1 /*
2 * TLS shared functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * http://www.ietf.org/rfc/rfc2246.txt
21 * http://www.ietf.org/rfc/rfc4346.txt
22 */
23
24 #include "common.h"
25
26 #if defined(MBEDTLS_SSL_TLS_C)
27
28 #include "mbedtls/platform.h"
29
30 #include "mbedtls/ssl.h"
31 #include "ssl_client.h"
32 #include "ssl_debug_helpers.h"
33 #include "ssl_misc.h"
34
35 #include "mbedtls/debug.h"
36 #include "mbedtls/error.h"
37 #include "mbedtls/platform_util.h"
38 #include "mbedtls/version.h"
39 #include "mbedtls/constant_time.h"
40
41 #include <string.h>
42
43 #if defined(MBEDTLS_USE_PSA_CRYPTO)
44 #include "mbedtls/psa_util.h"
45 #include "psa/crypto.h"
46 #endif
47 #include "mbedtls/legacy_or_psa.h"
48
49 #if defined(MBEDTLS_X509_CRT_PARSE_C)
50 #include "mbedtls/oid.h"
51 #endif
52
53 #if defined(MBEDTLS_USE_PSA_CRYPTO)
54 #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
55 psa_to_ssl_errors, \
56 psa_generic_status_to_mbedtls)
57 #define PSA_TO_MD_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
58 psa_to_md_errors, \
59 psa_generic_status_to_mbedtls)
60 #endif
61
62 #if defined(MBEDTLS_TEST_HOOKS)
63 static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
64
mbedtls_ssl_set_chk_buf_ptr_fail_args(const uint8_t * cur,const uint8_t * end,size_t need)65 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
66 const uint8_t *cur, const uint8_t *end, size_t need)
67 {
68 chk_buf_ptr_fail_args.cur = cur;
69 chk_buf_ptr_fail_args.end = end;
70 chk_buf_ptr_fail_args.need = need;
71 }
72
mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)73 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
74 {
75 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
76 }
77
mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args * args)78 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
79 {
80 return (chk_buf_ptr_fail_args.cur != args->cur) ||
81 (chk_buf_ptr_fail_args.end != args->end) ||
82 (chk_buf_ptr_fail_args.need != args->need);
83 }
84 #endif /* MBEDTLS_TEST_HOOKS */
85
86 #if defined(MBEDTLS_SSL_PROTO_DTLS)
87
88 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
89 /* Top-level Connection ID API */
90
mbedtls_ssl_conf_cid(mbedtls_ssl_config * conf,size_t len,int ignore_other_cid)91 int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
92 size_t len,
93 int ignore_other_cid)
94 {
95 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
96 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
97 }
98
99 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
100 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
101 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
102 }
103
104 conf->ignore_unexpected_cid = ignore_other_cid;
105 conf->cid_len = len;
106 return 0;
107 }
108
mbedtls_ssl_set_cid(mbedtls_ssl_context * ssl,int enable,unsigned char const * own_cid,size_t own_cid_len)109 int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
110 int enable,
111 unsigned char const *own_cid,
112 size_t own_cid_len)
113 {
114 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
115 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
116 }
117
118 ssl->negotiate_cid = enable;
119 if (enable == MBEDTLS_SSL_CID_DISABLED) {
120 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
121 return 0;
122 }
123 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
124 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
125
126 if (own_cid_len != ssl->conf->cid_len) {
127 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
128 (unsigned) own_cid_len,
129 (unsigned) ssl->conf->cid_len));
130 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
131 }
132
133 memcpy(ssl->own_cid, own_cid, own_cid_len);
134 /* Truncation is not an issue here because
135 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
136 ssl->own_cid_len = (uint8_t) own_cid_len;
137
138 return 0;
139 }
140
mbedtls_ssl_get_own_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],size_t * own_cid_len)141 int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
142 int *enabled,
143 unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
144 size_t *own_cid_len)
145 {
146 *enabled = MBEDTLS_SSL_CID_DISABLED;
147
148 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
149 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
150 }
151
152 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
153 * zero as this is indistinguishable from not requesting to use
154 * the CID extension. */
155 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
156 return 0;
157 }
158
159 if (own_cid_len != NULL) {
160 *own_cid_len = ssl->own_cid_len;
161 if (own_cid != NULL) {
162 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
163 }
164 }
165
166 *enabled = MBEDTLS_SSL_CID_ENABLED;
167
168 return 0;
169 }
170
mbedtls_ssl_get_peer_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],size_t * peer_cid_len)171 int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
172 int *enabled,
173 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
174 size_t *peer_cid_len)
175 {
176 *enabled = MBEDTLS_SSL_CID_DISABLED;
177
178 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
179 mbedtls_ssl_is_handshake_over(ssl) == 0) {
180 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
181 }
182
183 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
184 * were used, but client and server requested the empty CID.
185 * This is indistinguishable from not using the CID extension
186 * in the first place. */
187 if (ssl->transform_in->in_cid_len == 0 &&
188 ssl->transform_in->out_cid_len == 0) {
189 return 0;
190 }
191
192 if (peer_cid_len != NULL) {
193 *peer_cid_len = ssl->transform_in->out_cid_len;
194 if (peer_cid != NULL) {
195 memcpy(peer_cid, ssl->transform_in->out_cid,
196 ssl->transform_in->out_cid_len);
197 }
198 }
199
200 *enabled = MBEDTLS_SSL_CID_ENABLED;
201
202 return 0;
203 }
204 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
205
206 #endif /* MBEDTLS_SSL_PROTO_DTLS */
207
208 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
209 /*
210 * Convert max_fragment_length codes to length.
211 * RFC 6066 says:
212 * enum{
213 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
214 * } MaxFragmentLength;
215 * and we add 0 -> extension unused
216 */
ssl_mfl_code_to_length(int mfl)217 static unsigned int ssl_mfl_code_to_length(int mfl)
218 {
219 switch (mfl) {
220 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
221 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
222 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
223 return 512;
224 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
225 return 1024;
226 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
227 return 2048;
228 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
229 return 4096;
230 default:
231 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
232 }
233 }
234 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
235
mbedtls_ssl_session_copy(mbedtls_ssl_session * dst,const mbedtls_ssl_session * src)236 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
237 const mbedtls_ssl_session *src)
238 {
239 mbedtls_ssl_session_free(dst);
240 memcpy(dst, src, sizeof(mbedtls_ssl_session));
241 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
242 dst->ticket = NULL;
243 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
244 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
245 dst->hostname = NULL;
246 #endif
247 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
248
249 #if defined(MBEDTLS_X509_CRT_PARSE_C)
250
251 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
252 if (src->peer_cert != NULL) {
253 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
254
255 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
256 if (dst->peer_cert == NULL) {
257 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
258 }
259
260 mbedtls_x509_crt_init(dst->peer_cert);
261
262 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
263 src->peer_cert->raw.len)) != 0) {
264 mbedtls_free(dst->peer_cert);
265 dst->peer_cert = NULL;
266 return ret;
267 }
268 }
269 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
270 if (src->peer_cert_digest != NULL) {
271 dst->peer_cert_digest =
272 mbedtls_calloc(1, src->peer_cert_digest_len);
273 if (dst->peer_cert_digest == NULL) {
274 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
275 }
276
277 memcpy(dst->peer_cert_digest, src->peer_cert_digest,
278 src->peer_cert_digest_len);
279 dst->peer_cert_digest_type = src->peer_cert_digest_type;
280 dst->peer_cert_digest_len = src->peer_cert_digest_len;
281 }
282 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
283
284 #endif /* MBEDTLS_X509_CRT_PARSE_C */
285
286 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
287 if (src->ticket != NULL) {
288 dst->ticket = mbedtls_calloc(1, src->ticket_len);
289 if (dst->ticket == NULL) {
290 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
291 }
292
293 memcpy(dst->ticket, src->ticket, src->ticket_len);
294 }
295
296 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
297 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
298 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
299 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
300 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
301 if (ret != 0) {
302 return ret;
303 }
304 }
305 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
306 MBEDTLS_SSL_SERVER_NAME_INDICATION */
307 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
308
309 return 0;
310 }
311
312 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
313 MBEDTLS_CHECK_RETURN_CRITICAL
resize_buffer(unsigned char ** buffer,size_t len_new,size_t * len_old)314 static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
315 {
316 unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
317 if (resized_buffer == NULL) {
318 return -1;
319 }
320
321 /* We want to copy len_new bytes when downsizing the buffer, and
322 * len_old bytes when upsizing, so we choose the smaller of two sizes,
323 * to fit one buffer into another. Size checks, ensuring that no data is
324 * lost, are done outside of this function. */
325 memcpy(resized_buffer, *buffer,
326 (len_new < *len_old) ? len_new : *len_old);
327 mbedtls_platform_zeroize(*buffer, *len_old);
328 mbedtls_free(*buffer);
329
330 *buffer = resized_buffer;
331 *len_old = len_new;
332
333 return 0;
334 }
335
handle_buffer_resizing(mbedtls_ssl_context * ssl,int downsizing,size_t in_buf_new_len,size_t out_buf_new_len)336 static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
337 size_t in_buf_new_len,
338 size_t out_buf_new_len)
339 {
340 int modified = 0;
341 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
342 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
343 if (ssl->in_buf != NULL) {
344 written_in = ssl->in_msg - ssl->in_buf;
345 iv_offset_in = ssl->in_iv - ssl->in_buf;
346 len_offset_in = ssl->in_len - ssl->in_buf;
347 if (downsizing ?
348 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
349 ssl->in_buf_len < in_buf_new_len) {
350 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
351 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
352 } else {
353 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
354 in_buf_new_len));
355 modified = 1;
356 }
357 }
358 }
359
360 if (ssl->out_buf != NULL) {
361 written_out = ssl->out_msg - ssl->out_buf;
362 iv_offset_out = ssl->out_iv - ssl->out_buf;
363 len_offset_out = ssl->out_len - ssl->out_buf;
364 if (downsizing ?
365 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
366 ssl->out_buf_len < out_buf_new_len) {
367 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
368 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
369 } else {
370 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
371 out_buf_new_len));
372 modified = 1;
373 }
374 }
375 }
376 if (modified) {
377 /* Update pointers here to avoid doing it twice. */
378 mbedtls_ssl_reset_in_out_pointers(ssl);
379 /* Fields below might not be properly updated with record
380 * splitting or with CID, so they are manually updated here. */
381 ssl->out_msg = ssl->out_buf + written_out;
382 ssl->out_len = ssl->out_buf + len_offset_out;
383 ssl->out_iv = ssl->out_buf + iv_offset_out;
384
385 ssl->in_msg = ssl->in_buf + written_in;
386 ssl->in_len = ssl->in_buf + len_offset_in;
387 ssl->in_iv = ssl->in_buf + iv_offset_in;
388 }
389 }
390 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
391
392 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
393
394 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
395 typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
396 const char *label,
397 const unsigned char *random, size_t rlen,
398 unsigned char *dstbuf, size_t dlen);
399
400 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
401
402 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
403
404 /* Type for the TLS PRF */
405 typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
406 const unsigned char *, size_t,
407 unsigned char *, size_t);
408
409 MBEDTLS_CHECK_RETURN_CRITICAL
410 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
411 int ciphersuite,
412 const unsigned char master[48],
413 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
414 int encrypt_then_mac,
415 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
416 ssl_tls_prf_t tls_prf,
417 const unsigned char randbytes[64],
418 mbedtls_ssl_protocol_version tls_version,
419 unsigned endpoint,
420 const mbedtls_ssl_context *ssl);
421
422 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
423 MBEDTLS_CHECK_RETURN_CRITICAL
424 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
425 const char *label,
426 const unsigned char *random, size_t rlen,
427 unsigned char *dstbuf, size_t dlen);
428 static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
429 static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
430
431 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
432
433 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
434 MBEDTLS_CHECK_RETURN_CRITICAL
435 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
436 const char *label,
437 const unsigned char *random, size_t rlen,
438 unsigned char *dstbuf, size_t dlen);
439
440 static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
441 static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
442 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
443
444 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
445 unsigned char *buf,
446 size_t buf_len);
447
448 MBEDTLS_CHECK_RETURN_CRITICAL
449 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
450 const unsigned char *buf,
451 size_t len);
452 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
453
454 static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
455
456 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
457 static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
458 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
459
460 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
461 static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
462 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
463
mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)464 int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
465 const unsigned char *secret, size_t slen,
466 const char *label,
467 const unsigned char *random, size_t rlen,
468 unsigned char *dstbuf, size_t dlen)
469 {
470 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
471
472 switch (prf) {
473 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
474 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
475 case MBEDTLS_SSL_TLS_PRF_SHA384:
476 tls_prf = tls_prf_sha384;
477 break;
478 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
479 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
480 case MBEDTLS_SSL_TLS_PRF_SHA256:
481 tls_prf = tls_prf_sha256;
482 break;
483 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
484 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
485 default:
486 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
487 }
488
489 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
490 }
491
492 #if defined(MBEDTLS_X509_CRT_PARSE_C)
ssl_clear_peer_cert(mbedtls_ssl_session * session)493 static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
494 {
495 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
496 if (session->peer_cert != NULL) {
497 mbedtls_x509_crt_free(session->peer_cert);
498 mbedtls_free(session->peer_cert);
499 session->peer_cert = NULL;
500 }
501 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
502 if (session->peer_cert_digest != NULL) {
503 /* Zeroization is not necessary. */
504 mbedtls_free(session->peer_cert_digest);
505 session->peer_cert_digest = NULL;
506 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
507 session->peer_cert_digest_len = 0;
508 }
509 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
510 }
511 #endif /* MBEDTLS_X509_CRT_PARSE_C */
512
mbedtls_ssl_get_extension_id(unsigned int extension_type)513 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
514 {
515 switch (extension_type) {
516 case MBEDTLS_TLS_EXT_SERVERNAME:
517 return MBEDTLS_SSL_EXT_ID_SERVERNAME;
518
519 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
520 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH;
521
522 case MBEDTLS_TLS_EXT_STATUS_REQUEST:
523 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST;
524
525 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
526 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS;
527
528 case MBEDTLS_TLS_EXT_SIG_ALG:
529 return MBEDTLS_SSL_EXT_ID_SIG_ALG;
530
531 case MBEDTLS_TLS_EXT_USE_SRTP:
532 return MBEDTLS_SSL_EXT_ID_USE_SRTP;
533
534 case MBEDTLS_TLS_EXT_HEARTBEAT:
535 return MBEDTLS_SSL_EXT_ID_HEARTBEAT;
536
537 case MBEDTLS_TLS_EXT_ALPN:
538 return MBEDTLS_SSL_EXT_ID_ALPN;
539
540 case MBEDTLS_TLS_EXT_SCT:
541 return MBEDTLS_SSL_EXT_ID_SCT;
542
543 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
544 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE;
545
546 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
547 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE;
548
549 case MBEDTLS_TLS_EXT_PADDING:
550 return MBEDTLS_SSL_EXT_ID_PADDING;
551
552 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
553 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY;
554
555 case MBEDTLS_TLS_EXT_EARLY_DATA:
556 return MBEDTLS_SSL_EXT_ID_EARLY_DATA;
557
558 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
559 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS;
560
561 case MBEDTLS_TLS_EXT_COOKIE:
562 return MBEDTLS_SSL_EXT_ID_COOKIE;
563
564 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
565 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES;
566
567 case MBEDTLS_TLS_EXT_CERT_AUTH:
568 return MBEDTLS_SSL_EXT_ID_CERT_AUTH;
569
570 case MBEDTLS_TLS_EXT_OID_FILTERS:
571 return MBEDTLS_SSL_EXT_ID_OID_FILTERS;
572
573 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
574 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH;
575
576 case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
577 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT;
578
579 case MBEDTLS_TLS_EXT_KEY_SHARE:
580 return MBEDTLS_SSL_EXT_ID_KEY_SHARE;
581
582 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
583 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC;
584
585 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
586 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS;
587
588 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
589 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC;
590
591 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
592 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET;
593
594 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
595 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT;
596
597 case MBEDTLS_TLS_EXT_SESSION_TICKET:
598 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET;
599
600 }
601
602 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
603 }
604
mbedtls_ssl_get_extension_mask(unsigned int extension_type)605 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
606 {
607 return 1 << mbedtls_ssl_get_extension_id(extension_type);
608 }
609
610 #if defined(MBEDTLS_DEBUG_C)
611 static const char *extension_name_table[] = {
612 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
613 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
614 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
615 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
616 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
617 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
618 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
619 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
620 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
621 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
622 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
623 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
624 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
625 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
626 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
627 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
628 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
629 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
630 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
631 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
632 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
633 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
634 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
635 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
636 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
637 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
638 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
639 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
640 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
641 };
642
643 static unsigned int extension_type_table[] = {
644 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
645 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
646 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
647 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
648 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
649 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
650 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
651 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
652 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
653 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
654 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
655 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
656 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
657 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
658 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
659 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
660 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
661 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
662 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
663 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
664 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
665 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
666 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
667 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
668 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
669 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
670 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
671 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
672 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
673 };
674
mbedtls_ssl_get_extension_name(unsigned int extension_type)675 const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
676 {
677 return extension_name_table[
678 mbedtls_ssl_get_extension_id(extension_type)];
679 }
680
ssl_tls13_get_hs_msg_name(int hs_msg_type)681 static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
682 {
683 switch (hs_msg_type) {
684 case MBEDTLS_SSL_HS_CLIENT_HELLO:
685 return "ClientHello";
686 case MBEDTLS_SSL_HS_SERVER_HELLO:
687 return "ServerHello";
688 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
689 return "HelloRetryRequest";
690 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
691 return "NewSessionTicket";
692 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
693 return "EncryptedExtensions";
694 case MBEDTLS_SSL_HS_CERTIFICATE:
695 return "Certificate";
696 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
697 return "CertificateRequest";
698 }
699 return "Unknown";
700 }
701
mbedtls_ssl_print_extension(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,unsigned int extension_type,const char * extra_msg0,const char * extra_msg1)702 void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
703 int level, const char *file, int line,
704 int hs_msg_type, unsigned int extension_type,
705 const char *extra_msg0, const char *extra_msg1)
706 {
707 const char *extra_msg;
708 if (extra_msg0 && extra_msg1) {
709 mbedtls_debug_print_msg(
710 ssl, level, file, line,
711 "%s: %s(%u) extension %s %s.",
712 ssl_tls13_get_hs_msg_name(hs_msg_type),
713 mbedtls_ssl_get_extension_name(extension_type),
714 extension_type,
715 extra_msg0, extra_msg1);
716 return;
717 }
718
719 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
720 if (extra_msg) {
721 mbedtls_debug_print_msg(
722 ssl, level, file, line,
723 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
724 mbedtls_ssl_get_extension_name(extension_type), extension_type,
725 extra_msg);
726 return;
727 }
728
729 mbedtls_debug_print_msg(
730 ssl, level, file, line,
731 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
732 mbedtls_ssl_get_extension_name(extension_type), extension_type);
733 }
734
mbedtls_ssl_print_extensions(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,uint32_t extensions_mask,const char * extra)735 void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
736 int level, const char *file, int line,
737 int hs_msg_type, uint32_t extensions_mask,
738 const char *extra)
739 {
740
741 for (unsigned i = 0;
742 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
743 i++) {
744 mbedtls_ssl_print_extension(
745 ssl, level, file, line, hs_msg_type, extension_type_table[i],
746 extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
747 }
748 }
749
750 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
751 #define ARRAY_LENGTH(a) (sizeof(a) / sizeof(*(a)))
752
753 static const char *ticket_flag_name_table[] =
754 {
755 [0] = "ALLOW_PSK_RESUMPTION",
756 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
757 [3] = "ALLOW_EARLY_DATA",
758 };
759
mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context * ssl,int level,const char * file,int line,unsigned int flags)760 void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
761 int level, const char *file, int line,
762 unsigned int flags)
763 {
764 size_t i;
765
766 mbedtls_debug_print_msg(ssl, level, file, line,
767 "print ticket_flags (0x%02x)", flags);
768
769 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
770
771 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
772 if ((flags & (1 << i))) {
773 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
774 ticket_flag_name_table[i]);
775 }
776 }
777 }
778 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
779
780 #endif /* MBEDTLS_DEBUG_C */
781
mbedtls_ssl_optimize_checksum(mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * ciphersuite_info)782 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
783 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
784 {
785 ((void) ciphersuite_info);
786
787 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
788 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
789 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
790 } else
791 #endif
792 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
793 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
794 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
795 } else
796 #endif
797 {
798 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
799 return;
800 }
801 }
802
mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,size_t total_hs_len)803 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
804 unsigned hs_type,
805 size_t total_hs_len)
806 {
807 unsigned char hs_hdr[4];
808
809 /* Build HS header for checksum update. */
810 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
811 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
812 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
813 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
814
815 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
816 }
817
mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,unsigned char const * msg,size_t msg_len)818 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
819 unsigned hs_type,
820 unsigned char const *msg,
821 size_t msg_len)
822 {
823 int ret;
824 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
825 if (ret != 0) {
826 return ret;
827 }
828 return ssl->handshake->update_checksum(ssl, msg, msg_len);
829 }
830
mbedtls_ssl_reset_checksum(mbedtls_ssl_context * ssl)831 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
832 {
833 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
834 defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
835 #if defined(MBEDTLS_USE_PSA_CRYPTO)
836 psa_status_t status;
837 #else
838 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
839 #endif
840 #else /* SHA-256 or SHA-384 */
841 ((void) ssl);
842 #endif /* SHA-256 or SHA-384 */
843 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
844 #if defined(MBEDTLS_USE_PSA_CRYPTO)
845 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
846 if (status != PSA_SUCCESS) {
847 return PSA_TO_MD_ERR(status);
848 }
849 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
850 if (status != PSA_SUCCESS) {
851 return PSA_TO_MD_ERR(status);
852 }
853 #else
854 mbedtls_md_free(&ssl->handshake->fin_sha256);
855 mbedtls_md_init(&ssl->handshake->fin_sha256);
856 ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
857 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
858 0);
859 if (ret != 0) {
860 return ret;
861 }
862 ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
863 if (ret != 0) {
864 return ret;
865 }
866 #endif
867 #endif
868 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
869 #if defined(MBEDTLS_USE_PSA_CRYPTO)
870 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
871 if (status != PSA_SUCCESS) {
872 return PSA_TO_MD_ERR(status);
873 }
874 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
875 if (status != PSA_SUCCESS) {
876 return PSA_TO_MD_ERR(status);
877 }
878 #else
879 mbedtls_md_free(&ssl->handshake->fin_sha384);
880 mbedtls_md_init(&ssl->handshake->fin_sha384);
881 ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
882 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
883 if (ret != 0) {
884 return ret;
885 }
886 ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
887 if (ret != 0) {
888 return ret;
889 }
890 #endif
891 #endif
892 return 0;
893 }
894
ssl_update_checksum_start(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)895 static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
896 const unsigned char *buf, size_t len)
897 {
898 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
899 defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
900 #if defined(MBEDTLS_USE_PSA_CRYPTO)
901 psa_status_t status;
902 #else
903 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
904 #endif
905 #else /* SHA-256 or SHA-384 */
906 ((void) ssl);
907 (void) buf;
908 (void) len;
909 #endif /* SHA-256 or SHA-384 */
910 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
911 #if defined(MBEDTLS_USE_PSA_CRYPTO)
912 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
913 if (status != PSA_SUCCESS) {
914 return PSA_TO_MD_ERR(status);
915 }
916 #else
917 ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
918 if (ret != 0) {
919 return ret;
920 }
921 #endif
922 #endif
923 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
924 #if defined(MBEDTLS_USE_PSA_CRYPTO)
925 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
926 if (status != PSA_SUCCESS) {
927 return PSA_TO_MD_ERR(status);
928 }
929 #else
930 ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
931 if (ret != 0) {
932 return ret;
933 }
934 #endif
935 #endif
936 return 0;
937 }
938
939 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
ssl_update_checksum_sha256(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)940 static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
941 const unsigned char *buf, size_t len)
942 {
943 #if defined(MBEDTLS_USE_PSA_CRYPTO)
944 return PSA_TO_MD_ERR(psa_hash_update(
945 &ssl->handshake->fin_sha256_psa, buf, len));
946 #else
947 return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
948 #endif
949 }
950 #endif
951
952 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
ssl_update_checksum_sha384(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)953 static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
954 const unsigned char *buf, size_t len)
955 {
956 #if defined(MBEDTLS_USE_PSA_CRYPTO)
957 return PSA_TO_MD_ERR(psa_hash_update(
958 &ssl->handshake->fin_sha384_psa, buf, len));
959 #else
960 return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
961 #endif
962 }
963 #endif
964
ssl_handshake_params_init(mbedtls_ssl_handshake_params * handshake)965 static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
966 {
967 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
968
969 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
970 #if defined(MBEDTLS_USE_PSA_CRYPTO)
971 handshake->fin_sha256_psa = psa_hash_operation_init();
972 #else
973 mbedtls_md_init(&handshake->fin_sha256);
974 #endif
975 #endif
976 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
977 #if defined(MBEDTLS_USE_PSA_CRYPTO)
978 handshake->fin_sha384_psa = psa_hash_operation_init();
979 #else
980 mbedtls_md_init(&handshake->fin_sha384);
981 #endif
982 #endif
983
984 handshake->update_checksum = ssl_update_checksum_start;
985
986 #if defined(MBEDTLS_DHM_C)
987 mbedtls_dhm_init(&handshake->dhm_ctx);
988 #endif
989 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C)
990 mbedtls_ecdh_init(&handshake->ecdh_ctx);
991 #endif
992 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
993 #if defined(MBEDTLS_USE_PSA_CRYPTO)
994 handshake->psa_pake_ctx = psa_pake_operation_init();
995 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
996 #else
997 mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
998 #endif /* MBEDTLS_USE_PSA_CRYPTO */
999 #if defined(MBEDTLS_SSL_CLI_C)
1000 handshake->ecjpake_cache = NULL;
1001 handshake->ecjpake_cache_len = 0;
1002 #endif
1003 #endif
1004
1005 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
1006 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
1007 #endif
1008
1009 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1010 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
1011 #endif
1012
1013 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1014 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1015 mbedtls_pk_init(&handshake->peer_pubkey);
1016 #endif
1017 }
1018
mbedtls_ssl_transform_init(mbedtls_ssl_transform * transform)1019 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
1020 {
1021 memset(transform, 0, sizeof(mbedtls_ssl_transform));
1022
1023 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1024 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
1025 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
1026 #else
1027 mbedtls_cipher_init(&transform->cipher_ctx_enc);
1028 mbedtls_cipher_init(&transform->cipher_ctx_dec);
1029 #endif
1030
1031 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1032 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1033 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
1034 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
1035 #else
1036 mbedtls_md_init(&transform->md_ctx_enc);
1037 mbedtls_md_init(&transform->md_ctx_dec);
1038 #endif
1039 #endif
1040 }
1041
mbedtls_ssl_session_init(mbedtls_ssl_session * session)1042 void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
1043 {
1044 memset(session, 0, sizeof(mbedtls_ssl_session));
1045 }
1046
1047 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_handshake_init(mbedtls_ssl_context * ssl)1048 static int ssl_handshake_init(mbedtls_ssl_context *ssl)
1049 {
1050 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1051
1052 /* Clear old handshake information if present */
1053 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1054 if (ssl->transform_negotiate) {
1055 mbedtls_ssl_transform_free(ssl->transform_negotiate);
1056 }
1057 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1058 if (ssl->session_negotiate) {
1059 mbedtls_ssl_session_free(ssl->session_negotiate);
1060 }
1061 if (ssl->handshake) {
1062 mbedtls_ssl_handshake_free(ssl);
1063 }
1064
1065 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1066 /*
1067 * Either the pointers are now NULL or cleared properly and can be freed.
1068 * Now allocate missing structures.
1069 */
1070 if (ssl->transform_negotiate == NULL) {
1071 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
1072 }
1073 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1074
1075 if (ssl->session_negotiate == NULL) {
1076 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
1077 }
1078
1079 if (ssl->handshake == NULL) {
1080 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
1081 }
1082 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1083 /* If the buffers are too small - reallocate */
1084
1085 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
1086 MBEDTLS_SSL_OUT_BUFFER_LEN);
1087 #endif
1088
1089 /* All pointers should exist and can be directly freed without issue */
1090 if (ssl->handshake == NULL ||
1091 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1092 ssl->transform_negotiate == NULL ||
1093 #endif
1094 ssl->session_negotiate == NULL) {
1095 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
1096
1097 mbedtls_free(ssl->handshake);
1098 ssl->handshake = NULL;
1099
1100 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1101 mbedtls_free(ssl->transform_negotiate);
1102 ssl->transform_negotiate = NULL;
1103 #endif
1104
1105 mbedtls_free(ssl->session_negotiate);
1106 ssl->session_negotiate = NULL;
1107
1108 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1109 }
1110
1111 /* Initialize structures */
1112 mbedtls_ssl_session_init(ssl->session_negotiate);
1113 ssl_handshake_params_init(ssl->handshake);
1114
1115 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1116 mbedtls_ssl_transform_init(ssl->transform_negotiate);
1117 #endif
1118
1119 /* Setup handshake checksums */
1120 ret = mbedtls_ssl_reset_checksum(ssl);
1121 if (ret != 0) {
1122 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1123 return ret;
1124 }
1125
1126 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
1127 defined(MBEDTLS_SSL_SRV_C) && \
1128 defined(MBEDTLS_SSL_SESSION_TICKETS)
1129 ssl->handshake->new_session_tickets_count =
1130 ssl->conf->new_session_tickets_count;
1131 #endif
1132
1133 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1134 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1135 ssl->handshake->alt_transform_out = ssl->transform_out;
1136
1137 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
1138 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
1139 } else {
1140 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
1141 }
1142
1143 mbedtls_ssl_set_timer(ssl, 0);
1144 }
1145 #endif
1146
1147 /*
1148 * curve_list is translated to IANA TLS group identifiers here because
1149 * mbedtls_ssl_conf_curves returns void and so can't return
1150 * any error codes.
