1 /*
2 * TLS shared functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0
6 *
7 * Licensed under the Apache License, Version 2.0 (the "License"); you may
8 * not use this file except in compliance with the License.
9 * You may obtain a copy of the License at
10 *
11 * http://www.apache.org/licenses/LICENSE-2.0
12 *
13 * Unless required by applicable law or agreed to in writing, software
14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16 * See the License for the specific language governing permissions and
17 * limitations under the License.
18 */
19 /*
20 * http://www.ietf.org/rfc/rfc2246.txt
21 * http://www.ietf.org/rfc/rfc4346.txt
22 */
23
24 #include "common.h"
25
26 #if defined(MBEDTLS_SSL_TLS_C)
27
28 #if defined(MBEDTLS_PLATFORM_C)
29 #include "mbedtls/platform.h"
30 #else
31 #include <stdlib.h>
32 #define mbedtls_calloc calloc
33 #define mbedtls_free free
34 #endif
35
36 #include "mbedtls/ssl.h"
37 #include "ssl_misc.h"
38 #include "mbedtls/debug.h"
39 #include "mbedtls/error.h"
40 #include "mbedtls/platform_util.h"
41 #include "mbedtls/version.h"
42
43 #include <string.h>
44
45 #if defined(MBEDTLS_USE_PSA_CRYPTO)
46 #include "mbedtls/psa_util.h"
47 #include "psa/crypto.h"
48 #endif
49
50 #if defined(MBEDTLS_X509_CRT_PARSE_C)
51 #include "mbedtls/oid.h"
52 #endif
53
54 #if defined(MBEDTLS_SSL_PROTO_DTLS)
55
56 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
57 /* Top-level Connection ID API */
58
mbedtls_ssl_conf_cid(mbedtls_ssl_config * conf,size_t len,int ignore_other_cid)59 int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
60 size_t len,
61 int ignore_other_cid )
62 {
63 if( len > MBEDTLS_SSL_CID_IN_LEN_MAX )
64 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
65
66 if( ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
67 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
68 {
69 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
70 }
71
72 conf->ignore_unexpected_cid = ignore_other_cid;
73 conf->cid_len = len;
74 return( 0 );
75 }
76
mbedtls_ssl_set_cid(mbedtls_ssl_context * ssl,int enable,unsigned char const * own_cid,size_t own_cid_len)77 int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
78 int enable,
79 unsigned char const *own_cid,
80 size_t own_cid_len )
81 {
82 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
83 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
84
85 ssl->negotiate_cid = enable;
86 if( enable == MBEDTLS_SSL_CID_DISABLED )
87 {
88 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Disable use of CID extension." ) );
89 return( 0 );
90 }
91 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
92 MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
93
94 if( own_cid_len != ssl->conf->cid_len )
95 {
96 MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
97 (unsigned) own_cid_len,
98 (unsigned) ssl->conf->cid_len ) );
99 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
100 }
101
102 memcpy( ssl->own_cid, own_cid, own_cid_len );
103 /* Truncation is not an issue here because
104 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
105 ssl->own_cid_len = (uint8_t) own_cid_len;
106
107 return( 0 );
108 }
109
mbedtls_ssl_get_peer_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],size_t * peer_cid_len)110 int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
111 int *enabled,
112 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
113 size_t *peer_cid_len )
114 {
115 *enabled = MBEDTLS_SSL_CID_DISABLED;
116
117 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
118 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
119 {
120 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
121 }
122
123 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
124 * were used, but client and server requested the empty CID.
125 * This is indistinguishable from not using the CID extension
126 * in the first place. */
127 if( ssl->transform_in->in_cid_len == 0 &&
128 ssl->transform_in->out_cid_len == 0 )
129 {
130 return( 0 );
131 }
132
133 if( peer_cid_len != NULL )
134 {
135 *peer_cid_len = ssl->transform_in->out_cid_len;
136 if( peer_cid != NULL )
137 {
138 memcpy( peer_cid, ssl->transform_in->out_cid,
139 ssl->transform_in->out_cid_len );
140 }
141 }
142
143 *enabled = MBEDTLS_SSL_CID_ENABLED;
144
145 return( 0 );
146 }
147 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
148
149 #endif /* MBEDTLS_SSL_PROTO_DTLS */
150
151 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
152 /*
153 * Convert max_fragment_length codes to length.
154 * RFC 6066 says:
155 * enum{
156 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
157 * } MaxFragmentLength;
158 * and we add 0 -> extension unused
159 */
ssl_mfl_code_to_length(int mfl)160 static unsigned int ssl_mfl_code_to_length( int mfl )
161 {
162 switch( mfl )
163 {
164 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
165 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
166 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
167 return 512;
168 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
169 return 1024;
170 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
171 return 2048;
172 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
173 return 4096;
174 default:
175 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
176 }
177 }
178 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
179
mbedtls_ssl_session_copy(mbedtls_ssl_session * dst,const mbedtls_ssl_session * src)180 int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
181 const mbedtls_ssl_session *src )
182 {
183 mbedtls_ssl_session_free( dst );
184 memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
185
186 #if defined(MBEDTLS_X509_CRT_PARSE_C)
187
188 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
189 if( src->peer_cert != NULL )
190 {
191 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
192
193 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
194 if( dst->peer_cert == NULL )
195 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
196
197 mbedtls_x509_crt_init( dst->peer_cert );
198
199 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
200 src->peer_cert->raw.len ) ) != 0 )
201 {
202 mbedtls_free( dst->peer_cert );
203 dst->peer_cert = NULL;
204 return( ret );
205 }
206 }
207 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
208 if( src->peer_cert_digest != NULL )
209 {
210 dst->peer_cert_digest =
211 mbedtls_calloc( 1, src->peer_cert_digest_len );
212 if( dst->peer_cert_digest == NULL )
213 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
214
215 memcpy( dst->peer_cert_digest, src->peer_cert_digest,
216 src->peer_cert_digest_len );
217 dst->peer_cert_digest_type = src->peer_cert_digest_type;
218 dst->peer_cert_digest_len = src->peer_cert_digest_len;
219 }
220 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
221
222 #endif /* MBEDTLS_X509_CRT_PARSE_C */
223
224 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
225 if( src->ticket != NULL )
226 {
227 dst->ticket = mbedtls_calloc( 1, src->ticket_len );
228 if( dst->ticket == NULL )
229 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
230
231 memcpy( dst->ticket, src->ticket, src->ticket_len );
232 }
233 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
234
235 return( 0 );
236 }
237
238 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
resize_buffer(unsigned char ** buffer,size_t len_new,size_t * len_old)239 static int resize_buffer( unsigned char **buffer, size_t len_new, size_t *len_old )
240 {
241 unsigned char* resized_buffer = mbedtls_calloc( 1, len_new );
242 if( resized_buffer == NULL )
243 return -1;
244
245 /* We want to copy len_new bytes when downsizing the buffer, and
246 * len_old bytes when upsizing, so we choose the smaller of two sizes,
247 * to fit one buffer into another. Size checks, ensuring that no data is
248 * lost, are done outside of this function. */
249 memcpy( resized_buffer, *buffer,
250 ( len_new < *len_old ) ? len_new : *len_old );
251 mbedtls_platform_zeroize( *buffer, *len_old );
252 mbedtls_free( *buffer );
253
254 *buffer = resized_buffer;
255 *len_old = len_new;
256
257 return 0;
258 }
259
handle_buffer_resizing(mbedtls_ssl_context * ssl,int downsizing,size_t in_buf_new_len,size_t out_buf_new_len)260 static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing,
261 size_t in_buf_new_len,
262 size_t out_buf_new_len )
263 {
264 int modified = 0;
265 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
266 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
267 if( ssl->in_buf != NULL )
268 {
269 written_in = ssl->in_msg - ssl->in_buf;
270 iv_offset_in = ssl->in_iv - ssl->in_buf;
271 len_offset_in = ssl->in_len - ssl->in_buf;
272 if( downsizing ?
273 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
274 ssl->in_buf_len < in_buf_new_len )
275 {
276 if( resize_buffer( &ssl->in_buf, in_buf_new_len, &ssl->in_buf_len ) != 0 )
277 {
278 MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
279 }
280 else
281 {
282 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
283 in_buf_new_len ) );
284 modified = 1;
285 }
286 }
287 }
288
289 if( ssl->out_buf != NULL )
290 {
291 written_out = ssl->out_msg - ssl->out_buf;
292 iv_offset_out = ssl->out_iv - ssl->out_buf;
293 len_offset_out = ssl->out_len - ssl->out_buf;
294 if( downsizing ?
295 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
296 ssl->out_buf_len < out_buf_new_len )
297 {
298 if( resize_buffer( &ssl->out_buf, out_buf_new_len, &ssl->out_buf_len ) != 0 )
299 {
300 MBEDTLS_SSL_DEBUG_MSG( 1, ( "output buffer resizing failed - out of memory" ) );
301 }
302 else
303 {
304 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
305 out_buf_new_len ) );
306 modified = 1;
307 }
308 }
309 }
310 if( modified )
311 {
312 /* Update pointers here to avoid doing it twice. */
313 mbedtls_ssl_reset_in_out_pointers( ssl );
314 /* Fields below might not be properly updated with record
315 * splitting or with CID, so they are manually updated here. */
316 ssl->out_msg = ssl->out_buf + written_out;
317 ssl->out_len = ssl->out_buf + len_offset_out;
318 ssl->out_iv = ssl->out_buf + iv_offset_out;
319
320 ssl->in_msg = ssl->in_buf + written_in;
321 ssl->in_len = ssl->in_buf + len_offset_in;
322 ssl->in_iv = ssl->in_buf + iv_offset_in;
323 }
324 }
325 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
326
327 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
328 #if defined(MBEDTLS_USE_PSA_CRYPTO)
329
setup_psa_key_derivation(psa_key_derivation_operation_t * derivation,psa_key_id_t key,psa_algorithm_t alg,const unsigned char * seed,size_t seed_length,const unsigned char * label,size_t label_length,size_t capacity)330 static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
331 psa_key_id_t key,
332 psa_algorithm_t alg,
333 const unsigned char* seed, size_t seed_length,
334 const unsigned char* label, size_t label_length,
335 size_t capacity )
336 {
337 psa_status_t status;
338
339 status = psa_key_derivation_setup( derivation, alg );
340 if( status != PSA_SUCCESS )
341 return( status );
342
343 if( PSA_ALG_IS_TLS12_PRF( alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
344 {
345 status = psa_key_derivation_input_bytes( derivation,
346 PSA_KEY_DERIVATION_INPUT_SEED,
347 seed, seed_length );
348 if( status != PSA_SUCCESS )
349 return( status );
350
351 if( mbedtls_svc_key_id_is_null( key ) )
352 {
353 status = psa_key_derivation_input_bytes(
354 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
355 NULL, 0 );
356 }
357 else
358 {
359 status = psa_key_derivation_input_key(
360 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key );
361 }
362 if( status != PSA_SUCCESS )
363 return( status );
364
365 status = psa_key_derivation_input_bytes( derivation,
366 PSA_KEY_DERIVATION_INPUT_LABEL,
367 label, label_length );
368 if( status != PSA_SUCCESS )
369 return( status );
370 }
371 else
372 {
373 return( PSA_ERROR_NOT_SUPPORTED );
374 }
375
376 status = psa_key_derivation_set_capacity( derivation, capacity );
377 if( status != PSA_SUCCESS )
378 return( status );
379
380 return( PSA_SUCCESS );
381 }
382
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)383 static int tls_prf_generic( mbedtls_md_type_t md_type,
384 const unsigned char *secret, size_t slen,
385 const char *label,
386 const unsigned char *random, size_t rlen,
387 unsigned char *dstbuf, size_t dlen )
388 {
389 psa_status_t status;
390 psa_algorithm_t alg;
391 psa_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
392 psa_key_derivation_operation_t derivation =
393 PSA_KEY_DERIVATION_OPERATION_INIT;
394
395 if( md_type == MBEDTLS_MD_SHA384 )
396 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
397 else
398 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
399
400 /* Normally a "secret" should be long enough to be impossible to
401 * find by brute force, and in particular should not be empty. But
402 * this PRF is also used to derive an IV, in particular in EAP-TLS,
403 * and for this use case it makes sense to have a 0-length "secret".
404 * Since the key API doesn't allow importing a key of length 0,
405 * keep master_key=0, which setup_psa_key_derivation() understands
406 * to mean a 0-length "secret" input. */
407 if( slen != 0 )
408 {
409 psa_key_attributes_t key_attributes = psa_key_attributes_init();
410 psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
411 psa_set_key_algorithm( &key_attributes, alg );
412 psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
413
414 status = psa_import_key( &key_attributes, secret, slen, &master_key );
415 if( status != PSA_SUCCESS )
416 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
417 }
418
419 status = setup_psa_key_derivation( &derivation,
420 master_key, alg,
421 random, rlen,
422 (unsigned char const *) label,
423 (size_t) strlen( label ),
424 dlen );
425 if( status != PSA_SUCCESS )
426 {
427 psa_key_derivation_abort( &derivation );
428 psa_destroy_key( master_key );
429 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
430 }
431
432 status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen );
433 if( status != PSA_SUCCESS )
434 {
435 psa_key_derivation_abort( &derivation );
436 psa_destroy_key( master_key );
437 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
438 }
439
440 status = psa_key_derivation_abort( &derivation );
441 if( status != PSA_SUCCESS )
442 {
443 psa_destroy_key( master_key );
444 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
445 }
446
447 if( ! mbedtls_svc_key_id_is_null( master_key ) )
448 status = psa_destroy_key( master_key );
449 if( status != PSA_SUCCESS )
450 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
451
452 return( 0 );
453 }
454
455 #else /* MBEDTLS_USE_PSA_CRYPTO */
456
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)457 static int tls_prf_generic( mbedtls_md_type_t md_type,
458 const unsigned char *secret, size_t slen,
459 const char *label,
460 const unsigned char *random, size_t rlen,
461 unsigned char *dstbuf, size_t dlen )
462 {
463 size_t nb;
464 size_t i, j, k, md_len;
465 unsigned char *tmp;
466 size_t tmp_len = 0;
467 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
468 const mbedtls_md_info_t *md_info;
469 mbedtls_md_context_t md_ctx;
470 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
471
472 mbedtls_md_init( &md_ctx );
473
474 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
475 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
476
477 md_len = mbedtls_md_get_size( md_info );
478
479 tmp_len = md_len + strlen( label ) + rlen;
480 tmp = mbedtls_calloc( 1, tmp_len );
481 if( tmp == NULL )
482 {
483 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
484 goto exit;
485 }
486
487 nb = strlen( label );
488 memcpy( tmp + md_len, label, nb );
489 memcpy( tmp + md_len + nb, random, rlen );
490 nb += rlen;
491
492 /*
493 * Compute P_<hash>(secret, label + random)[0..dlen]
494 */
495 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
496 goto exit;
497
498 mbedtls_md_hmac_starts( &md_ctx, secret, slen );
499 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
500 mbedtls_md_hmac_finish( &md_ctx, tmp );
501
502 for( i = 0; i < dlen; i += md_len )
503 {
504 mbedtls_md_hmac_reset ( &md_ctx );
505 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
506 mbedtls_md_hmac_finish( &md_ctx, h_i );
507
508 mbedtls_md_hmac_reset ( &md_ctx );
509 mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
510 mbedtls_md_hmac_finish( &md_ctx, tmp );
511
512 k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
513
514 for( j = 0; j < k; j++ )
515 dstbuf[i + j] = h_i[j];
516 }
517
518 exit:
519 mbedtls_md_free( &md_ctx );
520
521 mbedtls_platform_zeroize( tmp, tmp_len );
522 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
523
524 mbedtls_free( tmp );
525
526 return( ret );
527 }
528 #endif /* MBEDTLS_USE_PSA_CRYPTO */
529 #if defined(MBEDTLS_SHA256_C)
tls_prf_sha256(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)530 static int tls_prf_sha256( const unsigned char *secret, size_t slen,
531 const char *label,
532 const unsigned char *random, size_t rlen,
533 unsigned char *dstbuf, size_t dlen )
534 {
535 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
536 label, random, rlen, dstbuf, dlen ) );
537 }
538 #endif /* MBEDTLS_SHA256_C */
539
540 #if defined(MBEDTLS_SHA384_C)
tls_prf_sha384(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)541 static int tls_prf_sha384( const unsigned char *secret, size_t slen,
542 const char *label,
543 const unsigned char *random, size_t rlen,
544 unsigned char *dstbuf, size_t dlen )
545 {
546 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
547 label, random, rlen, dstbuf, dlen ) );
548 }
549 #endif /* MBEDTLS_SHA384_C */
550 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
551
552 static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
553
554 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
555 #if defined(MBEDTLS_SHA256_C)
556 static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
557 static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * );
558 static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
559 #endif
560
561 #if defined(MBEDTLS_SHA384_C)
562 static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
563 static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * );
564 static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
565 #endif
566 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
567
568 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \
569 defined(MBEDTLS_USE_PSA_CRYPTO)
ssl_use_opaque_psk(mbedtls_ssl_context const * ssl)570 static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
571 {
572 if( ssl->conf->f_psk != NULL )
573 {
574 /* If we've used a callback to select the PSK,
575 * the static configuration is irrelevant. */
576 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
577 return( 1 );
578
579 return( 0 );
580 }
581
582 if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
583 return( 1 );
584
585 return( 0 );
586 }
587 #endif /* MBEDTLS_USE_PSA_CRYPTO &&
588 MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
589
tls_prf_get_type(mbedtls_ssl_tls_prf_cb * tls_prf)590 static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
591 {
592 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
593 #if defined(MBEDTLS_SHA384_C)
594 if( tls_prf == tls_prf_sha384 )
595 {
596 return( MBEDTLS_SSL_TLS_PRF_SHA384 );
597 }
598 else
599 #endif
600 #if defined(MBEDTLS_SHA256_C)
601 if( tls_prf == tls_prf_sha256 )
602 {
603 return( MBEDTLS_SSL_TLS_PRF_SHA256 );
604 }
605 else
606 #endif
607 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
608 return( MBEDTLS_SSL_TLS_PRF_NONE );
609 }
610
mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)611 int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
612 const unsigned char *secret, size_t slen,
613 const char *label,
614 const unsigned char *random, size_t rlen,
615 unsigned char *dstbuf, size_t dlen )
616 {
617 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
618
619 switch( prf )
620 {
621 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
622 #if defined(MBEDTLS_SHA384_C)
623 case MBEDTLS_SSL_TLS_PRF_SHA384:
624 tls_prf = tls_prf_sha384;
625 break;
626 #endif /* MBEDTLS_SHA384_C */
627 #if defined(MBEDTLS_SHA256_C)
628 case MBEDTLS_SSL_TLS_PRF_SHA256:
629 tls_prf = tls_prf_sha256;
630 break;
631 #endif /* MBEDTLS_SHA256_C */
632 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
633 default:
634 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
635 }
636
637 return( tls_prf( secret, slen, label, random, rlen, dstbuf, dlen ) );
638 }
639
640 /* Type for the TLS PRF */
641 typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
642 const unsigned char *, size_t,
643 unsigned char *, size_t);
644
645 /*
646 * Populate a transform structure with session keys and all the other
647 * necessary information.
648 *
649 * Parameters:
650 * - [in/out]: transform: structure to populate
651 * [in] must be just initialised with mbedtls_ssl_transform_init()
652 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
653 * - [in] ciphersuite
654 * - [in] master
655 * - [in] encrypt_then_mac
656 * - [in] compression
657 * - [in] tls_prf: pointer to PRF to use for key derivation
658 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
659 * - [in] minor_ver: SSL/TLS minor version
660 * - [in] endpoint: client or server
661 * - [in] ssl: used for:
662 * - ssl->conf->{f,p}_export_keys
663 * [in] optionally used for:
664 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
665 */
ssl_tls12_populate_transform(mbedtls_ssl_transform * transform,int ciphersuite,const unsigned char master[48],int encrypt_then_mac,ssl_tls_prf_t tls_prf,const unsigned char randbytes[64],int minor_ver,unsigned endpoint,const mbedtls_ssl_context * ssl)666 static int ssl_tls12_populate_transform( mbedtls_ssl_transform *transform,
667 int ciphersuite,
668 const unsigned char master[48],
669 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
670 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
671 int encrypt_then_mac,
672 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
673 MBEDTLS_SSL_SOME_SUITES_USE_MAC */
674 ssl_tls_prf_t tls_prf,
675 const unsigned char randbytes[64],
676 int minor_ver,
677 unsigned endpoint,
678 const mbedtls_ssl_context *ssl )
679 {
680 int ret = 0;
681 #if defined(MBEDTLS_USE_PSA_CRYPTO)
682 int psa_fallthrough;
683 #endif /* MBEDTLS_USE_PSA_CRYPTO */
684 unsigned char keyblk[256];
685 unsigned char *key1;
686 unsigned char *key2;
687 unsigned char *mac_enc;
688 unsigned char *mac_dec;
689 size_t mac_key_len = 0;
690 size_t iv_copy_len;
691 size_t keylen;
692 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
693 const mbedtls_cipher_info_t *cipher_info;
694 const mbedtls_md_info_t *md_info;
695
696 #if !defined(MBEDTLS_DEBUG_C) && \
697 !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
698 if( ssl->f_export_keys == NULL )
699 {
700 ssl = NULL; /* make sure we don't use it except for these cases */
701 (void) ssl;
702 }
703 #endif
704
705 /*
706 * Some data just needs copying into the structure
707 */
708 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
709 defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
710 transform->encrypt_then_mac = encrypt_then_mac;
711 #endif
712 transform->minor_ver = minor_ver;
713
714 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
715 memcpy( transform->randbytes, randbytes, sizeof( transform->randbytes ) );
716 #endif
717
718 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
719 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
720 {
721 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
722 * generation separate. This should never happen. */
723 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
724 }
725 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
726
727 /*
728 * Get various info structures
729 */
730 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
731 if( ciphersuite_info == NULL )
732 {
733 MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
734 ciphersuite ) );
735 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
736 }
737
738 cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
739 if( cipher_info == NULL )
740 {
741 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
742 ciphersuite_info->cipher ) );
743 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
744 }
745
746 md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
747 if( md_info == NULL )
748 {
749 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %u not found",
750 (unsigned) ciphersuite_info->mac ) );
751 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
752 }
753
754 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
755 /* Copy own and peer's CID if the use of the CID
756 * extension has been negotiated. */
757 if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
758 {
759 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
760
761 transform->in_cid_len = ssl->own_cid_len;
762 memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
763 MBEDTLS_SSL_DEBUG_BUF( 3, "Incoming CID", transform->in_cid,
764 transform->in_cid_len );
765
766 transform->out_cid_len = ssl->handshake->peer_cid_len;
767 memcpy( transform->out_cid, ssl->handshake->peer_cid,
768 ssl->handshake->peer_cid_len );
769 MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
770 transform->out_cid_len );
771 }
772 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
773
774 /*
775 * Compute key block using the PRF
776 */
777 ret = tls_prf( master, 48, "key expansion", randbytes, 64, keyblk, 256 );
778 if( ret != 0 )
779 {
780 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
781 return( ret );
782 }
783
784 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
785 mbedtls_ssl_get_ciphersuite_name( ciphersuite ) ) );
786 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", master, 48 );
787 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", randbytes, 64 );
788 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
789
790 /*
791 * Determine the appropriate key, IV and MAC length.
792 */
793
794 keylen = mbedtls_cipher_info_get_key_bitlen( cipher_info ) / 8;
795
796 #if defined(MBEDTLS_GCM_C) || \
797 defined(MBEDTLS_CCM_C) || \
798 defined(MBEDTLS_CHACHAPOLY_C)
799 if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_GCM ||
800 mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CCM ||
801 mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CHACHAPOLY )
802 {
803 size_t explicit_ivlen;
804
805 transform->maclen = 0;
806 mac_key_len = 0;
807 transform->taglen =
808 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
809
810 /* All modes haves 96-bit IVs, but the length of the static parts vary
811 * with mode and version:
812 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
813 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
814 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
815 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
816 * sequence number).
817 */
818 transform->ivlen = 12;
819 if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CHACHAPOLY )
820 transform->fixed_ivlen = 12;
821 else
822 transform->fixed_ivlen = 4;
823
824 /* Minimum length of encrypted record */
825 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
826 transform->minlen = explicit_ivlen + transform->taglen;
827 }
828 else
829 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
830 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
831 if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM ||
832 mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CBC )
833 {
834 /* Initialize HMAC contexts */
835 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
836 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
837 {
838 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
839 goto end;
840 }
841
842 /* Get MAC length */
843 mac_key_len = mbedtls_md_get_size( md_info );
844 transform->maclen = mac_key_len;
845
846 /* IV length */
847 transform->ivlen = cipher_info->iv_size;
848
849 /* Minimum length */
850 if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_STREAM )
851 transform->minlen = transform->maclen;
852 else
853 {
854 /*
855 * GenericBlockCipher:
856 * 1. if EtM is in use: one block plus MAC
857 * otherwise: * first multiple of blocklen greater than maclen
858 * 2. IV
859 */
860 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
861 if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
862 {
863 transform->minlen = transform->maclen
864 + cipher_info->block_size;
865 }
866 else
867 #endif
868 {
869 transform->minlen = transform->maclen
870 + cipher_info->block_size
871 - transform->maclen % cipher_info->block_size;
872 }
873
874 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
875 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
876 {
877 transform->minlen += transform->ivlen;
878 }
879 else
880 #endif
881 {
882 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
883 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
884 goto end;
885 }
886 }
887 }
888 else
889 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
890 {
891 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
892 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
893 }
894
895 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
896 (unsigned) keylen,
897 (unsigned) transform->minlen,
898 (unsigned) transform->ivlen,
899 (unsigned) transform->maclen ) );
900
901 /*
902 * Finally setup the cipher contexts, IVs and MAC secrets.
