1 /*
2 * TLS shared functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * http://www.ietf.org/rfc/rfc2246.txt
9 * http://www.ietf.org/rfc/rfc4346.txt
10 */
11
12 #include "common.h"
13
14 #if defined(MBEDTLS_SSL_TLS_C)
15
16 #include "mbedtls/platform.h"
17
18 #include "mbedtls/ssl.h"
19 #include "ssl_client.h"
20 #include "ssl_debug_helpers.h"
21 #include "ssl_misc.h"
22
23 #include "debug_internal.h"
24 #include "mbedtls/error.h"
25 #include "mbedtls/platform_util.h"
26 #include "mbedtls/version.h"
27 #include "mbedtls/constant_time.h"
28
29 #include <string.h>
30
31 #if defined(MBEDTLS_USE_PSA_CRYPTO)
32 #include "mbedtls/psa_util.h"
33 #include "md_psa.h"
34 #include "psa_util_internal.h"
35 #include "psa/crypto.h"
36 #endif
37
38 #if defined(MBEDTLS_X509_CRT_PARSE_C)
39 #include "mbedtls/oid.h"
40 #endif
41
42 #if defined(MBEDTLS_USE_PSA_CRYPTO)
43 /* Define local translating functions to save code size by not using too many
44 * arguments in each translating place. */
local_err_translation(psa_status_t status)45 static int local_err_translation(psa_status_t status)
46 {
47 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
48 ARRAY_LENGTH(psa_to_ssl_errors),
49 psa_generic_status_to_mbedtls);
50 }
51 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
52 #endif
53
54 #if defined(MBEDTLS_TEST_HOOKS)
55 static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
56
mbedtls_ssl_set_chk_buf_ptr_fail_args(const uint8_t * cur,const uint8_t * end,size_t need)57 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
58 const uint8_t *cur, const uint8_t *end, size_t need)
59 {
60 chk_buf_ptr_fail_args.cur = cur;
61 chk_buf_ptr_fail_args.end = end;
62 chk_buf_ptr_fail_args.need = need;
63 }
64
mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)65 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
66 {
67 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
68 }
69
mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args * args)70 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
71 {
72 return (chk_buf_ptr_fail_args.cur != args->cur) ||
73 (chk_buf_ptr_fail_args.end != args->end) ||
74 (chk_buf_ptr_fail_args.need != args->need);
75 }
76 #endif /* MBEDTLS_TEST_HOOKS */
77
78 #if defined(MBEDTLS_SSL_PROTO_DTLS)
79
80 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
81 /* Top-level Connection ID API */
82
mbedtls_ssl_conf_cid(mbedtls_ssl_config * conf,size_t len,int ignore_other_cid)83 int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
84 size_t len,
85 int ignore_other_cid)
86 {
87 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
88 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
89 }
90
91 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
92 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
93 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
94 }
95
96 conf->ignore_unexpected_cid = ignore_other_cid;
97 conf->cid_len = len;
98 return 0;
99 }
100
mbedtls_ssl_set_cid(mbedtls_ssl_context * ssl,int enable,unsigned char const * own_cid,size_t own_cid_len)101 int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
102 int enable,
103 unsigned char const *own_cid,
104 size_t own_cid_len)
105 {
106 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
107 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
108 }
109
110 ssl->negotiate_cid = enable;
111 if (enable == MBEDTLS_SSL_CID_DISABLED) {
112 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
113 return 0;
114 }
115 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
116 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
117
118 if (own_cid_len != ssl->conf->cid_len) {
119 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
120 (unsigned) own_cid_len,
121 (unsigned) ssl->conf->cid_len));
122 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
123 }
124
125 memcpy(ssl->own_cid, own_cid, own_cid_len);
126 /* Truncation is not an issue here because
127 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
128 ssl->own_cid_len = (uint8_t) own_cid_len;
129
130 return 0;
131 }
132
mbedtls_ssl_get_own_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],size_t * own_cid_len)133 int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
134 int *enabled,
135 unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],
136 size_t *own_cid_len)
137 {
138 *enabled = MBEDTLS_SSL_CID_DISABLED;
139
140 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
141 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
142 }
143
144 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
145 * zero as this is indistinguishable from not requesting to use
146 * the CID extension. */
147 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
148 return 0;
149 }
150
151 if (own_cid_len != NULL) {
152 *own_cid_len = ssl->own_cid_len;
153 if (own_cid != NULL) {
154 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
155 }
156 }
157
158 *enabled = MBEDTLS_SSL_CID_ENABLED;
159
160 return 0;
161 }
162
mbedtls_ssl_get_peer_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],size_t * peer_cid_len)163 int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
164 int *enabled,
165 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
166 size_t *peer_cid_len)
167 {
168 *enabled = MBEDTLS_SSL_CID_DISABLED;
169
170 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
171 mbedtls_ssl_is_handshake_over(ssl) == 0) {
172 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
173 }
174
175 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
176 * were used, but client and server requested the empty CID.
177 * This is indistinguishable from not using the CID extension
178 * in the first place. */
179 if (ssl->transform_in->in_cid_len == 0 &&
180 ssl->transform_in->out_cid_len == 0) {
181 return 0;
182 }
183
184 if (peer_cid_len != NULL) {
185 *peer_cid_len = ssl->transform_in->out_cid_len;
186 if (peer_cid != NULL) {
187 memcpy(peer_cid, ssl->transform_in->out_cid,
188 ssl->transform_in->out_cid_len);
189 }
190 }
191
192 *enabled = MBEDTLS_SSL_CID_ENABLED;
193
194 return 0;
195 }
196 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
197
198 #endif /* MBEDTLS_SSL_PROTO_DTLS */
199
200 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
201 /*
202 * Convert max_fragment_length codes to length.
203 * RFC 6066 says:
204 * enum{
205 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
206 * } MaxFragmentLength;
207 * and we add 0 -> extension unused
208 */
ssl_mfl_code_to_length(int mfl)209 static unsigned int ssl_mfl_code_to_length(int mfl)
210 {
211 switch (mfl) {
212 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
213 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
214 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
215 return 512;
216 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
217 return 1024;
218 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
219 return 2048;
220 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
221 return 4096;
222 default:
223 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
224 }
225 }
226 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
227
mbedtls_ssl_session_copy(mbedtls_ssl_session * dst,const mbedtls_ssl_session * src)228 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
229 const mbedtls_ssl_session *src)
230 {
231 mbedtls_ssl_session_free(dst);
232 memcpy(dst, src, sizeof(mbedtls_ssl_session));
233 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
234 dst->ticket = NULL;
235 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
236 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
237 dst->hostname = NULL;
238 #endif
239 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
240
241 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
242 defined(MBEDTLS_SSL_EARLY_DATA)
243 dst->ticket_alpn = NULL;
244 #endif
245
246 #if defined(MBEDTLS_X509_CRT_PARSE_C)
247
248 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
249 if (src->peer_cert != NULL) {
250 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
251
252 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
253 if (dst->peer_cert == NULL) {
254 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
255 }
256
257 mbedtls_x509_crt_init(dst->peer_cert);
258
259 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
260 src->peer_cert->raw.len)) != 0) {
261 mbedtls_free(dst->peer_cert);
262 dst->peer_cert = NULL;
263 return ret;
264 }
265 }
266 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
267 if (src->peer_cert_digest != NULL) {
268 dst->peer_cert_digest =
269 mbedtls_calloc(1, src->peer_cert_digest_len);
270 if (dst->peer_cert_digest == NULL) {
271 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
272 }
273
274 memcpy(dst->peer_cert_digest, src->peer_cert_digest,
275 src->peer_cert_digest_len);
276 dst->peer_cert_digest_type = src->peer_cert_digest_type;
277 dst->peer_cert_digest_len = src->peer_cert_digest_len;
278 }
279 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
280
281 #endif /* MBEDTLS_X509_CRT_PARSE_C */
282
283 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
284 defined(MBEDTLS_SSL_EARLY_DATA)
285 {
286 int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
287 if (ret != 0) {
288 return ret;
289 }
290 }
291 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */
292
293 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
294 if (src->ticket != NULL) {
295 dst->ticket = mbedtls_calloc(1, src->ticket_len);
296 if (dst->ticket == NULL) {
297 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
298 }
299
300 memcpy(dst->ticket, src->ticket, src->ticket_len);
301 }
302
303 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
304 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
305 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
306 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
307 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
308 if (ret != 0) {
309 return ret;
310 }
311 }
312 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
313 MBEDTLS_SSL_SERVER_NAME_INDICATION */
314 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
315
316 return 0;
317 }
318
319 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
320 MBEDTLS_CHECK_RETURN_CRITICAL
resize_buffer(unsigned char ** buffer,size_t len_new,size_t * len_old)321 static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
322 {
323 unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
324 if (resized_buffer == NULL) {
325 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
326 }
327
328 /* We want to copy len_new bytes when downsizing the buffer, and
329 * len_old bytes when upsizing, so we choose the smaller of two sizes,
330 * to fit one buffer into another. Size checks, ensuring that no data is
331 * lost, are done outside of this function. */
332 memcpy(resized_buffer, *buffer,
333 (len_new < *len_old) ? len_new : *len_old);
334 mbedtls_zeroize_and_free(*buffer, *len_old);
335
336 *buffer = resized_buffer;
337 *len_old = len_new;
338
339 return 0;
340 }
341
handle_buffer_resizing(mbedtls_ssl_context * ssl,int downsizing,size_t in_buf_new_len,size_t out_buf_new_len)342 static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
343 size_t in_buf_new_len,
344 size_t out_buf_new_len)
345 {
346 int modified = 0;
347 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
348 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
349 if (ssl->in_buf != NULL) {
350 written_in = ssl->in_msg - ssl->in_buf;
351 iv_offset_in = ssl->in_iv - ssl->in_buf;
352 len_offset_in = ssl->in_len - ssl->in_buf;
353 if (downsizing ?
354 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
355 ssl->in_buf_len < in_buf_new_len) {
356 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
357 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
358 } else {
359 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
360 in_buf_new_len));
361 modified = 1;
362 }
363 }
364 }
365
366 if (ssl->out_buf != NULL) {
367 written_out = ssl->out_msg - ssl->out_buf;
368 iv_offset_out = ssl->out_iv - ssl->out_buf;
369 len_offset_out = ssl->out_len - ssl->out_buf;
370 if (downsizing ?
371 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
372 ssl->out_buf_len < out_buf_new_len) {
373 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
374 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
375 } else {
376 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
377 out_buf_new_len));
378 modified = 1;
379 }
380 }
381 }
382 if (modified) {
383 /* Update pointers here to avoid doing it twice. */
384 mbedtls_ssl_reset_in_out_pointers(ssl);
385 /* Fields below might not be properly updated with record
386 * splitting or with CID, so they are manually updated here. */
387 ssl->out_msg = ssl->out_buf + written_out;
388 ssl->out_len = ssl->out_buf + len_offset_out;
389 ssl->out_iv = ssl->out_buf + iv_offset_out;
390
391 ssl->in_msg = ssl->in_buf + written_in;
392 ssl->in_len = ssl->in_buf + len_offset_in;
393 ssl->in_iv = ssl->in_buf + iv_offset_in;
394 }
395 }
396 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
397
398 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
399
400 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
401 typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
402 const char *label,
403 const unsigned char *random, size_t rlen,
404 unsigned char *dstbuf, size_t dlen);
405
406 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
407
408 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
409
410 /* Type for the TLS PRF */
411 typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
412 const unsigned char *, size_t,
413 unsigned char *, size_t);
414
415 MBEDTLS_CHECK_RETURN_CRITICAL
416 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
417 int ciphersuite,
418 const unsigned char master[48],
419 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
420 int encrypt_then_mac,
421 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
422 ssl_tls_prf_t tls_prf,
423 const unsigned char randbytes[64],
424 mbedtls_ssl_protocol_version tls_version,
425 unsigned endpoint,
426 const mbedtls_ssl_context *ssl);
427
428 #if defined(MBEDTLS_MD_CAN_SHA256)
429 MBEDTLS_CHECK_RETURN_CRITICAL
430 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
431 const char *label,
432 const unsigned char *random, size_t rlen,
433 unsigned char *dstbuf, size_t dlen);
434 static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
435 static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
436
437 #endif /* MBEDTLS_MD_CAN_SHA256*/
438
439 #if defined(MBEDTLS_MD_CAN_SHA384)
440 MBEDTLS_CHECK_RETURN_CRITICAL
441 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
442 const char *label,
443 const unsigned char *random, size_t rlen,
444 unsigned char *dstbuf, size_t dlen);
445
446 static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
447 static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
448 #endif /* MBEDTLS_MD_CAN_SHA384*/
449
450 MBEDTLS_CHECK_RETURN_CRITICAL
451 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
452 const unsigned char *buf,
453 size_t len);
454 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
455
456 static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
457
458 #if defined(MBEDTLS_MD_CAN_SHA256)
459 static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
460 #endif /* MBEDTLS_MD_CAN_SHA256*/
461
462 #if defined(MBEDTLS_MD_CAN_SHA384)
463 static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
464 #endif /* MBEDTLS_MD_CAN_SHA384*/
465
mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)466 int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
467 const unsigned char *secret, size_t slen,
468 const char *label,
469 const unsigned char *random, size_t rlen,
470 unsigned char *dstbuf, size_t dlen)
471 {
472 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
473
474 switch (prf) {
475 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
476 #if defined(MBEDTLS_MD_CAN_SHA384)
477 case MBEDTLS_SSL_TLS_PRF_SHA384:
478 tls_prf = tls_prf_sha384;
479 break;
480 #endif /* MBEDTLS_MD_CAN_SHA384*/
481 #if defined(MBEDTLS_MD_CAN_SHA256)
482 case MBEDTLS_SSL_TLS_PRF_SHA256:
483 tls_prf = tls_prf_sha256;
484 break;
485 #endif /* MBEDTLS_MD_CAN_SHA256*/
486 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
487 default:
488 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
489 }
490
491 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
492 }
493
494 #if defined(MBEDTLS_X509_CRT_PARSE_C)
ssl_clear_peer_cert(mbedtls_ssl_session * session)495 static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
496 {
497 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
498 if (session->peer_cert != NULL) {
499 mbedtls_x509_crt_free(session->peer_cert);
500 mbedtls_free(session->peer_cert);
501 session->peer_cert = NULL;
502 }
503 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
504 if (session->peer_cert_digest != NULL) {
505 /* Zeroization is not necessary. */
506 mbedtls_free(session->peer_cert_digest);
507 session->peer_cert_digest = NULL;
508 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
509 session->peer_cert_digest_len = 0;
510 }
511 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
512 }
513 #endif /* MBEDTLS_X509_CRT_PARSE_C */
514
mbedtls_ssl_get_extension_id(unsigned int extension_type)515 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
516 {
517 switch (extension_type) {
518 case MBEDTLS_TLS_EXT_SERVERNAME:
519 return MBEDTLS_SSL_EXT_ID_SERVERNAME;
520
521 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
522 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH;
523
524 case MBEDTLS_TLS_EXT_STATUS_REQUEST:
525 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST;
526
527 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
528 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS;
529
530 case MBEDTLS_TLS_EXT_SIG_ALG:
531 return MBEDTLS_SSL_EXT_ID_SIG_ALG;
532
533 case MBEDTLS_TLS_EXT_USE_SRTP:
534 return MBEDTLS_SSL_EXT_ID_USE_SRTP;
535
536 case MBEDTLS_TLS_EXT_HEARTBEAT:
537 return MBEDTLS_SSL_EXT_ID_HEARTBEAT;
538
539 case MBEDTLS_TLS_EXT_ALPN:
540 return MBEDTLS_SSL_EXT_ID_ALPN;
541
542 case MBEDTLS_TLS_EXT_SCT:
543 return MBEDTLS_SSL_EXT_ID_SCT;
544
545 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
546 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE;
547
548 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
549 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE;
550
551 case MBEDTLS_TLS_EXT_PADDING:
552 return MBEDTLS_SSL_EXT_ID_PADDING;
553
554 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
555 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY;
556
557 case MBEDTLS_TLS_EXT_EARLY_DATA:
558 return MBEDTLS_SSL_EXT_ID_EARLY_DATA;
559
560 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
561 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS;
562
563 case MBEDTLS_TLS_EXT_COOKIE:
564 return MBEDTLS_SSL_EXT_ID_COOKIE;
565
566 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
567 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES;
568
569 case MBEDTLS_TLS_EXT_CERT_AUTH:
570 return MBEDTLS_SSL_EXT_ID_CERT_AUTH;
571
572 case MBEDTLS_TLS_EXT_OID_FILTERS:
573 return MBEDTLS_SSL_EXT_ID_OID_FILTERS;
574
575 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
576 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH;
577
578 case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
579 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT;
580
581 case MBEDTLS_TLS_EXT_KEY_SHARE:
582 return MBEDTLS_SSL_EXT_ID_KEY_SHARE;
583
584 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
585 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC;
586
587 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
588 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS;
589
590 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
591 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC;
592
593 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
594 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET;
595
596 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
597 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT;
598
599 case MBEDTLS_TLS_EXT_SESSION_TICKET:
600 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET;
601
602 }
603
604 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
605 }
606
mbedtls_ssl_get_extension_mask(unsigned int extension_type)607 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
608 {
609 return 1 << mbedtls_ssl_get_extension_id(extension_type);
610 }
611
612 #if defined(MBEDTLS_DEBUG_C)
613 static const char *extension_name_table[] = {
614 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
615 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
616 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
617 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
618 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
619 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
620 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
621 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
622 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
623 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
624 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
625 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
626 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
627 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
628 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
629 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
630 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
631 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
632 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
633 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
634 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
635 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
636 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
637 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
638 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
639 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
640 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
641 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
642 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
643 };
644
645 static const unsigned int extension_type_table[] = {
646 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
647 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
648 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
649 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
650 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
651 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
652 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
653 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
654 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
655 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
656 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
657 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
658 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
659 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
660 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
661 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
662 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
663 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
664 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
665 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
666 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
667 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
668 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
669 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
670 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
671 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
672 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
673 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
674 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
675 };
676
mbedtls_ssl_get_extension_name(unsigned int extension_type)677 const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
678 {
679 return extension_name_table[
680 mbedtls_ssl_get_extension_id(extension_type)];
681 }
682
ssl_tls13_get_hs_msg_name(int hs_msg_type)683 static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
684 {
685 switch (hs_msg_type) {
686 case MBEDTLS_SSL_HS_CLIENT_HELLO:
687 return "ClientHello";
688 case MBEDTLS_SSL_HS_SERVER_HELLO:
689 return "ServerHello";
690 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
691 return "HelloRetryRequest";
692 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
693 return "NewSessionTicket";
694 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
695 return "EncryptedExtensions";
696 case MBEDTLS_SSL_HS_CERTIFICATE:
697 return "Certificate";
698 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
699 return "CertificateRequest";
700 }
701 return "Unknown";
702 }
703
mbedtls_ssl_print_extension(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,unsigned int extension_type,const char * extra_msg0,const char * extra_msg1)704 void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
705 int level, const char *file, int line,
706 int hs_msg_type, unsigned int extension_type,
707 const char *extra_msg0, const char *extra_msg1)
708 {
709 const char *extra_msg;
710 if (extra_msg0 && extra_msg1) {
711 mbedtls_debug_print_msg(
712 ssl, level, file, line,
713 "%s: %s(%u) extension %s %s.",
714 ssl_tls13_get_hs_msg_name(hs_msg_type),
715 mbedtls_ssl_get_extension_name(extension_type),
716 extension_type,
717 extra_msg0, extra_msg1);
718 return;
719 }
720
721 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
722 if (extra_msg) {
723 mbedtls_debug_print_msg(
724 ssl, level, file, line,
725 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
726 mbedtls_ssl_get_extension_name(extension_type), extension_type,
727 extra_msg);
728 return;
729 }
730
731 mbedtls_debug_print_msg(
732 ssl, level, file, line,
733 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
734 mbedtls_ssl_get_extension_name(extension_type), extension_type);
735 }
736
mbedtls_ssl_print_extensions(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,uint32_t extensions_mask,const char * extra)737 void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
738 int level, const char *file, int line,
739 int hs_msg_type, uint32_t extensions_mask,
740 const char *extra)
741 {
742
743 for (unsigned i = 0;
744 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
745 i++) {
746 mbedtls_ssl_print_extension(
747 ssl, level, file, line, hs_msg_type, extension_type_table[i],
748 extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
749 }
750 }
751
752 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
753 static const char *ticket_flag_name_table[] =
754 {
755 [0] = "ALLOW_PSK_RESUMPTION",
756 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
757 [3] = "ALLOW_EARLY_DATA",
758 };
759
mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context * ssl,int level,const char * file,int line,unsigned int flags)760 void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
761 int level, const char *file, int line,
762 unsigned int flags)
763 {
764 size_t i;
765
766 mbedtls_debug_print_msg(ssl, level, file, line,
767 "print ticket_flags (0x%02x)", flags);
768
769 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
770
771 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
772 if ((flags & (1 << i))) {
773 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
774 ticket_flag_name_table[i]);
775 }
776 }
777 }
778 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
779
780 #endif /* MBEDTLS_DEBUG_C */
781
mbedtls_ssl_optimize_checksum(mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * ciphersuite_info)782 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
783 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
784 {
785 ((void) ciphersuite_info);
786
787 #if defined(MBEDTLS_MD_CAN_SHA384)
788 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
789 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
790 } else
791 #endif
792 #if defined(MBEDTLS_MD_CAN_SHA256)
793 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
794 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
795 } else
796 #endif
797 {
798 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
799 return;
800 }
801 }
802
mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,size_t total_hs_len)803 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
804 unsigned hs_type,
805 size_t total_hs_len)
806 {
807 unsigned char hs_hdr[4];
808
809 /* Build HS header for checksum update. */
810 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
811 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
812 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
813 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
814
815 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
816 }
817
mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,unsigned char const * msg,size_t msg_len)818 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
819 unsigned hs_type,
820 unsigned char const *msg,
821 size_t msg_len)
822 {
823 int ret;
824 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
825 if (ret != 0) {
826 return ret;
827 }
828 return ssl->handshake->update_checksum(ssl, msg, msg_len);
829 }
830
mbedtls_ssl_reset_checksum(mbedtls_ssl_context * ssl)831 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
832 {
833 #if defined(MBEDTLS_MD_CAN_SHA256) || \
834 defined(MBEDTLS_MD_CAN_SHA384)
835 #if defined(MBEDTLS_USE_PSA_CRYPTO)
836 psa_status_t status;
837 #else
838 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
839 #endif
840 #else /* SHA-256 or SHA-384 */
841 ((void) ssl);
842 #endif /* SHA-256 or SHA-384 */
843 #if defined(MBEDTLS_MD_CAN_SHA256)
844 #if defined(MBEDTLS_USE_PSA_CRYPTO)
845 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
846 if (status != PSA_SUCCESS) {
847 return mbedtls_md_error_from_psa(status);
848 }
849 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
850 if (status != PSA_SUCCESS) {
851 return mbedtls_md_error_from_psa(status);
852 }
853 #else
854 mbedtls_md_free(&ssl->handshake->fin_sha256);
855 mbedtls_md_init(&ssl->handshake->fin_sha256);
856 ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
857 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
858 0);
859 if (ret != 0) {
860 return ret;
861 }
862 ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
863 if (ret != 0) {
864 return ret;
865 }
866 #endif
867 #endif
868 #if defined(MBEDTLS_MD_CAN_SHA384)
869 #if defined(MBEDTLS_USE_PSA_CRYPTO)
870 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
871 if (status != PSA_SUCCESS) {
872 return mbedtls_md_error_from_psa(status);
873 }
874 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
875 if (status != PSA_SUCCESS) {
876 return mbedtls_md_error_from_psa(status);
877 }
878 #else
879 mbedtls_md_free(&ssl->handshake->fin_sha384);
880 mbedtls_md_init(&ssl->handshake->fin_sha384);
881 ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
882 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
883 if (ret != 0) {
884 return ret;
885 }
886 ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
887 if (ret != 0) {
888 return ret;
889 }
890 #endif
891 #endif
892 return 0;
893 }
894
ssl_update_checksum_start(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)895 static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
896 const unsigned char *buf, size_t len)
897 {
898 #if defined(MBEDTLS_MD_CAN_SHA256) || \
899 defined(MBEDTLS_MD_CAN_SHA384)
900 #if defined(MBEDTLS_USE_PSA_CRYPTO)
901 psa_status_t status;
902 #else
903 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
904 #endif
905 #else /* SHA-256 or SHA-384 */
906 ((void) ssl);
907 (void) buf;
908 (void) len;
909 #endif /* SHA-256 or SHA-384 */
910 #if defined(MBEDTLS_MD_CAN_SHA256)
911 #if defined(MBEDTLS_USE_PSA_CRYPTO)
912 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
913 if (status != PSA_SUCCESS) {
914 return mbedtls_md_error_from_psa(status);
915 }
916 #else
917 ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
918 if (ret != 0) {
919 return ret;
920 }
921 #endif
922 #endif
923 #if defined(MBEDTLS_MD_CAN_SHA384)
924 #if defined(MBEDTLS_USE_PSA_CRYPTO)
925 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
926 if (status != PSA_SUCCESS) {
927 return mbedtls_md_error_from_psa(status);
928 }
929 #else
930 ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
931 if (ret != 0) {
932 return ret;
933 }
934 #endif
935 #endif
936 return 0;
937 }
938
939 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_update_checksum_sha256(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)940 static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
941 const unsigned char *buf, size_t len)
942 {
943 #if defined(MBEDTLS_USE_PSA_CRYPTO)
944 return mbedtls_md_error_from_psa(psa_hash_update(
945 &ssl->handshake->fin_sha256_psa, buf, len));
946 #else
947 return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
948 #endif
949 }
950 #endif
951
952 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_update_checksum_sha384(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)953 static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
954 const unsigned char *buf, size_t len)
955 {
956 #if defined(MBEDTLS_USE_PSA_CRYPTO)
957 return mbedtls_md_error_from_psa(psa_hash_update(
958 &ssl->handshake->fin_sha384_psa, buf, len));
959 #else
960 return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
961 #endif
962 }
963 #endif
964
ssl_handshake_params_init(mbedtls_ssl_handshake_params * handshake)965 static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
966 {
967 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
968
969 #if defined(MBEDTLS_MD_CAN_SHA256)
970 #if defined(MBEDTLS_USE_PSA_CRYPTO)
971 handshake->fin_sha256_psa = psa_hash_operation_init();
972 #else
973 mbedtls_md_init(&handshake->fin_sha256);
974 #endif
975 #endif
976 #if defined(MBEDTLS_MD_CAN_SHA384)
977 #if defined(MBEDTLS_USE_PSA_CRYPTO)
978 handshake->fin_sha384_psa = psa_hash_operation_init();
979 #else
980 mbedtls_md_init(&handshake->fin_sha384);
981 #endif
982 #endif
983
984 handshake->update_checksum = ssl_update_checksum_start;
985
986 #if defined(MBEDTLS_DHM_C)
987 mbedtls_dhm_init(&handshake->dhm_ctx);
988 #endif
989 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
990 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
991 mbedtls_ecdh_init(&handshake->ecdh_ctx);
992 #endif
993 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
994 #if defined(MBEDTLS_USE_PSA_CRYPTO)
995 handshake->psa_pake_ctx = psa_pake_operation_init();
996 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
997 #else
998 mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
999 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1000 #if defined(MBEDTLS_SSL_CLI_C)
1001 handshake->ecjpake_cache = NULL;
1002 handshake->ecjpake_cache_len = 0;
1003 #endif
1004 #endif
1005
1006 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
1007 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
1008 #endif
1009
1010 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1011 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
1012 #endif
1013
1014 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1015 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1016 mbedtls_pk_init(&handshake->peer_pubkey);
1017 #endif
1018 }
1019
mbedtls_ssl_transform_init(mbedtls_ssl_transform * transform)1020 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
1021 {
1022 memset(transform, 0, sizeof(mbedtls_ssl_transform));
1023
1024 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1025 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
1026 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
1027 #else
1028 mbedtls_cipher_init(&transform->cipher_ctx_enc);
1029 mbedtls_cipher_init(&transform->cipher_ctx_dec);
1030 #endif
1031
1032 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1033 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1034 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
1035 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
1036 #else
1037 mbedtls_md_init(&transform->md_ctx_enc);
1038 mbedtls_md_init(&transform->md_ctx_dec);
1039 #endif
1040 #endif
1041 }
1042
mbedtls_ssl_session_init(mbedtls_ssl_session * session)1043 void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
1044 {
1045 memset(session, 0, sizeof(mbedtls_ssl_session));
1046 }
1047
1048 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_handshake_init(mbedtls_ssl_context * ssl)1049 static int ssl_handshake_init(mbedtls_ssl_context *ssl)
1050 {
1051 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1052
1053 /* Clear old handshake information if present */
1054 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1055 if (ssl->transform_negotiate) {
1056 mbedtls_ssl_transform_free(ssl->transform_negotiate);
1057 }
1058 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1059 if (ssl->session_negotiate) {
1060 mbedtls_ssl_session_free(ssl->session_negotiate);
1061 }
1062 if (ssl->handshake) {
1063 mbedtls_ssl_handshake_free(ssl);
1064 }
1065
1066 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1067 /*
1068 * Either the pointers are now NULL or cleared properly and can be freed.
1069 * Now allocate missing structures.
1070 */
1071 if (ssl->transform_negotiate == NULL) {
1072 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
1073 }
1074 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1075
1076 if (ssl->session_negotiate == NULL) {
1077 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
1078 }
1079
1080 if (ssl->handshake == NULL) {
1081 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
1082 }
1083 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1084 /* If the buffers are too small - reallocate */
1085
1086 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
1087 MBEDTLS_SSL_OUT_BUFFER_LEN);
1088 #endif
1089
1090 /* All pointers should exist and can be directly freed without issue */
1091 if (ssl->handshake == NULL ||
1092 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1093 ssl->transform_negotiate == NULL ||
1094 #endif
1095 ssl->session_negotiate == NULL) {
1096 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
1097
1098 mbedtls_free(ssl->handshake);
1099 ssl->handshake = NULL;
1100
1101 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1102 mbedtls_free(ssl->transform_negotiate);
1103 ssl->transform_negotiate = NULL;
1104 #endif
1105
1106 mbedtls_free(ssl->session_negotiate);
1107 ssl->session_negotiate = NULL;
1108
1109 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1110 }
1111
1112 #if defined(MBEDTLS_SSL_EARLY_DATA)
1113 #if defined(MBEDTLS_SSL_CLI_C)
1114 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
1115 #endif
1116 #if defined(MBEDTLS_SSL_SRV_C)
1117 ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
1118 #endif
1119 ssl->total_early_data_size = 0;
1120 #endif /* MBEDTLS_SSL_EARLY_DATA */
1121
1122 /* Initialize structures */
1123 mbedtls_ssl_session_init(ssl->session_negotiate);
1124 ssl_handshake_params_init(ssl->handshake);
1125
1126 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1127 mbedtls_ssl_transform_init(ssl->transform_negotiate);
1128 #endif
1129
1130 /* Setup handshake checksums */
1131 ret = mbedtls_ssl_reset_checksum(ssl);
1132 if (ret != 0) {
1133 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1134 return ret;
1135 }
1136
1137 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
1138 defined(MBEDTLS_SSL_SRV_C) && \
1139 defined(MBEDTLS_SSL_SESSION_TICKETS)
1140 ssl->handshake->new_session_tickets_count =
1141 ssl->conf->new_session_tickets_count;
1142 #endif
1143
1144 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1145 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1146 ssl->handshake->alt_transform_out = ssl->transform_out;
1147
1148 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
1149 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
1150 } else {
1151 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
1152 }
1153
1154 mbedtls_ssl_set_timer(ssl, 0);
1155 }
1156 #endif
1157
1158 /*
1159 * curve_list is translated to IANA TLS group identifiers here because
1160 * mbedtls_ssl_conf_curves returns void and so can't return
1161 * any error codes.