1151 */
1152 #if defined(MBEDTLS_ECP_C)
1153 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1154 /* Heap allocate and translate curve_list from internal to IANA group ids */
1155 if (ssl->conf->curve_list != NULL) {
1156 size_t length;
1157 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
1158
1159 for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE) &&
1160 (length < MBEDTLS_ECP_DP_MAX); length++) {
1161 }
1162
1163 /* Leave room for zero termination */
1164 uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t));
1165 if (group_list == NULL) {
1166 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1167 }
1168
1169 for (size_t i = 0; i < length; i++) {
1170 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
1171 curve_list[i]);
1172 if (tls_id == 0) {
1173 mbedtls_free(group_list);
1174 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1175 }
1176 group_list[i] = tls_id;
1177 }
1178
1179 group_list[length] = 0;
1180
1181 ssl->handshake->group_list = group_list;
1182 ssl->handshake->group_list_heap_allocated = 1;
1183 } else {
1184 ssl->handshake->group_list = ssl->conf->group_list;
1185 ssl->handshake->group_list_heap_allocated = 0;
1186 }
1187 #endif /* MBEDTLS_DEPRECATED_REMOVED */
1188 #endif /* MBEDTLS_ECP_C */
1189
1190 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1191 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1192 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1193 /* Heap allocate and translate sig_hashes from internal hash identifiers to
1194 signature algorithms IANA identifiers. */
1195 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
1196 ssl->conf->sig_hashes != NULL) {
1197 const int *md;
1198 const int *sig_hashes = ssl->conf->sig_hashes;
1199 size_t sig_algs_len = 0;
1200 uint16_t *p;
1201
1202 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN
1203 <= (SIZE_MAX - (2 * sizeof(uint16_t))),
1204 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");
1205
1206 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1207 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
1208 continue;
1209 }
1210 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
1211 sig_algs_len += sizeof(uint16_t);
1212 #endif
1213
1214 #if defined(MBEDTLS_RSA_C)
1215 sig_algs_len += sizeof(uint16_t);
1216 #endif
1217 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
1218 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1219 }
1220 }
1221
1222 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
1223 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1224 }
1225
1226 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
1227 sizeof(uint16_t));
1228 if (ssl->handshake->sig_algs == NULL) {
1229 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1230 }
1231
1232 p = (uint16_t *) ssl->handshake->sig_algs;
1233 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1234 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
1235 if (hash == MBEDTLS_SSL_HASH_NONE) {
1236 continue;
1237 }
1238 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
1239 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
1240 p++;
1241 #endif
1242 #if defined(MBEDTLS_RSA_C)
1243 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
1244 p++;
1245 #endif
1246 }
1247 *p = MBEDTLS_TLS_SIG_NONE;
1248 ssl->handshake->sig_algs_heap_allocated = 1;
1249 } else
1250 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1251 {
1252 ssl->handshake->sig_algs_heap_allocated = 0;
1253 }
1254 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1255 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
1256 return 0;
1257 }
1258
1259 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1260 /* Dummy cookie callbacks for defaults */
1261 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_write_dummy(void * ctx,unsigned char ** p,unsigned char * end,const unsigned char * cli_id,size_t cli_id_len)1262 static int ssl_cookie_write_dummy(void *ctx,
1263 unsigned char **p, unsigned char *end,
1264 const unsigned char *cli_id, size_t cli_id_len)
1265 {
1266 ((void) ctx);
1267 ((void) p);
1268 ((void) end);
1269 ((void) cli_id);
1270 ((void) cli_id_len);
1271
1272 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1273 }
1274
1275 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_check_dummy(void * ctx,const unsigned char * cookie,size_t cookie_len,const unsigned char * cli_id,size_t cli_id_len)1276 static int ssl_cookie_check_dummy(void *ctx,
1277 const unsigned char *cookie, size_t cookie_len,
1278 const unsigned char *cli_id, size_t cli_id_len)
1279 {
1280 ((void) ctx);
1281 ((void) cookie);
1282 ((void) cookie_len);
1283 ((void) cli_id);
1284 ((void) cli_id_len);
1285
1286 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1287 }
1288 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
1289
1290 /*
1291 * Initialize an SSL context
1292 */
mbedtls_ssl_init(mbedtls_ssl_context * ssl)1293 void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
1294 {
1295 memset(ssl, 0, sizeof(mbedtls_ssl_context));
1296 }
1297
1298 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_version_check(const mbedtls_ssl_context * ssl)1299 static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
1300 {
1301 const mbedtls_ssl_config *conf = ssl->conf;
1302
1303 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1304 if (mbedtls_ssl_conf_is_tls13_only(conf)) {
1305 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1306 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
1307 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1308 }
1309
1310 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
1311 return 0;
1312 }
1313 #endif
1314
1315 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1316 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
1317 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
1318 return 0;
1319 }
1320 #endif
1321
1322 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
1323 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
1324 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1325 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
1326 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1327 }
1328
1329 if (conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
1330 MBEDTLS_SSL_DEBUG_MSG(1, ("TLS 1.3 server is not supported yet."));
1331 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1332 }
1333
1334
1335 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
1336 return 0;
1337 }
1338 #endif
1339
1340 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
1341 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1342 }
1343
1344 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_check(const mbedtls_ssl_context * ssl)1345 static int ssl_conf_check(const mbedtls_ssl_context *ssl)
1346 {
1347 int ret;
1348 ret = ssl_conf_version_check(ssl);
1349 if (ret != 0) {
1350 return ret;
1351 }
1352
1353 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1354 /* RFC 8446 section 4.4.3
1355 *
1356 * If the verification fails, the receiver MUST terminate the handshake with
1357 * a "decrypt_error" alert.
1358 *
1359 * If the client is configured as TLS 1.3 only with optional verify, return
1360 * bad config.
1361 *
1362 */
1363 if (mbedtls_ssl_conf_tls13_ephemeral_enabled(
1364 (mbedtls_ssl_context *) ssl) &&
1365 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
1366 ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1367 ssl->conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1368 ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
1369 MBEDTLS_SSL_DEBUG_MSG(
1370 1, ("Optional verify auth mode "
1371 "is not available for TLS 1.3 client"));
1372 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1373 }
1374 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1375
1376 /* Space for further checks */
1377
1378 return 0;
1379 }
1380
1381 /*
1382 * Setup an SSL context
1383 */
1384
mbedtls_ssl_setup(mbedtls_ssl_context * ssl,const mbedtls_ssl_config * conf)1385 int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
1386 const mbedtls_ssl_config *conf)
1387 {
1388 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1389 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1390 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1391
1392 ssl->conf = conf;
1393
1394 if ((ret = ssl_conf_check(ssl)) != 0) {
1395 return ret;
1396 }
1397
1398 /*
1399 * Prepare base structures
1400 */
1401
1402 /* Set to NULL in case of an error condition */
1403 ssl->out_buf = NULL;
1404
1405 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1406 ssl->in_buf_len = in_buf_len;
1407 #endif
1408 ssl->in_buf = mbedtls_calloc(1, in_buf_len);
1409 if (ssl->in_buf == NULL) {
1410 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
1411 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1412 goto error;
1413 }
1414
1415 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1416 ssl->out_buf_len = out_buf_len;
1417 #endif
1418 ssl->out_buf = mbedtls_calloc(1, out_buf_len);
1419 if (ssl->out_buf == NULL) {
1420 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
1421 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1422 goto error;
1423 }
1424
1425 mbedtls_ssl_reset_in_out_pointers(ssl);
1426
1427 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1428 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
1429 #endif
1430
1431 if ((ret = ssl_handshake_init(ssl)) != 0) {
1432 goto error;
1433 }
1434
1435 return 0;
1436
1437 error:
1438 mbedtls_free(ssl->in_buf);
1439 mbedtls_free(ssl->out_buf);
1440
1441 ssl->conf = NULL;
1442
1443 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1444 ssl->in_buf_len = 0;
1445 ssl->out_buf_len = 0;
1446 #endif
1447 ssl->in_buf = NULL;
1448 ssl->out_buf = NULL;
1449
1450 ssl->in_hdr = NULL;
1451 ssl->in_ctr = NULL;
1452 ssl->in_len = NULL;
1453 ssl->in_iv = NULL;
1454 ssl->in_msg = NULL;
1455
1456 ssl->out_hdr = NULL;
1457 ssl->out_ctr = NULL;
1458 ssl->out_len = NULL;
1459 ssl->out_iv = NULL;
1460 ssl->out_msg = NULL;
1461
1462 return ret;
1463 }
1464
1465 /*
1466 * Reset an initialized and used SSL context for re-use while retaining
1467 * all application-set variables, function pointers and data.
1468 *
1469 * If partial is non-zero, keep data in the input buffer and client ID.
1470 * (Use when a DTLS client reconnects from the same port.)
1471 */
mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context * ssl,int partial)1472 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1473 int partial)
1474 {
1475 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1476 size_t in_buf_len = ssl->in_buf_len;
1477 size_t out_buf_len = ssl->out_buf_len;
1478 #else
1479 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1480 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1481 #endif
1482
1483 #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
1484 partial = 0;
1485 #endif
1486
1487 /* Cancel any possibly running timer */
1488 mbedtls_ssl_set_timer(ssl, 0);
1489
1490 mbedtls_ssl_reset_in_out_pointers(ssl);
1491
1492 /* Reset incoming message parsing */
1493 ssl->in_offt = NULL;
1494 ssl->nb_zero = 0;
1495 ssl->in_msgtype = 0;
1496 ssl->in_msglen = 0;
1497 ssl->in_hslen = 0;
1498 ssl->keep_current_message = 0;
1499 ssl->transform_in = NULL;
1500
1501 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1502 ssl->next_record_offset = 0;
1503 ssl->in_epoch = 0;
1504 #endif
1505
1506 /* Keep current datagram if partial == 1 */
1507 if (partial == 0) {
1508 ssl->in_left = 0;
1509 memset(ssl->in_buf, 0, in_buf_len);
1510 }
1511
1512 ssl->send_alert = 0;
1513
1514 /* Reset outgoing message writing */
1515 ssl->out_msgtype = 0;
1516 ssl->out_msglen = 0;
1517 ssl->out_left = 0;
1518 memset(ssl->out_buf, 0, out_buf_len);
1519 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
1520 ssl->transform_out = NULL;
1521
1522 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1523 mbedtls_ssl_dtls_replay_reset(ssl);
1524 #endif
1525
1526 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1527 if (ssl->transform) {
1528 mbedtls_ssl_transform_free(ssl->transform);
1529 mbedtls_free(ssl->transform);
1530 ssl->transform = NULL;
1531 }
1532 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1533
1534 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1535 mbedtls_ssl_transform_free(ssl->transform_application);
1536 mbedtls_free(ssl->transform_application);
1537 ssl->transform_application = NULL;
1538
1539 if (ssl->handshake != NULL) {
1540 #if defined(MBEDTLS_SSL_EARLY_DATA)
1541 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
1542 mbedtls_free(ssl->handshake->transform_earlydata);
1543 ssl->handshake->transform_earlydata = NULL;
1544 #endif
1545
1546 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
1547 mbedtls_free(ssl->handshake->transform_handshake);
1548 ssl->handshake->transform_handshake = NULL;
1549 }
1550
1551 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1552 }
1553
mbedtls_ssl_session_reset_int(mbedtls_ssl_context * ssl,int partial)1554 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
1555 {
1556 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1557
1558 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
1559
1560 mbedtls_ssl_session_reset_msg_layer(ssl, partial);
1561
1562 /* Reset renegotiation state */
1563 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1564 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
1565 ssl->renego_records_seen = 0;
1566
1567 ssl->verify_data_len = 0;
1568 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1569 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1570 #endif
1571 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
1572
1573 ssl->session_in = NULL;
1574 ssl->session_out = NULL;
1575 if (ssl->session) {
1576 mbedtls_ssl_session_free(ssl->session);
1577 mbedtls_free(ssl->session);
1578 ssl->session = NULL;
1579 }
1580
1581 #if defined(MBEDTLS_SSL_ALPN)
1582 ssl->alpn_chosen = NULL;
1583 #endif
1584
1585 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1586 int free_cli_id = 1;
1587 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
1588 free_cli_id = (partial == 0);
1589 #endif
1590 if (free_cli_id) {
1591 mbedtls_free(ssl->cli_id);
1592 ssl->cli_id = NULL;
1593 ssl->cli_id_len = 0;
1594 }
1595 #endif
1596
1597 if ((ret = ssl_handshake_init(ssl)) != 0) {
1598 return ret;
1599 }
1600
1601 return 0;
1602 }
1603
1604 /*
1605 * Reset an initialized and used SSL context for re-use while retaining
1606 * all application-set variables, function pointers and data.
1607 */
mbedtls_ssl_session_reset(mbedtls_ssl_context * ssl)1608 int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
1609 {
1610 return mbedtls_ssl_session_reset_int(ssl, 0);
1611 }
1612
1613 /*
1614 * SSL set accessors
1615 */
mbedtls_ssl_conf_endpoint(mbedtls_ssl_config * conf,int endpoint)1616 void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
1617 {
1618 conf->endpoint = endpoint;
1619 }
1620
mbedtls_ssl_conf_transport(mbedtls_ssl_config * conf,int transport)1621 void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
1622 {
1623 conf->transport = transport;
1624 }
1625
1626 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config * conf,char mode)1627 void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
1628 {
1629 conf->anti_replay = mode;
1630 }
1631 #endif
1632
mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config * conf,unsigned limit)1633 void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
1634 {
1635 conf->badmac_limit = limit;
1636 }
1637
1638 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1639
mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context * ssl,unsigned allow_packing)1640 void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
1641 unsigned allow_packing)
1642 {
1643 ssl->disable_datagram_packing = !allow_packing;
1644 }
1645
mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config * conf,uint32_t min,uint32_t max)1646 void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
1647 uint32_t min, uint32_t max)
1648 {
1649 conf->hs_timeout_min = min;
1650 conf->hs_timeout_max = max;
1651 }
1652 #endif
1653
mbedtls_ssl_conf_authmode(mbedtls_ssl_config * conf,int authmode)1654 void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
1655 {
1656 conf->authmode = authmode;
1657 }
1658
1659 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_verify(mbedtls_ssl_config * conf,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1660 void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
1661 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1662 void *p_vrfy)
1663 {
1664 conf->f_vrfy = f_vrfy;
1665 conf->p_vrfy = p_vrfy;
1666 }
1667 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1668
mbedtls_ssl_conf_rng(mbedtls_ssl_config * conf,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1669 void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
1670 int (*f_rng)(void *, unsigned char *, size_t),
1671 void *p_rng)
1672 {
1673 conf->f_rng = f_rng;
1674 conf->p_rng = p_rng;
1675 }
1676
mbedtls_ssl_conf_dbg(mbedtls_ssl_config * conf,void (* f_dbg)(void *,int,const char *,int,const char *),void * p_dbg)1677 void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
1678 void (*f_dbg)(void *, int, const char *, int, const char *),
1679 void *p_dbg)
1680 {
1681 conf->f_dbg = f_dbg;
1682 conf->p_dbg = p_dbg;
1683 }
1684
mbedtls_ssl_set_bio(mbedtls_ssl_context * ssl,void * p_bio,mbedtls_ssl_send_t * f_send,mbedtls_ssl_recv_t * f_recv,mbedtls_ssl_recv_timeout_t * f_recv_timeout)1685 void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
1686 void *p_bio,
1687 mbedtls_ssl_send_t *f_send,
1688 mbedtls_ssl_recv_t *f_recv,
1689 mbedtls_ssl_recv_timeout_t *f_recv_timeout)
1690 {
1691 ssl->p_bio = p_bio;
1692 ssl->f_send = f_send;
1693 ssl->f_recv = f_recv;
1694 ssl->f_recv_timeout = f_recv_timeout;
1695 }
1696
1697 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_set_mtu(mbedtls_ssl_context * ssl,uint16_t mtu)1698 void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
1699 {
1700 ssl->mtu = mtu;
1701 }
1702 #endif
1703
mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config * conf,uint32_t timeout)1704 void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
1705 {
1706 conf->read_timeout = timeout;
1707 }
1708
mbedtls_ssl_set_timer_cb(mbedtls_ssl_context * ssl,void * p_timer,mbedtls_ssl_set_timer_t * f_set_timer,mbedtls_ssl_get_timer_t * f_get_timer)1709 void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
1710 void *p_timer,
1711 mbedtls_ssl_set_timer_t *f_set_timer,
1712 mbedtls_ssl_get_timer_t *f_get_timer)
1713 {
1714 ssl->p_timer = p_timer;
1715 ssl->f_set_timer = f_set_timer;
1716 ssl->f_get_timer = f_get_timer;
1717
1718 /* Make sure we start with no timer running */
1719 mbedtls_ssl_set_timer(ssl, 0);
1720 }
1721
1722 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_session_cache(mbedtls_ssl_config * conf,void * p_cache,mbedtls_ssl_cache_get_t * f_get_cache,mbedtls_ssl_cache_set_t * f_set_cache)1723 void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
1724 void *p_cache,
1725 mbedtls_ssl_cache_get_t *f_get_cache,
1726 mbedtls_ssl_cache_set_t *f_set_cache)
1727 {
1728 conf->p_cache = p_cache;
1729 conf->f_get_cache = f_get_cache;
1730 conf->f_set_cache = f_set_cache;
1731 }
1732 #endif /* MBEDTLS_SSL_SRV_C */
1733
1734 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_set_session(mbedtls_ssl_context * ssl,const mbedtls_ssl_session * session)1735 int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
1736 {
1737 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1738
1739 if (ssl == NULL ||
1740 session == NULL ||
1741 ssl->session_negotiate == NULL ||
1742 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
1743 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1744 }
1745
1746 if (ssl->handshake->resume == 1) {
1747 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1748 }
1749
1750 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1751 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
1752 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1753 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
1754
1755 if (mbedtls_ssl_validate_ciphersuite(
1756 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
1757 MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
1758 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
1759 session->ciphersuite));
1760 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1761 }
1762 }
1763 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1764
1765 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
1766 session)) != 0) {
1767 return ret;
1768 }
1769
1770 ssl->handshake->resume = 1;
1771
1772 return 0;
1773 }
1774 #endif /* MBEDTLS_SSL_CLI_C */
1775
mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config * conf,const int * ciphersuites)1776 void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
1777 const int *ciphersuites)
1778 {
1779 conf->ciphersuite_list = ciphersuites;
1780 }
1781
1782 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config * conf,const int kex_modes)1783 void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
1784 const int kex_modes)
1785 {
1786 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
1787 }
1788
1789 #if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_tls13_conf_early_data(mbedtls_ssl_config * conf,int early_data_enabled)1790 void mbedtls_ssl_tls13_conf_early_data(mbedtls_ssl_config *conf,
1791 int early_data_enabled)
1792 {
1793 conf->early_data_enabled = early_data_enabled;
1794 }
1795
1796 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_tls13_conf_max_early_data_size(mbedtls_ssl_config * conf,uint32_t max_early_data_size)1797 void mbedtls_ssl_tls13_conf_max_early_data_size(
1798 mbedtls_ssl_config *conf, uint32_t max_early_data_size)
1799 {
1800 conf->max_early_data_size = max_early_data_size;
1801 }
1802 #endif /* MBEDTLS_SSL_SRV_C */
1803
1804 #endif /* MBEDTLS_SSL_EARLY_DATA */
1805 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1806
1807 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config * conf,const mbedtls_x509_crt_profile * profile)1808 void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
1809 const mbedtls_x509_crt_profile *profile)
1810 {
1811 conf->cert_profile = profile;
1812 }
1813
ssl_key_cert_free(mbedtls_ssl_key_cert * key_cert)1814 static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
1815 {
1816 mbedtls_ssl_key_cert *cur = key_cert, *next;
1817
1818 while (cur != NULL) {
1819 next = cur->next;
1820 mbedtls_free(cur);
1821 cur = next;
1822 }
1823 }
1824
1825 /* Append a new keycert entry to a (possibly empty) list */
1826 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_append_key_cert(mbedtls_ssl_key_cert ** head,mbedtls_x509_crt * cert,mbedtls_pk_context * key)1827 static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
1828 mbedtls_x509_crt *cert,
1829 mbedtls_pk_context *key)
1830 {
1831 mbedtls_ssl_key_cert *new_cert;
1832
1833 if (cert == NULL) {
1834 /* Free list if cert is null */
1835 ssl_key_cert_free(*head);
1836 *head = NULL;
1837 return 0;
1838 }
1839
1840 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
1841 if (new_cert == NULL) {
1842 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1843 }
1844
1845 new_cert->cert = cert;
1846 new_cert->key = key;
1847 new_cert->next = NULL;
1848
1849 /* Update head if the list was null, else add to the end */
1850 if (*head == NULL) {
1851 *head = new_cert;
1852 } else {
1853 mbedtls_ssl_key_cert *cur = *head;
1854 while (cur->next != NULL) {
1855 cur = cur->next;
1856 }
1857 cur->next = new_cert;
1858 }
1859
1860 return 0;
1861 }
1862
mbedtls_ssl_conf_own_cert(mbedtls_ssl_config * conf,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1863 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
1864 mbedtls_x509_crt *own_cert,
1865 mbedtls_pk_context *pk_key)
1866 {
1867 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
1868 }
1869
mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config * conf,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1870 void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
1871 mbedtls_x509_crt *ca_chain,
1872 mbedtls_x509_crl *ca_crl)
1873 {
1874 conf->ca_chain = ca_chain;
1875 conf->ca_crl = ca_crl;
1876
1877 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1878 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1879 * cannot be used together. */
1880 conf->f_ca_cb = NULL;
1881 conf->p_ca_cb = NULL;
1882 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1883 }
1884
1885 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config * conf,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb)1886 void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
1887 mbedtls_x509_crt_ca_cb_t f_ca_cb,
1888 void *p_ca_cb)
1889 {
1890 conf->f_ca_cb = f_ca_cb;
1891 conf->p_ca_cb = p_ca_cb;
1892
1893 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1894 * cannot be used together. */
1895 conf->ca_chain = NULL;
1896 conf->ca_crl = NULL;
1897 }
1898 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1899 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1900
1901 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_get_hs_sni(mbedtls_ssl_context * ssl,size_t * name_len)1902 const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
1903 size_t *name_len)
1904 {
1905 *name_len = ssl->handshake->sni_name_len;
1906 return ssl->handshake->sni_name;
1907 }
1908
mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context * ssl,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1909 int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
1910 mbedtls_x509_crt *own_cert,
1911 mbedtls_pk_context *pk_key)
1912 {
1913 return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
1914 own_cert, pk_key);
1915 }
1916
mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1917 void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
1918 mbedtls_x509_crt *ca_chain,
1919 mbedtls_x509_crl *ca_crl)
1920 {
1921 ssl->handshake->sni_ca_chain = ca_chain;
1922 ssl->handshake->sni_ca_crl = ca_crl;
1923 }
1924
1925 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context * ssl,const mbedtls_x509_crt * crt)1926 void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
1927 const mbedtls_x509_crt *crt)
1928 {
1929 ssl->handshake->dn_hints = crt;
1930 }
1931 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
1932
mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context * ssl,int authmode)1933 void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
1934 int authmode)
1935 {
1936 ssl->handshake->sni_authmode = authmode;
1937 }
1938 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1939
1940 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_verify(mbedtls_ssl_context * ssl,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1941 void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
1942 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1943 void *p_vrfy)
1944 {
1945 ssl->f_vrfy = f_vrfy;
1946 ssl->p_vrfy = p_vrfy;
1947 }
1948 #endif
1949
1950 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1951
1952 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1953 static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
1954 static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
1955
mbedtls_ssl_set_hs_ecjpake_password_common(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)1956 static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
1957 mbedtls_ssl_context *ssl,
1958 mbedtls_svc_key_id_t pwd)
1959 {
1960 psa_status_t status;
1961 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
1962 const uint8_t *user = NULL;
1963 size_t user_len = 0;
1964 const uint8_t *peer = NULL;
1965 size_t peer_len = 0;
1966 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
1967 psa_pake_cs_set_primitive(&cipher_suite,
1968 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
1969 PSA_ECC_FAMILY_SECP_R1,
1970 256));
1971 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
1972
1973 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite);
1974 if (status != PSA_SUCCESS) {
1975 return status;
1976 }
1977
1978 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
1979 user = jpake_server_id;
1980 user_len = sizeof(jpake_server_id);
1981 peer = jpake_client_id;
1982 peer_len = sizeof(jpake_client_id);
1983 } else {
1984 user = jpake_client_id;
1985 user_len = sizeof(jpake_client_id);
1986 peer = jpake_server_id;
1987 peer_len = sizeof(jpake_server_id);
1988 }
1989
1990 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
1991 if (status != PSA_SUCCESS) {
1992 return status;
1993 }
1994
1995 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
1996 if (status != PSA_SUCCESS) {
1997 return status;
1998 }
1999
2000 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd);
2001 if (status != PSA_SUCCESS) {
2002 return status;
2003 }
2004
2005 ssl->handshake->psa_pake_ctx_is_ok = 1;
2006
2007 return PSA_SUCCESS;
2008 }
2009
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)2010 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2011 const unsigned char *pw,
2012 size_t pw_len)
2013 {
2014 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
2015 psa_status_t status;
2016
2017 if (ssl->handshake == NULL || ssl->conf == NULL) {
2018 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2019 }
2020
2021 /* Empty password is not valid */
2022 if ((pw == NULL) || (pw_len == 0)) {
2023 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2024 }
2025
2026 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
2027 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
2028 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
2029
2030 status = psa_import_key(&attributes, pw, pw_len,
2031 &ssl->handshake->psa_pake_password);
2032 if (status != PSA_SUCCESS) {
2033 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2034 }
2035
2036 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
2037 ssl->handshake->psa_pake_password);
2038 if (status != PSA_SUCCESS) {
2039 psa_destroy_key(ssl->handshake->psa_pake_password);
2040 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2041 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2042 }
2043
2044 return 0;
2045 }
2046
mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)2047 int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
2048 mbedtls_svc_key_id_t pwd)
2049 {
2050 psa_status_t status;
2051
2052 if (ssl->handshake == NULL || ssl->conf == NULL) {
2053 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2054 }
2055
2056 if (mbedtls_svc_key_id_is_null(pwd)) {
2057 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2058 }
2059
2060 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
2061 if (status != PSA_SUCCESS) {
2062 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2063 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2064 }
2065
2066 return 0;
2067 }
2068 #else /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)2069 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2070 const unsigned char *pw,
2071 size_t pw_len)
2072 {
2073 mbedtls_ecjpake_role role;
2074
2075 if (ssl->handshake == NULL || ssl->conf == NULL) {
2076 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2077 }
2078
2079 /* Empty password is not valid */
2080 if ((pw == NULL) || (pw_len == 0)) {
2081 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2082 }
2083
2084 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
2085 role = MBEDTLS_ECJPAKE_SERVER;
2086 } else {
2087 role = MBEDTLS_ECJPAKE_CLIENT;
2088 }
2089
2090 return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx,
2091 role,
2092 MBEDTLS_MD_SHA256,
2093 MBEDTLS_ECP_DP_SECP256R1,
2094 pw, pw_len);
2095 }
2096 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2097 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2098
2099 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const * conf)2100 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
2101 {
2102 if (conf->psk_identity == NULL ||
2103 conf->psk_identity_len == 0) {
2104 return 0;
2105 }
2106
2107 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2108 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2109 return 1;
2110 }
2111 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2112
2113 if (conf->psk != NULL && conf->psk_len != 0) {
2114 return 1;
2115 }
2116
2117 return 0;
2118 }
2119
ssl_conf_remove_psk(mbedtls_ssl_config * conf)2120 static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
2121 {
2122 /* Remove reference to existing PSK, if any. */
2123 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2124 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2125 /* The maintenance of the PSK key slot is the
2126 * user's responsibility. */
2127 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2128 }
2129 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2130 if (conf->psk != NULL) {
2131 mbedtls_platform_zeroize(conf->psk, conf->psk_len);
2132
2133 mbedtls_free(conf->psk);
2134 conf->psk = NULL;
2135 conf->psk_len = 0;
2136 }
2137
2138 /* Remove reference to PSK identity, if any. */
2139 if (conf->psk_identity != NULL) {
2140 mbedtls_free(conf->psk_identity);
2141 conf->psk_identity = NULL;
2142 conf->psk_identity_len = 0;
2143 }
2144 }
2145
2146 /* This function assumes that PSK identity in the SSL config is unset.
2147 * It checks that the provided identity is well-formed and attempts
2148 * to make a copy of it in the SSL config.
2149 * On failure, the PSK identity in the config remains unset. */
2150 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_set_psk_identity(mbedtls_ssl_config * conf,unsigned char const * psk_identity,size_t psk_identity_len)2151 static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
2152 unsigned char const *psk_identity,
2153 size_t psk_identity_len)
2154 {
2155 /* Identity len will be encoded on two bytes */
2156 if (psk_identity == NULL ||
2157 psk_identity_len == 0 ||
2158 (psk_identity_len >> 16) != 0 ||
2159 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2160 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2161 }
2162
2163 conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
2164 if (conf->psk_identity == NULL) {
2165 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2166 }
2167
2168 conf->psk_identity_len = psk_identity_len;
2169 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
2170
2171 return 0;
2172 }
2173
mbedtls_ssl_conf_psk(mbedtls_ssl_config * conf,const unsigned char * psk,size_t psk_len,const unsigned char * psk_identity,size_t psk_identity_len)2174 int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
2175 const unsigned char *psk, size_t psk_len,
2176 const unsigned char *psk_identity, size_t psk_identity_len)
2177 {
2178 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2179
2180 /* We currently only support one PSK, raw or opaque. */
2181 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2182 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2183 }
2184
2185 /* Check and set raw PSK */
2186 if (psk == NULL) {
2187 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2188 }
2189 if (psk_len == 0) {
2190 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2191 }
2192 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2193 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2194 }
2195
2196 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2197 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2198 }
2199 conf->psk_len = psk_len;
2200 memcpy(conf->psk, psk, conf->psk_len);
2201
2202 /* Check and set PSK Identity */
2203 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
2204 if (ret != 0) {
2205 ssl_conf_remove_psk(conf);
2206 }
2207
2208 return ret;
2209 }
2210
ssl_remove_psk(mbedtls_ssl_context * ssl)2211 static void ssl_remove_psk(mbedtls_ssl_context *ssl)
2212 {
2213 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2214 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
2215 /* The maintenance of the external PSK key slot is the
2216 * user's responsibility. */
2217 if (ssl->handshake->psk_opaque_is_internal) {
2218 psa_destroy_key(ssl->handshake->psk_opaque);
2219 ssl->handshake->psk_opaque_is_internal = 0;
2220 }
2221 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2222 }
2223 #else
2224 if (ssl->handshake->psk != NULL) {
2225 mbedtls_platform_zeroize(ssl->handshake->psk,
2226 ssl->handshake->psk_len);
2227 mbedtls_free(ssl->handshake->psk);
2228 ssl->handshake->psk_len = 0;
2229 }
2230 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2231 }
2232
mbedtls_ssl_set_hs_psk(mbedtls_ssl_context * ssl,const unsigned char * psk,size_t psk_len)2233 int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
2234 const unsigned char *psk, size_t psk_len)
2235 {
2236 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2237 psa_key_attributes_t key_attributes = psa_key_attributes_init();
2238 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2239 psa_algorithm_t alg = PSA_ALG_NONE;
2240 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
2241 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2242
2243 if (psk == NULL || ssl->handshake == NULL) {
2244 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2245 }
2246
2247 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2248 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2249 }
2250
2251 ssl_remove_psk(ssl);
2252
2253 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2254 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2255 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2256 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
2257 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
2258 } else {
2259 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
2260 }
2261 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2262 }
2263 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2264
2265 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2266 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2267 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
2268 psa_set_key_usage_flags(&key_attributes,
2269 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
2270 }
2271 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2272
2273 psa_set_key_algorithm(&key_attributes, alg);
2274 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
2275
2276 status = psa_import_key(&key_attributes, psk, psk_len, &key);
2277 if (status != PSA_SUCCESS) {
2278 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2279 }
2280
2281 /* Allow calling psa_destroy_key() on psk remove */
2282 ssl->handshake->psk_opaque_is_internal = 1;
2283 return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
2284 #else
2285 if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2286 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2287 }
2288
2289 ssl->handshake->psk_len = psk_len;
2290 memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);
2291
2292 return 0;
2293 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2294 }
2295
2296 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config * conf,mbedtls_svc_key_id_t psk,const unsigned char * psk_identity,size_t psk_identity_len)2297 int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
2298 mbedtls_svc_key_id_t psk,
2299 const unsigned char *psk_identity,
2300 size_t psk_identity_len)
2301 {
2302 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2303
2304 /* We currently only support one PSK, raw or opaque. */
2305 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2306 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2307 }
2308
2309 /* Check and set opaque PSK */
2310 if (mbedtls_svc_key_id_is_null(psk)) {
2311 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2312 }
2313 conf->psk_opaque = psk;
2314
2315 /* Check and set PSK Identity */
2316 ret = ssl_conf_set_psk_identity(conf, psk_identity,
2317 psk_identity_len);
2318 if (ret != 0) {
2319 ssl_conf_remove_psk(conf);
2320 }
2321
2322 return ret;
2323 }
2324
mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t psk)2325 int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
2326 mbedtls_svc_key_id_t psk)
2327 {
2328 if ((mbedtls_svc_key_id_is_null(psk)) ||
2329 (ssl->handshake == NULL)) {
2330 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2331 }
2332
2333 ssl_remove_psk(ssl);
2334 ssl->handshake->psk_opaque = psk;
2335 return 0;
2336 }
2337 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2338
2339 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config * conf,int (* f_psk)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_psk)2340 void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
2341 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
2342 size_t),
2343 void *p_psk)
2344 {
2345 conf->f_psk = f_psk;
2346 conf->p_psk = p_psk;
2347 }
2348 #endif /* MBEDTLS_SSL_SRV_C */
2349
2350 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2351
2352 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_base_mode(psa_algorithm_t alg)2353 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2354 psa_algorithm_t alg)
2355 {
2356 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2357 if (alg == PSA_ALG_CBC_NO_PADDING) {
2358 return MBEDTLS_SSL_MODE_CBC;
2359 }
2360 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2361 if (PSA_ALG_IS_AEAD(alg)) {
2362 return MBEDTLS_SSL_MODE_AEAD;
2363 }
2364 return MBEDTLS_SSL_MODE_STREAM;
2365 }
2366
2367 #else /* MBEDTLS_USE_PSA_CRYPTO */
2368
mbedtls_ssl_get_base_mode(mbedtls_cipher_mode_t mode)2369 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2370 mbedtls_cipher_mode_t mode)
2371 {
2372 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2373 if (mode == MBEDTLS_MODE_CBC) {
2374 return MBEDTLS_SSL_MODE_CBC;
2375 }
2376 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2377
2378 #if defined(MBEDTLS_GCM_C) || \
2379 defined(MBEDTLS_CCM_C) || \
2380 defined(MBEDTLS_CHACHAPOLY_C)
2381 if (mode == MBEDTLS_MODE_GCM ||
2382 mode == MBEDTLS_MODE_CCM ||
2383 mode == MBEDTLS_MODE_CHACHAPOLY) {
2384 return MBEDTLS_SSL_MODE_AEAD;
2385 }
2386 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
2387
2388 return MBEDTLS_SSL_MODE_STREAM;
2389 }
2390 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2391
mbedtls_ssl_get_actual_mode(mbedtls_ssl_mode_t base_mode,int encrypt_then_mac)2392 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
2393 mbedtls_ssl_mode_t base_mode,
2394 int encrypt_then_mac)
2395 {
2396 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2397 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
2398 base_mode == MBEDTLS_SSL_MODE_CBC) {
2399 return MBEDTLS_SSL_MODE_CBC_ETM;
2400 }
2401 #else
2402 (void) encrypt_then_mac;
2403 #endif
2404 return base_mode;
2405 }
2406
mbedtls_ssl_get_mode_from_transform(const mbedtls_ssl_transform * transform)2407 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2408 const mbedtls_ssl_transform *transform)
2409 {
2410 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
2411 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2412 transform->psa_alg
2413 #else
2414 mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)
2415 #endif
2416 );
2417
2418 int encrypt_then_mac = 0;
2419 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2420 encrypt_then_mac = transform->encrypt_then_mac;
2421 #endif
2422 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2423 }
2424
mbedtls_ssl_get_mode_from_ciphersuite(int encrypt_then_mac,const mbedtls_ssl_ciphersuite_t * suite)2425 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2426 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2427 int encrypt_then_mac,
2428 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2429 const mbedtls_ssl_ciphersuite_t *suite)
2430 {
2431 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
2432
2433 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2434 psa_status_t status;
2435 psa_algorithm_t alg;
2436 psa_key_type_t type;
2437 size_t size;
2438 status = mbedtls_ssl_cipher_to_psa(suite->cipher, 0, &alg, &type, &size);
2439 if (status == PSA_SUCCESS) {
2440 base_mode = mbedtls_ssl_get_base_mode(alg);
2441 }
2442 #else
2443 const mbedtls_cipher_info_t *cipher =
2444 mbedtls_cipher_info_from_type(suite->cipher);
2445 if (cipher != NULL) {
2446 base_mode =
2447 mbedtls_ssl_get_base_mode(
2448 mbedtls_cipher_info_get_mode(cipher));
2449 }
2450 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2451
2452 #if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2453 int encrypt_then_mac = 0;
2454 #endif
2455 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2456 }
2457
2458 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2459
2460 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2461 /* Serialization of TLS 1.3 sessions:
2462 *
2463 * struct {
2464 * opaque hostname<0..2^16-1>;
2465 * uint64 ticket_received;
2466 * uint32 ticket_lifetime;
2467 * opaque ticket<1..2^16-1>;
2468 * } ClientOnlyData;
2469 *
2470 * struct {
2471 * uint8 endpoint;
2472 * uint8 ciphersuite[2];
2473 * uint32 ticket_age_add;
2474 * uint8 ticket_flags;
2475 * opaque resumption_key<0..255>;
2476 * select ( endpoint ) {
2477 * case client: ClientOnlyData;
2478 * case server: uint64 start_time;
2479 * };
2480 * } serialized_session_tls13;
2481 *
2482 */
2483 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2484 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)2485 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
2486 unsigned char *buf,
2487 size_t buf_len,
2488 size_t *olen)
2489 {
2490 unsigned char *p = buf;
2491 #if defined(MBEDTLS_SSL_CLI_C) && \
2492 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2493 size_t hostname_len = (session->hostname == NULL) ?