903 */
904 #if defined(MBEDTLS_SSL_CLI_C)
905 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
906 {
907 key1 = keyblk + mac_key_len * 2;
908 key2 = keyblk + mac_key_len * 2 + keylen;
909
910 mac_enc = keyblk;
911 mac_dec = keyblk + mac_key_len;
912
913 /*
914 * This is not used in TLS v1.1.
915 */
916 iv_copy_len = ( transform->fixed_ivlen ) ?
917 transform->fixed_ivlen : transform->ivlen;
918 memcpy( transform->iv_enc, key2 + keylen, iv_copy_len );
919 memcpy( transform->iv_dec, key2 + keylen + iv_copy_len,
920 iv_copy_len );
921 }
922 else
923 #endif /* MBEDTLS_SSL_CLI_C */
924 #if defined(MBEDTLS_SSL_SRV_C)
925 if( endpoint == MBEDTLS_SSL_IS_SERVER )
926 {
927 key1 = keyblk + mac_key_len * 2 + keylen;
928 key2 = keyblk + mac_key_len * 2;
929
930 mac_enc = keyblk + mac_key_len;
931 mac_dec = keyblk;
932
933 /*
934 * This is not used in TLS v1.1.
935 */
936 iv_copy_len = ( transform->fixed_ivlen ) ?
937 transform->fixed_ivlen : transform->ivlen;
938 memcpy( transform->iv_dec, key1 + keylen, iv_copy_len );
939 memcpy( transform->iv_enc, key1 + keylen + iv_copy_len,
940 iv_copy_len );
941 }
942 else
943 #endif /* MBEDTLS_SSL_SRV_C */
944 {
945 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
946 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
947 goto end;
948 }
949
950 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
951 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
952 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
953 For AEAD-based ciphersuites, there is nothing to do here. */
954 if( mac_key_len != 0 )
955 {
956 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
957 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
958 }
959 #endif
960 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
961
962 ((void) mac_dec);
963 ((void) mac_enc);
964
965 if( ssl != NULL && ssl->f_export_keys != NULL )
966 {
967 ssl->f_export_keys( ssl->p_export_keys,
968 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
969 master, 48,
970 randbytes + 32,
971 randbytes,
972 tls_prf_get_type( tls_prf ) );
973 }
974
975 #if defined(MBEDTLS_USE_PSA_CRYPTO)
976 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
977 cipher_info, transform->taglen );
978 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
979 {
980 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
981 goto end;
982 }
983
984 if( ret == 0 )
985 {
986 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based encryption cipher context" ) );
987 psa_fallthrough = 0;
988 }
989 else
990 {
991 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
992 psa_fallthrough = 1;
993 }
994
995 if( psa_fallthrough == 1 )
996 #endif /* MBEDTLS_USE_PSA_CRYPTO */
997 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
998 cipher_info ) ) != 0 )
999 {
1000 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
1001 goto end;
1002 }
1003
1004 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1005 ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
1006 cipher_info, transform->taglen );
1007 if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
1008 {
1009 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
1010 goto end;
1011 }
1012
1013 if( ret == 0 )
1014 {
1015 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based decryption cipher context" ) );
1016 psa_fallthrough = 0;
1017 }
1018 else
1019 {
1020 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
1021 psa_fallthrough = 1;
1022 }
1023
1024 if( psa_fallthrough == 1 )
1025 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1026 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
1027 cipher_info ) ) != 0 )
1028 {
1029 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
1030 goto end;
1031 }
1032
1033 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
1034 (int) mbedtls_cipher_info_get_key_bitlen( cipher_info ),
1035 MBEDTLS_ENCRYPT ) ) != 0 )
1036 {
1037 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
1038 goto end;
1039 }
1040
1041 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
1042 (int) mbedtls_cipher_info_get_key_bitlen( cipher_info ),
1043 MBEDTLS_DECRYPT ) ) != 0 )
1044 {
1045 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
1046 goto end;
1047 }
1048
1049 #if defined(MBEDTLS_CIPHER_MODE_CBC)
1050 if( mbedtls_cipher_info_get_mode( cipher_info ) == MBEDTLS_MODE_CBC )
1051 {
1052 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
1053 MBEDTLS_PADDING_NONE ) ) != 0 )
1054 {
1055 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
1056 goto end;
1057 }
1058
1059 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
1060 MBEDTLS_PADDING_NONE ) ) != 0 )
1061 {
1062 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
1063 goto end;
1064 }
1065 }
1066 #endif /* MBEDTLS_CIPHER_MODE_CBC */
1067
1068
1069 end:
1070 mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
1071 return( ret );
1072 }
1073
1074 /*
1075 * Set appropriate PRF function and other SSL / TLS1.2 functions
1076 *
1077 * Inputs:
1078 * - SSL/TLS minor version
1079 * - hash associated with the ciphersuite (only used by TLS 1.2)
1080 *
1081 * Outputs:
1082 * - the tls_prf, calc_verify and calc_finished members of handshake structure
1083 */
ssl_set_handshake_prfs(mbedtls_ssl_handshake_params * handshake,int minor_ver,mbedtls_md_type_t hash)1084 static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
1085 int minor_ver,
1086 mbedtls_md_type_t hash )
1087 {
1088 #if !defined(MBEDTLS_SSL_PROTO_TLS1_2) || !defined(MBEDTLS_SHA384_C)
1089 (void) hash;
1090 #endif
1091
1092 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1093 #if defined(MBEDTLS_SHA384_C)
1094 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
1095 hash == MBEDTLS_MD_SHA384 )
1096 {
1097 handshake->tls_prf = tls_prf_sha384;
1098 handshake->calc_verify = ssl_calc_verify_tls_sha384;
1099 handshake->calc_finished = ssl_calc_finished_tls_sha384;
1100 }
1101 else
1102 #endif
1103 #if defined(MBEDTLS_SHA256_C)
1104 if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1105 {
1106 handshake->tls_prf = tls_prf_sha256;
1107 handshake->calc_verify = ssl_calc_verify_tls_sha256;
1108 handshake->calc_finished = ssl_calc_finished_tls_sha256;
1109 }
1110 else
1111 #endif
1112 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1113 {
1114 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1115 }
1116
1117 return( 0 );
1118 }
1119
1120 /*
1121 * Compute master secret if needed
1122 *
1123 * Parameters:
1124 * [in/out] handshake
1125 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
1126 * (PSA-PSK) ciphersuite_info, psk_opaque
1127 * [out] premaster (cleared)
1128 * [out] master
1129 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
1130 * debug: conf->f_dbg, conf->p_dbg
1131 * EMS: passed to calc_verify (debug + session_negotiate)
1132 * PSA-PSA: minor_ver, conf
1133 */
ssl_compute_master(mbedtls_ssl_handshake_params * handshake,unsigned char * master,const mbedtls_ssl_context * ssl)1134 static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
1135 unsigned char *master,
1136 const mbedtls_ssl_context *ssl )
1137 {
1138 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1139
1140 /* cf. RFC 5246, Section 8.1:
1141 * "The master secret is always exactly 48 bytes in length." */
1142 size_t const master_secret_len = 48;
1143
1144 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1145 unsigned char session_hash[48];
1146 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
1147
1148 /* The label for the KDF used for key expansion.
1149 * This is either "master secret" or "extended master secret"
1150 * depending on whether the Extended Master Secret extension
1151 * is used. */
1152 char const *lbl = "master secret";
1153
1154 /* The salt for the KDF used for key expansion.
1155 * - If the Extended Master Secret extension is not used,
1156 * this is ClientHello.Random + ServerHello.Random
1157 * (see Sect. 8.1 in RFC 5246).
1158 * - If the Extended Master Secret extension is used,
1159 * this is the transcript of the handshake so far.
1160 * (see Sect. 4 in RFC 7627). */
1161 unsigned char const *salt = handshake->randbytes;
1162 size_t salt_len = 64;
1163
1164 #if !defined(MBEDTLS_DEBUG_C) && \
1165 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
1166 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
1167 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
1168 ssl = NULL; /* make sure we don't use it except for those cases */
1169 (void) ssl;
1170 #endif
1171
1172 if( handshake->resume != 0 )
1173 {
1174 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
1175 return( 0 );
1176 }
1177
1178 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
1179 if( handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
1180 {
1181 lbl = "extended master secret";
1182 salt = session_hash;
1183 handshake->calc_verify( ssl, session_hash, &salt_len );
1184
1185 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash for extended master secret",
1186 session_hash, salt_len );
1187 }
1188 #endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */
1189
1190 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
1191 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1192 if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
1193 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
1194 ssl_use_opaque_psk( ssl ) == 1 )
1195 {
1196 /* Perform PSK-to-MS expansion in a single step. */
1197 psa_status_t status;
1198 psa_algorithm_t alg;
1199 psa_key_id_t psk;
1200 psa_key_derivation_operation_t derivation =
1201 PSA_KEY_DERIVATION_OPERATION_INIT;
1202 mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
1203
1204 MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
1205
1206 psk = mbedtls_ssl_get_opaque_psk( ssl );
1207
1208 if( hash_alg == MBEDTLS_MD_SHA384 )
1209 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
1210 else
1211 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
1212
1213 status = setup_psa_key_derivation( &derivation, psk, alg,
1214 salt, salt_len,
1215 (unsigned char const *) lbl,
1216 (size_t) strlen( lbl ),
1217 master_secret_len );
1218 if( status != PSA_SUCCESS )
1219 {
1220 psa_key_derivation_abort( &derivation );
1221 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
1222 }
1223
1224 status = psa_key_derivation_output_bytes( &derivation,
1225 master,
1226 master_secret_len );
1227 if( status != PSA_SUCCESS )
1228 {
1229 psa_key_derivation_abort( &derivation );
1230 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
1231 }
1232
1233 status = psa_key_derivation_abort( &derivation );
1234 if( status != PSA_SUCCESS )
1235 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
1236 }
1237 else
1238 #endif
1239 {
1240 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
1241 lbl, salt, salt_len,
1242 master,
1243 master_secret_len );
1244 if( ret != 0 )
1245 {
1246 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
1247 return( ret );
1248 }
1249
1250 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret",
1251 handshake->premaster,
1252 handshake->pmslen );
1253
1254 mbedtls_platform_zeroize( handshake->premaster,
1255 sizeof(handshake->premaster) );
1256 }
1257
1258 return( 0 );
1259 }
1260
mbedtls_ssl_derive_keys(mbedtls_ssl_context * ssl)1261 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
1262 {
1263 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1264 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
1265 ssl->handshake->ciphersuite_info;
1266
1267 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
1268
1269 /* Set PRF, calc_verify and calc_finished function pointers */
1270 ret = ssl_set_handshake_prfs( ssl->handshake,
1271 ssl->minor_ver,
1272 ciphersuite_info->mac );
1273 if( ret != 0 )
1274 {
1275 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_set_handshake_prfs", ret );
1276 return( ret );
1277 }
1278
1279 /* Compute master secret if needed */
1280 ret = ssl_compute_master( ssl->handshake,
1281 ssl->session_negotiate->master,
1282 ssl );
1283 if( ret != 0 )
1284 {
1285 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compute_master", ret );
1286 return( ret );
1287 }
1288
1289 /* Swap the client and server random values:
1290 * - MS derivation wanted client+server (RFC 5246 8.1)
1291 * - key derivation wants server+client (RFC 5246 6.3) */
1292 {
1293 unsigned char tmp[64];
1294 memcpy( tmp, ssl->handshake->randbytes, 64 );
1295 memcpy( ssl->handshake->randbytes, tmp + 32, 32 );
1296 memcpy( ssl->handshake->randbytes + 32, tmp, 32 );
1297 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
1298 }
1299
1300 /* Populate transform structure */
1301 ret = ssl_tls12_populate_transform( ssl->transform_negotiate,
1302 ssl->session_negotiate->ciphersuite,
1303 ssl->session_negotiate->master,
1304 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
1305 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1306 ssl->session_negotiate->encrypt_then_mac,
1307 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
1308 MBEDTLS_SSL_SOME_SUITES_USE_MAC */
1309 ssl->handshake->tls_prf,
1310 ssl->handshake->randbytes,
1311 ssl->minor_ver,
1312 ssl->conf->endpoint,
1313 ssl );
1314 if( ret != 0 )
1315 {
1316 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls12_populate_transform", ret );
1317 return( ret );
1318 }
1319
1320 /* We no longer need Server/ClientHello.random values */
1321 mbedtls_platform_zeroize( ssl->handshake->randbytes,
1322 sizeof( ssl->handshake->randbytes ) );
1323
1324 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
1325
1326 return( 0 );
1327 }
1328
1329 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1330 #if defined(MBEDTLS_SHA256_C)
ssl_calc_verify_tls_sha256(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)1331 void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl,
1332 unsigned char *hash,
1333 size_t *hlen )
1334 {
1335 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1336 size_t hash_size;
1337 psa_status_t status;
1338 psa_hash_operation_t sha256_psa = psa_hash_operation_init();
1339
1340 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) );
1341 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
1342 if( status != PSA_SUCCESS )
1343 {
1344 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1345 return;
1346 }
1347
1348 status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size );
1349 if( status != PSA_SUCCESS )
1350 {
1351 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1352 return;
1353 }
1354
1355 *hlen = 32;
1356 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
1357 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1358 #else
1359 mbedtls_sha256_context sha256;
1360
1361 mbedtls_sha256_init( &sha256 );
1362
1363 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
1364
1365 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
1366 mbedtls_sha256_finish( &sha256, hash );
1367
1368 *hlen = 32;
1369
1370 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
1371 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1372
1373 mbedtls_sha256_free( &sha256 );
1374 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1375 return;
1376 }
1377 #endif /* MBEDTLS_SHA256_C */
1378
1379 #if defined(MBEDTLS_SHA384_C)
ssl_calc_verify_tls_sha384(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)1380 void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl,
1381 unsigned char *hash,
1382 size_t *hlen )
1383 {
1384 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1385 size_t hash_size;
1386 psa_status_t status;
1387 psa_hash_operation_t sha384_psa = psa_hash_operation_init();
1388
1389 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) );
1390 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
1391 if( status != PSA_SUCCESS )
1392 {
1393 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
1394 return;
1395 }
1396
1397 status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size );
1398 if( status != PSA_SUCCESS )
1399 {
1400 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
1401 return;
1402 }
1403
1404 *hlen = 48;
1405 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
1406 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
1407 #else
1408 mbedtls_sha512_context sha512;
1409
1410 mbedtls_sha512_init( &sha512 );
1411
1412 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
1413
1414 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
1415 mbedtls_sha512_finish( &sha512, hash );
1416
1417 *hlen = 48;
1418
1419 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
1420 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1421
1422 mbedtls_sha512_free( &sha512 );
1423 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1424 return;
1425 }
1426 #endif /* MBEDTLS_SHA384_C */
1427 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1428
1429 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context * ssl,mbedtls_key_exchange_type_t key_ex)1430 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
1431 {
1432 unsigned char *p = ssl->handshake->premaster;
1433 unsigned char *end = p + sizeof( ssl->handshake->premaster );
1434 const unsigned char *psk = NULL;
1435 size_t psk_len = 0;
1436
1437 if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
1438 == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
1439 {
1440 /*
1441 * This should never happen because the existence of a PSK is always
1442 * checked before calling this function
1443 */
1444 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1445 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1446 }
1447
1448 /*
1449 * PMS = struct {
1450 * opaque other_secret<0..2^16-1>;
1451 * opaque psk<0..2^16-1>;
1452 * };
1453 * with "other_secret" depending on the particular key exchange
1454 */
1455 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1456 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
1457 {
1458 if( end - p < 2 )
1459 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1460
1461 MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 );
1462 p += 2;
1463
1464 if( end < p || (size_t)( end - p ) < psk_len )
1465 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1466
1467 memset( p, 0, psk_len );
1468 p += psk_len;
1469 }
1470 else
1471 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
1472 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1473 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
1474 {
1475 /*
1476 * other_secret already set by the ClientKeyExchange message,
1477 * and is 48 bytes long
1478 */
1479 if( end - p < 2 )
1480 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1481
1482 *p++ = 0;
1483 *p++ = 48;
1484 p += 48;
1485 }
1486 else
1487 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1488 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1489 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
1490 {
1491 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1492 size_t len;
1493
1494 /* Write length only when we know the actual value */
1495 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
1496 p + 2, end - ( p + 2 ), &len,
1497 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
1498 {
1499 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
1500 return( ret );
1501 }
1502 MBEDTLS_PUT_UINT16_BE( len, p, 0 );
1503 p += 2 + len;
1504
1505 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1506 }
1507 else
1508 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1509 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1510 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
1511 {
1512 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1513 size_t zlen;
1514
1515 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
1516 p + 2, end - ( p + 2 ),
1517 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
1518 {
1519 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
1520 return( ret );
1521 }
1522
1523 MBEDTLS_PUT_UINT16_BE( zlen, p, 0 );
1524 p += 2 + zlen;
1525
1526 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
1527 MBEDTLS_DEBUG_ECDH_Z );
1528 }
1529 else
1530 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1531 {
1532 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1533 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1534 }
1535
1536 /* opaque psk<0..2^16-1>; */
1537 if( end - p < 2 )
1538 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1539
1540 MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 );
1541 p += 2;
1542
1543 if( end < p || (size_t)( end - p ) < psk_len )
1544 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1545
1546 memcpy( p, psk, psk_len );
1547 p += psk_len;
1548
1549 ssl->handshake->pmslen = p - ssl->handshake->premaster;
1550
1551 return( 0 );
1552 }
1553 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1554
1555 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
1556 static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
1557
1558 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_resend_hello_request(mbedtls_ssl_context * ssl)1559 int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl )
1560 {
1561 /* If renegotiation is not enforced, retransmit until we would reach max
1562 * timeout if we were using the usual handshake doubling scheme */
1563 if( ssl->conf->renego_max_records < 0 )
1564 {
1565 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
1566 unsigned char doublings = 1;
1567
1568 while( ratio != 0 )
1569 {
1570 ++doublings;
1571 ratio >>= 1;
1572 }
1573
1574 if( ++ssl->renego_records_seen > doublings )
1575 {
1576 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
1577 return( 0 );
1578 }
1579 }
1580
1581 return( ssl_write_hello_request( ssl ) );
1582 }
1583 #endif
1584 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
1585
1586 #if defined(MBEDTLS_X509_CRT_PARSE_C)
ssl_clear_peer_cert(mbedtls_ssl_session * session)1587 static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
1588 {
1589 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1590 if( session->peer_cert != NULL )
1591 {
1592 mbedtls_x509_crt_free( session->peer_cert );
1593 mbedtls_free( session->peer_cert );
1594 session->peer_cert = NULL;
1595 }
1596 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1597 if( session->peer_cert_digest != NULL )
1598 {
1599 /* Zeroization is not necessary. */
1600 mbedtls_free( session->peer_cert_digest );
1601 session->peer_cert_digest = NULL;
1602 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
1603 session->peer_cert_digest_len = 0;
1604 }
1605 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1606 }
1607 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1608
1609 /*
1610 * Handshake functions
1611 */
1612 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1613 /* No certificate support -> dummy functions */
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)1614 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
1615 {
1616 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1617 ssl->handshake->ciphersuite_info;
1618
1619 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1620
1621 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
1622 {
1623 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1624 ssl->state++;
1625 return( 0 );
1626 }
1627
1628 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1629 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1630 }
1631
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)1632 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
1633 {
1634 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1635 ssl->handshake->ciphersuite_info;
1636
1637 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
1638
1639 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
1640 {
1641 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
1642 ssl->state++;
1643 return( 0 );
1644 }
1645
1646 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1647 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1648 }
1649
1650 #else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1651 /* Some certificate support -> implement write and parse */
1652
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)1653 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
1654 {
1655 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1656 size_t i, n;
1657 const mbedtls_x509_crt *crt;
1658 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1659 ssl->handshake->ciphersuite_info;
1660
1661 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
1662
1663 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
1664 {
1665 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1666 ssl->state++;
1667 return( 0 );
1668 }
1669
1670 #if defined(MBEDTLS_SSL_CLI_C)
1671 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1672 {
1673 if( ssl->client_auth == 0 )
1674 {
1675 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
1676 ssl->state++;
1677 return( 0 );
1678 }
1679 }
1680 #endif /* MBEDTLS_SSL_CLI_C */
1681 #if defined(MBEDTLS_SSL_SRV_C)
1682 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
1683 {
1684 if( mbedtls_ssl_own_cert( ssl ) == NULL )
1685 {
1686 /* Should never happen because we shouldn't have picked the
1687 * ciphersuite if we don't have a certificate. */
1688 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1689 }
1690 }
1691 #endif
1692
1693 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
1694
1695 /*
1696 * 0 . 0 handshake type
1697 * 1 . 3 handshake length
1698 * 4 . 6 length of all certs
1699 * 7 . 9 length of cert. 1
1700 * 10 . n-1 peer certificate
1701 * n . n+2 length of cert. 2
1702 * n+3 . ... upper level cert, etc.