1162 */
1163 #if defined(MBEDTLS_ECP_C)
1164 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1165 /* Heap allocate and translate curve_list from internal to IANA group ids */
1166 if (ssl->conf->curve_list != NULL) {
1167 size_t length;
1168 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
1169
1170 for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
1171 }
1172
1173 /* Leave room for zero termination */
1174 uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t));
1175 if (group_list == NULL) {
1176 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1177 }
1178
1179 for (size_t i = 0; i < length; i++) {
1180 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
1181 curve_list[i]);
1182 if (tls_id == 0) {
1183 mbedtls_free(group_list);
1184 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1185 }
1186 group_list[i] = tls_id;
1187 }
1188
1189 group_list[length] = 0;
1190
1191 ssl->handshake->group_list = group_list;
1192 ssl->handshake->group_list_heap_allocated = 1;
1193 } else {
1194 ssl->handshake->group_list = ssl->conf->group_list;
1195 ssl->handshake->group_list_heap_allocated = 0;
1196 }
1197 #endif /* MBEDTLS_DEPRECATED_REMOVED */
1198 #endif /* MBEDTLS_ECP_C */
1199
1200 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1201 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1202 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1203 /* Heap allocate and translate sig_hashes from internal hash identifiers to
1204 signature algorithms IANA identifiers. */
1205 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
1206 ssl->conf->sig_hashes != NULL) {
1207 const int *md;
1208 const int *sig_hashes = ssl->conf->sig_hashes;
1209 size_t sig_algs_len = 0;
1210 uint16_t *p;
1211
1212 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN
1213 <= (SIZE_MAX - (2 * sizeof(uint16_t))),
1214 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");
1215
1216 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1217 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
1218 continue;
1219 }
1220 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1221 sig_algs_len += sizeof(uint16_t);
1222 #endif
1223
1224 #if defined(MBEDTLS_RSA_C)
1225 sig_algs_len += sizeof(uint16_t);
1226 #endif
1227 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
1228 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1229 }
1230 }
1231
1232 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
1233 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1234 }
1235
1236 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
1237 sizeof(uint16_t));
1238 if (ssl->handshake->sig_algs == NULL) {
1239 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1240 }
1241
1242 p = (uint16_t *) ssl->handshake->sig_algs;
1243 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1244 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
1245 if (hash == MBEDTLS_SSL_HASH_NONE) {
1246 continue;
1247 }
1248 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1249 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
1250 p++;
1251 #endif
1252 #if defined(MBEDTLS_RSA_C)
1253 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
1254 p++;
1255 #endif
1256 }
1257 *p = MBEDTLS_TLS_SIG_NONE;
1258 ssl->handshake->sig_algs_heap_allocated = 1;
1259 } else
1260 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1261 {
1262 ssl->handshake->sig_algs_heap_allocated = 0;
1263 }
1264 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1265 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
1266 return 0;
1267 }
1268
1269 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1270 /* Dummy cookie callbacks for defaults */
1271 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_write_dummy(void * ctx,unsigned char ** p,unsigned char * end,const unsigned char * cli_id,size_t cli_id_len)1272 static int ssl_cookie_write_dummy(void *ctx,
1273 unsigned char **p, unsigned char *end,
1274 const unsigned char *cli_id, size_t cli_id_len)
1275 {
1276 ((void) ctx);
1277 ((void) p);
1278 ((void) end);
1279 ((void) cli_id);
1280 ((void) cli_id_len);
1281
1282 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1283 }
1284
1285 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_check_dummy(void * ctx,const unsigned char * cookie,size_t cookie_len,const unsigned char * cli_id,size_t cli_id_len)1286 static int ssl_cookie_check_dummy(void *ctx,
1287 const unsigned char *cookie, size_t cookie_len,
1288 const unsigned char *cli_id, size_t cli_id_len)
1289 {
1290 ((void) ctx);
1291 ((void) cookie);
1292 ((void) cookie_len);
1293 ((void) cli_id);
1294 ((void) cli_id_len);
1295
1296 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1297 }
1298 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
1299
1300 /*
1301 * Initialize an SSL context
1302 */
mbedtls_ssl_init(mbedtls_ssl_context * ssl)1303 void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
1304 {
1305 memset(ssl, 0, sizeof(mbedtls_ssl_context));
1306 }
1307
1308 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_version_check(const mbedtls_ssl_context * ssl)1309 static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
1310 {
1311 const mbedtls_ssl_config *conf = ssl->conf;
1312
1313 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1314 if (mbedtls_ssl_conf_is_tls13_only(conf)) {
1315 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1316 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
1317 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1318 }
1319
1320 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
1321 return 0;
1322 }
1323 #endif
1324
1325 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1326 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
1327 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
1328 return 0;
1329 }
1330 #endif
1331
1332 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
1333 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
1334 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1335 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
1336 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1337 }
1338
1339 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
1340 return 0;
1341 }
1342 #endif
1343
1344 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
1345 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1346 }
1347
1348 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_check(const mbedtls_ssl_context * ssl)1349 static int ssl_conf_check(const mbedtls_ssl_context *ssl)
1350 {
1351 int ret;
1352 ret = ssl_conf_version_check(ssl);
1353 if (ret != 0) {
1354 return ret;
1355 }
1356
1357 if (ssl->conf->f_rng == NULL) {
1358 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
1359 return MBEDTLS_ERR_SSL_NO_RNG;
1360 }
1361
1362 /* Space for further checks */
1363
1364 return 0;
1365 }
1366
1367 /*
1368 * Setup an SSL context
1369 */
1370
mbedtls_ssl_setup(mbedtls_ssl_context * ssl,const mbedtls_ssl_config * conf)1371 int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
1372 const mbedtls_ssl_config *conf)
1373 {
1374 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1375 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1376 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1377
1378 ssl->conf = conf;
1379
1380 if ((ret = ssl_conf_check(ssl)) != 0) {
1381 return ret;
1382 }
1383 ssl->tls_version = ssl->conf->max_tls_version;
1384
1385 /*
1386 * Prepare base structures
1387 */
1388
1389 /* Set to NULL in case of an error condition */
1390 ssl->out_buf = NULL;
1391
1392 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1393 ssl->in_buf_len = in_buf_len;
1394 #endif
1395 ssl->in_buf = mbedtls_calloc(1, in_buf_len);
1396 if (ssl->in_buf == NULL) {
1397 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
1398 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1399 goto error;
1400 }
1401
1402 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1403 ssl->out_buf_len = out_buf_len;
1404 #endif
1405 ssl->out_buf = mbedtls_calloc(1, out_buf_len);
1406 if (ssl->out_buf == NULL) {
1407 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
1408 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1409 goto error;
1410 }
1411
1412 mbedtls_ssl_reset_in_out_pointers(ssl);
1413
1414 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1415 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
1416 #endif
1417
1418 if ((ret = ssl_handshake_init(ssl)) != 0) {
1419 goto error;
1420 }
1421
1422 return 0;
1423
1424 error:
1425 mbedtls_free(ssl->in_buf);
1426 mbedtls_free(ssl->out_buf);
1427
1428 ssl->conf = NULL;
1429
1430 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1431 ssl->in_buf_len = 0;
1432 ssl->out_buf_len = 0;
1433 #endif
1434 ssl->in_buf = NULL;
1435 ssl->out_buf = NULL;
1436
1437 ssl->in_hdr = NULL;
1438 ssl->in_ctr = NULL;
1439 ssl->in_len = NULL;
1440 ssl->in_iv = NULL;
1441 ssl->in_msg = NULL;
1442
1443 ssl->out_hdr = NULL;
1444 ssl->out_ctr = NULL;
1445 ssl->out_len = NULL;
1446 ssl->out_iv = NULL;
1447 ssl->out_msg = NULL;
1448
1449 return ret;
1450 }
1451
1452 /*
1453 * Reset an initialized and used SSL context for re-use while retaining
1454 * all application-set variables, function pointers and data.
1455 *
1456 * If partial is non-zero, keep data in the input buffer and client ID.
1457 * (Use when a DTLS client reconnects from the same port.)
1458 */
mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context * ssl,int partial)1459 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1460 int partial)
1461 {
1462 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1463 size_t in_buf_len = ssl->in_buf_len;
1464 size_t out_buf_len = ssl->out_buf_len;
1465 #else
1466 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1467 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1468 #endif
1469
1470 #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
1471 partial = 0;
1472 #endif
1473
1474 /* Cancel any possibly running timer */
1475 mbedtls_ssl_set_timer(ssl, 0);
1476
1477 mbedtls_ssl_reset_in_out_pointers(ssl);
1478
1479 /* Reset incoming message parsing */
1480 ssl->in_offt = NULL;
1481 ssl->nb_zero = 0;
1482 ssl->in_msgtype = 0;
1483 ssl->in_msglen = 0;
1484 ssl->in_hslen = 0;
1485 ssl->keep_current_message = 0;
1486 ssl->transform_in = NULL;
1487
1488 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1489 ssl->next_record_offset = 0;
1490 ssl->in_epoch = 0;
1491 #endif
1492
1493 /* Keep current datagram if partial == 1 */
1494 if (partial == 0) {
1495 ssl->in_left = 0;
1496 memset(ssl->in_buf, 0, in_buf_len);
1497 }
1498
1499 ssl->send_alert = 0;
1500
1501 /* Reset outgoing message writing */
1502 ssl->out_msgtype = 0;
1503 ssl->out_msglen = 0;
1504 ssl->out_left = 0;
1505 memset(ssl->out_buf, 0, out_buf_len);
1506 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
1507 ssl->transform_out = NULL;
1508
1509 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1510 mbedtls_ssl_dtls_replay_reset(ssl);
1511 #endif
1512
1513 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1514 if (ssl->transform) {
1515 mbedtls_ssl_transform_free(ssl->transform);
1516 mbedtls_free(ssl->transform);
1517 ssl->transform = NULL;
1518 }
1519 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1520
1521 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1522 mbedtls_ssl_transform_free(ssl->transform_application);
1523 mbedtls_free(ssl->transform_application);
1524 ssl->transform_application = NULL;
1525
1526 if (ssl->handshake != NULL) {
1527 #if defined(MBEDTLS_SSL_EARLY_DATA)
1528 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
1529 mbedtls_free(ssl->handshake->transform_earlydata);
1530 ssl->handshake->transform_earlydata = NULL;
1531 #endif
1532
1533 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
1534 mbedtls_free(ssl->handshake->transform_handshake);
1535 ssl->handshake->transform_handshake = NULL;
1536 }
1537
1538 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1539 }
1540
mbedtls_ssl_session_reset_int(mbedtls_ssl_context * ssl,int partial)1541 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
1542 {
1543 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1544
1545 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
1546 ssl->tls_version = ssl->conf->max_tls_version;
1547
1548 mbedtls_ssl_session_reset_msg_layer(ssl, partial);
1549
1550 /* Reset renegotiation state */
1551 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1552 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
1553 ssl->renego_records_seen = 0;
1554
1555 ssl->verify_data_len = 0;
1556 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1557 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1558 #endif
1559 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
1560
1561 ssl->session_in = NULL;
1562 ssl->session_out = NULL;
1563 if (ssl->session) {
1564 mbedtls_ssl_session_free(ssl->session);
1565 mbedtls_free(ssl->session);
1566 ssl->session = NULL;
1567 }
1568
1569 #if defined(MBEDTLS_SSL_ALPN)
1570 ssl->alpn_chosen = NULL;
1571 #endif
1572
1573 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1574 int free_cli_id = 1;
1575 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
1576 free_cli_id = (partial == 0);
1577 #endif
1578 if (free_cli_id) {
1579 mbedtls_free(ssl->cli_id);
1580 ssl->cli_id = NULL;
1581 ssl->cli_id_len = 0;
1582 }
1583 #endif
1584
1585 if ((ret = ssl_handshake_init(ssl)) != 0) {
1586 return ret;
1587 }
1588
1589 return 0;
1590 }
1591
1592 /*
1593 * Reset an initialized and used SSL context for re-use while retaining
1594 * all application-set variables, function pointers and data.
1595 */
mbedtls_ssl_session_reset(mbedtls_ssl_context * ssl)1596 int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
1597 {
1598 return mbedtls_ssl_session_reset_int(ssl, 0);
1599 }
1600
1601 /*
1602 * SSL set accessors
1603 */
mbedtls_ssl_conf_endpoint(mbedtls_ssl_config * conf,int endpoint)1604 void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
1605 {
1606 conf->endpoint = endpoint;
1607 }
1608
mbedtls_ssl_conf_transport(mbedtls_ssl_config * conf,int transport)1609 void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
1610 {
1611 conf->transport = transport;
1612 }
1613
1614 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config * conf,char mode)1615 void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
1616 {
1617 conf->anti_replay = mode;
1618 }
1619 #endif
1620
mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config * conf,unsigned limit)1621 void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
1622 {
1623 conf->badmac_limit = limit;
1624 }
1625
1626 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1627
mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context * ssl,unsigned allow_packing)1628 void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
1629 unsigned allow_packing)
1630 {
1631 ssl->disable_datagram_packing = !allow_packing;
1632 }
1633
mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config * conf,uint32_t min,uint32_t max)1634 void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
1635 uint32_t min, uint32_t max)
1636 {
1637 conf->hs_timeout_min = min;
1638 conf->hs_timeout_max = max;
1639 }
1640 #endif
1641
mbedtls_ssl_conf_authmode(mbedtls_ssl_config * conf,int authmode)1642 void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
1643 {
1644 conf->authmode = authmode;
1645 }
1646
1647 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_verify(mbedtls_ssl_config * conf,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1648 void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
1649 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1650 void *p_vrfy)
1651 {
1652 conf->f_vrfy = f_vrfy;
1653 conf->p_vrfy = p_vrfy;
1654 }
1655 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1656
mbedtls_ssl_conf_rng(mbedtls_ssl_config * conf,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1657 void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
1658 int (*f_rng)(void *, unsigned char *, size_t),
1659 void *p_rng)
1660 {
1661 conf->f_rng = f_rng;
1662 conf->p_rng = p_rng;
1663 }
1664
mbedtls_ssl_conf_dbg(mbedtls_ssl_config * conf,void (* f_dbg)(void *,int,const char *,int,const char *),void * p_dbg)1665 void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
1666 void (*f_dbg)(void *, int, const char *, int, const char *),
1667 void *p_dbg)
1668 {
1669 conf->f_dbg = f_dbg;
1670 conf->p_dbg = p_dbg;
1671 }
1672
mbedtls_ssl_set_bio(mbedtls_ssl_context * ssl,void * p_bio,mbedtls_ssl_send_t * f_send,mbedtls_ssl_recv_t * f_recv,mbedtls_ssl_recv_timeout_t * f_recv_timeout)1673 void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
1674 void *p_bio,
1675 mbedtls_ssl_send_t *f_send,
1676 mbedtls_ssl_recv_t *f_recv,
1677 mbedtls_ssl_recv_timeout_t *f_recv_timeout)
1678 {
1679 ssl->p_bio = p_bio;
1680 ssl->f_send = f_send;
1681 ssl->f_recv = f_recv;
1682 ssl->f_recv_timeout = f_recv_timeout;
1683 }
1684
1685 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_set_mtu(mbedtls_ssl_context * ssl,uint16_t mtu)1686 void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
1687 {
1688 ssl->mtu = mtu;
1689 }
1690 #endif
1691
mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config * conf,uint32_t timeout)1692 void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
1693 {
1694 conf->read_timeout = timeout;
1695 }
1696
mbedtls_ssl_set_timer_cb(mbedtls_ssl_context * ssl,void * p_timer,mbedtls_ssl_set_timer_t * f_set_timer,mbedtls_ssl_get_timer_t * f_get_timer)1697 void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
1698 void *p_timer,
1699 mbedtls_ssl_set_timer_t *f_set_timer,
1700 mbedtls_ssl_get_timer_t *f_get_timer)
1701 {
1702 ssl->p_timer = p_timer;
1703 ssl->f_set_timer = f_set_timer;
1704 ssl->f_get_timer = f_get_timer;
1705
1706 /* Make sure we start with no timer running */
1707 mbedtls_ssl_set_timer(ssl, 0);
1708 }
1709
1710 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_session_cache(mbedtls_ssl_config * conf,void * p_cache,mbedtls_ssl_cache_get_t * f_get_cache,mbedtls_ssl_cache_set_t * f_set_cache)1711 void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
1712 void *p_cache,
1713 mbedtls_ssl_cache_get_t *f_get_cache,
1714 mbedtls_ssl_cache_set_t *f_set_cache)
1715 {
1716 conf->p_cache = p_cache;
1717 conf->f_get_cache = f_get_cache;
1718 conf->f_set_cache = f_set_cache;
1719 }
1720 #endif /* MBEDTLS_SSL_SRV_C */
1721
1722 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_set_session(mbedtls_ssl_context * ssl,const mbedtls_ssl_session * session)1723 int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
1724 {
1725 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1726
1727 if (ssl == NULL ||
1728 session == NULL ||
1729 ssl->session_negotiate == NULL ||
1730 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
1731 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1732 }
1733
1734 if (ssl->handshake->resume == 1) {
1735 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1736 }
1737
1738 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1739 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
1740 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1741 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1742 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
1743
1744 if (mbedtls_ssl_validate_ciphersuite(
1745 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
1746 MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
1747 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
1748 session->ciphersuite));
1749 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1750 }
1751 #else
1752 /*
1753 * If session tickets are not enabled, it is not possible to resume a
1754 * TLS 1.3 session, thus do not make any change to the SSL context in
1755 * the first place.
1756 */
1757 return 0;
1758 #endif
1759 }
1760 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1761
1762 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
1763 session)) != 0) {
1764 return ret;
1765 }
1766
1767 ssl->handshake->resume = 1;
1768
1769 return 0;
1770 }
1771 #endif /* MBEDTLS_SSL_CLI_C */
1772
mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config * conf,const int * ciphersuites)1773 void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
1774 const int *ciphersuites)
1775 {
1776 conf->ciphersuite_list = ciphersuites;
1777 }
1778
1779 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config * conf,const int kex_modes)1780 void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
1781 const int kex_modes)
1782 {
1783 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
1784 }
1785
1786 #if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_conf_early_data(mbedtls_ssl_config * conf,int early_data_enabled)1787 void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
1788 int early_data_enabled)
1789 {
1790 conf->early_data_enabled = early_data_enabled;
1791 }
1792
1793 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_max_early_data_size(mbedtls_ssl_config * conf,uint32_t max_early_data_size)1794 void mbedtls_ssl_conf_max_early_data_size(
1795 mbedtls_ssl_config *conf, uint32_t max_early_data_size)
1796 {
1797 conf->max_early_data_size = max_early_data_size;
1798 }
1799 #endif /* MBEDTLS_SSL_SRV_C */
1800
1801 #endif /* MBEDTLS_SSL_EARLY_DATA */
1802 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1803
1804 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config * conf,const mbedtls_x509_crt_profile * profile)1805 void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
1806 const mbedtls_x509_crt_profile *profile)
1807 {
1808 conf->cert_profile = profile;
1809 }
1810
ssl_key_cert_free(mbedtls_ssl_key_cert * key_cert)1811 static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
1812 {
1813 mbedtls_ssl_key_cert *cur = key_cert, *next;
1814
1815 while (cur != NULL) {
1816 next = cur->next;
1817 mbedtls_free(cur);
1818 cur = next;
1819 }
1820 }
1821
1822 /* Append a new keycert entry to a (possibly empty) list */
1823 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_append_key_cert(mbedtls_ssl_key_cert ** head,mbedtls_x509_crt * cert,mbedtls_pk_context * key)1824 static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
1825 mbedtls_x509_crt *cert,
1826 mbedtls_pk_context *key)
1827 {
1828 mbedtls_ssl_key_cert *new_cert;
1829
1830 if (cert == NULL) {
1831 /* Free list if cert is null */
1832 ssl_key_cert_free(*head);
1833 *head = NULL;
1834 return 0;
1835 }
1836
1837 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
1838 if (new_cert == NULL) {
1839 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1840 }
1841
1842 new_cert->cert = cert;
1843 new_cert->key = key;
1844 new_cert->next = NULL;
1845
1846 /* Update head if the list was null, else add to the end */
1847 if (*head == NULL) {
1848 *head = new_cert;
1849 } else {
1850 mbedtls_ssl_key_cert *cur = *head;
1851 while (cur->next != NULL) {
1852 cur = cur->next;
1853 }
1854 cur->next = new_cert;
1855 }
1856
1857 return 0;
1858 }
1859
mbedtls_ssl_conf_own_cert(mbedtls_ssl_config * conf,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1860 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
1861 mbedtls_x509_crt *own_cert,
1862 mbedtls_pk_context *pk_key)
1863 {
1864 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
1865 }
1866
mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config * conf,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1867 void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
1868 mbedtls_x509_crt *ca_chain,
1869 mbedtls_x509_crl *ca_crl)
1870 {
1871 conf->ca_chain = ca_chain;
1872 conf->ca_crl = ca_crl;
1873
1874 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1875 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1876 * cannot be used together. */
1877 conf->f_ca_cb = NULL;
1878 conf->p_ca_cb = NULL;
1879 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1880 }
1881
1882 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config * conf,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb)1883 void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
1884 mbedtls_x509_crt_ca_cb_t f_ca_cb,
1885 void *p_ca_cb)
1886 {
1887 conf->f_ca_cb = f_ca_cb;
1888 conf->p_ca_cb = p_ca_cb;
1889
1890 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1891 * cannot be used together. */
1892 conf->ca_chain = NULL;
1893 conf->ca_crl = NULL;
1894 }
1895 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1896 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1897
1898 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_get_hs_sni(mbedtls_ssl_context * ssl,size_t * name_len)1899 const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
1900 size_t *name_len)
1901 {
1902 *name_len = ssl->handshake->sni_name_len;
1903 return ssl->handshake->sni_name;
1904 }
1905
mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context * ssl,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1906 int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
1907 mbedtls_x509_crt *own_cert,
1908 mbedtls_pk_context *pk_key)
1909 {
1910 return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
1911 own_cert, pk_key);
1912 }
1913
mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1914 void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
1915 mbedtls_x509_crt *ca_chain,
1916 mbedtls_x509_crl *ca_crl)
1917 {
1918 ssl->handshake->sni_ca_chain = ca_chain;
1919 ssl->handshake->sni_ca_crl = ca_crl;
1920 }
1921
1922 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context * ssl,const mbedtls_x509_crt * crt)1923 void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
1924 const mbedtls_x509_crt *crt)
1925 {
1926 ssl->handshake->dn_hints = crt;
1927 }
1928 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
1929
mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context * ssl,int authmode)1930 void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
1931 int authmode)
1932 {
1933 ssl->handshake->sni_authmode = authmode;
1934 }
1935 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1936
1937 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_verify(mbedtls_ssl_context * ssl,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1938 void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
1939 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1940 void *p_vrfy)
1941 {
1942 ssl->f_vrfy = f_vrfy;
1943 ssl->p_vrfy = p_vrfy;
1944 }
1945 #endif
1946
1947 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1948
1949 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1950 static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
1951 static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
1952
mbedtls_ssl_set_hs_ecjpake_password_common(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)1953 static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
1954 mbedtls_ssl_context *ssl,
1955 mbedtls_svc_key_id_t pwd)
1956 {
1957 psa_status_t status;
1958 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
1959 const uint8_t *user = NULL;
1960 size_t user_len = 0;
1961 const uint8_t *peer = NULL;
1962 size_t peer_len = 0;
1963 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
1964 psa_pake_cs_set_primitive(&cipher_suite,
1965 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
1966 PSA_ECC_FAMILY_SECP_R1,
1967 256));
1968 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
1969
1970 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite);
1971 if (status != PSA_SUCCESS) {
1972 return status;
1973 }
1974
1975 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
1976 user = jpake_server_id;
1977 user_len = sizeof(jpake_server_id);
1978 peer = jpake_client_id;
1979 peer_len = sizeof(jpake_client_id);
1980 } else {
1981 user = jpake_client_id;
1982 user_len = sizeof(jpake_client_id);
1983 peer = jpake_server_id;
1984 peer_len = sizeof(jpake_server_id);
1985 }
1986
1987 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
1988 if (status != PSA_SUCCESS) {
1989 return status;
1990 }
1991
1992 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
1993 if (status != PSA_SUCCESS) {
1994 return status;
1995 }
1996
1997 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd);
1998 if (status != PSA_SUCCESS) {
1999 return status;
2000 }
2001
2002 ssl->handshake->psa_pake_ctx_is_ok = 1;
2003
2004 return PSA_SUCCESS;
2005 }
2006
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)2007 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2008 const unsigned char *pw,
2009 size_t pw_len)
2010 {
2011 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
2012 psa_status_t status;
2013
2014 if (ssl->handshake == NULL || ssl->conf == NULL) {
2015 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2016 }
2017
2018 /* Empty password is not valid */
2019 if ((pw == NULL) || (pw_len == 0)) {
2020 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2021 }
2022
2023 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
2024 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
2025 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
2026
2027 status = psa_import_key(&attributes, pw, pw_len,
2028 &ssl->handshake->psa_pake_password);
2029 if (status != PSA_SUCCESS) {
2030 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2031 }
2032
2033 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
2034 ssl->handshake->psa_pake_password);
2035 if (status != PSA_SUCCESS) {
2036 psa_destroy_key(ssl->handshake->psa_pake_password);
2037 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2038 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2039 }
2040
2041 return 0;
2042 }
2043
mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)2044 int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
2045 mbedtls_svc_key_id_t pwd)
2046 {
2047 psa_status_t status;
2048
2049 if (ssl->handshake == NULL || ssl->conf == NULL) {
2050 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2051 }
2052
2053 if (mbedtls_svc_key_id_is_null(pwd)) {
2054 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2055 }
2056
2057 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
2058 if (status != PSA_SUCCESS) {
2059 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2060 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2061 }
2062
2063 return 0;
2064 }
2065 #else /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)2066 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2067 const unsigned char *pw,
2068 size_t pw_len)
2069 {
2070 mbedtls_ecjpake_role role;
2071
2072 if (ssl->handshake == NULL || ssl->conf == NULL) {
2073 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2074 }
2075
2076 /* Empty password is not valid */
2077 if ((pw == NULL) || (pw_len == 0)) {
2078 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2079 }
2080
2081 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
2082 role = MBEDTLS_ECJPAKE_SERVER;
2083 } else {
2084 role = MBEDTLS_ECJPAKE_CLIENT;
2085 }
2086
2087 return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx,
2088 role,
2089 MBEDTLS_MD_SHA256,
2090 MBEDTLS_ECP_DP_SECP256R1,
2091 pw, pw_len);
2092 }
2093 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2094 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2095
2096 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const * conf)2097 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
2098 {
2099 if (conf->psk_identity == NULL ||
2100 conf->psk_identity_len == 0) {
2101 return 0;
2102 }
2103
2104 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2105 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2106 return 1;
2107 }
2108 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2109
2110 if (conf->psk != NULL && conf->psk_len != 0) {
2111 return 1;
2112 }
2113
2114 return 0;
2115 }
2116
ssl_conf_remove_psk(mbedtls_ssl_config * conf)2117 static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
2118 {
2119 /* Remove reference to existing PSK, if any. */
2120 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2121 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2122 /* The maintenance of the PSK key slot is the
2123 * user's responsibility. */
2124 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2125 }
2126 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2127 if (conf->psk != NULL) {
2128 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
2129 conf->psk = NULL;
2130 conf->psk_len = 0;
2131 }
2132
2133 /* Remove reference to PSK identity, if any. */
2134 if (conf->psk_identity != NULL) {
2135 mbedtls_free(conf->psk_identity);
2136 conf->psk_identity = NULL;
2137 conf->psk_identity_len = 0;
2138 }
2139 }
2140
2141 /* This function assumes that PSK identity in the SSL config is unset.
2142 * It checks that the provided identity is well-formed and attempts
2143 * to make a copy of it in the SSL config.
