, rs_ctx);
7581 if (ret != 0) {
7582 goto exit;
7583 }
7584
7585 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7586 {
7587 unsigned char *crt_start, *pk_start;
7588 size_t crt_len, pk_len;
7589
7590 /* We parse the CRT chain without copying, so
7591 * these pointers point into the input buffer,
7592 * and are hence still valid after freeing the
7593 * CRT chain. */
7594
7595 crt_start = chain->raw.p;
7596 crt_len = chain->raw.len;
7597
7598 pk_start = chain->pk_raw.p;
7599 pk_len = chain->pk_raw.len;
7600
7601 /* Free the CRT structures before computing
7602 * digest and copying the peer's public key. */
7603 mbedtls_x509_crt_free(chain);
7604 mbedtls_free(chain);
7605 chain = NULL;
7606
7607 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
7608 if (ret != 0) {
7609 goto exit;
7610 }
7611
7612 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
7613 if (ret != 0) {
7614 goto exit;
7615 }
7616 }
7617 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7618 /* Pass ownership to session structure. */
7619 ssl->session_negotiate->peer_cert = chain;
7620 chain = NULL;
7621 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7622
7623 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
7624
7625 exit:
7626
7627 if (ret == 0) {
7628 ssl->state++;
7629 }
7630
7631 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7632 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
7633 ssl->handshake->ecrs_peer_cert = chain;
7634 chain = NULL;
7635 }
7636 #endif
7637
7638 if (chain != NULL) {
7639 mbedtls_x509_crt_free(chain);
7640 mbedtls_free(chain);
7641 }
7642
7643 return ret;
7644 }
7645 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
7646
ssl_calc_finished_tls_generic(mbedtls_ssl_context * ssl,void * ctx,unsigned char * padbuf,size_t hlen,unsigned char * buf,int from)7647 static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
7648 unsigned char *padbuf, size_t hlen,
7649 unsigned char *buf, int from)
7650 {
7651 int len = 12;
7652 const char *sender;
7653 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7654 psa_status_t status;
7655 psa_hash_operation_t *hs_op = ctx;
7656 psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
7657 size_t hash_size;
7658 #else
7659 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7660 mbedtls_md_context_t *hs_ctx = ctx;
7661 mbedtls_md_context_t cloned_ctx;
7662 mbedtls_md_init(&cloned_ctx);
7663 #endif
7664
7665 mbedtls_ssl_session *session = ssl->session_negotiate;
7666 if (!session) {
7667 session = ssl->session;
7668 }
7669
7670 sender = (from == MBEDTLS_SSL_IS_CLIENT)
7671 ? "client finished"
7672 : "server finished";
7673
7674 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7675 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
7676
7677 status = psa_hash_clone(hs_op, &cloned_op);
7678 if (status != PSA_SUCCESS) {
7679 goto exit;
7680 }
7681
7682 status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
7683 if (status != PSA_SUCCESS) {
7684 goto exit;
7685 }
7686 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
7687 #else
7688 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls"));
7689
7690 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
7691 if (ret != 0) {
7692 goto exit;
7693 }
7694 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
7695 if (ret != 0) {
7696 goto exit;
7697 }
7698
7699 ret = mbedtls_md_finish(&cloned_ctx, padbuf);
7700 if (ret != 0) {
7701 goto exit;
7702 }
7703 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7704
7705 MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
7706
7707 /*
7708 * TLSv1.2:
7709 * hash = PRF( master, finished_label,
7710 * Hash( handshake ) )[0.11]
7711 */
7712 ssl->handshake->tls_prf(session->master, 48, sender,
7713 padbuf, hlen, buf, len);
7714
7715 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
7716
7717 mbedtls_platform_zeroize(padbuf, hlen);
7718
7719 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
7720
7721 exit:
7722 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7723 psa_hash_abort(&cloned_op);
7724 return mbedtls_md_error_from_psa(status);
7725 #else
7726 mbedtls_md_free(&cloned_ctx);
7727 return ret;
7728 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7729 }
7730
7731 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_calc_finished_tls_sha256(mbedtls_ssl_context * ssl,unsigned char * buf,int from)7732 static int ssl_calc_finished_tls_sha256(
7733 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
7734 {
7735 unsigned char padbuf[32];
7736 return ssl_calc_finished_tls_generic(ssl,
7737 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7738 &ssl->handshake->fin_sha256_psa,
7739 #else
7740 &ssl->handshake->fin_sha256,
7741 #endif
7742 padbuf, sizeof(padbuf),
7743 buf, from);
7744 }
7745 #endif /* MBEDTLS_MD_CAN_SHA256*/
7746
7747
7748 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_calc_finished_tls_sha384(mbedtls_ssl_context * ssl,unsigned char * buf,int from)7749 static int ssl_calc_finished_tls_sha384(
7750 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
7751 {
7752 unsigned char padbuf[48];
7753 return ssl_calc_finished_tls_generic(ssl,
7754 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7755 &ssl->handshake->fin_sha384_psa,
7756 #else
7757 &ssl->handshake->fin_sha384,
7758 #endif
7759 padbuf, sizeof(padbuf),
7760 buf, from);
7761 }
7762 #endif /* MBEDTLS_MD_CAN_SHA384*/
7763
mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context * ssl)7764 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
7765 {
7766 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
7767
7768 /*
7769 * Free our handshake params
7770 */
7771 mbedtls_ssl_handshake_free(ssl);
7772 mbedtls_free(ssl->handshake);
7773 ssl->handshake = NULL;
7774
7775 /*
7776 * Free the previous transform and switch in the current one
7777 */
7778 if (ssl->transform) {
7779 mbedtls_ssl_transform_free(ssl->transform);
7780 mbedtls_free(ssl->transform);
7781 }
7782 ssl->transform = ssl->transform_negotiate;
7783 ssl->transform_negotiate = NULL;
7784
7785 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
7786 }
7787
mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context * ssl)7788 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
7789 {
7790 int resume = ssl->handshake->resume;
7791
7792 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
7793
7794 #if defined(MBEDTLS_SSL_RENEGOTIATION)
7795 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
7796 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
7797 ssl->renego_records_seen = 0;
7798 }
7799 #endif
7800
7801 /*
7802 * Free the previous session and switch in the current one
7803 */
7804 if (ssl->session) {
7805 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
7806 /* RFC 7366 3.1: keep the EtM state */
7807 ssl->session_negotiate->encrypt_then_mac =
7808 ssl->session->encrypt_then_mac;
7809 #endif
7810
7811 mbedtls_ssl_session_free(ssl->session);
7812 mbedtls_free(ssl->session);
7813 }
7814 ssl->session = ssl->session_negotiate;
7815 ssl->session_negotiate = NULL;
7816
7817 /*
7818 * Add cache entry
7819 */
7820 if (ssl->conf->f_set_cache != NULL &&
7821 ssl->session->id_len != 0 &&
7822 resume == 0) {
7823 if (ssl->conf->f_set_cache(ssl->conf->p_cache,
7824 ssl->session->id,
7825 ssl->session->id_len,
7826 ssl->session) != 0) {
7827 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
7828 }
7829 }
7830
7831 #if defined(MBEDTLS_SSL_PROTO_DTLS)
7832 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
7833 ssl->handshake->flight != NULL) {
7834 /* Cancel handshake timer */
7835 mbedtls_ssl_set_timer(ssl, 0);
7836
7837 /* Keep last flight around in case we need to resend it:
7838 * we need the handshake and transform structures for that */
7839 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
7840 } else
7841 #endif
7842 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
7843
7844 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
7845
7846 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
7847 }
7848
mbedtls_ssl_write_finished(mbedtls_ssl_context * ssl)7849 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
7850 {
7851 int ret, hash_len;
7852
7853 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
7854
7855 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
7856
7857 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
7858 if (ret != 0) {
7859 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
7860 }
7861
7862 /*
7863 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
7864 * may define some other value. Currently (early 2016), no defined
7865 * ciphersuite does this (and this is unlikely to change as activity has
7866 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
7867 */
7868 hash_len = 12;
7869
7870 #if defined(MBEDTLS_SSL_RENEGOTIATION)
7871 ssl->verify_data_len = hash_len;
7872 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
7873 #endif
7874
7875 ssl->out_msglen = 4 + hash_len;
7876 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7877 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
7878
7879 /*
7880 * In case of session resuming, invert the client and server
7881 * ChangeCipherSpec messages order.