1703 */
1704 i = 7;
1705 crt = mbedtls_ssl_own_cert( ssl );
1706
1707 while( crt != NULL )
1708 {
1709 n = crt->raw.len;
1710 if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
1711 {
1712 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %" MBEDTLS_PRINTF_SIZET
1713 " > %" MBEDTLS_PRINTF_SIZET,
1714 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
1715 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1716 }
1717
1718 ssl->out_msg[i ] = MBEDTLS_BYTE_2( n );
1719 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1( n );
1720 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0( n );
1721
1722 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
1723 i += n; crt = crt->next;
1724 }
1725
1726 ssl->out_msg[4] = MBEDTLS_BYTE_2( i - 7 );
1727 ssl->out_msg[5] = MBEDTLS_BYTE_1( i - 7 );
1728 ssl->out_msg[6] = MBEDTLS_BYTE_0( i - 7 );
1729
1730 ssl->out_msglen = i;
1731 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
1732 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
1733
1734 ssl->state++;
1735
1736 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
1737 {
1738 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
1739 return( ret );
1740 }
1741
1742 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
1743
1744 return( ret );
1745 }
1746
1747 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
1748
1749 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)1750 static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
1751 unsigned char *crt_buf,
1752 size_t crt_buf_len )
1753 {
1754 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
1755
1756 if( peer_crt == NULL )
1757 return( -1 );
1758
1759 if( peer_crt->raw.len != crt_buf_len )
1760 return( -1 );
1761
1762 return( memcmp( peer_crt->raw.p, crt_buf, peer_crt->raw.len ) );
1763 }
1764 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)1765 static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
1766 unsigned char *crt_buf,
1767 size_t crt_buf_len )
1768 {
1769 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1770 unsigned char const * const peer_cert_digest =
1771 ssl->session->peer_cert_digest;
1772 mbedtls_md_type_t const peer_cert_digest_type =
1773 ssl->session->peer_cert_digest_type;
1774 mbedtls_md_info_t const * const digest_info =
1775 mbedtls_md_info_from_type( peer_cert_digest_type );
1776 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
1777 size_t digest_len;
1778
1779 if( peer_cert_digest == NULL || digest_info == NULL )
1780 return( -1 );
1781
1782 digest_len = mbedtls_md_get_size( digest_info );
1783 if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN )
1784 return( -1 );
1785
1786 ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest );
1787 if( ret != 0 )
1788 return( -1 );
1789
1790 return( memcmp( tmp_digest, peer_cert_digest, digest_len ) );
1791 }
1792 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1793 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
1794
1795 /*
1796 * Once the certificate message is read, parse it into a cert chain and
1797 * perform basic checks, but leave actual verification to the caller
1798 */
ssl_parse_certificate_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * chain)1799 static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
1800 mbedtls_x509_crt *chain )
1801 {
1802 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1803 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
1804 int crt_cnt=0;
1805 #endif
1806 size_t i, n;
1807 uint8_t alert;
1808
1809 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
1810 {
1811 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1812 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1813 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
1814 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1815 }
1816
1817 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE )
1818 {
1819 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1820 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
1821 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
1822 }
1823
1824 if( ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
1825 {
1826 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1827 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1828 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1829 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1830 }
1831
1832 i = mbedtls_ssl_hs_hdr_len( ssl );
1833
1834 /*
1835 * Same message structure as in mbedtls_ssl_write_certificate()
1836 */
1837 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
1838
1839 if( ssl->in_msg[i] != 0 ||
1840 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
1841 {
1842 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1843 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1844 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1845 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1846 }
1847
1848 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
1849 i += 3;
1850
1851 /* Iterate through and parse the CRTs in the provided chain. */
1852 while( i < ssl->in_hslen )
1853 {
1854 /* Check that there's room for the next CRT's length fields. */
1855 if ( i + 3 > ssl->in_hslen ) {
1856 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1857 mbedtls_ssl_send_alert_message( ssl,
1858 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1859 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1860 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1861 }
1862 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
1863 * anything beyond 2**16 ~ 64K. */
1864 if( ssl->in_msg[i] != 0 )
1865 {
1866 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1867 mbedtls_ssl_send_alert_message( ssl,
1868 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1869 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT );
1870 return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
1871 }
1872
1873 /* Read length of the next CRT in the chain. */
1874 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
1875 | (unsigned int) ssl->in_msg[i + 2];
1876 i += 3;
1877
1878 if( n < 128 || i + n > ssl->in_hslen )
1879 {
1880 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
1881 mbedtls_ssl_send_alert_message( ssl,
1882 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1883 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
1884 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
1885 }
1886
1887 /* Check if we're handling the first CRT in the chain. */
1888 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
1889 if( crt_cnt++ == 0 &&
1890 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
1891 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
1892 {
1893 /* During client-side renegotiation, check that the server's
1894 * end-CRTs hasn't changed compared to the initial handshake,
1895 * mitigating the triple handshake attack. On success, reuse
1896 * the original end-CRT instead of parsing it again. */
1897 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Check that peer CRT hasn't changed during renegotiation" ) );
1898 if( ssl_check_peer_crt_unchanged( ssl,
1899 &ssl->in_msg[i],
1900 n ) != 0 )
1901 {
1902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
1903 mbedtls_ssl_send_alert_message( ssl,
1904 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
1905 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
1906 return( MBEDTLS_ERR_SSL_BAD_CERTIFICATE );
1907 }
1908
1909 /* Now we can safely free the original chain. */
1910 ssl_clear_peer_cert( ssl->session );
1911 }
1912 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
1913
1914 /* Parse the next certificate in the chain. */
1915 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1916 ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n );
1917 #else
1918 /* If we don't need to store the CRT chain permanently, parse
1919 * it in-place from the input buffer instead of making a copy. */
1920 ret = mbedtls_x509_crt_parse_der_nocopy( chain, ssl->in_msg + i, n );
1921 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
1922 switch( ret )
1923 {
1924 case 0: /*ok*/
1925 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
1926 /* Ignore certificate with an unknown algorithm: maybe a
1927 prior certificate was already trusted. */
1928 break;
1929
1930 case MBEDTLS_ERR_X509_ALLOC_FAILED:
1931 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
1932 goto crt_parse_der_failed;
1933
1934 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
1935 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
1936 goto crt_parse_der_failed;
1937
1938 default:
1939 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
1940 crt_parse_der_failed:
1941 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
1942 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
1943 return( ret );
1944 }
1945
1946 i += n;
1947 }
1948
1949 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", chain );
1950 return( 0 );
1951 }
1952
1953 #if defined(MBEDTLS_SSL_SRV_C)
ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context * ssl)1954 static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
1955 {
1956 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
1957 return( -1 );
1958
1959 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1960 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
1961 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
1962 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
1963 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
1964 {
1965 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
1966 return( 0 );
1967 }
1968
1969 return( -1 );
1970 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1971 }
1972 #endif /* MBEDTLS_SSL_SRV_C */
1973
1974 /* Check if a certificate message is expected.
1975 * Return either
1976 * - SSL_CERTIFICATE_EXPECTED, or
1977 * - SSL_CERTIFICATE_SKIP
1978 * indicating whether a Certificate message is expected or not.
1979 */
1980 #define SSL_CERTIFICATE_EXPECTED 0
1981 #define SSL_CERTIFICATE_SKIP 1
ssl_parse_certificate_coordinate(mbedtls_ssl_context * ssl,int authmode)1982 static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
1983 int authmode )
1984 {
1985 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1986 ssl->handshake->ciphersuite_info;
1987
1988 if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
1989 return( SSL_CERTIFICATE_SKIP );
1990
1991 #if defined(MBEDTLS_SSL_SRV_C)
1992 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
1993 {
1994 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
1995 return( SSL_CERTIFICATE_SKIP );
1996
1997 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
1998 {
1999 ssl->session_negotiate->verify_result =
2000 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
2001 return( SSL_CERTIFICATE_SKIP );
2002 }
2003 }
2004 #else
2005 ((void) authmode);
2006 #endif /* MBEDTLS_SSL_SRV_C */
2007
2008 return( SSL_CERTIFICATE_EXPECTED );
2009 }
2010
ssl_parse_certificate_verify(mbedtls_ssl_context * ssl,int authmode,mbedtls_x509_crt * chain,void * rs_ctx)2011 static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
2012 int authmode,
2013 mbedtls_x509_crt *chain,
2014 void *rs_ctx )
2015 {
2016 int ret = 0;
2017 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
2018 ssl->handshake->ciphersuite_info;
2019 int have_ca_chain = 0;
2020
2021 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
2022 void *p_vrfy;
2023
2024 if( authmode == MBEDTLS_SSL_VERIFY_NONE )
2025 return( 0 );
2026
2027 if( ssl->f_vrfy != NULL )
2028 {
2029 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );
2030 f_vrfy = ssl->f_vrfy;
2031 p_vrfy = ssl->p_vrfy;
2032 }
2033 else
2034 {
2035 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );
2036 f_vrfy = ssl->conf->f_vrfy;
2037 p_vrfy = ssl->conf->p_vrfy;
2038 }
2039
2040 /*
2041 * Main check: verify certificate
2042 */
2043 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
2044 if( ssl->conf->f_ca_cb != NULL )
2045 {
2046 ((void) rs_ctx);
2047 have_ca_chain = 1;
2048
2049 MBEDTLS_SSL_DEBUG_MSG( 3, ( "use CA callback for X.509 CRT verification" ) );
2050 ret = mbedtls_x509_crt_verify_with_ca_cb(
2051 chain,
2052 ssl->conf->f_ca_cb,
2053 ssl->conf->p_ca_cb,
2054 ssl->conf->cert_profile,
2055 ssl->hostname,
2056 &ssl->session_negotiate->verify_result,
2057 f_vrfy, p_vrfy );
2058 }
2059 else
2060 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
2061 {
2062 mbedtls_x509_crt *ca_chain;
2063 mbedtls_x509_crl *ca_crl;
2064
2065 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2066 if( ssl->handshake->sni_ca_chain != NULL )
2067 {
2068 ca_chain = ssl->handshake->sni_ca_chain;
2069 ca_crl = ssl->handshake->sni_ca_crl;
2070 }
2071 else
2072 #endif
2073 {
2074 ca_chain = ssl->conf->ca_chain;
2075 ca_crl = ssl->conf->ca_crl;
2076 }
2077
2078 if( ca_chain != NULL )
2079 have_ca_chain = 1;
2080
2081 ret = mbedtls_x509_crt_verify_restartable(
2082 chain,
2083 ca_chain, ca_crl,
2084 ssl->conf->cert_profile,
2085 ssl->hostname,
2086 &ssl->session_negotiate->verify_result,
2087 f_vrfy, p_vrfy, rs_ctx );
2088 }
2089
2090 if( ret != 0 )
2091 {
2092 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
2093 }
2094
2095 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2096 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
2097 return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
2098 #endif
2099
2100 /*
2101 * Secondary checks: always done, but change 'ret' only if it was 0
2102 */
2103
2104 #if defined(MBEDTLS_ECP_C)
2105 {
2106 const mbedtls_pk_context *pk = &chain->pk;
2107
2108 /* If certificate uses an EC key, make sure the curve is OK */
2109 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
2110 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
2111 {
2112 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
2113
2114 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
2115 if( ret == 0 )
2116 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
2117 }
2118 }
2119 #endif /* MBEDTLS_ECP_C */
2120
2121 if( mbedtls_ssl_check_cert_usage( chain,
2122 ciphersuite_info,
2123 ! ssl->conf->endpoint,
2124 &ssl->session_negotiate->verify_result ) != 0 )
2125 {
2126 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
2127 if( ret == 0 )
2128 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
2129 }
2130
2131 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
2132 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
2133 * with details encoded in the verification flags. All other kinds
2134 * of error codes, including those from the user provided f_vrfy
2135 * functions, are treated as fatal and lead to a failure of
2136 * ssl_parse_certificate even if verification was optional. */
2137 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
2138 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
2139 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE ) )
2140 {
2141 ret = 0;
2142 }
2143
2144 if( have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
2145 {
2146 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
2147 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
2148 }
2149
2150 if( ret != 0 )
2151 {
2152 uint8_t alert;
2153
2154 /* The certificate may have been rejected for several reasons.
2155 Pick one and send the corresponding alert. Which alert to send
2156 may be a subject of debate in some cases. */
2157 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
2158 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
2159 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
2160 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
2161 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
2162 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2163 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
2164 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2165 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
2166 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2167 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
2168 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2169 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
2170 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
2171 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
2172 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
2173 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
2174 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
2175 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
2176 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
2177 else
2178 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
2179 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2180 alert );
2181 }
2182
2183 #if defined(MBEDTLS_DEBUG_C)
2184 if( ssl->session_negotiate->verify_result != 0 )
2185 {
2186 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
2187 (unsigned int) ssl->session_negotiate->verify_result ) );
2188 }
2189 else
2190 {
2191 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
2192 }
2193 #endif /* MBEDTLS_DEBUG_C */
2194
2195 return( ret );
2196 }
2197
2198 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
ssl_remember_peer_crt_digest(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)2199 static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
2200 unsigned char *start, size_t len )
2201 {
2202 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2203 /* Remember digest of the peer's end-CRT. */
2204 ssl->session_negotiate->peer_cert_digest =
2205 mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
2206 if( ssl->session_negotiate->peer_cert_digest == NULL )
2207 {
2208 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
2209 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) );
2210 mbedtls_ssl_send_alert_message( ssl,
2211 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2212 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
2213
2214 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2215 }
2216
2217 ret = mbedtls_md( mbedtls_md_info_from_type(
2218 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
2219 start, len,
2220 ssl->session_negotiate->peer_cert_digest );
2221
2222 ssl->session_negotiate->peer_cert_digest_type =
2223 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
2224 ssl->session_negotiate->peer_cert_digest_len =
2225 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
2226
2227 return( ret );
2228 }
2229
ssl_remember_peer_pubkey(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)2230 static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
2231 unsigned char *start, size_t len )
2232 {
2233 unsigned char *end = start + len;
2234 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2235
2236 /* Make a copy of the peer's raw public key. */
2237 mbedtls_pk_init( &ssl->handshake->peer_pubkey );
2238 ret = mbedtls_pk_parse_subpubkey( &start, end,
2239 &ssl->handshake->peer_pubkey );
2240 if( ret != 0 )
2241 {
2242 /* We should have parsed the public key before. */
2243 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2244 }
2245
2246 return( 0 );
2247 }
2248 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2249
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)2250 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
2251 {
2252 int ret = 0;
2253 int crt_expected;
2254 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2255 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
2256 ? ssl->handshake->sni_authmode
2257 : ssl->conf->authmode;
2258 #else
2259 const int authmode = ssl->conf->authmode;
2260 #endif
2261 void *rs_ctx = NULL;
2262 mbedtls_x509_crt *chain = NULL;
2263
2264 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
2265
2266 crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
2267 if( crt_expected == SSL_CERTIFICATE_SKIP )
2268 {
2269 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
2270 goto exit;
2271 }
2272
2273 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2274 if( ssl->handshake->ecrs_enabled &&
2275 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
2276 {
2277 chain = ssl->handshake->ecrs_peer_cert;
2278 ssl->handshake->ecrs_peer_cert = NULL;
2279 goto crt_verify;
2280 }
2281 #endif
2282
2283 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2284 {
2285 /* mbedtls_ssl_read_record may have sent an alert already. We
2286 let it decide whether to alert. */
2287 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2288 goto exit;
2289 }
2290
2291 #if defined(MBEDTLS_SSL_SRV_C)
2292 if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 )
2293 {
2294 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
2295
2296 if( authmode != MBEDTLS_SSL_VERIFY_OPTIONAL )
2297 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
2298
2299 goto exit;
2300 }
2301 #endif /* MBEDTLS_SSL_SRV_C */
2302
2303 /* Clear existing peer CRT structure in case we tried to
2304 * reuse a session but it failed, and allocate a new one. */
2305 ssl_clear_peer_cert( ssl->session_negotiate );
2306
2307 chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
2308 if( chain == NULL )
2309 {
2310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
2311 sizeof( mbedtls_x509_crt ) ) );
2312 mbedtls_ssl_send_alert_message( ssl,
2313 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2314 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
2315
2316 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
2317 goto exit;
2318 }
2319 mbedtls_x509_crt_init( chain );
2320
2321 ret = ssl_parse_certificate_chain( ssl, chain );
2322 if( ret != 0 )
2323 goto exit;
2324
2325 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2326 if( ssl->handshake->ecrs_enabled)
2327 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
2328
2329 crt_verify:
2330 if( ssl->handshake->ecrs_enabled)
2331 rs_ctx = &ssl->handshake->ecrs_ctx;
2332 #endif
2333
2334 ret = ssl_parse_certificate_verify( ssl, authmode,
2335 chain, rs_ctx );
2336 if( ret != 0 )
2337 goto exit;
2338
2339 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2340 {
2341 unsigned char *crt_start, *pk_start;
2342 size_t crt_len, pk_len;
2343
2344 /* We parse the CRT chain without copying, so
2345 * these pointers point into the input buffer,
2346 * and are hence still valid after freeing the
2347 * CRT chain. */
2348
2349 crt_start = chain->raw.p;
2350 crt_len = chain->raw.len;
2351
2352 pk_start = chain->pk_raw.p;
2353 pk_len = chain->pk_raw.len;
2354
2355 /* Free the CRT structures before computing
2356 * digest and copying the peer's public key. */
2357 mbedtls_x509_crt_free( chain );
2358 mbedtls_free( chain );
2359 chain = NULL;
2360
2361 ret = ssl_remember_peer_crt_digest( ssl, crt_start, crt_len );
2362 if( ret != 0 )
2363 goto exit;
2364
2365 ret = ssl_remember_peer_pubkey( ssl, pk_start, pk_len );
2366 if( ret != 0 )
2367 goto exit;
2368 }
2369 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2370 /* Pass ownership to session structure. */
2371 ssl->session_negotiate->peer_cert = chain;
2372 chain = NULL;
2373 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
2374
2375 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
2376
2377 exit:
2378
2379 if( ret == 0 )
2380 ssl->state++;
2381
2382 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2383 if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
2384 {
2385 ssl->handshake->ecrs_peer_cert = chain;
2386 chain = NULL;
2387 }
2388 #endif
2389
2390 if( chain != NULL )
2391 {
2392 mbedtls_x509_crt_free( chain );
2393 mbedtls_free( chain );
2394 }
2395
2396 return( ret );
2397 }
2398 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
2399
mbedtls_ssl_optimize_checksum(mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * ciphersuite_info)2400 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
2401 const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
2402 {
2403 ((void) ciphersuite_info);
2404
2405 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2406 #if defined(MBEDTLS_SHA384_C)
2407 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
2408 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
2409 else
2410 #endif
2411 #if defined(MBEDTLS_SHA256_C)
2412 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
2413 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
2414 else
2415 #endif
2416 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2417 {
2418 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2419 return;
2420 }
2421 }
2422
mbedtls_ssl_reset_checksum(mbedtls_ssl_context * ssl)2423 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
2424 {
2425 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2426 #if defined(MBEDTLS_SHA256_C)
2427 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2428 psa_hash_abort( &ssl->handshake->fin_sha256_psa );
2429 psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
2430 #else
2431 mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
2432 #endif
2433 #endif
2434 #if defined(MBEDTLS_SHA384_C)
2435 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2436 psa_hash_abort( &ssl->handshake->fin_sha384_psa );
2437 psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
2438 #else
2439 mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
2440 #endif
2441 #endif
2442 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2443 }
2444
ssl_update_checksum_start(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)2445 static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
2446 const unsigned char *buf, size_t len )
2447 {
2448 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2449 #if defined(MBEDTLS_SHA256_C)
2450 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2451 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
2452 #else
2453 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
2454 #endif
2455 #endif
2456 #if defined(MBEDTLS_SHA384_C)
2457 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2458 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
2459 #else
2460 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
2461 #endif
2462 #endif
2463 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2464 }
2465
2466 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2467 #if defined(MBEDTLS_SHA256_C)
ssl_update_checksum_sha256(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)2468 static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
2469 const unsigned char *buf, size_t len )
2470 {
2471 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2472 psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
2473 #else
2474 mbedtls_sha256_update( &ssl->handshake->fin_sha256, buf, len );
2475 #endif
2476 }
2477 #endif
2478
2479 #if defined(MBEDTLS_SHA384_C)
ssl_update_checksum_sha384(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)2480 static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
2481 const unsigned char *buf, size_t len )
2482 {
2483 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2484 psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
2485 #else
2486 mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
2487 #endif
2488 }
2489 #endif
2490 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2491
2492 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2493 #if defined(MBEDTLS_SHA256_C)
ssl_calc_finished_tls_sha256(mbedtls_ssl_context * ssl,unsigned char * buf,int from)2494 static void ssl_calc_finished_tls_sha256(
2495 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
2496 {
2497 int len = 12;
2498 const char *sender;
2499 unsigned char padbuf[32];
2500 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2501 size_t hash_size;
2502 psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
2503 psa_status_t status;
2504 #else
2505 mbedtls_sha256_context sha256;
2506 #endif
2507
2508 mbedtls_ssl_session *session = ssl->session_negotiate;
2509 if( !session )
2510 session = ssl->session;
2511
2512 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
2513 ? "client finished"
2514 : "server finished";
2515
2516 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2517 sha256_psa = psa_hash_operation_init();
2518
2519 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) );
2520
2521 status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
2522 if( status != PSA_SUCCESS )
2523 {
2524 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
2525 return;
2526 }
2527
2528 status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size );
2529 if( status != PSA_SUCCESS )
2530 {
2531 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
2532 return;
2533 }
2534 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 );
2535 #else
2536
2537 mbedtls_sha256_init( &sha256 );
2538
2539 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
2540
2541 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
2542
2543 /*
2544 * TLSv1.2:
2545 * hash = PRF( master, finished_label,
2546 * Hash( handshake ) )[0.11]
2547 */
2548
2549 #if !defined(MBEDTLS_SHA256_ALT)
2550 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
2551 sha256.state, sizeof( sha256.state ) );
2552 #endif
2553
2554 mbedtls_sha256_finish( &sha256, padbuf );
2555 mbedtls_sha256_free( &sha256 );
2556 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2557
2558 ssl->handshake->tls_prf( session->master, 48, sender,
2559 padbuf, 32, buf, len );
2560
2561 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2562
2563 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
2564
2565 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2566 }
2567 #endif /* MBEDTLS_SHA256_C */
2568
2569 #if defined(MBEDTLS_SHA384_C)
2570
ssl_calc_finished_tls_sha384(mbedtls_ssl_context * ssl,unsigned char * buf,int from)2571 static void ssl_calc_finished_tls_sha384(
2572 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
2573 {
2574 int len = 12;
2575 const char *sender;
2576 unsigned char padbuf[48];
2577 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2578 size_t hash_size;
2579 psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
2580 psa_status_t status;
2581 #else
2582 mbedtls_sha512_context sha512;
2583 #endif
2584
2585 mbedtls_ssl_session *session = ssl->session_negotiate;
2586 if( !session )
2587 session = ssl->session;
2588
2589 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
2590 ? "client finished"
2591 : "server finished";
2592
2593 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2594 sha384_psa = psa_hash_operation_init();
2595
2596 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) );
2597
2598 status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
2599 if( status != PSA_SUCCESS )
2600 {
2601 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
2602 return;
2603 }
2604
2605 status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size );
2606 if( status != PSA_SUCCESS )
2607 {
2608 MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
2609 return;
2610 }
2611 MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 );
2612 #else
2613 mbedtls_sha512_init( &sha512 );
2614
2615 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
2616
2617 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
2618
2619 /*
2620 * TLSv1.2:
2621 * hash = PRF( master, finished_label,
2622 * Hash( handshake ) )[0.11]
2623 */
2624
2625 #if !defined(MBEDTLS_SHA512_ALT)
2626 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
2627 sha512.state, sizeof( sha512.state ) );
2628 #endif
2629 mbedtls_sha512_finish( &sha512, padbuf );
2630
2631 mbedtls_sha512_free( &sha512 );
2632 #endif
2633
2634 ssl->handshake->tls_prf( session->master, 48, sender,
2635 padbuf, 48, buf, len );
2636
2637 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
2638
2639 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
2640
2641 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
2642 }
2643 #endif /* MBEDTLS_SHA384_C */
2644 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2645
mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context * ssl)2646 void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
2647 {
2648 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
2649
2650 /*
2651 * Free our handshake params
2652 */
2653 mbedtls_ssl_handshake_free( ssl );
2654 mbedtls_free( ssl->handshake );
2655 ssl->handshake = NULL;
2656
2657 /*
2658 * Free the previous transform and swith in the current one
2659 */
2660 if( ssl->transform )
2661 {
2662 mbedtls_ssl_transform_free( ssl->transform );
2663 mbedtls_free( ssl->transform );
2664 }
2665 ssl->transform = ssl->transform_negotiate;
2666 ssl->transform_negotiate = NULL;
2667
2668 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
2669 }
2670
mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context * ssl)2671 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
2672 {
2673 int resume = ssl->handshake->resume;
2674
2675 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
2676
2677 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2678 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
2679 {
2680 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
2681 ssl->renego_records_seen = 0;
2682 }
2683 #endif
2684
2685 /*
2686 * Free the previous session and switch in the current one
2687 */
2688 if( ssl->session )
2689 {
2690 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2691 /* RFC 7366 3.1: keep the EtM state */
2692 ssl->session_negotiate->encrypt_then_mac =
2693 ssl->session->encrypt_then_mac;
2694 #endif
2695
2696 mbedtls_ssl_session_free( ssl->session );
2697 mbedtls_free( ssl->session );
2698 }
2699 ssl->session = ssl->session_negotiate;
2700 ssl->session_negotiate = NULL;
2701
2702 /*
2703 * Add cache entry
2704 */
2705 if( ssl->conf->f_set_cache != NULL &&
2706 ssl->session->id_len != 0 &&
2707 resume == 0 )
2708 {
2709 if( ssl->conf->f_set_cache( ssl->conf->p_cache,
2710 ssl->session->id,
2711 ssl->session->id_len,
2712 ssl->session ) != 0 )
2713 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
2714 }
2715
2716 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2717 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2718 ssl->handshake->flight != NULL )
2719 {
2720 /* Cancel handshake timer */
2721 mbedtls_ssl_set_timer( ssl, 0 );
2722
2723 /* Keep last flight around in case we need to resend it:
2724 * we need the handshake and transform structures for that */
2725 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
2726 }
2727 else
2728 #endif
2729 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
2730
2731 ssl->state++;
2732
2733 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
2734 }
2735
mbedtls_ssl_write_finished(mbedtls_ssl_context * ssl)2736 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
2737 {
2738 int ret, hash_len;
2739
2740 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
2741
2742 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_negotiate );
2743
2744 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
2745
2746 /*
2747 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
2748 * may define some other value. Currently (early 2016), no defined
2749 * ciphersuite does this (and this is unlikely to change as activity has
2750 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
2751 */
2752 hash_len = 12;
2753
2754 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2755 ssl->verify_data_len = hash_len;
2756 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
2757 #endif
2758
2759 ssl->out_msglen = 4 + hash_len;
2760 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2761 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
2762
2763 /*
2764 * In case of session resuming, invert the client and server
2765 * ChangeCipherSpec messages order.
2766 */
2767 if( ssl->handshake->resume != 0 )
2768 {
2769 #if defined(MBEDTLS_SSL_CLI_C)
2770 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
2771 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
2772 #endif
2773 #if defined(MBEDTLS_SSL_SRV_C)
2774 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
2775 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
2776 #endif
2777 }
2778 else
2779 ssl->state++;
2780
2781 /*
2782 * Switch to our negotiated transform and session parameters for outbound
2783 * data.