2144 * On failure, the PSK identity in the config remains unset. */
2145 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_set_psk_identity(mbedtls_ssl_config * conf,unsigned char const * psk_identity,size_t psk_identity_len)2146 static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
2147 unsigned char const *psk_identity,
2148 size_t psk_identity_len)
2149 {
2150 /* Identity len will be encoded on two bytes */
2151 if (psk_identity == NULL ||
2152 psk_identity_len == 0 ||
2153 (psk_identity_len >> 16) != 0 ||
2154 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2155 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2156 }
2157
2158 conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
2159 if (conf->psk_identity == NULL) {
2160 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2161 }
2162
2163 conf->psk_identity_len = psk_identity_len;
2164 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
2165
2166 return 0;
2167 }
2168
mbedtls_ssl_conf_psk(mbedtls_ssl_config * conf,const unsigned char * psk,size_t psk_len,const unsigned char * psk_identity,size_t psk_identity_len)2169 int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
2170 const unsigned char *psk, size_t psk_len,
2171 const unsigned char *psk_identity, size_t psk_identity_len)
2172 {
2173 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2174
2175 /* We currently only support one PSK, raw or opaque. */
2176 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2177 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2178 }
2179
2180 /* Check and set raw PSK */
2181 if (psk == NULL) {
2182 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2183 }
2184 if (psk_len == 0) {
2185 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2186 }
2187 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2188 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2189 }
2190
2191 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2192 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2193 }
2194 conf->psk_len = psk_len;
2195 memcpy(conf->psk, psk, conf->psk_len);
2196
2197 /* Check and set PSK Identity */
2198 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
2199 if (ret != 0) {
2200 ssl_conf_remove_psk(conf);
2201 }
2202
2203 return ret;
2204 }
2205
ssl_remove_psk(mbedtls_ssl_context * ssl)2206 static void ssl_remove_psk(mbedtls_ssl_context *ssl)
2207 {
2208 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2209 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
2210 /* The maintenance of the external PSK key slot is the
2211 * user's responsibility. */
2212 if (ssl->handshake->psk_opaque_is_internal) {
2213 psa_destroy_key(ssl->handshake->psk_opaque);
2214 ssl->handshake->psk_opaque_is_internal = 0;
2215 }
2216 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2217 }
2218 #else
2219 if (ssl->handshake->psk != NULL) {
2220 mbedtls_zeroize_and_free(ssl->handshake->psk,
2221 ssl->handshake->psk_len);
2222 ssl->handshake->psk_len = 0;
2223 ssl->handshake->psk = NULL;
2224 }
2225 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2226 }
2227
mbedtls_ssl_set_hs_psk(mbedtls_ssl_context * ssl,const unsigned char * psk,size_t psk_len)2228 int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
2229 const unsigned char *psk, size_t psk_len)
2230 {
2231 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2232 psa_key_attributes_t key_attributes = psa_key_attributes_init();
2233 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2234 psa_algorithm_t alg = PSA_ALG_NONE;
2235 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
2236 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2237
2238 if (psk == NULL || ssl->handshake == NULL) {
2239 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2240 }
2241
2242 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2243 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2244 }
2245
2246 ssl_remove_psk(ssl);
2247
2248 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2249 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2250 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2251 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
2252 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
2253 } else {
2254 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
2255 }
2256 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2257 }
2258 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2259
2260 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2261 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2262 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
2263 psa_set_key_usage_flags(&key_attributes,
2264 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
2265 }
2266 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2267
2268 psa_set_key_algorithm(&key_attributes, alg);
2269 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
2270
2271 status = psa_import_key(&key_attributes, psk, psk_len, &key);
2272 if (status != PSA_SUCCESS) {
2273 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2274 }
2275
2276 /* Allow calling psa_destroy_key() on psk remove */
2277 ssl->handshake->psk_opaque_is_internal = 1;
2278 return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
2279 #else
2280 if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2281 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2282 }
2283
2284 ssl->handshake->psk_len = psk_len;
2285 memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);
2286
2287 return 0;
2288 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2289 }
2290
2291 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config * conf,mbedtls_svc_key_id_t psk,const unsigned char * psk_identity,size_t psk_identity_len)2292 int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
2293 mbedtls_svc_key_id_t psk,
2294 const unsigned char *psk_identity,
2295 size_t psk_identity_len)
2296 {
2297 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2298
2299 /* We currently only support one PSK, raw or opaque. */
2300 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2301 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2302 }
2303
2304 /* Check and set opaque PSK */
2305 if (mbedtls_svc_key_id_is_null(psk)) {
2306 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2307 }
2308 conf->psk_opaque = psk;
2309
2310 /* Check and set PSK Identity */
2311 ret = ssl_conf_set_psk_identity(conf, psk_identity,
2312 psk_identity_len);
2313 if (ret != 0) {
2314 ssl_conf_remove_psk(conf);
2315 }
2316
2317 return ret;
2318 }
2319
mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t psk)2320 int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
2321 mbedtls_svc_key_id_t psk)
2322 {
2323 if ((mbedtls_svc_key_id_is_null(psk)) ||
2324 (ssl->handshake == NULL)) {
2325 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2326 }
2327
2328 ssl_remove_psk(ssl);
2329 ssl->handshake->psk_opaque = psk;
2330 return 0;
2331 }
2332 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2333
2334 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config * conf,int (* f_psk)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_psk)2335 void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
2336 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
2337 size_t),
2338 void *p_psk)
2339 {
2340 conf->f_psk = f_psk;
2341 conf->p_psk = p_psk;
2342 }
2343 #endif /* MBEDTLS_SSL_SRV_C */
2344
2345 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2346
2347 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_base_mode(psa_algorithm_t alg)2348 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2349 psa_algorithm_t alg)
2350 {
2351 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2352 if (alg == PSA_ALG_CBC_NO_PADDING) {
2353 return MBEDTLS_SSL_MODE_CBC;
2354 }
2355 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2356 if (PSA_ALG_IS_AEAD(alg)) {
2357 return MBEDTLS_SSL_MODE_AEAD;
2358 }
2359 return MBEDTLS_SSL_MODE_STREAM;
2360 }
2361
2362 #else /* MBEDTLS_USE_PSA_CRYPTO */
2363
mbedtls_ssl_get_base_mode(mbedtls_cipher_mode_t mode)2364 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2365 mbedtls_cipher_mode_t mode)
2366 {
2367 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2368 if (mode == MBEDTLS_MODE_CBC) {
2369 return MBEDTLS_SSL_MODE_CBC;
2370 }
2371 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2372
2373 #if defined(MBEDTLS_GCM_C) || \
2374 defined(MBEDTLS_CCM_C) || \
2375 defined(MBEDTLS_CHACHAPOLY_C)
2376 if (mode == MBEDTLS_MODE_GCM ||
2377 mode == MBEDTLS_MODE_CCM ||
2378 mode == MBEDTLS_MODE_CHACHAPOLY) {
2379 return MBEDTLS_SSL_MODE_AEAD;
2380 }
2381 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
2382
2383 return MBEDTLS_SSL_MODE_STREAM;
2384 }
2385 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2386
mbedtls_ssl_get_actual_mode(mbedtls_ssl_mode_t base_mode,int encrypt_then_mac)2387 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
2388 mbedtls_ssl_mode_t base_mode,
2389 int encrypt_then_mac)
2390 {
2391 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2392 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
2393 base_mode == MBEDTLS_SSL_MODE_CBC) {
2394 return MBEDTLS_SSL_MODE_CBC_ETM;
2395 }
2396 #else
2397 (void) encrypt_then_mac;
2398 #endif
2399 return base_mode;
2400 }
2401
mbedtls_ssl_get_mode_from_transform(const mbedtls_ssl_transform * transform)2402 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2403 const mbedtls_ssl_transform *transform)
2404 {
2405 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
2406 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2407 transform->psa_alg
2408 #else
2409 mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)
2410 #endif
2411 );
2412
2413 int encrypt_then_mac = 0;
2414 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2415 encrypt_then_mac = transform->encrypt_then_mac;
2416 #endif
2417 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2418 }
2419
mbedtls_ssl_get_mode_from_ciphersuite(int encrypt_then_mac,const mbedtls_ssl_ciphersuite_t * suite)2420 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2421 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2422 int encrypt_then_mac,
2423 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2424 const mbedtls_ssl_ciphersuite_t *suite)
2425 {
2426 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
2427
2428 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2429 psa_status_t status;
2430 psa_algorithm_t alg;
2431 psa_key_type_t type;
2432 size_t size;
2433 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher,
2434 0, &alg, &type, &size);
2435 if (status == PSA_SUCCESS) {
2436 base_mode = mbedtls_ssl_get_base_mode(alg);
2437 }
2438 #else
2439 const mbedtls_cipher_info_t *cipher =
2440 mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher);
2441 if (cipher != NULL) {
2442 base_mode =
2443 mbedtls_ssl_get_base_mode(
2444 mbedtls_cipher_info_get_mode(cipher));
2445 }
2446 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2447
2448 #if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2449 int encrypt_then_mac = 0;
2450 #endif
2451 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2452 }
2453
2454 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2455
mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,size_t taglen,psa_algorithm_t * alg,psa_key_type_t * key_type,size_t * key_size)2456 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2457 size_t taglen,
2458 psa_algorithm_t *alg,
2459 psa_key_type_t *key_type,
2460 size_t *key_size)
2461 {
2462 #if !defined(MBEDTLS_SSL_HAVE_CCM)
2463 (void) taglen;
2464 #endif
2465 switch (mbedtls_cipher_type) {
2466 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2467 case MBEDTLS_CIPHER_AES_128_CBC:
2468 *alg = PSA_ALG_CBC_NO_PADDING;
2469 *key_type = PSA_KEY_TYPE_AES;
2470 *key_size = 128;
2471 break;
2472 #endif
2473 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2474 case MBEDTLS_CIPHER_AES_128_CCM:
2475 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2476 *key_type = PSA_KEY_TYPE_AES;
2477 *key_size = 128;
2478 break;
2479 #endif
2480 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2481 case MBEDTLS_CIPHER_AES_128_GCM:
2482 *alg = PSA_ALG_GCM;
2483 *key_type = PSA_KEY_TYPE_AES;
2484 *key_size = 128;
2485 break;
2486 #endif
2487 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2488 case MBEDTLS_CIPHER_AES_192_CCM:
2489 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2490 *key_type = PSA_KEY_TYPE_AES;
2491 *key_size = 192;
2492 break;
2493 #endif
2494 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2495 case MBEDTLS_CIPHER_AES_192_GCM:
2496 *alg = PSA_ALG_GCM;
2497 *key_type = PSA_KEY_TYPE_AES;
2498 *key_size = 192;
2499 break;
2500 #endif
2501 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2502 case MBEDTLS_CIPHER_AES_256_CBC:
2503 *alg = PSA_ALG_CBC_NO_PADDING;
2504 *key_type = PSA_KEY_TYPE_AES;
2505 *key_size = 256;
2506 break;
2507 #endif
2508 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2509 case MBEDTLS_CIPHER_AES_256_CCM:
2510 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2511 *key_type = PSA_KEY_TYPE_AES;
2512 *key_size = 256;
2513 break;
2514 #endif
2515 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2516 case MBEDTLS_CIPHER_AES_256_GCM:
2517 *alg = PSA_ALG_GCM;
2518 *key_type = PSA_KEY_TYPE_AES;
2519 *key_size = 256;
2520 break;
2521 #endif
2522 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2523 case MBEDTLS_CIPHER_ARIA_128_CBC:
2524 *alg = PSA_ALG_CBC_NO_PADDING;
2525 *key_type = PSA_KEY_TYPE_ARIA;
2526 *key_size = 128;
2527 break;
2528 #endif
2529 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2530 case MBEDTLS_CIPHER_ARIA_128_CCM:
2531 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2532 *key_type = PSA_KEY_TYPE_ARIA;
2533 *key_size = 128;
2534 break;
2535 #endif
2536 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2537 case MBEDTLS_CIPHER_ARIA_128_GCM:
2538 *alg = PSA_ALG_GCM;
2539 *key_type = PSA_KEY_TYPE_ARIA;
2540 *key_size = 128;
2541 break;
2542 #endif
2543 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2544 case MBEDTLS_CIPHER_ARIA_192_CCM:
2545 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2546 *key_type = PSA_KEY_TYPE_ARIA;
2547 *key_size = 192;
2548 break;
2549 #endif
2550 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2551 case MBEDTLS_CIPHER_ARIA_192_GCM:
2552 *alg = PSA_ALG_GCM;
2553 *key_type = PSA_KEY_TYPE_ARIA;
2554 *key_size = 192;
2555 break;
2556 #endif
2557 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2558 case MBEDTLS_CIPHER_ARIA_256_CBC:
2559 *alg = PSA_ALG_CBC_NO_PADDING;
2560 *key_type = PSA_KEY_TYPE_ARIA;
2561 *key_size = 256;
2562 break;
2563 #endif
2564 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2565 case MBEDTLS_CIPHER_ARIA_256_CCM:
2566 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2567 *key_type = PSA_KEY_TYPE_ARIA;
2568 *key_size = 256;
2569 break;
2570 #endif
2571 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2572 case MBEDTLS_CIPHER_ARIA_256_GCM:
2573 *alg = PSA_ALG_GCM;
2574 *key_type = PSA_KEY_TYPE_ARIA;
2575 *key_size = 256;
2576 break;
2577 #endif
2578 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2579 case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
2580 *alg = PSA_ALG_CBC_NO_PADDING;
2581 *key_type = PSA_KEY_TYPE_CAMELLIA;
2582 *key_size = 128;
2583 break;
2584 #endif
2585 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2586 case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
2587 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2588 *key_type = PSA_KEY_TYPE_CAMELLIA;
2589 *key_size = 128;
2590 break;
2591 #endif
2592 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2593 case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
2594 *alg = PSA_ALG_GCM;
2595 *key_type = PSA_KEY_TYPE_CAMELLIA;
2596 *key_size = 128;
2597 break;
2598 #endif
2599 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2600 case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
2601 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2602 *key_type = PSA_KEY_TYPE_CAMELLIA;
2603 *key_size = 192;
2604 break;
2605 #endif
2606 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2607 case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
2608 *alg = PSA_ALG_GCM;
2609 *key_type = PSA_KEY_TYPE_CAMELLIA;
2610 *key_size = 192;
2611 break;
2612 #endif
2613 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2614 case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
2615 *alg = PSA_ALG_CBC_NO_PADDING;
2616 *key_type = PSA_KEY_TYPE_CAMELLIA;
2617 *key_size = 256;
2618 break;
2619 #endif
2620 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2621 case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
2622 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2623 *key_type = PSA_KEY_TYPE_CAMELLIA;
2624 *key_size = 256;
2625 break;
2626 #endif
2627 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2628 case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
2629 *alg = PSA_ALG_GCM;
2630 *key_type = PSA_KEY_TYPE_CAMELLIA;
2631 *key_size = 256;
2632 break;
2633 #endif
2634 #if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
2635 case MBEDTLS_CIPHER_CHACHA20_POLY1305:
2636 *alg = PSA_ALG_CHACHA20_POLY1305;
2637 *key_type = PSA_KEY_TYPE_CHACHA20;
2638 *key_size = 256;
2639 break;
2640 #endif
2641 case MBEDTLS_CIPHER_NULL:
2642 *alg = MBEDTLS_SSL_NULL_CIPHER;
2643 *key_type = 0;
2644 *key_size = 0;
2645 break;
2646 default:
2647 return PSA_ERROR_NOT_SUPPORTED;
2648 }
2649
2650 return PSA_SUCCESS;
2651 }
2652 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2653
2654 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config * conf,const unsigned char * dhm_P,size_t P_len,const unsigned char * dhm_G,size_t G_len)2655 int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
2656 const unsigned char *dhm_P, size_t P_len,
2657 const unsigned char *dhm_G, size_t G_len)
2658 {
2659 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2660
2661 mbedtls_mpi_free(&conf->dhm_P);
2662 mbedtls_mpi_free(&conf->dhm_G);
2663
2664 if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
2665 (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
2666 mbedtls_mpi_free(&conf->dhm_P);
2667 mbedtls_mpi_free(&conf->dhm_G);
2668 return ret;
2669 }
2670
2671 return 0;
2672 }
2673
mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config * conf,mbedtls_dhm_context * dhm_ctx)2674 int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx)
2675 {
2676 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2677
2678 mbedtls_mpi_free(&conf->dhm_P);
2679 mbedtls_mpi_free(&conf->dhm_G);
2680
2681 if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P,
2682 &conf->dhm_P)) != 0 ||
2683 (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G,
2684 &conf->dhm_G)) != 0) {
2685 mbedtls_mpi_free(&conf->dhm_P);
2686 mbedtls_mpi_free(&conf->dhm_G);
2687 return ret;
2688 }
2689
2690 return 0;
2691 }
2692 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
2693
2694 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
2695 /*
2696 * Set the minimum length for Diffie-Hellman parameters
2697 */
mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config * conf,unsigned int bitlen)2698 void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
2699 unsigned int bitlen)
2700 {
2701 conf->dhm_min_bitlen = bitlen;
2702 }
2703 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
2704
2705 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2706 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
2707 /*
2708 * Set allowed/preferred hashes for handshake signatures
2709 */
mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config * conf,const int * hashes)2710 void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
2711 const int *hashes)
2712 {
2713 conf->sig_hashes = hashes;
2714 }
2715 #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
2716
2717 /* Configure allowed signature algorithms for handshake */
mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config * conf,const uint16_t * sig_algs)2718 void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
2719 const uint16_t *sig_algs)
2720 {
2721 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2722 conf->sig_hashes = NULL;
2723 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
2724 conf->sig_algs = sig_algs;
2725 }
2726 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2727
2728 #if defined(MBEDTLS_ECP_C)
2729 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2730 /*
2731 * Set the allowed elliptic curves
2732 *
2733 * mbedtls_ssl_setup() takes the provided list
2734 * and translates it to a list of IANA TLS group identifiers,
2735 * stored in ssl->handshake->group_list.
2736 *
2737 */
mbedtls_ssl_conf_curves(mbedtls_ssl_config * conf,const mbedtls_ecp_group_id * curve_list)2738 void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
2739 const mbedtls_ecp_group_id *curve_list)
2740 {
2741 conf->curve_list = curve_list;
2742 conf->group_list = NULL;
2743 }
2744 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2745 #endif /* MBEDTLS_ECP_C */
2746
2747 /*
2748 * Set the allowed groups
2749 */
mbedtls_ssl_conf_groups(mbedtls_ssl_config * conf,const uint16_t * group_list)2750 void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
2751 const uint16_t *group_list)
2752 {
2753 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
2754 conf->curve_list = NULL;
2755 #endif
2756 conf->group_list = group_list;
2757 }
2758
2759 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_hostname(mbedtls_ssl_context * ssl,const char * hostname)2760 int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
2761 {
2762 /* Initialize to suppress unnecessary compiler warning */
2763 size_t hostname_len = 0;
2764
2765 /* Check if new hostname is valid before
2766 * making any change to current one */
2767 if (hostname != NULL) {
2768 hostname_len = strlen(hostname);
2769
2770 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
2771 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2772 }
2773 }
2774
2775 /* Now it's clear that we will overwrite the old hostname,
2776 * so we can free it safely */
2777
2778 if (ssl->hostname != NULL) {
2779 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
2780 }
2781
2782 /* Passing NULL as hostname shall clear the old one */
2783
2784 if (hostname == NULL) {
2785 ssl->hostname = NULL;
2786 } else {
2787 ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
2788 if (ssl->hostname == NULL) {
2789 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2790 }
2791
2792 memcpy(ssl->hostname, hostname, hostname_len);
2793
2794 ssl->hostname[hostname_len] = '\0';
2795 }
2796
2797 return 0;
2798 }
2799 #endif /* MBEDTLS_X509_CRT_PARSE_C */
2800
2801 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_conf_sni(mbedtls_ssl_config * conf,int (* f_sni)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_sni)2802 void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
2803 int (*f_sni)(void *, mbedtls_ssl_context *,
2804 const unsigned char *, size_t),
2805 void *p_sni)
2806 {
2807 conf->f_sni = f_sni;
2808 conf->p_sni = p_sni;
2809 }
2810 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2811
2812 #if defined(MBEDTLS_SSL_ALPN)
mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config * conf,const char ** protos)2813 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
2814 {
2815 size_t cur_len, tot_len;
2816 const char **p;
2817
2818 /*
2819 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
2820 * MUST NOT be truncated."
2821 * We check lengths now rather than later.
2822 */
2823 tot_len = 0;
2824 for (p = protos; *p != NULL; p++) {
2825 cur_len = strlen(*p);
2826 tot_len += cur_len;
2827
2828 if ((cur_len == 0) ||
2829 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
2830 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
2831 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2832 }
2833 }
2834
2835 conf->alpn_list = protos;
2836
2837 return 0;
2838 }
2839
mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context * ssl)2840 const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
2841 {
2842 return ssl->alpn_chosen;
2843 }
2844 #endif /* MBEDTLS_SSL_ALPN */
2845
2846 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config * conf,int support_mki_value)2847 void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
2848 int support_mki_value)
2849 {
2850 conf->dtls_srtp_mki_support = support_mki_value;
2851 }
2852
mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context * ssl,unsigned char * mki_value,uint16_t mki_len)2853 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
2854 unsigned char *mki_value,
2855 uint16_t mki_len)
2856 {
2857 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
2858 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2859 }
2860
2861 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
2862 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2863 }
2864
2865 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
2866 ssl->dtls_srtp_info.mki_len = mki_len;
2867 return 0;
2868 }
2869
mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config * conf,const mbedtls_ssl_srtp_profile * profiles)2870 int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
2871 const mbedtls_ssl_srtp_profile *profiles)
2872 {
2873 const mbedtls_ssl_srtp_profile *p;
2874 size_t list_size = 0;
2875
2876 /* check the profiles list: all entry must be valid,
2877 * its size cannot be more than the total number of supported profiles, currently 4 */
2878 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
2879 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
2880 p++) {
2881 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
2882 list_size++;
2883 } else {
2884 /* unsupported value, stop parsing and set the size to an error value */
2885 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
2886 }
2887 }
2888
2889 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
2890 conf->dtls_srtp_profile_list = NULL;
2891 conf->dtls_srtp_profile_list_len = 0;
2892 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2893 }
2894
2895 conf->dtls_srtp_profile_list = profiles;
2896 conf->dtls_srtp_profile_list_len = list_size;
2897
2898 return 0;
2899 }
2900
mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context * ssl,mbedtls_dtls_srtp_info * dtls_srtp_info)2901 void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
2902 mbedtls_dtls_srtp_info *dtls_srtp_info)
2903 {
2904 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
2905 /* do not copy the mki value if there is no chosen profile */
2906 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
2907 dtls_srtp_info->mki_len = 0;
2908 } else {
2909 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
2910 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
2911 ssl->dtls_srtp_info.mki_len);
2912 }
2913 }
2914 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2915
2916 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_ssl_conf_max_version(mbedtls_ssl_config * conf,int major,int minor)2917 void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
2918 {
2919 conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2920 }
2921
mbedtls_ssl_conf_min_version(mbedtls_ssl_config * conf,int major,int minor)2922 void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
2923 {
2924 conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2925 }
2926 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2927
2928 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config * conf,char cert_req_ca_list)2929 void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
2930 char cert_req_ca_list)
2931 {
2932 conf->cert_req_ca_list = cert_req_ca_list;
2933 }
2934 #endif
2935
2936 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config * conf,char etm)2937 void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
2938 {
2939 conf->encrypt_then_mac = etm;
2940 }
2941 #endif
2942
2943 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config * conf,char ems)2944 void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
2945 {
2946 conf->extended_ms = ems;
2947 }
2948 #endif
2949
2950 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config * conf,unsigned char mfl_code)2951 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
2952 {
2953 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
2954 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
2955 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2956 }
2957
2958 conf->mfl_code = mfl_code;
2959
2960 return 0;
2961 }
2962 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2963
mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config * conf,int allow_legacy)2964 void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
2965 {
2966 conf->allow_legacy_renegotiation = allow_legacy;
2967 }
2968
2969 #if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config * conf,int renegotiation)2970 void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
2971 {
2972 conf->disable_renegotiation = renegotiation;
2973 }
2974
mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config * conf,int max_records)2975 void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
2976 {
2977 conf->renego_max_records = max_records;
2978 }
2979
mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config * conf,const unsigned char period[8])2980 void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
2981 const unsigned char period[8])
2982 {
2983 memcpy(conf->renego_period, period, 8);
2984 }
2985 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2986
2987 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2988 #if defined(MBEDTLS_SSL_CLI_C)
2989
mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config * conf,int use_tickets)2990 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
2991 {
2992 conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK;
2993 conf->session_tickets |= (use_tickets != 0) <<
2994 MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT;
2995 }
2996
2997 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(mbedtls_ssl_config * conf,int signal_new_session_tickets)2998 void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
2999 mbedtls_ssl_config *conf, int signal_new_session_tickets)
3000 {
3001 conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK;
3002 conf->session_tickets |= (signal_new_session_tickets != 0) <<
3003 MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT;
3004 }
3005 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3006 #endif /* MBEDTLS_SSL_CLI_C */
3007
3008 #if defined(MBEDTLS_SSL_SRV_C)
3009
3010 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config * conf,uint16_t num_tickets)3011 void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
3012 uint16_t num_tickets)
3013 {
3014 conf->new_session_tickets_count = num_tickets;
3015 }
3016 #endif
3017
mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config * conf,mbedtls_ssl_ticket_write_t * f_ticket_write,mbedtls_ssl_ticket_parse_t * f_ticket_parse,void * p_ticket)3018 void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
3019 mbedtls_ssl_ticket_write_t *f_ticket_write,
3020 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
3021 void *p_ticket)
3022 {
3023 conf->f_ticket_write = f_ticket_write;
3024 conf->f_ticket_parse = f_ticket_parse;
3025 conf->p_ticket = p_ticket;
3026 }
3027 #endif
3028 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3029
mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context * ssl,mbedtls_ssl_export_keys_t * f_export_keys,void * p_export_keys)3030 void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
3031 mbedtls_ssl_export_keys_t *f_export_keys,
3032 void *p_export_keys)
3033 {
3034 ssl->f_export_keys = f_export_keys;
3035 ssl->p_export_keys = p_export_keys;
3036 }
3037
3038 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
mbedtls_ssl_conf_async_private_cb(mbedtls_ssl_config * conf,mbedtls_ssl_async_sign_t * f_async_sign,mbedtls_ssl_async_decrypt_t * f_async_decrypt,mbedtls_ssl_async_resume_t * f_async_resume,mbedtls_ssl_async_cancel_t * f_async_cancel,void * async_config_data)3039 void mbedtls_ssl_conf_async_private_cb(
3040 mbedtls_ssl_config *conf,
3041 mbedtls_ssl_async_sign_t *f_async_sign,
3042 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
3043 mbedtls_ssl_async_resume_t *f_async_resume,
3044 mbedtls_ssl_async_cancel_t *f_async_cancel,
3045 void *async_config_data)
3046 {
3047 conf->f_async_sign_start = f_async_sign;
3048 conf->f_async_decrypt_start = f_async_decrypt;
3049 conf->f_async_resume = f_async_resume;
3050 conf->f_async_cancel = f_async_cancel;
3051 conf->p_async_config_data = async_config_data;
3052 }
3053
mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config * conf)3054 void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
3055 {
3056 return conf->p_async_config_data;
3057 }
3058
mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context * ssl)3059 void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
3060 {
3061 if (ssl->handshake == NULL) {
3062 return NULL;
3063 } else {
3064 return ssl->handshake->user_async_ctx;
3065 }
3066 }
3067
mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context * ssl,void * ctx)3068 void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
3069 void *ctx)
3070 {
3071 if (ssl->handshake != NULL) {
3072 ssl->handshake->user_async_ctx = ctx;
3073 }
3074 }
3075 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3076
3077 /*
3078 * SSL get accessors
3079 */
mbedtls_ssl_get_verify_result(const mbedtls_ssl_context * ssl)3080 uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
3081 {
3082 if (ssl->session != NULL) {
3083 return ssl->session->verify_result;
3084 }
3085
3086 if (ssl->session_negotiate != NULL) {
3087 return ssl->session_negotiate->verify_result;
3088 }
3089
3090 return 0xFFFFFFFF;
3091 }
3092
mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context * ssl)3093 int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
3094 {
3095 if (ssl == NULL || ssl->session == NULL) {
3096 return 0;
3097 }
3098
3099 return ssl->session->ciphersuite;
3100 }
3101
mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context * ssl)3102 const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
3103 {
3104 if (ssl == NULL || ssl->session == NULL) {
3105 return NULL;
3106 }
3107
3108 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
3109 }
3110
mbedtls_ssl_get_version(const mbedtls_ssl_context * ssl)3111 const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
3112 {
3113 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3114 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3115 switch (ssl->tls_version) {
3116 case MBEDTLS_SSL_VERSION_TLS1_2:
3117 return "DTLSv1.2";
3118 default:
3119 return "unknown (DTLS)";
3120 }
3121 }
3122 #endif
3123
3124 switch (ssl->tls_version) {
3125 case MBEDTLS_SSL_VERSION_TLS1_2:
3126 return "TLSv1.2";
3127 case MBEDTLS_SSL_VERSION_TLS1_3:
3128 return "TLSv1.3";
3129 default:
3130 return "unknown";
3131 }
3132 }
3133
3134 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3135
mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context * ssl)3136 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
3137 {
3138 const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3139 size_t record_size_limit = max_len;
3140
3141 if (ssl->session != NULL &&
3142 ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3143 ssl->session->record_size_limit < max_len) {
3144 record_size_limit = ssl->session->record_size_limit;
3145 }
3146
3147 // TODO: this is currently untested
3148 /* During a handshake, use the value being negotiated */
3149 if (ssl->session_negotiate != NULL &&
3150 ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3151 ssl->session_negotiate->record_size_limit < max_len) {
3152 record_size_limit = ssl->session_negotiate->record_size_limit;
3153 }
3154
3155 return record_size_limit;
3156 }
3157 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3158
3159 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context * ssl)3160 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
3161 {
3162 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3163 size_t read_mfl;
3164
3165 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3166 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
3167 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3168 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
3169 return ssl_mfl_code_to_length(ssl->conf->mfl_code);
3170 }
3171 #endif
3172
3173 /* Check if a smaller max length was negotiated */
3174 if (ssl->session_out != NULL) {
3175 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3176 if (read_mfl < max_len) {
3177 max_len = read_mfl;
3178 }
3179 }
3180
3181 /* During a handshake, use the value being negotiated */
3182 if (ssl->session_negotiate != NULL) {
3183 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3184 if (read_mfl < max_len) {
3185 max_len = read_mfl;
3186 }
3187 }
3188
3189 return max_len;
3190 }
3191
mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context * ssl)3192 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
3193 {
3194 size_t max_len;
3195
3196 /*
3197 * Assume mfl_code is correct since it was checked when set
3198 */
3199 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
3200
3201 /* Check if a smaller max length was negotiated */
3202 if (ssl->session_out != NULL &&
3203 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
3204 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3205 }
3206
3207 /* During a handshake, use the value being negotiated */
3208 if (ssl->session_negotiate != NULL &&
3209 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
3210 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3211 }
3212
3213 return max_len;
3214 }
3215 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3216
3217 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context * ssl)3218 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
3219 {
3220 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
3221 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3222 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
3223 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) {
3224 return 0;
3225 }
3226
3227 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
3228 return ssl->mtu;
3229 }
3230
3231 if (ssl->mtu == 0) {
3232 return ssl->handshake->mtu;
3233 }
3234
3235 return ssl->mtu < ssl->handshake->mtu ?
3236 ssl->mtu : ssl->handshake->mtu;
3237 }
3238 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3239
mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context * ssl)3240 int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
3241 {
3242 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3243
3244 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3245 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
3246 !defined(MBEDTLS_SSL_PROTO_DTLS)
3247 (void) ssl;
3248 #endif
3249
3250 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3251 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
3252
3253 if (max_len > mfl) {
3254 max_len = mfl;
3255 }
3256 #endif
3257
3258 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3259 const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
3260
3261 if (max_len > record_size_limit) {
3262 max_len = record_size_limit;
3263 }
3264 #endif
3265
3266 if (ssl->transform_out != NULL &&
3267 ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
3268 /*
3269 * In TLS 1.3 case, when records are protected, `max_len` as computed
3270 * above is the maximum length of the TLSInnerPlaintext structure that
3271 * along the plaintext payload contains the inner content type (one byte)
3272 * and some zero padding. Given the algorithm used for padding
3273 * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
3274 * the plaintext payload. Round down to a multiple of
3275 * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
3276 * subtract 1.
3277 */
3278 max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
3279 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
3280 }
3281
3282 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3283 if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
3284 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
3285 const int ret = mbedtls_ssl_get_record_expansion(ssl);
3286 const size_t overhead = (size_t) ret;
3287
3288 if (ret < 0) {
3289 return ret;
3290 }
3291
3292 if (mtu <= overhead) {
3293 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
3294 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3295 }
3296
3297 if (max_len > mtu - overhead) {
3298 max_len = mtu - overhead;
3299 }
3300 }
3301 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3302
3303 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3304 !defined(MBEDTLS_SSL_PROTO_DTLS) && \
3305 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3306 ((void) ssl);
3307 #endif
3308
3309 return (int) max_len;
3310 }
3311
mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context * ssl)3312 int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
3313 {
3314 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3315
3316 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3317 (void) ssl;
3318 #endif
3319
3320 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3321 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
3322
3323 if (max_len > mfl) {
3324 max_len = mfl;
3325 }
3326 #endif
3327
3328 return (int) max_len;
3329 }
3330
3331 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context * ssl)3332 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
3333 {
3334 if (ssl == NULL || ssl->session == NULL) {
3335 return NULL;
3336 }
3337
3338 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3339 return ssl->session->peer_cert;
3340 #else
3341 return NULL;
3342 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3343 }
3344 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3345
3346 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_get_session(const mbedtls_ssl_context * ssl,mbedtls_ssl_session * dst)3347 int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
3348 mbedtls_ssl_session *dst)
3349 {
3350 int ret;
3351
3352 if (ssl == NULL ||
3353 dst == NULL ||
3354 ssl->session == NULL ||
3355 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
3356 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3357 }
3358
3359 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
3360 * idempotent: Each session can only be exported once.
3361 *
3362 * (This is in preparation for TLS 1.3 support where we will
3363 * need the ability to export multiple sessions (aka tickets),
3364 * which will be achieved by calling mbedtls_ssl_get_session()
3365 * multiple times until it fails.)
3366 *
3367 * Check whether we have already exported the current session,
3368 * and fail if so.
3369 */
3370 if (ssl->session->exported == 1) {
3371 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3372 }
3373
3374 ret = mbedtls_ssl_session_copy(dst, ssl->session);
3375 if (ret != 0) {
3376 return ret;
3377 }
3378
3379 /* Remember that we've exported the session. */
3380 ssl->session->exported = 1;
3381 return 0;
3382 }
3383 #endif /* MBEDTLS_SSL_CLI_C */
3384
3385 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3386
3387 /* Serialization of TLS 1.2 sessions
3388 *
3389 * For more detail, see the description of ssl_session_save().
3390 */
ssl_tls12_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len)3391 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
3392 unsigned char *buf,
3393 size_t buf_len)
3394 {
3395 unsigned char *p = buf;
3396 size_t used = 0;
3397
3398 #if defined(MBEDTLS_HAVE_TIME)
3399 uint64_t start;
3400 #endif
3401 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3402 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3403 size_t cert_len;
3404 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3405 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3406
3407 /*
3408 * Time
3409 */
3410 #if defined(MBEDTLS_HAVE_TIME)
3411 used += 8;
3412
3413 if (used <= buf_len) {
3414 start = (uint64_t) session->start;
3415
3416 MBEDTLS_PUT_UINT64_BE(start, p, 0);
3417 p += 8;
3418 }
3419 #endif /* MBEDTLS_HAVE_TIME */
3420
3421 /*
3422 * Basic mandatory fields
3423 */
3424 used += 1 /* id_len */
3425 + sizeof(session->id)
3426 + sizeof(session->master)
3427 + 4; /* verify_result */
3428
3429 if (used <= buf_len) {
3430 *p++ = MBEDTLS_BYTE_0(session->id_len);
3431 memcpy(p, session->id, 32);
3432 p += 32;
3433
3434 memcpy(p, session->master, 48);
3435 p += 48;
3436
3437 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
3438 p += 4;
3439 }
3440
3441 /*
3442 * Peer's end-entity certificate
3443 */
3444 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3445 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3446 if (session->peer_cert == NULL) {
3447 cert_len = 0;
3448 } else {
3449 cert_len = session->peer_cert->raw.len;
3450 }
3451
3452 used += 3 + cert_len;
3453
3454 if (used <= buf_len) {
3455 *p++ = MBEDTLS_BYTE_2(cert_len);
3456 *p++ = MBEDTLS_BYTE_1(cert_len);
3457 *p++ = MBEDTLS_BYTE_0(cert_len);
3458
3459 if (session->peer_cert != NULL) {
3460 memcpy(p, session->peer_cert->raw.p, cert_len);
3461 p += cert_len;
3462 }
3463 }
3464 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3465 if (session->peer_cert_digest != NULL) {
3466 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
3467 if (used <= buf_len) {
3468 *p++ = (unsigned char) session->peer_cert_digest_type;
3469 *p++ = (unsigned char) session->peer_cert_digest_len;
3470 memcpy(p, session->peer_cert_digest,
3471 session->peer_cert_digest_len);
3472 p += session->peer_cert_digest_len;
3473 }
3474 } else {
3475 used += 2;
3476 if (used <= buf_len) {
3477 *p++ = (unsigned char) MBEDTLS_MD_NONE;
3478 *p++ = 0;
3479 }
3480 }
3481 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3482 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3483
3484 /*
3485 * Session ticket if any, plus associated data
3486 */
3487 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3488 #if defined(MBEDTLS_SSL_CLI_C)
3489 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3490 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
3491
3492 if (used <= buf_len) {
3493 *p++ = MBEDTLS_BYTE_2(session->ticket_len);
3494 *p++ = MBEDTLS_BYTE_1(session->ticket_len);
3495 *p++ = MBEDTLS_BYTE_0(session->ticket_len);
3496
3497 if (session->ticket != NULL) {
3498 memcpy(p, session->ticket, session->ticket_len);
3499 p += session->ticket_len;
3500 }
3501
3502 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3503 p += 4;
3504 }
3505 }
3506 #endif /* MBEDTLS_SSL_CLI_C */
3507 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3508 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3509 used += 8;
3510
3511 if (used <= buf_len) {
3512 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3513 p += 8;
3514 }
3515 }
3516 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3517 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3518
3519 /*
3520 * Misc extension-related info
3521 */
3522 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3523 used += 1;
3524
3525 if (used <= buf_len) {
3526 *p++ = session->mfl_code;
3527 }
3528 #endif
3529
3530 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3531 used += 1;
3532
3533 if (used <= buf_len) {
3534 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
3535 }
3536 #endif
3537
3538 return used;
3539 }
3540
3541 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)3542 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
3543 const unsigned char *buf,
3544 size_t len)
3545 {
3546 #if defined(MBEDTLS_HAVE_TIME)
3547 uint64_t start;
3548 #endif
3549 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3550 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3551 size_t cert_len;
3552 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3553 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3554
3555 const unsigned char *p = buf;
3556 const unsigned char * const end = buf + len;
3557
3558 /*
3559 * Time
3560 */
3561 #if defined(MBEDTLS_HAVE_TIME)
3562 if (8 > (size_t) (end - p)) {
3563 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3564 }
3565
3566 start = MBEDTLS_GET_UINT64_BE(p, 0);
3567 p += 8;
3568
3569 session->start = (time_t) start;
3570 #endif /* MBEDTLS_HAVE_TIME */
3571
3572 /*
3573 * Basic mandatory fields
3574 */
3575 if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
3576 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3577 }
3578
3579 session->id_len = *p++;
3580 memcpy(session->id, p, 32);
3581 p += 32;
3582
3583 memcpy(session->master, p, 48);
3584 p += 48;
3585
3586 session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
3587 p += 4;
3588
3589 /* Immediately clear invalid pointer values that have been read, in case
3590 * we exit early before we replaced them with valid ones. */
3591 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3592 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3593 session->peer_cert = NULL;
3594 #else
3595 session->peer_cert_digest = NULL;
3596 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3597 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3598 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
3599 session->ticket = NULL;
3600 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
3601
3602 /*
3603 * Peer certificate
3604 */
3605 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3606 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3607 /* Deserialize CRT from the end of the ticket. */
3608 if (3 > (size_t) (end - p)) {
3609 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3610 }
3611
3612 cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
3613 p += 3;
3614
3615 if (cert_len != 0) {
3616 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3617
3618 if (cert_len > (size_t) (end - p)) {
3619 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3620 }
3621
3622 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
3623
3624 if (session->peer_cert == NULL) {
3625 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3626 }
3627
3628 mbedtls_x509_crt_init(session->peer_cert);
3629
3630 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
3631 p, cert_len)) != 0) {
3632 mbedtls_x509_crt_free(session->peer_cert);
3633 mbedtls_free(session->peer_cert);
3634 session->peer_cert = NULL;
3635 return ret;
3636 }
3637
3638 p += cert_len;
3639 }
3640 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3641 /* Deserialize CRT digest from the end of the ticket. */
3642 if (2 > (size_t) (end - p)) {
3643 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3644 }
3645
3646 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
3647 session->peer_cert_digest_len = (size_t) *p++;
3648
3649 if (session->peer_cert_digest_len != 0) {
3650 const mbedtls_md_info_t *md_info =
3651 mbedtls_md_info_from_type(session->peer_cert_digest_type);
3652 if (md_info == NULL) {
3653 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3654 }
3655 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
3656 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3657 }
3658
3659 if (session->peer_cert_digest_len > (size_t) (end - p)) {
3660 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3661 }
3662
3663 session->peer_cert_digest =
3664 mbedtls_calloc(1, session->peer_cert_digest_len);
3665 if (session->peer_cert_digest == NULL) {
3666 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3667 }
3668
3669 memcpy(session->peer_cert_digest, p,
3670 session->peer_cert_digest_len);
3671 p += session->peer_cert_digest_len;
3672 }
3673 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3674 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3675
3676 /*
3677 * Session ticket and associated data
3678 */
3679 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3680 #if defined(MBEDTLS_SSL_CLI_C)
3681 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3682 if (3 > (size_t) (end - p)) {
3683 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3684 }
3685
3686 session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
3687 p += 3;
3688
3689 if (session->ticket_len != 0) {
3690 if (session->ticket_len > (size_t) (end - p)) {
3691 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3692 }
3693
3694 session->ticket = mbedtls_calloc(1, session->ticket_len);
3695 if (session->ticket == NULL) {
3696 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3697 }
3698
3699 memcpy(session->ticket, p, session->ticket_len);
3700 p += session->ticket_len;
3701 }
3702
3703 if (4 > (size_t) (end - p)) {
3704 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3705 }
3706
3707 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
3708 p += 4;
3709 }
3710 #endif /* MBEDTLS_SSL_CLI_C */
3711 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3712 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3713 if (8 > (size_t) (end - p)) {
3714 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3715 }
3716 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3717 p += 8;
3718 }
3719 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3720 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3721
3722 /*
3723 * Misc extension-related info
3724 */
3725 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3726 if (1 > (size_t) (end - p)) {
3727 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3728 }
3729
3730 session->mfl_code = *p++;
3731 #endif
3732
3733 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3734 if (1 > (size_t) (end - p)) {
3735 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3736 }
3737
3738 session->encrypt_then_mac = *p++;
3739 #endif
3740
3741 /* Done, should have consumed entire buffer */
3742 if (p != end) {
3743 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3744 }
3745
3746 return 0;
3747 }
3748
3749 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3750
3751 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3752 /* Serialization of TLS 1.3 sessions:
3753 *
3754 * For more detail, see the description of ssl_session_save().