2494 0 : strlen(session->hostname) + 1;
2495 #endif
2496 size_t needed = 1 /* endpoint */
2497 + 2 /* ciphersuite */
2498 + 4 /* ticket_age_add */
2499 + 1 /* ticket_flags */
2500 + 1; /* resumption_key length */
2501 *olen = 0;
2502
2503 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
2504 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2505 }
2506 needed += session->resumption_key_len; /* resumption_key */
2507
2508 #if defined(MBEDTLS_HAVE_TIME)
2509 needed += 8; /* start_time or ticket_received */
2510 #endif
2511
2512 #if defined(MBEDTLS_SSL_CLI_C)
2513 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
2514 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2515 needed += 2 /* hostname_len */
2516 + hostname_len; /* hostname */
2517 #endif
2518
2519 needed += 4 /* ticket_lifetime */
2520 + 2; /* ticket_len */
2521
2522 /* Check size_t overflow */
2523 if (session->ticket_len > SIZE_MAX - needed) {
2524 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2525 }
2526
2527 needed += session->ticket_len; /* ticket */
2528 }
2529 #endif /* MBEDTLS_SSL_CLI_C */
2530
2531 *olen = needed;
2532 if (needed > buf_len) {
2533 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
2534 }
2535
2536 p[0] = session->endpoint;
2537 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 1);
2538 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 3);
2539 p[7] = session->ticket_flags;
2540
2541 /* save resumption_key */
2542 p[8] = session->resumption_key_len;
2543 p += 9;
2544 memcpy(p, session->resumption_key, session->resumption_key_len);
2545 p += session->resumption_key_len;
2546
2547 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
2548 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
2549 MBEDTLS_PUT_UINT64_BE((uint64_t) session->start, p, 0);
2550 p += 8;
2551 }
2552 #endif /* MBEDTLS_HAVE_TIME */
2553
2554 #if defined(MBEDTLS_SSL_CLI_C)
2555 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
2556 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2557 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
2558 p += 2;
2559 if (hostname_len > 0) {
2560 /* save host name */
2561 memcpy(p, session->hostname, hostname_len);
2562 p += hostname_len;
2563 }
2564 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2565
2566 #if defined(MBEDTLS_HAVE_TIME)
2567 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_received, p, 0);
2568 p += 8;
2569 #endif
2570 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
2571 p += 4;
2572
2573 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
2574 p += 2;
2575
2576 if (session->ticket != NULL && session->ticket_len > 0) {
2577 memcpy(p, session->ticket, session->ticket_len);
2578 p += session->ticket_len;
2579 }
2580 }
2581 #endif /* MBEDTLS_SSL_CLI_C */
2582 return 0;
2583 }
2584
2585 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)2586 static int ssl_tls13_session_load(mbedtls_ssl_session *session,
2587 const unsigned char *buf,
2588 size_t len)
2589 {
2590 const unsigned char *p = buf;
2591 const unsigned char *end = buf + len;
2592
2593 if (end - p < 9) {
2594 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2595 }
2596 session->endpoint = p[0];
2597 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 1);
2598 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 3);
2599 session->ticket_flags = p[7];
2600
2601 /* load resumption_key */
2602 session->resumption_key_len = p[8];
2603 p += 9;
2604
2605 if (end - p < session->resumption_key_len) {
2606 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2607 }
2608
2609 if (sizeof(session->resumption_key) < session->resumption_key_len) {
2610 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2611 }
2612 memcpy(session->resumption_key, p, session->resumption_key_len);
2613 p += session->resumption_key_len;
2614
2615 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
2616 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
2617 if (end - p < 8) {
2618 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2619 }
2620 session->start = MBEDTLS_GET_UINT64_BE(p, 0);
2621 p += 8;
2622 }
2623 #endif /* MBEDTLS_HAVE_TIME */
2624
2625 #if defined(MBEDTLS_SSL_CLI_C)
2626 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
2627 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
2628 defined(MBEDTLS_SSL_SESSION_TICKETS)
2629 size_t hostname_len;
2630 /* load host name */
2631 if (end - p < 2) {
2632 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2633 }
2634 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
2635 p += 2;
2636
2637 if (end - p < (long int) hostname_len) {
2638 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2639 }
2640 if (hostname_len > 0) {
2641 session->hostname = mbedtls_calloc(1, hostname_len);
2642 if (session->hostname == NULL) {
2643 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2644 }
2645 memcpy(session->hostname, p, hostname_len);
2646 p += hostname_len;
2647 }
2648 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION &&
2649 MBEDTLS_SSL_SESSION_TICKETS */
2650
2651 #if defined(MBEDTLS_HAVE_TIME)
2652 if (end - p < 8) {
2653 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2654 }
2655 session->ticket_received = MBEDTLS_GET_UINT64_BE(p, 0);
2656 p += 8;
2657 #endif
2658 if (end - p < 4) {
2659 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2660 }
2661 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
2662 p += 4;
2663
2664 if (end - p < 2) {
2665 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2666 }
2667 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
2668 p += 2;
2669
2670 if (end - p < (long int) session->ticket_len) {
2671 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2672 }
2673 if (session->ticket_len > 0) {
2674 session->ticket = mbedtls_calloc(1, session->ticket_len);
2675 if (session->ticket == NULL) {
2676 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2677 }
2678 memcpy(session->ticket, p, session->ticket_len);
2679 p += session->ticket_len;
2680 }
2681 }
2682 #endif /* MBEDTLS_SSL_CLI_C */
2683
2684 return 0;
2685
2686 }
2687 #else /* MBEDTLS_SSL_SESSION_TICKETS */
2688 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)2689 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
2690 unsigned char *buf,
2691 size_t buf_len,
2692 size_t *olen)
2693 {
2694 ((void) session);
2695 ((void) buf);
2696 ((void) buf_len);
2697 *olen = 0;
2698 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2699 }
2700
ssl_tls13_session_load(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len)2701 static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
2702 unsigned char *buf,
2703 size_t buf_len)
2704 {
2705 ((void) session);
2706 ((void) buf);
2707 ((void) buf_len);
2708 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2709 }
2710 #endif /* !MBEDTLS_SSL_SESSION_TICKETS */
2711 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2712
mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,size_t taglen,psa_algorithm_t * alg,psa_key_type_t * key_type,size_t * key_size)2713 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2714 size_t taglen,
2715 psa_algorithm_t *alg,
2716 psa_key_type_t *key_type,
2717 size_t *key_size)
2718 {
2719 switch (mbedtls_cipher_type) {
2720 case MBEDTLS_CIPHER_AES_128_CBC:
2721 *alg = PSA_ALG_CBC_NO_PADDING;
2722 *key_type = PSA_KEY_TYPE_AES;
2723 *key_size = 128;
2724 break;
2725 case MBEDTLS_CIPHER_AES_128_CCM:
2726 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2727 *key_type = PSA_KEY_TYPE_AES;
2728 *key_size = 128;
2729 break;
2730 case MBEDTLS_CIPHER_AES_128_GCM:
2731 *alg = PSA_ALG_GCM;
2732 *key_type = PSA_KEY_TYPE_AES;
2733 *key_size = 128;
2734 break;
2735 case MBEDTLS_CIPHER_AES_192_CCM:
2736 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2737 *key_type = PSA_KEY_TYPE_AES;
2738 *key_size = 192;
2739 break;
2740 case MBEDTLS_CIPHER_AES_192_GCM:
2741 *alg = PSA_ALG_GCM;
2742 *key_type = PSA_KEY_TYPE_AES;
2743 *key_size = 192;
2744 break;
2745 case MBEDTLS_CIPHER_AES_256_CBC:
2746 *alg = PSA_ALG_CBC_NO_PADDING;
2747 *key_type = PSA_KEY_TYPE_AES;
2748 *key_size = 256;
2749 break;
2750 case MBEDTLS_CIPHER_AES_256_CCM:
2751 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2752 *key_type = PSA_KEY_TYPE_AES;
2753 *key_size = 256;
2754 break;
2755 case MBEDTLS_CIPHER_AES_256_GCM:
2756 *alg = PSA_ALG_GCM;
2757 *key_type = PSA_KEY_TYPE_AES;
2758 *key_size = 256;
2759 break;
2760 case MBEDTLS_CIPHER_ARIA_128_CBC:
2761 *alg = PSA_ALG_CBC_NO_PADDING;
2762 *key_type = PSA_KEY_TYPE_ARIA;
2763 *key_size = 128;
2764 break;
2765 case MBEDTLS_CIPHER_ARIA_128_CCM:
2766 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2767 *key_type = PSA_KEY_TYPE_ARIA;
2768 *key_size = 128;
2769 break;
2770 case MBEDTLS_CIPHER_ARIA_128_GCM:
2771 *alg = PSA_ALG_GCM;
2772 *key_type = PSA_KEY_TYPE_ARIA;
2773 *key_size = 128;
2774 break;
2775 case MBEDTLS_CIPHER_ARIA_192_CCM:
2776 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2777 *key_type = PSA_KEY_TYPE_ARIA;
2778 *key_size = 192;
2779 break;
2780 case MBEDTLS_CIPHER_ARIA_192_GCM:
2781 *alg = PSA_ALG_GCM;
2782 *key_type = PSA_KEY_TYPE_ARIA;
2783 *key_size = 192;
2784 break;
2785 case MBEDTLS_CIPHER_ARIA_256_CBC:
2786 *alg = PSA_ALG_CBC_NO_PADDING;
2787 *key_type = PSA_KEY_TYPE_ARIA;
2788 *key_size = 256;
2789 break;
2790 case MBEDTLS_CIPHER_ARIA_256_CCM:
2791 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2792 *key_type = PSA_KEY_TYPE_ARIA;
2793 *key_size = 256;
2794 break;
2795 case MBEDTLS_CIPHER_ARIA_256_GCM:
2796 *alg = PSA_ALG_GCM;
2797 *key_type = PSA_KEY_TYPE_ARIA;
2798 *key_size = 256;
2799 break;
2800 case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
2801 *alg = PSA_ALG_CBC_NO_PADDING;
2802 *key_type = PSA_KEY_TYPE_CAMELLIA;
2803 *key_size = 128;
2804 break;
2805 case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
2806 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2807 *key_type = PSA_KEY_TYPE_CAMELLIA;
2808 *key_size = 128;
2809 break;
2810 case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
2811 *alg = PSA_ALG_GCM;
2812 *key_type = PSA_KEY_TYPE_CAMELLIA;
2813 *key_size = 128;
2814 break;
2815 case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
2816 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2817 *key_type = PSA_KEY_TYPE_CAMELLIA;
2818 *key_size = 192;
2819 break;
2820 case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
2821 *alg = PSA_ALG_GCM;
2822 *key_type = PSA_KEY_TYPE_CAMELLIA;
2823 *key_size = 192;
2824 break;
2825 case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
2826 *alg = PSA_ALG_CBC_NO_PADDING;
2827 *key_type = PSA_KEY_TYPE_CAMELLIA;
2828 *key_size = 256;
2829 break;
2830 case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
2831 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2832 *key_type = PSA_KEY_TYPE_CAMELLIA;
2833 *key_size = 256;
2834 break;
2835 case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
2836 *alg = PSA_ALG_GCM;
2837 *key_type = PSA_KEY_TYPE_CAMELLIA;
2838 *key_size = 256;
2839 break;
2840 case MBEDTLS_CIPHER_CHACHA20_POLY1305:
2841 *alg = PSA_ALG_CHACHA20_POLY1305;
2842 *key_type = PSA_KEY_TYPE_CHACHA20;
2843 *key_size = 256;
2844 break;
2845 case MBEDTLS_CIPHER_NULL:
2846 *alg = MBEDTLS_SSL_NULL_CIPHER;
2847 *key_type = 0;
2848 *key_size = 0;
2849 break;
2850 default:
2851 return PSA_ERROR_NOT_SUPPORTED;
2852 }
2853
2854 return PSA_SUCCESS;
2855 }
2856 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2857
2858 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config * conf,const unsigned char * dhm_P,size_t P_len,const unsigned char * dhm_G,size_t G_len)2859 int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
2860 const unsigned char *dhm_P, size_t P_len,
2861 const unsigned char *dhm_G, size_t G_len)
2862 {
2863 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2864
2865 mbedtls_mpi_free(&conf->dhm_P);
2866 mbedtls_mpi_free(&conf->dhm_G);
2867
2868 if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
2869 (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
2870 mbedtls_mpi_free(&conf->dhm_P);
2871 mbedtls_mpi_free(&conf->dhm_G);
2872 return ret;
2873 }
2874
2875 return 0;
2876 }
2877
mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config * conf,mbedtls_dhm_context * dhm_ctx)2878 int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx)
2879 {
2880 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2881
2882 mbedtls_mpi_free(&conf->dhm_P);
2883 mbedtls_mpi_free(&conf->dhm_G);
2884
2885 if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P,
2886 &conf->dhm_P)) != 0 ||
2887 (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G,
2888 &conf->dhm_G)) != 0) {
2889 mbedtls_mpi_free(&conf->dhm_P);
2890 mbedtls_mpi_free(&conf->dhm_G);
2891 return ret;
2892 }
2893
2894 return 0;
2895 }
2896 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
2897
2898 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
2899 /*
2900 * Set the minimum length for Diffie-Hellman parameters
2901 */
mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config * conf,unsigned int bitlen)2902 void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
2903 unsigned int bitlen)
2904 {
2905 conf->dhm_min_bitlen = bitlen;
2906 }
2907 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
2908
2909 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2910 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
2911 /*
2912 * Set allowed/preferred hashes for handshake signatures
2913 */
mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config * conf,const int * hashes)2914 void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
2915 const int *hashes)
2916 {
2917 conf->sig_hashes = hashes;
2918 }
2919 #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
2920
2921 /* Configure allowed signature algorithms for handshake */
mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config * conf,const uint16_t * sig_algs)2922 void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
2923 const uint16_t *sig_algs)
2924 {
2925 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2926 conf->sig_hashes = NULL;
2927 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
2928 conf->sig_algs = sig_algs;
2929 }
2930 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2931
2932 #if defined(MBEDTLS_ECP_C)
2933 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2934 /*
2935 * Set the allowed elliptic curves
2936 *
2937 * mbedtls_ssl_setup() takes the provided list
2938 * and translates it to a list of IANA TLS group identifiers,
2939 * stored in ssl->handshake->group_list.
2940 *
2941 */
mbedtls_ssl_conf_curves(mbedtls_ssl_config * conf,const mbedtls_ecp_group_id * curve_list)2942 void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
2943 const mbedtls_ecp_group_id *curve_list)
2944 {
2945 conf->curve_list = curve_list;
2946 conf->group_list = NULL;
2947 }
2948 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2949 #endif /* MBEDTLS_ECP_C */
2950
2951 /*
2952 * Set the allowed groups
2953 */
mbedtls_ssl_conf_groups(mbedtls_ssl_config * conf,const uint16_t * group_list)2954 void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
2955 const uint16_t *group_list)
2956 {
2957 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
2958 conf->curve_list = NULL;
2959 #endif
2960 conf->group_list = group_list;
2961 }
2962
2963 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_hostname(mbedtls_ssl_context * ssl,const char * hostname)2964 int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
2965 {
2966 /* Initialize to suppress unnecessary compiler warning */
2967 size_t hostname_len = 0;
2968
2969 /* Check if new hostname is valid before
2970 * making any change to current one */
2971 if (hostname != NULL) {
2972 hostname_len = strlen(hostname);
2973
2974 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
2975 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2976 }
2977 }
2978
2979 /* Now it's clear that we will overwrite the old hostname,
2980 * so we can free it safely */
2981
2982 if (ssl->hostname != NULL) {
2983 mbedtls_platform_zeroize(ssl->hostname, strlen(ssl->hostname));
2984 mbedtls_free(ssl->hostname);
2985 }
2986
2987 /* Passing NULL as hostname shall clear the old one */
2988
2989 if (hostname == NULL) {
2990 ssl->hostname = NULL;
2991 } else {
2992 ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
2993 if (ssl->hostname == NULL) {
2994 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2995 }
2996
2997 memcpy(ssl->hostname, hostname, hostname_len);
2998
2999 ssl->hostname[hostname_len] = '\0';
3000 }
3001
3002 return 0;
3003 }
3004 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3005
3006 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_conf_sni(mbedtls_ssl_config * conf,int (* f_sni)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_sni)3007 void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
3008 int (*f_sni)(void *, mbedtls_ssl_context *,
3009 const unsigned char *, size_t),
3010 void *p_sni)
3011 {
3012 conf->f_sni = f_sni;
3013 conf->p_sni = p_sni;
3014 }
3015 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3016
3017 #if defined(MBEDTLS_SSL_ALPN)
mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config * conf,const char ** protos)3018 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
3019 {
3020 size_t cur_len, tot_len;
3021 const char **p;
3022
3023 /*
3024 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
3025 * MUST NOT be truncated."
3026 * We check lengths now rather than later.
3027 */
3028 tot_len = 0;
3029 for (p = protos; *p != NULL; p++) {
3030 cur_len = strlen(*p);
3031 tot_len += cur_len;
3032
3033 if ((cur_len == 0) ||
3034 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
3035 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
3036 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3037 }
3038 }
3039
3040 conf->alpn_list = protos;
3041
3042 return 0;
3043 }
3044
mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context * ssl)3045 const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
3046 {
3047 return ssl->alpn_chosen;
3048 }
3049 #endif /* MBEDTLS_SSL_ALPN */
3050
3051 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config * conf,int support_mki_value)3052 void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
3053 int support_mki_value)
3054 {
3055 conf->dtls_srtp_mki_support = support_mki_value;
3056 }
3057
mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context * ssl,unsigned char * mki_value,uint16_t mki_len)3058 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
3059 unsigned char *mki_value,
3060 uint16_t mki_len)
3061 {
3062 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
3063 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3064 }
3065
3066 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
3067 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3068 }
3069
3070 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
3071 ssl->dtls_srtp_info.mki_len = mki_len;
3072 return 0;
3073 }
3074
mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config * conf,const mbedtls_ssl_srtp_profile * profiles)3075 int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
3076 const mbedtls_ssl_srtp_profile *profiles)
3077 {
3078 const mbedtls_ssl_srtp_profile *p;
3079 size_t list_size = 0;
3080
3081 /* check the profiles list: all entry must be valid,
3082 * its size cannot be more than the total number of supported profiles, currently 4 */
3083 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
3084 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
3085 p++) {
3086 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
3087 list_size++;
3088 } else {
3089 /* unsupported value, stop parsing and set the size to an error value */
3090 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
3091 }
3092 }
3093
3094 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
3095 conf->dtls_srtp_profile_list = NULL;
3096 conf->dtls_srtp_profile_list_len = 0;
3097 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3098 }
3099
3100 conf->dtls_srtp_profile_list = profiles;
3101 conf->dtls_srtp_profile_list_len = list_size;
3102
3103 return 0;
3104 }
3105
mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context * ssl,mbedtls_dtls_srtp_info * dtls_srtp_info)3106 void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
3107 mbedtls_dtls_srtp_info *dtls_srtp_info)
3108 {
3109 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
3110 /* do not copy the mki value if there is no chosen profile */
3111 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
3112 dtls_srtp_info->mki_len = 0;
3113 } else {
3114 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
3115 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
3116 ssl->dtls_srtp_info.mki_len);
3117 }
3118 }
3119 #endif /* MBEDTLS_SSL_DTLS_SRTP */
3120
3121 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_ssl_conf_max_version(mbedtls_ssl_config * conf,int major,int minor)3122 void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
3123 {
3124 conf->max_tls_version = (major << 8) | minor;
3125 }
3126
mbedtls_ssl_conf_min_version(mbedtls_ssl_config * conf,int major,int minor)3127 void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
3128 {
3129 conf->min_tls_version = (major << 8) | minor;
3130 }
3131 #endif /* MBEDTLS_DEPRECATED_REMOVED */
3132
3133 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config * conf,char cert_req_ca_list)3134 void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
3135 char cert_req_ca_list)
3136 {
3137 conf->cert_req_ca_list = cert_req_ca_list;
3138 }
3139 #endif
3140
3141 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config * conf,char etm)3142 void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
3143 {
3144 conf->encrypt_then_mac = etm;
3145 }
3146 #endif
3147
3148 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config * conf,char ems)3149 void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
3150 {
3151 conf->extended_ms = ems;
3152 }
3153 #endif
3154
3155 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config * conf,unsigned char mfl_code)3156 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
3157 {
3158 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
3159 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
3160 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3161 }
3162
3163 conf->mfl_code = mfl_code;
3164
3165 return 0;
3166 }
3167 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3168
mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config * conf,int allow_legacy)3169 void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
3170 {
3171 conf->allow_legacy_renegotiation = allow_legacy;
3172 }
3173
3174 #if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config * conf,int renegotiation)3175 void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
3176 {
3177 conf->disable_renegotiation = renegotiation;
3178 }
3179
mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config * conf,int max_records)3180 void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
3181 {
3182 conf->renego_max_records = max_records;
3183 }
3184
mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config * conf,const unsigned char period[8])3185 void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
3186 const unsigned char period[8])
3187 {
3188 memcpy(conf->renego_period, period, 8);
3189 }
3190 #endif /* MBEDTLS_SSL_RENEGOTIATION */
3191
3192 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3193 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config * conf,int use_tickets)3194 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
3195 {
3196 conf->session_tickets = use_tickets;
3197 }
3198 #endif
3199
3200 #if defined(MBEDTLS_SSL_SRV_C)
3201
3202 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config * conf,uint16_t num_tickets)3203 void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
3204 uint16_t num_tickets)
3205 {
3206 conf->new_session_tickets_count = num_tickets;
3207 }
3208 #endif
3209
mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config * conf,mbedtls_ssl_ticket_write_t * f_ticket_write,mbedtls_ssl_ticket_parse_t * f_ticket_parse,void * p_ticket)3210 void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
3211 mbedtls_ssl_ticket_write_t *f_ticket_write,
3212 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
3213 void *p_ticket)
3214 {
3215 conf->f_ticket_write = f_ticket_write;
3216 conf->f_ticket_parse = f_ticket_parse;
3217 conf->p_ticket = p_ticket;
3218 }
3219 #endif
3220 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3221
mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context * ssl,mbedtls_ssl_export_keys_t * f_export_keys,void * p_export_keys)3222 void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
3223 mbedtls_ssl_export_keys_t *f_export_keys,
3224 void *p_export_keys)
3225 {
3226 ssl->f_export_keys = f_export_keys;
3227 ssl->p_export_keys = p_export_keys;
3228 }
3229
3230 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
mbedtls_ssl_conf_async_private_cb(mbedtls_ssl_config * conf,mbedtls_ssl_async_sign_t * f_async_sign,mbedtls_ssl_async_decrypt_t * f_async_decrypt,mbedtls_ssl_async_resume_t * f_async_resume,mbedtls_ssl_async_cancel_t * f_async_cancel,void * async_config_data)3231 void mbedtls_ssl_conf_async_private_cb(
3232 mbedtls_ssl_config *conf,
3233 mbedtls_ssl_async_sign_t *f_async_sign,
3234 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
3235 mbedtls_ssl_async_resume_t *f_async_resume,
3236 mbedtls_ssl_async_cancel_t *f_async_cancel,
3237 void *async_config_data)
3238 {
3239 conf->f_async_sign_start = f_async_sign;
3240 conf->f_async_decrypt_start = f_async_decrypt;
3241 conf->f_async_resume = f_async_resume;
3242 conf->f_async_cancel = f_async_cancel;
3243 conf->p_async_config_data = async_config_data;
3244 }
3245
mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config * conf)3246 void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
3247 {
3248 return conf->p_async_config_data;
3249 }
3250
mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context * ssl)3251 void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
3252 {
3253 if (ssl->handshake == NULL) {
3254 return NULL;
3255 } else {
3256 return ssl->handshake->user_async_ctx;
3257 }
3258 }
3259
mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context * ssl,void * ctx)3260 void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
3261 void *ctx)
3262 {
3263 if (ssl->handshake != NULL) {
3264 ssl->handshake->user_async_ctx = ctx;
3265 }
3266 }
3267 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3268
3269 /*
3270 * SSL get accessors
3271 */
mbedtls_ssl_get_verify_result(const mbedtls_ssl_context * ssl)3272 uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
3273 {
3274 if (ssl->session != NULL) {
3275 return ssl->session->verify_result;
3276 }
3277
3278 if (ssl->session_negotiate != NULL) {
3279 return ssl->session_negotiate->verify_result;
3280 }
3281
3282 return 0xFFFFFFFF;
3283 }
3284
mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context * ssl)3285 int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
3286 {
3287 if (ssl == NULL || ssl->session == NULL) {
3288 return 0;
3289 }
3290
3291 return ssl->session->ciphersuite;
3292 }
3293
mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context * ssl)3294 const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
3295 {
3296 if (ssl == NULL || ssl->session == NULL) {
3297 return NULL;
3298 }
3299
3300 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
3301 }
3302
mbedtls_ssl_get_version(const mbedtls_ssl_context * ssl)3303 const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
3304 {
3305 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3306 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3307 switch (ssl->tls_version) {
3308 case MBEDTLS_SSL_VERSION_TLS1_2:
3309 return "DTLSv1.2";
3310 default:
3311 return "unknown (DTLS)";
3312 }
3313 }
3314 #endif
3315
3316 switch (ssl->tls_version) {
3317 case MBEDTLS_SSL_VERSION_TLS1_2:
3318 return "TLSv1.2";
3319 case MBEDTLS_SSL_VERSION_TLS1_3:
3320 return "TLSv1.3";
3321 default:
3322 return "unknown";
3323 }
3324 }
3325
3326 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context * ssl)3327 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
3328 {
3329 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3330 size_t read_mfl;
3331
3332 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3333 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
3334 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3335 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
3336 return ssl_mfl_code_to_length(ssl->conf->mfl_code);
3337 }
3338 #endif
3339
3340 /* Check if a smaller max length was negotiated */
3341 if (ssl->session_out != NULL) {
3342 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3343 if (read_mfl < max_len) {
3344 max_len = read_mfl;
3345 }
3346 }
3347
3348 /* During a handshake, use the value being negotiated */
3349 if (ssl->session_negotiate != NULL) {
3350 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3351 if (read_mfl < max_len) {
3352 max_len = read_mfl;
3353 }
3354 }
3355
3356 return max_len;
3357 }
3358
mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context * ssl)3359 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
3360 {
3361 size_t max_len;
3362
3363 /*
3364 * Assume mfl_code is correct since it was checked when set
3365 */
3366 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
3367
3368 /* Check if a smaller max length was negotiated */
3369 if (ssl->session_out != NULL &&
3370 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
3371 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3372 }
3373
3374 /* During a handshake, use the value being negotiated */
3375 if (ssl->session_negotiate != NULL &&
3376 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
3377 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3378 }
3379
3380 return max_len;
3381 }
3382 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3383
3384 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context * ssl)3385 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
3386 {
3387 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
3388 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3389 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
3390 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) {
3391 return 0;
3392 }
3393
3394 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
3395 return ssl->mtu;
3396 }
3397
3398 if (ssl->mtu == 0) {
3399 return ssl->handshake->mtu;
3400 }
3401
3402 return ssl->mtu < ssl->handshake->mtu ?
3403 ssl->mtu : ssl->handshake->mtu;
3404 }
3405 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3406
mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context * ssl)3407 int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
3408 {
3409 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3410
3411 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3412 !defined(MBEDTLS_SSL_PROTO_DTLS)
3413 (void) ssl;
3414 #endif
3415
3416 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3417 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
3418
3419 if (max_len > mfl) {
3420 max_len = mfl;
3421 }
3422 #endif
3423
3424 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3425 if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
3426 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
3427 const int ret = mbedtls_ssl_get_record_expansion(ssl);
3428 const size_t overhead = (size_t) ret;
3429
3430 if (ret < 0) {
3431 return ret;
3432 }
3433
3434 if (mtu <= overhead) {
3435 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
3436 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3437 }
3438
3439 if (max_len > mtu - overhead) {
3440 max_len = mtu - overhead;
3441 }
3442 }
3443 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3444
3445 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3446 !defined(MBEDTLS_SSL_PROTO_DTLS)
3447 ((void) ssl);
3448 #endif
3449
3450 return (int) max_len;
3451 }
3452
mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context * ssl)3453 int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
3454 {
3455 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3456
3457 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3458 (void) ssl;
3459 #endif
3460
3461 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3462 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
3463
3464 if (max_len > mfl) {
3465 max_len = mfl;
3466 }
3467 #endif
3468
3469 return (int) max_len;
3470 }
3471
3472 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context * ssl)3473 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
3474 {
3475 if (ssl == NULL || ssl->session == NULL) {
3476 return NULL;
3477 }
3478
3479 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3480 return ssl->session->peer_cert;
3481 #else
3482 return NULL;
3483 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3484 }
3485 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3486
3487 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_get_session(const mbedtls_ssl_context * ssl,mbedtls_ssl_session * dst)3488 int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
3489 mbedtls_ssl_session *dst)
3490 {
3491 int ret;
3492
3493 if (ssl == NULL ||
3494 dst == NULL ||
3495 ssl->session == NULL ||
3496 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
3497 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3498 }
3499
3500 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
3501 * idempotent: Each session can only be exported once.