2784 */
2785 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
2786
2787 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2788 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2789 {
2790 unsigned char i;
2791
2792 /* Remember current epoch settings for resending */
2793 ssl->handshake->alt_transform_out = ssl->transform_out;
2794 memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
2795 sizeof( ssl->handshake->alt_out_ctr ) );
2796
2797 /* Set sequence_number to zero */
2798 memset( &ssl->cur_out_ctr[2], 0, sizeof( ssl->cur_out_ctr ) - 2 );
2799
2800
2801 /* Increment epoch */
2802 for( i = 2; i > 0; i-- )
2803 if( ++ssl->cur_out_ctr[i - 1] != 0 )
2804 break;
2805
2806 /* The loop goes to its end iff the counter is wrapping */
2807 if( i == 0 )
2808 {
2809 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
2810 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2811 }
2812 }
2813 else
2814 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2815 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
2816
2817 ssl->transform_out = ssl->transform_negotiate;
2818 ssl->session_out = ssl->session_negotiate;
2819
2820 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2821 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2822 mbedtls_ssl_send_flight_completed( ssl );
2823 #endif
2824
2825 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
2826 {
2827 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
2828 return( ret );
2829 }
2830
2831 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2832 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2833 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
2834 {
2835 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
2836 return( ret );
2837 }
2838 #endif
2839
2840 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
2841
2842 return( 0 );
2843 }
2844
2845 #define SSL_MAX_HASH_LEN 12
2846
mbedtls_ssl_parse_finished(mbedtls_ssl_context * ssl)2847 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
2848 {
2849 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2850 unsigned int hash_len;
2851 unsigned char buf[SSL_MAX_HASH_LEN];
2852
2853 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
2854
2855 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
2856
2857 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
2858 {
2859 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
2860 return( ret );
2861 }
2862
2863 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
2864 {
2865 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2866 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2867 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2868 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2869 }
2870
2871 hash_len = 12;
2872
2873 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED )
2874 {
2875 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2876 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
2877 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
2878 }
2879
2880 if( ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
2881 {
2882 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2883 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2884 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
2885 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
2886 }
2887
2888 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
2889 buf, hash_len ) != 0 )
2890 {
2891 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
2892 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
2893 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
2894 return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
2895 }
2896
2897 #if defined(MBEDTLS_SSL_RENEGOTIATION)
2898 ssl->verify_data_len = hash_len;
2899 memcpy( ssl->peer_verify_data, buf, hash_len );
2900 #endif
2901
2902 if( ssl->handshake->resume != 0 )
2903 {
2904 #if defined(MBEDTLS_SSL_CLI_C)
2905 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
2906 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
2907 #endif
2908 #if defined(MBEDTLS_SSL_SRV_C)
2909 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
2910 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
2911 #endif
2912 }
2913 else
2914 ssl->state++;
2915
2916 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2917 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2918 mbedtls_ssl_recv_flight_completed( ssl );
2919 #endif
2920
2921 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
2922
2923 return( 0 );
2924 }
2925
ssl_handshake_params_init(mbedtls_ssl_handshake_params * handshake)2926 static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
2927 {
2928 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
2929
2930 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2931 #if defined(MBEDTLS_SHA256_C)
2932 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2933 handshake->fin_sha256_psa = psa_hash_operation_init();
2934 psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
2935 #else
2936 mbedtls_sha256_init( &handshake->fin_sha256 );
2937 mbedtls_sha256_starts( &handshake->fin_sha256, 0 );
2938 #endif
2939 #endif
2940 #if defined(MBEDTLS_SHA384_C)
2941 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2942 handshake->fin_sha384_psa = psa_hash_operation_init();
2943 psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
2944 #else
2945 mbedtls_sha512_init( &handshake->fin_sha512 );
2946 mbedtls_sha512_starts( &handshake->fin_sha512, 1 );
2947 #endif
2948 #endif
2949 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2950
2951 handshake->update_checksum = ssl_update_checksum_start;
2952
2953 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
2954 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
2955 mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
2956 #endif
2957
2958 #if defined(MBEDTLS_DHM_C)
2959 mbedtls_dhm_init( &handshake->dhm_ctx );
2960 #endif
2961 #if defined(MBEDTLS_ECDH_C)
2962 mbedtls_ecdh_init( &handshake->ecdh_ctx );
2963 #endif
2964 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2965 mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
2966 #if defined(MBEDTLS_SSL_CLI_C)
2967 handshake->ecjpake_cache = NULL;
2968 handshake->ecjpake_cache_len = 0;
2969 #endif
2970 #endif
2971
2972 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
2973 mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
2974 #endif
2975
2976 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2977 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
2978 #endif
2979
2980 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
2981 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
2982 mbedtls_pk_init( &handshake->peer_pubkey );
2983 #endif
2984 }
2985
mbedtls_ssl_transform_init(mbedtls_ssl_transform * transform)2986 void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform )
2987 {
2988 memset( transform, 0, sizeof(mbedtls_ssl_transform) );
2989
2990 mbedtls_cipher_init( &transform->cipher_ctx_enc );
2991 mbedtls_cipher_init( &transform->cipher_ctx_dec );
2992
2993 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2994 mbedtls_md_init( &transform->md_ctx_enc );
2995 mbedtls_md_init( &transform->md_ctx_dec );
2996 #endif
2997 }
2998
mbedtls_ssl_session_init(mbedtls_ssl_session * session)2999 void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
3000 {
3001 memset( session, 0, sizeof(mbedtls_ssl_session) );
3002 }
3003
ssl_handshake_init(mbedtls_ssl_context * ssl)3004 static int ssl_handshake_init( mbedtls_ssl_context *ssl )
3005 {
3006 /* Clear old handshake information if present */
3007 if( ssl->transform_negotiate )
3008 mbedtls_ssl_transform_free( ssl->transform_negotiate );
3009 if( ssl->session_negotiate )
3010 mbedtls_ssl_session_free( ssl->session_negotiate );
3011 if( ssl->handshake )
3012 mbedtls_ssl_handshake_free( ssl );
3013
3014 /*
3015 * Either the pointers are now NULL or cleared properly and can be freed.
3016 * Now allocate missing structures.
3017 */
3018 if( ssl->transform_negotiate == NULL )
3019 {
3020 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
3021 }
3022
3023 if( ssl->session_negotiate == NULL )
3024 {
3025 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
3026 }
3027
3028 if( ssl->handshake == NULL )
3029 {
3030 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
3031 }
3032 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3033 /* If the buffers are too small - reallocate */
3034
3035 handle_buffer_resizing( ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
3036 MBEDTLS_SSL_OUT_BUFFER_LEN );
3037 #endif
3038
3039 /* All pointers should exist and can be directly freed without issue */
3040 if( ssl->handshake == NULL ||
3041 ssl->transform_negotiate == NULL ||
3042 ssl->session_negotiate == NULL )
3043 {
3044 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
3045
3046 mbedtls_free( ssl->handshake );
3047 mbedtls_free( ssl->transform_negotiate );
3048 mbedtls_free( ssl->session_negotiate );
3049
3050 ssl->handshake = NULL;
3051 ssl->transform_negotiate = NULL;
3052 ssl->session_negotiate = NULL;
3053
3054 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3055 }
3056
3057 /* Initialize structures */
3058 mbedtls_ssl_session_init( ssl->session_negotiate );
3059 mbedtls_ssl_transform_init( ssl->transform_negotiate );
3060 ssl_handshake_params_init( ssl->handshake );
3061
3062 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3063 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3064 {
3065 ssl->handshake->alt_transform_out = ssl->transform_out;
3066
3067 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
3068 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
3069 else
3070 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
3071
3072 mbedtls_ssl_set_timer( ssl, 0 );
3073 }
3074 #endif
3075
3076 /*
3077 * curve_list is translated to IANA TLS group identifiers here because
3078 * mbedtls_ssl_conf_curves returns void and so can't return
3079 * any error codes.
3080 */
3081 #if defined(MBEDTLS_ECP_C)
3082 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
3083 /* Heap allocate and translate curve_list from internal to IANA group ids */
3084 if ( ssl->conf->curve_list != NULL )
3085 {
3086 size_t length;
3087 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
3088
3089 for( length = 0; ( curve_list[length] != MBEDTLS_ECP_DP_NONE ) &&
3090 ( length < MBEDTLS_ECP_DP_MAX ); length++ ) {}
3091
3092 /* Leave room for zero termination */
3093 uint16_t *group_list = mbedtls_calloc( length + 1, sizeof(uint16_t) );
3094 if ( group_list == NULL )
3095 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3096
3097 for( size_t i = 0; i < length; i++ )
3098 {
3099 const mbedtls_ecp_curve_info *info =
3100 mbedtls_ecp_curve_info_from_grp_id( curve_list[i] );
3101 if ( info == NULL )
3102 {
3103 mbedtls_free( group_list );
3104 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
3105 }
3106 group_list[i] = info->tls_id;
3107 }
3108
3109 group_list[length] = 0;
3110
3111 ssl->handshake->group_list = group_list;
3112 ssl->handshake->group_list_heap_allocated = 1;
3113 }
3114 else
3115 {
3116 ssl->handshake->group_list = ssl->conf->group_list;
3117 ssl->handshake->group_list_heap_allocated = 0;
3118 }
3119 #endif /* MBEDTLS_DEPRECATED_REMOVED */
3120 #endif /* MBEDTLS_ECP_C */
3121
3122 return( 0 );
3123 }
3124
3125 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
3126 /* Dummy cookie callbacks for defaults */
ssl_cookie_write_dummy(void * ctx,unsigned char ** p,unsigned char * end,const unsigned char * cli_id,size_t cli_id_len)3127 static int ssl_cookie_write_dummy( void *ctx,
3128 unsigned char **p, unsigned char *end,
3129 const unsigned char *cli_id, size_t cli_id_len )
3130 {
3131 ((void) ctx);
3132 ((void) p);
3133 ((void) end);
3134 ((void) cli_id);
3135 ((void) cli_id_len);
3136
3137 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3138 }
3139
ssl_cookie_check_dummy(void * ctx,const unsigned char * cookie,size_t cookie_len,const unsigned char * cli_id,size_t cli_id_len)3140 static int ssl_cookie_check_dummy( void *ctx,
3141 const unsigned char *cookie, size_t cookie_len,
3142 const unsigned char *cli_id, size_t cli_id_len )
3143 {
3144 ((void) ctx);
3145 ((void) cookie);
3146 ((void) cookie_len);
3147 ((void) cli_id);
3148 ((void) cli_id_len);
3149
3150 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3151 }
3152 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
3153
3154 /*
3155 * Initialize an SSL context
3156 */
mbedtls_ssl_init(mbedtls_ssl_context * ssl)3157 void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
3158 {
3159 memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
3160 }
3161
ssl_conf_version_check(const mbedtls_ssl_context * ssl)3162 static int ssl_conf_version_check( const mbedtls_ssl_context *ssl )
3163 {
3164 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
3165 if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
3166 {
3167 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3168 {
3169 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported" ) );
3170 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3171 }
3172 MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) );
3173 return( 0 );
3174 }
3175 #endif
3176
3177 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3178 if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
3179 {
3180 MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls12 only." ) );
3181 return( 0 );
3182 }
3183 #endif
3184
3185 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
3186 if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) )
3187 {
3188 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) );
3189 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3190 }
3191 #endif
3192
3193 MBEDTLS_SSL_DEBUG_MSG( 1, ( "The SSL configuration is invalid." ) );
3194 return( MBEDTLS_ERR_SSL_BAD_CONFIG );
3195 }
3196
ssl_conf_check(const mbedtls_ssl_context * ssl)3197 static int ssl_conf_check(const mbedtls_ssl_context *ssl)
3198 {
3199 int ret;
3200 ret = ssl_conf_version_check( ssl );
3201 if( ret != 0 )
3202 return( ret );
3203
3204 /* Space for further checks */
3205
3206 return( 0 );
3207 }
3208
3209 /*
3210 * Setup an SSL context
3211 */
3212
mbedtls_ssl_setup(mbedtls_ssl_context * ssl,const mbedtls_ssl_config * conf)3213 int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
3214 const mbedtls_ssl_config *conf )
3215 {
3216 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3217 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
3218 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
3219
3220 ssl->conf = conf;
3221
3222 if( ( ret = ssl_conf_check( ssl ) ) != 0 )
3223 return( ret );
3224
3225 /*
3226 * Prepare base structures
3227 */
3228
3229 /* Set to NULL in case of an error condition */
3230 ssl->out_buf = NULL;
3231
3232 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3233 ssl->in_buf_len = in_buf_len;
3234 #endif
3235 ssl->in_buf = mbedtls_calloc( 1, in_buf_len );
3236 if( ssl->in_buf == NULL )
3237 {
3238 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len ) );
3239 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
3240 goto error;
3241 }
3242
3243 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3244 ssl->out_buf_len = out_buf_len;
3245 #endif
3246 ssl->out_buf = mbedtls_calloc( 1, out_buf_len );
3247 if( ssl->out_buf == NULL )
3248 {
3249 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len ) );
3250 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
3251 goto error;
3252 }
3253
3254 mbedtls_ssl_reset_in_out_pointers( ssl );
3255
3256 #if defined(MBEDTLS_SSL_DTLS_SRTP)
3257 memset( &ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info) );
3258 #endif
3259
3260 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3261 goto error;
3262
3263 return( 0 );
3264
3265 error:
3266 mbedtls_free( ssl->in_buf );
3267 mbedtls_free( ssl->out_buf );
3268
3269 ssl->conf = NULL;
3270
3271 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3272 ssl->in_buf_len = 0;
3273 ssl->out_buf_len = 0;
3274 #endif
3275 ssl->in_buf = NULL;
3276 ssl->out_buf = NULL;
3277
3278 ssl->in_hdr = NULL;
3279 ssl->in_ctr = NULL;
3280 ssl->in_len = NULL;
3281 ssl->in_iv = NULL;
3282 ssl->in_msg = NULL;
3283
3284 ssl->out_hdr = NULL;
3285 ssl->out_ctr = NULL;
3286 ssl->out_len = NULL;
3287 ssl->out_iv = NULL;
3288 ssl->out_msg = NULL;
3289
3290 return( ret );
3291 }
3292
3293 /*
3294 * Reset an initialized and used SSL context for re-use while retaining
3295 * all application-set variables, function pointers and data.
3296 *
3297 * If partial is non-zero, keep data in the input buffer and client ID.
3298 * (Use when a DTLS client reconnects from the same port.)
3299 */
ssl_session_reset_msg_layer(mbedtls_ssl_context * ssl,int partial)3300 static void ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
3301 int partial )
3302 {
3303 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
3304 size_t in_buf_len = ssl->in_buf_len;
3305 size_t out_buf_len = ssl->out_buf_len;
3306 #else
3307 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
3308 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
3309 #endif
3310
3311 #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
3312 partial = 0;
3313 #endif
3314
3315 /* Cancel any possibly running timer */
3316 mbedtls_ssl_set_timer( ssl, 0 );
3317
3318 mbedtls_ssl_reset_in_out_pointers( ssl );
3319
3320 /* Reset incoming message parsing */
3321 ssl->in_offt = NULL;
3322 ssl->nb_zero = 0;
3323 ssl->in_msgtype = 0;
3324 ssl->in_msglen = 0;
3325 ssl->in_hslen = 0;
3326 ssl->keep_current_message = 0;
3327 ssl->transform_in = NULL;
3328
3329 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3330 ssl->next_record_offset = 0;
3331 ssl->in_epoch = 0;
3332 #endif
3333
3334 /* Keep current datagram if partial == 1 */
3335 if( partial == 0 )
3336 {
3337 ssl->in_left = 0;
3338 memset( ssl->in_buf, 0, in_buf_len );
3339 }
3340
3341 /* Reset outgoing message writing */
3342 ssl->out_msgtype = 0;
3343 ssl->out_msglen = 0;
3344 ssl->out_left = 0;
3345 memset( ssl->out_buf, 0, out_buf_len );
3346 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
3347 ssl->transform_out = NULL;
3348
3349 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3350 mbedtls_ssl_dtls_replay_reset( ssl );
3351 #endif
3352
3353 if( ssl->transform )
3354 {
3355 mbedtls_ssl_transform_free( ssl->transform );
3356 mbedtls_free( ssl->transform );
3357 ssl->transform = NULL;
3358 }
3359 }
3360
mbedtls_ssl_session_reset_int(mbedtls_ssl_context * ssl,int partial)3361 int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
3362 {
3363 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3364
3365 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
3366
3367 ssl_session_reset_msg_layer( ssl, partial );
3368
3369 /* Reset renegotiation state */
3370 #if defined(MBEDTLS_SSL_RENEGOTIATION)
3371 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
3372 ssl->renego_records_seen = 0;
3373
3374 ssl->verify_data_len = 0;
3375 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
3376 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
3377 #endif
3378 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
3379
3380 ssl->session_in = NULL;
3381 ssl->session_out = NULL;
3382 if( ssl->session )
3383 {
3384 mbedtls_ssl_session_free( ssl->session );
3385 mbedtls_free( ssl->session );
3386 ssl->session = NULL;
3387 }
3388
3389 #if defined(MBEDTLS_SSL_ALPN)
3390 ssl->alpn_chosen = NULL;
3391 #endif
3392
3393 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
3394 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
3395 if( partial == 0 )
3396 #endif
3397 {
3398 mbedtls_free( ssl->cli_id );
3399 ssl->cli_id = NULL;
3400 ssl->cli_id_len = 0;
3401 }
3402 #endif
3403
3404 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
3405 return( ret );
3406
3407 return( 0 );
3408 }
3409
3410 /*
3411 * Reset an initialized and used SSL context for re-use while retaining
3412 * all application-set variables, function pointers and data.
3413 */
mbedtls_ssl_session_reset(mbedtls_ssl_context * ssl)3414 int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
3415 {
3416 return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
3417 }
3418
3419 /*
3420 * SSL set accessors
3421 */
mbedtls_ssl_conf_endpoint(mbedtls_ssl_config * conf,int endpoint)3422 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
3423 {
3424 conf->endpoint = endpoint;
3425 }
3426
mbedtls_ssl_conf_transport(mbedtls_ssl_config * conf,int transport)3427 void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
3428 {
3429 conf->transport = transport;
3430 }
3431
3432 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config * conf,char mode)3433 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
3434 {
3435 conf->anti_replay = mode;
3436 }
3437 #endif
3438
mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config * conf,unsigned limit)3439 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
3440 {
3441 conf->badmac_limit = limit;
3442 }
3443
3444 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3445
mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context * ssl,unsigned allow_packing)3446 void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
3447 unsigned allow_packing )
3448 {
3449 ssl->disable_datagram_packing = !allow_packing;
3450 }
3451
mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config * conf,uint32_t min,uint32_t max)3452 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
3453 uint32_t min, uint32_t max )
3454 {
3455 conf->hs_timeout_min = min;
3456 conf->hs_timeout_max = max;
3457 }
3458 #endif
3459
mbedtls_ssl_conf_authmode(mbedtls_ssl_config * conf,int authmode)3460 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
3461 {
3462 conf->authmode = authmode;
3463 }
3464
3465 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_verify(mbedtls_ssl_config * conf,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)3466 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
3467 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3468 void *p_vrfy )
3469 {
3470 conf->f_vrfy = f_vrfy;
3471 conf->p_vrfy = p_vrfy;
3472 }
3473 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3474
mbedtls_ssl_conf_rng(mbedtls_ssl_config * conf,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)3475 void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
3476 int (*f_rng)(void *, unsigned char *, size_t),
3477 void *p_rng )
3478 {
3479 conf->f_rng = f_rng;
3480 conf->p_rng = p_rng;
3481 }
3482
mbedtls_ssl_conf_dbg(mbedtls_ssl_config * conf,void (* f_dbg)(void *,int,const char *,int,const char *),void * p_dbg)3483 void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
3484 void (*f_dbg)(void *, int, const char *, int, const char *),
3485 void *p_dbg )
3486 {
3487 conf->f_dbg = f_dbg;
3488 conf->p_dbg = p_dbg;
3489 }
3490
mbedtls_ssl_set_bio(mbedtls_ssl_context * ssl,void * p_bio,mbedtls_ssl_send_t * f_send,mbedtls_ssl_recv_t * f_recv,mbedtls_ssl_recv_timeout_t * f_recv_timeout)3491 void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
3492 void *p_bio,
3493 mbedtls_ssl_send_t *f_send,
3494 mbedtls_ssl_recv_t *f_recv,
3495 mbedtls_ssl_recv_timeout_t *f_recv_timeout )
3496 {
3497 ssl->p_bio = p_bio;
3498 ssl->f_send = f_send;
3499 ssl->f_recv = f_recv;
3500 ssl->f_recv_timeout = f_recv_timeout;
3501 }
3502
3503 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_set_mtu(mbedtls_ssl_context * ssl,uint16_t mtu)3504 void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
3505 {
3506 ssl->mtu = mtu;
3507 }
3508 #endif
3509
mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config * conf,uint32_t timeout)3510 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
3511 {
3512 conf->read_timeout = timeout;
3513 }
3514
mbedtls_ssl_set_timer_cb(mbedtls_ssl_context * ssl,void * p_timer,mbedtls_ssl_set_timer_t * f_set_timer,mbedtls_ssl_get_timer_t * f_get_timer)3515 void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
3516 void *p_timer,
3517 mbedtls_ssl_set_timer_t *f_set_timer,
3518 mbedtls_ssl_get_timer_t *f_get_timer )
3519 {
3520 ssl->p_timer = p_timer;
3521 ssl->f_set_timer = f_set_timer;
3522 ssl->f_get_timer = f_get_timer;
3523
3524 /* Make sure we start with no timer running */
3525 mbedtls_ssl_set_timer( ssl, 0 );
3526 }
3527
3528 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_session_cache(mbedtls_ssl_config * conf,void * p_cache,mbedtls_ssl_cache_get_t * f_get_cache,mbedtls_ssl_cache_set_t * f_set_cache)3529 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
3530 void *p_cache,
3531 mbedtls_ssl_cache_get_t *f_get_cache,
3532 mbedtls_ssl_cache_set_t *f_set_cache )
3533 {
3534 conf->p_cache = p_cache;
3535 conf->f_get_cache = f_get_cache;
3536 conf->f_set_cache = f_set_cache;
3537 }
3538 #endif /* MBEDTLS_SSL_SRV_C */
3539
3540 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_set_session(mbedtls_ssl_context * ssl,const mbedtls_ssl_session * session)3541 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
3542 {
3543 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3544
3545 if( ssl == NULL ||
3546 session == NULL ||
3547 ssl->session_negotiate == NULL ||
3548 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
3549 {
3550 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3551 }
3552
3553 if( ssl->handshake->resume == 1 )
3554 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3555
3556 if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
3557 session ) ) != 0 )
3558 return( ret );
3559
3560 ssl->handshake->resume = 1;
3561
3562 return( 0 );
3563 }
3564 #endif /* MBEDTLS_SSL_CLI_C */
3565
mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config * conf,const int * ciphersuites)3566 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
3567 const int *ciphersuites )
3568 {
3569 conf->ciphersuite_list = ciphersuites;
3570 }
3571
3572 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config * conf,const int kex_modes)3573 void mbedtls_ssl_conf_tls13_key_exchange_modes( mbedtls_ssl_config *conf,
3574 const int kex_modes )
3575 {
3576 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;
3577 }
3578 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
3579
3580 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config * conf,const mbedtls_x509_crt_profile * profile)3581 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
3582 const mbedtls_x509_crt_profile *profile )
3583 {
3584 conf->cert_profile = profile;
3585 }
3586
3587 /* Append a new keycert entry to a (possibly empty) list */
ssl_append_key_cert(mbedtls_ssl_key_cert ** head,mbedtls_x509_crt * cert,mbedtls_pk_context * key)3588 static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
3589 mbedtls_x509_crt *cert,
3590 mbedtls_pk_context *key )
3591 {
3592 mbedtls_ssl_key_cert *new_cert;
3593
3594 new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
3595 if( new_cert == NULL )
3596 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3597
3598 new_cert->cert = cert;
3599 new_cert->key = key;
3600 new_cert->next = NULL;
3601
3602 /* Update head is the list was null, else add to the end */
3603 if( *head == NULL )
3604 {
3605 *head = new_cert;
3606 }
3607 else
3608 {
3609 mbedtls_ssl_key_cert *cur = *head;
3610 while( cur->next != NULL )
3611 cur = cur->next;
3612 cur->next = new_cert;
3613 }
3614
3615 return( 0 );
3616 }
3617
mbedtls_ssl_conf_own_cert(mbedtls_ssl_config * conf,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)3618 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
3619 mbedtls_x509_crt *own_cert,
3620 mbedtls_pk_context *pk_key )
3621 {
3622 return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
3623 }
3624
mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config * conf,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)3625 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
3626 mbedtls_x509_crt *ca_chain,
3627 mbedtls_x509_crl *ca_crl )
3628 {
3629 conf->ca_chain = ca_chain;
3630 conf->ca_crl = ca_crl;
3631
3632 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3633 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
3634 * cannot be used together. */
3635 conf->f_ca_cb = NULL;
3636 conf->p_ca_cb = NULL;
3637 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
3638 }
3639
3640 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config * conf,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb)3641 void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
3642 mbedtls_x509_crt_ca_cb_t f_ca_cb,
3643 void *p_ca_cb )
3644 {
3645 conf->f_ca_cb = f_ca_cb;
3646 conf->p_ca_cb = p_ca_cb;
3647
3648 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
3649 * cannot be used together. */
3650 conf->ca_chain = NULL;
3651 conf->ca_crl = NULL;
3652 }
3653 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
3654 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3655
3656 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context * ssl,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)3657 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
3658 mbedtls_x509_crt *own_cert,
3659 mbedtls_pk_context *pk_key )
3660 {
3661 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
3662 own_cert, pk_key ) );
3663 }
3664
mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)3665 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
3666 mbedtls_x509_crt *ca_chain,
3667 mbedtls_x509_crl *ca_crl )
3668 {
3669 ssl->handshake->sni_ca_chain = ca_chain;
3670 ssl->handshake->sni_ca_crl = ca_crl;
3671 }
3672
mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context * ssl,int authmode)3673 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
3674 int authmode )
3675 {
3676 ssl->handshake->sni_authmode = authmode;
3677 }
3678 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3679
3680 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_verify(mbedtls_ssl_context * ssl,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)3681 void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
3682 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
3683 void *p_vrfy )
3684 {
3685 ssl->f_vrfy = f_vrfy;
3686 ssl->p_vrfy = p_vrfy;
3687 }
3688 #endif
3689
3690 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3691 /*
3692 * Set EC J-PAKE password for current handshake
3693 */
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)3694 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
3695 const unsigned char *pw,
3696 size_t pw_len )
3697 {
3698 mbedtls_ecjpake_role role;
3699
3700 if( ssl->handshake == NULL || ssl->conf == NULL )
3701 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3702
3703 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
3704 role = MBEDTLS_ECJPAKE_SERVER;
3705 else
3706 role = MBEDTLS_ECJPAKE_CLIENT;
3707
3708 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
3709 role,
3710 MBEDTLS_MD_SHA256,
3711 MBEDTLS_ECP_DP_SECP256R1,
3712 pw, pw_len ) );
3713 }
3714 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3715
3716 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
3717
ssl_conf_psk_is_configured(mbedtls_ssl_config const * conf)3718 static int ssl_conf_psk_is_configured( mbedtls_ssl_config const *conf )
3719 {
3720 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3721 if( !mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
3722 return( 1 );
3723 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3724
3725 if( conf->psk != NULL )
3726 return( 1 );
3727
3728 return( 0 );
3729 }
3730
ssl_conf_remove_psk(mbedtls_ssl_config * conf)3731 static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
3732 {
3733 /* Remove reference to existing PSK, if any. */
3734 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3735 if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
3736 {
3737 /* The maintenance of the PSK key slot is the
3738 * user's responsibility. */
3739 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
3740 }
3741 /* This and the following branch should never
3742 * be taken simultaenously as we maintain the
3743 * invariant that raw and opaque PSKs are never
3744 * configured simultaneously. As a safeguard,
3745 * though, `else` is omitted here. */
3746 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3747 if( conf->psk != NULL )
3748 {
3749 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
3750
3751 mbedtls_free( conf->psk );
3752 conf->psk = NULL;
3753 conf->psk_len = 0;
3754 }
3755
3756 /* Remove reference to PSK identity, if any. */
3757 if( conf->psk_identity != NULL )
3758 {
3759 mbedtls_free( conf->psk_identity );
3760 conf->psk_identity = NULL;
3761 conf->psk_identity_len = 0;
3762 }
3763 }
3764
3765 /* This function assumes that PSK identity in the SSL config is unset.