7882 */
7883 if (ssl->handshake->resume != 0) {
7884 #if defined(MBEDTLS_SSL_CLI_C)
7885 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7886 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
7887 }
7888 #endif
7889 #if defined(MBEDTLS_SSL_SRV_C)
7890 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7891 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
7892 }
7893 #endif
7894 } else {
7895 ssl->state++;
7896 }
7897
7898 /*
7899 * Switch to our negotiated transform and session parameters for outbound
7900 * data.
7901 */
7902 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
7903
7904 #if defined(MBEDTLS_SSL_PROTO_DTLS)
7905 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
7906 unsigned char i;
7907
7908 /* Remember current epoch settings for resending */
7909 ssl->handshake->alt_transform_out = ssl->transform_out;
7910 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
7911 sizeof(ssl->handshake->alt_out_ctr));
7912
7913 /* Set sequence_number to zero */
7914 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2);
7915
7916
7917 /* Increment epoch */
7918 for (i = 2; i > 0; i--) {
7919 if (++ssl->cur_out_ctr[i - 1] != 0) {
7920 break;
7921 }
7922 }
7923
7924 /* The loop goes to its end iff the counter is wrapping */
7925 if (i == 0) {
7926 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
7927 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
7928 }
7929 } else
7930 #endif /* MBEDTLS_SSL_PROTO_DTLS */
7931 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
7932
7933 ssl->transform_out = ssl->transform_negotiate;
7934 ssl->session_out = ssl->session_negotiate;
7935
7936 #if defined(MBEDTLS_SSL_PROTO_DTLS)
7937 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
7938 mbedtls_ssl_send_flight_completed(ssl);
7939 }
7940 #endif
7941
7942 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
7943 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
7944 return ret;
7945 }
7946
7947 #if defined(MBEDTLS_SSL_PROTO_DTLS)
7948 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
7949 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
7950 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
7951 return ret;
7952 }
7953 #endif
7954
7955 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
7956
7957 return 0;
7958 }
7959
7960 #define SSL_MAX_HASH_LEN 12
7961
mbedtls_ssl_parse_finished(mbedtls_ssl_context * ssl)7962 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
7963 {
7964 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7965 unsigned int hash_len = 12;
7966 unsigned char buf[SSL_MAX_HASH_LEN];
7967
7968 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
7969
7970 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
7971 if (ret != 0) {
7972 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
7973 }
7974
7975 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
7976 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
7977 goto exit;
7978 }
7979
7980 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
7981 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
7982 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7983 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7984 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7985 goto exit;
7986 }
7987
7988 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) {
7989 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7990 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7991 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7992 goto exit;
7993 }
7994
7995 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
7996 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
7997 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7998 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7999 ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
8000 goto exit;
8001 }
8002
8003 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
8004 buf, hash_len) != 0) {
8005 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8006 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8007 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
8008 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8009 goto exit;
8010 }
8011
8012 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8013 ssl->verify_data_len = hash_len;
8014 memcpy(ssl->peer_verify_data, buf, hash_len);
8015 #endif
8016
8017 if (ssl->handshake->resume != 0) {
8018 #if defined(MBEDTLS_SSL_CLI_C)
8019 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8020 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
8021 }
8022 #endif
8023 #if defined(MBEDTLS_SSL_SRV_C)
8024 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8025 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
8026 }
8027 #endif
8028 } else {
8029 ssl->state++;
8030 }
8031
8032 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8033 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8034 mbedtls_ssl_recv_flight_completed(ssl);
8035 }
8036 #endif
8037
8038 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
8039
8040 exit:
8041 mbedtls_platform_zeroize(buf, hash_len);
8042 return ret;
8043 }
8044
8045 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8046 /*
8047 * Helper to get TLS 1.2 PRF from ciphersuite
8048 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
8049 */
ssl_tls12prf_from_cs(int ciphersuite_id)8050 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
8051 {
8052 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
8053 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
8054 #if defined(MBEDTLS_MD_CAN_SHA384)
8055 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
8056 return tls_prf_sha384;
8057 } else
8058 #endif
8059 #if defined(MBEDTLS_MD_CAN_SHA256)
8060 {
8061 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
8062 return tls_prf_sha256;
8063 }
8064 }
8065 #endif
8066 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
8067 !defined(MBEDTLS_MD_CAN_SHA256)
8068 (void) ciphersuite_info;
8069 #endif
8070
8071 return NULL;
8072 }
8073 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
8074
tls_prf_get_type(mbedtls_ssl_tls_prf_cb * tls_prf)8075 static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
8076 {
8077 ((void) tls_prf);
8078 #if defined(MBEDTLS_MD_CAN_SHA384)
8079 if (tls_prf == tls_prf_sha384) {
8080 return MBEDTLS_SSL_TLS_PRF_SHA384;
8081 } else
8082 #endif
8083 #if defined(MBEDTLS_MD_CAN_SHA256)
8084 if (tls_prf == tls_prf_sha256) {
8085 return MBEDTLS_SSL_TLS_PRF_SHA256;
8086 } else
8087 #endif
8088 return MBEDTLS_SSL_TLS_PRF_NONE;
8089 }
8090
8091 /*
8092 * Populate a transform structure with session keys and all the other
8093 * necessary information.