3502 *
3503 * (This is in preparation for TLS 1.3 support where we will
3504 * need the ability to export multiple sessions (aka tickets),
3505 * which will be achieved by calling mbedtls_ssl_get_session()
3506 * multiple times until it fails.)
3507 *
3508 * Check whether we have already exported the current session,
3509 * and fail if so.
3510 */
3511 if (ssl->session->exported == 1) {
3512 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3513 }
3514
3515 ret = mbedtls_ssl_session_copy(dst, ssl->session);
3516 if (ret != 0) {
3517 return ret;
3518 }
3519
3520 /* Remember that we've exported the session. */
3521 ssl->session->exported = 1;
3522 return 0;
3523 }
3524 #endif /* MBEDTLS_SSL_CLI_C */
3525
3526 /*
3527 * Define ticket header determining Mbed TLS version
3528 * and structure of the ticket.
3529 */
3530
3531 /*
3532 * Define bitflag determining compile-time settings influencing
3533 * structure of serialized SSL sessions.
3534 */
3535
3536 #if defined(MBEDTLS_HAVE_TIME)
3537 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
3538 #else
3539 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
3540 #endif /* MBEDTLS_HAVE_TIME */
3541
3542 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3543 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
3544 #else
3545 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
3546 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3547
3548 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
3549 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
3550 #else
3551 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
3552 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
3553
3554 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3555 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
3556 #else
3557 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
3558 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3559
3560 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3561 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
3562 #else
3563 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
3564 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
3565
3566 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3567 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
3568 #else
3569 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
3570 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3571
3572 #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
3573 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
3574 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
3575 #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
3576 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
3577 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
3578
3579 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
3580 ((uint16_t) ( \
3581 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
3582 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
3583 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
3584 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
3585 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
3586 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
3587 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT)))
3588
3589 static unsigned char ssl_serialized_session_header[] = {
3590 MBEDTLS_VERSION_MAJOR,
3591 MBEDTLS_VERSION_MINOR,
3592 MBEDTLS_VERSION_PATCH,
3593 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
3594 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
3595 };
3596
3597 /*
3598 * Serialize a session in the following format:
3599 * (in the presentation language of TLS, RFC 8446 section 3)
3600 *
3601 * struct {
3602 *
3603 * opaque mbedtls_version[3]; // library version: major, minor, patch
3604 * opaque session_format[2]; // library-version specific 16-bit field
3605 * // determining the format of the remaining
3606 * // serialized data.
3607 *
3608 * Note: When updating the format, remember to keep
3609 * these version+format bytes.
3610 *
3611 * // In this version, `session_format` determines
3612 * // the setting of those compile-time
3613 * // configuration options which influence
3614 * // the structure of mbedtls_ssl_session.
3615 *
3616 * uint8_t minor_ver; // Protocol minor version. Possible values:
3617 * // - TLS 1.2 (0x0303)
3618 * // - TLS 1.3 (0x0304)
3619 *
3620 * select (serialized_session.tls_version) {
3621 *
3622 * case MBEDTLS_SSL_VERSION_TLS1_2:
3623 * serialized_session_tls12 data;
3624 * case MBEDTLS_SSL_VERSION_TLS1_3:
3625 * serialized_session_tls13 data;
3626 *
3627 * };
3628 *
3629 * } serialized_session;
3630 *
3631 */
3632
3633 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_save(const mbedtls_ssl_session * session,unsigned char omit_header,unsigned char * buf,size_t buf_len,size_t * olen)3634 static int ssl_session_save(const mbedtls_ssl_session *session,
3635 unsigned char omit_header,
3636 unsigned char *buf,
3637 size_t buf_len,
3638 size_t *olen)
3639 {
3640 unsigned char *p = buf;
3641 size_t used = 0;
3642 size_t remaining_len;
3643 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3644 size_t out_len;
3645 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3646 #endif
3647 if (session == NULL) {
3648 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3649 }
3650
3651 if (!omit_header) {
3652 /*
3653 * Add Mbed TLS version identifier
3654 */
3655 used += sizeof(ssl_serialized_session_header);
3656
3657 if (used <= buf_len) {
3658 memcpy(p, ssl_serialized_session_header,
3659 sizeof(ssl_serialized_session_header));
3660 p += sizeof(ssl_serialized_session_header);
3661 }
3662 }
3663
3664 /*
3665 * TLS version identifier
3666 */
3667 used += 1;
3668 if (used <= buf_len) {
3669 *p++ = MBEDTLS_BYTE_0(session->tls_version);
3670 }
3671
3672 /* Forward to version-specific serialization routine. */
3673 remaining_len = (buf_len >= used) ? buf_len - used : 0;
3674 switch (session->tls_version) {
3675 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3676 case MBEDTLS_SSL_VERSION_TLS1_2:
3677 used += ssl_tls12_session_save(session, p, remaining_len);
3678 break;
3679 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3680
3681 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3682 case MBEDTLS_SSL_VERSION_TLS1_3:
3683 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
3684 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
3685 return ret;
3686 }
3687 used += out_len;
3688 break;
3689 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3690
3691 default:
3692 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3693 }
3694
3695 *olen = used;
3696 if (used > buf_len) {
3697 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3698 }
3699
3700 return 0;
3701 }
3702
3703 /*
3704 * Public wrapper for ssl_session_save()
3705 */
mbedtls_ssl_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)3706 int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
3707 unsigned char *buf,
3708 size_t buf_len,
3709 size_t *olen)
3710 {
3711 return ssl_session_save(session, 0, buf, buf_len, olen);
3712 }
3713
3714 /*
3715 * Deserialize session, see mbedtls_ssl_session_save() for format.
3716 *
3717 * This internal version is wrapped by a public function that cleans up in
3718 * case of error, and has an extra option omit_header.
3719 */
3720 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_load(mbedtls_ssl_session * session,unsigned char omit_header,const unsigned char * buf,size_t len)3721 static int ssl_session_load(mbedtls_ssl_session *session,
3722 unsigned char omit_header,
3723 const unsigned char *buf,
3724 size_t len)
3725 {
3726 const unsigned char *p = buf;
3727 const unsigned char * const end = buf + len;
3728 size_t remaining_len;
3729
3730
3731 if (session == NULL) {
3732 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
3733 }
3734
3735 if (!omit_header) {
3736 /*
3737 * Check Mbed TLS version identifier
3738 */
3739
3740 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
3741 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3742 }
3743
3744 if (memcmp(p, ssl_serialized_session_header,
3745 sizeof(ssl_serialized_session_header)) != 0) {
3746 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
3747 }
3748 p += sizeof(ssl_serialized_session_header);
3749 }
3750
3751 /*
3752 * TLS version identifier
3753 */
3754 if (1 > (size_t) (end - p)) {
3755 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3756 }
3757 session->tls_version = 0x0300 | *p++;
3758
3759 /* Dispatch according to TLS version. */
3760 remaining_len = (end - p);
3761 switch (session->tls_version) {
3762 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3763 case MBEDTLS_SSL_VERSION_TLS1_2:
3764 return ssl_tls12_session_load(session, p, remaining_len);
3765 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3766
3767 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3768 case MBEDTLS_SSL_VERSION_TLS1_3:
3769 return ssl_tls13_session_load(session, p, remaining_len);
3770 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3771
3772 default:
3773 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3774 }
3775 }
3776
3777 /*
3778 * Deserialize session: public wrapper for error cleaning
3779 */
mbedtls_ssl_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)3780 int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
3781 const unsigned char *buf,
3782 size_t len)
3783 {
3784 int ret = ssl_session_load(session, 0, buf, len);
3785
3786 if (ret != 0) {
3787 mbedtls_ssl_session_free(session);
3788 }
3789
3790 return ret;
3791 }
3792
3793 /*
3794 * Perform a single step of the SSL handshake
3795 */
3796 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_prepare_handshake_step(mbedtls_ssl_context * ssl)3797 static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
3798 {
3799 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3800
3801 /*
3802 * We may have not been able to send to the peer all the handshake data
3803 * that were written into the output buffer by the previous handshake step,
3804 * if the write to the network callback returned with the
3805 * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
3806 * We proceed to the next handshake step only when all data from the
3807 * previous one have been sent to the peer, thus we make sure that this is
3808 * the case here by calling `mbedtls_ssl_flush_output()`. The function may
3809 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
3810 * we have to wait before to go ahead.
3811 * In the case of TLS 1.3, handshake step handlers do not send data to the
3812 * peer. Data are only sent here and through
3813 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
3814 * alert occurred.
3815 */
3816 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
3817 return ret;
3818 }
3819
3820 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3821 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3822 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
3823 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
3824 return ret;
3825 }
3826 }
3827 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3828
3829 return ret;
3830 }
3831
mbedtls_ssl_handshake_step(mbedtls_ssl_context * ssl)3832 int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
3833 {
3834 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3835
3836 if (ssl == NULL ||
3837 ssl->conf == NULL ||
3838 ssl->handshake == NULL ||
3839 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
3840 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3841 }
3842
3843 ret = ssl_prepare_handshake_step(ssl);
3844 if (ret != 0) {
3845 return ret;
3846 }
3847
3848 ret = mbedtls_ssl_handle_pending_alert(ssl);
3849 if (ret != 0) {
3850 goto cleanup;
3851 }
3852
3853 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
3854 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
3855 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3856
3857 #if defined(MBEDTLS_SSL_CLI_C)
3858 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3859 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
3860 mbedtls_ssl_states_str(ssl->state)));
3861
3862 switch (ssl->state) {
3863 case MBEDTLS_SSL_HELLO_REQUEST:
3864 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
3865 ret = 0;
3866 break;
3867
3868 case MBEDTLS_SSL_CLIENT_HELLO:
3869 ret = mbedtls_ssl_write_client_hello(ssl);
3870 break;
3871
3872 default:
3873 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
3874 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
3875 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
3876 } else {
3877 ret = mbedtls_ssl_handshake_client_step(ssl);
3878 }
3879 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
3880 ret = mbedtls_ssl_handshake_client_step(ssl);
3881 #else
3882 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
3883 #endif
3884 }
3885 }
3886 #endif
3887 #if defined(MBEDTLS_SSL_SRV_C)
3888 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
3889 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3890 if (mbedtls_ssl_conf_is_tls13_only(ssl->conf)) {
3891 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
3892 }
3893 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3894
3895 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3896 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf)) {
3897 ret = mbedtls_ssl_handshake_server_step(ssl);
3898 }
3899 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3900 }
3901 #endif
3902
3903 if (ret != 0) {
3904 /* handshake_step return error. And it is same
3905 * with alert_reason.
3906 */
3907 if (ssl->send_alert) {
3908 ret = mbedtls_ssl_handle_pending_alert(ssl);
3909 goto cleanup;
3910 }
3911 }
3912
3913 cleanup:
3914 return ret;
3915 }
3916
3917 /*
3918 * Perform the SSL handshake
3919 */
mbedtls_ssl_handshake(mbedtls_ssl_context * ssl)3920 int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
3921 {
3922 int ret = 0;
3923
3924 /* Sanity checks */
3925
3926 if (ssl == NULL || ssl->conf == NULL) {
3927 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3928 }
3929
3930 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3931 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3932 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
3933 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
3934 "mbedtls_ssl_set_timer_cb() for DTLS"));
3935 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3936 }
3937 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3938
3939 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
3940
3941 /* Main handshake loop */
3942 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
3943 ret = mbedtls_ssl_handshake_step(ssl);
3944
3945 if (ret != 0) {
3946 break;
3947 }
3948 }
3949
3950 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
3951
3952 return ret;
3953 }
3954
3955 #if defined(MBEDTLS_SSL_RENEGOTIATION)
3956 #if defined(MBEDTLS_SSL_SRV_C)
3957 /*
3958 * Write HelloRequest to request renegotiation on server
3959 */
3960 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_hello_request(mbedtls_ssl_context * ssl)3961 static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
3962 {
3963 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3964
3965 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
3966
3967 ssl->out_msglen = 4;
3968 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3969 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
3970
3971 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
3972 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
3973 return ret;
3974 }
3975
3976 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
3977
3978 return 0;
3979 }
3980 #endif /* MBEDTLS_SSL_SRV_C */
3981
3982 /*
3983 * Actually renegotiate current connection, triggered by either:
3984 * - any side: calling mbedtls_ssl_renegotiate(),
3985 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
3986 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
3987 * the initial handshake is completed.
3988 * If the handshake doesn't complete due to waiting for I/O, it will continue
3989 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
3990 */
mbedtls_ssl_start_renegotiation(mbedtls_ssl_context * ssl)3991 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl)
3992 {
3993 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3994
3995 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
3996
3997 if ((ret = ssl_handshake_init(ssl)) != 0) {
3998 return ret;
3999 }
4000
4001 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
4002 * the ServerHello will have message_seq = 1" */
4003 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4004 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4005 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
4006 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4007 ssl->handshake->out_msg_seq = 1;
4008 } else {
4009 ssl->handshake->in_msg_seq = 1;
4010 }
4011 }
4012 #endif
4013
4014 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
4015 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
4016
4017 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4018 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4019 return ret;
4020 }
4021
4022 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
4023
4024 return 0;
4025 }
4026
4027 /*
4028 * Renegotiate current connection on client,
4029 * or request renegotiation on server
4030 */
mbedtls_ssl_renegotiate(mbedtls_ssl_context * ssl)4031 int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
4032 {
4033 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4034
4035 if (ssl == NULL || ssl->conf == NULL) {
4036 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4037 }
4038
4039 #if defined(MBEDTLS_SSL_SRV_C)
4040 /* On server, just send the request */
4041 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4042 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4043 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4044 }
4045
4046 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
4047
4048 /* Did we already try/start sending HelloRequest? */
4049 if (ssl->out_left != 0) {
4050 return mbedtls_ssl_flush_output(ssl);
4051 }
4052
4053 return ssl_write_hello_request(ssl);
4054 }
4055 #endif /* MBEDTLS_SSL_SRV_C */
4056
4057 #if defined(MBEDTLS_SSL_CLI_C)
4058 /*
4059 * On client, either start the renegotiation process or,
4060 * if already in progress, continue the handshake
4061 */
4062 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
4063 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4064 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4065 }
4066
4067 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
4068 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
4069 return ret;
4070 }
4071 } else {
4072 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4073 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4074 return ret;
4075 }
4076 }
4077 #endif /* MBEDTLS_SSL_CLI_C */
4078
4079 return ret;
4080 }
4081 #endif /* MBEDTLS_SSL_RENEGOTIATION */
4082
mbedtls_ssl_handshake_free(mbedtls_ssl_context * ssl)4083 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
4084 {
4085 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
4086
4087 if (handshake == NULL) {
4088 return;
4089 }
4090
4091 #if defined(MBEDTLS_ECP_C)
4092 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4093 if (ssl->handshake->group_list_heap_allocated) {
4094 mbedtls_free((void *) handshake->group_list);
4095 }
4096 handshake->group_list = NULL;
4097 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4098 #endif /* MBEDTLS_ECP_C */
4099
4100 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
4101 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4102 if (ssl->handshake->sig_algs_heap_allocated) {
4103 mbedtls_free((void *) handshake->sig_algs);
4104 }
4105 handshake->sig_algs = NULL;
4106 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4107 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4108 if (ssl->handshake->certificate_request_context) {
4109 mbedtls_free((void *) handshake->certificate_request_context);
4110 }
4111 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4112 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
4113
4114 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4115 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
4116 ssl->conf->f_async_cancel(ssl);
4117 handshake->async_in_progress = 0;
4118 }
4119 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4120
4121 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
4122 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4123 psa_hash_abort(&handshake->fin_sha256_psa);
4124 #else
4125 mbedtls_md_free(&handshake->fin_sha256);
4126 #endif
4127 #endif
4128 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
4129 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4130 psa_hash_abort(&handshake->fin_sha384_psa);
4131 #else
4132 mbedtls_md_free(&handshake->fin_sha384);
4133 #endif
4134 #endif
4135
4136 #if defined(MBEDTLS_DHM_C)
4137 mbedtls_dhm_free(&handshake->dhm_ctx);
4138 #endif
4139 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C)
4140 mbedtls_ecdh_free(&handshake->ecdh_ctx);
4141 #endif
4142
4143 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4144 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4145 psa_pake_abort(&handshake->psa_pake_ctx);
4146 /*
4147 * Opaque keys are not stored in the handshake's data and it's the user
4148 * responsibility to destroy them. Clear ones, instead, are created by
4149 * the TLS library and should be destroyed at the same level
4150 */
4151 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
4152 psa_destroy_key(handshake->psa_pake_password);
4153 }
4154 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
4155 #else
4156 mbedtls_ecjpake_free(&handshake->ecjpake_ctx);
4157 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4158 #if defined(MBEDTLS_SSL_CLI_C)
4159 mbedtls_free(handshake->ecjpake_cache);
4160 handshake->ecjpake_cache = NULL;
4161 handshake->ecjpake_cache_len = 0;
4162 #endif
4163 #endif
4164
4165 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
4166 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4167 /* explicit void pointer cast for buggy MS compiler */
4168 mbedtls_free((void *) handshake->curves_tls_id);
4169 #endif
4170
4171 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
4172 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4173 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
4174 /* The maintenance of the external PSK key slot is the
4175 * user's responsibility. */
4176 if (ssl->handshake->psk_opaque_is_internal) {
4177 psa_destroy_key(ssl->handshake->psk_opaque);
4178 ssl->handshake->psk_opaque_is_internal = 0;
4179 }
4180 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
4181 }
4182 #else
4183 if (handshake->psk != NULL) {
4184 mbedtls_platform_zeroize(handshake->psk, handshake->psk_len);
4185 mbedtls_free(handshake->psk);
4186 }
4187 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4188 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
4189
4190 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4191 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4192 /*
4193 * Free only the linked list wrapper, not the keys themselves
4194 * since the belong to the SNI callback
4195 */
4196 ssl_key_cert_free(handshake->sni_key_cert);
4197 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
4198
4199 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4200 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
4201 if (handshake->ecrs_peer_cert != NULL) {
4202 mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
4203 mbedtls_free(handshake->ecrs_peer_cert);
4204 }
4205 #endif
4206
4207 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4208 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4209 mbedtls_pk_free(&handshake->peer_pubkey);
4210 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4211
4212 #if defined(MBEDTLS_SSL_CLI_C) && \
4213 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
4214 mbedtls_free(handshake->cookie);
4215 #endif /* MBEDTLS_SSL_CLI_C &&
4216 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
4217
4218 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4219 mbedtls_ssl_flight_free(handshake->flight);
4220 mbedtls_ssl_buffering_free(ssl);
4221 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4222
4223 #if defined(MBEDTLS_ECDH_C) && \
4224 (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
4225 if (handshake->ecdh_psa_privkey_is_external == 0) {
4226 psa_destroy_key(handshake->ecdh_psa_privkey);
4227 }
4228 #endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
4229
4230 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4231 mbedtls_ssl_transform_free(handshake->transform_handshake);
4232 mbedtls_free(handshake->transform_handshake);
4233 #if defined(MBEDTLS_SSL_EARLY_DATA)
4234 mbedtls_ssl_transform_free(handshake->transform_earlydata);
4235 mbedtls_free(handshake->transform_earlydata);
4236 #endif
4237 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4238
4239
4240 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4241 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
4242 * processes datagrams and the fact that a datagram is allowed to have
4243 * several records in it, it is possible that the I/O buffers are not
4244 * empty at this stage */
4245 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
4246 mbedtls_ssl_get_output_buflen(ssl));
4247 #endif
4248
4249 /* mbedtls_platform_zeroize MUST be last one in this function */
4250 mbedtls_platform_zeroize(handshake,
4251 sizeof(mbedtls_ssl_handshake_params));
4252 }
4253
mbedtls_ssl_session_free(mbedtls_ssl_session * session)4254 void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
4255 {
4256 if (session == NULL) {
4257 return;
4258 }
4259
4260 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4261 ssl_clear_peer_cert(session);
4262 #endif
4263
4264 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4265 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
4266 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4267 mbedtls_free(session->hostname);
4268 #endif
4269 mbedtls_free(session->ticket);
4270 #endif
4271
4272 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
4273 }
4274
4275 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
4276
4277 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4278 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
4279 #else
4280 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
4281 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4282
4283 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
4284
4285 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4286 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
4287 #else
4288 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
4289 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4290
4291 #if defined(MBEDTLS_SSL_ALPN)
4292 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
4293 #else
4294 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
4295 #endif /* MBEDTLS_SSL_ALPN */
4296
4297 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
4298 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
4299 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
4300 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
4301
4302 #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
4303 ((uint32_t) ( \
4304 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
4305 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
4306 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
4307 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
4308 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
4309 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
4310 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
4311 0u))
4312
4313 static unsigned char ssl_serialized_context_header[] = {
4314 MBEDTLS_VERSION_MAJOR,
4315 MBEDTLS_VERSION_MINOR,
4316 MBEDTLS_VERSION_PATCH,
4317 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4318 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4319 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4320 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4321 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4322 };
4323
4324 /*
4325 * Serialize a full SSL context
4326 *
4327 * The format of the serialized data is:
4328 * (in the presentation language of TLS, RFC 8446 section 3)
4329 *
4330 * // header
4331 * opaque mbedtls_version[3]; // major, minor, patch
4332 * opaque context_format[5]; // version-specific field determining
4333 * // the format of the remaining
4334 * // serialized data.
4335 * Note: When updating the format, remember to keep these
4336 * version+format bytes. (We may make their size part of the API.)
4337 *
4338 * // session sub-structure
4339 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
4340 * // transform sub-structure
4341 * uint8 random[64]; // ServerHello.random+ClientHello.random
4342 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
4343 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
4344 * // fields from ssl_context
4345 * uint32 badmac_seen; // DTLS: number of records with failing MAC
4346 * uint64 in_window_top; // DTLS: last validated record seq_num
4347 * uint64 in_window; // DTLS: bitmask for replay protection
4348 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
4349 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
4350 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
4351 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
4352 *
4353 * Note that many fields of the ssl_context or sub-structures are not
4354 * serialized, as they fall in one of the following categories:
4355 *
4356 * 1. forced value (eg in_left must be 0)
4357 * 2. pointer to dynamically-allocated memory (eg session, transform)
4358 * 3. value can be re-derived from other data (eg session keys from MS)
4359 * 4. value was temporary (eg content of input buffer)
4360 * 5. value will be provided by the user again (eg I/O callbacks and context)
4361 */
mbedtls_ssl_context_save(mbedtls_ssl_context * ssl,unsigned char * buf,size_t buf_len,size_t * olen)4362 int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
4363 unsigned char *buf,
4364 size_t buf_len,
4365 size_t *olen)
4366 {
4367 unsigned char *p = buf;
4368 size_t used = 0;
4369 size_t session_len;
4370 int ret = 0;
4371
4372 /*
4373 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
4374 * this function's documentation.
4375 *
4376 * These are due to assumptions/limitations in the implementation. Some of
4377 * them are likely to stay (no handshake in progress) some might go away
4378 * (only DTLS) but are currently used to simplify the implementation.
4379 */
4380 /* The initial handshake must be over */
4381 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4382 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
4383 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4384 }
4385 if (ssl->handshake != NULL) {
4386 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
4387 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4388 }
4389 /* Double-check that sub-structures are indeed ready */
4390 if (ssl->transform == NULL || ssl->session == NULL) {
4391 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
4392 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4393 }
4394 /* There must be no pending incoming or outgoing data */
4395 if (mbedtls_ssl_check_pending(ssl) != 0) {
4396 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
4397 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4398 }
4399 if (ssl->out_left != 0) {
4400 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
4401 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4402 }
4403 /* Protocol must be DTLS, not TLS */
4404 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
4405 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
4406 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4407 }
4408 /* Version must be 1.2 */
4409 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
4410 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
4411 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4412 }
4413 /* We must be using an AEAD ciphersuite */
4414 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
4415 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
4416 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4417 }
4418 /* Renegotiation must not be enabled */
4419 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4420 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
4421 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
4422 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4423 }
4424 #endif
4425
4426 /*
4427 * Version and format identifier
4428 */
4429 used += sizeof(ssl_serialized_context_header);
4430
4431 if (used <= buf_len) {
4432 memcpy(p, ssl_serialized_context_header,
4433 sizeof(ssl_serialized_context_header));
4434 p += sizeof(ssl_serialized_context_header);
4435 }
4436
4437 /*
4438 * Session (length + data)
4439 */
4440 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
4441 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
4442 return ret;
4443 }
4444
4445 used += 4 + session_len;
4446 if (used <= buf_len) {
4447 MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
4448 p += 4;
4449
4450 ret = ssl_session_save(ssl->session, 1,
4451 p, session_len, &session_len);
4452 if (ret != 0) {
4453 return ret;
4454 }
4455
4456 p += session_len;
4457 }
4458
4459 /*
4460 * Transform
4461 */
4462 used += sizeof(ssl->transform->randbytes);
4463 if (used <= buf_len) {
4464 memcpy(p, ssl->transform->randbytes,
4465 sizeof(ssl->transform->randbytes));
4466 p += sizeof(ssl->transform->randbytes);
4467 }
4468
4469 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4470 used += 2 + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
4471 if (used <= buf_len) {
4472 *p++ = ssl->transform->in_cid_len;
4473 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
4474 p += ssl->transform->in_cid_len;
4475
4476 *p++ = ssl->transform->out_cid_len;
4477 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
4478 p += ssl->transform->out_cid_len;
4479 }
4480 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4481
4482 /*
4483 * Saved fields from top-level ssl_context structure
4484 */
4485 used += 4;
4486 if (used <= buf_len) {
4487 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0);
4488 p += 4;
4489 }
4490
4491 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4492 used += 16;
4493 if (used <= buf_len) {
4494 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
4495 p += 8;
4496
4497 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
4498 p += 8;
4499 }
4500 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4501
4502 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4503 used += 1;
4504 if (used <= buf_len) {
4505 *p++ = ssl->disable_datagram_packing;
4506 }
4507 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4508
4509 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
4510 if (used <= buf_len) {
4511 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
4512 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
4513 }
4514
4515 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4516 used += 2;
4517 if (used <= buf_len) {
4518 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
4519 p += 2;
4520 }
4521 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4522
4523 #if defined(MBEDTLS_SSL_ALPN)
4524 {
4525 const uint8_t alpn_len = ssl->alpn_chosen
4526 ? (uint8_t) strlen(ssl->alpn_chosen)
4527 : 0;
4528
4529 used += 1 + alpn_len;
4530 if (used <= buf_len) {
4531 *p++ = alpn_len;
4532
4533 if (ssl->alpn_chosen != NULL) {
4534 memcpy(p, ssl->alpn_chosen, alpn_len);
4535 p += alpn_len;
4536 }
4537 }
4538 }
4539 #endif /* MBEDTLS_SSL_ALPN */
4540
4541 /*
4542 * Done
4543 */
4544 *olen = used;
4545
4546 if (used > buf_len) {
4547 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4548 }
4549
4550 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
4551
4552 return mbedtls_ssl_session_reset_int(ssl, 0);
4553 }
4554
4555 /*
4556 * Deserialize context, see mbedtls_ssl_context_save() for format.
4557 *
4558 * This internal version is wrapped by a public function that cleans up in
4559 * case of error.
4560 */
4561 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_context_load(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)4562 static int ssl_context_load(mbedtls_ssl_context *ssl,
4563 const unsigned char *buf,
4564 size_t len)
4565 {
4566 const unsigned char *p = buf;
4567 const unsigned char * const end = buf + len;
4568 size_t session_len;
4569 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4570 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4571 tls_prf_fn prf_func = NULL;
4572 #endif
4573
4574 /*
4575 * The context should have been freshly setup or reset.
4576 * Give the user an error in case of obvious misuse.
4577 * (Checking session is useful because it won't be NULL if we're
4578 * renegotiating, or if the user mistakenly loaded a session first.)
4579 */
4580 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
4581 ssl->session != NULL) {
4582 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4583 }
4584
4585 /*
4586 * We can't check that the config matches the initial one, but we can at
4587 * least check it matches the requirements for serializing.