3766 * It checks that the provided identity is well-formed and attempts
3767 * to make a copy of it in the SSL config.
3768 * On failure, the PSK identity in the config remains unset. */
ssl_conf_set_psk_identity(mbedtls_ssl_config * conf,unsigned char const * psk_identity,size_t psk_identity_len)3769 static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
3770 unsigned char const *psk_identity,
3771 size_t psk_identity_len )
3772 {
3773 /* Identity len will be encoded on two bytes */
3774 if( psk_identity == NULL ||
3775 ( psk_identity_len >> 16 ) != 0 ||
3776 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
3777 {
3778 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3779 }
3780
3781 conf->psk_identity = mbedtls_calloc( 1, psk_identity_len );
3782 if( conf->psk_identity == NULL )
3783 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3784
3785 conf->psk_identity_len = psk_identity_len;
3786 memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
3787
3788 return( 0 );
3789 }
3790
mbedtls_ssl_conf_psk(mbedtls_ssl_config * conf,const unsigned char * psk,size_t psk_len,const unsigned char * psk_identity,size_t psk_identity_len)3791 int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
3792 const unsigned char *psk, size_t psk_len,
3793 const unsigned char *psk_identity, size_t psk_identity_len )
3794 {
3795 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3796
3797 /* We currently only support one PSK, raw or opaque. */
3798 if( ssl_conf_psk_is_configured( conf ) )
3799 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3800
3801 /* Check and set raw PSK */
3802 if( psk == NULL )
3803 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3804 if( psk_len == 0 )
3805 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3806 if( psk_len > MBEDTLS_PSK_MAX_LEN )
3807 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3808
3809 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
3810 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3811 conf->psk_len = psk_len;
3812 memcpy( conf->psk, psk, conf->psk_len );
3813
3814 /* Check and set PSK Identity */
3815 ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len );
3816 if( ret != 0 )
3817 ssl_conf_remove_psk( conf );
3818
3819 return( ret );
3820 }
3821
ssl_remove_psk(mbedtls_ssl_context * ssl)3822 static void ssl_remove_psk( mbedtls_ssl_context *ssl )
3823 {
3824 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3825 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
3826 {
3827 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
3828 }
3829 else
3830 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3831 if( ssl->handshake->psk != NULL )
3832 {
3833 mbedtls_platform_zeroize( ssl->handshake->psk,
3834 ssl->handshake->psk_len );
3835 mbedtls_free( ssl->handshake->psk );
3836 ssl->handshake->psk_len = 0;
3837 }
3838 }
3839
mbedtls_ssl_set_hs_psk(mbedtls_ssl_context * ssl,const unsigned char * psk,size_t psk_len)3840 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
3841 const unsigned char *psk, size_t psk_len )
3842 {
3843 if( psk == NULL || ssl->handshake == NULL )
3844 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3845
3846 if( psk_len > MBEDTLS_PSK_MAX_LEN )
3847 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3848
3849 ssl_remove_psk( ssl );
3850
3851 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
3852 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
3853
3854 ssl->handshake->psk_len = psk_len;
3855 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
3856
3857 return( 0 );
3858 }
3859
3860 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config * conf,psa_key_id_t psk,const unsigned char * psk_identity,size_t psk_identity_len)3861 int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
3862 psa_key_id_t psk,
3863 const unsigned char *psk_identity,
3864 size_t psk_identity_len )
3865 {
3866 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3867
3868 /* We currently only support one PSK, raw or opaque. */
3869 if( ssl_conf_psk_is_configured( conf ) )
3870 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3871
3872 /* Check and set opaque PSK */
3873 if( mbedtls_svc_key_id_is_null( psk ) )
3874 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3875 conf->psk_opaque = psk;
3876
3877 /* Check and set PSK Identity */
3878 ret = ssl_conf_set_psk_identity( conf, psk_identity,
3879 psk_identity_len );
3880 if( ret != 0 )
3881 ssl_conf_remove_psk( conf );
3882
3883 return( ret );
3884 }
3885
mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context * ssl,psa_key_id_t psk)3886 int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
3887 psa_key_id_t psk )
3888 {
3889 if( ( mbedtls_svc_key_id_is_null( psk ) ) ||
3890 ( ssl->handshake == NULL ) )
3891 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3892
3893 ssl_remove_psk( ssl );
3894 ssl->handshake->psk_opaque = psk;
3895 return( 0 );
3896 }
3897 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3898
mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config * conf,int (* f_psk)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_psk)3899 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
3900 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
3901 size_t),
3902 void *p_psk )
3903 {
3904 conf->f_psk = f_psk;
3905 conf->p_psk = p_psk;
3906 }
3907 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
3908
3909 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config * conf,const unsigned char * dhm_P,size_t P_len,const unsigned char * dhm_G,size_t G_len)3910 int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
3911 const unsigned char *dhm_P, size_t P_len,
3912 const unsigned char *dhm_G, size_t G_len )
3913 {
3914 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3915
3916 if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
3917 ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
3918 {
3919 mbedtls_mpi_free( &conf->dhm_P );
3920 mbedtls_mpi_free( &conf->dhm_G );
3921 return( ret );
3922 }
3923
3924 return( 0 );
3925 }
3926
mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config * conf,mbedtls_dhm_context * dhm_ctx)3927 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
3928 {
3929 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3930
3931 if( ( ret = mbedtls_dhm_get_value( dhm_ctx, MBEDTLS_DHM_PARAM_P,
3932 &conf->dhm_P ) ) != 0 ||
3933 ( ret = mbedtls_dhm_get_value( dhm_ctx, MBEDTLS_DHM_PARAM_G,
3934 &conf->dhm_G ) ) != 0 )
3935 {
3936 mbedtls_mpi_free( &conf->dhm_P );
3937 mbedtls_mpi_free( &conf->dhm_G );
3938 return( ret );
3939 }
3940
3941 return( 0 );
3942 }
3943 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
3944
3945 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
3946 /*
3947 * Set the minimum length for Diffie-Hellman parameters
3948 */
mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config * conf,unsigned int bitlen)3949 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
3950 unsigned int bitlen )
3951 {
3952 conf->dhm_min_bitlen = bitlen;
3953 }
3954 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
3955
3956 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
3957 /*
3958 * Set allowed/preferred hashes for handshake signatures
3959 */
mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config * conf,const int * hashes)3960 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
3961 const int *hashes )
3962 {
3963 conf->sig_hashes = hashes;
3964 }
3965
3966 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
3967 /* Configure allowed signature algorithms for use in TLS 1.3 */
mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config * conf,const uint16_t * sig_algs)3968 void mbedtls_ssl_conf_sig_algs( mbedtls_ssl_config *conf,
3969 const uint16_t* sig_algs )
3970 {
3971 conf->tls13_sig_algs = sig_algs;
3972 }
3973 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
3974 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
3975
3976 #if defined(MBEDTLS_ECP_C)
3977 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
3978 /*
3979 * Set the allowed elliptic curves
3980 *
3981 * mbedtls_ssl_setup() takes the provided list
3982 * and translates it to a list of IANA TLS group identifiers,
3983 * stored in ssl->handshake->group_list.
3984 *
3985 */
mbedtls_ssl_conf_curves(mbedtls_ssl_config * conf,const mbedtls_ecp_group_id * curve_list)3986 void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
3987 const mbedtls_ecp_group_id *curve_list )
3988 {
3989 conf->curve_list = curve_list;
3990 conf->group_list = NULL;
3991 }
3992 #endif /* MBEDTLS_DEPRECATED_REMOVED */
3993 #endif /* MBEDTLS_ECP_C */
3994
3995 /*
3996 * Set the allowed groups
3997 */
mbedtls_ssl_conf_groups(mbedtls_ssl_config * conf,const uint16_t * group_list)3998 void mbedtls_ssl_conf_groups( mbedtls_ssl_config *conf,
3999 const uint16_t *group_list )
4000 {
4001 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
4002 conf->curve_list = NULL;
4003 #endif
4004 conf->group_list = group_list;
4005 }
4006
4007 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_hostname(mbedtls_ssl_context * ssl,const char * hostname)4008 int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
4009 {
4010 /* Initialize to suppress unnecessary compiler warning */
4011 size_t hostname_len = 0;
4012
4013 /* Check if new hostname is valid before
4014 * making any change to current one */
4015 if( hostname != NULL )
4016 {
4017 hostname_len = strlen( hostname );
4018
4019 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
4020 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4021 }
4022
4023 /* Now it's clear that we will overwrite the old hostname,
4024 * so we can free it safely */
4025
4026 if( ssl->hostname != NULL )
4027 {
4028 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
4029 mbedtls_free( ssl->hostname );
4030 }
4031
4032 /* Passing NULL as hostname shall clear the old one */
4033
4034 if( hostname == NULL )
4035 {
4036 ssl->hostname = NULL;
4037 }
4038 else
4039 {
4040 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
4041 if( ssl->hostname == NULL )
4042 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
4043
4044 memcpy( ssl->hostname, hostname, hostname_len );
4045
4046 ssl->hostname[hostname_len] = '\0';
4047 }
4048
4049 return( 0 );
4050 }
4051 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4052
4053 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_conf_sni(mbedtls_ssl_config * conf,int (* f_sni)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_sni)4054 void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
4055 int (*f_sni)(void *, mbedtls_ssl_context *,
4056 const unsigned char *, size_t),
4057 void *p_sni )
4058 {
4059 conf->f_sni = f_sni;
4060 conf->p_sni = p_sni;
4061 }
4062 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4063
4064 #if defined(MBEDTLS_SSL_ALPN)
mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config * conf,const char ** protos)4065 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
4066 {
4067 size_t cur_len, tot_len;
4068 const char **p;
4069
4070 /*
4071 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
4072 * MUST NOT be truncated."
4073 * We check lengths now rather than later.
4074 */
4075 tot_len = 0;
4076 for( p = protos; *p != NULL; p++ )
4077 {
4078 cur_len = strlen( *p );
4079 tot_len += cur_len;
4080
4081 if( ( cur_len == 0 ) ||
4082 ( cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN ) ||
4083 ( tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN ) )
4084 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4085 }
4086
4087 conf->alpn_list = protos;
4088
4089 return( 0 );
4090 }
4091
mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context * ssl)4092 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
4093 {
4094 return( ssl->alpn_chosen );
4095 }
4096 #endif /* MBEDTLS_SSL_ALPN */
4097
4098 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config * conf,int support_mki_value)4099 void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf,
4100 int support_mki_value )
4101 {
4102 conf->dtls_srtp_mki_support = support_mki_value;
4103 }
4104
mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context * ssl,unsigned char * mki_value,uint16_t mki_len)4105 int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
4106 unsigned char *mki_value,
4107 uint16_t mki_len )
4108 {
4109 if( mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH )
4110 {
4111 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4112 }
4113
4114 if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED )
4115 {
4116 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4117 }
4118
4119 memcpy( ssl->dtls_srtp_info.mki_value, mki_value, mki_len );
4120 ssl->dtls_srtp_info.mki_len = mki_len;
4121 return( 0 );
4122 }
4123
mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config * conf,const mbedtls_ssl_srtp_profile * profiles)4124 int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
4125 const mbedtls_ssl_srtp_profile *profiles )
4126 {
4127 const mbedtls_ssl_srtp_profile *p;
4128 size_t list_size = 0;
4129
4130 /* check the profiles list: all entry must be valid,
4131 * its size cannot be more than the total number of supported profiles, currently 4 */
4132 for( p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
4133 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
4134 p++ )
4135 {
4136 if( mbedtls_ssl_check_srtp_profile_value( *p ) != MBEDTLS_TLS_SRTP_UNSET )
4137 {
4138 list_size++;
4139 }
4140 else
4141 {
4142 /* unsupported value, stop parsing and set the size to an error value */
4143 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
4144 }
4145 }
4146
4147 if( list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH )
4148 {
4149 conf->dtls_srtp_profile_list = NULL;
4150 conf->dtls_srtp_profile_list_len = 0;
4151 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4152 }
4153
4154 conf->dtls_srtp_profile_list = profiles;
4155 conf->dtls_srtp_profile_list_len = list_size;
4156
4157 return( 0 );
4158 }
4159
mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context * ssl,mbedtls_dtls_srtp_info * dtls_srtp_info)4160 void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl,
4161 mbedtls_dtls_srtp_info *dtls_srtp_info )
4162 {
4163 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
4164 /* do not copy the mki value if there is no chosen profile */
4165 if( dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET )
4166 {
4167 dtls_srtp_info->mki_len = 0;
4168 }
4169 else
4170 {
4171 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
4172 memcpy( dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
4173 ssl->dtls_srtp_info.mki_len );
4174 }
4175 }
4176 #endif /* MBEDTLS_SSL_DTLS_SRTP */
4177
mbedtls_ssl_conf_max_version(mbedtls_ssl_config * conf,int major,int minor)4178 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
4179 {
4180 conf->max_major_ver = major;
4181 conf->max_minor_ver = minor;
4182 }
4183
mbedtls_ssl_conf_min_version(mbedtls_ssl_config * conf,int major,int minor)4184 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
4185 {
4186 conf->min_major_ver = major;
4187 conf->min_minor_ver = minor;
4188 }
4189
4190 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config * conf,char cert_req_ca_list)4191 void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
4192 char cert_req_ca_list )
4193 {
4194 conf->cert_req_ca_list = cert_req_ca_list;
4195 }
4196 #endif
4197
4198 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config * conf,char etm)4199 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
4200 {
4201 conf->encrypt_then_mac = etm;
4202 }
4203 #endif
4204
4205 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config * conf,char ems)4206 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
4207 {
4208 conf->extended_ms = ems;
4209 }
4210 #endif
4211
4212 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config * conf,unsigned char mfl_code)4213 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
4214 {
4215 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
4216 ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
4217 {
4218 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4219 }
4220
4221 conf->mfl_code = mfl_code;
4222
4223 return( 0 );
4224 }
4225 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4226
mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config * conf,int allow_legacy)4227 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
4228 {
4229 conf->allow_legacy_renegotiation = allow_legacy;
4230 }
4231
4232 #if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config * conf,int renegotiation)4233 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
4234 {
4235 conf->disable_renegotiation = renegotiation;
4236 }
4237
mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config * conf,int max_records)4238 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
4239 {
4240 conf->renego_max_records = max_records;
4241 }
4242
mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config * conf,const unsigned char period[8])4243 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
4244 const unsigned char period[8] )
4245 {
4246 memcpy( conf->renego_period, period, 8 );
4247 }
4248 #endif /* MBEDTLS_SSL_RENEGOTIATION */
4249
4250 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4251 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config * conf,int use_tickets)4252 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
4253 {
4254 conf->session_tickets = use_tickets;
4255 }
4256 #endif
4257
4258 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config * conf,mbedtls_ssl_ticket_write_t * f_ticket_write,mbedtls_ssl_ticket_parse_t * f_ticket_parse,void * p_ticket)4259 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
4260 mbedtls_ssl_ticket_write_t *f_ticket_write,
4261 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
4262 void *p_ticket )
4263 {
4264 conf->f_ticket_write = f_ticket_write;
4265 conf->f_ticket_parse = f_ticket_parse;
4266 conf->p_ticket = p_ticket;
4267 }
4268 #endif
4269 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4270
mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context * ssl,mbedtls_ssl_export_keys_t * f_export_keys,void * p_export_keys)4271 void mbedtls_ssl_set_export_keys_cb( mbedtls_ssl_context *ssl,
4272 mbedtls_ssl_export_keys_t *f_export_keys,
4273 void *p_export_keys )
4274 {
4275 ssl->f_export_keys = f_export_keys;
4276 ssl->p_export_keys = p_export_keys;
4277 }
4278
4279 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
mbedtls_ssl_conf_async_private_cb(mbedtls_ssl_config * conf,mbedtls_ssl_async_sign_t * f_async_sign,mbedtls_ssl_async_decrypt_t * f_async_decrypt,mbedtls_ssl_async_resume_t * f_async_resume,mbedtls_ssl_async_cancel_t * f_async_cancel,void * async_config_data)4280 void mbedtls_ssl_conf_async_private_cb(
4281 mbedtls_ssl_config *conf,
4282 mbedtls_ssl_async_sign_t *f_async_sign,
4283 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
4284 mbedtls_ssl_async_resume_t *f_async_resume,
4285 mbedtls_ssl_async_cancel_t *f_async_cancel,
4286 void *async_config_data )
4287 {
4288 conf->f_async_sign_start = f_async_sign;
4289 conf->f_async_decrypt_start = f_async_decrypt;
4290 conf->f_async_resume = f_async_resume;
4291 conf->f_async_cancel = f_async_cancel;
4292 conf->p_async_config_data = async_config_data;
4293 }
4294
mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config * conf)4295 void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
4296 {
4297 return( conf->p_async_config_data );
4298 }
4299
mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context * ssl)4300 void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
4301 {
4302 if( ssl->handshake == NULL )
4303 return( NULL );
4304 else
4305 return( ssl->handshake->user_async_ctx );
4306 }
4307
mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context * ssl,void * ctx)4308 void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
4309 void *ctx )
4310 {
4311 if( ssl->handshake != NULL )
4312 ssl->handshake->user_async_ctx = ctx;
4313 }
4314 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4315
4316 /*
4317 * SSL get accessors
4318 */
mbedtls_ssl_get_verify_result(const mbedtls_ssl_context * ssl)4319 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
4320 {
4321 if( ssl->session != NULL )
4322 return( ssl->session->verify_result );
4323
4324 if( ssl->session_negotiate != NULL )
4325 return( ssl->session_negotiate->verify_result );
4326
4327 return( 0xFFFFFFFF );
4328 }
4329
mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context * ssl)4330 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
4331 {
4332 if( ssl == NULL || ssl->session == NULL )
4333 return( NULL );
4334
4335 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
4336 }
4337
mbedtls_ssl_get_version(const mbedtls_ssl_context * ssl)4338 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
4339 {
4340 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4341 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4342 {
4343 switch( ssl->minor_ver )
4344 {
4345 case MBEDTLS_SSL_MINOR_VERSION_3:
4346 return( "DTLSv1.2" );
4347
4348 default:
4349 return( "unknown (DTLS)" );
4350 }
4351 }
4352 #endif
4353
4354 switch( ssl->minor_ver )
4355 {
4356 case MBEDTLS_SSL_MINOR_VERSION_3:
4357 return( "TLSv1.2" );
4358
4359 default:
4360 return( "unknown" );
4361 }
4362 }
4363
4364 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context * ssl)4365 size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl )
4366 {
4367 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
4368 size_t read_mfl;
4369
4370 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
4371 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
4372 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE )
4373 {
4374 return ssl_mfl_code_to_length( ssl->conf->mfl_code );
4375 }
4376
4377 /* Check if a smaller max length was negotiated */
4378 if( ssl->session_out != NULL )
4379 {
4380 read_mfl = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
4381 if( read_mfl < max_len )
4382 {
4383 max_len = read_mfl;
4384 }
4385 }
4386
4387 // During a handshake, use the value being negotiated
4388 if( ssl->session_negotiate != NULL )
4389 {
4390 read_mfl = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
4391 if( read_mfl < max_len )
4392 {
4393 max_len = read_mfl;
4394 }
4395 }
4396
4397 return( max_len );
4398 }
4399
mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context * ssl)4400 size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl )
4401 {
4402 size_t max_len;
4403
4404 /*
4405 * Assume mfl_code is correct since it was checked when set
4406 */
4407 max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
4408
4409 /* Check if a smaller max length was negotiated */
4410 if( ssl->session_out != NULL &&
4411 ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
4412 {
4413 max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
4414 }
4415
4416 /* During a handshake, use the value being negotiated */
4417 if( ssl->session_negotiate != NULL &&
4418 ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
4419 {
4420 max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
4421 }
4422
4423 return( max_len );
4424 }
4425 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4426
4427 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context * ssl)4428 size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
4429 {
4430 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
4431 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
4432 ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
4433 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
4434 return ( 0 );
4435
4436 if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
4437 return( ssl->mtu );
4438
4439 if( ssl->mtu == 0 )
4440 return( ssl->handshake->mtu );
4441
4442 return( ssl->mtu < ssl->handshake->mtu ?
4443 ssl->mtu : ssl->handshake->mtu );
4444 }
4445 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4446
mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context * ssl)4447 int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
4448 {
4449 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
4450
4451 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
4452 !defined(MBEDTLS_SSL_PROTO_DTLS)
4453 (void) ssl;
4454 #endif
4455
4456 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4457 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
4458
4459 if( max_len > mfl )
4460 max_len = mfl;
4461 #endif
4462
4463 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4464 if( mbedtls_ssl_get_current_mtu( ssl ) != 0 )
4465 {
4466 const size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
4467 const int ret = mbedtls_ssl_get_record_expansion( ssl );
4468 const size_t overhead = (size_t) ret;
4469
4470 if( ret < 0 )
4471 return( ret );
4472
4473 if( mtu <= overhead )
4474 {
4475 MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
4476 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4477 }
4478
4479 if( max_len > mtu - overhead )
4480 max_len = mtu - overhead;
4481 }
4482 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4483
4484 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
4485 !defined(MBEDTLS_SSL_PROTO_DTLS)
4486 ((void) ssl);
4487 #endif
4488
4489 return( (int) max_len );
4490 }
4491
mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context * ssl)4492 int mbedtls_ssl_get_max_in_record_payload( const mbedtls_ssl_context *ssl )
4493 {
4494 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
4495
4496 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4497 (void) ssl;
4498 #endif
4499
4500 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4501 const size_t mfl = mbedtls_ssl_get_input_max_frag_len( ssl );
4502
4503 if( max_len > mfl )
4504 max_len = mfl;
4505 #endif
4506
4507 return( (int) max_len );
4508 }
4509
4510 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context * ssl)4511 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
4512 {
4513 if( ssl == NULL || ssl->session == NULL )
4514 return( NULL );
4515
4516 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4517 return( ssl->session->peer_cert );
4518 #else
4519 return( NULL );
4520 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4521 }
4522 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4523
4524 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_get_session(const mbedtls_ssl_context * ssl,mbedtls_ssl_session * dst)4525 int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
4526 mbedtls_ssl_session *dst )
4527 {
4528 int ret;
4529
4530 if( ssl == NULL ||
4531 dst == NULL ||
4532 ssl->session == NULL ||
4533 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
4534 {
4535 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4536 }
4537
4538 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
4539 * idempotent: Each session can only be exported once.