8094 *
8095 * Parameters:
8096 * - [in/out]: transform: structure to populate
8097 * [in] must be just initialised with mbedtls_ssl_transform_init()
8098 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
8099 * - [in] ciphersuite
8100 * - [in] master
8101 * - [in] encrypt_then_mac
8102 * - [in] tls_prf: pointer to PRF to use for key derivation
8103 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
8104 * - [in] tls_version: TLS version
8105 * - [in] endpoint: client or server
8106 * - [in] ssl: used for:
8107 * - ssl->conf->{f,p}_export_keys
8108 * [in] optionally used for:
8109 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
8110 */
8111 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_populate_transform(mbedtls_ssl_transform * transform,int ciphersuite,const unsigned char master[48],int encrypt_then_mac,ssl_tls_prf_t tls_prf,const unsigned char randbytes[64],mbedtls_ssl_protocol_version tls_version,unsigned endpoint,const mbedtls_ssl_context * ssl)8112 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
8113 int ciphersuite,
8114 const unsigned char master[48],
8115 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8116 int encrypt_then_mac,
8117 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8118 ssl_tls_prf_t tls_prf,
8119 const unsigned char randbytes[64],
8120 mbedtls_ssl_protocol_version tls_version,
8121 unsigned endpoint,
8122 const mbedtls_ssl_context *ssl)
8123 {
8124 int ret = 0;
8125 unsigned char keyblk[256];
8126 unsigned char *key1;
8127 unsigned char *key2;
8128 unsigned char *mac_enc;
8129 unsigned char *mac_dec;
8130 size_t mac_key_len = 0;
8131 size_t iv_copy_len;
8132 size_t keylen;
8133 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
8134 mbedtls_ssl_mode_t ssl_mode;
8135 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
8136 const mbedtls_cipher_info_t *cipher_info;
8137 const mbedtls_md_info_t *md_info;
8138 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
8139
8140 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8141 psa_key_type_t key_type;
8142 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8143 psa_algorithm_t alg;
8144 psa_algorithm_t mac_alg = 0;
8145 size_t key_bits;
8146 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8147 #endif
8148
8149 #if !defined(MBEDTLS_DEBUG_C) && \
8150 !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
8151 if (ssl->f_export_keys == NULL) {
8152 ssl = NULL; /* make sure we don't use it except for these cases */
8153 (void) ssl;
8154 }
8155 #endif
8156
8157 /*
8158 * Some data just needs copying into the structure
8159 */
8160 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8161 transform->encrypt_then_mac = encrypt_then_mac;
8162 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8163 transform->tls_version = tls_version;
8164
8165 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8166 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
8167 #endif
8168
8169 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
8170 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
8171 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
8172 * generation separate. This should never happen. */
8173 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8174 }
8175 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
8176
8177 /*
8178 * Get various info structures
8179 */
8180 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
8181 if (ciphersuite_info == NULL) {
8182 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
8183 ciphersuite));
8184 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8185 }
8186
8187 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
8188 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8189 encrypt_then_mac,
8190 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8191 ciphersuite_info);
8192
8193 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8194 transform->taglen =
8195 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
8196 }
8197
8198 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8199 if ((status = mbedtls_ssl_cipher_to_psa(ciphersuite_info->cipher,
8200 transform->taglen,
8201 &alg,
8202 &key_type,
8203 &key_bits)) != PSA_SUCCESS) {
8204 ret = PSA_TO_MBEDTLS_ERR(status);
8205 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
8206 goto end;
8207 }
8208 #else
8209 cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher);
8210 if (cipher_info == NULL) {
8211 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
8212 ciphersuite_info->cipher));
8213 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8214 }
8215 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8216
8217 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8218 mac_alg = mbedtls_md_psa_alg_from_type(ciphersuite_info->mac);
8219 if (mac_alg == 0) {
8220 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
8221 (unsigned) ciphersuite_info->mac));
8222 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8223 }
8224 #else
8225 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
8226 if (md_info == NULL) {
8227 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found",
8228 (unsigned) ciphersuite_info->mac));
8229 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8230 }
8231 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8232
8233 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
8234 /* Copy own and peer's CID if the use of the CID
8235 * extension has been negotiated. */
8236 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
8237 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
8238
8239 transform->in_cid_len = ssl->own_cid_len;
8240 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
8241 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
8242 transform->in_cid_len);
8243
8244 transform->out_cid_len = ssl->handshake->peer_cid_len;
8245 memcpy(transform->out_cid, ssl->handshake->peer_cid,
8246 ssl->handshake->peer_cid_len);
8247 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
8248 transform->out_cid_len);
8249 }
8250 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
8251
8252 /*
8253 * Compute key block using the PRF
8254 */
8255 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
8256 if (ret != 0) {
8257 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
8258 return ret;
8259 }
8260
8261 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
8262 mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
8263 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
8264 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
8265 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
8266
8267 /*
8268 * Determine the appropriate key, IV and MAC length.
8269 */
8270
8271 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8272 keylen = PSA_BITS_TO_BYTES(key_bits);
8273 #else
8274 keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
8275 #endif
8276
8277 #if defined(MBEDTLS_GCM_C) || \
8278 defined(MBEDTLS_CCM_C) || \
8279 defined(MBEDTLS_CHACHAPOLY_C)
8280 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8281 size_t explicit_ivlen;
8282
8283 transform->maclen = 0;
8284 mac_key_len = 0;
8285
8286 /* All modes haves 96-bit IVs, but the length of the static parts vary
8287 * with mode and version:
8288 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
8289 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
8290 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
8291 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
8292 * sequence number).
8293 */
8294 transform->ivlen = 12;
8295
8296 int is_chachapoly = 0;
8297 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8298 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20);
8299 #else
8300 is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info)
8301 == MBEDTLS_MODE_CHACHAPOLY);
8302 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8303
8304 if (is_chachapoly) {
8305 transform->fixed_ivlen = 12;
8306 } else {
8307 transform->fixed_ivlen = 4;
8308 }
8309
8310 /* Minimum length of encrypted record */
8311 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
8312 transform->minlen = explicit_ivlen + transform->taglen;
8313 } else
8314 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
8315 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8316 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
8317 ssl_mode == MBEDTLS_SSL_MODE_CBC ||
8318 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8319 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8320 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
8321 #else
8322 size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info);
8323 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8324
8325 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8326 /* Get MAC length */
8327 mac_key_len = PSA_HASH_LENGTH(mac_alg);
8328 #else
8329 /* Initialize HMAC contexts */
8330 if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 ||
8331 (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) {
8332 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
8333 goto end;
8334 }
8335
8336 /* Get MAC length */
8337 mac_key_len = mbedtls_md_get_size(md_info);
8338 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8339 transform->maclen = mac_key_len;
8340
8341 /* IV length */
8342 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8343 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
8344 #else
8345 transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info);
8346 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8347
8348 /* Minimum length */
8349 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
8350 transform->minlen = transform->maclen;
8351 } else {
8352 /*
8353 * GenericBlockCipher:
8354 * 1. if EtM is in use: one block plus MAC
8355 * otherwise: * first multiple of blocklen greater than maclen
8356 * 2. IV
8357 */
8358 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8359 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8360 transform->minlen = transform->maclen
8361 + block_size;
8362 } else
8363 #endif
8364 {
8365 transform->minlen = transform->maclen
8366 + block_size
8367 - transform->maclen % block_size;
8368 }
8369
8370 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
8371 transform->minlen += transform->ivlen;
8372 } else {
8373 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8374 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8375 goto end;
8376 }
8377 }
8378 } else
8379 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
8380 {
8381 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8382 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8383 }
8384
8385 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
8386 (unsigned) keylen,
8387 (unsigned) transform->minlen,
8388 (unsigned) transform->ivlen,
8389 (unsigned) transform->maclen));
8390
8391 /*
8392 * Finally setup the cipher contexts, IVs and MAC secrets.