3755 */
3756 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3757 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)3758 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
3759 unsigned char *buf,
3760 size_t buf_len,
3761 size_t *olen)
3762 {
3763 unsigned char *p = buf;
3764 #if defined(MBEDTLS_SSL_CLI_C) && \
3765 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3766 size_t hostname_len = (session->hostname == NULL) ?
3767 0 : strlen(session->hostname) + 1;
3768 #endif
3769
3770 #if defined(MBEDTLS_SSL_SRV_C) && \
3771 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3772 const size_t alpn_len = (session->ticket_alpn == NULL) ?
3773 0 : strlen(session->ticket_alpn) + 1;
3774 #endif
3775 size_t needed = 4 /* ticket_age_add */
3776 + 1 /* ticket_flags */
3777 + 1; /* resumption_key length */
3778
3779 *olen = 0;
3780
3781 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
3782 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3783 }
3784 needed += session->resumption_key_len; /* resumption_key */
3785
3786 #if defined(MBEDTLS_SSL_EARLY_DATA)
3787 needed += 4; /* max_early_data_size */
3788 #endif
3789 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3790 needed += 2; /* record_size_limit */
3791 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3792
3793 #if defined(MBEDTLS_HAVE_TIME)
3794 needed += 8; /* ticket_creation_time or ticket_reception_time */
3795 #endif
3796
3797 #if defined(MBEDTLS_SSL_SRV_C)
3798 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3799 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3800 needed += 2 /* alpn_len */
3801 + alpn_len; /* alpn */
3802 #endif
3803 }
3804 #endif /* MBEDTLS_SSL_SRV_C */
3805
3806 #if defined(MBEDTLS_SSL_CLI_C)
3807 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3808 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3809 needed += 2 /* hostname_len */
3810 + hostname_len; /* hostname */
3811 #endif
3812
3813 needed += 4 /* ticket_lifetime */
3814 + 2; /* ticket_len */
3815
3816 /* Check size_t overflow */
3817 if (session->ticket_len > SIZE_MAX - needed) {
3818 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3819 }
3820
3821 needed += session->ticket_len; /* ticket */
3822 }
3823 #endif /* MBEDTLS_SSL_CLI_C */
3824
3825 *olen = needed;
3826 if (needed > buf_len) {
3827 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3828 }
3829
3830 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
3831 p[4] = session->ticket_flags;
3832
3833 /* save resumption_key */
3834 p[5] = session->resumption_key_len;
3835 p += 6;
3836 memcpy(p, session->resumption_key, session->resumption_key_len);
3837 p += session->resumption_key_len;
3838
3839 #if defined(MBEDTLS_SSL_EARLY_DATA)
3840 MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
3841 p += 4;
3842 #endif
3843 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3844 MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
3845 p += 2;
3846 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3847
3848 #if defined(MBEDTLS_SSL_SRV_C)
3849 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3850 #if defined(MBEDTLS_HAVE_TIME)
3851 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3852 p += 8;
3853 #endif /* MBEDTLS_HAVE_TIME */
3854
3855 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3856 MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
3857 p += 2;
3858
3859 if (alpn_len > 0) {
3860 /* save chosen alpn */
3861 memcpy(p, session->ticket_alpn, alpn_len);
3862 p += alpn_len;
3863 }
3864 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3865 }
3866 #endif /* MBEDTLS_SSL_SRV_C */
3867
3868 #if defined(MBEDTLS_SSL_CLI_C)
3869 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3870 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3871 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
3872 p += 2;
3873 if (hostname_len > 0) {
3874 /* save host name */
3875 memcpy(p, session->hostname, hostname_len);
3876 p += hostname_len;
3877 }
3878 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3879
3880 #if defined(MBEDTLS_HAVE_TIME)
3881 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
3882 p += 8;
3883 #endif
3884 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3885 p += 4;
3886
3887 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
3888 p += 2;
3889
3890 if (session->ticket != NULL && session->ticket_len > 0) {
3891 memcpy(p, session->ticket, session->ticket_len);
3892 p += session->ticket_len;
3893 }
3894 }
3895 #endif /* MBEDTLS_SSL_CLI_C */
3896 return 0;
3897 }
3898
3899 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)3900 static int ssl_tls13_session_load(mbedtls_ssl_session *session,
3901 const unsigned char *buf,
3902 size_t len)
3903 {
3904 const unsigned char *p = buf;
3905 const unsigned char *end = buf + len;
3906
3907 if (end - p < 6) {
3908 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3909 }
3910 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
3911 session->ticket_flags = p[4];
3912
3913 /* load resumption_key */
3914 session->resumption_key_len = p[5];
3915 p += 6;
3916
3917 if (end - p < session->resumption_key_len) {
3918 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3919 }
3920
3921 if (sizeof(session->resumption_key) < session->resumption_key_len) {
3922 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3923 }
3924 memcpy(session->resumption_key, p, session->resumption_key_len);
3925 p += session->resumption_key_len;
3926
3927 #if defined(MBEDTLS_SSL_EARLY_DATA)
3928 if (end - p < 4) {
3929 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3930 }
3931 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
3932 p += 4;
3933 #endif
3934 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3935 if (end - p < 2) {
3936 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3937 }
3938 session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
3939 p += 2;
3940 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3941
3942 #if defined(MBEDTLS_SSL_SRV_C)
3943 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3944 #if defined(MBEDTLS_HAVE_TIME)
3945 if (end - p < 8) {
3946 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3947 }
3948 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3949 p += 8;
3950 #endif /* MBEDTLS_HAVE_TIME */
3951
3952 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3953 size_t alpn_len;
3954
3955 if (end - p < 2) {
3956 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3957 }
3958
3959 alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
3960 p += 2;
3961
3962 if (end - p < (long int) alpn_len) {
3963 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3964 }
3965
3966 if (alpn_len > 0) {
3967 int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
3968 if (ret != 0) {
3969 return ret;
3970 }
3971 p += alpn_len;
3972 }
3973 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3974 }
3975 #endif /* MBEDTLS_SSL_SRV_C */
3976
3977 #if defined(MBEDTLS_SSL_CLI_C)
3978 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3979 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3980 size_t hostname_len;
3981 /* load host name */
3982 if (end - p < 2) {
3983 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3984 }
3985 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
3986 p += 2;
3987
3988 if (end - p < (long int) hostname_len) {
3989 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3990 }
3991 if (hostname_len > 0) {
3992 session->hostname = mbedtls_calloc(1, hostname_len);
3993 if (session->hostname == NULL) {
3994 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3995 }
3996 memcpy(session->hostname, p, hostname_len);
3997 p += hostname_len;
3998 }
3999 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4000
4001 #if defined(MBEDTLS_HAVE_TIME)
4002 if (end - p < 8) {
4003 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4004 }
4005 session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0);
4006 p += 8;
4007 #endif
4008 if (end - p < 4) {
4009 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4010 }
4011 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
4012 p += 4;
4013
4014 if (end - p < 2) {
4015 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4016 }
4017 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
4018 p += 2;
4019
4020 if (end - p < (long int) session->ticket_len) {
4021 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4022 }
4023 if (session->ticket_len > 0) {
4024 session->ticket = mbedtls_calloc(1, session->ticket_len);
4025 if (session->ticket == NULL) {
4026 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
4027 }
4028 memcpy(session->ticket, p, session->ticket_len);
4029 p += session->ticket_len;
4030 }
4031 }
4032 #endif /* MBEDTLS_SSL_CLI_C */
4033
4034 return 0;
4035
4036 }
4037 #else /* MBEDTLS_SSL_SESSION_TICKETS */
4038 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)4039 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
4040 unsigned char *buf,
4041 size_t buf_len,
4042 size_t *olen)
4043 {
4044 ((void) session);
4045 ((void) buf);
4046 ((void) buf_len);
4047 *olen = 0;
4048 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4049 }
4050
ssl_tls13_session_load(const mbedtls_ssl_session * session,const unsigned char * buf,size_t buf_len)4051 static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
4052 const unsigned char *buf,
4053 size_t buf_len)
4054 {
4055 ((void) session);
4056 ((void) buf);
4057 ((void) buf_len);
4058 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4059 }
4060 #endif /* !MBEDTLS_SSL_SESSION_TICKETS */
4061 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4062
4063 /*
4064 * Define ticket header determining Mbed TLS version
4065 * and structure of the ticket.
4066 */
4067
4068 /*
4069 * Define bitflag determining compile-time settings influencing
4070 * structure of serialized SSL sessions.
4071 */
4072
4073 #if defined(MBEDTLS_HAVE_TIME)
4074 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
4075 #else
4076 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
4077 #endif /* MBEDTLS_HAVE_TIME */
4078
4079 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4080 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
4081 #else
4082 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
4083 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4084
4085 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4086 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
4087 #else
4088 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
4089 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4090
4091 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
4092 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
4093 #else
4094 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
4095 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
4096
4097 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4098 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
4099 #else
4100 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
4101 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4102
4103 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4104 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
4105 #else
4106 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
4107 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
4108
4109 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4110 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
4111 #else
4112 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
4113 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4114
4115 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4116 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 1
4117 #else
4118 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 0
4119 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4120
4121 #if defined(MBEDTLS_SSL_EARLY_DATA)
4122 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1
4123 #else
4124 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0
4125 #endif /* MBEDTLS_SSL_EARLY_DATA */
4126
4127 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4128 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1
4129 #else
4130 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0
4131 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
4132
4133 #if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \
4134 defined(MBEDTLS_SSL_EARLY_DATA)
4135 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1
4136 #else
4137 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0
4138 #endif /* MBEDTLS_SSL_ALPN */
4139
4140 #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
4141 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
4142 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
4143 #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
4144 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
4145 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
4146 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6
4147 #define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7
4148 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8
4149 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9
4150 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10
4151
4152 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
4153 ((uint16_t) ( \
4154 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
4155 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
4156 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
4157 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
4158 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
4159 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
4160 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
4161 (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
4162 SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \
4163 (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \
4164 (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \
4165 SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \
4166 (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \
4167 SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \
4168 (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \
4169 SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT)))
4170
4171 static const unsigned char ssl_serialized_session_header[] = {
4172 MBEDTLS_VERSION_MAJOR,
4173 MBEDTLS_VERSION_MINOR,
4174 MBEDTLS_VERSION_PATCH,
4175 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4176 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4177 };
4178
4179 /*
4180 * Serialize a session in the following format:
4181 * (in the presentation language of TLS, RFC 8446 section 3)
4182 *
4183 * TLS 1.2 session:
4184 *
4185 * struct {
4186 * #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4187 * opaque ticket<0..2^24-1>; // length 0 means no ticket
4188 * uint32 ticket_lifetime;
4189 * #endif
4190 * } ClientOnlyData;
4191 *
4192 * struct {
4193 * #if defined(MBEDTLS_HAVE_TIME)
4194 * uint64 start_time;
4195 * #endif
4196 * uint8 session_id_len; // at most 32
4197 * opaque session_id[32];
4198 * opaque master[48]; // fixed length in the standard
4199 * uint32 verify_result;
4200 * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
4201 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
4202 * #else
4203 * uint8 peer_cert_digest_type;
4204 * opaque peer_cert_digest<0..2^8-1>
4205 * #endif
4206 * select (endpoint) {
4207 * case client: ClientOnlyData;
4208 * case server: uint64 ticket_creation_time;
4209 * };
4210 * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4211 * uint8 mfl_code; // up to 255 according to standard
4212 * #endif
4213 * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4214 * uint8 encrypt_then_mac; // 0 or 1
4215 * #endif
4216 * } serialized_session_tls12;
4217 *
4218 *
4219 * TLS 1.3 Session:
4220 *
4221 * struct {
4222 * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4223 * opaque hostname<0..2^16-1>;
4224 * #endif
4225 * #if defined(MBEDTLS_HAVE_TIME)
4226 * uint64 ticket_reception_time;
4227 * #endif
4228 * uint32 ticket_lifetime;
4229 * opaque ticket<1..2^16-1>;
4230 * } ClientOnlyData;
4231 *
4232 * struct {
4233 * uint32 ticket_age_add;
4234 * uint8 ticket_flags;
4235 * opaque resumption_key<0..255>;
4236 * #if defined(MBEDTLS_SSL_EARLY_DATA)
4237 * uint32 max_early_data_size;
4238 * #endif
4239 * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4240 * uint16 record_size_limit;
4241 * #endif
4242 * select ( endpoint ) {
4243 * case client: ClientOnlyData;
4244 * case server:
4245 * #if defined(MBEDTLS_HAVE_TIME)
4246 * uint64 ticket_creation_time;
4247 * #endif
4248 * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
4249 * opaque ticket_alpn<0..256>;
4250 * #endif
4251 * };
4252 * } serialized_session_tls13;
4253 *
4254 *
4255 * SSL session:
4256 *
4257 * struct {
4258 *
4259 * opaque mbedtls_version[3]; // library version: major, minor, patch
4260 * opaque session_format[2]; // library-version specific 16-bit field
4261 * // determining the format of the remaining
4262 * // serialized data.
4263 *
4264 * Note: When updating the format, remember to keep
4265 * these version+format bytes.
4266 *
4267 * // In this version, `session_format` determines
4268 * // the setting of those compile-time
4269 * // configuration options which influence
4270 * // the structure of mbedtls_ssl_session.
4271 *
4272 * uint8_t minor_ver; // Protocol minor version. Possible values:
4273 * // - TLS 1.2 (0x0303)
4274 * // - TLS 1.3 (0x0304)
4275 * uint8_t endpoint;
4276 * uint16_t ciphersuite;
4277 *
4278 * select (serialized_session.tls_version) {
4279 *
4280 * case MBEDTLS_SSL_VERSION_TLS1_2:
4281 * serialized_session_tls12 data;
4282 * case MBEDTLS_SSL_VERSION_TLS1_3:
4283 * serialized_session_tls13 data;
4284 *
4285 * };
4286 *
4287 * } serialized_session;
4288 *
4289 */
4290
4291 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_save(const mbedtls_ssl_session * session,unsigned char omit_header,unsigned char * buf,size_t buf_len,size_t * olen)4292 static int ssl_session_save(const mbedtls_ssl_session *session,
4293 unsigned char omit_header,
4294 unsigned char *buf,
4295 size_t buf_len,
4296 size_t *olen)
4297 {
4298 unsigned char *p = buf;
4299 size_t used = 0;
4300 size_t remaining_len;
4301 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4302 size_t out_len;
4303 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4304 #endif
4305 if (session == NULL) {
4306 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4307 }
4308
4309 if (!omit_header) {
4310 /*
4311 * Add Mbed TLS version identifier
4312 */
4313 used += sizeof(ssl_serialized_session_header);
4314
4315 if (used <= buf_len) {
4316 memcpy(p, ssl_serialized_session_header,
4317 sizeof(ssl_serialized_session_header));
4318 p += sizeof(ssl_serialized_session_header);
4319 }
4320 }
4321
4322 /*
4323 * TLS version identifier, endpoint, ciphersuite
4324 */
4325 used += 1 /* TLS version */
4326 + 1 /* endpoint */
4327 + 2; /* ciphersuite */
4328 if (used <= buf_len) {
4329 *p++ = MBEDTLS_BYTE_0(session->tls_version);
4330 *p++ = session->endpoint;
4331 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
4332 p += 2;
4333 }
4334
4335 /* Forward to version-specific serialization routine. */
4336 remaining_len = (buf_len >= used) ? buf_len - used : 0;
4337 switch (session->tls_version) {
4338 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4339 case MBEDTLS_SSL_VERSION_TLS1_2:
4340 used += ssl_tls12_session_save(session, p, remaining_len);
4341 break;
4342 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4343
4344 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4345 case MBEDTLS_SSL_VERSION_TLS1_3:
4346 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
4347 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
4348 return ret;
4349 }
4350 used += out_len;
4351 break;
4352 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4353
4354 default:
4355 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4356 }
4357
4358 *olen = used;
4359 if (used > buf_len) {
4360 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4361 }
4362
4363 return 0;
4364 }
4365
4366 /*
4367 * Public wrapper for ssl_session_save()
4368 */
mbedtls_ssl_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)4369 int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
4370 unsigned char *buf,
4371 size_t buf_len,
4372 size_t *olen)
4373 {
4374 return ssl_session_save(session, 0, buf, buf_len, olen);
4375 }
4376
4377 /*
4378 * Deserialize session, see mbedtls_ssl_session_save() for format.
4379 *
4380 * This internal version is wrapped by a public function that cleans up in
4381 * case of error, and has an extra option omit_header.
4382 */
4383 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_load(mbedtls_ssl_session * session,unsigned char omit_header,const unsigned char * buf,size_t len)4384 static int ssl_session_load(mbedtls_ssl_session *session,
4385 unsigned char omit_header,
4386 const unsigned char *buf,
4387 size_t len)
4388 {
4389 const unsigned char *p = buf;
4390 const unsigned char * const end = buf + len;
4391 size_t remaining_len;
4392
4393
4394 if (session == NULL) {
4395 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4396 }
4397
4398 if (!omit_header) {
4399 /*
4400 * Check Mbed TLS version identifier
4401 */
4402
4403 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
4404 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4405 }
4406
4407 if (memcmp(p, ssl_serialized_session_header,
4408 sizeof(ssl_serialized_session_header)) != 0) {
4409 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
4410 }
4411 p += sizeof(ssl_serialized_session_header);
4412 }
4413
4414 /*
4415 * TLS version identifier, endpoint, ciphersuite
4416 */
4417 if (4 > (size_t) (end - p)) {
4418 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4419 }
4420 session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
4421 session->endpoint = *p++;
4422 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0);
4423 p += 2;
4424
4425 /* Dispatch according to TLS version. */
4426 remaining_len = (size_t) (end - p);
4427 switch (session->tls_version) {
4428 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4429 case MBEDTLS_SSL_VERSION_TLS1_2:
4430 return ssl_tls12_session_load(session, p, remaining_len);
4431 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4432
4433 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4434 case MBEDTLS_SSL_VERSION_TLS1_3:
4435 return ssl_tls13_session_load(session, p, remaining_len);
4436 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4437
4438 default:
4439 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4440 }
4441 }
4442
4443 /*
4444 * Deserialize session: public wrapper for error cleaning
4445 */
mbedtls_ssl_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)4446 int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
4447 const unsigned char *buf,
4448 size_t len)
4449 {
4450 int ret = ssl_session_load(session, 0, buf, len);
4451
4452 if (ret != 0) {
4453 mbedtls_ssl_session_free(session);
4454 }
4455
4456 return ret;
4457 }
4458
4459 /*
4460 * Perform a single step of the SSL handshake
4461 */
4462 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_prepare_handshake_step(mbedtls_ssl_context * ssl)4463 static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
4464 {
4465 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4466
4467 /*
4468 * We may have not been able to send to the peer all the handshake data
4469 * that were written into the output buffer by the previous handshake step,
4470 * if the write to the network callback returned with the
4471 * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
4472 * We proceed to the next handshake step only when all data from the
4473 * previous one have been sent to the peer, thus we make sure that this is
4474 * the case here by calling `mbedtls_ssl_flush_output()`. The function may
4475 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
4476 * we have to wait before to go ahead.
4477 * In the case of TLS 1.3, handshake step handlers do not send data to the
4478 * peer. Data are only sent here and through
4479 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
4480 * alert occurred.
4481 */
4482 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
4483 return ret;
4484 }
4485
4486 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4487 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4488 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4489 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
4490 return ret;
4491 }
4492 }
4493 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4494
4495 return ret;
4496 }
4497
mbedtls_ssl_handshake_step(mbedtls_ssl_context * ssl)4498 int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
4499 {
4500 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4501
4502 if (ssl == NULL ||
4503 ssl->conf == NULL ||
4504 ssl->handshake == NULL ||
4505 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
4506 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4507 }
4508
4509 ret = ssl_prepare_handshake_step(ssl);
4510 if (ret != 0) {
4511 return ret;
4512 }
4513
4514 ret = mbedtls_ssl_handle_pending_alert(ssl);
4515 if (ret != 0) {
4516 goto cleanup;
4517 }
4518
4519 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
4520 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
4521 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4522
4523 #if defined(MBEDTLS_SSL_CLI_C)
4524 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
4525 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
4526 mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state)));
4527
4528 switch (ssl->state) {
4529 case MBEDTLS_SSL_HELLO_REQUEST:
4530 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4531 ret = 0;
4532 break;
4533
4534 case MBEDTLS_SSL_CLIENT_HELLO:
4535 ret = mbedtls_ssl_write_client_hello(ssl);
4536 break;
4537
4538 default:
4539 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4540 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4541 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4542 } else {
4543 ret = mbedtls_ssl_handshake_client_step(ssl);
4544 }
4545 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4546 ret = mbedtls_ssl_handshake_client_step(ssl);
4547 #else
4548 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4549 #endif
4550 }
4551 }
4552 #endif /* MBEDTLS_SSL_CLI_C */
4553
4554 #if defined(MBEDTLS_SSL_SRV_C)
4555 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4556 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4557 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4558 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
4559 } else {
4560 ret = mbedtls_ssl_handshake_server_step(ssl);
4561 }
4562 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4563 ret = mbedtls_ssl_handshake_server_step(ssl);
4564 #else
4565 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
4566 #endif
4567 }
4568 #endif /* MBEDTLS_SSL_SRV_C */
4569
4570 if (ret != 0) {
4571 /* handshake_step return error. And it is same
4572 * with alert_reason.
4573 */
4574 if (ssl->send_alert) {
4575 ret = mbedtls_ssl_handle_pending_alert(ssl);
4576 goto cleanup;
4577 }
4578 }
4579
4580 cleanup:
4581 return ret;
4582 }
4583
4584 /*
4585 * Perform the SSL handshake
4586 */
mbedtls_ssl_handshake(mbedtls_ssl_context * ssl)4587 int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
4588 {
4589 int ret = 0;
4590
4591 /* Sanity checks */
4592
4593 if (ssl == NULL || ssl->conf == NULL) {
4594 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4595 }
4596
4597 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4598 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4599 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
4600 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
4601 "mbedtls_ssl_set_timer_cb() for DTLS"));
4602 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4603 }
4604 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4605
4606 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
4607
4608 /* Main handshake loop */
4609 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
4610 ret = mbedtls_ssl_handshake_step(ssl);
4611
4612 if (ret != 0) {
4613 break;
4614 }
4615 }
4616
4617 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
4618
4619 return ret;
4620 }
4621
4622 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4623 #if defined(MBEDTLS_SSL_SRV_C)
4624 /*
4625 * Write HelloRequest to request renegotiation on server
4626 */
4627 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_hello_request(mbedtls_ssl_context * ssl)4628 static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
4629 {
4630 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4631
4632 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
4633
4634 ssl->out_msglen = 4;
4635 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4636 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
4637
4638 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4639 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4640 return ret;
4641 }
4642
4643 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
4644
4645 return 0;
4646 }
4647 #endif /* MBEDTLS_SSL_SRV_C */
4648
4649 /*
4650 * Actually renegotiate current connection, triggered by either:
4651 * - any side: calling mbedtls_ssl_renegotiate(),
4652 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
4653 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
4654 * the initial handshake is completed.
4655 * If the handshake doesn't complete due to waiting for I/O, it will continue
4656 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
4657 */
mbedtls_ssl_start_renegotiation(mbedtls_ssl_context * ssl)4658 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl)
4659 {
4660 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4661
4662 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
4663
4664 if ((ret = ssl_handshake_init(ssl)) != 0) {
4665 return ret;
4666 }
4667
4668 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
4669 * the ServerHello will have message_seq = 1" */
4670 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4671 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4672 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
4673 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4674 ssl->handshake->out_msg_seq = 1;
4675 } else {
4676 ssl->handshake->in_msg_seq = 1;
4677 }
4678 }
4679 #endif
4680
4681 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
4682 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
4683
4684 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4685 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4686 return ret;
4687 }
4688
4689 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
4690
4691 return 0;
4692 }
4693
4694 /*
4695 * Renegotiate current connection on client,
4696 * or request renegotiation on server
4697 */
mbedtls_ssl_renegotiate(mbedtls_ssl_context * ssl)4698 int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
4699 {
4700 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4701
4702 if (ssl == NULL || ssl->conf == NULL) {
4703 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4704 }
4705
4706 #if defined(MBEDTLS_SSL_SRV_C)
4707 /* On server, just send the request */
4708 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4709 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4710 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4711 }
4712
4713 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
4714
4715 /* Did we already try/start sending HelloRequest? */
4716 if (ssl->out_left != 0) {
4717 return mbedtls_ssl_flush_output(ssl);
4718 }
4719
4720 return ssl_write_hello_request(ssl);
4721 }
4722 #endif /* MBEDTLS_SSL_SRV_C */
4723
4724 #if defined(MBEDTLS_SSL_CLI_C)
4725 /*
4726 * On client, either start the renegotiation process or,
4727 * if already in progress, continue the handshake
4728 */
4729 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
4730 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4731 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4732 }
4733
4734 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
4735 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
4736 return ret;
4737 }
4738 } else {
4739 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4740 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4741 return ret;
4742 }
4743 }
4744 #endif /* MBEDTLS_SSL_CLI_C */
4745
4746 return ret;
4747 }
4748 #endif /* MBEDTLS_SSL_RENEGOTIATION */
4749
mbedtls_ssl_handshake_free(mbedtls_ssl_context * ssl)4750 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
4751 {
4752 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
4753
4754 if (handshake == NULL) {
4755 return;
4756 }
4757
4758 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
4759 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4760 if (ssl->handshake->group_list_heap_allocated) {
4761 mbedtls_free((void *) handshake->group_list);
4762 }
4763 handshake->group_list = NULL;
4764 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4765 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
4766
4767 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
4768 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4769 if (ssl->handshake->sig_algs_heap_allocated) {
4770 mbedtls_free((void *) handshake->sig_algs);
4771 }
4772 handshake->sig_algs = NULL;
4773 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4774 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4775 if (ssl->handshake->certificate_request_context) {
4776 mbedtls_free((void *) handshake->certificate_request_context);
4777 }
4778 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4779 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
4780
4781 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4782 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
4783 ssl->conf->f_async_cancel(ssl);
4784 handshake->async_in_progress = 0;
4785 }
4786 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4787
4788 #if defined(MBEDTLS_MD_CAN_SHA256)
4789 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4790 psa_hash_abort(&handshake->fin_sha256_psa);
4791 #else
4792 mbedtls_md_free(&handshake->fin_sha256);
4793 #endif
4794 #endif
4795 #if defined(MBEDTLS_MD_CAN_SHA384)
4796 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4797 psa_hash_abort(&handshake->fin_sha384_psa);
4798 #else
4799 mbedtls_md_free(&handshake->fin_sha384);
4800 #endif
4801 #endif
4802
4803 #if defined(MBEDTLS_DHM_C)
4804 mbedtls_dhm_free(&handshake->dhm_ctx);
4805 #endif
4806 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
4807 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
4808 mbedtls_ecdh_free(&handshake->ecdh_ctx);
4809 #endif
4810
4811 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4812 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4813 psa_pake_abort(&handshake->psa_pake_ctx);
4814 /*
4815 * Opaque keys are not stored in the handshake's data and it's the user
4816 * responsibility to destroy them. Clear ones, instead, are created by
4817 * the TLS library and should be destroyed at the same level
4818 */
4819 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
4820 psa_destroy_key(handshake->psa_pake_password);
4821 }
4822 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
4823 #else
4824 mbedtls_ecjpake_free(&handshake->ecjpake_ctx);
4825 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4826 #if defined(MBEDTLS_SSL_CLI_C)
4827 mbedtls_free(handshake->ecjpake_cache);
4828 handshake->ecjpake_cache = NULL;
4829 handshake->ecjpake_cache_len = 0;
4830 #endif
4831 #endif
4832
4833 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
4834 defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
4835 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4836 /* explicit void pointer cast for buggy MS compiler */
4837 mbedtls_free((void *) handshake->curves_tls_id);
4838 #endif
4839
4840 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
4841 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4842 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
4843 /* The maintenance of the external PSK key slot is the
4844 * user's responsibility. */
4845 if (ssl->handshake->psk_opaque_is_internal) {
4846 psa_destroy_key(ssl->handshake->psk_opaque);
4847 ssl->handshake->psk_opaque_is_internal = 0;
4848 }
4849 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
4850 }
4851 #else
4852 if (handshake->psk != NULL) {
4853 mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len);
4854 }
4855 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4856 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
4857
4858 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4859 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4860 /*
4861 * Free only the linked list wrapper, not the keys themselves
4862 * since the belong to the SNI callback
4863 */
4864 ssl_key_cert_free(handshake->sni_key_cert);
4865 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
4866
4867 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4868 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
4869 if (handshake->ecrs_peer_cert != NULL) {
4870 mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
4871 mbedtls_free(handshake->ecrs_peer_cert);
4872 }
4873 #endif
4874
4875 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4876 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4877 mbedtls_pk_free(&handshake->peer_pubkey);
4878 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4879
4880 #if defined(MBEDTLS_SSL_CLI_C) && \
4881 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
4882 mbedtls_free(handshake->cookie);
4883 #endif /* MBEDTLS_SSL_CLI_C &&
4884 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
4885
4886 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4887 mbedtls_ssl_flight_free(handshake->flight);
4888 mbedtls_ssl_buffering_free(ssl);
4889 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4890
4891 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
4892 if (handshake->xxdh_psa_privkey_is_external == 0) {
4893 psa_destroy_key(handshake->xxdh_psa_privkey);
4894 }
4895 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
4896
4897 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4898 mbedtls_ssl_transform_free(handshake->transform_handshake);
4899 mbedtls_free(handshake->transform_handshake);
4900 #if defined(MBEDTLS_SSL_EARLY_DATA)
4901 mbedtls_ssl_transform_free(handshake->transform_earlydata);
4902 mbedtls_free(handshake->transform_earlydata);
4903 #endif
4904 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4905
4906
4907 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4908 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
4909 * processes datagrams and the fact that a datagram is allowed to have
4910 * several records in it, it is possible that the I/O buffers are not
4911 * empty at this stage */
4912 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
4913 mbedtls_ssl_get_output_buflen(ssl));
4914 #endif
4915
4916 /* mbedtls_platform_zeroize MUST be last one in this function */
4917 mbedtls_platform_zeroize(handshake,
4918 sizeof(mbedtls_ssl_handshake_params));
4919 }
4920
mbedtls_ssl_session_free(mbedtls_ssl_session * session)4921 void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
4922 {
4923 if (session == NULL) {
4924 return;
4925 }
4926
4927 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4928 ssl_clear_peer_cert(session);
4929 #endif
4930
4931 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4932 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
4933 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4934 mbedtls_free(session->hostname);
4935 #endif
4936 mbedtls_free(session->ticket);
4937 #endif
4938
4939 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \
4940 defined(MBEDTLS_SSL_SRV_C)
4941 mbedtls_free(session->ticket_alpn);
4942 #endif
4943
4944 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
4945 }
4946
4947 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
4948
4949 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4950 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
4951 #else
4952 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
4953 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4954
4955 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
4956
4957 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4958 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
4959 #else
4960 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
4961 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4962
4963 #if defined(MBEDTLS_SSL_ALPN)
4964 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
4965 #else
4966 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
4967 #endif /* MBEDTLS_SSL_ALPN */
4968
4969 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
4970 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
4971 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
4972 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
4973
4974 #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
4975 ((uint32_t) ( \
4976 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
4977 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
4978 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
4979 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
4980 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
4981 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
4982 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
4983 0u))
4984
4985 static const unsigned char ssl_serialized_context_header[] = {
4986 MBEDTLS_VERSION_MAJOR,
4987 MBEDTLS_VERSION_MINOR,
4988 MBEDTLS_VERSION_PATCH,
4989 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4990 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4991 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4992 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4993 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4994 };
4995
4996 /*
4997 * Serialize a full SSL context
4998 *
4999 * The format of the serialized data is:
5000 * (in the presentation language of TLS, RFC 8446 section 3)
5001 *
5002 * // header
5003 * opaque mbedtls_version[3]; // major, minor, patch
5004 * opaque context_format[5]; // version-specific field determining
5005 * // the format of the remaining
5006 * // serialized data.