4540 *
4541 * (This is in preparation for TLS 1.3 support where we will
4542 * need the ability to export multiple sessions (aka tickets),
4543 * which will be achieved by calling mbedtls_ssl_get_session()
4544 * multiple times until it fails.)
4545 *
4546 * Check whether we have already exported the current session,
4547 * and fail if so.
4548 */
4549 if( ssl->session->exported == 1 )
4550 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4551
4552 ret = mbedtls_ssl_session_copy( dst, ssl->session );
4553 if( ret != 0 )
4554 return( ret );
4555
4556 /* Remember that we've exported the session. */
4557 ssl->session->exported = 1;
4558 return( 0 );
4559 }
4560 #endif /* MBEDTLS_SSL_CLI_C */
4561
4562 /*
4563 * Define ticket header determining Mbed TLS version
4564 * and structure of the ticket.
4565 */
4566
4567 /*
4568 * Define bitflag determining compile-time settings influencing
4569 * structure of serialized SSL sessions.
4570 */
4571
4572 #if defined(MBEDTLS_HAVE_TIME)
4573 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
4574 #else
4575 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
4576 #endif /* MBEDTLS_HAVE_TIME */
4577
4578 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4579 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
4580 #else
4581 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
4582 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4583
4584 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
4585 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
4586 #else
4587 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
4588 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
4589
4590 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4591 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
4592 #else
4593 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
4594 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4595
4596 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4597 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
4598 #else
4599 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
4600 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
4601
4602 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4603 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
4604 #else
4605 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
4606 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4607
4608 #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
4609 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
4610 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
4611 #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
4612 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
4613 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
4614
4615 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
4616 ( (uint16_t) ( \
4617 ( SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT ) | \
4618 ( SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT ) | \
4619 ( SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT ) | \
4620 ( SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT ) | \
4621 ( SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT ) | \
4622 ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT ) ) )
4623
4624 static unsigned char ssl_serialized_session_header[] = {
4625 MBEDTLS_VERSION_MAJOR,
4626 MBEDTLS_VERSION_MINOR,
4627 MBEDTLS_VERSION_PATCH,
4628 MBEDTLS_BYTE_1( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
4629 MBEDTLS_BYTE_0( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
4630 };
4631
4632 /*
4633 * Serialize a session in the following format:
4634 * (in the presentation language of TLS, RFC 8446 section 3)
4635 *
4636 * struct {
4637 *
4638 * opaque mbedtls_version[3]; // library version: major, minor, patch
4639 * opaque session_format[2]; // library-version specific 16-bit field
4640 * // determining the format of the remaining
4641 * // serialized data.
4642 *
4643 * Note: When updating the format, remember to keep
4644 * these version+format bytes.
4645 *
4646 * // In this version, `session_format` determines
4647 * // the setting of those compile-time
4648 * // configuration options which influence
4649 * // the structure of mbedtls_ssl_session.
4650 *
4651 * uint8_t minor_ver; // Protocol-version. Possible values:
4652 * // - TLS 1.2 (MBEDTLS_SSL_MINOR_VERSION_3)
4653 *
4654 * select (serialized_session.minor_ver) {
4655 *
4656 * case MBEDTLS_SSL_MINOR_VERSION_3: // TLS 1.2
4657 * serialized_session_tls12 data;
4658 *
4659 * };
4660 *
4661 * } serialized_session;
4662 *
4663 */
4664
4665 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4666 /* Serialization of TLS 1.2 sessions:
4667 *
4668 * struct {
4669 * uint64 start_time;
4670 * uint8 ciphersuite[2]; // defined by the standard
4671 * uint8 compression; // 0 or 1
4672 * uint8 session_id_len; // at most 32
4673 * opaque session_id[32];
4674 * opaque master[48]; // fixed length in the standard
4675 * uint32 verify_result;
4676 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
4677 * opaque ticket<0..2^24-1>; // length 0 means no ticket
4678 * uint32 ticket_lifetime;
4679 * uint8 mfl_code; // up to 255 according to standard
4680 * uint8 encrypt_then_mac; // 0 or 1
4681 * } serialized_session_tls12;
4682 *
4683 */
ssl_session_save_tls12(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len)4684 static size_t ssl_session_save_tls12( const mbedtls_ssl_session *session,
4685 unsigned char *buf,
4686 size_t buf_len )
4687 {
4688 unsigned char *p = buf;
4689 size_t used = 0;
4690
4691 #if defined(MBEDTLS_HAVE_TIME)
4692 uint64_t start;
4693 #endif
4694 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4695 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4696 size_t cert_len;
4697 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4698 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4699
4700 /*
4701 * Time
4702 */
4703 #if defined(MBEDTLS_HAVE_TIME)
4704 used += 8;
4705
4706 if( used <= buf_len )
4707 {
4708 start = (uint64_t) session->start;
4709
4710 MBEDTLS_PUT_UINT64_BE( start, p, 0 );
4711 p += 8;
4712 }
4713 #endif /* MBEDTLS_HAVE_TIME */
4714
4715 /*
4716 * Basic mandatory fields
4717 */
4718 used += 2 /* ciphersuite */
4719 + 1 /* compression */
4720 + 1 /* id_len */
4721 + sizeof( session->id )
4722 + sizeof( session->master )
4723 + 4; /* verify_result */
4724
4725 if( used <= buf_len )
4726 {
4727 MBEDTLS_PUT_UINT16_BE( session->ciphersuite, p, 0 );
4728 p += 2;
4729
4730 *p++ = MBEDTLS_BYTE_0( session->compression );
4731
4732 *p++ = MBEDTLS_BYTE_0( session->id_len );
4733 memcpy( p, session->id, 32 );
4734 p += 32;
4735
4736 memcpy( p, session->master, 48 );
4737 p += 48;
4738
4739 MBEDTLS_PUT_UINT32_BE( session->verify_result, p, 0 );
4740 p += 4;
4741 }
4742
4743 /*
4744 * Peer's end-entity certificate
4745 */
4746 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4747 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4748 if( session->peer_cert == NULL )
4749 cert_len = 0;
4750 else
4751 cert_len = session->peer_cert->raw.len;
4752
4753 used += 3 + cert_len;
4754
4755 if( used <= buf_len )
4756 {
4757 *p++ = MBEDTLS_BYTE_2( cert_len );
4758 *p++ = MBEDTLS_BYTE_1( cert_len );
4759 *p++ = MBEDTLS_BYTE_0( cert_len );
4760
4761 if( session->peer_cert != NULL )
4762 {
4763 memcpy( p, session->peer_cert->raw.p, cert_len );
4764 p += cert_len;
4765 }
4766 }
4767 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4768 if( session->peer_cert_digest != NULL )
4769 {
4770 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
4771 if( used <= buf_len )
4772 {
4773 *p++ = (unsigned char) session->peer_cert_digest_type;
4774 *p++ = (unsigned char) session->peer_cert_digest_len;
4775 memcpy( p, session->peer_cert_digest,
4776 session->peer_cert_digest_len );
4777 p += session->peer_cert_digest_len;
4778 }
4779 }
4780 else
4781 {
4782 used += 2;
4783 if( used <= buf_len )
4784 {
4785 *p++ = (unsigned char) MBEDTLS_MD_NONE;
4786 *p++ = 0;
4787 }
4788 }
4789 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4790 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4791
4792 /*
4793 * Session ticket if any, plus associated data
4794 */
4795 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4796 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
4797
4798 if( used <= buf_len )
4799 {
4800 *p++ = MBEDTLS_BYTE_2( session->ticket_len );
4801 *p++ = MBEDTLS_BYTE_1( session->ticket_len );
4802 *p++ = MBEDTLS_BYTE_0( session->ticket_len );
4803
4804 if( session->ticket != NULL )
4805 {
4806 memcpy( p, session->ticket, session->ticket_len );
4807 p += session->ticket_len;
4808 }
4809
4810 MBEDTLS_PUT_UINT32_BE( session->ticket_lifetime, p, 0 );
4811 p += 4;
4812 }
4813 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
4814
4815 /*
4816 * Misc extension-related info
4817 */
4818 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4819 used += 1;
4820
4821 if( used <= buf_len )
4822 *p++ = session->mfl_code;
4823 #endif
4824
4825 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4826 used += 1;
4827
4828 if( used <= buf_len )
4829 *p++ = MBEDTLS_BYTE_0( session->encrypt_then_mac );
4830 #endif
4831
4832 return( used );
4833 }
4834 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4835
ssl_session_save(const mbedtls_ssl_session * session,unsigned char omit_header,unsigned char * buf,size_t buf_len,size_t * olen)4836 static int ssl_session_save( const mbedtls_ssl_session *session,
4837 unsigned char omit_header,
4838 unsigned char *buf,
4839 size_t buf_len,
4840 size_t *olen )
4841 {
4842 unsigned char *p = buf;
4843 size_t used = 0;
4844
4845 if( !omit_header )
4846 {
4847 /*
4848 * Add Mbed TLS version identifier
4849 */
4850
4851 used += sizeof( ssl_serialized_session_header );
4852
4853 if( used <= buf_len )
4854 {
4855 memcpy( p, ssl_serialized_session_header,
4856 sizeof( ssl_serialized_session_header ) );
4857 p += sizeof( ssl_serialized_session_header );
4858 }
4859 }
4860
4861 /*
4862 * TLS version identifier
4863 */
4864 used += 1;
4865 if( used <= buf_len )
4866 {
4867 *p++ = session->minor_ver;
4868 }
4869
4870 /* Forward to version-specific serialization routine. */
4871 switch( session->minor_ver )
4872 {
4873 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4874 case MBEDTLS_SSL_MINOR_VERSION_3:
4875 {
4876 size_t remaining_len = used <= buf_len ? buf_len - used : 0;
4877 used += ssl_session_save_tls12( session, p, remaining_len );
4878 break;
4879 }
4880 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4881
4882 default:
4883 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
4884 }
4885
4886 *olen = used;
4887 if( used > buf_len )
4888 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
4889
4890 return( 0 );
4891 }
4892
4893 /*
4894 * Public wrapper for ssl_session_save()
4895 */
mbedtls_ssl_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)4896 int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
4897 unsigned char *buf,
4898 size_t buf_len,
4899 size_t *olen )
4900 {
4901 return( ssl_session_save( session, 0, buf, buf_len, olen ) );
4902 }
4903
4904 /*
4905 * Deserialize session, see mbedtls_ssl_session_save() for format.
4906 *
4907 * This internal version is wrapped by a public function that cleans up in
4908 * case of error, and has an extra option omit_header.
4909 */
ssl_session_load_tls12(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)4910 static int ssl_session_load_tls12( mbedtls_ssl_session *session,
4911 const unsigned char *buf,
4912 size_t len )
4913 {
4914 #if defined(MBEDTLS_HAVE_TIME)
4915 uint64_t start;
4916 #endif
4917 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4918 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4919 size_t cert_len;
4920 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4921 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4922
4923 const unsigned char *p = buf;
4924 const unsigned char * const end = buf + len;
4925
4926 /*
4927 * Time
4928 */
4929 #if defined(MBEDTLS_HAVE_TIME)
4930 if( 8 > (size_t)( end - p ) )
4931 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4932
4933 start = ( (uint64_t) p[0] << 56 ) |
4934 ( (uint64_t) p[1] << 48 ) |
4935 ( (uint64_t) p[2] << 40 ) |
4936 ( (uint64_t) p[3] << 32 ) |
4937 ( (uint64_t) p[4] << 24 ) |
4938 ( (uint64_t) p[5] << 16 ) |
4939 ( (uint64_t) p[6] << 8 ) |
4940 ( (uint64_t) p[7] );
4941 p += 8;
4942
4943 session->start = (time_t) start;
4944 #endif /* MBEDTLS_HAVE_TIME */
4945
4946 /*
4947 * Basic mandatory fields
4948 */
4949 if( 2 + 1 + 1 + 32 + 48 + 4 > (size_t)( end - p ) )
4950 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4951
4952 session->ciphersuite = ( p[0] << 8 ) | p[1];
4953 p += 2;
4954
4955 session->compression = *p++;
4956
4957 session->id_len = *p++;
4958 memcpy( session->id, p, 32 );
4959 p += 32;
4960
4961 memcpy( session->master, p, 48 );
4962 p += 48;
4963
4964 session->verify_result = ( (uint32_t) p[0] << 24 ) |
4965 ( (uint32_t) p[1] << 16 ) |
4966 ( (uint32_t) p[2] << 8 ) |
4967 ( (uint32_t) p[3] );
4968 p += 4;
4969
4970 /* Immediately clear invalid pointer values that have been read, in case
4971 * we exit early before we replaced them with valid ones. */
4972 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4973 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4974 session->peer_cert = NULL;
4975 #else
4976 session->peer_cert_digest = NULL;
4977 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4978 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4979 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4980 session->ticket = NULL;
4981 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
4982
4983 /*
4984 * Peer certificate
4985 */
4986 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4987 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4988 /* Deserialize CRT from the end of the ticket. */
4989 if( 3 > (size_t)( end - p ) )
4990 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4991
4992 cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
4993 p += 3;
4994
4995 if( cert_len != 0 )
4996 {
4997 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4998
4999 if( cert_len > (size_t)( end - p ) )
5000 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5001
5002 session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
5003
5004 if( session->peer_cert == NULL )
5005 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5006
5007 mbedtls_x509_crt_init( session->peer_cert );
5008
5009 if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
5010 p, cert_len ) ) != 0 )
5011 {
5012 mbedtls_x509_crt_free( session->peer_cert );
5013 mbedtls_free( session->peer_cert );
5014 session->peer_cert = NULL;
5015 return( ret );
5016 }
5017
5018 p += cert_len;
5019 }
5020 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5021 /* Deserialize CRT digest from the end of the ticket. */
5022 if( 2 > (size_t)( end - p ) )
5023 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5024
5025 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
5026 session->peer_cert_digest_len = (size_t) *p++;
5027
5028 if( session->peer_cert_digest_len != 0 )
5029 {
5030 const mbedtls_md_info_t *md_info =
5031 mbedtls_md_info_from_type( session->peer_cert_digest_type );
5032 if( md_info == NULL )
5033 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5034 if( session->peer_cert_digest_len != mbedtls_md_get_size( md_info ) )
5035 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5036
5037 if( session->peer_cert_digest_len > (size_t)( end - p ) )
5038 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5039
5040 session->peer_cert_digest =
5041 mbedtls_calloc( 1, session->peer_cert_digest_len );
5042 if( session->peer_cert_digest == NULL )
5043 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5044
5045 memcpy( session->peer_cert_digest, p,
5046 session->peer_cert_digest_len );
5047 p += session->peer_cert_digest_len;
5048 }
5049 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5050 #endif /* MBEDTLS_X509_CRT_PARSE_C */
5051
5052 /*
5053 * Session ticket and associated data
5054 */
5055 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
5056 if( 3 > (size_t)( end - p ) )
5057 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5058
5059 session->ticket_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
5060 p += 3;
5061
5062 if( session->ticket_len != 0 )
5063 {
5064 if( session->ticket_len > (size_t)( end - p ) )
5065 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5066
5067 session->ticket = mbedtls_calloc( 1, session->ticket_len );
5068 if( session->ticket == NULL )
5069 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5070
5071 memcpy( session->ticket, p, session->ticket_len );
5072 p += session->ticket_len;
5073 }
5074
5075 if( 4 > (size_t)( end - p ) )
5076 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5077
5078 session->ticket_lifetime = ( (uint32_t) p[0] << 24 ) |
5079 ( (uint32_t) p[1] << 16 ) |
5080 ( (uint32_t) p[2] << 8 ) |
5081 ( (uint32_t) p[3] );
5082 p += 4;
5083 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
5084
5085 /*
5086 * Misc extension-related info
5087 */
5088 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
5089 if( 1 > (size_t)( end - p ) )
5090 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5091
5092 session->mfl_code = *p++;
5093 #endif
5094
5095 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5096 if( 1 > (size_t)( end - p ) )
5097 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5098
5099 session->encrypt_then_mac = *p++;
5100 #endif
5101
5102 /* Done, should have consumed entire buffer */
5103 if( p != end )
5104 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5105
5106 return( 0 );
5107 }
5108
ssl_session_load(mbedtls_ssl_session * session,unsigned char omit_header,const unsigned char * buf,size_t len)5109 static int ssl_session_load( mbedtls_ssl_session *session,
5110 unsigned char omit_header,
5111 const unsigned char *buf,
5112 size_t len )
5113 {
5114 const unsigned char *p = buf;
5115 const unsigned char * const end = buf + len;
5116
5117 if( !omit_header )
5118 {
5119 /*
5120 * Check Mbed TLS version identifier
5121 */
5122
5123 if( (size_t)( end - p ) < sizeof( ssl_serialized_session_header ) )
5124 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5125
5126 if( memcmp( p, ssl_serialized_session_header,
5127 sizeof( ssl_serialized_session_header ) ) != 0 )
5128 {
5129 return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
5130 }
5131 p += sizeof( ssl_serialized_session_header );
5132 }
5133
5134 /*
5135 * TLS version identifier
5136 */
5137 if( 1 > (size_t)( end - p ) )
5138 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5139 session->minor_ver = *p++;
5140
5141 /* Dispatch according to TLS version. */
5142 switch( session->minor_ver )
5143 {
5144 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5145 case MBEDTLS_SSL_MINOR_VERSION_3: /* TLS 1.2 */
5146 {
5147 size_t remaining_len = ( end - p );
5148 return( ssl_session_load_tls12( session, p, remaining_len ) );
5149 }
5150 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5151
5152 default:
5153 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5154 }
5155 }
5156
5157 /*
5158 * Deserialize session: public wrapper for error cleaning
5159 */
mbedtls_ssl_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)5160 int mbedtls_ssl_session_load( mbedtls_ssl_session *session,
5161 const unsigned char *buf,
5162 size_t len )
5163 {
5164 int ret = ssl_session_load( session, 0, buf, len );
5165
5166 if( ret != 0 )
5167 mbedtls_ssl_session_free( session );
5168
5169 return( ret );
5170 }
5171
5172 /*
5173 * Perform a single step of the SSL handshake
5174 */
ssl_prepare_handshake_step(mbedtls_ssl_context * ssl)5175 static int ssl_prepare_handshake_step( mbedtls_ssl_context *ssl )
5176 {
5177 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5178
5179 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
5180 return( ret );
5181
5182 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5183 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5184 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
5185 {
5186 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
5187 return( ret );
5188 }
5189 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5190
5191 return( ret );
5192 }
5193
mbedtls_ssl_handshake_step(mbedtls_ssl_context * ssl)5194 int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
5195 {
5196 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5197
5198 if( ssl == NULL ||
5199 ssl->conf == NULL ||
5200 ssl->handshake == NULL ||
5201 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5202 {
5203 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5204 }
5205
5206 ret = ssl_prepare_handshake_step( ssl );
5207 if( ret != 0 )
5208 return( ret );
5209
5210 ret = mbedtls_ssl_handle_pending_alert( ssl );
5211 if( ret != 0 )
5212 goto cleanup;
5213
5214 #if defined(MBEDTLS_SSL_CLI_C)
5215 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5216 {
5217 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
5218 if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
5219 ret = mbedtls_ssl_tls13_handshake_client_step( ssl );
5220 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
5221
5222 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5223 if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
5224 ret = mbedtls_ssl_handshake_client_step( ssl );
5225 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5226 }
5227 #endif
5228 #if defined(MBEDTLS_SSL_SRV_C)
5229 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
5230 {
5231 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
5232 if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) )
5233 ret = mbedtls_ssl_tls13_handshake_server_step( ssl );
5234 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
5235
5236 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5237 if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) )
5238 ret = mbedtls_ssl_handshake_server_step( ssl );
5239 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5240 }
5241 #endif
5242
5243 if( ret != 0 )
5244 {
5245 /* handshake_step return error. And it is same
5246 * with alert_reason.
5247 */
5248 if( ssl->send_alert )
5249 {
5250 ret = mbedtls_ssl_handle_pending_alert( ssl );
5251 goto cleanup;
5252 }
5253 }
5254
5255 cleanup:
5256 return( ret );
5257 }
5258
5259 /*
5260 * Perform the SSL handshake
5261 */
mbedtls_ssl_handshake(mbedtls_ssl_context * ssl)5262 int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
5263 {
5264 int ret = 0;
5265
5266 /* Sanity checks */
5267
5268 if( ssl == NULL || ssl->conf == NULL )
5269 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5270
5271 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5272 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5273 ( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) )
5274 {
5275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
5276 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
5277 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5278 }
5279 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5280
5281 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
5282
5283 /* Main handshake loop */
5284 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5285 {
5286 ret = mbedtls_ssl_handshake_step( ssl );
5287
5288 if( ret != 0 )
5289 break;
5290 }
5291
5292 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
5293
5294 return( ret );
5295 }
5296
5297 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5298 #if defined(MBEDTLS_SSL_SRV_C)
5299 /*
5300 * Write HelloRequest to request renegotiation on server
5301 */
ssl_write_hello_request(mbedtls_ssl_context * ssl)5302 static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
5303 {
5304 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5305
5306 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
5307
5308 ssl->out_msglen = 4;
5309 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
5310 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
5311
5312 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
5313 {
5314 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
5315 return( ret );
5316 }
5317
5318 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
5319
5320 return( 0 );
5321 }
5322 #endif /* MBEDTLS_SSL_SRV_C */
5323
5324 /*
5325 * Actually renegotiate current connection, triggered by either:
5326 * - any side: calling mbedtls_ssl_renegotiate(),
5327 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
5328 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
5329 * the initial handshake is completed.