8393 */
8394 #if defined(MBEDTLS_SSL_CLI_C)
8395 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
8396 key1 = keyblk + mac_key_len * 2;
8397 key2 = keyblk + mac_key_len * 2 + keylen;
8398
8399 mac_enc = keyblk;
8400 mac_dec = keyblk + mac_key_len;
8401
8402 iv_copy_len = (transform->fixed_ivlen) ?
8403 transform->fixed_ivlen : transform->ivlen;
8404 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len);
8405 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
8406 iv_copy_len);
8407 } else
8408 #endif /* MBEDTLS_SSL_CLI_C */
8409 #if defined(MBEDTLS_SSL_SRV_C)
8410 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
8411 key1 = keyblk + mac_key_len * 2 + keylen;
8412 key2 = keyblk + mac_key_len * 2;
8413
8414 mac_enc = keyblk + mac_key_len;
8415 mac_dec = keyblk;
8416
8417 iv_copy_len = (transform->fixed_ivlen) ?
8418 transform->fixed_ivlen : transform->ivlen;
8419 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len);
8420 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
8421 iv_copy_len);
8422 } else
8423 #endif /* MBEDTLS_SSL_SRV_C */
8424 {
8425 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8426 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8427 goto end;
8428 }
8429
8430 if (ssl != NULL && ssl->f_export_keys != NULL) {
8431 ssl->f_export_keys(ssl->p_export_keys,
8432 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
8433 master, 48,
8434 randbytes + 32,
8435 randbytes,
8436 tls_prf_get_type(tls_prf));
8437 }
8438
8439 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8440 transform->psa_alg = alg;
8441
8442 if (alg != MBEDTLS_SSL_NULL_CIPHER) {
8443 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
8444 psa_set_key_algorithm(&attributes, alg);
8445 psa_set_key_type(&attributes, key_type);
8446
8447 if ((status = psa_import_key(&attributes,
8448 key1,
8449 PSA_BITS_TO_BYTES(key_bits),
8450 &transform->psa_key_enc)) != PSA_SUCCESS) {
8451 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
8452 ret = PSA_TO_MBEDTLS_ERR(status);
8453 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8454 goto end;
8455 }
8456
8457 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8458
8459 if ((status = psa_import_key(&attributes,
8460 key2,
8461 PSA_BITS_TO_BYTES(key_bits),
8462 &transform->psa_key_dec)) != PSA_SUCCESS) {
8463 ret = PSA_TO_MBEDTLS_ERR(status);
8464 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8465 goto end;
8466 }
8467 }
8468 #else
8469 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
8470 cipher_info)) != 0) {
8471 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8472 goto end;
8473 }
8474
8475 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
8476 cipher_info)) != 0) {
8477 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8478 goto end;
8479 }
8480
8481 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1,
8482 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8483 MBEDTLS_ENCRYPT)) != 0) {
8484 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8485 goto end;
8486 }
8487
8488 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2,
8489 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8490 MBEDTLS_DECRYPT)) != 0) {
8491 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8492 goto end;
8493 }
8494
8495 #if defined(MBEDTLS_CIPHER_MODE_CBC)
8496 if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) {
8497 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc,
8498 MBEDTLS_PADDING_NONE)) != 0) {
8499 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
8500 goto end;
8501 }
8502
8503 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec,
8504 MBEDTLS_PADDING_NONE)) != 0) {
8505 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
8506 goto end;
8507 }
8508 }
8509 #endif /* MBEDTLS_CIPHER_MODE_CBC */
8510 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8511
8512 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8513 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
8514 For AEAD-based ciphersuites, there is nothing to do here. */
8515 if (mac_key_len != 0) {
8516 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8517 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg);
8518
8519 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
8520 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg));
8521 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
8522
8523 if ((status = psa_import_key(&attributes,
8524 mac_enc, mac_key_len,
8525 &transform->psa_mac_enc)) != PSA_SUCCESS) {
8526 ret = PSA_TO_MBEDTLS_ERR(status);
8527 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
8528 goto end;
8529 }
8530
8531 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) ||
8532 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING)
8533 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8534 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED)
8535 #endif
8536 )) {
8537 /* mbedtls_ct_hmac() requires the key to be exportable */
8538 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
8539 PSA_KEY_USAGE_VERIFY_HASH);
8540 } else {
8541 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
8542 }
8543
8544 if ((status = psa_import_key(&attributes,
8545 mac_dec, mac_key_len,
8546 &transform->psa_mac_dec)) != PSA_SUCCESS) {
8547 ret = PSA_TO_MBEDTLS_ERR(status);
8548 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
8549 goto end;
8550 }
8551 #else
8552 ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len);
8553 if (ret != 0) {
8554 goto end;
8555 }
8556 ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len);
8557 if (ret != 0) {
8558 goto end;
8559 }
8560 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8561 }
8562 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
8563
8564 ((void) mac_dec);
8565 ((void) mac_enc);
8566
8567 end:
8568 mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
8569 return ret;
8570 }
8571
8572 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
8573 defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_ecjpake_read_round(psa_pake_operation_t * pake_ctx,const unsigned char * buf,size_t len,mbedtls_ecjpake_rounds_t round)8574 int mbedtls_psa_ecjpake_read_round(
8575 psa_pake_operation_t *pake_ctx,
8576 const unsigned char *buf,
8577 size_t len, mbedtls_ecjpake_rounds_t round)
8578 {
8579 psa_status_t status;
8580 size_t input_offset = 0;
8581 /*
8582 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
8583 * At round two perform a single cycle
8584 */
8585 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
8586
8587 for (; remaining_steps > 0; remaining_steps--) {
8588 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
8589 step <= PSA_PAKE_STEP_ZK_PROOF;
8590 ++step) {
8591 /* Length is stored at the first byte */
8592 size_t length = buf[input_offset];
8593 input_offset += 1;
8594
8595 if (input_offset + length > len) {
8596 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8597 }
8598
8599 status = psa_pake_input(pake_ctx, step,
8600 buf + input_offset, length);
8601 if (status != PSA_SUCCESS) {
8602 return PSA_TO_MBEDTLS_ERR(status);
8603 }
8604
8605 input_offset += length;
8606 }
8607 }
8608
8609 if (input_offset != len) {
8610 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8611 }
8612
8613 return 0;
8614 }
8615
mbedtls_psa_ecjpake_write_round(psa_pake_operation_t * pake_ctx,unsigned char * buf,size_t len,size_t * olen,mbedtls_ecjpake_rounds_t round)8616 int mbedtls_psa_ecjpake_write_round(
8617 psa_pake_operation_t *pake_ctx,
8618 unsigned char *buf,
8619 size_t len, size_t *olen,
8620 mbedtls_ecjpake_rounds_t round)
8621 {
8622 psa_status_t status;
8623 size_t output_offset = 0;
8624 size_t output_len;
8625 /*
8626 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
8627 * At round two perform a single cycle
8628 */
8629 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
8630
8631 for (; remaining_steps > 0; remaining_steps--) {
8632 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
8633 step <= PSA_PAKE_STEP_ZK_PROOF;
8634 ++step) {
8635 /*
8636 * For each step, prepend 1 byte with the length of the data as
8637 * given by psa_pake_output().