5007 * Note: When updating the format, remember to keep these
5008 * version+format bytes. (We may make their size part of the API.)
5009 *
5010 * // session sub-structure
5011 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
5012 * // transform sub-structure
5013 * uint8 random[64]; // ServerHello.random+ClientHello.random
5014 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
5015 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
5016 * // fields from ssl_context
5017 * uint32 badmac_seen; // DTLS: number of records with failing MAC
5018 * uint64 in_window_top; // DTLS: last validated record seq_num
5019 * uint64 in_window; // DTLS: bitmask for replay protection
5020 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
5021 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
5022 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
5023 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
5024 *
5025 * Note that many fields of the ssl_context or sub-structures are not
5026 * serialized, as they fall in one of the following categories:
5027 *
5028 * 1. forced value (eg in_left must be 0)
5029 * 2. pointer to dynamically-allocated memory (eg session, transform)
5030 * 3. value can be re-derived from other data (eg session keys from MS)
5031 * 4. value was temporary (eg content of input buffer)
5032 * 5. value will be provided by the user again (eg I/O callbacks and context)
5033 */
mbedtls_ssl_context_save(mbedtls_ssl_context * ssl,unsigned char * buf,size_t buf_len,size_t * olen)5034 int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
5035 unsigned char *buf,
5036 size_t buf_len,
5037 size_t *olen)
5038 {
5039 unsigned char *p = buf;
5040 size_t used = 0;
5041 size_t session_len;
5042 int ret = 0;
5043
5044 /*
5045 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
5046 * this function's documentation.
5047 *
5048 * These are due to assumptions/limitations in the implementation. Some of
5049 * them are likely to stay (no handshake in progress) some might go away
5050 * (only DTLS) but are currently used to simplify the implementation.
5051 */
5052 /* The initial handshake must be over */
5053 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
5054 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
5055 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5056 }
5057 if (ssl->handshake != NULL) {
5058 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
5059 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5060 }
5061 /* Double-check that sub-structures are indeed ready */
5062 if (ssl->transform == NULL || ssl->session == NULL) {
5063 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
5064 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5065 }
5066 /* There must be no pending incoming or outgoing data */
5067 if (mbedtls_ssl_check_pending(ssl) != 0) {
5068 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
5069 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5070 }
5071 if (ssl->out_left != 0) {
5072 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
5073 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5074 }
5075 /* Protocol must be DTLS, not TLS */
5076 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5077 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
5078 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5079 }
5080 /* Version must be 1.2 */
5081 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
5082 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
5083 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5084 }
5085 /* We must be using an AEAD ciphersuite */
5086 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
5087 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
5088 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5089 }
5090 /* Renegotiation must not be enabled */
5091 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5092 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
5093 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
5094 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5095 }
5096 #endif
5097
5098 /*
5099 * Version and format identifier
5100 */
5101 used += sizeof(ssl_serialized_context_header);
5102
5103 if (used <= buf_len) {
5104 memcpy(p, ssl_serialized_context_header,
5105 sizeof(ssl_serialized_context_header));
5106 p += sizeof(ssl_serialized_context_header);
5107 }
5108
5109 /*
5110 * Session (length + data)
5111 */
5112 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
5113 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
5114 return ret;
5115 }
5116
5117 used += 4 + session_len;
5118 if (used <= buf_len) {
5119 MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
5120 p += 4;
5121
5122 ret = ssl_session_save(ssl->session, 1,
5123 p, session_len, &session_len);
5124 if (ret != 0) {
5125 return ret;
5126 }
5127
5128 p += session_len;
5129 }
5130
5131 /*
5132 * Transform
5133 */
5134 used += sizeof(ssl->transform->randbytes);
5135 if (used <= buf_len) {
5136 memcpy(p, ssl->transform->randbytes,
5137 sizeof(ssl->transform->randbytes));
5138 p += sizeof(ssl->transform->randbytes);
5139 }
5140
5141 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5142 used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
5143 if (used <= buf_len) {
5144 *p++ = ssl->transform->in_cid_len;
5145 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
5146 p += ssl->transform->in_cid_len;
5147
5148 *p++ = ssl->transform->out_cid_len;
5149 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
5150 p += ssl->transform->out_cid_len;
5151 }
5152 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5153
5154 /*
5155 * Saved fields from top-level ssl_context structure
5156 */
5157 used += 4;
5158 if (used <= buf_len) {
5159 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0);
5160 p += 4;
5161 }
5162
5163 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5164 used += 16;
5165 if (used <= buf_len) {
5166 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
5167 p += 8;
5168
5169 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
5170 p += 8;
5171 }
5172 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5173
5174 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5175 used += 1;
5176 if (used <= buf_len) {
5177 *p++ = ssl->disable_datagram_packing;
5178 }
5179 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5180
5181 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5182 if (used <= buf_len) {
5183 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
5184 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5185 }
5186
5187 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5188 used += 2;
5189 if (used <= buf_len) {
5190 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
5191 p += 2;
5192 }
5193 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5194
5195 #if defined(MBEDTLS_SSL_ALPN)
5196 {
5197 const uint8_t alpn_len = ssl->alpn_chosen
5198 ? (uint8_t) strlen(ssl->alpn_chosen)
5199 : 0;
5200
5201 used += 1 + alpn_len;
5202 if (used <= buf_len) {
5203 *p++ = alpn_len;
5204
5205 if (ssl->alpn_chosen != NULL) {
5206 memcpy(p, ssl->alpn_chosen, alpn_len);
5207 p += alpn_len;
5208 }
5209 }
5210 }
5211 #endif /* MBEDTLS_SSL_ALPN */
5212
5213 /*
5214 * Done
5215 */
5216 *olen = used;
5217
5218 if (used > buf_len) {
5219 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
5220 }
5221
5222 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
5223
5224 return mbedtls_ssl_session_reset_int(ssl, 0);
5225 }
5226
5227 /*
5228 * Deserialize context, see mbedtls_ssl_context_save() for format.
5229 *
5230 * This internal version is wrapped by a public function that cleans up in
5231 * case of error.
5232 */
5233 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_context_load(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)5234 static int ssl_context_load(mbedtls_ssl_context *ssl,
5235 const unsigned char *buf,
5236 size_t len)
5237 {
5238 const unsigned char *p = buf;
5239 const unsigned char * const end = buf + len;
5240 size_t session_len;
5241 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5242 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5243 tls_prf_fn prf_func = NULL;
5244 #endif
5245
5246 /*
5247 * The context should have been freshly setup or reset.
5248 * Give the user an error in case of obvious misuse.
5249 * (Checking session is useful because it won't be NULL if we're
5250 * renegotiating, or if the user mistakenly loaded a session first.)
5251 */
5252 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
5253 ssl->session != NULL) {
5254 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5255 }
5256
5257 /*
5258 * We can't check that the config matches the initial one, but we can at
5259 * least check it matches the requirements for serializing.
5260 */
5261 if (
5262 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5263 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5264 #endif
5265 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
5266 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
5267 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2
5268 ) {
5269 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5270 }
5271
5272 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
5273
5274 /*
5275 * Check version identifier
5276 */
5277 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
5278 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5279 }
5280
5281 if (memcmp(p, ssl_serialized_context_header,
5282 sizeof(ssl_serialized_context_header)) != 0) {
5283 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
5284 }
5285 p += sizeof(ssl_serialized_context_header);
5286
5287 /*
5288 * Session
5289 */
5290 if ((size_t) (end - p) < 4) {
5291 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5292 }
5293
5294 session_len = MBEDTLS_GET_UINT32_BE(p, 0);
5295 p += 4;
5296
5297 /* This has been allocated by ssl_handshake_init(), called by
5298 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5299 ssl->session = ssl->session_negotiate;
5300 ssl->session_in = ssl->session;
5301 ssl->session_out = ssl->session;
5302 ssl->session_negotiate = NULL;
5303
5304 if ((size_t) (end - p) < session_len) {
5305 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5306 }
5307
5308 ret = ssl_session_load(ssl->session, 1, p, session_len);
5309 if (ret != 0) {
5310 mbedtls_ssl_session_free(ssl->session);
5311 return ret;
5312 }
5313
5314 p += session_len;
5315
5316 /*
5317 * Transform
5318 */
5319
5320 /* This has been allocated by ssl_handshake_init(), called by
5321 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5322 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5323 ssl->transform = ssl->transform_negotiate;
5324 ssl->transform_in = ssl->transform;
5325 ssl->transform_out = ssl->transform;
5326 ssl->transform_negotiate = NULL;
5327 #endif
5328
5329 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5330 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
5331 if (prf_func == NULL) {
5332 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5333 }
5334
5335 /* Read random bytes and populate structure */
5336 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
5337 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5338 }
5339
5340 ret = ssl_tls12_populate_transform(ssl->transform,
5341 ssl->session->ciphersuite,
5342 ssl->session->master,
5343 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
5344 ssl->session->encrypt_then_mac,
5345 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
5346 prf_func,
5347 p, /* currently pointing to randbytes */
5348 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
5349 ssl->conf->endpoint,
5350 ssl);
5351 if (ret != 0) {
5352 return ret;
5353 }
5354 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5355 p += sizeof(ssl->transform->randbytes);
5356
5357 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5358 /* Read connection IDs and store them */
5359 if ((size_t) (end - p) < 1) {
5360 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5361 }
5362
5363 ssl->transform->in_cid_len = *p++;
5364
5365 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
5366 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5367 }
5368
5369 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
5370 p += ssl->transform->in_cid_len;
5371
5372 ssl->transform->out_cid_len = *p++;
5373
5374 if ((size_t) (end - p) < ssl->transform->out_cid_len) {
5375 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5376 }
5377
5378 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
5379 p += ssl->transform->out_cid_len;
5380 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5381
5382 /*
5383 * Saved fields from top-level ssl_context structure
5384 */
5385 if ((size_t) (end - p) < 4) {
5386 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5387 }
5388
5389 ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
5390 p += 4;
5391
5392 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5393 if ((size_t) (end - p) < 16) {
5394 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5395 }
5396
5397 ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
5398 p += 8;
5399
5400 ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
5401 p += 8;
5402 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5403
5404 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5405 if ((size_t) (end - p) < 1) {
5406 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5407 }
5408
5409 ssl->disable_datagram_packing = *p++;
5410 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5411
5412 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
5413 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5414 }
5415 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
5416 p += sizeof(ssl->cur_out_ctr);
5417
5418 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5419 if ((size_t) (end - p) < 2) {
5420 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5421 }
5422
5423 ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0);
5424 p += 2;
5425 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5426
5427 #if defined(MBEDTLS_SSL_ALPN)
5428 {
5429 uint8_t alpn_len;
5430 const char **cur;
5431
5432 if ((size_t) (end - p) < 1) {
5433 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5434 }
5435
5436 alpn_len = *p++;
5437
5438 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
5439 /* alpn_chosen should point to an item in the configured list */
5440 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
5441 if (strlen(*cur) == alpn_len &&
5442 memcmp(p, *cur, alpn_len) == 0) {
5443 ssl->alpn_chosen = *cur;
5444 break;
5445 }
5446 }
5447 }
5448
5449 /* can only happen on conf mismatch */
5450 if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
5451 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5452 }
5453
5454 p += alpn_len;
5455 }
5456 #endif /* MBEDTLS_SSL_ALPN */
5457
5458 /*
5459 * Forced fields from top-level ssl_context structure
5460 *
5461 * Most of them already set to the correct value by mbedtls_ssl_init() and
5462 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
5463 */
5464 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
5465 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5466
5467 /* Adjust pointers for header fields of outgoing records to
5468 * the given transform, accounting for explicit IV and CID. */
5469 mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
5470
5471 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5472 ssl->in_epoch = 1;
5473 #endif
5474
5475 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
5476 * which we don't want - otherwise we'd end up freeing the wrong transform
5477 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
5478 * inappropriately. */
5479 if (ssl->handshake != NULL) {
5480 mbedtls_ssl_handshake_free(ssl);
5481 mbedtls_free(ssl->handshake);
5482 ssl->handshake = NULL;
5483 }
5484
5485 /*
5486 * Done - should have consumed entire buffer
5487 */
5488 if (p != end) {
5489 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5490 }
5491
5492 return 0;
5493 }
5494
5495 /*
5496 * Deserialize context: public wrapper for error cleaning
5497 */
mbedtls_ssl_context_load(mbedtls_ssl_context * context,const unsigned char * buf,size_t len)5498 int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
5499 const unsigned char *buf,
5500 size_t len)
5501 {
5502 int ret = ssl_context_load(context, buf, len);
5503
5504 if (ret != 0) {
5505 mbedtls_ssl_free(context);
5506 }
5507
5508 return ret;
5509 }
5510 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
5511
5512 /*
5513 * Free an SSL context
5514 */
mbedtls_ssl_free(mbedtls_ssl_context * ssl)5515 void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
5516 {
5517 if (ssl == NULL) {
5518 return;
5519 }
5520
5521 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
5522
5523 if (ssl->out_buf != NULL) {
5524 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5525 size_t out_buf_len = ssl->out_buf_len;
5526 #else
5527 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
5528 #endif
5529
5530 mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len);
5531 ssl->out_buf = NULL;
5532 }
5533
5534 if (ssl->in_buf != NULL) {
5535 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5536 size_t in_buf_len = ssl->in_buf_len;
5537 #else
5538 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
5539 #endif
5540
5541 mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len);
5542 ssl->in_buf = NULL;
5543 }
5544
5545 if (ssl->transform) {
5546 mbedtls_ssl_transform_free(ssl->transform);
5547 mbedtls_free(ssl->transform);
5548 }
5549
5550 if (ssl->handshake) {
5551 mbedtls_ssl_handshake_free(ssl);
5552 mbedtls_free(ssl->handshake);
5553
5554 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5555 mbedtls_ssl_transform_free(ssl->transform_negotiate);
5556 mbedtls_free(ssl->transform_negotiate);
5557 #endif
5558
5559 mbedtls_ssl_session_free(ssl->session_negotiate);
5560 mbedtls_free(ssl->session_negotiate);
5561 }
5562
5563 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5564 mbedtls_ssl_transform_free(ssl->transform_application);
5565 mbedtls_free(ssl->transform_application);
5566 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5567
5568 if (ssl->session) {
5569 mbedtls_ssl_session_free(ssl->session);
5570 mbedtls_free(ssl->session);
5571 }
5572
5573 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5574 if (ssl->hostname != NULL) {
5575 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
5576 }
5577 #endif
5578
5579 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5580 mbedtls_free(ssl->cli_id);
5581 #endif
5582
5583 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
5584
5585 /* Actually clear after last debug message */
5586 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
5587 }
5588
5589 /*
5590 * Initialize mbedtls_ssl_config
5591 */
mbedtls_ssl_config_init(mbedtls_ssl_config * conf)5592 void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
5593 {
5594 memset(conf, 0, sizeof(mbedtls_ssl_config));
5595 }
5596
5597 /* The selection should be the same as mbedtls_x509_crt_profile_default in
5598 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
5599 * curves with a lower resource usage come first.
5600 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
5601 * about this list.
5602 */
5603 static const uint16_t ssl_preset_default_groups[] = {
5604 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
5605 MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
5606 #endif
5607 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5608 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5609 #endif
5610 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5611 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5612 #endif
5613 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
5614 MBEDTLS_SSL_IANA_TLS_GROUP_X448,
5615 #endif
5616 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
5617 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
5618 #endif
5619 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
5620 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
5621 #endif
5622 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
5623 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
5624 #endif
5625 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
5626 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
5627 #endif
5628 #if defined(PSA_WANT_ALG_FFDH)
5629 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
5630 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
5631 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
5632 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144,
5633 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192,
5634 #endif
5635 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5636 };
5637
5638 static const int ssl_preset_suiteb_ciphersuites[] = {
5639 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
5640 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
5641 0
5642 };
5643
5644 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5645
5646 /* NOTICE:
5647 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
5648 * rules SHOULD be upheld.
5649 * - No duplicate entries.
5650 * - But if there is a good reason, do not change the order of the algorithms.
5651 * - ssl_tls12_preset* is for TLS 1.2 use only.
5652 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
5653 */
5654 static const uint16_t ssl_preset_default_sig_algs[] = {
5655
5656 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5657 defined(MBEDTLS_MD_CAN_SHA256) && \
5658 defined(PSA_WANT_ECC_SECP_R1_256)
5659 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5660 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5661 #endif
5662
5663 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5664 defined(MBEDTLS_MD_CAN_SHA384) && \
5665 defined(PSA_WANT_ECC_SECP_R1_384)
5666 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5667 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5668 #endif
5669
5670 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5671 defined(MBEDTLS_MD_CAN_SHA512) && \
5672 defined(PSA_WANT_ECC_SECP_R1_521)
5673 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
5674 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
5675 #endif
5676
5677 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
5678 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5679 #endif
5680
5681 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384)
5682 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5683 #endif
5684
5685 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
5686 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5687 #endif
5688
5689 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
5690 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
5691 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
5692
5693 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
5694 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
5695 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
5696
5697 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
5698 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
5699 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
5700
5701 MBEDTLS_TLS_SIG_NONE
5702 };
5703
5704 /* NOTICE: see above */
5705 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5706 static uint16_t ssl_tls12_preset_default_sig_algs[] = {
5707
5708 #if defined(MBEDTLS_MD_CAN_SHA512)
5709 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5710 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
5711 #endif
5712 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5713 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5714 #endif
5715 #if defined(MBEDTLS_RSA_C)
5716 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
5717 #endif
5718 #endif /* MBEDTLS_MD_CAN_SHA512 */
5719
5720 #if defined(MBEDTLS_MD_CAN_SHA384)
5721 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5722 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5723 #endif
5724 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5725 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5726 #endif
5727 #if defined(MBEDTLS_RSA_C)
5728 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
5729 #endif
5730 #endif /* MBEDTLS_MD_CAN_SHA384 */
5731
5732 #if defined(MBEDTLS_MD_CAN_SHA256)
5733 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5734 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5735 #endif
5736 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5737 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5738 #endif
5739 #if defined(MBEDTLS_RSA_C)
5740 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
5741 #endif
5742 #endif /* MBEDTLS_MD_CAN_SHA256 */
5743
5744 MBEDTLS_TLS_SIG_NONE
5745 };
5746 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5747
5748 /* NOTICE: see above */
5749 static const uint16_t ssl_preset_suiteb_sig_algs[] = {
5750
5751 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5752 defined(MBEDTLS_MD_CAN_SHA256) && \
5753 defined(MBEDTLS_ECP_HAVE_SECP256R1)
5754 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5755 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5756 #endif
5757
5758 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5759 defined(MBEDTLS_MD_CAN_SHA384) && \
5760 defined(MBEDTLS_ECP_HAVE_SECP384R1)
5761 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5762 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5763 #endif
5764
5765 MBEDTLS_TLS_SIG_NONE
5766 };
5767
5768 /* NOTICE: see above */
5769 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5770 static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
5771
5772 #if defined(MBEDTLS_MD_CAN_SHA256)
5773 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5774 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5775 #endif
5776 #endif /* MBEDTLS_MD_CAN_SHA256 */
5777
5778 #if defined(MBEDTLS_MD_CAN_SHA384)
5779 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5780 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5781 #endif
5782 #endif /* MBEDTLS_MD_CAN_SHA384 */
5783
5784 MBEDTLS_TLS_SIG_NONE
5785 };
5786 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5787
5788 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5789
5790 static const uint16_t ssl_preset_suiteb_groups[] = {
5791 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5792 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5793 #endif
5794 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5795 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5796 #endif
5797 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5798 };
5799
5800 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5801 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
5802 * to make sure there are no duplicated signature algorithm entries. */
5803 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_no_sig_alg_duplication(const uint16_t * sig_algs)5804 static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
5805 {
5806 size_t i, j;
5807 int ret = 0;
5808
5809 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
5810 for (j = 0; j < i; j++) {
5811 if (sig_algs[i] != sig_algs[j]) {
5812 continue;
5813 }
5814 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
5815 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
5816 sig_algs[i], j, i);
5817 ret = -1;
5818 }
5819 }
5820 return ret;
5821 }
5822
5823 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5824
5825 /*
5826 * Load default in mbedtls_ssl_config
5827 */
mbedtls_ssl_config_defaults(mbedtls_ssl_config * conf,int endpoint,int transport,int preset)5828 int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
5829 int endpoint, int transport, int preset)
5830 {
5831 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5833 #endif
5834
5835 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5836 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
5837 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
5838 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5839 }
5840
5841 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
5842 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
5843 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5844 }
5845
5846 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5847 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
5848 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
5849 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5850 }
5851
5852 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
5853 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
5854 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5855 }
5856 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5857 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5858
5859 /* Use the functions here so that they are covered in tests,
5860 * but otherwise access member directly for efficiency */
5861 mbedtls_ssl_conf_endpoint(conf, endpoint);
5862 mbedtls_ssl_conf_transport(conf, transport);
5863
5864 /*
5865 * Things that are common to all presets
5866 */
5867 #if defined(MBEDTLS_SSL_CLI_C)
5868 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
5869 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
5870 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
5871 mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
5872 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5873 /* Contrary to TLS 1.2 tickets, TLS 1.3 NewSessionTicket message
5874 * handling is disabled by default in Mbed TLS 3.6.x for backward
5875 * compatibility with client applications developed using Mbed TLS 3.5
5876 * or earlier with the default configuration.
5877 *
5878 * Up to Mbed TLS 3.5, in the default configuration TLS 1.3 was
5879 * disabled, and a Mbed TLS client with the default configuration would
5880 * establish a TLS 1.2 connection with a TLS 1.2 and TLS 1.3 capable
5881 * server.
5882 *
5883 * Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled by default, and thus
5884 * an Mbed TLS client with the default configuration establishes a
5885 * TLS 1.3 connection with a TLS 1.2 and TLS 1.3 capable server. If
5886 * following the handshake the TLS 1.3 server sends NewSessionTicket
5887 * messages and the Mbed TLS client processes them, this results in
5888 * Mbed TLS high level APIs (mbedtls_ssl_read(),
5889 * mbedtls_ssl_handshake(), ...) to eventually return an
5890 * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET non fatal error code
5891 * (see the documentation of mbedtls_ssl_read() for more information on
5892 * that error code). Applications unaware of that TLS 1.3 specific non
5893 * fatal error code are then failing.
5894 */
5895 mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
5896 conf, MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED);
5897 #endif
5898 #endif
5899 }
5900 #endif
5901
5902 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5903 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
5904 #endif
5905
5906 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
5907 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
5908 #endif
5909
5910 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5911 conf->f_cookie_write = ssl_cookie_write_dummy;
5912 conf->f_cookie_check = ssl_cookie_check_dummy;
5913 #endif
5914
5915 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5916 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
5917 #endif
5918
5919 #if defined(MBEDTLS_SSL_SRV_C)
5920 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
5921 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
5922 #endif
5923
5924 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5925 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
5926 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
5927 #endif
5928
5929 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5930 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
5931 memset(conf->renego_period, 0x00, 2);
5932 memset(conf->renego_period + 2, 0xFF, 6);
5933 #endif
5934
5935 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5936 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
5937 const unsigned char dhm_p[] =
5938 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
5939 const unsigned char dhm_g[] =
5940 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
5941
5942 if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
5943 dhm_p, sizeof(dhm_p),
5944 dhm_g, sizeof(dhm_g))) != 0) {
5945 return ret;
5946 }
5947 }
5948 #endif
5949
5950 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5951
5952 #if defined(MBEDTLS_SSL_EARLY_DATA)
5953 mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
5954 #if defined(MBEDTLS_SSL_SRV_C)
5955 mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
5956 #endif
5957 #endif /* MBEDTLS_SSL_EARLY_DATA */
5958
5959 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
5960 mbedtls_ssl_conf_new_session_tickets(
5961 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS);
5962 #endif
5963 /*
5964 * Allow all TLS 1.3 key exchange modes by default.
5965 */
5966 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
5967 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5968
5969 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5970 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5971 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5972 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5973 #else
5974 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5975 #endif
5976 } else {
5977 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
5978 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5979 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5980 #elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
5981 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5982 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5983 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
5984 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5985 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5986 #else
5987 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5988 #endif
5989 }
5990
5991 /*
5992 * Preset-specific defaults
5993 */
5994 switch (preset) {
5995 /*
5996 * NSA Suite B
5997 */
5998 case MBEDTLS_SSL_PRESET_SUITEB:
5999
6000 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
6001
6002 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6003 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
6004 #endif
6005
6006 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6007 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6008 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
6009 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
6010 } else
6011 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6012 conf->sig_algs = ssl_preset_suiteb_sig_algs;
6013 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6014
6015 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6016 conf->curve_list = NULL;
6017 #endif
6018 conf->group_list = ssl_preset_suiteb_groups;
6019 break;
6020
6021 /*
6022 * Default
6023 */
6024 default:
6025
6026 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
6027
6028 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6029 conf->cert_profile = &mbedtls_x509_crt_profile_default;
6030 #endif
6031
6032 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6033 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6034 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
6035 conf->sig_algs = ssl_tls12_preset_default_sig_algs;
6036 } else
6037 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6038 conf->sig_algs = ssl_preset_default_sig_algs;
6039 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6040
6041 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6042 conf->curve_list = NULL;
6043 #endif
6044 conf->group_list = ssl_preset_default_groups;
6045
6046 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
6047 conf->dhm_min_bitlen = 1024;
6048 #endif
6049 }
6050
6051 return 0;
6052 }
6053
6054 /*
6055 * Free mbedtls_ssl_config
6056 */
mbedtls_ssl_config_free(mbedtls_ssl_config * conf)6057 void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
6058 {
6059 if (conf == NULL) {
6060 return;
6061 }
6062
6063 #if defined(MBEDTLS_DHM_C)
6064 mbedtls_mpi_free(&conf->dhm_P);
6065 mbedtls_mpi_free(&conf->dhm_G);
6066 #endif
6067
6068 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
6069 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6070 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
6071 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
6072 }
6073 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6074 if (conf->psk != NULL) {
6075 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
6076 conf->psk = NULL;
6077 conf->psk_len = 0;
6078 }
6079
6080 if (conf->psk_identity != NULL) {
6081 mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len);
6082 conf->psk_identity = NULL;
6083 conf->psk_identity_len = 0;
6084 }
6085 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
6086
6087 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6088 ssl_key_cert_free(conf->key_cert);
6089 #endif
6090
6091 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
6092 }
6093
6094 #if defined(MBEDTLS_PK_C) && \
6095 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
6096 /*
6097 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
6098 */
mbedtls_ssl_sig_from_pk(mbedtls_pk_context * pk)6099 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
6100 {
6101 #if defined(MBEDTLS_RSA_C)
6102 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
6103 return MBEDTLS_SSL_SIG_RSA;
6104 }
6105 #endif
6106 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6107 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
6108 return MBEDTLS_SSL_SIG_ECDSA;
6109 }
6110 #endif
6111 return MBEDTLS_SSL_SIG_ANON;
6112 }
6113
mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)6114 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
6115 {
6116 switch (type) {
6117 case MBEDTLS_PK_RSA:
6118 return MBEDTLS_SSL_SIG_RSA;
6119 case MBEDTLS_PK_ECDSA:
6120 case MBEDTLS_PK_ECKEY:
6121 return MBEDTLS_SSL_SIG_ECDSA;
6122 default:
6123 return MBEDTLS_SSL_SIG_ANON;
6124 }
6125 }
6126
mbedtls_ssl_pk_alg_from_sig(unsigned char sig)6127 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
6128 {
6129 switch (sig) {
6130 #if defined(MBEDTLS_RSA_C)
6131 case MBEDTLS_SSL_SIG_RSA:
6132 return MBEDTLS_PK_RSA;
6133 #endif
6134 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6135 case MBEDTLS_SSL_SIG_ECDSA:
6136 return MBEDTLS_PK_ECDSA;
6137 #endif
6138 default:
6139 return MBEDTLS_PK_NONE;
6140 }
6141 }
6142 #endif /* MBEDTLS_PK_C &&
6143 ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
6144
6145 /*
6146 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
6147 */
mbedtls_ssl_md_alg_from_hash(unsigned char hash)6148 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
6149 {
6150 switch (hash) {
6151 #if defined(MBEDTLS_MD_CAN_MD5)
6152 case MBEDTLS_SSL_HASH_MD5:
6153 return MBEDTLS_MD_MD5;
6154 #endif
6155 #if defined(MBEDTLS_MD_CAN_SHA1)
6156 case MBEDTLS_SSL_HASH_SHA1:
6157 return MBEDTLS_MD_SHA1;
6158 #endif
6159 #if defined(MBEDTLS_MD_CAN_SHA224)
6160 case MBEDTLS_SSL_HASH_SHA224:
6161 return MBEDTLS_MD_SHA224;
6162 #endif
6163 #if defined(MBEDTLS_MD_CAN_SHA256)
6164 case MBEDTLS_SSL_HASH_SHA256:
6165 return MBEDTLS_MD_SHA256;
6166 #endif
6167 #if defined(MBEDTLS_MD_CAN_SHA384)
6168 case MBEDTLS_SSL_HASH_SHA384:
6169 return MBEDTLS_MD_SHA384;
6170 #endif
6171 #if defined(MBEDTLS_MD_CAN_SHA512)
6172 case MBEDTLS_SSL_HASH_SHA512:
6173 return MBEDTLS_MD_SHA512;
6174 #endif
6175 default:
6176 return MBEDTLS_MD_NONE;
6177 }
6178 }
6179
6180 /*
6181 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
6182 */
mbedtls_ssl_hash_from_md_alg(int md)6183 unsigned char mbedtls_ssl_hash_from_md_alg(int md)
6184 {
6185 switch (md) {
6186 #if defined(MBEDTLS_MD_CAN_MD5)
6187 case MBEDTLS_MD_MD5:
6188 return MBEDTLS_SSL_HASH_MD5;
6189 #endif
6190 #if defined(MBEDTLS_MD_CAN_SHA1)
6191 case MBEDTLS_MD_SHA1:
6192 return MBEDTLS_SSL_HASH_SHA1;
6193 #endif
6194 #if defined(MBEDTLS_MD_CAN_SHA224)
6195 case MBEDTLS_MD_SHA224:
6196 return MBEDTLS_SSL_HASH_SHA224;
6197 #endif
6198 #if defined(MBEDTLS_MD_CAN_SHA256)
6199 case MBEDTLS_MD_SHA256:
6200 return MBEDTLS_SSL_HASH_SHA256;
6201 #endif
6202 #if defined(MBEDTLS_MD_CAN_SHA384)
6203 case MBEDTLS_MD_SHA384:
6204 return MBEDTLS_SSL_HASH_SHA384;
6205 #endif
6206 #if defined(MBEDTLS_MD_CAN_SHA512)
6207 case MBEDTLS_MD_SHA512:
6208 return MBEDTLS_SSL_HASH_SHA512;
6209 #endif
6210 default:
6211 return MBEDTLS_SSL_HASH_NONE;
6212 }
6213 }
6214
6215 /*
6216 * Check if a curve proposed by the peer is in our list.