5330 * If the handshake doesn't complete due to waiting for I/O, it will continue
5331 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
5332 */
mbedtls_ssl_start_renegotiation(mbedtls_ssl_context * ssl)5333 int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl )
5334 {
5335 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5336
5337 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
5338
5339 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
5340 return( ret );
5341
5342 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
5343 * the ServerHello will have message_seq = 1" */
5344 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5345 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5346 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
5347 {
5348 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
5349 ssl->handshake->out_msg_seq = 1;
5350 else
5351 ssl->handshake->in_msg_seq = 1;
5352 }
5353 #endif
5354
5355 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
5356 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
5357
5358 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
5359 {
5360 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
5361 return( ret );
5362 }
5363
5364 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
5365
5366 return( 0 );
5367 }
5368
5369 /*
5370 * Renegotiate current connection on client,
5371 * or request renegotiation on server
5372 */
mbedtls_ssl_renegotiate(mbedtls_ssl_context * ssl)5373 int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
5374 {
5375 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5376
5377 if( ssl == NULL || ssl->conf == NULL )
5378 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5379
5380 #if defined(MBEDTLS_SSL_SRV_C)
5381 /* On server, just send the request */
5382 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
5383 {
5384 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5385 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5386
5387 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
5388
5389 /* Did we already try/start sending HelloRequest? */
5390 if( ssl->out_left != 0 )
5391 return( mbedtls_ssl_flush_output( ssl ) );
5392
5393 return( ssl_write_hello_request( ssl ) );
5394 }
5395 #endif /* MBEDTLS_SSL_SRV_C */
5396
5397 #if defined(MBEDTLS_SSL_CLI_C)
5398 /*
5399 * On client, either start the renegotiation process or,
5400 * if already in progress, continue the handshake
5401 */
5402 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
5403 {
5404 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5405 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5406
5407 if( ( ret = mbedtls_ssl_start_renegotiation( ssl ) ) != 0 )
5408 {
5409 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation", ret );
5410 return( ret );
5411 }
5412 }
5413 else
5414 {
5415 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
5416 {
5417 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
5418 return( ret );
5419 }
5420 }
5421 #endif /* MBEDTLS_SSL_CLI_C */
5422
5423 return( ret );
5424 }
5425 #endif /* MBEDTLS_SSL_RENEGOTIATION */
5426
5427 #if defined(MBEDTLS_X509_CRT_PARSE_C)
ssl_key_cert_free(mbedtls_ssl_key_cert * key_cert)5428 static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
5429 {
5430 mbedtls_ssl_key_cert *cur = key_cert, *next;
5431
5432 while( cur != NULL )
5433 {
5434 next = cur->next;
5435 mbedtls_free( cur );
5436 cur = next;
5437 }
5438 }
5439 #endif /* MBEDTLS_X509_CRT_PARSE_C */
5440
mbedtls_ssl_handshake_free(mbedtls_ssl_context * ssl)5441 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
5442 {
5443 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
5444
5445 if( handshake == NULL )
5446 return;
5447
5448 #if defined(MBEDTLS_ECP_C)
5449 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
5450 if ( ssl->handshake->group_list_heap_allocated )
5451 mbedtls_free( (void*) handshake->group_list );
5452 handshake->group_list = NULL;
5453 #endif /* MBEDTLS_DEPRECATED_REMOVED */
5454 #endif /* MBEDTLS_ECP_C */
5455
5456 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
5457 if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
5458 {
5459 ssl->conf->f_async_cancel( ssl );
5460 handshake->async_in_progress = 0;
5461 }
5462 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
5463
5464 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5465 #if defined(MBEDTLS_SHA256_C)
5466 #if defined(MBEDTLS_USE_PSA_CRYPTO)
5467 psa_hash_abort( &handshake->fin_sha256_psa );
5468 #else
5469 mbedtls_sha256_free( &handshake->fin_sha256 );
5470 #endif
5471 #endif
5472 #if defined(MBEDTLS_SHA384_C)
5473 #if defined(MBEDTLS_USE_PSA_CRYPTO)
5474 psa_hash_abort( &handshake->fin_sha384_psa );
5475 #else
5476 mbedtls_sha512_free( &handshake->fin_sha512 );
5477 #endif
5478 #endif
5479 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5480
5481 #if defined(MBEDTLS_DHM_C)
5482 mbedtls_dhm_free( &handshake->dhm_ctx );
5483 #endif
5484 #if defined(MBEDTLS_ECDH_C)
5485 mbedtls_ecdh_free( &handshake->ecdh_ctx );
5486 #endif
5487 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
5488 mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
5489 #if defined(MBEDTLS_SSL_CLI_C)
5490 mbedtls_free( handshake->ecjpake_cache );
5491 handshake->ecjpake_cache = NULL;
5492 handshake->ecjpake_cache_len = 0;
5493 #endif
5494 #endif
5495
5496 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
5497 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
5498 /* explicit void pointer cast for buggy MS compiler */
5499 mbedtls_free( (void *) handshake->curves );
5500 #endif
5501
5502 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
5503 if( handshake->psk != NULL )
5504 {
5505 mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
5506 mbedtls_free( handshake->psk );
5507 }
5508 #endif
5509
5510 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
5511 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
5512 /*
5513 * Free only the linked list wrapper, not the keys themselves
5514 * since the belong to the SNI callback
5515 */
5516 if( handshake->sni_key_cert != NULL )
5517 {
5518 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
5519
5520 while( cur != NULL )
5521 {
5522 next = cur->next;
5523 mbedtls_free( cur );
5524 cur = next;
5525 }
5526 }
5527 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
5528
5529 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
5530 mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
5531 if( handshake->ecrs_peer_cert != NULL )
5532 {
5533 mbedtls_x509_crt_free( handshake->ecrs_peer_cert );
5534 mbedtls_free( handshake->ecrs_peer_cert );
5535 }
5536 #endif
5537
5538 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
5539 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
5540 mbedtls_pk_free( &handshake->peer_pubkey );
5541 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
5542
5543 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5544 mbedtls_free( handshake->verify_cookie );
5545 mbedtls_ssl_flight_free( handshake->flight );
5546 mbedtls_ssl_buffering_free( ssl );
5547 #endif
5548
5549 #if defined(MBEDTLS_ECDH_C) && \
5550 defined(MBEDTLS_USE_PSA_CRYPTO)
5551 psa_destroy_key( handshake->ecdh_psa_privkey );
5552 #endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
5553
5554 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
5555 mbedtls_ssl_transform_free( handshake->transform_handshake );
5556 mbedtls_ssl_transform_free( handshake->transform_earlydata );
5557 mbedtls_free( handshake->transform_earlydata );
5558 mbedtls_free( handshake->transform_handshake );
5559 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
5560
5561
5562 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5563 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
5564 * processes datagrams and the fact that a datagram is allowed to have
5565 * several records in it, it is possible that the I/O buffers are not
5566 * empty at this stage */
5567 handle_buffer_resizing( ssl, 1, mbedtls_ssl_get_input_buflen( ssl ),
5568 mbedtls_ssl_get_output_buflen( ssl ) );
5569 #endif
5570
5571 /* mbedtls_platform_zeroize MUST be last one in this function */
5572 mbedtls_platform_zeroize( handshake,
5573 sizeof( mbedtls_ssl_handshake_params ) );
5574 }
5575
mbedtls_ssl_session_free(mbedtls_ssl_session * session)5576 void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
5577 {
5578 if( session == NULL )
5579 return;
5580
5581 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5582 ssl_clear_peer_cert( session );
5583 #endif
5584
5585 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
5586 mbedtls_free( session->ticket );
5587 #endif
5588
5589 mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
5590 }
5591
5592 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
5593
5594 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5595 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
5596 #else
5597 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
5598 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5599
5600 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
5601
5602 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5603 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
5604 #else
5605 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
5606 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5607
5608 #if defined(MBEDTLS_SSL_ALPN)
5609 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
5610 #else
5611 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
5612 #endif /* MBEDTLS_SSL_ALPN */
5613
5614 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
5615 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
5616 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
5617 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
5618
5619 #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
5620 ( (uint32_t) ( \
5621 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT ) | \
5622 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT ) | \
5623 ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT ) | \
5624 ( SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT ) | \
5625 0u ) )
5626
5627 static unsigned char ssl_serialized_context_header[] = {
5628 MBEDTLS_VERSION_MAJOR,
5629 MBEDTLS_VERSION_MINOR,
5630 MBEDTLS_VERSION_PATCH,
5631 MBEDTLS_BYTE_1( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
5632 MBEDTLS_BYTE_0( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
5633 MBEDTLS_BYTE_2( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
5634 MBEDTLS_BYTE_1( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
5635 MBEDTLS_BYTE_0( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
5636 };
5637
5638 /*
5639 * Serialize a full SSL context
5640 *
5641 * The format of the serialized data is:
5642 * (in the presentation language of TLS, RFC 8446 section 3)
5643 *
5644 * // header
5645 * opaque mbedtls_version[3]; // major, minor, patch
5646 * opaque context_format[5]; // version-specific field determining
5647 * // the format of the remaining
5648 * // serialized data.
5649 * Note: When updating the format, remember to keep these
5650 * version+format bytes. (We may make their size part of the API.)
5651 *
5652 * // session sub-structure
5653 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
5654 * // transform sub-structure
5655 * uint8 random[64]; // ServerHello.random+ClientHello.random
5656 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
5657 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
5658 * // fields from ssl_context
5659 * uint32 badmac_seen; // DTLS: number of records with failing MAC
5660 * uint64 in_window_top; // DTLS: last validated record seq_num
5661 * uint64 in_window; // DTLS: bitmask for replay protection
5662 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
5663 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
5664 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
5665 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
5666 *
5667 * Note that many fields of the ssl_context or sub-structures are not
5668 * serialized, as they fall in one of the following categories:
5669 *
5670 * 1. forced value (eg in_left must be 0)
5671 * 2. pointer to dynamically-allocated memory (eg session, transform)
5672 * 3. value can be re-derived from other data (eg session keys from MS)
5673 * 4. value was temporary (eg content of input buffer)
5674 * 5. value will be provided by the user again (eg I/O callbacks and context)
5675 */
mbedtls_ssl_context_save(mbedtls_ssl_context * ssl,unsigned char * buf,size_t buf_len,size_t * olen)5676 int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
5677 unsigned char *buf,
5678 size_t buf_len,
5679 size_t *olen )
5680 {
5681 unsigned char *p = buf;
5682 size_t used = 0;
5683 size_t session_len;
5684 int ret = 0;
5685
5686 /*
5687 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
5688 * this function's documentation.
5689 *
5690 * These are due to assumptions/limitations in the implementation. Some of
5691 * them are likely to stay (no handshake in progress) some might go away
5692 * (only DTLS) but are currently used to simplify the implementation.
5693 */
5694 /* The initial handshake must be over */
5695 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5696 {
5697 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Initial handshake isn't over" ) );
5698 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5699 }
5700 if( ssl->handshake != NULL )
5701 {
5702 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Handshake isn't completed" ) );
5703 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5704 }
5705 /* Double-check that sub-structures are indeed ready */
5706 if( ssl->transform == NULL || ssl->session == NULL )
5707 {
5708 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Serialised structures aren't ready" ) );
5709 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5710 }
5711 /* There must be no pending incoming or outgoing data */
5712 if( mbedtls_ssl_check_pending( ssl ) != 0 )
5713 {
5714 MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending incoming data" ) );
5715 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5716 }
5717 if( ssl->out_left != 0 )
5718 {
5719 MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending outgoing data" ) );
5720 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5721 }
5722 /* Protocol must be DLTS, not TLS */
5723 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5724 {
5725 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only DTLS is supported" ) );
5726 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5727 }
5728 /* Version must be 1.2 */
5729 if( ssl->major_ver != MBEDTLS_SSL_MAJOR_VERSION_3 )
5730 {
5731 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
5732 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5733 }
5734 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
5735 {
5736 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
5737 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5738 }
5739 /* We must be using an AEAD ciphersuite */
5740 if( mbedtls_ssl_transform_uses_aead( ssl->transform ) != 1 )
5741 {
5742 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only AEAD ciphersuites supported" ) );
5743 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5744 }
5745 /* Renegotiation must not be enabled */
5746 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5747 if( ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED )
5748 {
5749 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Renegotiation must not be enabled" ) );
5750 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5751 }
5752 #endif
5753
5754 /*
5755 * Version and format identifier
5756 */
5757 used += sizeof( ssl_serialized_context_header );
5758
5759 if( used <= buf_len )
5760 {
5761 memcpy( p, ssl_serialized_context_header,
5762 sizeof( ssl_serialized_context_header ) );
5763 p += sizeof( ssl_serialized_context_header );
5764 }
5765
5766 /*
5767 * Session (length + data)
5768 */
5769 ret = ssl_session_save( ssl->session, 1, NULL, 0, &session_len );
5770 if( ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL )
5771 return( ret );
5772
5773 used += 4 + session_len;
5774 if( used <= buf_len )
5775 {
5776 MBEDTLS_PUT_UINT32_BE( session_len, p, 0 );
5777 p += 4;
5778
5779 ret = ssl_session_save( ssl->session, 1,
5780 p, session_len, &session_len );
5781 if( ret != 0 )
5782 return( ret );
5783
5784 p += session_len;
5785 }
5786
5787 /*
5788 * Transform
5789 */
5790 used += sizeof( ssl->transform->randbytes );
5791 if( used <= buf_len )
5792 {
5793 memcpy( p, ssl->transform->randbytes,
5794 sizeof( ssl->transform->randbytes ) );
5795 p += sizeof( ssl->transform->randbytes );
5796 }
5797
5798 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5799 used += 2 + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
5800 if( used <= buf_len )
5801 {
5802 *p++ = ssl->transform->in_cid_len;
5803 memcpy( p, ssl->transform->in_cid, ssl->transform->in_cid_len );
5804 p += ssl->transform->in_cid_len;
5805
5806 *p++ = ssl->transform->out_cid_len;
5807 memcpy( p, ssl->transform->out_cid, ssl->transform->out_cid_len );
5808 p += ssl->transform->out_cid_len;
5809 }
5810 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5811
5812 /*
5813 * Saved fields from top-level ssl_context structure
5814 */
5815 used += 4;
5816 if( used <= buf_len )
5817 {
5818 MBEDTLS_PUT_UINT32_BE( ssl->badmac_seen, p, 0 );
5819 p += 4;
5820 }
5821
5822 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5823 used += 16;
5824 if( used <= buf_len )
5825 {
5826 MBEDTLS_PUT_UINT64_BE( ssl->in_window_top, p, 0 );
5827 p += 8;
5828
5829 MBEDTLS_PUT_UINT64_BE( ssl->in_window, p, 0 );
5830 p += 8;
5831 }
5832 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5833
5834 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5835 used += 1;
5836 if( used <= buf_len )
5837 {
5838 *p++ = ssl->disable_datagram_packing;
5839 }
5840 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5841
5842 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5843 if( used <= buf_len )
5844 {
5845 memcpy( p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
5846 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5847 }
5848
5849 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5850 used += 2;
5851 if( used <= buf_len )
5852 {
5853 MBEDTLS_PUT_UINT16_BE( ssl->mtu, p, 0 );
5854 p += 2;
5855 }
5856 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5857
5858 #if defined(MBEDTLS_SSL_ALPN)
5859 {
5860 const uint8_t alpn_len = ssl->alpn_chosen
5861 ? (uint8_t) strlen( ssl->alpn_chosen )
5862 : 0;
5863
5864 used += 1 + alpn_len;
5865 if( used <= buf_len )
5866 {
5867 *p++ = alpn_len;
5868
5869 if( ssl->alpn_chosen != NULL )
5870 {
5871 memcpy( p, ssl->alpn_chosen, alpn_len );
5872 p += alpn_len;
5873 }
5874 }
5875 }
5876 #endif /* MBEDTLS_SSL_ALPN */
5877
5878 /*
5879 * Done
5880 */
5881 *olen = used;
5882
5883 if( used > buf_len )
5884 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
5885
5886 MBEDTLS_SSL_DEBUG_BUF( 4, "saved context", buf, used );
5887
5888 return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
5889 }
5890
5891 /*
5892 * Helper to get TLS 1.2 PRF from ciphersuite
5893 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
5894 */
5895 typedef int (*tls_prf_fn)( const unsigned char *secret, size_t slen,
5896 const char *label,
5897 const unsigned char *random, size_t rlen,
5898 unsigned char *dstbuf, size_t dlen );
ssl_tls12prf_from_cs(int ciphersuite_id)5899 static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
5900 {
5901 #if defined(MBEDTLS_SHA384_C)
5902 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
5903 mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
5904
5905 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
5906 return( tls_prf_sha384 );
5907 #else
5908 (void) ciphersuite_id;
5909 #endif
5910 return( tls_prf_sha256 );
5911 }
5912
5913 /*
5914 * Deserialize context, see mbedtls_ssl_context_save() for format.
5915 *
5916 * This internal version is wrapped by a public function that cleans up in
5917 * case of error.
5918 */
ssl_context_load(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)5919 static int ssl_context_load( mbedtls_ssl_context *ssl,
5920 const unsigned char *buf,
5921 size_t len )
5922 {
5923 const unsigned char *p = buf;
5924 const unsigned char * const end = buf + len;
5925 size_t session_len;
5926 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5927
5928 /*
5929 * The context should have been freshly setup or reset.
5930 * Give the user an error in case of obvious misuse.
5931 * (Checking session is useful because it won't be NULL if we're
5932 * renegotiating, or if the user mistakenly loaded a session first.)
5933 */
5934 if( ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
5935 ssl->session != NULL )
5936 {
5937 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5938 }
5939
5940 /*
5941 * We can't check that the config matches the initial one, but we can at
5942 * least check it matches the requirements for serializing.
5943 */
5944 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
5945 ssl->conf->max_major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
5946 ssl->conf->min_major_ver > MBEDTLS_SSL_MAJOR_VERSION_3 ||
5947 ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ||
5948 ssl->conf->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 ||
5949 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5950 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5951 #endif
5952 0 )
5953 {
5954 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5955 }
5956
5957 MBEDTLS_SSL_DEBUG_BUF( 4, "context to load", buf, len );
5958
5959 /*
5960 * Check version identifier
5961 */
5962 if( (size_t)( end - p ) < sizeof( ssl_serialized_context_header ) )
5963 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5964
5965 if( memcmp( p, ssl_serialized_context_header,
5966 sizeof( ssl_serialized_context_header ) ) != 0 )
5967 {
5968 return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
5969 }
5970 p += sizeof( ssl_serialized_context_header );
5971
5972 /*
5973 * Session
5974 */
5975 if( (size_t)( end - p ) < 4 )
5976 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5977
5978 session_len = ( (size_t) p[0] << 24 ) |
5979 ( (size_t) p[1] << 16 ) |
5980 ( (size_t) p[2] << 8 ) |
5981 ( (size_t) p[3] );
5982 p += 4;
5983
5984 /* This has been allocated by ssl_handshake_init(), called by
5985 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5986 ssl->session = ssl->session_negotiate;
5987 ssl->session_in = ssl->session;
5988 ssl->session_out = ssl->session;
5989 ssl->session_negotiate = NULL;
5990
5991 if( (size_t)( end - p ) < session_len )
5992 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5993
5994 ret = ssl_session_load( ssl->session, 1, p, session_len );
5995 if( ret != 0 )
5996 {
5997 mbedtls_ssl_session_free( ssl->session );
5998 return( ret );
5999 }
6000
6001 p += session_len;
6002
6003 /*
6004 * Transform
6005 */
6006
6007 /* This has been allocated by ssl_handshake_init(), called by
6008 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
6009 ssl->transform = ssl->transform_negotiate;
6010 ssl->transform_in = ssl->transform;
6011 ssl->transform_out = ssl->transform;
6012 ssl->transform_negotiate = NULL;
6013
6014 /* Read random bytes and populate structure */
6015 if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) )
6016 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6017
6018 ret = ssl_tls12_populate_transform( ssl->transform,
6019 ssl->session->ciphersuite,
6020 ssl->session->master,
6021 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) && \
6022 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
6023 ssl->session->encrypt_then_mac,
6024 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC &&
6025 MBEDTLS_SSL_SOME_SUITES_USE_MAC */
6026 ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
6027 p, /* currently pointing to randbytes */
6028 MBEDTLS_SSL_MINOR_VERSION_3, /* (D)TLS 1.2 is forced */
6029 ssl->conf->endpoint,
6030 ssl );
6031 if( ret != 0 )
6032 return( ret );
6033
6034 p += sizeof( ssl->transform->randbytes );
6035
6036 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
6037 /* Read connection IDs and store them */
6038 if( (size_t)( end - p ) < 1 )
6039 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6040
6041 ssl->transform->in_cid_len = *p++;
6042
6043 if( (size_t)( end - p ) < ssl->transform->in_cid_len + 1u )
6044 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6045
6046 memcpy( ssl->transform->in_cid, p, ssl->transform->in_cid_len );
6047 p += ssl->transform->in_cid_len;
6048
6049 ssl->transform->out_cid_len = *p++;
6050
6051 if( (size_t)( end - p ) < ssl->transform->out_cid_len )
6052 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6053
6054 memcpy( ssl->transform->out_cid, p, ssl->transform->out_cid_len );
6055 p += ssl->transform->out_cid_len;
6056 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
6057
6058 /*
6059 * Saved fields from top-level ssl_context structure
6060 */
6061 if( (size_t)( end - p ) < 4 )
6062 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6063
6064 ssl->badmac_seen = ( (uint32_t) p[0] << 24 ) |
6065 ( (uint32_t) p[1] << 16 ) |
6066 ( (uint32_t) p[2] << 8 ) |
6067 ( (uint32_t) p[3] );
6068 p += 4;
6069
6070 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
6071 if( (size_t)( end - p ) < 16 )
6072 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6073
6074 ssl->in_window_top = ( (uint64_t) p[0] << 56 ) |
6075 ( (uint64_t) p[1] << 48 ) |
6076 ( (uint64_t) p[2] << 40 ) |
6077 ( (uint64_t) p[3] << 32 ) |
6078 ( (uint64_t) p[4] << 24 ) |
6079 ( (uint64_t) p[5] << 16 ) |
6080 ( (uint64_t) p[6] << 8 ) |
6081 ( (uint64_t) p[7] );
6082 p += 8;
6083
6084 ssl->in_window = ( (uint64_t) p[0] << 56 ) |
6085 ( (uint64_t) p[1] << 48 ) |
6086 ( (uint64_t) p[2] << 40 ) |
6087 ( (uint64_t) p[3] << 32 ) |
6088 ( (uint64_t) p[4] << 24 ) |
6089 ( (uint64_t) p[5] << 16 ) |
6090 ( (uint64_t) p[6] << 8 ) |
6091 ( (uint64_t) p[7] );
6092 p += 8;
6093 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
6094
6095 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6096 if( (size_t)( end - p ) < 1 )
6097 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6098
6099 ssl->disable_datagram_packing = *p++;
6100 #endif /* MBEDTLS_SSL_PROTO_DTLS */
6101
6102 if( (size_t)( end - p ) < sizeof( ssl->cur_out_ctr ) )
6103 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6104 memcpy( ssl->cur_out_ctr, p, sizeof( ssl->cur_out_ctr ) );
6105 p += sizeof( ssl->cur_out_ctr );
6106
6107 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6108 if( (size_t)( end - p ) < 2 )
6109 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6110
6111 ssl->mtu = ( p[0] << 8 ) | p[1];
6112 p += 2;
6113 #endif /* MBEDTLS_SSL_PROTO_DTLS */
6114
6115 #if defined(MBEDTLS_SSL_ALPN)
6116 {
6117 uint8_t alpn_len;
6118 const char **cur;
6119
6120 if( (size_t)( end - p ) < 1 )
6121 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6122
6123 alpn_len = *p++;
6124
6125 if( alpn_len != 0 && ssl->conf->alpn_list != NULL )
6126 {
6127 /* alpn_chosen should point to an item in the configured list */
6128 for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
6129 {
6130 if( strlen( *cur ) == alpn_len &&
6131 memcmp( p, cur, alpn_len ) == 0 )
6132 {
6133 ssl->alpn_chosen = *cur;
6134 break;
6135 }
6136 }
6137 }
6138
6139 /* can only happen on conf mismatch */
6140 if( alpn_len != 0 && ssl->alpn_chosen == NULL )
6141 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6142
6143 p += alpn_len;
6144 }
6145 #endif /* MBEDTLS_SSL_ALPN */
6146
6147 /*
6148 * Forced fields from top-level ssl_context structure
6149 *
6150 * Most of them already set to the correct value by mbedtls_ssl_init() and
6151 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
6152 */
6153 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
6154
6155 ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
6156 ssl->minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
6157
6158 /* Adjust pointers for header fields of outgoing records to
6159 * the given transform, accounting for explicit IV and CID. */
6160 mbedtls_ssl_update_out_pointers( ssl, ssl->transform );
6161
6162 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6163 ssl->in_epoch = 1;
6164 #endif
6165
6166 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
6167 * which we don't want - otherwise we'd end up freeing the wrong transform
6168 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
6169 * inappropriately. */
6170 if( ssl->handshake != NULL )
6171 {
6172 mbedtls_ssl_handshake_free( ssl );
6173 mbedtls_free( ssl->handshake );
6174 ssl->handshake = NULL;
6175 }
6176
6177 /*
6178 * Done - should have consumed entire buffer
6179 */
6180 if( p != end )
6181 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
6182
6183 return( 0 );
6184 }
6185
6186 /*
6187 * Deserialize context: public wrapper for error cleaning
6188 */
mbedtls_ssl_context_load(mbedtls_ssl_context * context,const unsigned char * buf,size_t len)6189 int mbedtls_ssl_context_load( mbedtls_ssl_context *context,
6190 const unsigned char *buf,
6191 size_t len )
6192 {
6193 int ret = ssl_context_load( context, buf, len );
6194
6195 if( ret != 0 )
6196 mbedtls_ssl_free( context );
6197
6198 return( ret );
6199 }
6200 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
6201
6202 /*
6203 * Free an SSL context
6204 */
mbedtls_ssl_free(mbedtls_ssl_context * ssl)6205 void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
6206 {
6207 if( ssl == NULL )
6208 return;
6209
6210 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
6211
6212 if( ssl->out_buf != NULL )
6213 {
6214 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
6215 size_t out_buf_len = ssl->out_buf_len;
6216 #else
6217 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
6218 #endif
6219
6220 mbedtls_platform_zeroize( ssl->out_buf, out_buf_len );
6221 mbedtls_free( ssl->out_buf );
6222 ssl->out_buf = NULL;
6223 }
6224
6225 if( ssl->in_buf != NULL )
6226 {
6227 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
6228 size_t in_buf_len = ssl->in_buf_len;
6229 #else
6230 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
6231 #endif
6232
6233 mbedtls_platform_zeroize( ssl->in_buf, in_buf_len );
6234 mbedtls_free( ssl->in_buf );
6235 ssl->in_buf = NULL;
6236 }
6237
6238 if( ssl->transform )
6239 {
6240 mbedtls_ssl_transform_free( ssl->transform );
6241 mbedtls_free( ssl->transform );
6242 }
6243
6244 if( ssl->handshake )
6245 {
6246 mbedtls_ssl_handshake_free( ssl );
6247 mbedtls_ssl_transform_free( ssl->transform_negotiate );
6248 mbedtls_ssl_session_free( ssl->session_negotiate );
6249
6250 mbedtls_free( ssl->handshake );
6251 mbedtls_free( ssl->transform_negotiate );
6252 mbedtls_free( ssl->session_negotiate );
6253 }
6254
6255 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
6256 mbedtls_ssl_transform_free( ssl->transform_application );
6257 mbedtls_free( ssl->transform_application );
6258 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
6259
6260 if( ssl->session )
6261 {
6262 mbedtls_ssl_session_free( ssl->session );
6263 mbedtls_free( ssl->session );
6264 }
6265
6266 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6267 if( ssl->hostname != NULL )
6268 {
6269 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
6270 mbedtls_free( ssl->hostname );
6271 }
6272 #endif
6273
6274 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
6275 mbedtls_free( ssl->cli_id );
6276 #endif
6277
6278 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
6279
6280 /* Actually clear after last debug message */
6281 mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
6282 }
6283
6284 /*
6285 * Initialze mbedtls_ssl_config
6286 */
mbedtls_ssl_config_init(mbedtls_ssl_config * conf)6287 void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
6288 {
6289 memset( conf, 0, sizeof( mbedtls_ssl_config ) );
6290 }
6291
6292 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
6293 /* The selection should be the same as mbedtls_x509_crt_profile_default in
6294 * x509_crt.c. Here, the order matters. Currently we favor stronger hashes,
6295 * for no fundamental reason.