4588 */
4589 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
4590 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
4591 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 ||
4592 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4593 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
4594 #endif
4595 0) {
4596 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4597 }
4598
4599 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
4600
4601 /*
4602 * Check version identifier
4603 */
4604 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
4605 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4606 }
4607
4608 if (memcmp(p, ssl_serialized_context_header,
4609 sizeof(ssl_serialized_context_header)) != 0) {
4610 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
4611 }
4612 p += sizeof(ssl_serialized_context_header);
4613
4614 /*
4615 * Session
4616 */
4617 if ((size_t) (end - p) < 4) {
4618 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4619 }
4620
4621 session_len = ((size_t) p[0] << 24) |
4622 ((size_t) p[1] << 16) |
4623 ((size_t) p[2] << 8) |
4624 ((size_t) p[3]);
4625 p += 4;
4626
4627 /* This has been allocated by ssl_handshake_init(), called by
4628 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
4629 ssl->session = ssl->session_negotiate;
4630 ssl->session_in = ssl->session;
4631 ssl->session_out = ssl->session;
4632 ssl->session_negotiate = NULL;
4633
4634 if ((size_t) (end - p) < session_len) {
4635 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4636 }
4637
4638 ret = ssl_session_load(ssl->session, 1, p, session_len);
4639 if (ret != 0) {
4640 mbedtls_ssl_session_free(ssl->session);
4641 return ret;
4642 }
4643
4644 p += session_len;
4645
4646 /*
4647 * Transform
4648 */
4649
4650 /* This has been allocated by ssl_handshake_init(), called by
4651 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
4652 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4653 ssl->transform = ssl->transform_negotiate;
4654 ssl->transform_in = ssl->transform;
4655 ssl->transform_out = ssl->transform;
4656 ssl->transform_negotiate = NULL;
4657 #endif
4658
4659 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4660 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
4661 if (prf_func == NULL) {
4662 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4663 }
4664
4665 /* Read random bytes and populate structure */
4666 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
4667 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4668 }
4669
4670 ret = ssl_tls12_populate_transform(ssl->transform,
4671 ssl->session->ciphersuite,
4672 ssl->session->master,
4673 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
4674 ssl->session->encrypt_then_mac,
4675 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
4676 prf_func,
4677 p, /* currently pointing to randbytes */
4678 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
4679 ssl->conf->endpoint,
4680 ssl);
4681 if (ret != 0) {
4682 return ret;
4683 }
4684 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4685 p += sizeof(ssl->transform->randbytes);
4686
4687 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4688 /* Read connection IDs and store them */
4689 if ((size_t) (end - p) < 1) {
4690 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4691 }
4692
4693 ssl->transform->in_cid_len = *p++;
4694
4695 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
4696 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4697 }
4698
4699 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
4700 p += ssl->transform->in_cid_len;
4701
4702 ssl->transform->out_cid_len = *p++;
4703
4704 if ((size_t) (end - p) < ssl->transform->out_cid_len) {
4705 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4706 }
4707
4708 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
4709 p += ssl->transform->out_cid_len;
4710 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4711
4712 /*
4713 * Saved fields from top-level ssl_context structure
4714 */
4715 if ((size_t) (end - p) < 4) {
4716 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4717 }
4718
4719 ssl->badmac_seen = ((uint32_t) p[0] << 24) |
4720 ((uint32_t) p[1] << 16) |
4721 ((uint32_t) p[2] << 8) |
4722 ((uint32_t) p[3]);
4723 p += 4;
4724
4725 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4726 if ((size_t) (end - p) < 16) {
4727 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4728 }
4729
4730 ssl->in_window_top = ((uint64_t) p[0] << 56) |
4731 ((uint64_t) p[1] << 48) |
4732 ((uint64_t) p[2] << 40) |
4733 ((uint64_t) p[3] << 32) |
4734 ((uint64_t) p[4] << 24) |
4735 ((uint64_t) p[5] << 16) |
4736 ((uint64_t) p[6] << 8) |
4737 ((uint64_t) p[7]);
4738 p += 8;
4739
4740 ssl->in_window = ((uint64_t) p[0] << 56) |
4741 ((uint64_t) p[1] << 48) |
4742 ((uint64_t) p[2] << 40) |
4743 ((uint64_t) p[3] << 32) |
4744 ((uint64_t) p[4] << 24) |
4745 ((uint64_t) p[5] << 16) |
4746 ((uint64_t) p[6] << 8) |
4747 ((uint64_t) p[7]);
4748 p += 8;
4749 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4750
4751 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4752 if ((size_t) (end - p) < 1) {
4753 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4754 }
4755
4756 ssl->disable_datagram_packing = *p++;
4757 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4758
4759 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
4760 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4761 }
4762 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
4763 p += sizeof(ssl->cur_out_ctr);
4764
4765 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4766 if ((size_t) (end - p) < 2) {
4767 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4768 }
4769
4770 ssl->mtu = (p[0] << 8) | p[1];
4771 p += 2;
4772 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4773
4774 #if defined(MBEDTLS_SSL_ALPN)
4775 {
4776 uint8_t alpn_len;
4777 const char **cur;
4778
4779 if ((size_t) (end - p) < 1) {
4780 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4781 }
4782
4783 alpn_len = *p++;
4784
4785 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
4786 /* alpn_chosen should point to an item in the configured list */
4787 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
4788 if (strlen(*cur) == alpn_len &&
4789 memcmp(p, cur, alpn_len) == 0) {
4790 ssl->alpn_chosen = *cur;
4791 break;
4792 }
4793 }
4794 }
4795
4796 /* can only happen on conf mismatch */
4797 if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
4798 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4799 }
4800
4801 p += alpn_len;
4802 }
4803 #endif /* MBEDTLS_SSL_ALPN */
4804
4805 /*
4806 * Forced fields from top-level ssl_context structure
4807 *
4808 * Most of them already set to the correct value by mbedtls_ssl_init() and
4809 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
4810 */
4811 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
4812 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
4813
4814 /* Adjust pointers for header fields of outgoing records to
4815 * the given transform, accounting for explicit IV and CID. */
4816 mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
4817
4818 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4819 ssl->in_epoch = 1;
4820 #endif
4821
4822 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
4823 * which we don't want - otherwise we'd end up freeing the wrong transform
4824 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
4825 * inappropriately. */
4826 if (ssl->handshake != NULL) {
4827 mbedtls_ssl_handshake_free(ssl);
4828 mbedtls_free(ssl->handshake);
4829 ssl->handshake = NULL;
4830 }
4831
4832 /*
4833 * Done - should have consumed entire buffer
4834 */
4835 if (p != end) {
4836 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4837 }
4838
4839 return 0;
4840 }
4841
4842 /*
4843 * Deserialize context: public wrapper for error cleaning
4844 */
mbedtls_ssl_context_load(mbedtls_ssl_context * context,const unsigned char * buf,size_t len)4845 int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
4846 const unsigned char *buf,
4847 size_t len)
4848 {
4849 int ret = ssl_context_load(context, buf, len);
4850
4851 if (ret != 0) {
4852 mbedtls_ssl_free(context);
4853 }
4854
4855 return ret;
4856 }
4857 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
4858
4859 /*
4860 * Free an SSL context
4861 */
mbedtls_ssl_free(mbedtls_ssl_context * ssl)4862 void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
4863 {
4864 if (ssl == NULL) {
4865 return;
4866 }
4867
4868 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
4869
4870 if (ssl->out_buf != NULL) {
4871 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4872 size_t out_buf_len = ssl->out_buf_len;
4873 #else
4874 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
4875 #endif
4876
4877 mbedtls_platform_zeroize(ssl->out_buf, out_buf_len);
4878 mbedtls_free(ssl->out_buf);
4879 ssl->out_buf = NULL;
4880 }
4881
4882 if (ssl->in_buf != NULL) {
4883 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4884 size_t in_buf_len = ssl->in_buf_len;
4885 #else
4886 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
4887 #endif
4888
4889 mbedtls_platform_zeroize(ssl->in_buf, in_buf_len);
4890 mbedtls_free(ssl->in_buf);
4891 ssl->in_buf = NULL;
4892 }
4893
4894 if (ssl->transform) {
4895 mbedtls_ssl_transform_free(ssl->transform);
4896 mbedtls_free(ssl->transform);
4897 }
4898
4899 if (ssl->handshake) {
4900 mbedtls_ssl_handshake_free(ssl);
4901 mbedtls_free(ssl->handshake);
4902
4903 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4904 mbedtls_ssl_transform_free(ssl->transform_negotiate);
4905 mbedtls_free(ssl->transform_negotiate);
4906 #endif
4907
4908 mbedtls_ssl_session_free(ssl->session_negotiate);
4909 mbedtls_free(ssl->session_negotiate);
4910 }
4911
4912 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4913 mbedtls_ssl_transform_free(ssl->transform_application);
4914 mbedtls_free(ssl->transform_application);
4915 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4916
4917 if (ssl->session) {
4918 mbedtls_ssl_session_free(ssl->session);
4919 mbedtls_free(ssl->session);
4920 }
4921
4922 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4923 if (ssl->hostname != NULL) {
4924 mbedtls_platform_zeroize(ssl->hostname, strlen(ssl->hostname));
4925 mbedtls_free(ssl->hostname);
4926 }
4927 #endif
4928
4929 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
4930 mbedtls_free(ssl->cli_id);
4931 #endif
4932
4933 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
4934
4935 /* Actually clear after last debug message */
4936 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
4937 }
4938
4939 /*
4940 * Initialize mbedtls_ssl_config
4941 */
mbedtls_ssl_config_init(mbedtls_ssl_config * conf)4942 void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
4943 {
4944 memset(conf, 0, sizeof(mbedtls_ssl_config));
4945 }
4946
4947 /* The selection should be the same as mbedtls_x509_crt_profile_default in
4948 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
4949 * curves with a lower resource usage come first.
4950 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
4951 * about this list.
4952 */
4953 static uint16_t ssl_preset_default_groups[] = {
4954 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
4955 MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
4956 #endif
4957 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
4958 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
4959 #endif
4960 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
4961 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
4962 #endif
4963 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
4964 MBEDTLS_SSL_IANA_TLS_GROUP_X448,
4965 #endif
4966 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
4967 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
4968 #endif
4969 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
4970 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
4971 #endif
4972 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
4973 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
4974 #endif
4975 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
4976 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
4977 #endif
4978 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
4979 };
4980
4981 static int ssl_preset_suiteb_ciphersuites[] = {
4982 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
4983 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
4984 0
4985 };
4986
4987 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
4988
4989 /* NOTICE:
4990 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
4991 * rules SHOULD be upheld.
4992 * - No duplicate entries.
4993 * - But if there is a good reason, do not change the order of the algorithms.
4994 * - ssl_tls12_preset* is for TLS 1.2 use only.
4995 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
4996 */
4997 static uint16_t ssl_preset_default_sig_algs[] = {
4998
4999 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && \
5000 defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
5001 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
5002 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5003 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA &&
5004 MBEDTLS_ECP_DP_SECP256R1_ENABLED */
5005
5006 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && \
5007 defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
5008 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
5009 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5010 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA&&
5011 MBEDTLS_ECP_DP_SECP384R1_ENABLED */
5012
5013 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && \
5014 defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
5015 defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
5016 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
5017 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA&&
5018 MBEDTLS_ECP_DP_SECP521R1_ENABLED */
5019
5020 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
5021 defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5022 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5023 #endif \
5024 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
5025
5026 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
5027 defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5028 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5029 #endif \
5030 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
5031
5032 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
5033 defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5034 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5035 #endif \
5036 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
5037
5038 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5039 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
5040 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */
5041
5042 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5043 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
5044 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA384_C */
5045
5046 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5047 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
5048 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
5049
5050 MBEDTLS_TLS_SIG_NONE
5051 };
5052
5053 /* NOTICE: see above */
5054 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5055 static uint16_t ssl_tls12_preset_default_sig_algs[] = {
5056 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5057 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
5058 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
5059 #endif
5060 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5061 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5062 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
5063 #if defined(MBEDTLS_RSA_C)
5064 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
5065 #endif
5066 #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
5067 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5068 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
5069 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5070 #endif
5071 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5072 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5073 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
5074 #if defined(MBEDTLS_RSA_C)
5075 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
5076 #endif
5077 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
5078 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5079 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
5080 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5081 #endif
5082 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5083 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5084 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */
5085 #if defined(MBEDTLS_RSA_C)
5086 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
5087 #endif
5088 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
5089 MBEDTLS_TLS_SIG_NONE
5090 };
5091 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5092 /* NOTICE: see above */
5093 static uint16_t ssl_preset_suiteb_sig_algs[] = {
5094
5095 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
5096 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
5097 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5098 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA&&
5099 MBEDTLS_ECP_DP_SECP256R1_ENABLED */
5100
5101 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
5102 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
5103 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5104 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA&&
5105 MBEDTLS_ECP_DP_SECP384R1_ENABLED */
5106
5107 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
5108 defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5109 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5110 #endif \
5111 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
5112
5113 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5114 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
5115 #endif /* MBEDTLS_RSA_C && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
5116
5117 MBEDTLS_TLS_SIG_NONE
5118 };
5119
5120 /* NOTICE: see above */
5121 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5122 static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
5123 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5124 #if defined(MBEDTLS_ECDSA_C)
5125 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5126 #endif
5127 #if defined(MBEDTLS_RSA_C)
5128 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
5129 #endif
5130 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
5131 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5132 #if defined(MBEDTLS_ECDSA_C)
5133 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5134 #endif
5135 #if defined(MBEDTLS_RSA_C)
5136 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
5137 #endif
5138 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
5139 MBEDTLS_TLS_SIG_NONE
5140 };
5141 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5142
5143 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5144
5145 static uint16_t ssl_preset_suiteb_groups[] = {
5146 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
5147 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5148 #endif
5149 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
5150 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5151 #endif
5152 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5153 };
5154
5155 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5156 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
5157 * to make sure there are no duplicated signature algorithm entries. */
5158 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_no_sig_alg_duplication(uint16_t * sig_algs)5159 static int ssl_check_no_sig_alg_duplication(uint16_t *sig_algs)
5160 {
5161 size_t i, j;
5162 int ret = 0;
5163
5164 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
5165 for (j = 0; j < i; j++) {
5166 if (sig_algs[i] != sig_algs[j]) {
5167 continue;
5168 }
5169 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
5170 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
5171 sig_algs[i], j, i);
5172 ret = -1;
5173 }
5174 }
5175 return ret;
5176 }
5177
5178 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5179
5180 /*
5181 * Load default in mbedtls_ssl_config
5182 */
mbedtls_ssl_config_defaults(mbedtls_ssl_config * conf,int endpoint,int transport,int preset)5183 int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
5184 int endpoint, int transport, int preset)
5185 {
5186 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5187 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5188 #endif
5189
5190 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5191 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
5192 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
5193 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5194 }
5195
5196 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
5197 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
5198 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5199 }
5200
5201 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5202 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
5203 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
5204 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5205 }
5206
5207 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
5208 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
5209 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5210 }
5211 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5212 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5213
5214 /* Use the functions here so that they are covered in tests,
5215 * but otherwise access member directly for efficiency */
5216 mbedtls_ssl_conf_endpoint(conf, endpoint);
5217 mbedtls_ssl_conf_transport(conf, transport);
5218
5219 /*
5220 * Things that are common to all presets
5221 */
5222 #if defined(MBEDTLS_SSL_CLI_C)
5223 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
5224 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
5225 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
5226 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
5227 #endif
5228 }
5229 #endif
5230
5231 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5232 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
5233 #endif
5234
5235 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
5236 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
5237 #endif
5238
5239 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5240 conf->f_cookie_write = ssl_cookie_write_dummy;
5241 conf->f_cookie_check = ssl_cookie_check_dummy;
5242 #endif
5243
5244 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5245 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
5246 #endif
5247
5248 #if defined(MBEDTLS_SSL_SRV_C)
5249 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
5250 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
5251 #endif
5252
5253 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5254 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
5255 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
5256 #endif
5257
5258 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5259 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
5260 memset(conf->renego_period, 0x00, 2);
5261 memset(conf->renego_period + 2, 0xFF, 6);
5262 #endif
5263
5264 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5265 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
5266 const unsigned char dhm_p[] =
5267 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
5268 const unsigned char dhm_g[] =
5269 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
5270
5271 if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
5272 dhm_p, sizeof(dhm_p),
5273 dhm_g, sizeof(dhm_g))) != 0) {
5274 return ret;
5275 }
5276 }
5277 #endif
5278
5279 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5280
5281 #if defined(MBEDTLS_SSL_EARLY_DATA)
5282 mbedtls_ssl_tls13_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
5283 #if defined(MBEDTLS_SSL_SRV_C)
5284 mbedtls_ssl_tls13_conf_max_early_data_size(
5285 conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
5286 #endif
5287 #endif /* MBEDTLS_SSL_EARLY_DATA */
5288
5289 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
5290 mbedtls_ssl_conf_new_session_tickets(
5291 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS);
5292 #endif
5293 /*
5294 * Allow all TLS 1.3 key exchange modes by default.
5295 */
5296 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
5297 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5298
5299 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5300 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5301 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5302 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5303 #else
5304 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5305 #endif
5306 } else {
5307 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
5308 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
5309 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5310 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5311 } else {
5312 /* Hybrid TLS 1.2 / 1.3 is not supported on server side yet */
5313 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5314 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5315 }
5316 #elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
5317 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5318 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5319 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
5320 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5321 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5322 #else
5323 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5324 #endif
5325 }
5326
5327 /*
5328 * Preset-specific defaults
5329 */
5330 switch (preset) {
5331 /*
5332 * NSA Suite B
5333 */
5334 case MBEDTLS_SSL_PRESET_SUITEB:
5335
5336 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
5337
5338 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5339 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
5340 #endif
5341
5342 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5343 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5344 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
5345 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
5346 } else
5347 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5348 conf->sig_algs = ssl_preset_suiteb_sig_algs;
5349 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5350
5351 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
5352 conf->curve_list = NULL;
5353 #endif
5354 conf->group_list = ssl_preset_suiteb_groups;
5355 break;
5356
5357 /*
5358 * Default
5359 */
5360 default:
5361
5362 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
5363
5364 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5365 conf->cert_profile = &mbedtls_x509_crt_profile_default;
5366 #endif
5367
5368 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5369 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5370 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
5371 conf->sig_algs = ssl_tls12_preset_default_sig_algs;
5372 } else
5373 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5374 conf->sig_algs = ssl_preset_default_sig_algs;
5375 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5376
5377 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
5378 conf->curve_list = NULL;
5379 #endif
5380 conf->group_list = ssl_preset_default_groups;
5381
5382 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
5383 conf->dhm_min_bitlen = 1024;
5384 #endif
5385 }
5386
5387 return 0;
5388 }
5389
5390 /*
5391 * Free mbedtls_ssl_config
5392 */
mbedtls_ssl_config_free(mbedtls_ssl_config * conf)5393 void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
5394 {
5395 #if defined(MBEDTLS_DHM_C)
5396 mbedtls_mpi_free(&conf->dhm_P);
5397 mbedtls_mpi_free(&conf->dhm_G);
5398 #endif
5399
5400 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
5401 #if defined(MBEDTLS_USE_PSA_CRYPTO)
5402 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
5403 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
5404 }
5405 #endif /* MBEDTLS_USE_PSA_CRYPTO */
5406 if (conf->psk != NULL) {
5407 mbedtls_platform_zeroize(conf->psk, conf->psk_len);
5408 mbedtls_free(conf->psk);
5409 conf->psk = NULL;
5410 conf->psk_len = 0;
5411 }
5412
5413 if (conf->psk_identity != NULL) {
5414 mbedtls_platform_zeroize(conf->psk_identity, conf->psk_identity_len);
5415 mbedtls_free(conf->psk_identity);
5416 conf->psk_identity = NULL;
5417 conf->psk_identity_len = 0;
5418 }
5419 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
5420
5421 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5422 ssl_key_cert_free(conf->key_cert);
5423 #endif
5424
5425 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
5426 }
5427
5428 #if defined(MBEDTLS_PK_C) && \
5429 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_CAN_ECDSA_SOME))
5430 /*
5431 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
5432 */
mbedtls_ssl_sig_from_pk(mbedtls_pk_context * pk)5433 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
5434 {
5435 #if defined(MBEDTLS_RSA_C)
5436 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
5437 return MBEDTLS_SSL_SIG_RSA;
5438 }
5439 #endif
5440 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
5441 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
5442 return MBEDTLS_SSL_SIG_ECDSA;
5443 }
5444 #endif
5445 return MBEDTLS_SSL_SIG_ANON;
5446 }
5447
mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)5448 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
5449 {
5450 switch (type) {
5451 case MBEDTLS_PK_RSA:
5452 return MBEDTLS_SSL_SIG_RSA;
5453 case MBEDTLS_PK_ECDSA:
5454 case MBEDTLS_PK_ECKEY:
5455 return MBEDTLS_SSL_SIG_ECDSA;
5456 default:
5457 return MBEDTLS_SSL_SIG_ANON;
5458 }
5459 }
5460
mbedtls_ssl_pk_alg_from_sig(unsigned char sig)5461 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
5462 {
5463 switch (sig) {
5464 #if defined(MBEDTLS_RSA_C)
5465 case MBEDTLS_SSL_SIG_RSA:
5466 return MBEDTLS_PK_RSA;
5467 #endif
5468 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
5469 case MBEDTLS_SSL_SIG_ECDSA:
5470 return MBEDTLS_PK_ECDSA;
5471 #endif
5472 default:
5473 return MBEDTLS_PK_NONE;
5474 }
5475 }
5476 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_PK_CAN_ECDSA_SOME ) */
5477
5478 /*
5479 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
5480 */
mbedtls_ssl_md_alg_from_hash(unsigned char hash)5481 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
5482 {
5483 switch (hash) {
5484 #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5485 case MBEDTLS_SSL_HASH_MD5:
5486 return MBEDTLS_MD_MD5;
5487 #endif
5488 #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5489 case MBEDTLS_SSL_HASH_SHA1:
5490 return MBEDTLS_MD_SHA1;
5491 #endif
5492 #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5493 case MBEDTLS_SSL_HASH_SHA224:
5494 return MBEDTLS_MD_SHA224;
5495 #endif
5496 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5497 case MBEDTLS_SSL_HASH_SHA256:
5498 return MBEDTLS_MD_SHA256;
5499 #endif
5500 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5501 case MBEDTLS_SSL_HASH_SHA384:
5502 return MBEDTLS_MD_SHA384;
5503 #endif
5504 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5505 case MBEDTLS_SSL_HASH_SHA512:
5506 return MBEDTLS_MD_SHA512;
5507 #endif
5508 default:
5509 return MBEDTLS_MD_NONE;
5510 }
5511 }
5512
5513 /*
5514 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
5515 */
mbedtls_ssl_hash_from_md_alg(int md)5516 unsigned char mbedtls_ssl_hash_from_md_alg(int md)
5517 {
5518 switch (md) {
5519 #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5520 case MBEDTLS_MD_MD5:
5521 return MBEDTLS_SSL_HASH_MD5;
5522 #endif
5523 #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5524 case MBEDTLS_MD_SHA1:
5525 return MBEDTLS_SSL_HASH_SHA1;
5526 #endif
5527 #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5528 case MBEDTLS_MD_SHA224:
5529 return MBEDTLS_SSL_HASH_SHA224;
5530 #endif
5531 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5532 case MBEDTLS_MD_SHA256:
5533 return MBEDTLS_SSL_HASH_SHA256;
5534 #endif
5535 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5536 case MBEDTLS_MD_SHA384:
5537 return MBEDTLS_SSL_HASH_SHA384;
5538 #endif
5539 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5540 case MBEDTLS_MD_SHA512:
5541 return MBEDTLS_SSL_HASH_SHA512;
5542 #endif
5543 default:
5544 return MBEDTLS_SSL_HASH_NONE;
5545 }
5546 }
5547
5548 /*
5549 * Check if a curve proposed by the peer is in our list.
5550 * Return 0 if we're willing to use it, -1 otherwise.
5551 */
mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context * ssl,uint16_t tls_id)5552 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id)
5553 {
5554 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
5555
5556 if (group_list == NULL) {
5557 return -1;
5558 }
5559
5560 for (; *group_list != 0; group_list++) {
5561 if (*group_list == tls_id) {
5562 return 0;
5563 }
5564 }
5565
5566 return -1;
5567 }
5568
5569 #if defined(MBEDTLS_ECP_C)
5570 /*
5571 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
5572 */
mbedtls_ssl_check_curve(const mbedtls_ssl_context * ssl,mbedtls_ecp_group_id grp_id)5573 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
5574 {
5575 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
5576
5577 if (tls_id == 0) {
5578 return -1;
5579 }
5580
5581 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
5582 }
5583 #endif /* MBEDTLS_ECP_C */
5584
5585 #if defined(MBEDTLS_DEBUG_C)
5586 #define EC_NAME(_name_) _name_
5587 #else
5588 #define EC_NAME(_name_) NULL
5589 #endif
5590
5591 static const struct {
5592 uint16_t tls_id;
5593 mbedtls_ecp_group_id ecp_group_id;
5594 psa_ecc_family_t psa_family;
5595 uint16_t bits;
5596 const char *name;
5597 } tls_id_match_table[] =
5598 {
5599 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
5600 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521, EC_NAME("secp521r1") },
5601 #endif
5602 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
5603 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512, EC_NAME("brainpoolP512r1") },
5604 #endif
5605 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384)
5606 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384, EC_NAME("secp384r1") },
5607 #endif
5608 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
5609 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384, EC_NAME("brainpoolP384r1") },
5610 #endif
5611 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256)
5612 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256, EC_NAME("secp256r1") },
5613 #endif
5614 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256)
5615 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256, EC_NAME("secp256k1") },
5616 #endif
5617 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
5618 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256, EC_NAME("brainpoolP256r1") },
5619 #endif
5620 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224)
5621 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224, EC_NAME("secp224r1") },
5622 #endif
5623 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224)
5624 { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224, EC_NAME("secp224k1") },
5625 #endif
5626 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192)
5627 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192, EC_NAME("secp192r1") },
5628 #endif
5629 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192)
5630 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192, EC_NAME("secp192k1") },
5631 #endif
5632 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255)
5633 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255, EC_NAME("x25519") },
5634 #endif
5635 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448)
5636 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448, EC_NAME("x448") },
5637 #endif
5638 { 0, MBEDTLS_ECP_DP_NONE, 0, 0, NULL },
5639 };
5640
mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,psa_ecc_family_t * family,size_t * bits)5641 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
5642 psa_ecc_family_t *family,
5643 size_t *bits)
5644 {
5645 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
5646 if (tls_id_match_table[i].tls_id == tls_id) {
5647 if (family != NULL) {
5648 *family = tls_id_match_table[i].psa_family;
5649 }
5650 if (bits != NULL) {
5651 *bits = tls_id_match_table[i].bits;
5652 }
5653 return PSA_SUCCESS;
5654 }
5655 }
5656
5657 return PSA_ERROR_NOT_SUPPORTED;
5658 }
5659
mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)5660 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
5661 {
5662 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
5663 if (tls_id_match_table[i].tls_id == tls_id) {
5664 return tls_id_match_table[i].ecp_group_id;
5665 }
5666 }
5667
5668 return MBEDTLS_ECP_DP_NONE;
5669 }
5670
mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)5671 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
5672 {
5673 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
5674 i++) {
5675 if (tls_id_match_table[i].ecp_group_id == grp_id) {
5676 return tls_id_match_table[i].tls_id;
5677 }
5678 }
5679
5680 return 0;
5681 }
5682
5683 #if defined(MBEDTLS_DEBUG_C)
mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)5684 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
5685 {
5686 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
5687 if (tls_id_match_table[i].tls_id == tls_id) {
5688 return tls_id_match_table[i].name;
5689 }
5690 }
5691
5692 return NULL;
5693 }
5694 #endif
5695
5696 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt * cert,const mbedtls_ssl_ciphersuite_t * ciphersuite,int cert_endpoint,uint32_t * flags)5697 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
5698 const mbedtls_ssl_ciphersuite_t *ciphersuite,
5699 int cert_endpoint,
5700 uint32_t *flags)
5701 {
5702 int ret = 0;
5703 int usage = 0;
5704 const char *ext_oid;
5705 size_t ext_len;
5706
5707 if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
5708 /* Server part of the key exchange */
5709 switch (ciphersuite->key_exchange) {
5710 case MBEDTLS_KEY_EXCHANGE_RSA:
5711 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
5712 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
5713 break;
5714
5715 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
5716 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
5717 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
5718 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
5719 break;
5720
5721 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
5722 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
5723 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
5724 break;
5725
5726 /* Don't use default: we want warnings when adding new values */
5727 case MBEDTLS_KEY_EXCHANGE_NONE:
5728 case MBEDTLS_KEY_EXCHANGE_PSK:
5729 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
5730 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
5731 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
5732 usage = 0;
5733 }
5734 } else {
5735 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
5736 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
5737 }
5738
5739 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
5740 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
5741 ret = -1;
5742 }
5743
5744 if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
5745 ext_oid = MBEDTLS_OID_SERVER_AUTH;
5746 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
5747 } else {
5748 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
5749 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
5750 }
5751
5752 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
5753 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
5754 ret = -1;
5755 }
5756
5757 return ret;
5758 }
5759 #endif /* MBEDTLS_X509_CRT_PARSE_C */
5760
5761 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)5762 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
5763 const mbedtls_md_type_t md,
5764 unsigned char *dst,
5765 size_t dst_len,
5766 size_t *olen)
5767 {
5768 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
5769 psa_hash_operation_t *hash_operation_to_clone;
5770 psa_hash_operation_t hash_operation = psa_hash_operation_init();
5771
5772 *olen = 0;
5773
5774 switch (md) {
5775 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5776 case MBEDTLS_MD_SHA384:
5777 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
5778 break;
5779 #endif
5780
5781 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5782 case MBEDTLS_MD_SHA256:
5783 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
5784 break;
5785 #endif
5786
5787 default:
5788 goto exit;
5789 }
5790
5791 status = psa_hash_clone(hash_operation_to_clone, &hash_operation);
5792 if (status != PSA_SUCCESS) {
5793 goto exit;
5794 }
5795
5796 status = psa_hash_finish(&hash_operation, dst, dst_len, olen);
5797 if (status != PSA_SUCCESS) {
5798 goto exit;
5799 }
5800
5801 exit:
5802 #if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
5803 !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5804 (void) ssl;
5805 #endif
5806 return PSA_TO_MBEDTLS_ERR(status);
5807 }
5808 #else /* MBEDTLS_USE_PSA_CRYPTO */
5809
5810 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5811 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha384(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)5812 static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl,
5813 unsigned char *dst,
5814 size_t dst_len,
5815 size_t *olen)
5816 {
5817 int ret;
5818 mbedtls_md_context_t sha384;
5819
5820 if (dst_len < 48) {
5821 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
5822 }
5823
5824 mbedtls_md_init(&sha384);
5825 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
5826 if (ret != 0) {
5827 goto exit;
5828 }
5829 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
5830 if (ret != 0) {
5831 goto exit;
5832 }
5833
5834 if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) {
5835 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
5836 goto exit;
5837 }
5838
5839 *olen = 48;
5840
5841 exit:
5842
5843 mbedtls_md_free(&sha384);
5844 return ret;
5845 }
5846 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
5847
5848 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5849 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha256(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)5850 static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl,
5851 unsigned char *dst,
5852 size_t dst_len,
5853 size_t *olen)
5854 {
5855 int ret;
5856 mbedtls_md_context_t sha256;
5857
5858 if (dst_len < 32) {
5859 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
5860 }
5861
5862 mbedtls_md_init(&sha256);
5863 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
5864 if (ret != 0) {
5865 goto exit;
5866 }
5867 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
5868 if (ret != 0) {
5869 goto exit;
5870 }
5871
5872 if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) {
5873 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
5874 goto exit;
5875 }
5876
5877 *olen = 32;
5878
5879 exit:
5880
5881 mbedtls_md_free(&sha256);
5882 return ret;
5883 }
5884 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
5885
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)5886 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
5887 const mbedtls_md_type_t md,
5888 unsigned char *dst,
5889 size_t dst_len,
5890 size_t *olen)
5891 {
5892 switch (md) {
5893
5894 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5895 case MBEDTLS_MD_SHA384:
5896 return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen);
5897 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
5898
5899 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5900 case MBEDTLS_MD_SHA256:
5901 return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen);
5902 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
5903
5904 default:
5905 #if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
5906 !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
5907 (void) ssl;
5908 (void) dst;
5909 (void) dst_len;
5910 (void) olen;
5911 #endif
5912 break;
5913 }
5914 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
5915 }
5916
5917 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
5918
5919 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5920 /* mbedtls_ssl_parse_sig_alg_ext()
5921 *
5922 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
5923 * value (TLS 1.3 RFC8446):
5924 * enum {
5925 * ....
5926 * ecdsa_secp256r1_sha256( 0x0403 ),
5927 * ecdsa_secp384r1_sha384( 0x0503 ),
5928 * ecdsa_secp521r1_sha512( 0x0603 ),
5929 * ....
5930 * } SignatureScheme;
5931 *
5932 * struct {
5933 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
5934 * } SignatureSchemeList;
5935 *
5936 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
5937 * value (TLS 1.2 RFC5246):
5938 * enum {
5939 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
5940 * sha512(6), (255)
5941 * } HashAlgorithm;
5942 *
5943 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
5944 * SignatureAlgorithm;
5945 *
5946 * struct {
5947 * HashAlgorithm hash;
5948 * SignatureAlgorithm signature;
5949 * } SignatureAndHashAlgorithm;
5950 *
5951 * SignatureAndHashAlgorithm
5952 * supported_signature_algorithms<2..2^16-2>;
5953 *
5954 * The TLS 1.3 signature algorithm extension was defined to be a compatible
5955 * generalization of the TLS 1.2 signature algorithm extension.