6217 * Return 0 if we're willing to use it, -1 otherwise.
6218 */
mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context * ssl,uint16_t tls_id)6219 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id)
6220 {
6221 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
6222
6223 if (group_list == NULL) {
6224 return -1;
6225 }
6226
6227 for (; *group_list != 0; group_list++) {
6228 if (*group_list == tls_id) {
6229 return 0;
6230 }
6231 }
6232
6233 return -1;
6234 }
6235
6236 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
6237 /*
6238 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
6239 */
mbedtls_ssl_check_curve(const mbedtls_ssl_context * ssl,mbedtls_ecp_group_id grp_id)6240 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
6241 {
6242 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
6243
6244 if (tls_id == 0) {
6245 return -1;
6246 }
6247
6248 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
6249 }
6250 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
6251
6252 static const struct {
6253 uint16_t tls_id;
6254 mbedtls_ecp_group_id ecp_group_id;
6255 psa_ecc_family_t psa_family;
6256 uint16_t bits;
6257 } tls_id_match_table[] =
6258 {
6259 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
6260 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
6261 #endif
6262 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
6263 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
6264 #endif
6265 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
6266 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
6267 #endif
6268 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
6269 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
6270 #endif
6271 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
6272 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
6273 #endif
6274 #if defined(MBEDTLS_ECP_HAVE_SECP256K1)
6275 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
6276 #endif
6277 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
6278 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
6279 #endif
6280 #if defined(MBEDTLS_ECP_HAVE_SECP224R1)
6281 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
6282 #endif
6283 #if defined(MBEDTLS_ECP_HAVE_SECP224K1)
6284 { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
6285 #endif
6286 #if defined(MBEDTLS_ECP_HAVE_SECP192R1)
6287 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
6288 #endif
6289 #if defined(MBEDTLS_ECP_HAVE_SECP192K1)
6290 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
6291 #endif
6292 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
6293 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
6294 #endif
6295 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
6296 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
6297 #endif
6298 { 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
6299 };
6300
mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,psa_key_type_t * type,size_t * bits)6301 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
6302 psa_key_type_t *type,
6303 size_t *bits)
6304 {
6305 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
6306 if (tls_id_match_table[i].tls_id == tls_id) {
6307 if (type != NULL) {
6308 *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
6309 }
6310 if (bits != NULL) {
6311 *bits = tls_id_match_table[i].bits;
6312 }
6313 return PSA_SUCCESS;
6314 }
6315 }
6316
6317 return PSA_ERROR_NOT_SUPPORTED;
6318 }
6319
mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)6320 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
6321 {
6322 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
6323 if (tls_id_match_table[i].tls_id == tls_id) {
6324 return tls_id_match_table[i].ecp_group_id;
6325 }
6326 }
6327
6328 return MBEDTLS_ECP_DP_NONE;
6329 }
6330
mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)6331 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
6332 {
6333 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
6334 i++) {
6335 if (tls_id_match_table[i].ecp_group_id == grp_id) {
6336 return tls_id_match_table[i].tls_id;
6337 }
6338 }
6339
6340 return 0;
6341 }
6342
6343 #if defined(MBEDTLS_DEBUG_C)
6344 static const struct {
6345 uint16_t tls_id;
6346 const char *name;
6347 } tls_id_curve_name_table[] =
6348 {
6349 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },
6350 { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },
6351 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },
6352 { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },
6353 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
6354 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
6355 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
6356 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
6357 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
6358 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
6359 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
6360 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
6361 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
6362 { 0, NULL },
6363 };
6364
mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)6365 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
6366 {
6367 for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) {
6368 if (tls_id_curve_name_table[i].tls_id == tls_id) {
6369 return tls_id_curve_name_table[i].name;
6370 }
6371 }
6372
6373 return NULL;
6374 }
6375 #endif
6376
6377 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)6378 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
6379 const mbedtls_md_type_t md,
6380 unsigned char *dst,
6381 size_t dst_len,
6382 size_t *olen)
6383 {
6384 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6385 psa_hash_operation_t *hash_operation_to_clone;
6386 psa_hash_operation_t hash_operation = psa_hash_operation_init();
6387
6388 *olen = 0;
6389
6390 switch (md) {
6391 #if defined(MBEDTLS_MD_CAN_SHA384)
6392 case MBEDTLS_MD_SHA384:
6393 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
6394 break;
6395 #endif
6396
6397 #if defined(MBEDTLS_MD_CAN_SHA256)
6398 case MBEDTLS_MD_SHA256:
6399 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
6400 break;
6401 #endif
6402
6403 default:
6404 goto exit;
6405 }
6406
6407 status = psa_hash_clone(hash_operation_to_clone, &hash_operation);
6408 if (status != PSA_SUCCESS) {
6409 goto exit;
6410 }
6411
6412 status = psa_hash_finish(&hash_operation, dst, dst_len, olen);
6413 if (status != PSA_SUCCESS) {
6414 goto exit;
6415 }
6416
6417 exit:
6418 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
6419 !defined(MBEDTLS_MD_CAN_SHA256)
6420 (void) ssl;
6421 #endif
6422 return PSA_TO_MBEDTLS_ERR(status);
6423 }
6424 #else /* MBEDTLS_USE_PSA_CRYPTO */
6425
6426 #if defined(MBEDTLS_MD_CAN_SHA384)
6427 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha384(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)6428 static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl,
6429 unsigned char *dst,
6430 size_t dst_len,
6431 size_t *olen)
6432 {
6433 int ret;
6434 mbedtls_md_context_t sha384;
6435
6436 if (dst_len < 48) {
6437 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6438 }
6439
6440 mbedtls_md_init(&sha384);
6441 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
6442 if (ret != 0) {
6443 goto exit;
6444 }
6445 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
6446 if (ret != 0) {
6447 goto exit;
6448 }
6449
6450 if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) {
6451 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
6452 goto exit;
6453 }
6454
6455 *olen = 48;
6456
6457 exit:
6458
6459 mbedtls_md_free(&sha384);
6460 return ret;
6461 }
6462 #endif /* MBEDTLS_MD_CAN_SHA384 */
6463
6464 #if defined(MBEDTLS_MD_CAN_SHA256)
6465 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha256(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)6466 static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl,
6467 unsigned char *dst,
6468 size_t dst_len,
6469 size_t *olen)
6470 {
6471 int ret;
6472 mbedtls_md_context_t sha256;
6473
6474 if (dst_len < 32) {
6475 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6476 }
6477
6478 mbedtls_md_init(&sha256);
6479 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
6480 if (ret != 0) {
6481 goto exit;
6482 }
6483 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
6484 if (ret != 0) {
6485 goto exit;
6486 }
6487
6488 if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) {
6489 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
6490 goto exit;
6491 }
6492
6493 *olen = 32;
6494
6495 exit:
6496
6497 mbedtls_md_free(&sha256);
6498 return ret;
6499 }
6500 #endif /* MBEDTLS_MD_CAN_SHA256 */
6501
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)6502 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
6503 const mbedtls_md_type_t md,
6504 unsigned char *dst,
6505 size_t dst_len,
6506 size_t *olen)
6507 {
6508 switch (md) {
6509
6510 #if defined(MBEDTLS_MD_CAN_SHA384)
6511 case MBEDTLS_MD_SHA384:
6512 return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen);
6513 #endif /* MBEDTLS_MD_CAN_SHA384*/
6514
6515 #if defined(MBEDTLS_MD_CAN_SHA256)
6516 case MBEDTLS_MD_SHA256:
6517 return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen);
6518 #endif /* MBEDTLS_MD_CAN_SHA256*/
6519
6520 default:
6521 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
6522 !defined(MBEDTLS_MD_CAN_SHA256)
6523 (void) ssl;
6524 (void) dst;
6525 (void) dst_len;
6526 (void) olen;
6527 #endif
6528 break;
6529 }
6530 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6531 }
6532
6533 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
6534
6535 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6536 /* mbedtls_ssl_parse_sig_alg_ext()
6537 *
6538 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
6539 * value (TLS 1.3 RFC8446):
6540 * enum {
6541 * ....
6542 * ecdsa_secp256r1_sha256( 0x0403 ),
6543 * ecdsa_secp384r1_sha384( 0x0503 ),
6544 * ecdsa_secp521r1_sha512( 0x0603 ),
6545 * ....
6546 * } SignatureScheme;
6547 *
6548 * struct {
6549 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
6550 * } SignatureSchemeList;
6551 *
6552 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
6553 * value (TLS 1.2 RFC5246):
6554 * enum {
6555 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
6556 * sha512(6), (255)
6557 * } HashAlgorithm;
6558 *
6559 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
6560 * SignatureAlgorithm;
6561 *
6562 * struct {
6563 * HashAlgorithm hash;
6564 * SignatureAlgorithm signature;
6565 * } SignatureAndHashAlgorithm;
6566 *
6567 * SignatureAndHashAlgorithm
6568 * supported_signature_algorithms<2..2^16-2>;
6569 *
6570 * The TLS 1.3 signature algorithm extension was defined to be a compatible
6571 * generalization of the TLS 1.2 signature algorithm extension.
6572 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
6573 * `SignatureScheme` field of TLS 1.3
6574 *
6575 */
mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)6576 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
6577 const unsigned char *buf,
6578 const unsigned char *end)
6579 {
6580 const unsigned char *p = buf;
6581 size_t supported_sig_algs_len = 0;
6582 const unsigned char *supported_sig_algs_end;
6583 uint16_t sig_alg;
6584 uint32_t common_idx = 0;
6585
6586 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
6587 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0);
6588 p += 2;
6589
6590 memset(ssl->handshake->received_sig_algs, 0,
6591 sizeof(ssl->handshake->received_sig_algs));
6592
6593 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len);
6594 supported_sig_algs_end = p + supported_sig_algs_len;
6595 while (p < supported_sig_algs_end) {
6596 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2);
6597 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
6598 p += 2;
6599 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s",
6600 sig_alg,
6601 mbedtls_ssl_sig_alg_to_str(sig_alg)));
6602 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6603 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
6604 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) &&
6605 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) {
6606 continue;
6607 }
6608 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6609
6610 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s",
6611 mbedtls_ssl_sig_alg_to_str(sig_alg)));
6612
6613 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) {
6614 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
6615 common_idx += 1;
6616 }
6617 }
6618 /* Check that we consumed all the message. */
6619 if (p != end) {
6620 MBEDTLS_SSL_DEBUG_MSG(1,
6621 ("Signature algorithms extension length misaligned"));
6622 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
6623 MBEDTLS_ERR_SSL_DECODE_ERROR);
6624 return MBEDTLS_ERR_SSL_DECODE_ERROR;
6625 }
6626
6627 if (common_idx == 0) {
6628 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common"));
6629 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
6630 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
6631 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
6632 }
6633
6634 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
6635 return 0;
6636 }
6637
6638 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6639
6640 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6641
6642 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6643
setup_psa_key_derivation(psa_key_derivation_operation_t * derivation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,const unsigned char * raw_psk,size_t raw_psk_length,const unsigned char * seed,size_t seed_length,const unsigned char * label,size_t label_length,const unsigned char * other_secret,size_t other_secret_length,size_t capacity)6644 static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
6645 mbedtls_svc_key_id_t key,
6646 psa_algorithm_t alg,
6647 const unsigned char *raw_psk, size_t raw_psk_length,
6648 const unsigned char *seed, size_t seed_length,
6649 const unsigned char *label, size_t label_length,
6650 const unsigned char *other_secret,
6651 size_t other_secret_length,
6652 size_t capacity)
6653 {
6654 psa_status_t status;
6655
6656 status = psa_key_derivation_setup(derivation, alg);
6657 if (status != PSA_SUCCESS) {
6658 return status;
6659 }
6660
6661 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
6662 status = psa_key_derivation_input_bytes(derivation,
6663 PSA_KEY_DERIVATION_INPUT_SEED,
6664 seed, seed_length);
6665 if (status != PSA_SUCCESS) {
6666 return status;
6667 }
6668
6669 if (other_secret != NULL) {
6670 status = psa_key_derivation_input_bytes(derivation,
6671 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
6672 other_secret, other_secret_length);
6673 if (status != PSA_SUCCESS) {
6674 return status;
6675 }
6676 }
6677
6678 if (mbedtls_svc_key_id_is_null(key)) {
6679 status = psa_key_derivation_input_bytes(
6680 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
6681 raw_psk, raw_psk_length);
6682 } else {
6683 status = psa_key_derivation_input_key(
6684 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
6685 }
6686 if (status != PSA_SUCCESS) {
6687 return status;
6688 }
6689
6690 status = psa_key_derivation_input_bytes(derivation,
6691 PSA_KEY_DERIVATION_INPUT_LABEL,
6692 label, label_length);
6693 if (status != PSA_SUCCESS) {
6694 return status;
6695 }
6696 } else {
6697 return PSA_ERROR_NOT_SUPPORTED;
6698 }
6699
6700 status = psa_key_derivation_set_capacity(derivation, capacity);
6701 if (status != PSA_SUCCESS) {
6702 return status;
6703 }
6704
6705 return PSA_SUCCESS;
6706 }
6707
6708 #if defined(PSA_WANT_ALG_SHA_384) || \
6709 defined(PSA_WANT_ALG_SHA_256)
6710 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6711 static int tls_prf_generic(mbedtls_md_type_t md_type,
6712 const unsigned char *secret, size_t slen,
6713 const char *label,
6714 const unsigned char *random, size_t rlen,
6715 unsigned char *dstbuf, size_t dlen)
6716 {
6717 psa_status_t status;
6718 psa_algorithm_t alg;
6719 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
6720 psa_key_derivation_operation_t derivation =
6721 PSA_KEY_DERIVATION_OPERATION_INIT;
6722
6723 if (md_type == MBEDTLS_MD_SHA384) {
6724 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
6725 } else {
6726 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
6727 }
6728
6729 /* Normally a "secret" should be long enough to be impossible to
6730 * find by brute force, and in particular should not be empty. But
6731 * this PRF is also used to derive an IV, in particular in EAP-TLS,
6732 * and for this use case it makes sense to have a 0-length "secret".
6733 * Since the key API doesn't allow importing a key of length 0,
6734 * keep master_key=0, which setup_psa_key_derivation() understands
6735 * to mean a 0-length "secret" input. */
6736 if (slen != 0) {
6737 psa_key_attributes_t key_attributes = psa_key_attributes_init();
6738 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
6739 psa_set_key_algorithm(&key_attributes, alg);
6740 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
6741
6742 status = psa_import_key(&key_attributes, secret, slen, &master_key);
6743 if (status != PSA_SUCCESS) {
6744 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6745 }
6746 }
6747
6748 status = setup_psa_key_derivation(&derivation,
6749 master_key, alg,
6750 NULL, 0,
6751 random, rlen,
6752 (unsigned char const *) label,
6753 (size_t) strlen(label),
6754 NULL, 0,
6755 dlen);
6756 if (status != PSA_SUCCESS) {
6757 psa_key_derivation_abort(&derivation);
6758 psa_destroy_key(master_key);
6759 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6760 }
6761
6762 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
6763 if (status != PSA_SUCCESS) {
6764 psa_key_derivation_abort(&derivation);
6765 psa_destroy_key(master_key);
6766 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6767 }
6768
6769 status = psa_key_derivation_abort(&derivation);
6770 if (status != PSA_SUCCESS) {
6771 psa_destroy_key(master_key);
6772 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6773 }
6774
6775 if (!mbedtls_svc_key_id_is_null(master_key)) {
6776 status = psa_destroy_key(master_key);
6777 }
6778 if (status != PSA_SUCCESS) {
6779 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6780 }
6781
6782 return 0;
6783 }
6784 #endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
6785 #else /* MBEDTLS_USE_PSA_CRYPTO */
6786
6787 #if defined(MBEDTLS_MD_C) && \
6788 (defined(MBEDTLS_MD_CAN_SHA256) || \
6789 defined(MBEDTLS_MD_CAN_SHA384))
6790 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6791 static int tls_prf_generic(mbedtls_md_type_t md_type,
6792 const unsigned char *secret, size_t slen,
6793 const char *label,
6794 const unsigned char *random, size_t rlen,
6795 unsigned char *dstbuf, size_t dlen)
6796 {
6797 size_t nb;
6798 size_t i, j, k, md_len;
6799 unsigned char *tmp;
6800 size_t tmp_len = 0;
6801 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
6802 const mbedtls_md_info_t *md_info;
6803 mbedtls_md_context_t md_ctx;
6804 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6805
6806 mbedtls_md_init(&md_ctx);
6807
6808 if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) {
6809 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6810 }
6811
6812 md_len = mbedtls_md_get_size(md_info);
6813
6814 tmp_len = md_len + strlen(label) + rlen;
6815 tmp = mbedtls_calloc(1, tmp_len);
6816 if (tmp == NULL) {
6817 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
6818 goto exit;
6819 }
6820
6821 nb = strlen(label);
6822 memcpy(tmp + md_len, label, nb);
6823 memcpy(tmp + md_len + nb, random, rlen);
6824 nb += rlen;
6825
6826 /*
6827 * Compute P_<hash>(secret, label + random)[0..dlen]
6828 */
6829 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
6830 goto exit;
6831 }
6832
6833 ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen);
6834 if (ret != 0) {
6835 goto exit;
6836 }
6837 ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb);
6838 if (ret != 0) {
6839 goto exit;
6840 }
6841 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6842 if (ret != 0) {
6843 goto exit;
6844 }
6845
6846 for (i = 0; i < dlen; i += md_len) {
6847 ret = mbedtls_md_hmac_reset(&md_ctx);
6848 if (ret != 0) {
6849 goto exit;
6850 }
6851 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb);
6852 if (ret != 0) {
6853 goto exit;
6854 }
6855 ret = mbedtls_md_hmac_finish(&md_ctx, h_i);
6856 if (ret != 0) {
6857 goto exit;
6858 }
6859
6860 ret = mbedtls_md_hmac_reset(&md_ctx);
6861 if (ret != 0) {
6862 goto exit;
6863 }
6864 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len);
6865 if (ret != 0) {
6866 goto exit;
6867 }
6868 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6869 if (ret != 0) {
6870 goto exit;
6871 }
6872
6873 k = (i + md_len > dlen) ? dlen % md_len : md_len;
6874
6875 for (j = 0; j < k; j++) {
6876 dstbuf[i + j] = h_i[j];
6877 }
6878 }
6879
6880 exit:
6881 mbedtls_md_free(&md_ctx);
6882
6883 if (tmp != NULL) {
6884 mbedtls_platform_zeroize(tmp, tmp_len);
6885 }
6886
6887 mbedtls_platform_zeroize(h_i, sizeof(h_i));
6888
6889 mbedtls_free(tmp);
6890
6891 return ret;
6892 }
6893 #endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */
6894 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6895
6896 #if defined(MBEDTLS_MD_CAN_SHA256)
6897 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha256(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6898 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
6899 const char *label,
6900 const unsigned char *random, size_t rlen,
6901 unsigned char *dstbuf, size_t dlen)
6902 {
6903 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
6904 label, random, rlen, dstbuf, dlen);
6905 }
6906 #endif /* MBEDTLS_MD_CAN_SHA256*/
6907
6908 #if defined(MBEDTLS_MD_CAN_SHA384)
6909 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha384(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6910 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
6911 const char *label,
6912 const unsigned char *random, size_t rlen,
6913 unsigned char *dstbuf, size_t dlen)
6914 {
6915 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
6916 label, random, rlen, dstbuf, dlen);
6917 }
6918 #endif /* MBEDTLS_MD_CAN_SHA384*/
6919
6920 /*
6921 * Set appropriate PRF function and other SSL / TLS1.2 functions
6922 *
6923 * Inputs:
6924 * - hash associated with the ciphersuite (only used by TLS 1.2)
6925 *
6926 * Outputs:
6927 * - the tls_prf, calc_verify and calc_finished members of handshake structure
6928 */
6929 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_set_handshake_prfs(mbedtls_ssl_handshake_params * handshake,mbedtls_md_type_t hash)6930 static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
6931 mbedtls_md_type_t hash)
6932 {
6933 #if defined(MBEDTLS_MD_CAN_SHA384)
6934 if (hash == MBEDTLS_MD_SHA384) {
6935 handshake->tls_prf = tls_prf_sha384;
6936 handshake->calc_verify = ssl_calc_verify_tls_sha384;
6937 handshake->calc_finished = ssl_calc_finished_tls_sha384;
6938 } else
6939 #endif
6940 #if defined(MBEDTLS_MD_CAN_SHA256)
6941 {
6942 (void) hash;
6943 handshake->tls_prf = tls_prf_sha256;
6944 handshake->calc_verify = ssl_calc_verify_tls_sha256;
6945 handshake->calc_finished = ssl_calc_finished_tls_sha256;
6946 }
6947 #else
6948 {
6949 (void) handshake;
6950 (void) hash;
6951 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6952 }
6953 #endif
6954
6955 return 0;
6956 }
6957
6958 /*
6959 * Compute master secret if needed
6960 *
6961 * Parameters:
6962 * [in/out] handshake
6963 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
6964 * (PSA-PSK) ciphersuite_info, psk_opaque
6965 * [out] premaster (cleared)
6966 * [out] master
6967 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
6968 * debug: conf->f_dbg, conf->p_dbg
6969 * EMS: passed to calc_verify (debug + session_negotiate)
6970 * PSA-PSA: conf
6971 */
6972 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_compute_master(mbedtls_ssl_handshake_params * handshake,unsigned char * master,const mbedtls_ssl_context * ssl)6973 static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
6974 unsigned char *master,
6975 const mbedtls_ssl_context *ssl)
6976 {
6977 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6978
6979 /* cf. RFC 5246, Section 8.1:
6980 * "The master secret is always exactly 48 bytes in length." */
6981 size_t const master_secret_len = 48;
6982
6983 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6984 unsigned char session_hash[48];
6985 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
6986
6987 /* The label for the KDF used for key expansion.
6988 * This is either "master secret" or "extended master secret"
6989 * depending on whether the Extended Master Secret extension
6990 * is used. */
6991 char const *lbl = "master secret";
6992
6993 /* The seed for the KDF used for key expansion.
6994 * - If the Extended Master Secret extension is not used,
6995 * this is ClientHello.Random + ServerHello.Random
6996 * (see Sect. 8.1 in RFC 5246).
6997 * - If the Extended Master Secret extension is used,
6998 * this is the transcript of the handshake so far.
6999 * (see Sect. 4 in RFC 7627). */
7000 unsigned char const *seed = handshake->randbytes;
7001 size_t seed_len = 64;
7002
7003 #if !defined(MBEDTLS_DEBUG_C) && \
7004 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
7005 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
7006 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
7007 ssl = NULL; /* make sure we don't use it except for those cases */
7008 (void) ssl;
7009 #endif
7010
7011 if (handshake->resume != 0) {
7012 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
7013 return 0;
7014 }
7015
7016 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
7017 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
7018 lbl = "extended master secret";
7019 seed = session_hash;
7020 ret = handshake->calc_verify(ssl, session_hash, &seed_len);
7021 if (ret != 0) {
7022 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
7023 }
7024
7025 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
7026 session_hash, seed_len);
7027 }
7028 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
7029
7030 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
7031 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
7032 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) {
7033 /* Perform PSK-to-MS expansion in a single step. */
7034 psa_status_t status;
7035 psa_algorithm_t alg;
7036 mbedtls_svc_key_id_t psk;
7037 psa_key_derivation_operation_t derivation =
7038 PSA_KEY_DERIVATION_OPERATION_INIT;
7039 mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
7040
7041 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
7042
7043 psk = mbedtls_ssl_get_opaque_psk(ssl);
7044
7045 if (hash_alg == MBEDTLS_MD_SHA384) {
7046 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
7047 } else {
7048 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
7049 }
7050
7051 size_t other_secret_len = 0;
7052 unsigned char *other_secret = NULL;
7053
7054 switch (handshake->ciphersuite_info->key_exchange) {
7055 /* Provide other secret.
7056 * Other secret is stored in premaster, where first 2 bytes hold the
7057 * length of the other key.
7058 */
7059 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
7060 /* For RSA-PSK other key length is always 48 bytes. */
7061 other_secret_len = 48;
7062 other_secret = handshake->premaster + 2;
7063 break;
7064 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
7065 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
7066 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
7067 other_secret = handshake->premaster + 2;
7068 break;
7069 default:
7070 break;
7071 }
7072
7073 status = setup_psa_key_derivation(&derivation, psk, alg,
7074 ssl->conf->psk, ssl->conf->psk_len,
7075 seed, seed_len,
7076 (unsigned char const *) lbl,
7077 (size_t) strlen(lbl),
7078 other_secret, other_secret_len,
7079 master_secret_len);
7080 if (status != PSA_SUCCESS) {
7081 psa_key_derivation_abort(&derivation);
7082 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7083 }
7084
7085 status = psa_key_derivation_output_bytes(&derivation,
7086 master,
7087 master_secret_len);
7088 if (status != PSA_SUCCESS) {
7089 psa_key_derivation_abort(&derivation);
7090 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7091 }
7092
7093 status = psa_key_derivation_abort(&derivation);
7094 if (status != PSA_SUCCESS) {
7095 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7096 }
7097 } else
7098 #endif
7099 {
7100 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
7101 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
7102 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
7103 psa_status_t status;
7104 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
7105 psa_key_derivation_operation_t derivation =
7106 PSA_KEY_DERIVATION_OPERATION_INIT;
7107
7108 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE"));
7109
7110 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
7111
7112 status = psa_key_derivation_setup(&derivation, alg);
7113 if (status != PSA_SUCCESS) {
7114 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7115 }
7116
7117 status = psa_key_derivation_set_capacity(&derivation,
7118 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
7119 if (status != PSA_SUCCESS) {
7120 psa_key_derivation_abort(&derivation);
7121 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7122 }
7123
7124 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx,
7125 &derivation);
7126 if (status != PSA_SUCCESS) {
7127 psa_key_derivation_abort(&derivation);
7128 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7129 }
7130
7131 status = psa_key_derivation_output_bytes(&derivation,
7132 handshake->premaster,
7133 handshake->pmslen);
7134 if (status != PSA_SUCCESS) {
7135 psa_key_derivation_abort(&derivation);
7136 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7137 }
7138
7139 status = psa_key_derivation_abort(&derivation);
7140 if (status != PSA_SUCCESS) {
7141 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7142 }
7143 }
7144 #endif
7145 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
7146 lbl, seed, seed_len,
7147 master,
7148 master_secret_len);
7149 if (ret != 0) {
7150 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
7151 return ret;
7152 }
7153
7154 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
7155 handshake->premaster,
7156 handshake->pmslen);
7157
7158 mbedtls_platform_zeroize(handshake->premaster,
7159 sizeof(handshake->premaster));
7160 }
7161
7162 return 0;
7163 }
7164
mbedtls_ssl_derive_keys(mbedtls_ssl_context * ssl)7165 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
7166 {
7167 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7168 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
7169 ssl->handshake->ciphersuite_info;
7170
7171 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
7172
7173 /* Set PRF, calc_verify and calc_finished function pointers */
7174 ret = ssl_set_handshake_prfs(ssl->handshake,
7175 (mbedtls_md_type_t) ciphersuite_info->mac);
7176 if (ret != 0) {
7177 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
7178 return ret;
7179 }
7180
7181 /* Compute master secret if needed */
7182 ret = ssl_compute_master(ssl->handshake,
7183 ssl->session_negotiate->master,
7184 ssl);
7185 if (ret != 0) {
7186 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
7187 return ret;
7188 }
7189
7190 /* Swap the client and server random values:
7191 * - MS derivation wanted client+server (RFC 5246 8.1)
7192 * - key derivation wants server+client (RFC 5246 6.3) */
7193 {
7194 unsigned char tmp[64];
7195 memcpy(tmp, ssl->handshake->randbytes, 64);
7196 memcpy(ssl->handshake->randbytes, tmp + 32, 32);
7197 memcpy(ssl->handshake->randbytes + 32, tmp, 32);
7198 mbedtls_platform_zeroize(tmp, sizeof(tmp));
7199 }
7200
7201 /* Populate transform structure */
7202 ret = ssl_tls12_populate_transform(ssl->transform_negotiate,
7203 ssl->session_negotiate->ciphersuite,
7204 ssl->session_negotiate->master,
7205 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
7206 ssl->session_negotiate->encrypt_then_mac,
7207 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
7208 ssl->handshake->tls_prf,
7209 ssl->handshake->randbytes,
7210 ssl->tls_version,
7211 ssl->conf->endpoint,
7212 ssl);
7213 if (ret != 0) {
7214 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret);
7215 return ret;
7216 }
7217
7218 /* We no longer need Server/ClientHello.random values */
7219 mbedtls_platform_zeroize(ssl->handshake->randbytes,
7220 sizeof(ssl->handshake->randbytes));
7221
7222 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
7223
7224 return 0;
7225 }
7226
mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context * ssl,int md)7227 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
7228 {
7229 switch (md) {
7230 #if defined(MBEDTLS_MD_CAN_SHA384)
7231 case MBEDTLS_SSL_HASH_SHA384:
7232 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
7233 break;
7234 #endif
7235 #if defined(MBEDTLS_MD_CAN_SHA256)
7236 case MBEDTLS_SSL_HASH_SHA256:
7237 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
7238 break;
7239 #endif
7240 default:
7241 return -1;
7242 }
7243 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
7244 !defined(MBEDTLS_MD_CAN_SHA256)
7245 (void) ssl;
7246 #endif
7247 return 0;
7248 }
7249
7250 #if defined(MBEDTLS_USE_PSA_CRYPTO)
ssl_calc_verify_tls_psa(const mbedtls_ssl_context * ssl,const psa_hash_operation_t * hs_op,size_t buffer_size,unsigned char * hash,size_t * hlen)7251 static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
7252 const psa_hash_operation_t *hs_op,
7253 size_t buffer_size,
7254 unsigned char *hash,
7255 size_t *hlen)
7256 {
7257 psa_status_t status;
7258 psa_hash_operation_t cloned_op = psa_hash_operation_init();
7259
7260 #if !defined(MBEDTLS_DEBUG_C)
7261 (void) ssl;
7262 #endif
7263 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
7264 status = psa_hash_clone(hs_op, &cloned_op);
7265 if (status != PSA_SUCCESS) {
7266 goto exit;
7267 }
7268
7269 status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
7270 if (status != PSA_SUCCESS) {
7271 goto exit;
7272 }
7273
7274 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
7275 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
7276
7277 exit:
7278 psa_hash_abort(&cloned_op);
7279 return mbedtls_md_error_from_psa(status);
7280 }
7281 #else
ssl_calc_verify_tls_legacy(const mbedtls_ssl_context * ssl,const mbedtls_md_context_t * hs_ctx,unsigned char * hash,size_t * hlen)7282 static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl,
7283 const mbedtls_md_context_t *hs_ctx,
7284 unsigned char *hash,
7285 size_t *hlen)
7286 {
7287 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7288 mbedtls_md_context_t cloned_ctx;
7289
7290 mbedtls_md_init(&cloned_ctx);
7291
7292 #if !defined(MBEDTLS_DEBUG_C)
7293 (void) ssl;
7294 #endif
7295 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify"));
7296
7297 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
7298 if (ret != 0) {
7299 goto exit;
7300 }
7301 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
7302 if (ret != 0) {
7303 goto exit;
7304 }
7305
7306 ret = mbedtls_md_finish(&cloned_ctx, hash);
7307 if (ret != 0) {
7308 goto exit;
7309 }
7310
7311 *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx));
7312
7313 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
7314 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
7315
7316 exit:
7317 mbedtls_md_free(&cloned_ctx);
7318 return ret;
7319 }
7320 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7321
7322 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_calc_verify_tls_sha256(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)7323 int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
7324 unsigned char *hash,
7325 size_t *hlen)
7326 {
7327 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7328 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
7329 hash, hlen);
7330 #else
7331 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256,
7332 hash, hlen);
7333 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7334 }
7335 #endif /* MBEDTLS_MD_CAN_SHA256 */
7336
7337 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_calc_verify_tls_sha384(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)7338 int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
7339 unsigned char *hash,
7340 size_t *hlen)
7341 {
7342 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7343 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
7344 hash, hlen);
7345 #else
7346 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384,
7347 hash, hlen);
7348 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7349 }
7350 #endif /* MBEDTLS_MD_CAN_SHA384 */
7351
7352 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
7353 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context * ssl,mbedtls_key_exchange_type_t key_ex)7354 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex)
7355 {
7356 unsigned char *p = ssl->handshake->premaster;
7357 unsigned char *end = p + sizeof(ssl->handshake->premaster);
7358 const unsigned char *psk = NULL;
7359 size_t psk_len = 0;
7360 int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len);
7361
7362 if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) {
7363 /*
7364 * This should never happen because the existence of a PSK is always
7365 * checked before calling this function.