6296 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
6297 * about this list. */
6298 static int ssl_preset_default_hashes[] = {
6299 #if defined(MBEDTLS_SHA512_C)
6300 MBEDTLS_MD_SHA512,
6301 #endif
6302 #if defined(MBEDTLS_SHA384_C)
6303 MBEDTLS_MD_SHA384,
6304 #endif
6305 #if defined(MBEDTLS_SHA256_C)
6306 MBEDTLS_MD_SHA256,
6307 #endif
6308 MBEDTLS_MD_NONE
6309 };
6310 #endif
6311
6312 /* The selection should be the same as mbedtls_x509_crt_profile_default in
6313 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
6314 * curves with a lower resource usage come first.
6315 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
6316 * about this list.
6317 */
6318 static uint16_t ssl_preset_default_groups[] = {
6319 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
6320 MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
6321 #endif
6322 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
6323 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
6324 #endif
6325 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
6326 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
6327 #endif
6328 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
6329 MBEDTLS_SSL_IANA_TLS_GROUP_X448,
6330 #endif
6331 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
6332 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
6333 #endif
6334 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
6335 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
6336 #endif
6337 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
6338 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
6339 #endif
6340 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
6341 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
6342 #endif
6343 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
6344 };
6345
6346 static int ssl_preset_suiteb_ciphersuites[] = {
6347 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6348 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
6349 0
6350 };
6351
6352 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
6353 static int ssl_preset_suiteb_hashes[] = {
6354 MBEDTLS_MD_SHA256,
6355 MBEDTLS_MD_SHA384,
6356 MBEDTLS_MD_NONE
6357 };
6358
6359 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
6360 static uint16_t ssl_preset_default_sig_algs[] = {
6361 /* ECDSA algorithms */
6362 #if defined(MBEDTLS_ECDSA_C)
6363 #if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
6364 MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256,
6365 #endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
6366 #if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
6367 MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384,
6368 #endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
6369 #if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
6370 MBEDTLS_TLS13_SIG_ECDSA_SECP521R1_SHA512,
6371 #endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
6372 #endif /* MBEDTLS_ECDSA_C */
6373 MBEDTLS_TLS13_SIG_NONE
6374 };
6375
6376 static uint16_t ssl_preset_suiteb_sig_algs[] = {
6377 /* ECDSA algorithms */
6378 #if defined(MBEDTLS_ECDSA_C)
6379 #if defined(MBEDTLS_SHA256_C) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
6380 MBEDTLS_TLS13_SIG_ECDSA_SECP256R1_SHA256,
6381 #endif /* MBEDTLS_SHA256_C && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
6382 #if defined(MBEDTLS_SHA512_C) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
6383 MBEDTLS_TLS13_SIG_ECDSA_SECP384R1_SHA384,
6384 #endif /* MBEDTLS_SHA512_C && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
6385 #endif /* MBEDTLS_ECDSA_C */
6386 MBEDTLS_TLS13_SIG_NONE
6387 };
6388 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
6389 #endif
6390
6391 static uint16_t ssl_preset_suiteb_groups[] = {
6392 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
6393 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
6394 #endif
6395 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
6396 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
6397 #endif
6398 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
6399 };
6400
6401 /*
6402 * Load default in mbedtls_ssl_config
6403 */
mbedtls_ssl_config_defaults(mbedtls_ssl_config * conf,int endpoint,int transport,int preset)6404 int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
6405 int endpoint, int transport, int preset )
6406 {
6407 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
6408 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6409 #endif
6410
6411 /* Use the functions here so that they are covered in tests,
6412 * but otherwise access member directly for efficiency */
6413 mbedtls_ssl_conf_endpoint( conf, endpoint );
6414 mbedtls_ssl_conf_transport( conf, transport );
6415
6416 /*
6417 * Things that are common to all presets
6418 */
6419 #if defined(MBEDTLS_SSL_CLI_C)
6420 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
6421 {
6422 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
6423 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
6424 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
6425 #endif
6426 }
6427 #endif
6428
6429 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
6430 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
6431 #endif
6432
6433 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6434 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
6435 #endif
6436
6437 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
6438 conf->f_cookie_write = ssl_cookie_write_dummy;
6439 conf->f_cookie_check = ssl_cookie_check_dummy;
6440 #endif
6441
6442 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
6443 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
6444 #endif
6445
6446 #if defined(MBEDTLS_SSL_SRV_C)
6447 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
6448 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
6449 #endif
6450
6451 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6452 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
6453 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
6454 #endif
6455
6456 #if defined(MBEDTLS_SSL_RENEGOTIATION)
6457 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
6458 memset( conf->renego_period, 0x00, 2 );
6459 memset( conf->renego_period + 2, 0xFF, 6 );
6460 #endif
6461
6462 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
6463 if( endpoint == MBEDTLS_SSL_IS_SERVER )
6464 {
6465 const unsigned char dhm_p[] =
6466 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
6467 const unsigned char dhm_g[] =
6468 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
6469
6470 if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
6471 dhm_p, sizeof( dhm_p ),
6472 dhm_g, sizeof( dhm_g ) ) ) != 0 )
6473 {
6474 return( ret );
6475 }
6476 }
6477 #endif
6478
6479 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
6480 /*
6481 * Allow all TLS 1.3 key exchange modes by default.
6482 */
6483 conf->tls13_kex_modes = MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_ALL;
6484 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
6485
6486 /*
6487 * Preset-specific defaults
6488 */
6489 switch( preset )
6490 {
6491 /*
6492 * NSA Suite B
6493 */
6494 case MBEDTLS_SSL_PRESET_SUITEB:
6495 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
6496 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
6497 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
6498 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
6499
6500 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
6501
6502 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6503 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
6504 #endif
6505
6506 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
6507 conf->sig_hashes = ssl_preset_suiteb_hashes;
6508 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
6509 conf->tls13_sig_algs = ssl_preset_suiteb_sig_algs;
6510 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
6511 #endif
6512
6513 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6514 conf->curve_list = NULL;
6515 #endif
6516 conf->group_list = ssl_preset_suiteb_groups;
6517 break;
6518
6519 /*
6520 * Default
6521 */
6522 default:
6523 conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
6524 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
6525 MBEDTLS_SSL_MIN_MAJOR_VERSION :
6526 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
6527 conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
6528 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
6529 MBEDTLS_SSL_MIN_MINOR_VERSION :
6530 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
6531 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
6532 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
6533
6534 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6535 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6536 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
6537 #endif
6538 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
6539
6540 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6541 conf->cert_profile = &mbedtls_x509_crt_profile_default;
6542 #endif
6543
6544 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
6545 conf->sig_hashes = ssl_preset_default_hashes;
6546 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
6547 conf->tls13_sig_algs = ssl_preset_default_sig_algs;
6548 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
6549 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
6550
6551 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6552 conf->curve_list = NULL;
6553 #endif
6554 conf->group_list = ssl_preset_default_groups;
6555
6556 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
6557 conf->dhm_min_bitlen = 1024;
6558 #endif
6559 }
6560
6561 return( 0 );
6562 }
6563
6564 /*
6565 * Free mbedtls_ssl_config
6566 */
mbedtls_ssl_config_free(mbedtls_ssl_config * conf)6567 void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
6568 {
6569 #if defined(MBEDTLS_DHM_C)
6570 mbedtls_mpi_free( &conf->dhm_P );
6571 mbedtls_mpi_free( &conf->dhm_G );
6572 #endif
6573
6574 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
6575 if( conf->psk != NULL )
6576 {
6577 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
6578 mbedtls_free( conf->psk );
6579 conf->psk = NULL;
6580 conf->psk_len = 0;
6581 }
6582
6583 if( conf->psk_identity != NULL )
6584 {
6585 mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
6586 mbedtls_free( conf->psk_identity );
6587 conf->psk_identity = NULL;
6588 conf->psk_identity_len = 0;
6589 }
6590 #endif
6591
6592 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6593 ssl_key_cert_free( conf->key_cert );
6594 #endif
6595
6596 mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
6597 }
6598
6599 #if defined(MBEDTLS_PK_C) && \
6600 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
6601 /*
6602 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
6603 */
mbedtls_ssl_sig_from_pk(mbedtls_pk_context * pk)6604 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
6605 {
6606 #if defined(MBEDTLS_RSA_C)
6607 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
6608 return( MBEDTLS_SSL_SIG_RSA );
6609 #endif
6610 #if defined(MBEDTLS_ECDSA_C)
6611 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
6612 return( MBEDTLS_SSL_SIG_ECDSA );
6613 #endif
6614 return( MBEDTLS_SSL_SIG_ANON );
6615 }
6616
mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)6617 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
6618 {
6619 switch( type ) {
6620 case MBEDTLS_PK_RSA:
6621 return( MBEDTLS_SSL_SIG_RSA );
6622 case MBEDTLS_PK_ECDSA:
6623 case MBEDTLS_PK_ECKEY:
6624 return( MBEDTLS_SSL_SIG_ECDSA );
6625 default:
6626 return( MBEDTLS_SSL_SIG_ANON );
6627 }
6628 }
6629
mbedtls_ssl_pk_alg_from_sig(unsigned char sig)6630 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
6631 {
6632 switch( sig )
6633 {
6634 #if defined(MBEDTLS_RSA_C)
6635 case MBEDTLS_SSL_SIG_RSA:
6636 return( MBEDTLS_PK_RSA );
6637 #endif
6638 #if defined(MBEDTLS_ECDSA_C)
6639 case MBEDTLS_SSL_SIG_ECDSA:
6640 return( MBEDTLS_PK_ECDSA );
6641 #endif
6642 default:
6643 return( MBEDTLS_PK_NONE );
6644 }
6645 }
6646 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
6647
6648 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
6649 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
6650
6651 /* Find an entry in a signature-hash set matching a given hash algorithm. */
mbedtls_ssl_sig_hash_set_find(mbedtls_ssl_sig_hash_set_t * set,mbedtls_pk_type_t sig_alg)6652 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
6653 mbedtls_pk_type_t sig_alg )
6654 {
6655 switch( sig_alg )
6656 {
6657 case MBEDTLS_PK_RSA:
6658 return( set->rsa );
6659 case MBEDTLS_PK_ECDSA:
6660 return( set->ecdsa );
6661 default:
6662 return( MBEDTLS_MD_NONE );
6663 }
6664 }
6665
6666 /* Add a signature-hash-pair to a signature-hash set */
mbedtls_ssl_sig_hash_set_add(mbedtls_ssl_sig_hash_set_t * set,mbedtls_pk_type_t sig_alg,mbedtls_md_type_t md_alg)6667 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
6668 mbedtls_pk_type_t sig_alg,
6669 mbedtls_md_type_t md_alg )
6670 {
6671 switch( sig_alg )
6672 {
6673 case MBEDTLS_PK_RSA:
6674 if( set->rsa == MBEDTLS_MD_NONE )
6675 set->rsa = md_alg;
6676 break;
6677
6678 case MBEDTLS_PK_ECDSA:
6679 if( set->ecdsa == MBEDTLS_MD_NONE )
6680 set->ecdsa = md_alg;
6681 break;
6682
6683 default:
6684 break;
6685 }
6686 }
6687
6688 /* Allow exactly one hash algorithm for each signature. */
mbedtls_ssl_sig_hash_set_const_hash(mbedtls_ssl_sig_hash_set_t * set,mbedtls_md_type_t md_alg)6689 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
6690 mbedtls_md_type_t md_alg )
6691 {
6692 set->rsa = md_alg;
6693 set->ecdsa = md_alg;
6694 }
6695
6696 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
6697 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
6698
6699 /*
6700 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
6701 */
mbedtls_ssl_md_alg_from_hash(unsigned char hash)6702 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
6703 {
6704 switch( hash )
6705 {
6706 #if defined(MBEDTLS_MD5_C)
6707 case MBEDTLS_SSL_HASH_MD5:
6708 return( MBEDTLS_MD_MD5 );
6709 #endif
6710 #if defined(MBEDTLS_SHA1_C)
6711 case MBEDTLS_SSL_HASH_SHA1:
6712 return( MBEDTLS_MD_SHA1 );
6713 #endif
6714 #if defined(MBEDTLS_SHA224_C)
6715 case MBEDTLS_SSL_HASH_SHA224:
6716 return( MBEDTLS_MD_SHA224 );
6717 #endif
6718 #if defined(MBEDTLS_SHA256_C)
6719 case MBEDTLS_SSL_HASH_SHA256:
6720 return( MBEDTLS_MD_SHA256 );
6721 #endif
6722 #if defined(MBEDTLS_SHA384_C)
6723 case MBEDTLS_SSL_HASH_SHA384:
6724 return( MBEDTLS_MD_SHA384 );
6725 #endif
6726 #if defined(MBEDTLS_SHA512_C)
6727 case MBEDTLS_SSL_HASH_SHA512:
6728 return( MBEDTLS_MD_SHA512 );
6729 #endif
6730 default:
6731 return( MBEDTLS_MD_NONE );
6732 }
6733 }
6734
6735 /*
6736 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
6737 */
mbedtls_ssl_hash_from_md_alg(int md)6738 unsigned char mbedtls_ssl_hash_from_md_alg( int md )
6739 {
6740 switch( md )
6741 {
6742 #if defined(MBEDTLS_MD5_C)
6743 case MBEDTLS_MD_MD5:
6744 return( MBEDTLS_SSL_HASH_MD5 );
6745 #endif
6746 #if defined(MBEDTLS_SHA1_C)
6747 case MBEDTLS_MD_SHA1:
6748 return( MBEDTLS_SSL_HASH_SHA1 );
6749 #endif
6750 #if defined(MBEDTLS_SHA224_C)
6751 case MBEDTLS_MD_SHA224:
6752 return( MBEDTLS_SSL_HASH_SHA224 );
6753 #endif
6754 #if defined(MBEDTLS_SHA256_C)
6755 case MBEDTLS_MD_SHA256:
6756 return( MBEDTLS_SSL_HASH_SHA256 );
6757 #endif
6758 #if defined(MBEDTLS_SHA384_C)
6759 case MBEDTLS_MD_SHA384:
6760 return( MBEDTLS_SSL_HASH_SHA384 );
6761 #endif
6762 #if defined(MBEDTLS_SHA512_C)
6763 case MBEDTLS_MD_SHA512:
6764 return( MBEDTLS_SSL_HASH_SHA512 );
6765 #endif
6766 default:
6767 return( MBEDTLS_SSL_HASH_NONE );
6768 }
6769 }
6770
6771 #if defined(MBEDTLS_ECP_C)
6772 /*
6773 * Check if a curve proposed by the peer is in our list.
6774 * Return 0 if we're willing to use it, -1 otherwise.
6775 */
mbedtls_ssl_check_curve(const mbedtls_ssl_context * ssl,mbedtls_ecp_group_id grp_id)6776 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
6777 {
6778 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
6779
6780 if( group_list == NULL )
6781 return( -1 );
6782 uint16_t tls_id = mbedtls_ecp_curve_info_from_grp_id(grp_id)->tls_id;
6783
6784 for( ; *group_list != 0; group_list++ )
6785 {
6786 if( *group_list == tls_id )
6787 return( 0 );
6788 }
6789
6790 return( -1 );
6791 }
6792 #endif /* MBEDTLS_ECP_C */
6793
6794 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
6795 /*
6796 * Check if a hash proposed by the peer is in our list.
6797 * Return 0 if we're willing to use it, -1 otherwise.
6798 */
mbedtls_ssl_check_sig_hash(const mbedtls_ssl_context * ssl,mbedtls_md_type_t md)6799 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
6800 mbedtls_md_type_t md )
6801 {
6802 const int *cur;
6803
6804 if( ssl->conf->sig_hashes == NULL )
6805 return( -1 );
6806
6807 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
6808 if( *cur == (int) md )
6809 return( 0 );
6810
6811 return( -1 );
6812 }
6813 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
6814
6815 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt * cert,const mbedtls_ssl_ciphersuite_t * ciphersuite,int cert_endpoint,uint32_t * flags)6816 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
6817 const mbedtls_ssl_ciphersuite_t *ciphersuite,
6818 int cert_endpoint,
6819 uint32_t *flags )
6820 {
6821 int ret = 0;
6822 int usage = 0;
6823 const char *ext_oid;
6824 size_t ext_len;
6825
6826 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
6827 {
6828 /* Server part of the key exchange */
6829 switch( ciphersuite->key_exchange )
6830 {
6831 case MBEDTLS_KEY_EXCHANGE_RSA:
6832 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
6833 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
6834 break;
6835
6836 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
6837 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
6838 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
6839 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
6840 break;
6841
6842 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
6843 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
6844 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
6845 break;
6846
6847 /* Don't use default: we want warnings when adding new values */
6848 case MBEDTLS_KEY_EXCHANGE_NONE:
6849 case MBEDTLS_KEY_EXCHANGE_PSK:
6850 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
6851 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
6852 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
6853 usage = 0;
6854 }
6855 }
6856 else
6857 {
6858 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
6859 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
6860 }
6861
6862 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
6863 {
6864 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
6865 ret = -1;
6866 }
6867
6868 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
6869 {
6870 ext_oid = MBEDTLS_OID_SERVER_AUTH;
6871 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
6872 }
6873 else
6874 {
6875 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
6876 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
6877 }
6878
6879 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
6880 {
6881 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
6882 ret = -1;
6883 }
6884
6885 return( ret );
6886 }
6887 #endif /* MBEDTLS_X509_CRT_PARSE_C */
6888
mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context * ssl,int md)6889 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
6890 {
6891 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6892 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
6893 return( -1 );
6894
6895 switch( md )
6896 {
6897 #if defined(MBEDTLS_SHA384_C)
6898 case MBEDTLS_SSL_HASH_SHA384:
6899 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
6900 break;
6901 #endif
6902 #if defined(MBEDTLS_SHA256_C)
6903 case MBEDTLS_SSL_HASH_SHA256:
6904 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
6905 break;
6906 #endif
6907 default:
6908 return( -1 );
6909 }
6910
6911 return 0;
6912 #else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
6913 (void) ssl;
6914 (void) md;
6915
6916 return( -1 );
6917 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6918 }
6919
6920 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6921
6922 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)6923 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
6924 unsigned char *hash, size_t *hashlen,
6925 unsigned char *data, size_t data_len,
6926 mbedtls_md_type_t md_alg )
6927 {
6928 psa_status_t status;
6929 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
6930 psa_algorithm_t hash_alg = mbedtls_psa_translate_md( md_alg );
6931
6932 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform PSA-based computation of digest of ServerKeyExchange" ) );
6933
6934 if( ( status = psa_hash_setup( &hash_operation,
6935 hash_alg ) ) != PSA_SUCCESS )
6936 {
6937 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_setup", status );
6938 goto exit;
6939 }
6940
6941 if( ( status = psa_hash_update( &hash_operation, ssl->handshake->randbytes,
6942 64 ) ) != PSA_SUCCESS )
6943 {
6944 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
6945 goto exit;
6946 }
6947
6948 if( ( status = psa_hash_update( &hash_operation,
6949 data, data_len ) ) != PSA_SUCCESS )
6950 {
6951 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
6952 goto exit;
6953 }
6954
6955 if( ( status = psa_hash_finish( &hash_operation, hash, MBEDTLS_MD_MAX_SIZE,
6956 hashlen ) ) != PSA_SUCCESS )
6957 {
6958 MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status );
6959 goto exit;
6960 }
6961
6962 exit:
6963 if( status != PSA_SUCCESS )
6964 {
6965 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6966 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
6967 switch( status )
6968 {
6969 case PSA_ERROR_NOT_SUPPORTED:
6970 return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
6971 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
6972 case PSA_ERROR_BUFFER_TOO_SMALL:
6973 return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
6974 case PSA_ERROR_INSUFFICIENT_MEMORY:
6975 return( MBEDTLS_ERR_MD_ALLOC_FAILED );
6976 default:
6977 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
6978 }
6979 }
6980 return( 0 );
6981 }
6982
6983 #else
6984
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)6985 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
6986 unsigned char *hash, size_t *hashlen,
6987 unsigned char *data, size_t data_len,
6988 mbedtls_md_type_t md_alg )
6989 {
6990 int ret = 0;
6991 mbedtls_md_context_t ctx;
6992 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
6993 *hashlen = mbedtls_md_get_size( md_info );
6994
6995 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform mbedtls-based computation of digest of ServerKeyExchange" ) );
6996
6997 mbedtls_md_init( &ctx );
6998
6999 /*
7000 * digitally-signed struct {
7001 * opaque client_random[32];
7002 * opaque server_random[32];
7003 * ServerDHParams params;
7004 * };
7005 */
7006 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
7007 {
7008 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
7009 goto exit;
7010 }
7011 if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
7012 {
7013 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
7014 goto exit;
7015 }
7016 if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
7017 {
7018 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
7019 goto exit;
7020 }
7021 if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
7022 {
7023 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
7024 goto exit;
7025 }
7026 if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
7027 {
7028 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
7029 goto exit;
7030 }
7031
7032 exit:
7033 mbedtls_md_free( &ctx );
7034
7035 if( ret != 0 )
7036 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7037 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
7038
7039 return( ret );
7040 }
7041 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7042
7043 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
7044
7045 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)7046 int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
7047 const mbedtls_md_type_t md,
7048 unsigned char *dst,
7049 size_t dst_len,
7050 size_t *olen )
7051 {
7052 ((void) ssl);
7053 ((void) md);
7054 ((void) dst);
7055 ((void) dst_len);
7056 *olen = 0;
7057 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE);
7058 }
7059 #else /* MBEDTLS_USE_PSA_CRYPTO */
7060
7061 #if defined(MBEDTLS_SHA384_C)
ssl_get_handshake_transcript_sha384(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)7062 static int ssl_get_handshake_transcript_sha384( mbedtls_ssl_context *ssl,
7063 unsigned char *dst,
7064 size_t dst_len,
7065 size_t *olen )
7066 {
7067 int ret;
7068 mbedtls_sha512_context sha512;
7069
7070 if( dst_len < 48 )
7071 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
7072
7073 mbedtls_sha512_init( &sha512 );
7074 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
7075
7076 if( ( ret = mbedtls_sha512_finish( &sha512, dst ) ) != 0 )
7077 {
7078 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha512_finish", ret );
7079 goto exit;
7080 }
7081
7082 *olen = 48;
7083
7084 exit:
7085
7086 mbedtls_sha512_free( &sha512 );
7087 return( ret );
7088 }
7089 #endif /* MBEDTLS_SHA384_C */
7090
7091 #if defined(MBEDTLS_SHA256_C)
ssl_get_handshake_transcript_sha256(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)7092 static int ssl_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl,
7093 unsigned char *dst,
7094 size_t dst_len,
7095 size_t *olen )
7096 {
7097 int ret;
7098 mbedtls_sha256_context sha256;
7099
7100 if( dst_len < 32 )
7101 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
7102
7103 mbedtls_sha256_init( &sha256 );
7104 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
7105
7106 if( ( ret = mbedtls_sha256_finish( &sha256, dst ) ) != 0 )
7107 {
7108 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha256_finish", ret );
7109 goto exit;
7110 }
7111
7112 *olen = 32;
7113
7114 exit:
7115
7116 mbedtls_sha256_free( &sha256 );
7117 return( ret );
7118 }
7119 #endif /* MBEDTLS_SHA256_C */
7120
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)7121 int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
7122 const mbedtls_md_type_t md,
7123 unsigned char *dst,
7124 size_t dst_len,
7125 size_t *olen )
7126 {
7127 switch( md )
7128 {
7129
7130 #if defined(MBEDTLS_SHA384_C)
7131 case MBEDTLS_MD_SHA384:
7132 return( ssl_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) );
7133 #endif /* MBEDTLS_SHA384_C */
7134
7135 #if defined(MBEDTLS_SHA256_C)
7136 case MBEDTLS_MD_SHA256:
7137 return( ssl_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) );
7138 #endif /* MBEDTLS_SHA256_C */
7139
7140 default:
7141 break;
7142 }
7143 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
7144 }
7145 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
7146
7147 #endif /* MBEDTLS_SSL_TLS_C */
7148