5956 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
5957 * `SignatureScheme` field of TLS 1.3
5958 *
5959 */
mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)5960 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
5961 const unsigned char *buf,
5962 const unsigned char *end)
5963 {
5964 const unsigned char *p = buf;
5965 size_t supported_sig_algs_len = 0;
5966 const unsigned char *supported_sig_algs_end;
5967 uint16_t sig_alg;
5968 uint32_t common_idx = 0;
5969
5970 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
5971 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0);
5972 p += 2;
5973
5974 memset(ssl->handshake->received_sig_algs, 0,
5975 sizeof(ssl->handshake->received_sig_algs));
5976
5977 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len);
5978 supported_sig_algs_end = p + supported_sig_algs_len;
5979 while (p < supported_sig_algs_end) {
5980 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2);
5981 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
5982 p += 2;
5983 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s",
5984 sig_alg,
5985 mbedtls_ssl_sig_alg_to_str(sig_alg)));
5986 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5987 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
5988 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) &&
5989 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) {
5990 continue;
5991 }
5992 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5993
5994 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s",
5995 mbedtls_ssl_sig_alg_to_str(sig_alg)));
5996
5997 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) {
5998 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
5999 common_idx += 1;
6000 }
6001 }
6002 /* Check that we consumed all the message. */
6003 if (p != end) {
6004 MBEDTLS_SSL_DEBUG_MSG(1,
6005 ("Signature algorithms extension length misaligned"));
6006 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
6007 MBEDTLS_ERR_SSL_DECODE_ERROR);
6008 return MBEDTLS_ERR_SSL_DECODE_ERROR;
6009 }
6010
6011 if (common_idx == 0) {
6012 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common"));
6013 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
6014 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
6015 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
6016 }
6017
6018 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
6019 return 0;
6020 }
6021
6022 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6023
6024 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6025
6026 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6027
setup_psa_key_derivation(psa_key_derivation_operation_t * derivation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,const unsigned char * raw_psk,size_t raw_psk_length,const unsigned char * seed,size_t seed_length,const unsigned char * label,size_t label_length,const unsigned char * other_secret,size_t other_secret_length,size_t capacity)6028 static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
6029 mbedtls_svc_key_id_t key,
6030 psa_algorithm_t alg,
6031 const unsigned char *raw_psk, size_t raw_psk_length,
6032 const unsigned char *seed, size_t seed_length,
6033 const unsigned char *label, size_t label_length,
6034 const unsigned char *other_secret,
6035 size_t other_secret_length,
6036 size_t capacity)
6037 {
6038 psa_status_t status;
6039
6040 status = psa_key_derivation_setup(derivation, alg);
6041 if (status != PSA_SUCCESS) {
6042 return status;
6043 }
6044
6045 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
6046 status = psa_key_derivation_input_bytes(derivation,
6047 PSA_KEY_DERIVATION_INPUT_SEED,
6048 seed, seed_length);
6049 if (status != PSA_SUCCESS) {
6050 return status;
6051 }
6052
6053 if (other_secret != NULL) {
6054 status = psa_key_derivation_input_bytes(derivation,
6055 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
6056 other_secret, other_secret_length);
6057 if (status != PSA_SUCCESS) {
6058 return status;
6059 }
6060 }
6061
6062 if (mbedtls_svc_key_id_is_null(key)) {
6063 status = psa_key_derivation_input_bytes(
6064 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
6065 raw_psk, raw_psk_length);
6066 } else {
6067 status = psa_key_derivation_input_key(
6068 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
6069 }
6070 if (status != PSA_SUCCESS) {
6071 return status;
6072 }
6073
6074 status = psa_key_derivation_input_bytes(derivation,
6075 PSA_KEY_DERIVATION_INPUT_LABEL,
6076 label, label_length);
6077 if (status != PSA_SUCCESS) {
6078 return status;
6079 }
6080 } else {
6081 return PSA_ERROR_NOT_SUPPORTED;
6082 }
6083
6084 status = psa_key_derivation_set_capacity(derivation, capacity);
6085 if (status != PSA_SUCCESS) {
6086 return status;
6087 }
6088
6089 return PSA_SUCCESS;
6090 }
6091
6092 #if defined(PSA_WANT_ALG_SHA_384) || \
6093 defined(PSA_WANT_ALG_SHA_256)
6094 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6095 static int tls_prf_generic(mbedtls_md_type_t md_type,
6096 const unsigned char *secret, size_t slen,
6097 const char *label,
6098 const unsigned char *random, size_t rlen,
6099 unsigned char *dstbuf, size_t dlen)
6100 {
6101 psa_status_t status;
6102 psa_algorithm_t alg;
6103 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
6104 psa_key_derivation_operation_t derivation =
6105 PSA_KEY_DERIVATION_OPERATION_INIT;
6106
6107 if (md_type == MBEDTLS_MD_SHA384) {
6108 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
6109 } else {
6110 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
6111 }
6112
6113 /* Normally a "secret" should be long enough to be impossible to
6114 * find by brute force, and in particular should not be empty. But
6115 * this PRF is also used to derive an IV, in particular in EAP-TLS,
6116 * and for this use case it makes sense to have a 0-length "secret".
6117 * Since the key API doesn't allow importing a key of length 0,
6118 * keep master_key=0, which setup_psa_key_derivation() understands
6119 * to mean a 0-length "secret" input. */
6120 if (slen != 0) {
6121 psa_key_attributes_t key_attributes = psa_key_attributes_init();
6122 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
6123 psa_set_key_algorithm(&key_attributes, alg);
6124 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
6125
6126 status = psa_import_key(&key_attributes, secret, slen, &master_key);
6127 if (status != PSA_SUCCESS) {
6128 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6129 }
6130 }
6131
6132 status = setup_psa_key_derivation(&derivation,
6133 master_key, alg,
6134 NULL, 0,
6135 random, rlen,
6136 (unsigned char const *) label,
6137 (size_t) strlen(label),
6138 NULL, 0,
6139 dlen);
6140 if (status != PSA_SUCCESS) {
6141 psa_key_derivation_abort(&derivation);
6142 psa_destroy_key(master_key);
6143 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6144 }
6145
6146 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
6147 if (status != PSA_SUCCESS) {
6148 psa_key_derivation_abort(&derivation);
6149 psa_destroy_key(master_key);
6150 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6151 }
6152
6153 status = psa_key_derivation_abort(&derivation);
6154 if (status != PSA_SUCCESS) {
6155 psa_destroy_key(master_key);
6156 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6157 }
6158
6159 if (!mbedtls_svc_key_id_is_null(master_key)) {
6160 status = psa_destroy_key(master_key);
6161 }
6162 if (status != PSA_SUCCESS) {
6163 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6164 }
6165
6166 return 0;
6167 }
6168 #endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
6169 #else /* MBEDTLS_USE_PSA_CRYPTO */
6170
6171 #if defined(MBEDTLS_MD_C) && \
6172 (defined(MBEDTLS_SHA256_C) || \
6173 defined(MBEDTLS_SHA384_C))
6174 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6175 static int tls_prf_generic(mbedtls_md_type_t md_type,
6176 const unsigned char *secret, size_t slen,
6177 const char *label,
6178 const unsigned char *random, size_t rlen,
6179 unsigned char *dstbuf, size_t dlen)
6180 {
6181 size_t nb;
6182 size_t i, j, k, md_len;
6183 unsigned char *tmp;
6184 size_t tmp_len = 0;
6185 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
6186 const mbedtls_md_info_t *md_info;
6187 mbedtls_md_context_t md_ctx;
6188 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6189
6190 mbedtls_md_init(&md_ctx);
6191
6192 if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) {
6193 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6194 }
6195
6196 md_len = mbedtls_md_get_size(md_info);
6197
6198 tmp_len = md_len + strlen(label) + rlen;
6199 tmp = mbedtls_calloc(1, tmp_len);
6200 if (tmp == NULL) {
6201 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
6202 goto exit;
6203 }
6204
6205 nb = strlen(label);
6206 memcpy(tmp + md_len, label, nb);
6207 memcpy(tmp + md_len + nb, random, rlen);
6208 nb += rlen;
6209
6210 /*
6211 * Compute P_<hash>(secret, label + random)[0..dlen]
6212 */
6213 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
6214 goto exit;
6215 }
6216
6217 ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen);
6218 if (ret != 0) {
6219 goto exit;
6220 }
6221 ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb);
6222 if (ret != 0) {
6223 goto exit;
6224 }
6225 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6226 if (ret != 0) {
6227 goto exit;
6228 }
6229
6230 for (i = 0; i < dlen; i += md_len) {
6231 ret = mbedtls_md_hmac_reset(&md_ctx);
6232 if (ret != 0) {
6233 goto exit;
6234 }
6235 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb);
6236 if (ret != 0) {
6237 goto exit;
6238 }
6239 ret = mbedtls_md_hmac_finish(&md_ctx, h_i);
6240 if (ret != 0) {
6241 goto exit;
6242 }
6243
6244 ret = mbedtls_md_hmac_reset(&md_ctx);
6245 if (ret != 0) {
6246 goto exit;
6247 }
6248 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len);
6249 if (ret != 0) {
6250 goto exit;
6251 }
6252 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6253 if (ret != 0) {
6254 goto exit;
6255 }
6256
6257 k = (i + md_len > dlen) ? dlen % md_len : md_len;
6258
6259 for (j = 0; j < k; j++) {
6260 dstbuf[i + j] = h_i[j];
6261 }
6262 }
6263
6264 exit:
6265 mbedtls_md_free(&md_ctx);
6266
6267 if (tmp != NULL) {
6268 mbedtls_platform_zeroize(tmp, tmp_len);
6269 }
6270
6271 mbedtls_platform_zeroize(h_i, sizeof(h_i));
6272
6273 mbedtls_free(tmp);
6274
6275 return ret;
6276 }
6277 #endif /* MBEDTLS_MD_C && ( MBEDTLS_SHA256_C || MBEDTLS_SHA384_C ) */
6278 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6279
6280 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
6281 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha256(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6282 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
6283 const char *label,
6284 const unsigned char *random, size_t rlen,
6285 unsigned char *dstbuf, size_t dlen)
6286 {
6287 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
6288 label, random, rlen, dstbuf, dlen);
6289 }
6290 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
6291
6292 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
6293 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha384(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6294 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
6295 const char *label,
6296 const unsigned char *random, size_t rlen,
6297 unsigned char *dstbuf, size_t dlen)
6298 {
6299 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
6300 label, random, rlen, dstbuf, dlen);
6301 }
6302 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
6303
6304 /*
6305 * Set appropriate PRF function and other SSL / TLS1.2 functions
6306 *
6307 * Inputs:
6308 * - hash associated with the ciphersuite (only used by TLS 1.2)
6309 *
6310 * Outputs:
6311 * - the tls_prf, calc_verify and calc_finished members of handshake structure
6312 */
6313 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_set_handshake_prfs(mbedtls_ssl_handshake_params * handshake,mbedtls_md_type_t hash)6314 static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
6315 mbedtls_md_type_t hash)
6316 {
6317 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
6318 if (hash == MBEDTLS_MD_SHA384) {
6319 handshake->tls_prf = tls_prf_sha384;
6320 handshake->calc_verify = ssl_calc_verify_tls_sha384;
6321 handshake->calc_finished = ssl_calc_finished_tls_sha384;
6322 } else
6323 #endif
6324 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
6325 {
6326 (void) hash;
6327 handshake->tls_prf = tls_prf_sha256;
6328 handshake->calc_verify = ssl_calc_verify_tls_sha256;
6329 handshake->calc_finished = ssl_calc_finished_tls_sha256;
6330 }
6331 #else
6332 {
6333 (void) handshake;
6334 (void) hash;
6335 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6336 }
6337 #endif
6338
6339 return 0;
6340 }
6341
6342 /*
6343 * Compute master secret if needed
6344 *
6345 * Parameters:
6346 * [in/out] handshake
6347 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
6348 * (PSA-PSK) ciphersuite_info, psk_opaque
6349 * [out] premaster (cleared)
6350 * [out] master
6351 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
6352 * debug: conf->f_dbg, conf->p_dbg
6353 * EMS: passed to calc_verify (debug + session_negotiate)
6354 * PSA-PSA: conf
6355 */
6356 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_compute_master(mbedtls_ssl_handshake_params * handshake,unsigned char * master,const mbedtls_ssl_context * ssl)6357 static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
6358 unsigned char *master,
6359 const mbedtls_ssl_context *ssl)
6360 {
6361 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6362
6363 /* cf. RFC 5246, Section 8.1:
6364 * "The master secret is always exactly 48 bytes in length." */
6365 size_t const master_secret_len = 48;
6366
6367 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6368 unsigned char session_hash[48];
6369 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
6370
6371 /* The label for the KDF used for key expansion.
6372 * This is either "master secret" or "extended master secret"
6373 * depending on whether the Extended Master Secret extension
6374 * is used. */
6375 char const *lbl = "master secret";
6376
6377 /* The seed for the KDF used for key expansion.
6378 * - If the Extended Master Secret extension is not used,
6379 * this is ClientHello.Random + ServerHello.Random
6380 * (see Sect. 8.1 in RFC 5246).
6381 * - If the Extended Master Secret extension is used,
6382 * this is the transcript of the handshake so far.
6383 * (see Sect. 4 in RFC 7627). */
6384 unsigned char const *seed = handshake->randbytes;
6385 size_t seed_len = 64;
6386
6387 #if !defined(MBEDTLS_DEBUG_C) && \
6388 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
6389 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
6390 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
6391 ssl = NULL; /* make sure we don't use it except for those cases */
6392 (void) ssl;
6393 #endif
6394
6395 if (handshake->resume != 0) {
6396 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
6397 return 0;
6398 }
6399
6400 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6401 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
6402 lbl = "extended master secret";
6403 seed = session_hash;
6404 ret = handshake->calc_verify(ssl, session_hash, &seed_len);
6405 if (ret != 0) {
6406 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
6407 }
6408
6409 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
6410 session_hash, seed_len);
6411 }
6412 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
6413
6414 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
6415 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
6416 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) {
6417 /* Perform PSK-to-MS expansion in a single step. */
6418 psa_status_t status;
6419 psa_algorithm_t alg;
6420 mbedtls_svc_key_id_t psk;
6421 psa_key_derivation_operation_t derivation =
6422 PSA_KEY_DERIVATION_OPERATION_INIT;
6423 mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
6424
6425 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
6426
6427 psk = mbedtls_ssl_get_opaque_psk(ssl);
6428
6429 if (hash_alg == MBEDTLS_MD_SHA384) {
6430 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
6431 } else {
6432 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
6433 }
6434
6435 size_t other_secret_len = 0;
6436 unsigned char *other_secret = NULL;
6437
6438 switch (handshake->ciphersuite_info->key_exchange) {
6439 /* Provide other secret.
6440 * Other secret is stored in premaster, where first 2 bytes hold the
6441 * length of the other key.
6442 */
6443 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
6444 /* For RSA-PSK other key length is always 48 bytes. */
6445 other_secret_len = 48;
6446 other_secret = handshake->premaster + 2;
6447 break;
6448 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
6449 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
6450 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
6451 other_secret = handshake->premaster + 2;
6452 break;
6453 default:
6454 break;
6455 }
6456
6457 status = setup_psa_key_derivation(&derivation, psk, alg,
6458 ssl->conf->psk, ssl->conf->psk_len,
6459 seed, seed_len,
6460 (unsigned char const *) lbl,
6461 (size_t) strlen(lbl),
6462 other_secret, other_secret_len,
6463 master_secret_len);
6464 if (status != PSA_SUCCESS) {
6465 psa_key_derivation_abort(&derivation);
6466 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6467 }
6468
6469 status = psa_key_derivation_output_bytes(&derivation,
6470 master,
6471 master_secret_len);
6472 if (status != PSA_SUCCESS) {
6473 psa_key_derivation_abort(&derivation);
6474 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6475 }
6476
6477 status = psa_key_derivation_abort(&derivation);
6478 if (status != PSA_SUCCESS) {
6479 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6480 }
6481 } else
6482 #endif
6483 {
6484 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
6485 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
6486 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
6487 psa_status_t status;
6488 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
6489 psa_key_derivation_operation_t derivation =
6490 PSA_KEY_DERIVATION_OPERATION_INIT;
6491
6492 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE"));
6493
6494 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
6495
6496 status = psa_key_derivation_setup(&derivation, alg);
6497 if (status != PSA_SUCCESS) {
6498 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6499 }
6500
6501 status = psa_key_derivation_set_capacity(&derivation,
6502 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
6503 if (status != PSA_SUCCESS) {
6504 psa_key_derivation_abort(&derivation);
6505 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6506 }
6507
6508 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx,
6509 &derivation);
6510 if (status != PSA_SUCCESS) {
6511 psa_key_derivation_abort(&derivation);
6512 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6513 }
6514
6515 status = psa_key_derivation_output_bytes(&derivation,
6516 handshake->premaster,
6517 handshake->pmslen);
6518 if (status != PSA_SUCCESS) {
6519 psa_key_derivation_abort(&derivation);
6520 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6521 }
6522
6523 status = psa_key_derivation_abort(&derivation);
6524 if (status != PSA_SUCCESS) {
6525 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6526 }
6527 }
6528 #endif
6529 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
6530 lbl, seed, seed_len,
6531 master,
6532 master_secret_len);
6533 if (ret != 0) {
6534 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
6535 return ret;
6536 }
6537
6538 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
6539 handshake->premaster,
6540 handshake->pmslen);
6541
6542 mbedtls_platform_zeroize(handshake->premaster,
6543 sizeof(handshake->premaster));
6544 }
6545
6546 return 0;
6547 }
6548
mbedtls_ssl_derive_keys(mbedtls_ssl_context * ssl)6549 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
6550 {
6551 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6552 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
6553 ssl->handshake->ciphersuite_info;
6554
6555 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
6556
6557 /* Set PRF, calc_verify and calc_finished function pointers */
6558 ret = ssl_set_handshake_prfs(ssl->handshake,
6559 ciphersuite_info->mac);
6560 if (ret != 0) {
6561 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
6562 return ret;
6563 }
6564
6565 /* Compute master secret if needed */
6566 ret = ssl_compute_master(ssl->handshake,
6567 ssl->session_negotiate->master,
6568 ssl);
6569 if (ret != 0) {
6570 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
6571 return ret;
6572 }
6573
6574 /* Swap the client and server random values:
6575 * - MS derivation wanted client+server (RFC 5246 8.1)
6576 * - key derivation wants server+client (RFC 5246 6.3) */
6577 {
6578 unsigned char tmp[64];
6579 memcpy(tmp, ssl->handshake->randbytes, 64);
6580 memcpy(ssl->handshake->randbytes, tmp + 32, 32);
6581 memcpy(ssl->handshake->randbytes + 32, tmp, 32);
6582 mbedtls_platform_zeroize(tmp, sizeof(tmp));
6583 }
6584
6585 /* Populate transform structure */
6586 ret = ssl_tls12_populate_transform(ssl->transform_negotiate,
6587 ssl->session_negotiate->ciphersuite,
6588 ssl->session_negotiate->master,
6589 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
6590 ssl->session_negotiate->encrypt_then_mac,
6591 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
6592 ssl->handshake->tls_prf,
6593 ssl->handshake->randbytes,
6594 ssl->tls_version,
6595 ssl->conf->endpoint,
6596 ssl);
6597 if (ret != 0) {
6598 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret);
6599 return ret;
6600 }
6601
6602 /* We no longer need Server/ClientHello.random values */
6603 mbedtls_platform_zeroize(ssl->handshake->randbytes,
6604 sizeof(ssl->handshake->randbytes));
6605
6606 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
6607
6608 return 0;
6609 }
6610
mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context * ssl,int md)6611 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
6612 {
6613 switch (md) {
6614 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
6615 case MBEDTLS_SSL_HASH_SHA384:
6616 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
6617 break;
6618 #endif
6619 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
6620 case MBEDTLS_SSL_HASH_SHA256:
6621 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
6622 break;
6623 #endif
6624 default:
6625 return -1;
6626 }
6627 #if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
6628 !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
6629 (void) ssl;
6630 #endif
6631 return 0;
6632 }
6633
6634 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
ssl_calc_verify_tls_sha256(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)6635 int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
6636 unsigned char *hash,
6637 size_t *hlen)
6638 {
6639 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6640 size_t hash_size;
6641 psa_status_t status;
6642 psa_hash_operation_t sha256_psa = psa_hash_operation_init();
6643
6644 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha256"));
6645 status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
6646 if (status != PSA_SUCCESS) {
6647 goto exit;
6648 }
6649
6650 status = psa_hash_finish(&sha256_psa, hash, 32, &hash_size);
6651 if (status != PSA_SUCCESS) {
6652 goto exit;
6653 }
6654
6655 *hlen = 32;
6656 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
6657 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
6658
6659 exit:
6660 psa_hash_abort(&sha256_psa);
6661 return PSA_TO_MD_ERR(status);
6662 #else
6663 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6664 mbedtls_md_context_t sha256;
6665
6666 mbedtls_md_init(&sha256);
6667
6668 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha256"));
6669
6670 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
6671 if (ret != 0) {
6672 goto exit;
6673 }
6674 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
6675 if (ret != 0) {
6676 goto exit;
6677 }
6678
6679 ret = mbedtls_md_finish(&sha256, hash);
6680 if (ret != 0) {
6681 goto exit;
6682 }
6683
6684 *hlen = 32;
6685
6686 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
6687 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
6688
6689 exit:
6690 mbedtls_md_free(&sha256);
6691 return ret;
6692 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6693 }
6694 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
6695
6696 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
ssl_calc_verify_tls_sha384(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)6697 int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
6698 unsigned char *hash,
6699 size_t *hlen)
6700 {
6701 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6702 size_t hash_size;
6703 psa_status_t status;
6704 psa_hash_operation_t sha384_psa = psa_hash_operation_init();
6705
6706 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha384"));
6707 status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
6708 if (status != PSA_SUCCESS) {
6709 goto exit;
6710 }
6711
6712 status = psa_hash_finish(&sha384_psa, hash, 48, &hash_size);
6713 if (status != PSA_SUCCESS) {
6714 goto exit;
6715 }
6716
6717 *hlen = 48;
6718 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
6719 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
6720
6721 exit:
6722 psa_hash_abort(&sha384_psa);
6723 return PSA_TO_MD_ERR(status);
6724 #else
6725 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6726 mbedtls_md_context_t sha384;
6727
6728 mbedtls_md_init(&sha384);
6729
6730 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha384"));
6731
6732 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
6733 if (ret != 0) {
6734 goto exit;
6735 }
6736 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
6737 if (ret != 0) {
6738 goto exit;
6739 }
6740
6741 ret = mbedtls_md_finish(&sha384, hash);
6742 if (ret != 0) {
6743 goto exit;
6744 }
6745
6746 *hlen = 48;
6747
6748 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
6749 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
6750
6751 exit:
6752 mbedtls_md_free(&sha384);
6753 return ret;
6754 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6755 }
6756 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
6757
6758 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
6759 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context * ssl,mbedtls_key_exchange_type_t key_ex)6760 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex)
6761 {
6762 unsigned char *p = ssl->handshake->premaster;
6763 unsigned char *end = p + sizeof(ssl->handshake->premaster);
6764 const unsigned char *psk = NULL;
6765 size_t psk_len = 0;
6766 int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len);
6767
6768 if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) {
6769 /*
6770 * This should never happen because the existence of a PSK is always
6771 * checked before calling this function.
6772 *
6773 * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with
6774 * the shared secret without PSK.
6775 */
6776 if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
6777 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6778 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6779 }
6780 }
6781
6782 /*
6783 * PMS = struct {
6784 * opaque other_secret<0..2^16-1>;
6785 * opaque psk<0..2^16-1>;
6786 * };
6787 * with "other_secret" depending on the particular key exchange
6788 */
6789 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
6790 if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) {
6791 if (end - p < 2) {
6792 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
6793 }
6794
6795 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
6796 p += 2;
6797
6798 if (end < p || (size_t) (end - p) < psk_len) {
6799 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
6800 }
6801
6802 memset(p, 0, psk_len);
6803 p += psk_len;
6804 } else
6805 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
6806 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
6807 if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
6808 /*
6809 * other_secret already set by the ClientKeyExchange message,
6810 * and is 48 bytes long
6811 */
6812 if (end - p < 2) {
6813 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
6814 }
6815
6816 *p++ = 0;
6817 *p++ = 48;
6818 p += 48;
6819 } else
6820 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
6821 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
6822 if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
6823 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6824 size_t len;
6825
6826 /* Write length only when we know the actual value */
6827 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
6828 p + 2, end - (p + 2), &len,
6829 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
6830 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
6831 return ret;
6832 }
6833 MBEDTLS_PUT_UINT16_BE(len, p, 0);
6834 p += 2 + len;
6835
6836 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
6837 } else
6838 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
6839 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
6840 if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
6841 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6842 size_t zlen;
6843
6844 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen,
6845 p + 2, end - (p + 2),
6846 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
6847 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
6848 return ret;
6849 }
6850
6851 MBEDTLS_PUT_UINT16_BE(zlen, p, 0);
6852 p += 2 + zlen;
6853
6854 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
6855 MBEDTLS_DEBUG_ECDH_Z);
6856 } else
6857 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
6858 {
6859 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6860 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6861 }
6862
6863 /* opaque psk<0..2^16-1>; */
6864 if (end - p < 2) {
6865 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
6866 }
6867
6868 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
6869 p += 2;
6870
6871 if (end < p || (size_t) (end - p) < psk_len) {
6872 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
6873 }
6874
6875 memcpy(p, psk, psk_len);
6876 p += psk_len;
6877
6878 ssl->handshake->pmslen = p - ssl->handshake->premaster;
6879
6880 return 0;
6881 }
6882 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
6883
6884 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
6885 MBEDTLS_CHECK_RETURN_CRITICAL
6886 static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
6887
6888 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_resend_hello_request(mbedtls_ssl_context * ssl)6889 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl)
6890 {
6891 /* If renegotiation is not enforced, retransmit until we would reach max
6892 * timeout if we were using the usual handshake doubling scheme */
6893 if (ssl->conf->renego_max_records < 0) {
6894 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
6895 unsigned char doublings = 1;
6896
6897 while (ratio != 0) {
6898 ++doublings;
6899 ratio >>= 1;
6900 }
6901
6902 if (++ssl->renego_records_seen > doublings) {
6903 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
6904 return 0;
6905 }
6906 }
6907
6908 return ssl_write_hello_request(ssl);
6909 }
6910 #endif
6911 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
6912
6913 /*
6914 * Handshake functions
6915 */
6916 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
6917 /* No certificate support -> dummy functions */
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)6918 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
6919 {
6920 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6921 ssl->handshake->ciphersuite_info;
6922
6923 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
6924
6925 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6926 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
6927 ssl->state++;
6928 return 0;
6929 }
6930
6931 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6932 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6933 }
6934
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)6935 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
6936 {
6937 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6938 ssl->handshake->ciphersuite_info;
6939
6940 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
6941
6942 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6943 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
6944 ssl->state++;
6945 return 0;
6946 }
6947
6948 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
6949 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6950 }
6951
6952 #else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
6953 /* Some certificate support -> implement write and parse */
6954
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)6955 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
6956 {
6957 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
6958 size_t i, n;
6959 const mbedtls_x509_crt *crt;
6960 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
6961 ssl->handshake->ciphersuite_info;
6962
6963 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
6964
6965 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
6966 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
6967 ssl->state++;
6968 return 0;
6969 }
6970
6971 #if defined(MBEDTLS_SSL_CLI_C)
6972 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
6973 if (ssl->handshake->client_auth == 0) {
6974 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
6975 ssl->state++;
6976 return 0;
6977 }
6978 }
6979 #endif /* MBEDTLS_SSL_CLI_C */
6980 #if defined(MBEDTLS_SSL_SRV_C)
6981 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
6982 if (mbedtls_ssl_own_cert(ssl) == NULL) {
6983 /* Should never happen because we shouldn't have picked the
6984 * ciphersuite if we don't have a certificate. */
6985 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6986 }
6987 }
6988 #endif
6989
6990 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
6991
6992 /*
6993 * 0 . 0 handshake type
6994 * 1 . 3 handshake length
6995 * 4 . 6 length of all certs
6996 * 7 . 9 length of cert. 1
6997 * 10 . n-1 peer certificate
6998 * n . n+2 length of cert. 2
6999 * n+3 . ... upper level cert, etc.
7000 */
7001 i = 7;
7002 crt = mbedtls_ssl_own_cert(ssl);
7003
7004 while (crt != NULL) {
7005 n = crt->raw.len;
7006 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
7007 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
7008 " > %" MBEDTLS_PRINTF_SIZET,
7009 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
7010 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
7011 }
7012
7013 ssl->out_msg[i] = MBEDTLS_BYTE_2(n);
7014 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n);
7015 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n);
7016
7017 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n);
7018 i += n; crt = crt->next;
7019 }
7020
7021 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7);
7022 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7);
7023 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7);
7024
7025 ssl->out_msglen = i;
7026 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7027 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
7028
7029 ssl->state++;
7030
7031 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
7032 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
7033 return ret;
7034 }
7035
7036 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
7037
7038 return ret;
7039 }
7040
7041 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7042
7043 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7044 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)7045 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7046 unsigned char *crt_buf,
7047 size_t crt_buf_len)
7048 {
7049 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
7050
7051 if (peer_crt == NULL) {
7052 return -1;
7053 }
7054
7055 if (peer_crt->raw.len != crt_buf_len) {
7056 return -1;
7057 }
7058
7059 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len);
7060 }
7061 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7062 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)7063 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7064 unsigned char *crt_buf,
7065 size_t crt_buf_len)
7066 {
7067 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7068 unsigned char const * const peer_cert_digest =
7069 ssl->session->peer_cert_digest;
7070 mbedtls_md_type_t const peer_cert_digest_type =
7071 ssl->session->peer_cert_digest_type;
7072 mbedtls_md_info_t const * const digest_info =
7073 mbedtls_md_info_from_type(peer_cert_digest_type);
7074 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
7075 size_t digest_len;
7076
7077 if (peer_cert_digest == NULL || digest_info == NULL) {
7078 return -1;
7079 }
7080
7081 digest_len = mbedtls_md_get_size(digest_info);
7082 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) {
7083 return -1;
7084 }
7085
7086 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
7087 if (ret != 0) {
7088 return -1;
7089 }
7090
7091 return memcmp(tmp_digest, peer_cert_digest, digest_len);
7092 }
7093 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7094 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7095
7096 /*
7097 * Once the certificate message is read, parse it into a cert chain and
7098 * perform basic checks, but leave actual verification to the caller
7099 */
7100 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * chain)7101 static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
7102 mbedtls_x509_crt *chain)
7103 {
7104 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7105 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7106 int crt_cnt = 0;
7107 #endif
7108 size_t i, n;
7109 uint8_t alert;
7110
7111 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
7112 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7113 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7114 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7115 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7116 }
7117
7118 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) {
7119 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7120 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7121 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7122 }
7123
7124 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
7125 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7126 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7127 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7128 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7129 }
7130
7131 i = mbedtls_ssl_hs_hdr_len(ssl);
7132
7133 /*
7134 * Same message structure as in mbedtls_ssl_write_certificate()
7135 */
7136 n = (ssl->in_msg[i+1] << 8) | ssl->in_msg[i+2];
7137
7138 if (ssl->in_msg[i] != 0 ||
7139 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
7140 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7141 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7142 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7143 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7144 }
7145
7146 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
7147 i += 3;
7148
7149 /* Iterate through and parse the CRTs in the provided chain. */
7150 while (i < ssl->in_hslen) {
7151 /* Check that there's room for the next CRT's length fields. */
7152 if (i + 3 > ssl->in_hslen) {
7153 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7154 mbedtls_ssl_send_alert_message(ssl,
7155 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7156 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7157 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7158 }
7159 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
7160 * anything beyond 2**16 ~ 64K. */
7161 if (ssl->in_msg[i] != 0) {
7162 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7163 mbedtls_ssl_send_alert_message(ssl,
7164 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7165 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
7166 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7167 }
7168
7169 /* Read length of the next CRT in the chain. */
7170 n = ((unsigned int) ssl->in_msg[i + 1] << 8)
7171 | (unsigned int) ssl->in_msg[i + 2];
7172 i += 3;
7173
7174 if (n < 128 || i + n > ssl->in_hslen) {
7175 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7176 mbedtls_ssl_send_alert_message(ssl,
7177 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7178 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7179 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7180 }
7181
7182 /* Check if we're handling the first CRT in the chain. */
7183 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7184 if (crt_cnt++ == 0 &&
7185 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
7186 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
7187 /* During client-side renegotiation, check that the server's
7188 * end-CRTs hasn't changed compared to the initial handshake,
7189 * mitigating the triple handshake attack. On success, reuse
7190 * the original end-CRT instead of parsing it again. */
7191 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
7192 if (ssl_check_peer_crt_unchanged(ssl,
7193 &ssl->in_msg[i],
7194 n) != 0) {
7195 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
7196 mbedtls_ssl_send_alert_message(ssl,
7197 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7198 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
7199 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7200 }
7201
7202 /* Now we can safely free the original chain. */
7203 ssl_clear_peer_cert(ssl->session);
7204 }
7205 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7206
7207 /* Parse the next certificate in the chain. */
7208 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7209 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
7210 #else
7211 /* If we don't need to store the CRT chain permanently, parse
7212 * it in-place from the input buffer instead of making a copy. */
7213 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
7214 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7215 switch (ret) {
7216 case 0: /*ok*/
7217 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
7218 /* Ignore certificate with an unknown algorithm: maybe a
7219 prior certificate was already trusted. */
7220 break;
7221
7222 case MBEDTLS_ERR_X509_ALLOC_FAILED:
7223 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
7224 goto crt_parse_der_failed;
7225
7226 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
7227 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7228 goto crt_parse_der_failed;
7229
7230 default:
7231 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
7232 crt_parse_der_failed:
7233 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
7234 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
7235 return ret;
7236 }
7237
7238 i += n;
7239 }
7240
7241 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
7242 return 0;
7243 }
7244
7245 #if defined(MBEDTLS_SSL_SRV_C)
7246 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context * ssl)7247 static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl)
7248 {
7249 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7250 return -1;
7251 }
7252
7253 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
7254 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
7255 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
7256 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
7257 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
7258 return 0;
7259 }
7260 return -1;
7261 }
7262 #endif /* MBEDTLS_SSL_SRV_C */
7263
7264 /* Check if a certificate message is expected.