7366 *
7367 * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with
7368 * the shared secret without PSK.
7369 */
7370 if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
7371 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7372 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7373 }
7374 }
7375
7376 /*
7377 * PMS = struct {
7378 * opaque other_secret<0..2^16-1>;
7379 * opaque psk<0..2^16-1>;
7380 * };
7381 * with "other_secret" depending on the particular key exchange
7382 */
7383 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
7384 if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) {
7385 if (end - p < 2) {
7386 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7387 }
7388
7389 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
7390 p += 2;
7391
7392 if (end < p || (size_t) (end - p) < psk_len) {
7393 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7394 }
7395
7396 memset(p, 0, psk_len);
7397 p += psk_len;
7398 } else
7399 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
7400 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
7401 if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7402 /*
7403 * other_secret already set by the ClientKeyExchange message,
7404 * and is 48 bytes long
7405 */
7406 if (end - p < 2) {
7407 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7408 }
7409
7410 *p++ = 0;
7411 *p++ = 48;
7412 p += 48;
7413 } else
7414 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
7415 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
7416 if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
7417 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7418 size_t len;
7419
7420 /* Write length only when we know the actual value */
7421 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
7422 p + 2, (size_t) (end - (p + 2)), &len,
7423 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
7424 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
7425 return ret;
7426 }
7427 MBEDTLS_PUT_UINT16_BE(len, p, 0);
7428 p += 2 + len;
7429
7430 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
7431 } else
7432 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
7433 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
7434 if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
7435 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7436 size_t zlen;
7437
7438 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen,
7439 p + 2, (size_t) (end - (p + 2)),
7440 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
7441 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
7442 return ret;
7443 }
7444
7445 MBEDTLS_PUT_UINT16_BE(zlen, p, 0);
7446 p += 2 + zlen;
7447
7448 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
7449 MBEDTLS_DEBUG_ECDH_Z);
7450 } else
7451 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
7452 {
7453 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7454 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7455 }
7456
7457 /* opaque psk<0..2^16-1>; */
7458 if (end - p < 2) {
7459 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7460 }
7461
7462 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
7463 p += 2;
7464
7465 if (end < p || (size_t) (end - p) < psk_len) {
7466 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7467 }
7468
7469 memcpy(p, psk, psk_len);
7470 p += psk_len;
7471
7472 ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster);
7473
7474 return 0;
7475 }
7476 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
7477
7478 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
7479 MBEDTLS_CHECK_RETURN_CRITICAL
7480 static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
7481
7482 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_resend_hello_request(mbedtls_ssl_context * ssl)7483 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl)
7484 {
7485 /* If renegotiation is not enforced, retransmit until we would reach max
7486 * timeout if we were using the usual handshake doubling scheme */
7487 if (ssl->conf->renego_max_records < 0) {
7488 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
7489 unsigned char doublings = 1;
7490
7491 while (ratio != 0) {
7492 ++doublings;
7493 ratio >>= 1;
7494 }
7495
7496 if (++ssl->renego_records_seen > doublings) {
7497 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
7498 return 0;
7499 }
7500 }
7501
7502 return ssl_write_hello_request(ssl);
7503 }
7504 #endif
7505 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
7506
7507 /*
7508 * Handshake functions
7509 */
7510 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
7511 /* No certificate support -> dummy functions */
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)7512 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
7513 {
7514 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7515 ssl->handshake->ciphersuite_info;
7516
7517 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
7518
7519 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7520 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7521 ssl->state++;
7522 return 0;
7523 }
7524
7525 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7526 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7527 }
7528
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)7529 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
7530 {
7531 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7532 ssl->handshake->ciphersuite_info;
7533
7534 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
7535
7536 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7537 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
7538 ssl->state++;
7539 return 0;
7540 }
7541
7542 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7543 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7544 }
7545
7546 #else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
7547 /* Some certificate support -> implement write and parse */
7548
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)7549 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
7550 {
7551 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
7552 size_t i, n;
7553 const mbedtls_x509_crt *crt;
7554 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7555 ssl->handshake->ciphersuite_info;
7556
7557 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
7558
7559 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7560 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7561 ssl->state++;
7562 return 0;
7563 }
7564
7565 #if defined(MBEDTLS_SSL_CLI_C)
7566 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7567 if (ssl->handshake->client_auth == 0) {
7568 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7569 ssl->state++;
7570 return 0;
7571 }
7572 }
7573 #endif /* MBEDTLS_SSL_CLI_C */
7574 #if defined(MBEDTLS_SSL_SRV_C)
7575 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7576 if (mbedtls_ssl_own_cert(ssl) == NULL) {
7577 /* Should never happen because we shouldn't have picked the
7578 * ciphersuite if we don't have a certificate. */
7579 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7580 }
7581 }
7582 #endif
7583
7584 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
7585
7586 /*
7587 * 0 . 0 handshake type
7588 * 1 . 3 handshake length
7589 * 4 . 6 length of all certs
7590 * 7 . 9 length of cert. 1
7591 * 10 . n-1 peer certificate
7592 * n . n+2 length of cert. 2
7593 * n+3 . ... upper level cert, etc.
7594 */
7595 i = 7;
7596 crt = mbedtls_ssl_own_cert(ssl);
7597
7598 while (crt != NULL) {
7599 n = crt->raw.len;
7600 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
7601 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
7602 " > %" MBEDTLS_PRINTF_SIZET,
7603 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
7604 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
7605 }
7606
7607 ssl->out_msg[i] = MBEDTLS_BYTE_2(n);
7608 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n);
7609 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n);
7610
7611 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n);
7612 i += n; crt = crt->next;
7613 }
7614
7615 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7);
7616 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7);
7617 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7);
7618
7619 ssl->out_msglen = i;
7620 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7621 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
7622
7623 ssl->state++;
7624
7625 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
7626 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
7627 return ret;
7628 }
7629
7630 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
7631
7632 return ret;
7633 }
7634
7635 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7636
7637 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7638 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)7639 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7640 unsigned char *crt_buf,
7641 size_t crt_buf_len)
7642 {
7643 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
7644
7645 if (peer_crt == NULL) {
7646 return -1;
7647 }
7648
7649 if (peer_crt->raw.len != crt_buf_len) {
7650 return -1;
7651 }
7652
7653 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len);
7654 }
7655 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7656 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)7657 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7658 unsigned char *crt_buf,
7659 size_t crt_buf_len)
7660 {
7661 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7662 unsigned char const * const peer_cert_digest =
7663 ssl->session->peer_cert_digest;
7664 mbedtls_md_type_t const peer_cert_digest_type =
7665 ssl->session->peer_cert_digest_type;
7666 mbedtls_md_info_t const * const digest_info =
7667 mbedtls_md_info_from_type(peer_cert_digest_type);
7668 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
7669 size_t digest_len;
7670
7671 if (peer_cert_digest == NULL || digest_info == NULL) {
7672 return -1;
7673 }
7674
7675 digest_len = mbedtls_md_get_size(digest_info);
7676 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) {
7677 return -1;
7678 }
7679
7680 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
7681 if (ret != 0) {
7682 return -1;
7683 }
7684
7685 return memcmp(tmp_digest, peer_cert_digest, digest_len);
7686 }
7687 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7688 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7689
7690 /*
7691 * Once the certificate message is read, parse it into a cert chain and
7692 * perform basic checks, but leave actual verification to the caller
7693 */
7694 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * chain)7695 static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
7696 mbedtls_x509_crt *chain)
7697 {
7698 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7699 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7700 int crt_cnt = 0;
7701 #endif
7702 size_t i, n;
7703 uint8_t alert;
7704
7705 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
7706 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7707 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7708 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7709 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7710 }
7711
7712 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) {
7713 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7714 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7715 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7716 }
7717
7718 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
7719 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7720 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7721 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7722 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7723 }
7724
7725 i = mbedtls_ssl_hs_hdr_len(ssl);
7726
7727 /*
7728 * Same message structure as in mbedtls_ssl_write_certificate()
7729 */
7730 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
7731
7732 if (ssl->in_msg[i] != 0 ||
7733 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
7734 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7735 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7736 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7737 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7738 }
7739
7740 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
7741 i += 3;
7742
7743 /* Iterate through and parse the CRTs in the provided chain. */
7744 while (i < ssl->in_hslen) {
7745 /* Check that there's room for the next CRT's length fields. */
7746 if (i + 3 > ssl->in_hslen) {
7747 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7748 mbedtls_ssl_send_alert_message(ssl,
7749 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7750 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7751 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7752 }
7753 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
7754 * anything beyond 2**16 ~ 64K. */
7755 if (ssl->in_msg[i] != 0) {
7756 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7757 mbedtls_ssl_send_alert_message(ssl,
7758 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7759 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
7760 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7761 }
7762
7763 /* Read length of the next CRT in the chain. */
7764 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
7765 i += 3;
7766
7767 if (n < 128 || i + n > ssl->in_hslen) {
7768 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7769 mbedtls_ssl_send_alert_message(ssl,
7770 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7771 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7772 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7773 }
7774
7775 /* Check if we're handling the first CRT in the chain. */
7776 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7777 if (crt_cnt++ == 0 &&
7778 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
7779 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
7780 /* During client-side renegotiation, check that the server's
7781 * end-CRTs hasn't changed compared to the initial handshake,
7782 * mitigating the triple handshake attack. On success, reuse
7783 * the original end-CRT instead of parsing it again. */
7784 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
7785 if (ssl_check_peer_crt_unchanged(ssl,
7786 &ssl->in_msg[i],
7787 n) != 0) {
7788 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
7789 mbedtls_ssl_send_alert_message(ssl,
7790 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7791 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
7792 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7793 }
7794
7795 /* Now we can safely free the original chain. */
7796 ssl_clear_peer_cert(ssl->session);
7797 }
7798 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7799
7800 /* Parse the next certificate in the chain. */
7801 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7802 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
7803 #else
7804 /* If we don't need to store the CRT chain permanently, parse
7805 * it in-place from the input buffer instead of making a copy. */
7806 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
7807 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7808 switch (ret) {
7809 case 0: /*ok*/
7810 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
7811 /* Ignore certificate with an unknown algorithm: maybe a
7812 prior certificate was already trusted. */
7813 break;
7814
7815 case MBEDTLS_ERR_X509_ALLOC_FAILED:
7816 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
7817 goto crt_parse_der_failed;
7818
7819 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
7820 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7821 goto crt_parse_der_failed;
7822
7823 default:
7824 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
7825 crt_parse_der_failed:
7826 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
7827 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
7828 return ret;
7829 }
7830
7831 i += n;
7832 }
7833
7834 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
7835 return 0;
7836 }
7837
7838 #if defined(MBEDTLS_SSL_SRV_C)
7839 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context * ssl)7840 static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl)
7841 {
7842 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7843 return -1;
7844 }
7845
7846 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
7847 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
7848 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
7849 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
7850 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
7851 return 0;
7852 }
7853 return -1;
7854 }
7855 #endif /* MBEDTLS_SSL_SRV_C */
7856
7857 /* Check if a certificate message is expected.
7858 * Return either
7859 * - SSL_CERTIFICATE_EXPECTED, or
7860 * - SSL_CERTIFICATE_SKIP
7861 * indicating whether a Certificate message is expected or not.
7862 */
7863 #define SSL_CERTIFICATE_EXPECTED 0
7864 #define SSL_CERTIFICATE_SKIP 1
7865 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_coordinate(mbedtls_ssl_context * ssl,int authmode)7866 static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
7867 int authmode)
7868 {
7869 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7870 ssl->handshake->ciphersuite_info;
7871
7872 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7873 return SSL_CERTIFICATE_SKIP;
7874 }
7875
7876 #if defined(MBEDTLS_SSL_SRV_C)
7877 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7878 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7879 return SSL_CERTIFICATE_SKIP;
7880 }
7881
7882 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
7883 ssl->session_negotiate->verify_result =
7884 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
7885 return SSL_CERTIFICATE_SKIP;
7886 }
7887 }
7888 #else
7889 ((void) authmode);
7890 #endif /* MBEDTLS_SSL_SRV_C */
7891
7892 return SSL_CERTIFICATE_EXPECTED;
7893 }
7894
7895 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7896 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_crt_digest(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7897 static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
7898 unsigned char *start, size_t len)
7899 {
7900 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7901 /* Remember digest of the peer's end-CRT. */
7902 ssl->session_negotiate->peer_cert_digest =
7903 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
7904 if (ssl->session_negotiate->peer_cert_digest == NULL) {
7905 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
7906 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
7907 mbedtls_ssl_send_alert_message(ssl,
7908 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7909 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
7910
7911 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
7912 }
7913
7914 ret = mbedtls_md(mbedtls_md_info_from_type(
7915 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
7916 start, len,
7917 ssl->session_negotiate->peer_cert_digest);
7918
7919 ssl->session_negotiate->peer_cert_digest_type =
7920 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
7921 ssl->session_negotiate->peer_cert_digest_len =
7922 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
7923
7924 return ret;
7925 }
7926
7927 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_pubkey(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7928 static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
7929 unsigned char *start, size_t len)
7930 {
7931 unsigned char *end = start + len;
7932 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7933
7934 /* Make a copy of the peer's raw public key. */
7935 mbedtls_pk_init(&ssl->handshake->peer_pubkey);
7936 ret = mbedtls_pk_parse_subpubkey(&start, end,
7937 &ssl->handshake->peer_pubkey);
7938 if (ret != 0) {
7939 /* We should have parsed the public key before. */
7940 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7941 }
7942
7943 return 0;
7944 }
7945 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7946
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)7947 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
7948 {
7949 int ret = 0;
7950 int crt_expected;
7951 /* Authmode: precedence order is SNI if used else configuration */
7952 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7953 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
7954 ? ssl->handshake->sni_authmode
7955 : ssl->conf->authmode;
7956 #else
7957 const int authmode = ssl->conf->authmode;
7958 #endif
7959 void *rs_ctx = NULL;
7960 mbedtls_x509_crt *chain = NULL;
7961
7962 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
7963
7964 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
7965 if (crt_expected == SSL_CERTIFICATE_SKIP) {
7966 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
7967 goto exit;
7968 }
7969
7970 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7971 if (ssl->handshake->ecrs_enabled &&
7972 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
7973 chain = ssl->handshake->ecrs_peer_cert;
7974 ssl->handshake->ecrs_peer_cert = NULL;
7975 goto crt_verify;
7976 }
7977 #endif
7978
7979 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
7980 /* mbedtls_ssl_read_record may have sent an alert already. We
7981 let it decide whether to alert. */
7982 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
7983 goto exit;
7984 }
7985
7986 #if defined(MBEDTLS_SSL_SRV_C)
7987 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
7988 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
7989
7990 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) {
7991 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
7992 }
7993
7994 goto exit;
7995 }
7996 #endif /* MBEDTLS_SSL_SRV_C */
7997
7998 /* Clear existing peer CRT structure in case we tried to
7999 * reuse a session but it failed, and allocate a new one. */
8000 ssl_clear_peer_cert(ssl->session_negotiate);
8001
8002 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
8003 if (chain == NULL) {
8004 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
8005 sizeof(mbedtls_x509_crt)));
8006 mbedtls_ssl_send_alert_message(ssl,
8007 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8008 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
8009
8010 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
8011 goto exit;
8012 }
8013 mbedtls_x509_crt_init(chain);
8014
8015 ret = ssl_parse_certificate_chain(ssl, chain);
8016 if (ret != 0) {
8017 goto exit;
8018 }
8019
8020 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8021 if (ssl->handshake->ecrs_enabled) {
8022 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
8023 }
8024
8025 crt_verify:
8026 if (ssl->handshake->ecrs_enabled) {
8027 rs_ctx = &ssl->handshake->ecrs_ctx;
8028 }
8029 #endif
8030
8031 ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain,
8032 ssl->handshake->ciphersuite_info,
8033 rs_ctx);
8034 if (ret != 0) {
8035 goto exit;
8036 }
8037
8038 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
8039 {
8040 unsigned char *crt_start, *pk_start;
8041 size_t crt_len, pk_len;
8042
8043 /* We parse the CRT chain without copying, so
8044 * these pointers point into the input buffer,
8045 * and are hence still valid after freeing the
8046 * CRT chain. */
8047
8048 crt_start = chain->raw.p;
8049 crt_len = chain->raw.len;
8050
8051 pk_start = chain->pk_raw.p;
8052 pk_len = chain->pk_raw.len;
8053
8054 /* Free the CRT structures before computing
8055 * digest and copying the peer's public key. */
8056 mbedtls_x509_crt_free(chain);
8057 mbedtls_free(chain);
8058 chain = NULL;
8059
8060 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
8061 if (ret != 0) {
8062 goto exit;
8063 }
8064
8065 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
8066 if (ret != 0) {
8067 goto exit;
8068 }
8069 }
8070 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8071 /* Pass ownership to session structure. */
8072 ssl->session_negotiate->peer_cert = chain;
8073 chain = NULL;
8074 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8075
8076 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
8077
8078 exit:
8079
8080 if (ret == 0) {
8081 ssl->state++;
8082 }
8083
8084 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8085 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
8086 ssl->handshake->ecrs_peer_cert = chain;
8087 chain = NULL;
8088 }
8089 #endif
8090
8091 if (chain != NULL) {
8092 mbedtls_x509_crt_free(chain);
8093 mbedtls_free(chain);
8094 }
8095
8096 return ret;
8097 }
8098 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
8099
ssl_calc_finished_tls_generic(mbedtls_ssl_context * ssl,void * ctx,unsigned char * padbuf,size_t hlen,unsigned char * buf,int from)8100 static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
8101 unsigned char *padbuf, size_t hlen,
8102 unsigned char *buf, int from)
8103 {
8104 unsigned int len = 12;
8105 const char *sender;
8106 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8107 psa_status_t status;
8108 psa_hash_operation_t *hs_op = ctx;
8109 psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
8110 size_t hash_size;
8111 #else
8112 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8113 mbedtls_md_context_t *hs_ctx = ctx;
8114 mbedtls_md_context_t cloned_ctx;
8115 mbedtls_md_init(&cloned_ctx);
8116 #endif
8117
8118 mbedtls_ssl_session *session = ssl->session_negotiate;
8119 if (!session) {
8120 session = ssl->session;
8121 }
8122
8123 sender = (from == MBEDTLS_SSL_IS_CLIENT)
8124 ? "client finished"
8125 : "server finished";
8126
8127 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8128 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
8129
8130 status = psa_hash_clone(hs_op, &cloned_op);
8131 if (status != PSA_SUCCESS) {
8132 goto exit;
8133 }
8134
8135 status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
8136 if (status != PSA_SUCCESS) {
8137 goto exit;
8138 }
8139 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
8140 #else
8141 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls"));
8142
8143 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
8144 if (ret != 0) {
8145 goto exit;
8146 }
8147 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
8148 if (ret != 0) {
8149 goto exit;
8150 }
8151
8152 ret = mbedtls_md_finish(&cloned_ctx, padbuf);
8153 if (ret != 0) {
8154 goto exit;
8155 }
8156 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8157
8158 MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
8159
8160 /*
8161 * TLSv1.2:
8162 * hash = PRF( master, finished_label,
8163 * Hash( handshake ) )[0.11]
8164 */
8165 ssl->handshake->tls_prf(session->master, 48, sender,
8166 padbuf, hlen, buf, len);
8167
8168 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
8169
8170 mbedtls_platform_zeroize(padbuf, hlen);
8171
8172 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
8173
8174 exit:
8175 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8176 psa_hash_abort(&cloned_op);
8177 return mbedtls_md_error_from_psa(status);
8178 #else
8179 mbedtls_md_free(&cloned_ctx);
8180 return ret;
8181 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8182 }
8183
8184 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_calc_finished_tls_sha256(mbedtls_ssl_context * ssl,unsigned char * buf,int from)8185 static int ssl_calc_finished_tls_sha256(
8186 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
8187 {
8188 unsigned char padbuf[32];
8189 return ssl_calc_finished_tls_generic(ssl,
8190 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8191 &ssl->handshake->fin_sha256_psa,
8192 #else
8193 &ssl->handshake->fin_sha256,
8194 #endif
8195 padbuf, sizeof(padbuf),
8196 buf, from);
8197 }
8198 #endif /* MBEDTLS_MD_CAN_SHA256*/
8199
8200
8201 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_calc_finished_tls_sha384(mbedtls_ssl_context * ssl,unsigned char * buf,int from)8202 static int ssl_calc_finished_tls_sha384(
8203 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
8204 {
8205 unsigned char padbuf[48];
8206 return ssl_calc_finished_tls_generic(ssl,
8207 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8208 &ssl->handshake->fin_sha384_psa,
8209 #else
8210 &ssl->handshake->fin_sha384,
8211 #endif
8212 padbuf, sizeof(padbuf),
8213 buf, from);
8214 }
8215 #endif /* MBEDTLS_MD_CAN_SHA384*/
8216
mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context * ssl)8217 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
8218 {
8219 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
8220
8221 /*
8222 * Free our handshake params
8223 */
8224 mbedtls_ssl_handshake_free(ssl);
8225 mbedtls_free(ssl->handshake);
8226 ssl->handshake = NULL;
8227
8228 /*
8229 * Free the previous transform and switch in the current one
8230 */
8231 if (ssl->transform) {
8232 mbedtls_ssl_transform_free(ssl->transform);
8233 mbedtls_free(ssl->transform);
8234 }
8235 ssl->transform = ssl->transform_negotiate;
8236 ssl->transform_negotiate = NULL;
8237
8238 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
8239 }
8240
mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context * ssl)8241 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
8242 {
8243 int resume = ssl->handshake->resume;
8244
8245 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
8246
8247 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8248 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
8249 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
8250 ssl->renego_records_seen = 0;
8251 }
8252 #endif
8253
8254 /*
8255 * Free the previous session and switch in the current one
8256 */
8257 if (ssl->session) {
8258 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8259 /* RFC 7366 3.1: keep the EtM state */
8260 ssl->session_negotiate->encrypt_then_mac =
8261 ssl->session->encrypt_then_mac;
8262 #endif
8263
8264 mbedtls_ssl_session_free(ssl->session);
8265 mbedtls_free(ssl->session);
8266 }
8267 ssl->session = ssl->session_negotiate;
8268 ssl->session_negotiate = NULL;
8269
8270 /*
8271 * Add cache entry
8272 */
8273 if (ssl->conf->f_set_cache != NULL &&
8274 ssl->session->id_len != 0 &&
8275 resume == 0) {
8276 if (ssl->conf->f_set_cache(ssl->conf->p_cache,
8277 ssl->session->id,
8278 ssl->session->id_len,
8279 ssl->session) != 0) {
8280 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
8281 }
8282 }
8283
8284 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8285 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8286 ssl->handshake->flight != NULL) {
8287 /* Cancel handshake timer */
8288 mbedtls_ssl_set_timer(ssl, 0);
8289
8290 /* Keep last flight around in case we need to resend it:
8291 * we need the handshake and transform structures for that */
8292 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
8293 } else
8294 #endif
8295 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
8296
8297 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
8298
8299 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
8300 }
8301
mbedtls_ssl_write_finished(mbedtls_ssl_context * ssl)8302 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
8303 {
8304 int ret;
8305 unsigned int hash_len;
8306
8307 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
8308
8309 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
8310
8311 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
8312 if (ret != 0) {
8313 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
8314 }
8315
8316 /*
8317 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
8318 * may define some other value. Currently (early 2016), no defined
8319 * ciphersuite does this (and this is unlikely to change as activity has
8320 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
8321 */
8322 hash_len = 12;
8323
8324 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8325 ssl->verify_data_len = hash_len;
8326 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
8327 #endif
8328
8329 ssl->out_msglen = 4 + hash_len;
8330 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
8331 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
8332
8333 /*
8334 * In case of session resuming, invert the client and server
8335 * ChangeCipherSpec messages order.
8336 */
8337 if (ssl->handshake->resume != 0) {
8338 #if defined(MBEDTLS_SSL_CLI_C)
8339 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8340 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
8341 }
8342 #endif
8343 #if defined(MBEDTLS_SSL_SRV_C)
8344 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8345 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
8346 }
8347 #endif
8348 } else {
8349 ssl->state++;
8350 }
8351
8352 /*
8353 * Switch to our negotiated transform and session parameters for outbound
8354 * data.
8355 */
8356 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
8357
8358 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8359 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8360 unsigned char i;
8361
8362 /* Remember current epoch settings for resending */
8363 ssl->handshake->alt_transform_out = ssl->transform_out;
8364 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
8365 sizeof(ssl->handshake->alt_out_ctr));
8366
8367 /* Set sequence_number to zero */
8368 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2);
8369
8370
8371 /* Increment epoch */
8372 for (i = 2; i > 0; i--) {
8373 if (++ssl->cur_out_ctr[i - 1] != 0) {
8374 break;
8375 }
8376 }
8377
8378 /* The loop goes to its end iff the counter is wrapping */
8379 if (i == 0) {
8380 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
8381 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
8382 }
8383 } else
8384 #endif /* MBEDTLS_SSL_PROTO_DTLS */
8385 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
8386
8387 ssl->transform_out = ssl->transform_negotiate;
8388 ssl->session_out = ssl->session_negotiate;
8389
8390 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8391 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8392 mbedtls_ssl_send_flight_completed(ssl);
8393 }
8394 #endif
8395
8396 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
8397 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
8398 return ret;
8399 }
8400
8401 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8402 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8403 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
8404 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
8405 return ret;
8406 }
8407 #endif
8408
8409 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
8410
8411 return 0;
8412 }
8413
8414 #define SSL_MAX_HASH_LEN 12
8415
mbedtls_ssl_parse_finished(mbedtls_ssl_context * ssl)8416 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
8417 {
8418 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8419 unsigned int hash_len = 12;
8420 unsigned char buf[SSL_MAX_HASH_LEN];
8421
8422 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
8423
8424 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
8425 if (ret != 0) {
8426 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
8427 }
8428
8429 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
8430 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
8431 goto exit;
8432 }
8433
8434 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
8435 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8436 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8437 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8438 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8439 goto exit;
8440 }
8441
8442 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) {
8443 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8444 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8445 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8446 goto exit;
8447 }
8448
8449 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
8450 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8451 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8452 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
8453 ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
8454 goto exit;
8455 }
8456
8457 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
8458 buf, hash_len) != 0) {
8459 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8460 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8461 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
8462 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8463 goto exit;
8464 }
8465
8466 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8467 ssl->verify_data_len = hash_len;
8468 memcpy(ssl->peer_verify_data, buf, hash_len);
8469 #endif
8470
8471 if (ssl->handshake->resume != 0) {
8472 #if defined(MBEDTLS_SSL_CLI_C)
8473 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8474 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
8475 }
8476 #endif
8477 #if defined(MBEDTLS_SSL_SRV_C)
8478 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8479 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
8480 }
8481 #endif
8482 } else {
8483 ssl->state++;
8484 }
8485
8486 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8487 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8488 mbedtls_ssl_recv_flight_completed(ssl);
8489 }
8490 #endif
8491
8492 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
8493
8494 exit:
8495 mbedtls_platform_zeroize(buf, hash_len);
8496 return ret;
8497 }
8498
8499 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8500 /*
8501 * Helper to get TLS 1.2 PRF from ciphersuite
8502 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
8503 */
ssl_tls12prf_from_cs(int ciphersuite_id)8504 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
8505 {
8506 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
8507 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
8508 #if defined(MBEDTLS_MD_CAN_SHA384)
8509 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
8510 return tls_prf_sha384;
8511 } else
8512 #endif
8513 #if defined(MBEDTLS_MD_CAN_SHA256)
8514 {
8515 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
8516 return tls_prf_sha256;
8517 }
8518 }
8519 #endif
8520 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
8521 !defined(MBEDTLS_MD_CAN_SHA256)
8522 (void) ciphersuite_info;
8523 #endif
8524
8525 return NULL;
8526 }
8527 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
8528
tls_prf_get_type(mbedtls_ssl_tls_prf_cb * tls_prf)8529 static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
8530 {
8531 ((void) tls_prf);
8532 #if defined(MBEDTLS_MD_CAN_SHA384)
8533 if (tls_prf == tls_prf_sha384) {
8534 return MBEDTLS_SSL_TLS_PRF_SHA384;
8535 } else
8536 #endif
8537 #if defined(MBEDTLS_MD_CAN_SHA256)
8538 if (tls_prf == tls_prf_sha256) {
8539 return MBEDTLS_SSL_TLS_PRF_SHA256;
8540 } else
8541 #endif
8542 return MBEDTLS_SSL_TLS_PRF_NONE;
8543 }
8544
8545 /*
8546 * Populate a transform structure with session keys and all the other
8547 * necessary information.
8548 *
8549 * Parameters:
8550 * - [in/out]: transform: structure to populate
8551 * [in] must be just initialised with mbedtls_ssl_transform_init()
8552 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
8553 * - [in] ciphersuite
8554 * - [in] master
8555 * - [in] encrypt_then_mac
8556 * - [in] tls_prf: pointer to PRF to use for key derivation
8557 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
8558 * - [in] tls_version: TLS version
8559 * - [in] endpoint: client or server
8560 * - [in] ssl: used for:
8561 * - ssl->conf->{f,p}_export_keys
8562 * [in] optionally used for:
8563 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
8564 */
8565 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_populate_transform(mbedtls_ssl_transform * transform,int ciphersuite,const unsigned char master[48],int encrypt_then_mac,ssl_tls_prf_t tls_prf,const unsigned char randbytes[64],mbedtls_ssl_protocol_version tls_version,unsigned endpoint,const mbedtls_ssl_context * ssl)8566 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
8567 int ciphersuite,
8568 const unsigned char master[48],
8569 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8570 int encrypt_then_mac,
8571 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8572 ssl_tls_prf_t tls_prf,
8573 const unsigned char randbytes[64],
8574 mbedtls_ssl_protocol_version tls_version,
8575 unsigned endpoint,
8576 const mbedtls_ssl_context *ssl)
8577 {
8578 int ret = 0;
8579 unsigned char keyblk[256];
8580 unsigned char *key1;
8581 unsigned char *key2;
8582 unsigned char *mac_enc;
8583 unsigned char *mac_dec;
8584 size_t mac_key_len = 0;
8585 size_t iv_copy_len;
8586 size_t keylen;
8587 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
8588 mbedtls_ssl_mode_t ssl_mode;
8589 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
8590 const mbedtls_cipher_info_t *cipher_info;
8591 const mbedtls_md_info_t *md_info;
8592 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
8593
8594 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8595 psa_key_type_t key_type;
8596 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8597 psa_algorithm_t alg;
8598 psa_algorithm_t mac_alg = 0;
8599 size_t key_bits;
8600 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8601 #endif
8602
8603 /*
8604 * Some data just needs copying into the structure
8605 */
8606 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8607 transform->encrypt_then_mac = encrypt_then_mac;
8608 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8609 transform->tls_version = tls_version;
8610
8611 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8612 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
8613 #endif
8614
8615 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
8616 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
8617 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
8618 * generation separate. This should never happen. */
8619 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8620 }
8621 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
8622
8623 /*
8624 * Get various info structures
8625 */
8626 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
8627 if (ciphersuite_info == NULL) {
8628 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
8629 ciphersuite));
8630 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8631 }
8632
8633 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
8634 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8635 encrypt_then_mac,
8636 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8637 ciphersuite_info);
8638
8639 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8640 transform->taglen =
8641 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
8642 }
8643
8644 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8645 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher,
8646 transform->taglen,
8647 &alg,
8648 &key_type,
8649 &key_bits)) != PSA_SUCCESS) {
8650 ret = PSA_TO_MBEDTLS_ERR(status);
8651 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
8652 goto end;
8653 }
8654 #else
8655 cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher);
8656 if (cipher_info == NULL) {
8657 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
8658 ciphersuite_info->cipher));
8659 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8660 }
8661 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8662
8663 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8664 mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
8665 if (mac_alg == 0) {
8666 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
8667 (unsigned) ciphersuite_info->mac));
8668 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8669 }
8670 #else
8671 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
8672 if (md_info == NULL) {
8673 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found",
8674 (unsigned) ciphersuite_info->mac));
8675 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8676 }
8677 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8678
8679 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
8680 /* Copy own and peer's CID if the use of the CID
8681 * extension has been negotiated. */
8682 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
8683 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
8684
8685 transform->in_cid_len = ssl->own_cid_len;
8686 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
8687 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
8688 transform->in_cid_len);
8689
8690 transform->out_cid_len = ssl->handshake->peer_cid_len;
8691 memcpy(transform->out_cid, ssl->handshake->peer_cid,
8692 ssl->handshake->peer_cid_len);
8693 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
8694 transform->out_cid_len);
8695 }
8696 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
8697
8698 /*
8699 * Compute key block using the PRF
8700 */
8701 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
8702 if (ret != 0) {
8703 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
8704 return ret;
8705 }
8706
8707 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
8708 mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
8709 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
8710 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
8711 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
8712
8713 /*
8714 * Determine the appropriate key, IV and MAC length.