8638 */
8639 status = psa_pake_output(pake_ctx, step,
8640 buf + output_offset + 1,
8641 len - output_offset - 1,
8642 &output_len);
8643 if (status != PSA_SUCCESS) {
8644 return PSA_TO_MBEDTLS_ERR(status);
8645 }
8646
8647 *(buf + output_offset) = (uint8_t) output_len;
8648
8649 output_offset += output_len + 1;
8650 }
8651 }
8652
8653 *olen = output_offset;
8654
8655 return 0;
8656 }
8657 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
8658
8659 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)8660 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
8661 unsigned char *hash, size_t *hashlen,
8662 unsigned char *data, size_t data_len,
8663 mbedtls_md_type_t md_alg)
8664 {
8665 psa_status_t status;
8666 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
8667 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
8668
8669 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
8670
8671 if ((status = psa_hash_setup(&hash_operation,
8672 hash_alg)) != PSA_SUCCESS) {
8673 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
8674 goto exit;
8675 }
8676
8677 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
8678 64)) != PSA_SUCCESS) {
8679 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
8680 goto exit;
8681 }
8682
8683 if ((status = psa_hash_update(&hash_operation,
8684 data, data_len)) != PSA_SUCCESS) {
8685 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
8686 goto exit;
8687 }
8688
8689 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE,
8690 hashlen)) != PSA_SUCCESS) {
8691 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
8692 goto exit;
8693 }
8694
8695 exit:
8696 if (status != PSA_SUCCESS) {
8697 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8698 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
8699 switch (status) {
8700 case PSA_ERROR_NOT_SUPPORTED:
8701 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
8702 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
8703 case PSA_ERROR_BUFFER_TOO_SMALL:
8704 return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
8705 case PSA_ERROR_INSUFFICIENT_MEMORY:
8706 return MBEDTLS_ERR_MD_ALLOC_FAILED;
8707 default:
8708 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
8709 }
8710 }
8711 return 0;
8712 }
8713
8714 #else
8715
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)8716 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
8717 unsigned char *hash, size_t *hashlen,
8718 unsigned char *data, size_t data_len,
8719 mbedtls_md_type_t md_alg)
8720 {
8721 int ret = 0;
8722 mbedtls_md_context_t ctx;
8723 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
8724 *hashlen = mbedtls_md_get_size(md_info);
8725
8726 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange"));
8727
8728 mbedtls_md_init(&ctx);
8729
8730 /*
8731 * digitally-signed struct {
8732 * opaque client_random[32];
8733 * opaque server_random[32];
8734 * ServerDHParams params;
8735 * };
8736 */
8737 if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
8738 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
8739 goto exit;
8740 }
8741 if ((ret = mbedtls_md_starts(&ctx)) != 0) {
8742 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret);
8743 goto exit;
8744 }
8745 if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) {
8746 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
8747 goto exit;
8748 }
8749 if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) {
8750 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
8751 goto exit;
8752 }
8753 if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) {
8754 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
8755 goto exit;
8756 }
8757
8758 exit:
8759 mbedtls_md_free(&ctx);
8760
8761 if (ret != 0) {
8762 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8763 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
8764 }
8765
8766 return ret;
8767 }
8768 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8769
8770 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
8771
8772 /* Find the preferred hash for a given signature algorithm. */
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(mbedtls_ssl_context * ssl,unsigned int sig_alg)8773 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
8774 mbedtls_ssl_context *ssl,
8775 unsigned int sig_alg)
8776 {
8777 unsigned int i;
8778 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
8779
8780 if (sig_alg == MBEDTLS_SSL_SIG_ANON) {
8781 return MBEDTLS_SSL_HASH_NONE;
8782 }
8783
8784 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
8785 unsigned int hash_alg_received =
8786 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
8787 received_sig_algs[i]);
8788 unsigned int sig_alg_received =
8789 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
8790 received_sig_algs[i]);
8791
8792 mbedtls_md_type_t md_alg =
8793 mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received);
8794 if (md_alg == MBEDTLS_MD_NONE) {
8795 continue;
8796 }
8797
8798 if (sig_alg == sig_alg_received) {
8799 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8800 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
8801 psa_algorithm_t psa_hash_alg =
8802 mbedtls_md_psa_alg_from_type(md_alg);
8803
8804 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
8805 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
8806 PSA_ALG_ECDSA(psa_hash_alg),
8807 PSA_KEY_USAGE_SIGN_HASH)) {
8808 continue;
8809 }
8810
8811 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
8812 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
8813 PSA_ALG_RSA_PKCS1V15_SIGN(
8814 psa_hash_alg),
8815 PSA_KEY_USAGE_SIGN_HASH)) {
8816 continue;
8817 }
8818 }
8819 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8820
8821 return hash_alg_received;
8822 }
8823 }
8824
8825 return MBEDTLS_SSL_HASH_NONE;
8826 }
8827
8828 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
8829
8830 /* Serialization of TLS 1.2 sessions:
8831 *
8832 * struct {
8833 * uint64 start_time;
8834 * uint8 ciphersuite[2]; // defined by the standard
8835 * uint8 session_id_len; // at most 32
8836 * opaque session_id[32];
8837 * opaque master[48]; // fixed length in the standard
8838 * uint32 verify_result;
8839 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
8840 * opaque ticket<0..2^24-1>; // length 0 means no ticket
8841 * uint32 ticket_lifetime;
8842 * uint8 mfl_code; // up to 255 according to standard
8843 * uint8 encrypt_then_mac; // 0 or 1
8844 * } serialized_session_tls12;
8845 *
8846 */
ssl_tls12_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len)8847 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
8848 unsigned char *buf,
8849 size_t buf_len)
8850 {
8851 unsigned char *p = buf;
8852 size_t used = 0;
8853
8854 #if defined(MBEDTLS_HAVE_TIME)
8855 uint64_t start;
8856 #endif
8857 #if defined(MBEDTLS_X509_CRT_PARSE_C)
8858 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
8859 size_t cert_len;
8860 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8861 #endif /* MBEDTLS_X509_CRT_PARSE_C */
8862
8863 /*
8864 * Time
8865 */
8866 #if defined(MBEDTLS_HAVE_TIME)
8867 used += 8;
8868
8869 if (used <= buf_len) {
8870 start = (uint64_t) session->start;
8871
8872 MBEDTLS_PUT_UINT64_BE(start, p, 0);
8873 p += 8;
8874 }
8875 #endif /* MBEDTLS_HAVE_TIME */
8876
8877 /*
8878 * Basic mandatory fields
8879 */
8880 used += 2 /* ciphersuite */
8881 + 1 /* id_len */
8882 + sizeof(session->id)
8883 + sizeof(session->master)
8884 + 4; /* verify_result */
8885
8886 if (used <= buf_len) {
8887 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
8888 p += 2;
8889
8890 *p++ = MBEDTLS_BYTE_0(session->id_len);
8891 memcpy(p, session->id, 32);
8892 p += 32;
8893