7265 * Return either
7266 * - SSL_CERTIFICATE_EXPECTED, or
7267 * - SSL_CERTIFICATE_SKIP
7268 * indicating whether a Certificate message is expected or not.
7269 */
7270 #define SSL_CERTIFICATE_EXPECTED 0
7271 #define SSL_CERTIFICATE_SKIP 1
7272 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_coordinate(mbedtls_ssl_context * ssl,int authmode)7273 static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
7274 int authmode)
7275 {
7276 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7277 ssl->handshake->ciphersuite_info;
7278
7279 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7280 return SSL_CERTIFICATE_SKIP;
7281 }
7282
7283 #if defined(MBEDTLS_SSL_SRV_C)
7284 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7285 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7286 return SSL_CERTIFICATE_SKIP;
7287 }
7288
7289 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
7290 ssl->session_negotiate->verify_result =
7291 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
7292 return SSL_CERTIFICATE_SKIP;
7293 }
7294 }
7295 #else
7296 ((void) authmode);
7297 #endif /* MBEDTLS_SSL_SRV_C */
7298
7299 return SSL_CERTIFICATE_EXPECTED;
7300 }
7301
7302 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_verify(mbedtls_ssl_context * ssl,int authmode,mbedtls_x509_crt * chain,void * rs_ctx)7303 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
7304 int authmode,
7305 mbedtls_x509_crt *chain,
7306 void *rs_ctx)
7307 {
7308 int ret = 0;
7309 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7310 ssl->handshake->ciphersuite_info;
7311 int have_ca_chain = 0;
7312
7313 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
7314 void *p_vrfy;
7315
7316 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
7317 return 0;
7318 }
7319
7320 if (ssl->f_vrfy != NULL) {
7321 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
7322 f_vrfy = ssl->f_vrfy;
7323 p_vrfy = ssl->p_vrfy;
7324 } else {
7325 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
7326 f_vrfy = ssl->conf->f_vrfy;
7327 p_vrfy = ssl->conf->p_vrfy;
7328 }
7329
7330 /*
7331 * Main check: verify certificate
7332 */
7333 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
7334 if (ssl->conf->f_ca_cb != NULL) {
7335 ((void) rs_ctx);
7336 have_ca_chain = 1;
7337
7338 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
7339 ret = mbedtls_x509_crt_verify_with_ca_cb(
7340 chain,
7341 ssl->conf->f_ca_cb,
7342 ssl->conf->p_ca_cb,
7343 ssl->conf->cert_profile,
7344 ssl->hostname,
7345 &ssl->session_negotiate->verify_result,
7346 f_vrfy, p_vrfy);
7347 } else
7348 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
7349 {
7350 mbedtls_x509_crt *ca_chain;
7351 mbedtls_x509_crl *ca_crl;
7352
7353 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7354 if (ssl->handshake->sni_ca_chain != NULL) {
7355 ca_chain = ssl->handshake->sni_ca_chain;
7356 ca_crl = ssl->handshake->sni_ca_crl;
7357 } else
7358 #endif
7359 {
7360 ca_chain = ssl->conf->ca_chain;
7361 ca_crl = ssl->conf->ca_crl;
7362 }
7363
7364 if (ca_chain != NULL) {
7365 have_ca_chain = 1;
7366 }
7367
7368 ret = mbedtls_x509_crt_verify_restartable(
7369 chain,
7370 ca_chain, ca_crl,
7371 ssl->conf->cert_profile,
7372 ssl->hostname,
7373 &ssl->session_negotiate->verify_result,
7374 f_vrfy, p_vrfy, rs_ctx);
7375 }
7376
7377 if (ret != 0) {
7378 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
7379 }
7380
7381 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7382 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
7383 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
7384 }
7385 #endif
7386
7387 /*
7388 * Secondary checks: always done, but change 'ret' only if it was 0
7389 */
7390
7391 #if defined(MBEDTLS_ECP_C)
7392 {
7393 const mbedtls_pk_context *pk = &chain->pk;
7394
7395 /* If certificate uses an EC key, make sure the curve is OK.
7396 * This is a public key, so it can't be opaque, so can_do() is a good
7397 * enough check to ensure pk_ec() is safe to use here. */
7398 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) {
7399 /* and in the unlikely case the above assumption no longer holds
7400 * we are making sure that pk_ec() here does not return a NULL
7401 */
7402 const mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk);
7403 if (ec == NULL) {
7404 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_pk_ec() returned NULL"));
7405 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7406 }
7407
7408 if (mbedtls_ssl_check_curve(ssl, ec->grp.id) != 0) {
7409 ssl->session_negotiate->verify_result |=
7410 MBEDTLS_X509_BADCERT_BAD_KEY;
7411
7412 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
7413 if (ret == 0) {
7414 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7415 }
7416 }
7417 }
7418 }
7419 #endif /* MBEDTLS_ECP_C */
7420
7421 if (mbedtls_ssl_check_cert_usage(chain,
7422 ciphersuite_info,
7423 !ssl->conf->endpoint,
7424 &ssl->session_negotiate->verify_result) != 0) {
7425 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
7426 if (ret == 0) {
7427 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7428 }
7429 }
7430
7431 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
7432 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
7433 * with details encoded in the verification flags. All other kinds
7434 * of error codes, including those from the user provided f_vrfy
7435 * functions, are treated as fatal and lead to a failure of
7436 * ssl_parse_certificate even if verification was optional. */
7437 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
7438 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
7439 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
7440 ret = 0;
7441 }
7442
7443 if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
7444 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
7445 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
7446 }
7447
7448 if (ret != 0) {
7449 uint8_t alert;
7450
7451 /* The certificate may have been rejected for several reasons.
7452 Pick one and send the corresponding alert. Which alert to send
7453 may be a subject of debate in some cases. */
7454 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
7455 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
7456 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
7457 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
7458 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
7459 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7460 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
7461 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7462 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE) {
7463 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7464 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
7465 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7466 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
7467 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7468 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
7469 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
7470 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
7471 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
7472 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
7473 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
7474 } else {
7475 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
7476 }
7477 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7478 alert);
7479 }
7480
7481 #if defined(MBEDTLS_DEBUG_C)
7482 if (ssl->session_negotiate->verify_result != 0) {
7483 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
7484 (unsigned int) ssl->session_negotiate->verify_result));
7485 } else {
7486 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
7487 }
7488 #endif /* MBEDTLS_DEBUG_C */
7489
7490 return ret;
7491 }
7492
7493 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7494 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_crt_digest(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7495 static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
7496 unsigned char *start, size_t len)
7497 {
7498 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7499 /* Remember digest of the peer's end-CRT. */
7500 ssl->session_negotiate->peer_cert_digest =
7501 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
7502 if (ssl->session_negotiate->peer_cert_digest == NULL) {
7503 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
7504 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
7505 mbedtls_ssl_send_alert_message(ssl,
7506 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7507 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
7508
7509 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
7510 }
7511
7512 ret = mbedtls_md(mbedtls_md_info_from_type(
7513 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
7514 start, len,
7515 ssl->session_negotiate->peer_cert_digest);
7516
7517 ssl->session_negotiate->peer_cert_digest_type =
7518 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
7519 ssl->session_negotiate->peer_cert_digest_len =
7520 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
7521
7522 return ret;
7523 }
7524
7525 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_pubkey(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7526 static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
7527 unsigned char *start, size_t len)
7528 {
7529 unsigned char *end = start + len;
7530 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7531
7532 /* Make a copy of the peer's raw public key. */
7533 mbedtls_pk_init(&ssl->handshake->peer_pubkey);
7534 ret = mbedtls_pk_parse_subpubkey(&start, end,
7535 &ssl->handshake->peer_pubkey);
7536 if (ret != 0) {
7537 /* We should have parsed the public key before. */
7538 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7539 }
7540
7541 return 0;
7542 }
7543 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7544
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)7545 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
7546 {
7547 int ret = 0;
7548 int crt_expected;
7549 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7550 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
7551 ? ssl->handshake->sni_authmode
7552 : ssl->conf->authmode;
7553 #else
7554 const int authmode = ssl->conf->authmode;
7555 #endif
7556 void *rs_ctx = NULL;
7557 mbedtls_x509_crt *chain = NULL;
7558
7559 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
7560
7561 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
7562 if (crt_expected == SSL_CERTIFICATE_SKIP) {
7563 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
7564 goto exit;
7565 }
7566
7567 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7568 if (ssl->handshake->ecrs_enabled &&
7569 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
7570 chain = ssl->handshake->ecrs_peer_cert;
7571 ssl->handshake->ecrs_peer_cert = NULL;
7572 goto crt_verify;
7573 }
7574 #endif
7575
7576 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
7577 /* mbedtls_ssl_read_record may have sent an alert already. We
7578 let it decide whether to alert. */
7579 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
7580 goto exit;
7581 }
7582
7583 #if defined(MBEDTLS_SSL_SRV_C)
7584 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
7585 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
7586
7587 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) {
7588 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
7589 }
7590
7591 goto exit;
7592 }
7593 #endif /* MBEDTLS_SSL_SRV_C */
7594
7595 /* Clear existing peer CRT structure in case we tried to
7596 * reuse a session but it failed, and allocate a new one. */
7597 ssl_clear_peer_cert(ssl->session_negotiate);
7598
7599 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
7600 if (chain == NULL) {
7601 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
7602 sizeof(mbedtls_x509_crt)));
7603 mbedtls_ssl_send_alert_message(ssl,
7604 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7605 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
7606
7607 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
7608 goto exit;
7609 }
7610 mbedtls_x509_crt_init(chain);
7611
7612 ret = ssl_parse_certificate_chain(ssl, chain);
7613 if (ret != 0) {
7614 goto exit;
7615 }
7616
7617 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7618 if (ssl->handshake->ecrs_enabled) {
7619 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
7620 }
7621
7622 crt_verify:
7623 if (ssl->handshake->ecrs_enabled) {
7624 rs_ctx = &ssl->handshake->ecrs_ctx;
7625 }
7626 #endif
7627
7628 ret = ssl_parse_certificate_verify(ssl, authmode,
7629 chain, rs_ctx);
7630 if (ret != 0) {
7631 goto exit;
7632 }
7633
7634 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7635 {
7636 unsigned char *crt_start, *pk_start;
7637 size_t crt_len, pk_len;
7638
7639 /* We parse the CRT chain without copying, so
7640 * these pointers point into the input buffer,
7641 * and are hence still valid after freeing the
7642 * CRT chain. */
7643
7644 crt_start = chain->raw.p;
7645 crt_len = chain->raw.len;
7646
7647 pk_start = chain->pk_raw.p;
7648 pk_len = chain->pk_raw.len;
7649
7650 /* Free the CRT structures before computing
7651 * digest and copying the peer's public key. */
7652 mbedtls_x509_crt_free(chain);
7653 mbedtls_free(chain);
7654 chain = NULL;
7655
7656 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
7657 if (ret != 0) {
7658 goto exit;
7659 }
7660
7661 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
7662 if (ret != 0) {
7663 goto exit;
7664 }
7665 }
7666 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7667 /* Pass ownership to session structure. */
7668 ssl->session_negotiate->peer_cert = chain;
7669 chain = NULL;
7670 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7671
7672 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
7673
7674 exit:
7675
7676 if (ret == 0) {
7677 ssl->state++;
7678 }
7679
7680 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7681 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
7682 ssl->handshake->ecrs_peer_cert = chain;
7683 chain = NULL;
7684 }
7685 #endif
7686
7687 if (chain != NULL) {
7688 mbedtls_x509_crt_free(chain);
7689 mbedtls_free(chain);
7690 }
7691
7692 return ret;
7693 }
7694 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
7695
7696 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
ssl_calc_finished_tls_sha256(mbedtls_ssl_context * ssl,unsigned char * buf,int from)7697 static int ssl_calc_finished_tls_sha256(
7698 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
7699 {
7700 int len = 12;
7701 const char *sender;
7702 unsigned char padbuf[32];
7703 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7704 size_t hash_size;
7705 psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
7706 psa_status_t status;
7707 #else
7708 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7709 mbedtls_md_context_t sha256;
7710 #endif
7711
7712 mbedtls_ssl_session *session = ssl->session_negotiate;
7713 if (!session) {
7714 session = ssl->session;
7715 }
7716
7717 sender = (from == MBEDTLS_SSL_IS_CLIENT)
7718 ? "client finished"
7719 : "server finished";
7720
7721 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7722 sha256_psa = psa_hash_operation_init();
7723
7724 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha256"));
7725
7726 status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
7727 if (status != PSA_SUCCESS) {
7728 goto exit;
7729 }
7730
7731 status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size);
7732 if (status != PSA_SUCCESS) {
7733 goto exit;
7734 }
7735 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32);
7736 #else
7737
7738 mbedtls_md_init(&sha256);
7739
7740 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha256"));
7741
7742 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
7743 if (ret != 0) {
7744 goto exit;
7745 }
7746 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
7747 if (ret != 0) {
7748 goto exit;
7749 }
7750
7751 /*
7752 * TLSv1.2:
7753 * hash = PRF( master, finished_label,
7754 * Hash( handshake ) )[0.11]
7755 */
7756
7757 ret = mbedtls_md_finish(&sha256, padbuf);
7758 if (ret != 0) {
7759 goto exit;
7760 }
7761 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7762
7763 MBEDTLS_SSL_DEBUG_BUF(4, "finished sha256 output", padbuf, 32);
7764
7765 ssl->handshake->tls_prf(session->master, 48, sender,
7766 padbuf, 32, buf, len);
7767
7768 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
7769
7770 mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
7771
7772 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
7773
7774 exit:
7775 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7776 psa_hash_abort(&sha256_psa);
7777 return PSA_TO_MD_ERR(status);
7778 #else
7779 mbedtls_md_free(&sha256);
7780 return ret;
7781 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7782 }
7783 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
7784
7785
7786 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
ssl_calc_finished_tls_sha384(mbedtls_ssl_context * ssl,unsigned char * buf,int from)7787 static int ssl_calc_finished_tls_sha384(
7788 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
7789 {
7790 int len = 12;
7791 const char *sender;
7792 unsigned char padbuf[48];
7793 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7794 size_t hash_size;
7795 psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
7796 psa_status_t status;
7797 #else
7798 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7799 mbedtls_md_context_t sha384;
7800 #endif
7801
7802 mbedtls_ssl_session *session = ssl->session_negotiate;
7803 if (!session) {
7804 session = ssl->session;
7805 }
7806
7807 sender = (from == MBEDTLS_SSL_IS_CLIENT)
7808 ? "client finished"
7809 : "server finished";
7810
7811 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7812 sha384_psa = psa_hash_operation_init();
7813
7814 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha384"));
7815
7816 status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
7817 if (status != PSA_SUCCESS) {
7818 goto exit;
7819 }
7820
7821 status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size);
7822 if (status != PSA_SUCCESS) {
7823 goto exit;
7824 }
7825 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48);
7826 #else
7827 mbedtls_md_init(&sha384);
7828
7829 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha384"));
7830
7831 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
7832 if (ret != 0) {
7833 goto exit;
7834 }
7835 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
7836 if (ret != 0) {
7837 goto exit;
7838 }
7839
7840 /*
7841 * TLSv1.2:
7842 * hash = PRF( master, finished_label,
7843 * Hash( handshake ) )[0.11]
7844 */
7845
7846 ret = mbedtls_md_finish(&sha384, padbuf);
7847 if (ret != 0) {
7848 goto exit;
7849 }
7850 #endif
7851
7852 MBEDTLS_SSL_DEBUG_BUF(4, "finished sha384 output", padbuf, 48);
7853
7854 ssl->handshake->tls_prf(session->master, 48, sender,
7855 padbuf, 48, buf, len);
7856
7857 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
7858
7859 mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
7860
7861 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
7862
7863 exit:
7864 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7865 psa_hash_abort(&sha384_psa);
7866 return PSA_TO_MD_ERR(status);
7867 #else
7868 mbedtls_md_free(&sha384);
7869 return ret;
7870 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7871 }
7872 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
7873
mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context * ssl)7874 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
7875 {
7876 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
7877
7878 /*
7879 * Free our handshake params
7880 */
7881 mbedtls_ssl_handshake_free(ssl);
7882 mbedtls_free(ssl->handshake);
7883 ssl->handshake = NULL;
7884
7885 /*
7886 * Free the previous transform and switch in the current one
7887 */
7888 if (ssl->transform) {
7889 mbedtls_ssl_transform_free(ssl->transform);
7890 mbedtls_free(ssl->transform);
7891 }
7892 ssl->transform = ssl->transform_negotiate;
7893 ssl->transform_negotiate = NULL;
7894
7895 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
7896 }
7897
mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context * ssl)7898 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
7899 {
7900 int resume = ssl->handshake->resume;
7901
7902 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
7903
7904 #if defined(MBEDTLS_SSL_RENEGOTIATION)
7905 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
7906 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
7907 ssl->renego_records_seen = 0;
7908 }
7909 #endif
7910
7911 /*
7912 * Free the previous session and switch in the current one
7913 */
7914 if (ssl->session) {
7915 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
7916 /* RFC 7366 3.1: keep the EtM state */
7917 ssl->session_negotiate->encrypt_then_mac =
7918 ssl->session->encrypt_then_mac;
7919 #endif
7920
7921 mbedtls_ssl_session_free(ssl->session);
7922 mbedtls_free(ssl->session);
7923 }
7924 ssl->session = ssl->session_negotiate;
7925 ssl->session_negotiate = NULL;
7926
7927 /*
7928 * Add cache entry
7929 */
7930 if (ssl->conf->f_set_cache != NULL &&
7931 ssl->session->id_len != 0 &&
7932 resume == 0) {
7933 if (ssl->conf->f_set_cache(ssl->conf->p_cache,
7934 ssl->session->id,
7935 ssl->session->id_len,
7936 ssl->session) != 0) {
7937 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
7938 }
7939 }
7940
7941 #if defined(MBEDTLS_SSL_PROTO_DTLS)
7942 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
7943 ssl->handshake->flight != NULL) {
7944 /* Cancel handshake timer */
7945 mbedtls_ssl_set_timer(ssl, 0);
7946
7947 /* Keep last flight around in case we need to resend it:
7948 * we need the handshake and transform structures for that */
7949 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
7950 } else
7951 #endif
7952 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
7953
7954 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
7955
7956 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
7957 }
7958
mbedtls_ssl_write_finished(mbedtls_ssl_context * ssl)7959 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
7960 {
7961 int ret, hash_len;
7962
7963 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
7964
7965 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
7966
7967 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
7968 if (ret != 0) {
7969 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
7970 }
7971
7972 /*
7973 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
7974 * may define some other value. Currently (early 2016), no defined
7975 * ciphersuite does this (and this is unlikely to change as activity has
7976 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
7977 */
7978 hash_len = 12;
7979
7980 #if defined(MBEDTLS_SSL_RENEGOTIATION)
7981 ssl->verify_data_len = hash_len;
7982 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
7983 #endif
7984
7985 ssl->out_msglen = 4 + hash_len;
7986 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7987 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
7988
7989 /*
7990 * In case of session resuming, invert the client and server
7991 * ChangeCipherSpec messages order.
7992 */
7993 if (ssl->handshake->resume != 0) {
7994 #if defined(MBEDTLS_SSL_CLI_C)
7995 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7996 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
7997 }
7998 #endif
7999 #if defined(MBEDTLS_SSL_SRV_C)
8000 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8001 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
8002 }
8003 #endif
8004 } else {
8005 ssl->state++;
8006 }
8007
8008 /*
8009 * Switch to our negotiated transform and session parameters for outbound
8010 * data.
8011 */
8012 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
8013
8014 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8015 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8016 unsigned char i;
8017
8018 /* Remember current epoch settings for resending */
8019 ssl->handshake->alt_transform_out = ssl->transform_out;
8020 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
8021 sizeof(ssl->handshake->alt_out_ctr));
8022
8023 /* Set sequence_number to zero */
8024 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2);
8025
8026
8027 /* Increment epoch */
8028 for (i = 2; i > 0; i--) {
8029 if (++ssl->cur_out_ctr[i - 1] != 0) {
8030 break;
8031 }
8032 }
8033
8034 /* The loop goes to its end iff the counter is wrapping */
8035 if (i == 0) {
8036 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
8037 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
8038 }
8039 } else
8040 #endif /* MBEDTLS_SSL_PROTO_DTLS */
8041 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
8042
8043 ssl->transform_out = ssl->transform_negotiate;
8044 ssl->session_out = ssl->session_negotiate;
8045
8046 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8047 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8048 mbedtls_ssl_send_flight_completed(ssl);
8049 }
8050 #endif
8051
8052 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
8053 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
8054 return ret;
8055 }
8056
8057 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8058 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8059 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
8060 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
8061 return ret;
8062 }
8063 #endif
8064
8065 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
8066
8067 return 0;
8068 }
8069
8070 #define SSL_MAX_HASH_LEN 12
8071
mbedtls_ssl_parse_finished(mbedtls_ssl_context * ssl)8072 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
8073 {
8074 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8075 unsigned int hash_len = 12;
8076 unsigned char buf[SSL_MAX_HASH_LEN];
8077
8078 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
8079
8080 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
8081 if (ret != 0) {
8082 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
8083 }
8084
8085 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
8086 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
8087 goto exit;
8088 }
8089
8090 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
8091 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8092 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8093 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8094 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8095 goto exit;
8096 }
8097
8098 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) {
8099 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8100 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8101 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8102 goto exit;
8103 }
8104
8105 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
8106 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8107 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8108 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
8109 ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
8110 goto exit;
8111 }
8112
8113 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
8114 buf, hash_len) != 0) {
8115 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8116 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8117 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
8118 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8119 goto exit;
8120 }
8121
8122 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8123 ssl->verify_data_len = hash_len;
8124 memcpy(ssl->peer_verify_data, buf, hash_len);
8125 #endif
8126
8127 if (ssl->handshake->resume != 0) {
8128 #if defined(MBEDTLS_SSL_CLI_C)
8129 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8130 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
8131 }
8132 #endif
8133 #if defined(MBEDTLS_SSL_SRV_C)
8134 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8135 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
8136 }
8137 #endif
8138 } else {
8139 ssl->state++;
8140 }
8141
8142 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8143 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8144 mbedtls_ssl_recv_flight_completed(ssl);
8145 }
8146 #endif
8147
8148 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
8149
8150 exit:
8151 mbedtls_platform_zeroize(buf, hash_len);
8152 return ret;
8153 }
8154
8155 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8156 /*
8157 * Helper to get TLS 1.2 PRF from ciphersuite
8158 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
8159 */
ssl_tls12prf_from_cs(int ciphersuite_id)8160 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
8161 {
8162 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
8163 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
8164 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
8165 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
8166 return tls_prf_sha384;
8167 } else
8168 #endif
8169 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
8170 {
8171 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
8172 return tls_prf_sha256;
8173 }
8174 }
8175 #endif
8176 #if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
8177 !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
8178 (void) ciphersuite_info;
8179 #endif
8180
8181 return NULL;
8182 }
8183 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
8184
tls_prf_get_type(mbedtls_ssl_tls_prf_cb * tls_prf)8185 static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
8186 {
8187 ((void) tls_prf);
8188 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
8189 if (tls_prf == tls_prf_sha384) {
8190 return MBEDTLS_SSL_TLS_PRF_SHA384;
8191 } else
8192 #endif
8193 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
8194 if (tls_prf == tls_prf_sha256) {
8195 return MBEDTLS_SSL_TLS_PRF_SHA256;
8196 } else
8197 #endif
8198 return MBEDTLS_SSL_TLS_PRF_NONE;
8199 }
8200
8201 /*
8202 * Populate a transform structure with session keys and all the other
8203 * necessary information.
8204 *
8205 * Parameters:
8206 * - [in/out]: transform: structure to populate
8207 * [in] must be just initialised with mbedtls_ssl_transform_init()
8208 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
8209 * - [in] ciphersuite
8210 * - [in] master
8211 * - [in] encrypt_then_mac
8212 * - [in] tls_prf: pointer to PRF to use for key derivation
8213 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
8214 * - [in] tls_version: TLS version
8215 * - [in] endpoint: client or server
8216 * - [in] ssl: used for:
8217 * - ssl->conf->{f,p}_export_keys
8218 * [in] optionally used for:
8219 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
8220 */
8221 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_populate_transform(mbedtls_ssl_transform * transform,int ciphersuite,const unsigned char master[48],int encrypt_then_mac,ssl_tls_prf_t tls_prf,const unsigned char randbytes[64],mbedtls_ssl_protocol_version tls_version,unsigned endpoint,const mbedtls_ssl_context * ssl)8222 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
8223 int ciphersuite,
8224 const unsigned char master[48],
8225 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8226 int encrypt_then_mac,
8227 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8228 ssl_tls_prf_t tls_prf,
8229 const unsigned char randbytes[64],
8230 mbedtls_ssl_protocol_version tls_version,
8231 unsigned endpoint,
8232 const mbedtls_ssl_context *ssl)
8233 {
8234 int ret = 0;
8235 unsigned char keyblk[256];
8236 unsigned char *key1;
8237 unsigned char *key2;
8238 unsigned char *mac_enc;
8239 unsigned char *mac_dec;
8240 size_t mac_key_len = 0;
8241 size_t iv_copy_len;
8242 size_t keylen;
8243 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
8244 mbedtls_ssl_mode_t ssl_mode;
8245 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
8246 const mbedtls_cipher_info_t *cipher_info;
8247 const mbedtls_md_info_t *md_info;
8248 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
8249
8250 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8251 psa_key_type_t key_type;
8252 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8253 psa_algorithm_t alg;
8254 psa_algorithm_t mac_alg = 0;
8255 size_t key_bits;
8256 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8257 #endif
8258
8259 #if !defined(MBEDTLS_DEBUG_C) && \
8260 !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
8261 if (ssl->f_export_keys == NULL) {
8262 ssl = NULL; /* make sure we don't use it except for these cases */
8263 (void) ssl;
8264 }
8265 #endif
8266
8267 /*
8268 * Some data just needs copying into the structure
8269 */
8270 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8271 transform->encrypt_then_mac = encrypt_then_mac;
8272 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8273 transform->tls_version = tls_version;
8274
8275 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8276 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
8277 #endif
8278
8279 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
8280 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
8281 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
8282 * generation separate. This should never happen. */
8283 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8284 }
8285 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
8286
8287 /*
8288 * Get various info structures
8289 */
8290 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
8291 if (ciphersuite_info == NULL) {
8292 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
8293 ciphersuite));
8294 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8295 }
8296
8297 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
8298 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8299 encrypt_then_mac,
8300 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8301 ciphersuite_info);
8302
8303 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8304 transform->taglen =
8305 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
8306 }
8307
8308 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8309 if ((status = mbedtls_ssl_cipher_to_psa(ciphersuite_info->cipher,
8310 transform->taglen,
8311 &alg,
8312 &key_type,
8313 &key_bits)) != PSA_SUCCESS) {
8314 ret = PSA_TO_MBEDTLS_ERR(status);
8315 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
8316 goto end;
8317 }
8318 #else
8319 cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->cipher);
8320 if (cipher_info == NULL) {
8321 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
8322 ciphersuite_info->cipher));
8323 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8324 }
8325 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8326
8327 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8328 mac_alg = mbedtls_hash_info_psa_from_md(ciphersuite_info->mac);
8329 if (mac_alg == 0) {
8330 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_info_psa_from_md for %u not found",
8331 (unsigned) ciphersuite_info->mac));
8332 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8333 }
8334 #else
8335 md_info = mbedtls_md_info_from_type(ciphersuite_info->mac);
8336 if (md_info == NULL) {
8337 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found",
8338 (unsigned) ciphersuite_info->mac));
8339 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8340 }
8341 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8342
8343 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
8344 /* Copy own and peer's CID if the use of the CID
8345 * extension has been negotiated. */
8346 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
8347 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
8348
8349 transform->in_cid_len = ssl->own_cid_len;
8350 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
8351 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
8352 transform->in_cid_len);
8353
8354 transform->out_cid_len = ssl->handshake->peer_cid_len;
8355 memcpy(transform->out_cid, ssl->handshake->peer_cid,
8356 ssl->handshake->peer_cid_len);
8357 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
8358 transform->out_cid_len);
8359 }
8360 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
8361
8362 /*
8363 * Compute key block using the PRF
8364 */
8365 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
8366 if (ret != 0) {
8367 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
8368 return ret;
8369 }
8370
8371 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
8372 mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
8373 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
8374 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
8375 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
8376
8377 /*
8378 * Determine the appropriate key, IV and MAC length.
8379 */
8380
8381 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8382 keylen = PSA_BITS_TO_BYTES(key_bits);
8383 #else
8384 keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
8385 #endif
8386
8387 #if defined(MBEDTLS_GCM_C) || \
8388 defined(MBEDTLS_CCM_C) || \
8389 defined(MBEDTLS_CHACHAPOLY_C)
8390 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8391 size_t explicit_ivlen;
8392
8393 transform->maclen = 0;
8394 mac_key_len = 0;
8395
8396 /* All modes haves 96-bit IVs, but the length of the static parts vary
8397 * with mode and version:
8398 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
8399 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
8400 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
8401 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
8402 * sequence number).
8403 */
8404 transform->ivlen = 12;
8405
8406 int is_chachapoly = 0;
8407 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8408 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20);
8409 #else
8410 is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info)
8411 == MBEDTLS_MODE_CHACHAPOLY);
8412 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8413
8414 if (is_chachapoly) {
8415 transform->fixed_ivlen = 12;
8416 } else {
8417 transform->fixed_ivlen = 4;
8418 }
8419
8420 /* Minimum length of encrypted record */
8421 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
8422 transform->minlen = explicit_ivlen + transform->taglen;
8423 } else
8424 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
8425 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8426 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
8427 ssl_mode == MBEDTLS_SSL_MODE_CBC ||
8428 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8429 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8430 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
8431 #else
8432 size_t block_size = cipher_info->block_size;
8433 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8434
8435 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8436 /* Get MAC length */
8437 mac_key_len = PSA_HASH_LENGTH(mac_alg);
8438 #else
8439 /* Initialize HMAC contexts */
8440 if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 ||
8441 (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) {
8442 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
8443 goto end;
8444 }
8445
8446 /* Get MAC length */
8447 mac_key_len = mbedtls_md_get_size(md_info);
8448 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8449 transform->maclen = mac_key_len;
8450
8451 /* IV length */
8452 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8453 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
8454 #else
8455 transform->ivlen = cipher_info->iv_size;
8456 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8457
8458 /* Minimum length */
8459 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
8460 transform->minlen = transform->maclen;
8461 } else {
8462 /*
8463 * GenericBlockCipher:
8464 * 1. if EtM is in use: one block plus MAC
8465 * otherwise: * first multiple of blocklen greater than maclen
8466 * 2. IV
8467 */
8468 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8469 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8470 transform->minlen = transform->maclen
8471 + block_size;
8472 } else
8473 #endif
8474 {
8475 transform->minlen = transform->maclen
8476 + block_size
8477 - transform->maclen % block_size;
8478 }
8479
8480 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
8481 transform->minlen += transform->ivlen;
8482 } else {
8483 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8484 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8485 goto end;
8486 }
8487 }
8488 } else
8489 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
8490 {
8491 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8492 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8493 }
8494
8495 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
8496 (unsigned) keylen,
8497 (unsigned) transform->minlen,
8498 (unsigned) transform->ivlen,
8499 (unsigned) transform->maclen));
8500
8501 /*
8502 * Finally setup the cipher contexts, IVs and MAC secrets.
8503 */
8504 #if defined(MBEDTLS_SSL_CLI_C)
8505 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
8506 key1 = keyblk + mac_key_len * 2;
8507 key2 = keyblk + mac_key_len * 2 + keylen;
8508
8509 mac_enc = keyblk;
8510 mac_dec = keyblk + mac_key_len;
8511
8512 iv_copy_len = (transform->fixed_ivlen) ?