8715 */
8716
8717 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8718 keylen = PSA_BITS_TO_BYTES(key_bits);
8719 #else
8720 keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
8721 #endif
8722
8723 #if defined(MBEDTLS_SSL_HAVE_AEAD)
8724 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8725 size_t explicit_ivlen;
8726
8727 transform->maclen = 0;
8728 mac_key_len = 0;
8729
8730 /* All modes haves 96-bit IVs, but the length of the static parts vary
8731 * with mode and version:
8732 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
8733 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
8734 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
8735 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
8736 * sequence number).
8737 */
8738 transform->ivlen = 12;
8739
8740 int is_chachapoly = 0;
8741 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8742 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20);
8743 #else
8744 is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info)
8745 == MBEDTLS_MODE_CHACHAPOLY);
8746 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8747
8748 if (is_chachapoly) {
8749 transform->fixed_ivlen = 12;
8750 } else {
8751 transform->fixed_ivlen = 4;
8752 }
8753
8754 /* Minimum length of encrypted record */
8755 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
8756 transform->minlen = explicit_ivlen + transform->taglen;
8757 } else
8758 #endif /* MBEDTLS_SSL_HAVE_AEAD */
8759 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8760 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
8761 ssl_mode == MBEDTLS_SSL_MODE_CBC ||
8762 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8763 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8764 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
8765 #else
8766 size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info);
8767 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8768
8769 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8770 /* Get MAC length */
8771 mac_key_len = PSA_HASH_LENGTH(mac_alg);
8772 #else
8773 /* Initialize HMAC contexts */
8774 if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 ||
8775 (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) {
8776 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
8777 goto end;
8778 }
8779
8780 /* Get MAC length */
8781 mac_key_len = mbedtls_md_get_size(md_info);
8782 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8783 transform->maclen = mac_key_len;
8784
8785 /* IV length */
8786 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8787 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
8788 #else
8789 transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info);
8790 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8791
8792 /* Minimum length */
8793 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
8794 transform->minlen = transform->maclen;
8795 } else {
8796 /*
8797 * GenericBlockCipher:
8798 * 1. if EtM is in use: one block plus MAC
8799 * otherwise: * first multiple of blocklen greater than maclen
8800 * 2. IV
8801 */
8802 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8803 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8804 transform->minlen = transform->maclen
8805 + block_size;
8806 } else
8807 #endif
8808 {
8809 transform->minlen = transform->maclen
8810 + block_size
8811 - transform->maclen % block_size;
8812 }
8813
8814 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
8815 transform->minlen += transform->ivlen;
8816 } else {
8817 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8818 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8819 goto end;
8820 }
8821 }
8822 } else
8823 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
8824 {
8825 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8826 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8827 }
8828
8829 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
8830 (unsigned) keylen,
8831 (unsigned) transform->minlen,
8832 (unsigned) transform->ivlen,
8833 (unsigned) transform->maclen));
8834
8835 /*
8836 * Finally setup the cipher contexts, IVs and MAC secrets.
8837 */
8838 #if defined(MBEDTLS_SSL_CLI_C)
8839 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
8840 key1 = keyblk + mac_key_len * 2;
8841 key2 = keyblk + mac_key_len * 2 + keylen;
8842
8843 mac_enc = keyblk;
8844 mac_dec = keyblk + mac_key_len;
8845
8846 iv_copy_len = (transform->fixed_ivlen) ?
8847 transform->fixed_ivlen : transform->ivlen;
8848 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len);
8849 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
8850 iv_copy_len);
8851 } else
8852 #endif /* MBEDTLS_SSL_CLI_C */
8853 #if defined(MBEDTLS_SSL_SRV_C)
8854 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
8855 key1 = keyblk + mac_key_len * 2 + keylen;
8856 key2 = keyblk + mac_key_len * 2;
8857
8858 mac_enc = keyblk + mac_key_len;
8859 mac_dec = keyblk;
8860
8861 iv_copy_len = (transform->fixed_ivlen) ?
8862 transform->fixed_ivlen : transform->ivlen;
8863 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len);
8864 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
8865 iv_copy_len);
8866 } else
8867 #endif /* MBEDTLS_SSL_SRV_C */
8868 {
8869 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8870 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8871 goto end;
8872 }
8873
8874 if (ssl->f_export_keys != NULL) {
8875 ssl->f_export_keys(ssl->p_export_keys,
8876 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
8877 master, 48,
8878 randbytes + 32,
8879 randbytes,
8880 tls_prf_get_type(tls_prf));
8881 }
8882
8883 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8884 transform->psa_alg = alg;
8885
8886 if (alg != MBEDTLS_SSL_NULL_CIPHER) {
8887 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
8888 psa_set_key_algorithm(&attributes, alg);
8889 psa_set_key_type(&attributes, key_type);
8890
8891 if ((status = psa_import_key(&attributes,
8892 key1,
8893 PSA_BITS_TO_BYTES(key_bits),
8894 &transform->psa_key_enc)) != PSA_SUCCESS) {
8895 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
8896 ret = PSA_TO_MBEDTLS_ERR(status);
8897 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8898 goto end;
8899 }
8900
8901 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8902
8903 if ((status = psa_import_key(&attributes,
8904 key2,
8905 PSA_BITS_TO_BYTES(key_bits),
8906 &transform->psa_key_dec)) != PSA_SUCCESS) {
8907 ret = PSA_TO_MBEDTLS_ERR(status);
8908 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8909 goto end;
8910 }
8911 }
8912 #else
8913 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
8914 cipher_info)) != 0) {
8915 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8916 goto end;
8917 }
8918
8919 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
8920 cipher_info)) != 0) {
8921 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8922 goto end;
8923 }
8924
8925 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1,
8926 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8927 MBEDTLS_ENCRYPT)) != 0) {
8928 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8929 goto end;
8930 }
8931
8932 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2,
8933 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8934 MBEDTLS_DECRYPT)) != 0) {
8935 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8936 goto end;
8937 }
8938
8939 #if defined(MBEDTLS_CIPHER_MODE_CBC)
8940 if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) {
8941 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc,
8942 MBEDTLS_PADDING_NONE)) != 0) {
8943 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
8944 goto end;
8945 }
8946
8947 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec,
8948 MBEDTLS_PADDING_NONE)) != 0) {
8949 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
8950 goto end;
8951 }
8952 }
8953 #endif /* MBEDTLS_CIPHER_MODE_CBC */
8954 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8955
8956 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8957 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
8958 For AEAD-based ciphersuites, there is nothing to do here. */
8959 if (mac_key_len != 0) {
8960 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8961 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg);
8962
8963 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
8964 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg));
8965 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
8966
8967 if ((status = psa_import_key(&attributes,
8968 mac_enc, mac_key_len,
8969 &transform->psa_mac_enc)) != PSA_SUCCESS) {
8970 ret = PSA_TO_MBEDTLS_ERR(status);
8971 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
8972 goto end;
8973 }
8974
8975 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) ||
8976 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING)
8977 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8978 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED)
8979 #endif
8980 )) {
8981 /* mbedtls_ct_hmac() requires the key to be exportable */
8982 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
8983 PSA_KEY_USAGE_VERIFY_HASH);
8984 } else {
8985 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
8986 }
8987
8988 if ((status = psa_import_key(&attributes,
8989 mac_dec, mac_key_len,
8990 &transform->psa_mac_dec)) != PSA_SUCCESS) {
8991 ret = PSA_TO_MBEDTLS_ERR(status);
8992 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
8993 goto end;
8994 }
8995 #else
8996 ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len);
8997 if (ret != 0) {
8998 goto end;
8999 }
9000 ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len);
9001 if (ret != 0) {
9002 goto end;
9003 }
9004 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9005 }
9006 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
9007
9008 ((void) mac_dec);
9009 ((void) mac_enc);
9010
9011 end:
9012 mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
9013 return ret;
9014 }
9015
9016 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
9017 defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_ecjpake_read_round(psa_pake_operation_t * pake_ctx,const unsigned char * buf,size_t len,mbedtls_ecjpake_rounds_t round)9018 int mbedtls_psa_ecjpake_read_round(
9019 psa_pake_operation_t *pake_ctx,
9020 const unsigned char *buf,
9021 size_t len, mbedtls_ecjpake_rounds_t round)
9022 {
9023 psa_status_t status;
9024 size_t input_offset = 0;
9025 /*
9026 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
9027 * At round two perform a single cycle
9028 */
9029 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
9030
9031 for (; remaining_steps > 0; remaining_steps--) {
9032 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
9033 step <= PSA_PAKE_STEP_ZK_PROOF;
9034 ++step) {
9035 /* Length is stored at the first byte */
9036 size_t length = buf[input_offset];
9037 input_offset += 1;
9038
9039 if (input_offset + length > len) {
9040 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
9041 }
9042
9043 status = psa_pake_input(pake_ctx, step,
9044 buf + input_offset, length);
9045 if (status != PSA_SUCCESS) {
9046 return PSA_TO_MBEDTLS_ERR(status);
9047 }
9048
9049 input_offset += length;
9050 }
9051 }
9052
9053 if (input_offset != len) {
9054 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
9055 }
9056
9057 return 0;
9058 }
9059
mbedtls_psa_ecjpake_write_round(psa_pake_operation_t * pake_ctx,unsigned char * buf,size_t len,size_t * olen,mbedtls_ecjpake_rounds_t round)9060 int mbedtls_psa_ecjpake_write_round(
9061 psa_pake_operation_t *pake_ctx,
9062 unsigned char *buf,
9063 size_t len, size_t *olen,
9064 mbedtls_ecjpake_rounds_t round)
9065 {
9066 psa_status_t status;
9067 size_t output_offset = 0;
9068 size_t output_len;
9069 /*
9070 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
9071 * At round two perform a single cycle
9072 */
9073 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
9074
9075 for (; remaining_steps > 0; remaining_steps--) {
9076 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
9077 step <= PSA_PAKE_STEP_ZK_PROOF;
9078 ++step) {
9079 /*
9080 * For each step, prepend 1 byte with the length of the data as
9081 * given by psa_pake_output().
9082 */
9083 status = psa_pake_output(pake_ctx, step,
9084 buf + output_offset + 1,
9085 len - output_offset - 1,
9086 &output_len);
9087 if (status != PSA_SUCCESS) {
9088 return PSA_TO_MBEDTLS_ERR(status);
9089 }
9090
9091 *(buf + output_offset) = (uint8_t) output_len;
9092
9093 output_offset += output_len + 1;
9094 }
9095 }
9096
9097 *olen = output_offset;
9098
9099 return 0;
9100 }
9101 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
9102
9103 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)9104 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
9105 unsigned char *hash, size_t *hashlen,
9106 unsigned char *data, size_t data_len,
9107 mbedtls_md_type_t md_alg)
9108 {
9109 psa_status_t status;
9110 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
9111 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
9112
9113 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
9114
9115 if ((status = psa_hash_setup(&hash_operation,
9116 hash_alg)) != PSA_SUCCESS) {
9117 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
9118 goto exit;
9119 }
9120
9121 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
9122 64)) != PSA_SUCCESS) {
9123 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
9124 goto exit;
9125 }
9126
9127 if ((status = psa_hash_update(&hash_operation,
9128 data, data_len)) != PSA_SUCCESS) {
9129 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
9130 goto exit;
9131 }
9132
9133 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE,
9134 hashlen)) != PSA_SUCCESS) {
9135 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
9136 goto exit;
9137 }
9138
9139 exit:
9140 if (status != PSA_SUCCESS) {
9141 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9142 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
9143 switch (status) {
9144 case PSA_ERROR_NOT_SUPPORTED:
9145 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
9146 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
9147 case PSA_ERROR_BUFFER_TOO_SMALL:
9148 return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
9149 case PSA_ERROR_INSUFFICIENT_MEMORY:
9150 return MBEDTLS_ERR_MD_ALLOC_FAILED;
9151 default:
9152 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
9153 }
9154 }
9155 return 0;
9156 }
9157
9158 #else
9159
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)9160 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
9161 unsigned char *hash, size_t *hashlen,
9162 unsigned char *data, size_t data_len,
9163 mbedtls_md_type_t md_alg)
9164 {
9165 int ret = 0;
9166 mbedtls_md_context_t ctx;
9167 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
9168 *hashlen = mbedtls_md_get_size(md_info);
9169
9170 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange"));
9171
9172 mbedtls_md_init(&ctx);
9173
9174 /*
9175 * digitally-signed struct {
9176 * opaque client_random[32];
9177 * opaque server_random[32];
9178 * ServerDHParams params;
9179 * };
9180 */
9181 if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
9182 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
9183 goto exit;
9184 }
9185 if ((ret = mbedtls_md_starts(&ctx)) != 0) {
9186 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret);
9187 goto exit;
9188 }
9189 if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) {
9190 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
9191 goto exit;
9192 }
9193 if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) {
9194 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
9195 goto exit;
9196 }
9197 if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) {
9198 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
9199 goto exit;
9200 }
9201
9202 exit:
9203 mbedtls_md_free(&ctx);
9204
9205 if (ret != 0) {
9206 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9207 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
9208 }
9209
9210 return ret;
9211 }
9212 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9213
9214 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
9215
9216 /* Find the preferred hash for a given signature algorithm. */
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(mbedtls_ssl_context * ssl,unsigned int sig_alg)9217 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
9218 mbedtls_ssl_context *ssl,
9219 unsigned int sig_alg)
9220 {
9221 unsigned int i;
9222 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
9223
9224 if (sig_alg == MBEDTLS_SSL_SIG_ANON) {
9225 return MBEDTLS_SSL_HASH_NONE;
9226 }
9227
9228 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
9229 unsigned int hash_alg_received =
9230 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
9231 received_sig_algs[i]);
9232 unsigned int sig_alg_received =
9233 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
9234 received_sig_algs[i]);
9235
9236 mbedtls_md_type_t md_alg =
9237 mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received);
9238 if (md_alg == MBEDTLS_MD_NONE) {
9239 continue;
9240 }
9241
9242 if (sig_alg == sig_alg_received) {
9243 #if defined(MBEDTLS_USE_PSA_CRYPTO)
9244 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
9245 psa_algorithm_t psa_hash_alg =
9246 mbedtls_md_psa_alg_from_type(md_alg);
9247
9248 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
9249 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
9250 PSA_ALG_ECDSA(psa_hash_alg),
9251 PSA_KEY_USAGE_SIGN_HASH)) {
9252 continue;
9253 }
9254
9255 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
9256 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
9257 PSA_ALG_RSA_PKCS1V15_SIGN(
9258 psa_hash_alg),
9259 PSA_KEY_USAGE_SIGN_HASH)) {
9260 continue;
9261 }
9262 }
9263 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9264
9265 return hash_alg_received;
9266 }
9267 }
9268
9269 return MBEDTLS_SSL_HASH_NONE;
9270 }
9271
9272 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
9273
9274 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9275
mbedtls_ssl_validate_ciphersuite(const mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * suite_info,mbedtls_ssl_protocol_version min_tls_version,mbedtls_ssl_protocol_version max_tls_version)9276 int mbedtls_ssl_validate_ciphersuite(
9277 const mbedtls_ssl_context *ssl,
9278 const mbedtls_ssl_ciphersuite_t *suite_info,
9279 mbedtls_ssl_protocol_version min_tls_version,
9280 mbedtls_ssl_protocol_version max_tls_version)
9281 {
9282 (void) ssl;
9283
9284 if (suite_info == NULL) {
9285 return -1;
9286 }
9287
9288 if ((suite_info->min_tls_version > max_tls_version) ||
9289 (suite_info->max_tls_version < min_tls_version)) {
9290 return -1;
9291 }
9292
9293 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
9294 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
9295 #if defined(MBEDTLS_USE_PSA_CRYPTO)
9296 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9297 ssl->handshake->psa_pake_ctx_is_ok != 1)
9298 #else
9299 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9300 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
9301 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9302 {
9303 return -1;
9304 }
9305 #endif
9306
9307 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
9308 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
9309 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
9310 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
9311 return -1;
9312 }
9313 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
9314 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9315
9316 return 0;
9317 }
9318
9319 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
9320 /*
9321 * Function for writing a signature algorithm extension.
9322 *
9323 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
9324 * value (TLS 1.3 RFC8446):
9325 * enum {
9326 * ....
9327 * ecdsa_secp256r1_sha256( 0x0403 ),
9328 * ecdsa_secp384r1_sha384( 0x0503 ),
9329 * ecdsa_secp521r1_sha512( 0x0603 ),
9330 * ....
9331 * } SignatureScheme;
9332 *
9333 * struct {
9334 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
9335 * } SignatureSchemeList;
9336 *
9337 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
9338 * value (TLS 1.2 RFC5246):
9339 * enum {
9340 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
9341 * sha512(6), (255)
9342 * } HashAlgorithm;
9343 *
9344 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
9345 * SignatureAlgorithm;
9346 *
9347 * struct {
9348 * HashAlgorithm hash;
9349 * SignatureAlgorithm signature;
9350 * } SignatureAndHashAlgorithm;
9351 *
9352 * SignatureAndHashAlgorithm
9353 * supported_signature_algorithms<2..2^16-2>;
9354 *
9355 * The TLS 1.3 signature algorithm extension was defined to be a compatible
9356 * generalization of the TLS 1.2 signature algorithm extension.
9357 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
9358 * `SignatureScheme` field of TLS 1.3
9359 *
9360 */
mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)9361 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
9362 const unsigned char *end, size_t *out_len)
9363 {
9364 unsigned char *p = buf;
9365 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
9366 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
9367
9368 *out_len = 0;
9369
9370 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension"));
9371
9372 /* Check if we have space for header and length field:
9373 * - extension_type (2 bytes)
9374 * - extension_data_length (2 bytes)
9375 * - supported_signature_algorithms_length (2 bytes)
9376 */
9377 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
9378 p += 6;
9379
9380 /*
9381 * Write supported_signature_algorithms
9382 */
9383 supported_sig_alg = p;
9384 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
9385 if (sig_alg == NULL) {
9386 return MBEDTLS_ERR_SSL_BAD_CONFIG;
9387 }
9388
9389 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
9390 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s",
9391 *sig_alg,
9392 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9393 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
9394 continue;
9395 }
9396 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
9397 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
9398 p += 2;
9399 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s",
9400 *sig_alg,
9401 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9402 }
9403
9404 /* Length of supported_signature_algorithms */
9405 supported_sig_alg_len = (size_t) (p - supported_sig_alg);
9406 if (supported_sig_alg_len == 0) {
9407 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
9408 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
9409 }
9410
9411 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0);
9412 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
9413 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
9414
9415 *out_len = (size_t) (p - buf);
9416
9417 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9418 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
9419 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
9420
9421 return 0;
9422 }
9423 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
9424
9425 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9426 /*
9427 * mbedtls_ssl_parse_server_name_ext
9428 *
9429 * Structure of server_name extension:
9430 *
9431 * enum {
9432 * host_name(0), (255)
9433 * } NameType;
9434 * opaque HostName<1..2^16-1>;
9435 *
9436 * struct {
9437 * NameType name_type;
9438 * select (name_type) {
9439 * case host_name: HostName;
9440 * } name;
9441 * } ServerName;
9442 * struct {
9443 * ServerName server_name_list<1..2^16-1>
9444 * } ServerNameList;
9445 */
9446 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9447 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
9448 const unsigned char *buf,
9449 const unsigned char *end)
9450 {
9451 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
9452 const unsigned char *p = buf;
9453 size_t server_name_list_len, hostname_len;
9454 const unsigned char *server_name_list_end;
9455
9456 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
9457
9458 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
9459 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9460 p += 2;
9461
9462 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len);
9463 server_name_list_end = p + server_name_list_len;
9464 while (p < server_name_list_end) {
9465 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3);
9466 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1);
9467 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end,
9468 hostname_len + 3);
9469
9470 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
9471 /* sni_name is intended to be used only during the parsing of the
9472 * ClientHello message (it is reset to NULL before the end of
9473 * the message parsing). Thus it is ok to just point to the
9474 * reception buffer and not make a copy of it.
9475 */
9476 ssl->handshake->sni_name = p + 3;
9477 ssl->handshake->sni_name_len = hostname_len;
9478 if (ssl->conf->f_sni == NULL) {
9479 return 0;
9480 }
9481 ret = ssl->conf->f_sni(ssl->conf->p_sni,
9482 ssl, p + 3, hostname_len);
9483 if (ret != 0) {
9484 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
9485 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
9486 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME);
9487 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME;
9488 }
9489 return 0;
9490 }
9491
9492 p += hostname_len + 3;
9493 }
9494
9495 return 0;
9496 }
9497 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
9498
9499 #if defined(MBEDTLS_SSL_ALPN)
9500 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9501 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
9502 const unsigned char *buf,
9503 const unsigned char *end)
9504 {
9505 const unsigned char *p = buf;
9506 size_t protocol_name_list_len;
9507 const unsigned char *protocol_name_list;
9508 const unsigned char *protocol_name_list_end;
9509 size_t protocol_name_len;
9510
9511 /* If ALPN not configured, just ignore the extension */
9512 if (ssl->conf->alpn_list == NULL) {
9513 return 0;
9514 }
9515
9516 /*
9517 * RFC7301, section 3.1
9518 * opaque ProtocolName<1..2^8-1>;
9519 *
9520 * struct {
9521 * ProtocolName protocol_name_list<2..2^16-1>
9522 * } ProtocolNameList;
9523 */
9524
9525 /*
9526 * protocol_name_list_len 2 bytes
9527 * protocol_name_len 1 bytes
9528 * protocol_name >=1 byte
9529 */
9530 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
9531
9532 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9533 p += 2;
9534 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
9535 protocol_name_list = p;
9536 protocol_name_list_end = p + protocol_name_list_len;
9537
9538 /* Validate peer's list (lengths) */
9539 while (p < protocol_name_list_end) {
9540 protocol_name_len = *p++;
9541 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end,
9542 protocol_name_len);
9543 if (protocol_name_len == 0) {
9544 MBEDTLS_SSL_PEND_FATAL_ALERT(
9545 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
9546 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
9547 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
9548 }
9549
9550 p += protocol_name_len;
9551 }
9552
9553 /* Use our order of preference */
9554 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
9555 size_t const alpn_len = strlen(*alpn);
9556 p = protocol_name_list;
9557 while (p < protocol_name_list_end) {
9558 protocol_name_len = *p++;
9559 if (protocol_name_len == alpn_len &&
9560 memcmp(p, *alpn, alpn_len) == 0) {
9561 ssl->alpn_chosen = *alpn;
9562 return 0;
9563 }
9564
9565 p += protocol_name_len;
9566 }
9567 }
9568
9569 /* If we get here, no match was found */
9570 MBEDTLS_SSL_PEND_FATAL_ALERT(
9571 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
9572 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL);
9573 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL;
9574 }
9575
mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)9576 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
9577 unsigned char *buf,
9578 unsigned char *end,
9579 size_t *out_len)
9580 {
9581 unsigned char *p = buf;
9582 size_t protocol_name_len;
9583 *out_len = 0;
9584
9585 if (ssl->alpn_chosen == NULL) {
9586 return 0;
9587 }
9588
9589 protocol_name_len = strlen(ssl->alpn_chosen);
9590 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len);
9591
9592 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension"));
9593 /*
9594 * 0 . 1 ext identifier
9595 * 2 . 3 ext length
9596 * 4 . 5 protocol list length
9597 * 6 . 6 protocol name length
9598 * 7 . 7+n protocol name
9599 */
9600 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
9601
9602 *out_len = 7 + protocol_name_len;
9603
9604 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2);
9605 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4);
9606 /* Note: the length of the chosen protocol has been checked to be less
9607 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
9608 */
9609 p[6] = MBEDTLS_BYTE_0(protocol_name_len);
9610
9611 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len);
9612
9613 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9614 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
9615 #endif
9616
9617 return 0;
9618 }
9619 #endif /* MBEDTLS_SSL_ALPN */
9620
9621 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
9622 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
9623 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
9624 defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_session_set_hostname(mbedtls_ssl_session * session,const char * hostname)9625 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
9626 const char *hostname)
9627 {
9628 /* Initialize to suppress unnecessary compiler warning */
9629 size_t hostname_len = 0;
9630
9631 /* Check if new hostname is valid before
9632 * making any change to current one */
9633 if (hostname != NULL) {
9634 hostname_len = strlen(hostname);
9635
9636 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
9637 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9638 }
9639 }
9640
9641 /* Now it's clear that we will overwrite the old hostname,
9642 * so we can free it safely */
9643 if (session->hostname != NULL) {
9644 mbedtls_zeroize_and_free(session->hostname,
9645 strlen(session->hostname));
9646 }
9647
9648 /* Passing NULL as hostname shall clear the old one */
9649 if (hostname == NULL) {
9650 session->hostname = NULL;
9651 } else {
9652 session->hostname = mbedtls_calloc(1, hostname_len + 1);
9653 if (session->hostname == NULL) {
9654 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9655 }
9656
9657 memcpy(session->hostname, hostname, hostname_len);
9658 }
9659
9660 return 0;
9661 }
9662 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
9663 MBEDTLS_SSL_SESSION_TICKETS &&
9664 MBEDTLS_SSL_SERVER_NAME_INDICATION &&
9665 MBEDTLS_SSL_CLI_C */
9666
9667 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
9668 defined(MBEDTLS_SSL_ALPN)
mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session * session,const char * alpn)9669 int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
9670 const char *alpn)
9671 {
9672 size_t alpn_len = 0;
9673
9674 if (alpn != NULL) {
9675 alpn_len = strlen(alpn);
9676
9677 if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) {
9678 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9679 }
9680 }
9681
9682 if (session->ticket_alpn != NULL) {
9683 mbedtls_zeroize_and_free(session->ticket_alpn,
9684 strlen(session->ticket_alpn));
9685 session->ticket_alpn = NULL;
9686 }
9687
9688 if (alpn != NULL) {
9689 session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1);
9690 if (session->ticket_alpn == NULL) {
9691 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9692 }
9693 memcpy(session->ticket_alpn, alpn, alpn_len);
9694 }
9695
9696 return 0;
9697 }
9698 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
9699
9700 /*
9701 * The following functions are used by 1.2 and 1.3, client and server.
9702 */
9703 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt * cert,const mbedtls_ssl_ciphersuite_t * ciphersuite,int recv_endpoint,mbedtls_ssl_protocol_version tls_version,uint32_t * flags)9704 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
9705 const mbedtls_ssl_ciphersuite_t *ciphersuite,
9706 int recv_endpoint,
9707 mbedtls_ssl_protocol_version tls_version,
9708 uint32_t *flags)
9709 {
9710 int ret = 0;
9711 unsigned int usage = 0;
9712 const char *ext_oid;
9713 size_t ext_len;
9714
9715 /*
9716 * keyUsage
9717 */
9718
9719 /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants
9720 * to check what a compliant client will think while choosing which cert
9721 * to send to the client. */
9722 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
9723 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
9724 recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
9725 /* TLS 1.2 server part of the key exchange */
9726 switch (ciphersuite->key_exchange) {
9727 case MBEDTLS_KEY_EXCHANGE_RSA:
9728 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
9729 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
9730 break;
9731
9732 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
9733 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
9734 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
9735 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9736 break;
9737
9738 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
9739 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
9740 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
9741 break;
9742
9743 /* Don't use default: we want warnings when adding new values */
9744 case MBEDTLS_KEY_EXCHANGE_NONE:
9745 case MBEDTLS_KEY_EXCHANGE_PSK:
9746 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
9747 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
9748 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
9749 usage = 0;
9750 }
9751 } else
9752 #endif
9753 {
9754 /* This is either TLS 1.3 authentication, which always uses signatures,
9755 * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only
9756 * options we implement, both using signatures. */
9757 (void) tls_version;
9758 (void) ciphersuite;
9759 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9760 }
9761
9762 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
9763 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
9764 ret = -1;
9765 }
9766
9767 /*
9768 * extKeyUsage
9769 */
9770
9771 if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
9772 ext_oid = MBEDTLS_OID_SERVER_AUTH;
9773 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
9774 } else {
9775 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
9776 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
9777 }
9778
9779 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
9780 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
9781 ret = -1;
9782 }
9783
9784 return ret;
9785 }
9786
mbedtls_ssl_verify_certificate(mbedtls_ssl_context * ssl,int authmode,mbedtls_x509_crt * chain,const mbedtls_ssl_ciphersuite_t * ciphersuite_info,void * rs_ctx)9787 int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
9788 int authmode,
9789 mbedtls_x509_crt *chain,
9790 const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
9791 void *rs_ctx)
9792 {
9793 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
9794 return 0;
9795 }
9796
9797 /*
9798 * Primary check: use the appropriate X.509 verification function
9799 */
9800 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
9801 void *p_vrfy;
9802 if (ssl->f_vrfy != NULL) {
9803 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
9804 f_vrfy = ssl->f_vrfy;
9805 p_vrfy = ssl->p_vrfy;
9806 } else {
9807 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
9808 f_vrfy = ssl->conf->f_vrfy;
9809 p_vrfy = ssl->conf->p_vrfy;
9810 }
9811
9812 int ret = 0;
9813 int have_ca_chain_or_callback = 0;
9814 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
9815 if (ssl->conf->f_ca_cb != NULL) {
9816 ((void) rs_ctx);
9817 have_ca_chain_or_callback = 1;
9818
9819 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
9820 ret = mbedtls_x509_crt_verify_with_ca_cb(
9821 chain,
9822 ssl->conf->f_ca_cb,
9823 ssl->conf->p_ca_cb,
9824 ssl->conf->cert_profile,
9825 ssl->hostname,
9826 &ssl->session_negotiate->verify_result,
9827 f_vrfy, p_vrfy);
9828 } else
9829 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
9830 {
9831 mbedtls_x509_crt *ca_chain;
9832 mbedtls_x509_crl *ca_crl;
9833 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9834 if (ssl->handshake->sni_ca_chain != NULL) {
9835 ca_chain = ssl->handshake->sni_ca_chain;
9836 ca_crl = ssl->handshake->sni_ca_crl;
9837 } else
9838 #endif
9839 {
9840 ca_chain = ssl->conf->ca_chain;
9841 ca_crl = ssl->conf->ca_crl;
9842 }
9843
9844 if (ca_chain != NULL) {
9845 have_ca_chain_or_callback = 1;
9846 }
9847
9848 ret = mbedtls_x509_crt_verify_restartable(
9849 chain,
9850 ca_chain, ca_crl,
9851 ssl->conf->cert_profile,
9852 ssl->hostname,
9853 &ssl->session_negotiate->verify_result,
9854 f_vrfy, p_vrfy, rs_ctx);
9855 }
9856
9857 if (ret != 0) {
9858 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
9859 }
9860
9861 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
9862 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
9863 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
9864 }
9865 #endif
9866
9867 /*
9868 * Secondary checks: always done, but change 'ret' only if it was 0
9869 */
9870
9871 /* With TLS 1.2 and ECC certs, check that the curve used by the
9872 * certificate is on our list of acceptable curves.
9873 *
9874 * With TLS 1.3 this is not needed because the curve is part of the
9875 * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when
9876 * we validate the signature made with the key associated to this cert.
9877 */
9878 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
9879 defined(MBEDTLS_PK_HAVE_ECC_KEYS)
9880 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
9881 mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) {
9882 if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) {
9883 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
9884 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
9885 if (ret == 0) {
9886 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
9887 }
9888 }
9889 }
9890 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_PK_HAVE_ECC_KEYS */
9891
9892 /* Check X.509 usage extensions (keyUsage, extKeyUsage) */
9893 if (mbedtls_ssl_check_cert_usage(chain,
9894 ciphersuite_info,
9895 ssl->conf->endpoint,
9896 ssl->tls_version,
9897 &ssl->session_negotiate->verify_result) != 0) {
9898 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
9899 if (ret == 0) {
9900 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
9901 }
9902 }
9903
9904 /* With authmode optional, we want to keep going if the certificate was
9905 * unacceptable, but still fail on other errors (out of memory etc),
9906 * including fatal errors from the f_vrfy callback.
9907 *
9908 * The only acceptable errors are:
9909 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check;
9910 * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks.
9911 * Anything else is a fatal error. */
9912 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
9913 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
9914 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
9915 ret = 0;
9916 }
9917
9918 /* Return a specific error as this is a user error: inconsistent
9919 * configuration - can't verify without trust anchors. */
9920 if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
9921 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
9922 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
9923 }
9924
9925 if (ret != 0) {
9926 uint8_t alert;
9927
9928 /* The certificate may have been rejected for several reasons.
9929 Pick one and send the corresponding alert. Which alert to send
9930 may be a subject of debate in some cases. */
9931 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
9932 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
9933 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
9934 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
9935 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
9936 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9937 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
9938 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9939 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
9940 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9941 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
9942 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9943 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
9944 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
9945 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
9946 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
9947 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
9948 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
9949 } else {
9950 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
9951 }
9952 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9953 alert);
9954 }
9955
9956 #if defined(MBEDTLS_DEBUG_C)
9957 if (ssl->session_negotiate->verify_result != 0) {
9958 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
9959 (unsigned int) ssl->session_negotiate->verify_result));
9960 } else {
9961 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
9962 }
9963 #endif /* MBEDTLS_DEBUG_C */
9964
9965 return ret;
9966 }
9967 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
9968
9969 #endif /* MBEDTLS_SSL_TLS_C */
9970