8894 memcpy(p, session->master, 48);
8895 p += 48;
8896
8897 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
8898 p += 4;
8899 }
8900
8901 /*
8902 * Peer's end-entity certificate
8903 */
8904 #if defined(MBEDTLS_X509_CRT_PARSE_C)
8905 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
8906 if (session->peer_cert == NULL) {
8907 cert_len = 0;
8908 } else {
8909 cert_len = session->peer_cert->raw.len;
8910 }
8911
8912 used += 3 + cert_len;
8913
8914 if (used <= buf_len) {
8915 *p++ = MBEDTLS_BYTE_2(cert_len);
8916 *p++ = MBEDTLS_BYTE_1(cert_len);
8917 *p++ = MBEDTLS_BYTE_0(cert_len);
8918
8919 if (session->peer_cert != NULL) {
8920 memcpy(p, session->peer_cert->raw.p, cert_len);
8921 p += cert_len;
8922 }
8923 }
8924 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8925 if (session->peer_cert_digest != NULL) {
8926 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
8927 if (used <= buf_len) {
8928 *p++ = (unsigned char) session->peer_cert_digest_type;
8929 *p++ = (unsigned char) session->peer_cert_digest_len;
8930 memcpy(p, session->peer_cert_digest,
8931 session->peer_cert_digest_len);
8932 p += session->peer_cert_digest_len;
8933 }
8934 } else {
8935 used += 2;
8936 if (used <= buf_len) {
8937 *p++ = (unsigned char) MBEDTLS_MD_NONE;
8938 *p++ = 0;
8939 }
8940 }
8941 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8942 #endif /* MBEDTLS_X509_CRT_PARSE_C */
8943
8944 /*
8945 * Session ticket if any, plus associated data
8946 */
8947 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
8948 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
8949
8950 if (used <= buf_len) {
8951 *p++ = MBEDTLS_BYTE_2(session->ticket_len);
8952 *p++ = MBEDTLS_BYTE_1(session->ticket_len);
8953 *p++ = MBEDTLS_BYTE_0(session->ticket_len);
8954
8955 if (session->ticket != NULL) {
8956 memcpy(p, session->ticket, session->ticket_len);
8957 p += session->ticket_len;
8958 }
8959
8960 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
8961 p += 4;
8962 }
8963 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
8964
8965 /*
8966 * Misc extension-related info
8967 */
8968 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
8969 used += 1;
8970
8971 if (used <= buf_len) {
8972 *p++ = session->mfl_code;
8973 }
8974 #endif
8975
8976 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8977 used += 1;
8978
8979 if (used <= buf_len) {
8980 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
8981 }
8982 #endif
8983
8984 return used;
8985 }
8986
8987 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)8988 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
8989 const unsigned char *buf,
8990 size_t len)
8991 {
8992 #if defined(MBEDTLS_HAVE_TIME)
8993 uint64_t start;
8994 #endif
8995 #if defined(MBEDTLS_X509_CRT_PARSE_C)
8996 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
8997 size_t cert_len;
8998 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8999 #endif /* MBEDTLS_X509_CRT_PARSE_C */
9000
9001 const unsigned char *p = buf;
9002 const unsigned char * const end = buf + len;
9003
9004 /*
9005 * Time
9006 */
9007 #if defined(MBEDTLS_HAVE_TIME)
9008 if (8 > (size_t) (end - p)) {
9009 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9010 }
9011
9012 start = MBEDTLS_GET_UINT64_BE(p, 0);
9013 p += 8;
9014
9015 session->start = (time_t) start;
9016 #endif /* MBEDTLS_HAVE_TIME */
9017
9018 /*
9019 * Basic mandatory fields
9020 */
9021 if (2 + 1 + 32 + 48 + 4 > (size_t) (end - p)) {
9022 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9023 }
9024
9025 session->ciphersuite = (p[0] << 8) | p[1];
9026 p += 2;
9027
9028 session->id_len = *p++;
9029 memcpy(session->id, p, 32);
9030 p += 32;
9031
9032 memcpy(session->master, p, 48);
9033 p += 48;
9034
9035 session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
9036 p += 4;
9037
9038 /* Immediately clear invalid pointer values that have been read, in case
9039 * we exit early before we replaced them with valid ones. */
9040 #if defined(MBEDTLS_X509_CRT_PARSE_C)
9041 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
9042 session->peer_cert = NULL;
9043 #else
9044 session->peer_cert_digest = NULL;
9045 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
9046 #endif /* MBEDTLS_X509_CRT_PARSE_C */
9047 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
9048 session->ticket = NULL;
9049 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
9050
9051 /*
9052 * Peer certificate
9053 */
9054 #if defined(MBEDTLS_X509_CRT_PARSE_C)
9055 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
9056 /* Deserialize CRT from the end of the ticket. */
9057 if (3 > (size_t) (end - p)) {
9058 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9059 }
9060
9061 cert_len = (p[0] << 16) | (p[1] << 8) | p[2];
9062 p += 3;
9063
9064 if (cert_len != 0) {
9065 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
9066
9067 if (cert_len > (size_t) (end - p)) {
9068 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9069 }
9070
9071 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
9072
9073 if (session->peer_cert == NULL) {
9074 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9075 }
9076
9077 mbedtls_x509_crt_init(session->peer_cert);
9078
9079 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
9080 p, cert_len)) != 0) {
9081 mbedtls_x509_crt_free(session->peer_cert);
9082 mbedtls_free(session->peer_cert);
9083 session->peer_cert = NULL;
9084 return ret;
9085 }
9086
9087 p += cert_len;
9088 }
9089 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
9090 /* Deserialize CRT digest from the end of the ticket. */
9091 if (2 > (size_t) (end - p)) {
9092 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9093 }
9094
9095 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
9096 session->peer_cert_digest_len = (size_t) *p++;
9097
9098 if (session->peer_cert_digest_len != 0) {
9099 const mbedtls_md_info_t *md_info =
9100 mbedtls_md_info_from_type(session->peer_cert_digest_type);
9101 if (md_info == NULL) {
9102 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9103 }
9104 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
9105 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9106 }
9107
9108 if (session->peer_cert_digest_len > (size_t) (end - p)) {
9109 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9110 }
9111
9112 session->peer_cert_digest =
9113 mbedtls_calloc(1, session->peer_cert_digest_len);
9114 if (session->peer_cert_digest == NULL) {
9115 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9116 }
9117
9118 memcpy(session->peer_cert_digest, p,
9119 session->peer_cert_digest_len);
9120 p += session->peer_cert_digest_len;
9121 }
9122 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
9123 #endif /* MBEDTLS_X509_CRT_PARSE_C */
9124
9125 /*
9126 * Session ticket and associated data
9127 */
9128 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
9129 if (3 > (size_t) (end - p)) {
9130 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9131 }
9132
9133 session->ticket_len = (p[0] << 16) | (p[1] << 8) | p[2];
9134 p += 3;
9135
9136 if (session->ticket_len != 0) {
9137 if (session->ticket_len > (size_t) (end - p)) {
9138 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9139 }
9140
9141 session->ticket = mbedtls_calloc(1, session->ticket_len);
9142 if (session->ticket == NULL) {
9143 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9144 }
9145
9146 memcpy(session->ticket, p, session->ticket_len);
9147 p += session->ticket_len;
9148 }
9149
9150 if (4 > (size_t) (end - p)) {
9151 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9152 }
9153
9154 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
9155 p += 4;