8513 transform->fixed_ivlen : transform->ivlen;
8514 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len);
8515 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
8516 iv_copy_len);
8517 } else
8518 #endif /* MBEDTLS_SSL_CLI_C */
8519 #if defined(MBEDTLS_SSL_SRV_C)
8520 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
8521 key1 = keyblk + mac_key_len * 2 + keylen;
8522 key2 = keyblk + mac_key_len * 2;
8523
8524 mac_enc = keyblk + mac_key_len;
8525 mac_dec = keyblk;
8526
8527 iv_copy_len = (transform->fixed_ivlen) ?
8528 transform->fixed_ivlen : transform->ivlen;
8529 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len);
8530 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
8531 iv_copy_len);
8532 } else
8533 #endif /* MBEDTLS_SSL_SRV_C */
8534 {
8535 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8536 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8537 goto end;
8538 }
8539
8540 if (ssl != NULL && ssl->f_export_keys != NULL) {
8541 ssl->f_export_keys(ssl->p_export_keys,
8542 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
8543 master, 48,
8544 randbytes + 32,
8545 randbytes,
8546 tls_prf_get_type(tls_prf));
8547 }
8548
8549 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8550 transform->psa_alg = alg;
8551
8552 if (alg != MBEDTLS_SSL_NULL_CIPHER) {
8553 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
8554 psa_set_key_algorithm(&attributes, alg);
8555 psa_set_key_type(&attributes, key_type);
8556
8557 if ((status = psa_import_key(&attributes,
8558 key1,
8559 PSA_BITS_TO_BYTES(key_bits),
8560 &transform->psa_key_enc)) != PSA_SUCCESS) {
8561 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
8562 ret = PSA_TO_MBEDTLS_ERR(status);
8563 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8564 goto end;
8565 }
8566
8567 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8568
8569 if ((status = psa_import_key(&attributes,
8570 key2,
8571 PSA_BITS_TO_BYTES(key_bits),
8572 &transform->psa_key_dec)) != PSA_SUCCESS) {
8573 ret = PSA_TO_MBEDTLS_ERR(status);
8574 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8575 goto end;
8576 }
8577 }
8578 #else
8579 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
8580 cipher_info)) != 0) {
8581 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8582 goto end;
8583 }
8584
8585 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
8586 cipher_info)) != 0) {
8587 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8588 goto end;
8589 }
8590
8591 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1,
8592 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8593 MBEDTLS_ENCRYPT)) != 0) {
8594 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8595 goto end;
8596 }
8597
8598 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2,
8599 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8600 MBEDTLS_DECRYPT)) != 0) {
8601 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8602 goto end;
8603 }
8604
8605 #if defined(MBEDTLS_CIPHER_MODE_CBC)
8606 if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) {
8607 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc,
8608 MBEDTLS_PADDING_NONE)) != 0) {
8609 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
8610 goto end;
8611 }
8612
8613 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec,
8614 MBEDTLS_PADDING_NONE)) != 0) {
8615 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
8616 goto end;
8617 }
8618 }
8619 #endif /* MBEDTLS_CIPHER_MODE_CBC */
8620 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8621
8622 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8623 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
8624 For AEAD-based ciphersuites, there is nothing to do here. */
8625 if (mac_key_len != 0) {
8626 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8627 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg);
8628
8629 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
8630 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg));
8631 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
8632
8633 if ((status = psa_import_key(&attributes,
8634 mac_enc, mac_key_len,
8635 &transform->psa_mac_enc)) != PSA_SUCCESS) {
8636 ret = PSA_TO_MBEDTLS_ERR(status);
8637 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
8638 goto end;
8639 }
8640
8641 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) ||
8642 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING)
8643 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8644 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED)
8645 #endif
8646 )) {
8647 /* mbedtls_ct_hmac() requires the key to be exportable */
8648 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
8649 PSA_KEY_USAGE_VERIFY_HASH);
8650 } else {
8651 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
8652 }
8653
8654 if ((status = psa_import_key(&attributes,
8655 mac_dec, mac_key_len,
8656 &transform->psa_mac_dec)) != PSA_SUCCESS) {
8657 ret = PSA_TO_MBEDTLS_ERR(status);
8658 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
8659 goto end;
8660 }
8661 #else
8662 ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len);
8663 if (ret != 0) {
8664 goto end;
8665 }
8666 ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len);
8667 if (ret != 0) {
8668 goto end;
8669 }
8670 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8671 }
8672 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
8673
8674 ((void) mac_dec);
8675 ((void) mac_enc);
8676
8677 end:
8678 mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
8679 return ret;
8680 }
8681
8682 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
8683 defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_ecjpake_read_round(psa_pake_operation_t * pake_ctx,const unsigned char * buf,size_t len,mbedtls_ecjpake_rounds_t round)8684 int mbedtls_psa_ecjpake_read_round(
8685 psa_pake_operation_t *pake_ctx,
8686 const unsigned char *buf,
8687 size_t len, mbedtls_ecjpake_rounds_t round)
8688 {
8689 psa_status_t status;
8690 size_t input_offset = 0;
8691 /*
8692 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
8693 * At round two perform a single cycle
8694 */
8695 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
8696
8697 for (; remaining_steps > 0; remaining_steps--) {
8698 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
8699 step <= PSA_PAKE_STEP_ZK_PROOF;
8700 ++step) {
8701 /* Length is stored at the first byte */
8702 size_t length = buf[input_offset];
8703 input_offset += 1;
8704
8705 if (input_offset + length > len) {
8706 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8707 }
8708
8709 status = psa_pake_input(pake_ctx, step,
8710 buf + input_offset, length);
8711 if (status != PSA_SUCCESS) {
8712 return PSA_TO_MBEDTLS_ERR(status);
8713 }
8714
8715 input_offset += length;
8716 }
8717 }
8718
8719 if (input_offset != len) {
8720 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8721 }
8722
8723 return 0;
8724 }
8725
mbedtls_psa_ecjpake_write_round(psa_pake_operation_t * pake_ctx,unsigned char * buf,size_t len,size_t * olen,mbedtls_ecjpake_rounds_t round)8726 int mbedtls_psa_ecjpake_write_round(
8727 psa_pake_operation_t *pake_ctx,
8728 unsigned char *buf,
8729 size_t len, size_t *olen,
8730 mbedtls_ecjpake_rounds_t round)
8731 {
8732 psa_status_t status;
8733 size_t output_offset = 0;
8734 size_t output_len;
8735 /*
8736 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
8737 * At round two perform a single cycle
8738 */
8739 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
8740
8741 for (; remaining_steps > 0; remaining_steps--) {
8742 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
8743 step <= PSA_PAKE_STEP_ZK_PROOF;
8744 ++step) {
8745 /*
8746 * For each step, prepend 1 byte with the length of the data as
8747 * given by psa_pake_output().
8748 */
8749 status = psa_pake_output(pake_ctx, step,
8750 buf + output_offset + 1,
8751 len - output_offset - 1,
8752 &output_len);
8753 if (status != PSA_SUCCESS) {
8754 return PSA_TO_MBEDTLS_ERR(status);
8755 }
8756
8757 *(buf + output_offset) = (uint8_t) output_len;
8758
8759 output_offset += output_len + 1;
8760 }
8761 }
8762
8763 *olen = output_offset;
8764
8765 return 0;
8766 }
8767 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
8768
8769 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)8770 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
8771 unsigned char *hash, size_t *hashlen,
8772 unsigned char *data, size_t data_len,
8773 mbedtls_md_type_t md_alg)
8774 {
8775 psa_status_t status;
8776 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
8777 psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(md_alg);
8778
8779 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
8780
8781 if ((status = psa_hash_setup(&hash_operation,
8782 hash_alg)) != PSA_SUCCESS) {
8783 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
8784 goto exit;
8785 }
8786
8787 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
8788 64)) != PSA_SUCCESS) {
8789 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
8790 goto exit;
8791 }
8792
8793 if ((status = psa_hash_update(&hash_operation,
8794 data, data_len)) != PSA_SUCCESS) {
8795 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
8796 goto exit;
8797 }
8798
8799 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE,
8800 hashlen)) != PSA_SUCCESS) {
8801 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
8802 goto exit;
8803 }
8804
8805 exit:
8806 if (status != PSA_SUCCESS) {
8807 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8808 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
8809 switch (status) {
8810 case PSA_ERROR_NOT_SUPPORTED:
8811 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
8812 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
8813 case PSA_ERROR_BUFFER_TOO_SMALL:
8814 return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
8815 case PSA_ERROR_INSUFFICIENT_MEMORY:
8816 return MBEDTLS_ERR_MD_ALLOC_FAILED;
8817 default:
8818 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
8819 }
8820 }
8821 return 0;
8822 }
8823
8824 #else
8825
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)8826 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
8827 unsigned char *hash, size_t *hashlen,
8828 unsigned char *data, size_t data_len,
8829 mbedtls_md_type_t md_alg)
8830 {
8831 int ret = 0;
8832 mbedtls_md_context_t ctx;
8833 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
8834 *hashlen = mbedtls_md_get_size(md_info);
8835
8836 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange"));
8837
8838 mbedtls_md_init(&ctx);
8839
8840 /*
8841 * digitally-signed struct {
8842 * opaque client_random[32];
8843 * opaque server_random[32];
8844 * ServerDHParams params;
8845 * };
8846 */
8847 if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
8848 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
8849 goto exit;
8850 }
8851 if ((ret = mbedtls_md_starts(&ctx)) != 0) {
8852 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret);
8853 goto exit;
8854 }
8855 if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) {
8856 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
8857 goto exit;
8858 }
8859 if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) {
8860 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
8861 goto exit;
8862 }
8863 if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) {
8864 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
8865 goto exit;
8866 }
8867
8868 exit:
8869 mbedtls_md_free(&ctx);
8870
8871 if (ret != 0) {
8872 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8873 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
8874 }
8875
8876 return ret;
8877 }
8878 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8879
8880 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
8881
8882 /* Find the preferred hash for a given signature algorithm. */
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(mbedtls_ssl_context * ssl,unsigned int sig_alg)8883 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
8884 mbedtls_ssl_context *ssl,
8885 unsigned int sig_alg)
8886 {
8887 unsigned int i;
8888 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
8889
8890 if (sig_alg == MBEDTLS_SSL_SIG_ANON) {
8891 return MBEDTLS_SSL_HASH_NONE;
8892 }
8893
8894 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
8895 unsigned int hash_alg_received =
8896 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
8897 received_sig_algs[i]);
8898 unsigned int sig_alg_received =
8899 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
8900 received_sig_algs[i]);
8901
8902 if (sig_alg == sig_alg_received) {
8903 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8904 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
8905 psa_algorithm_t psa_hash_alg =
8906 mbedtls_hash_info_psa_from_md(hash_alg_received);
8907
8908 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
8909 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
8910 PSA_ALG_ECDSA(psa_hash_alg),
8911 PSA_KEY_USAGE_SIGN_HASH)) {
8912 continue;
8913 }
8914
8915 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
8916 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
8917 PSA_ALG_RSA_PKCS1V15_SIGN(
8918 psa_hash_alg),
8919 PSA_KEY_USAGE_SIGN_HASH)) {
8920 continue;
8921 }
8922 }
8923 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8924
8925 return hash_alg_received;
8926 }
8927 }
8928
8929 return MBEDTLS_SSL_HASH_NONE;
8930 }
8931
8932 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
8933
8934 /* Serialization of TLS 1.2 sessions:
8935 *
8936 * struct {
8937 * uint64 start_time;
8938 * uint8 ciphersuite[2]; // defined by the standard
8939 * uint8 session_id_len; // at most 32
8940 * opaque session_id[32];
8941 * opaque master[48]; // fixed length in the standard
8942 * uint32 verify_result;
8943 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
8944 * opaque ticket<0..2^24-1>; // length 0 means no ticket
8945 * uint32 ticket_lifetime;
8946 * uint8 mfl_code; // up to 255 according to standard
8947 * uint8 encrypt_then_mac; // 0 or 1
8948 * } serialized_session_tls12;
8949 *
8950 */
ssl_tls12_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len)8951 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
8952 unsigned char *buf,
8953 size_t buf_len)
8954 {
8955 unsigned char *p = buf;
8956 size_t used = 0;
8957
8958 #if defined(MBEDTLS_HAVE_TIME)
8959 uint64_t start;
8960 #endif
8961 #if defined(MBEDTLS_X509_CRT_PARSE_C)
8962 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
8963 size_t cert_len;
8964 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8965 #endif /* MBEDTLS_X509_CRT_PARSE_C */
8966
8967 /*
8968 * Time
8969 */
8970 #if defined(MBEDTLS_HAVE_TIME)
8971 used += 8;
8972
8973 if (used <= buf_len) {
8974 start = (uint64_t) session->start;
8975
8976 MBEDTLS_PUT_UINT64_BE(start, p, 0);
8977 p += 8;
8978 }
8979 #endif /* MBEDTLS_HAVE_TIME */
8980
8981 /*
8982 * Basic mandatory fields
8983 */
8984 used += 2 /* ciphersuite */
8985 + 1 /* id_len */
8986 + sizeof(session->id)
8987 + sizeof(session->master)
8988 + 4; /* verify_result */
8989
8990 if (used <= buf_len) {
8991 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
8992 p += 2;
8993
8994 *p++ = MBEDTLS_BYTE_0(session->id_len);
8995 memcpy(p, session->id, 32);
8996 p += 32;
8997
8998 memcpy(p, session->master, 48);
8999 p += 48;
9000
9001 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
9002 p += 4;
9003 }
9004
9005 /*
9006 * Peer's end-entity certificate
9007 */
9008 #if defined(MBEDTLS_X509_CRT_PARSE_C)
9009 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
9010 if (session->peer_cert == NULL) {
9011 cert_len = 0;
9012 } else {
9013 cert_len = session->peer_cert->raw.len;
9014 }
9015
9016 used += 3 + cert_len;
9017
9018 if (used <= buf_len) {
9019 *p++ = MBEDTLS_BYTE_2(cert_len);
9020 *p++ = MBEDTLS_BYTE_1(cert_len);
9021 *p++ = MBEDTLS_BYTE_0(cert_len);
9022
9023 if (session->peer_cert != NULL) {
9024 memcpy(p, session->peer_cert->raw.p, cert_len);
9025 p += cert_len;
9026 }
9027 }
9028 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
9029 if (session->peer_cert_digest != NULL) {
9030 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
9031 if (used <= buf_len) {
9032 *p++ = (unsigned char) session->peer_cert_digest_type;
9033 *p++ = (unsigned char) session->peer_cert_digest_len;
9034 memcpy(p, session->peer_cert_digest,
9035 session->peer_cert_digest_len);
9036 p += session->peer_cert_digest_len;
9037 }
9038 } else {
9039 used += 2;
9040 if (used <= buf_len) {
9041 *p++ = (unsigned char) MBEDTLS_MD_NONE;
9042 *p++ = 0;
9043 }
9044 }
9045 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
9046 #endif /* MBEDTLS_X509_CRT_PARSE_C */
9047
9048 /*
9049 * Session ticket if any, plus associated data
9050 */
9051 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
9052 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
9053
9054 if (used <= buf_len) {
9055 *p++ = MBEDTLS_BYTE_2(session->ticket_len);
9056 *p++ = MBEDTLS_BYTE_1(session->ticket_len);
9057 *p++ = MBEDTLS_BYTE_0(session->ticket_len);
9058
9059 if (session->ticket != NULL) {
9060 memcpy(p, session->ticket, session->ticket_len);
9061 p += session->ticket_len;
9062 }
9063
9064 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
9065 p += 4;
9066 }
9067 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
9068
9069 /*
9070 * Misc extension-related info
9071 */
9072 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
9073 used += 1;
9074
9075 if (used <= buf_len) {
9076 *p++ = session->mfl_code;
9077 }
9078 #endif
9079
9080 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
9081 used += 1;
9082
9083 if (used <= buf_len) {
9084 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
9085 }
9086 #endif
9087
9088 return used;
9089 }
9090
9091 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)9092 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
9093 const unsigned char *buf,
9094 size_t len)
9095 {
9096 #if defined(MBEDTLS_HAVE_TIME)
9097 uint64_t start;
9098 #endif
9099 #if defined(MBEDTLS_X509_CRT_PARSE_C)
9100 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
9101 size_t cert_len;
9102 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
9103 #endif /* MBEDTLS_X509_CRT_PARSE_C */
9104
9105 const unsigned char *p = buf;
9106 const unsigned char * const end = buf + len;
9107
9108 /*
9109 * Time
9110 */
9111 #if defined(MBEDTLS_HAVE_TIME)
9112 if (8 > (size_t) (end - p)) {
9113 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9114 }
9115
9116 start = ((uint64_t) p[0] << 56) |
9117 ((uint64_t) p[1] << 48) |
9118 ((uint64_t) p[2] << 40) |
9119 ((uint64_t) p[3] << 32) |
9120 ((uint64_t) p[4] << 24) |
9121 ((uint64_t) p[5] << 16) |
9122 ((uint64_t) p[6] << 8) |
9123 ((uint64_t) p[7]);
9124 p += 8;
9125
9126 session->start = (time_t) start;
9127 #endif /* MBEDTLS_HAVE_TIME */
9128
9129 /*
9130 * Basic mandatory fields
9131 */
9132 if (2 + 1 + 32 + 48 + 4 > (size_t) (end - p)) {
9133 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9134 }
9135
9136 session->ciphersuite = (p[0] << 8) | p[1];
9137 p += 2;
9138
9139 session->id_len = *p++;
9140 memcpy(session->id, p, 32);
9141 p += 32;
9142
9143 memcpy(session->master, p, 48);
9144 p += 48;
9145
9146 session->verify_result = ((uint32_t) p[0] << 24) |
9147 ((uint32_t) p[1] << 16) |
9148 ((uint32_t) p[2] << 8) |
9149 ((uint32_t) p[3]);
9150 p += 4;
9151
9152 /* Immediately clear invalid pointer values that have been read, in case
9153 * we exit early before we replaced them with valid ones. */
9154 #if defined(MBEDTLS_X509_CRT_PARSE_C)
9155 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
9156 session->peer_cert = NULL;
9157 #else
9158 session->peer_cert_digest = NULL;
9159 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
9160 #endif /* MBEDTLS_X509_CRT_PARSE_C */
9161 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
9162 session->ticket = NULL;
9163 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
9164
9165 /*
9166 * Peer certificate
9167 */
9168 #if defined(MBEDTLS_X509_CRT_PARSE_C)
9169 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
9170 /* Deserialize CRT from the end of the ticket. */
9171 if (3 > (size_t) (end - p)) {
9172 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9173 }
9174
9175 cert_len = (p[0] << 16) | (p[1] << 8) | p[2];
9176 p += 3;
9177
9178 if (cert_len != 0) {
9179 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
9180
9181 if (cert_len > (size_t) (end - p)) {
9182 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9183 }
9184
9185 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
9186
9187 if (session->peer_cert == NULL) {
9188 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9189 }
9190
9191 mbedtls_x509_crt_init(session->peer_cert);
9192
9193 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
9194 p, cert_len)) != 0) {
9195 mbedtls_x509_crt_free(session->peer_cert);
9196 mbedtls_free(session->peer_cert);
9197 session->peer_cert = NULL;
9198 return ret;
9199 }
9200
9201 p += cert_len;
9202 }
9203 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
9204 /* Deserialize CRT digest from the end of the ticket. */
9205 if (2 > (size_t) (end - p)) {
9206 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9207 }
9208
9209 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
9210 session->peer_cert_digest_len = (size_t) *p++;
9211
9212 if (session->peer_cert_digest_len != 0) {
9213 const mbedtls_md_info_t *md_info =
9214 mbedtls_md_info_from_type(session->peer_cert_digest_type);
9215 if (md_info == NULL) {
9216 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9217 }
9218 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
9219 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9220 }
9221
9222 if (session->peer_cert_digest_len > (size_t) (end - p)) {
9223 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9224 }
9225
9226 session->peer_cert_digest =
9227 mbedtls_calloc(1, session->peer_cert_digest_len);
9228 if (session->peer_cert_digest == NULL) {
9229 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9230 }
9231
9232 memcpy(session->peer_cert_digest, p,
9233 session->peer_cert_digest_len);
9234 p += session->peer_cert_digest_len;
9235 }
9236 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
9237 #endif /* MBEDTLS_X509_CRT_PARSE_C */
9238
9239 /*
9240 * Session ticket and associated data
9241 */
9242 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
9243 if (3 > (size_t) (end - p)) {
9244 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9245 }
9246
9247 session->ticket_len = (p[0] << 16) | (p[1] << 8) | p[2];
9248 p += 3;
9249
9250 if (session->ticket_len != 0) {
9251 if (session->ticket_len > (size_t) (end - p)) {
9252 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9253 }
9254
9255 session->ticket = mbedtls_calloc(1, session->ticket_len);
9256 if (session->ticket == NULL) {
9257 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9258 }
9259
9260 memcpy(session->ticket, p, session->ticket_len);
9261 p += session->ticket_len;
9262 }
9263
9264 if (4 > (size_t) (end - p)) {
9265 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9266 }
9267
9268 session->ticket_lifetime = ((uint32_t) p[0] << 24) |
9269 ((uint32_t) p[1] << 16) |
9270 ((uint32_t) p[2] << 8) |
9271 ((uint32_t) p[3]);
9272 p += 4;
9273 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
9274
9275 /*
9276 * Misc extension-related info
9277 */
9278 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
9279 if (1 > (size_t) (end - p)) {
9280 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9281 }
9282
9283 session->mfl_code = *p++;
9284 #endif
9285
9286 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
9287 if (1 > (size_t) (end - p)) {
9288 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9289 }
9290
9291 session->encrypt_then_mac = *p++;
9292 #endif
9293
9294 /* Done, should have consumed entire buffer */
9295 if (p != end) {
9296 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9297 }
9298
9299 return 0;
9300 }
9301 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9302
mbedtls_ssl_validate_ciphersuite(const mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * suite_info,mbedtls_ssl_protocol_version min_tls_version,mbedtls_ssl_protocol_version max_tls_version)9303 int mbedtls_ssl_validate_ciphersuite(
9304 const mbedtls_ssl_context *ssl,
9305 const mbedtls_ssl_ciphersuite_t *suite_info,
9306 mbedtls_ssl_protocol_version min_tls_version,
9307 mbedtls_ssl_protocol_version max_tls_version)
9308 {
9309 (void) ssl;
9310
9311 if (suite_info == NULL) {
9312 return -1;
9313 }
9314
9315 if ((suite_info->min_tls_version > max_tls_version) ||
9316 (suite_info->max_tls_version < min_tls_version)) {
9317 return -1;
9318 }
9319
9320 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
9321 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
9322 #if defined(MBEDTLS_USE_PSA_CRYPTO)
9323 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9324 ssl->handshake->psa_pake_ctx_is_ok != 1)
9325 #else
9326 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9327 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
9328 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9329 {
9330 return -1;
9331 }
9332 #endif
9333
9334 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
9335 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
9336 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
9337 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
9338 return -1;
9339 }
9340 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
9341 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9342
9343 return 0;
9344 }
9345
9346 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
9347 /*
9348 * Function for writing a signature algorithm extension.
9349 *
9350 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
9351 * value (TLS 1.3 RFC8446):
9352 * enum {
9353 * ....
9354 * ecdsa_secp256r1_sha256( 0x0403 ),
9355 * ecdsa_secp384r1_sha384( 0x0503 ),
9356 * ecdsa_secp521r1_sha512( 0x0603 ),
9357 * ....
9358 * } SignatureScheme;
9359 *
9360 * struct {
9361 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
9362 * } SignatureSchemeList;
9363 *
9364 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
9365 * value (TLS 1.2 RFC5246):
9366 * enum {
9367 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
9368 * sha512(6), (255)
9369 * } HashAlgorithm;
9370 *
9371 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
9372 * SignatureAlgorithm;
9373 *
9374 * struct {
9375 * HashAlgorithm hash;
9376 * SignatureAlgorithm signature;
9377 * } SignatureAndHashAlgorithm;
9378 *
9379 * SignatureAndHashAlgorithm
9380 * supported_signature_algorithms<2..2^16-2>;
9381 *
9382 * The TLS 1.3 signature algorithm extension was defined to be a compatible
9383 * generalization of the TLS 1.2 signature algorithm extension.
9384 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
9385 * `SignatureScheme` field of TLS 1.3
9386 *
9387 */
mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)9388 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
9389 const unsigned char *end, size_t *out_len)
9390 {
9391 unsigned char *p = buf;
9392 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
9393 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
9394
9395 *out_len = 0;
9396
9397 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension"));
9398
9399 /* Check if we have space for header and length field:
9400 * - extension_type (2 bytes)
9401 * - extension_data_length (2 bytes)
9402 * - supported_signature_algorithms_length (2 bytes)
9403 */
9404 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
9405 p += 6;
9406
9407 /*
9408 * Write supported_signature_algorithms
9409 */
9410 supported_sig_alg = p;
9411 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
9412 if (sig_alg == NULL) {
9413 return MBEDTLS_ERR_SSL_BAD_CONFIG;
9414 }
9415
9416 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
9417 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s",
9418 *sig_alg,
9419 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9420 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
9421 continue;
9422 }
9423 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
9424 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
9425 p += 2;
9426 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s",
9427 *sig_alg,
9428 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9429 }
9430
9431 /* Length of supported_signature_algorithms */
9432 supported_sig_alg_len = p - supported_sig_alg;
9433 if (supported_sig_alg_len == 0) {
9434 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
9435 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
9436 }
9437
9438 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0);
9439 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
9440 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
9441
9442 *out_len = p - buf;
9443
9444 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9445 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
9446 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
9447
9448 return 0;
9449 }
9450 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
9451
9452 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9453 /*
9454 * mbedtls_ssl_parse_server_name_ext
9455 *
9456 * Structure of server_name extension:
9457 *
9458 * enum {
9459 * host_name(0), (255)
9460 * } NameType;
9461 * opaque HostName<1..2^16-1>;
9462 *
9463 * struct {
9464 * NameType name_type;
9465 * select (name_type) {
9466 * case host_name: HostName;
9467 * } name;
9468 * } ServerName;
9469 * struct {
9470 * ServerName server_name_list<1..2^16-1>
9471 * } ServerNameList;
9472 */
9473 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9474 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
9475 const unsigned char *buf,
9476 const unsigned char *end)
9477 {
9478 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
9479 const unsigned char *p = buf;
9480 size_t server_name_list_len, hostname_len;
9481 const unsigned char *server_name_list_end;
9482
9483 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
9484
9485 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
9486 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9487 p += 2;
9488
9489 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len);
9490 server_name_list_end = p + server_name_list_len;
9491 while (p < server_name_list_end) {
9492 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3);
9493 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1);
9494 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end,
9495 hostname_len + 3);
9496
9497 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
9498 /* sni_name is intended to be used only during the parsing of the
9499 * ClientHello message (it is reset to NULL before the end of
9500 * the message parsing). Thus it is ok to just point to the
9501 * reception buffer and not make a copy of it.
9502 */
9503 ssl->handshake->sni_name = p + 3;
9504 ssl->handshake->sni_name_len = hostname_len;
9505 if (ssl->conf->f_sni == NULL) {
9506 return 0;
9507 }
9508 ret = ssl->conf->f_sni(ssl->conf->p_sni,
9509 ssl, p + 3, hostname_len);
9510 if (ret != 0) {
9511 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
9512 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
9513 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME);
9514 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME;
9515 }
9516 return 0;
9517 }
9518
9519 p += hostname_len + 3;
9520 }
9521
9522 return 0;
9523 }
9524 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
9525
9526 #if defined(MBEDTLS_SSL_ALPN)
9527 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9528 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
9529 const unsigned char *buf,
9530 const unsigned char *end)
9531 {
9532 const unsigned char *p = buf;
9533 size_t protocol_name_list_len;
9534 const unsigned char *protocol_name_list;
9535 const unsigned char *protocol_name_list_end;
9536 size_t protocol_name_len;
9537
9538 /* If ALPN not configured, just ignore the extension */
9539 if (ssl->conf->alpn_list == NULL) {
9540 return 0;
9541 }
9542
9543 /*
9544 * RFC7301, section 3.1
9545 * opaque ProtocolName<1..2^8-1>;
9546 *
9547 * struct {
9548 * ProtocolName protocol_name_list<2..2^16-1>
9549 * } ProtocolNameList;
9550 */
9551
9552 /*
9553 * protocol_name_list_len 2 bytes
9554 * protocol_name_len 1 bytes
9555 * protocol_name >=1 byte
9556 */
9557 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
9558
9559 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9560 p += 2;
9561 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
9562 protocol_name_list = p;
9563 protocol_name_list_end = p + protocol_name_list_len;
9564
9565 /* Validate peer's list (lengths) */
9566 while (p < protocol_name_list_end) {
9567 protocol_name_len = *p++;
9568 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end,
9569 protocol_name_len);
9570 if (protocol_name_len == 0) {
9571 MBEDTLS_SSL_PEND_FATAL_ALERT(
9572 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
9573 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
9574 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
9575 }
9576
9577 p += protocol_name_len;
9578 }
9579
9580 /* Use our order of preference */
9581 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
9582 size_t const alpn_len = strlen(*alpn);
9583 p = protocol_name_list;
9584 while (p < protocol_name_list_end) {
9585 protocol_name_len = *p++;
9586 if (protocol_name_len == alpn_len &&
9587 memcmp(p, *alpn, alpn_len) == 0) {
9588 ssl->alpn_chosen = *alpn;
9589 return 0;
9590 }
9591
9592 p += protocol_name_len;
9593 }
9594 }
9595
9596 /* If we get here, no match was found */
9597 MBEDTLS_SSL_PEND_FATAL_ALERT(
9598 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
9599 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL);
9600 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL;
9601 }
9602
mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)9603 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
9604 unsigned char *buf,
9605 unsigned char *end,
9606 size_t *out_len)
9607 {
9608 unsigned char *p = buf;
9609 size_t protocol_name_len;
9610 *out_len = 0;
9611
9612 if (ssl->alpn_chosen == NULL) {
9613 return 0;
9614 }
9615
9616 protocol_name_len = strlen(ssl->alpn_chosen);
9617 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len);
9618
9619 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension"));
9620 /*
9621 * 0 . 1 ext identifier
9622 * 2 . 3 ext length
9623 * 4 . 5 protocol list length
9624 * 6 . 6 protocol name length
9625 * 7 . 7+n protocol name
9626 */
9627 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
9628
9629 *out_len = 7 + protocol_name_len;
9630
9631 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2);
9632 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4);
9633 /* Note: the length of the chosen protocol has been checked to be less
9634 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
9635 */
9636 p[6] = MBEDTLS_BYTE_0(protocol_name_len);
9637
9638 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len);
9639
9640 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9641 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
9642 #endif
9643
9644 return 0;
9645 }
9646 #endif /* MBEDTLS_SSL_ALPN */
9647
9648 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
9649 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
9650 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
9651 defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_session_set_hostname(mbedtls_ssl_session * session,const char * hostname)9652 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
9653 const char *hostname)
9654 {
9655 /* Initialize to suppress unnecessary compiler warning */
9656 size_t hostname_len = 0;
9657
9658 /* Check if new hostname is valid before
9659 * making any change to current one */
9660 if (hostname != NULL) {
9661 hostname_len = strlen(hostname);
9662
9663 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
9664 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9665 }
9666 }
9667
9668 /* Now it's clear that we will overwrite the old hostname,
9669 * so we can free it safely */
9670 if (session->hostname != NULL) {
9671 mbedtls_platform_zeroize(session->hostname,
9672 strlen(session->hostname));
9673 mbedtls_free(session->hostname);
9674 }
9675
9676 /* Passing NULL as hostname shall clear the old one */
9677 if (hostname == NULL) {
9678 session->hostname = NULL;
9679 } else {
9680 session->hostname = mbedtls_calloc(1, hostname_len + 1);
9681 if (session->hostname == NULL) {
9682 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9683 }
9684
9685 memcpy(session->hostname, hostname, hostname_len);
9686 }
9687
9688 return 0;
9689 }
9690 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
9691 MBEDTLS_SSL_SESSION_TICKETS &&
9692 MBEDTLS_SSL_SERVER_NAME_INDICATION &&
9693 MBEDTLS_SSL_CLI_C */
9694
9695 #endif /* MBEDTLS_SSL_TLS_C */
9696