9156 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
9157
9158 /*
9159 * Misc extension-related info
9160 */
9161 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
9162 if (1 > (size_t) (end - p)) {
9163 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9164 }
9165
9166 session->mfl_code = *p++;
9167 #endif
9168
9169 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
9170 if (1 > (size_t) (end - p)) {
9171 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9172 }
9173
9174 session->encrypt_then_mac = *p++;
9175 #endif
9176
9177 /* Done, should have consumed entire buffer */
9178 if (p != end) {
9179 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9180 }
9181
9182 return 0;
9183 }
9184 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9185
mbedtls_ssl_validate_ciphersuite(const mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * suite_info,mbedtls_ssl_protocol_version min_tls_version,mbedtls_ssl_protocol_version max_tls_version)9186 int mbedtls_ssl_validate_ciphersuite(
9187 const mbedtls_ssl_context *ssl,
9188 const mbedtls_ssl_ciphersuite_t *suite_info,
9189 mbedtls_ssl_protocol_version min_tls_version,
9190 mbedtls_ssl_protocol_version max_tls_version)
9191 {
9192 (void) ssl;
9193
9194 if (suite_info == NULL) {
9195 return -1;
9196 }
9197
9198 if ((suite_info->min_tls_version > max_tls_version) ||
9199 (suite_info->max_tls_version < min_tls_version)) {
9200 return -1;
9201 }
9202
9203 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
9204 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
9205 #if defined(MBEDTLS_USE_PSA_CRYPTO)
9206 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9207 ssl->handshake->psa_pake_ctx_is_ok != 1)
9208 #else
9209 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9210 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
9211 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9212 {
9213 return -1;
9214 }
9215 #endif
9216
9217 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
9218 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
9219 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
9220 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
9221 return -1;
9222 }
9223 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
9224 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9225
9226 return 0;
9227 }
9228
9229 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
9230 /*
9231 * Function for writing a signature algorithm extension.
9232 *
9233 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
9234 * value (TLS 1.3 RFC8446):
9235 * enum {
9236 * ....
9237 * ecdsa_secp256r1_sha256( 0x0403 ),
9238 * ecdsa_secp384r1_sha384( 0x0503 ),
9239 * ecdsa_secp521r1_sha512( 0x0603 ),
9240 * ....
9241 * } SignatureScheme;
9242 *
9243 * struct {
9244 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
9245 * } SignatureSchemeList;
9246 *
9247 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
9248 * value (TLS 1.2 RFC5246):
9249 * enum {
9250 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
9251 * sha512(6), (255)
9252 * } HashAlgorithm;
9253 *
9254 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
9255 * SignatureAlgorithm;
9256 *
9257 * struct {
9258 * HashAlgorithm hash;
9259 * SignatureAlgorithm signature;
9260 * } SignatureAndHashAlgorithm;
9261 *
9262 * SignatureAndHashAlgorithm
9263 * supported_signature_algorithms<2..2^16-2>;
9264 *
9265 * The TLS 1.3 signature algorithm extension was defined to be a compatible
9266 * generalization of the TLS 1.2 signature algorithm extension.
9267 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
9268 * `SignatureScheme` field of TLS 1.3
9269 *
9270 */
mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)9271 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
9272 const unsigned char *end, size_t *out_len)
9273 {
9274 unsigned char *p = buf;
9275 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
9276 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
9277
9278 *out_len = 0;
9279
9280 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension"));
9281
9282 /* Check if we have space for header and length field:
9283 * - extension_type (2 bytes)
9284 * - extension_data_length (2 bytes)
9285 * - supported_signature_algorithms_length (2 bytes)
9286 */
9287 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
9288 p += 6;
9289
9290 /*
9291 * Write supported_signature_algorithms
9292 */
9293 supported_sig_alg = p;
9294 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
9295 if (sig_alg == NULL) {
9296 return MBEDTLS_ERR_SSL_BAD_CONFIG;
9297 }
9298
9299 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
9300 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s",
9301 *sig_alg,
9302 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9303 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
9304 continue;
9305 }
9306 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
9307 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
9308 p += 2;
9309 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s",
9310 *sig_alg,
9311 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9312 }
9313
9314 /* Length of supported_signature_algorithms */
9315 supported_sig_alg_len = p - supported_sig_alg;
9316 if (supported_sig_alg_len == 0) {
9317 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
9318 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
9319 }
9320
9321 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0);
9322 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
9323 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
9324
9325 *out_len = p - buf;
9326
9327 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9328 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
9329 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
9330
9331 return 0;
9332 }
9333 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
9334
9335 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9336 /*
9337 * mbedtls_ssl_parse_server_name_ext
9338 *
9339 * Structure of server_name extension:
9340 *
9341 * enum {
9342 * host_name(0), (255)
9343 * } NameType;
9344 * opaque HostName<1..2^16-1>;
9345 *
9346 * struct {
9347 * NameType name_type;
9348 * select (name_type) {
9349 * case host_name: HostName;
9350 * } name;
9351 * } ServerName;
9352 * struct {
9353 * ServerName server_name_list<1..2^16-1>
9354 * } ServerNameList;
9355 */
9356 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9357 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
9358 const unsigned char *buf,
9359 const unsigned char *end)
9360 {
9361 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
9362 const unsigned char *p = buf;
9363 size_t server_name_list_len, hostname_len;
9364 const unsigned char *server_name_list_end;
9365
9366 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
9367
9368 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
9369 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9370 p += 2;
9371
9372 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len);
9373 server_name_list_end = p + server_name_list_len;
9374 while (p < server_name_list_end) {
9375 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3);
9376 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1);
9377 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end,
9378 hostname_len + 3);
9379
9380 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
9381 /* sni_name is intended to be used only during the parsing of the
9382 * ClientHello message (it is reset to NULL before the end of
9383 * the message parsing). Thus it is ok to just point to the
9384 * reception buffer and not make a copy of it.
9385 */
9386 ssl->handshake->sni_name = p + 3;
9387 ssl->handshake->sni_name_len = hostname_len;
9388 if (ssl->conf->f_sni == NULL) {
9389 return 0;
9390 }
9391 ret = ssl->conf->f_sni(ssl->conf->p_sni,
9392 ssl, p + 3, hostname_len);
9393 if (ret != 0) {
9394 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
9395 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
9396 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME);
9397 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME;
9398 }
9399 return 0;
9400 }
9401
9402 p += hostname_len + 3;
9403 }
9404
9405 return 0;
9406 }
9407 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
9408
9409 #if defined(MBEDTLS_SSL_ALPN)
9410 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9411 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
9412 const unsigned char *buf,
9413 const unsigned char *end)
9414 {
9415 const unsigned char *p = buf;
9416 size_t protocol_name_list_len;
9417 const unsigned char *protocol_name_list;
9418 const unsigned char *protocol_name_list_end;
9419 size_t protocol_name_len;
9420
9421 /* If ALPN not configured, just ignore the extension */
9422 if (ssl->conf->alpn_list == NULL) {
9423 return 0;
9424 }
9425
9426 /*
9427 * RFC7301, section 3.1
9428 * opaque ProtocolName<1..2^8-1>;
9429 *
9430 * struct {
9431 * ProtocolName protocol_name_list<2..2^16-1>
9432 * } ProtocolNameList;
9433 */
9434
9435 /*
9436 * protocol_name_list_len 2 bytes
9437 * protocol_name_len 1 bytes
9438 * protocol_name >=1 byte
9439 */
9440 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
9441
9442 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9443 p += 2;
9444 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
9445 protocol_name_list = p;
9446 protocol_name_list_end = p + protocol_name_list_len;
9447
9448 /* Validate peer's list (lengths) */
9449 while (p < protocol_name_list_end) {
9450 protocol_name_len = *p++;
9451 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end,
9452 protocol_name_len);
9453 if (protocol_name_len == 0) {
9454 MBEDTLS_SSL_PEND_FATAL_ALERT(
9455 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
9456 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
9457 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
9458 }
9459
9460 p += protocol_name_len;
9461 }
9462
9463 /* Use our order of preference */
9464 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
9465 size_t const alpn_len = strlen(*alpn);
9466 p = protocol_name_list;
9467 while (p < protocol_name_list_end) {
9468 protocol_name_len = *p++;
9469 if (protocol_name_len == alpn_len &&
9470 memcmp(p, *alpn, alpn_len) == 0) {
9471 ssl->alpn_chosen = *alpn;
9472 return 0;
9473 }
9474
9475 p += protocol_name_len;
9476 }
9477 }
9478
9479 /* If we get here, no match was found */
9480 MBEDTLS_SSL_PEND_FATAL_ALERT(
9481 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
9482 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL);
9483 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL;
9484 }
9485
mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)9486 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
9487 unsigned char *buf,
9488 unsigned char *end,
9489 size_t *out_len)
9490 {
9491 unsigned char *p = buf;
9492 size_t protocol_name_len;
9493 *out_len = 0;
9494
9495 if (ssl->alpn_chosen == NULL) {
9496 return 0;
9497 }
9498
9499 protocol_name_len = strlen(ssl->alpn_chosen);
9500 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len);
9501
9502 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension"));
9503 /*
9504 * 0 . 1 ext identifier
9505 * 2 . 3 ext length
9506 * 4 . 5 protocol list length
9507 * 6 . 6 protocol name length
9508 * 7 . 7+n protocol name
9509 */
9510 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
9511
9512 *out_len = 7 + protocol_name_len;
9513
9514 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2);
9515 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4);
9516 /* Note: the length of the chosen protocol has been checked to be less
9517 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
9518 */
9519 p[6] = MBEDTLS_BYTE_0(protocol_name_len);
9520
9521 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len);
9522
9523 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9524 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
9525 #endif
9526
9527 return 0;
9528 }
9529 #endif /* MBEDTLS_SSL_ALPN */
9530
9531 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
9532 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
9533 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
9534 defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_session_set_hostname(mbedtls_ssl_session * session,const char * hostname)9535 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
9536 const char *hostname)
9537 {
9538 /* Initialize to suppress unnecessary compiler warning */
9539 size_t hostname_len = 0;
9540
9541 /* Check if new hostname is valid before
9542 * making any change to current one */
9543 if (hostname != NULL) {
9544 hostname_len = strlen(hostname);
9545
9546 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
9547 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9548 }
9549 }
9550
9551 /* Now it's clear that we will overwrite the old hostname,
9552 * so we can free it safely */
9553 if (session->hostname != NULL) {
9554 mbedtls_zeroize_and_free(session->hostname,
9555 strlen(session->hostname));
9556 }
9557
9558 /* Passing NULL as hostname shall clear the old one */
9559 if (hostname == NULL) {
9560 session->hostname = NULL;
9561 } else {
9562 session->hostname = mbedtls_calloc(1, hostname_len + 1);
9563 if (session->hostname == NULL) {
9564 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9565 }
9566
9567 memcpy(session->hostname, hostname, hostname_len);
9568 }
9569
9570 return 0;
9571 }
9572 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
9573 MBEDTLS_SSL_SESSION_TICKETS &&
9574 MBEDTLS_SSL_SERVER_NAME_INDICATION &&
9575 MBEDTLS_SSL_CLI_C */
9576
9577 #endif /* MBEDTLS_SSL_TLS_C */
9578
