• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  Common source code for SSL test programs. This file is included by
3  *  both ssl_client2.c and ssl_server2.c and is intended for source
4  *  code that is textually identical in both programs, but that cannot be
5  *  compiled separately because it refers to types or macros that are
6  *  different in the two programs, or because it would have an incomplete
7  *  type.
8  *
9  *  This file is meant to be #include'd and cannot be compiled separately.
10  *
11  *  Copyright The Mbed TLS Contributors
12  *  SPDX-License-Identifier: Apache-2.0
13  *
14  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
15  *  not use this file except in compliance with the License.
16  *  You may obtain a copy of the License at
17  *
18  *  http://www.apache.org/licenses/LICENSE-2.0
19  *
20  *  Unless required by applicable law or agreed to in writing, software
21  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
22  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
23  *  See the License for the specific language governing permissions and
24  *  limitations under the License.
25  */
26 
eap_tls_key_derivation(void * p_expkey,mbedtls_ssl_key_export_type secret_type,const unsigned char * secret,size_t secret_len,const unsigned char client_random[32],const unsigned char server_random[32],mbedtls_tls_prf_types tls_prf_type)27 void eap_tls_key_derivation(void *p_expkey,
28                             mbedtls_ssl_key_export_type secret_type,
29                             const unsigned char *secret,
30                             size_t secret_len,
31                             const unsigned char client_random[32],
32                             const unsigned char server_random[32],
33                             mbedtls_tls_prf_types tls_prf_type)
34 {
35     eap_tls_keys *keys = (eap_tls_keys *) p_expkey;
36 
37     /* We're only interested in the TLS 1.2 master secret */
38     if (secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET) {
39         return;
40     }
41     if (secret_len != sizeof(keys->master_secret)) {
42         return;
43     }
44 
45     memcpy(keys->master_secret, secret, sizeof(keys->master_secret));
46     memcpy(keys->randbytes, client_random, 32);
47     memcpy(keys->randbytes + 32, server_random, 32);
48     keys->tls_prf_type = tls_prf_type;
49 }
50 
nss_keylog_export(void * p_expkey,mbedtls_ssl_key_export_type secret_type,const unsigned char * secret,size_t secret_len,const unsigned char client_random[32],const unsigned char server_random[32],mbedtls_tls_prf_types tls_prf_type)51 void nss_keylog_export(void *p_expkey,
52                        mbedtls_ssl_key_export_type secret_type,
53                        const unsigned char *secret,
54                        size_t secret_len,
55                        const unsigned char client_random[32],
56                        const unsigned char server_random[32],
57                        mbedtls_tls_prf_types tls_prf_type)
58 {
59     char nss_keylog_line[200];
60     size_t const client_random_len = 32;
61     size_t len = 0;
62     size_t j;
63 
64     /* We're only interested in the TLS 1.2 master secret */
65     if (secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET) {
66         return;
67     }
68 
69     ((void) p_expkey);
70     ((void) server_random);
71     ((void) tls_prf_type);
72 
73     len += sprintf(nss_keylog_line + len,
74                    "%s", "CLIENT_RANDOM ");
75 
76     for (j = 0; j < client_random_len; j++) {
77         len += sprintf(nss_keylog_line + len,
78                        "%02x", client_random[j]);
79     }
80 
81     len += sprintf(nss_keylog_line + len, " ");
82 
83     for (j = 0; j < secret_len; j++) {
84         len += sprintf(nss_keylog_line + len,
85                        "%02x", secret[j]);
86     }
87 
88     len += sprintf(nss_keylog_line + len, "\n");
89     nss_keylog_line[len] = '\0';
90 
91     mbedtls_printf("\n");
92     mbedtls_printf("---------------- NSS KEYLOG -----------------\n");
93     mbedtls_printf("%s", nss_keylog_line);
94     mbedtls_printf("---------------------------------------------\n");
95 
96     if (opt.nss_keylog_file != NULL) {
97         FILE *f;
98 
99         if ((f = fopen(opt.nss_keylog_file, "a")) == NULL) {
100             goto exit;
101         }
102 
103         /* Ensure no stdio buffering of secrets, as such buffers cannot be
104          * wiped. */
105         mbedtls_setbuf(f, NULL);
106 
107         if (fwrite(nss_keylog_line, 1, len, f) != len) {
108             fclose(f);
109             goto exit;
110         }
111 
112         fclose(f);
113     }
114 
115 exit:
116     mbedtls_platform_zeroize(nss_keylog_line,
117                              sizeof(nss_keylog_line));
118 }
119 
120 #if defined(MBEDTLS_SSL_DTLS_SRTP)
dtls_srtp_key_derivation(void * p_expkey,mbedtls_ssl_key_export_type secret_type,const unsigned char * secret,size_t secret_len,const unsigned char client_random[32],const unsigned char server_random[32],mbedtls_tls_prf_types tls_prf_type)121 void dtls_srtp_key_derivation(void *p_expkey,
122                               mbedtls_ssl_key_export_type secret_type,
123                               const unsigned char *secret,
124                               size_t secret_len,
125                               const unsigned char client_random[32],
126                               const unsigned char server_random[32],
127                               mbedtls_tls_prf_types tls_prf_type)
128 {
129     dtls_srtp_keys *keys = (dtls_srtp_keys *) p_expkey;
130 
131     /* We're only interested in the TLS 1.2 master secret */
132     if (secret_type != MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET) {
133         return;
134     }
135     if (secret_len != sizeof(keys->master_secret)) {
136         return;
137     }
138 
139     memcpy(keys->master_secret, secret, sizeof(keys->master_secret));
140     memcpy(keys->randbytes, client_random, 32);
141     memcpy(keys->randbytes + 32, server_random, 32);
142     keys->tls_prf_type = tls_prf_type;
143 }
144 #endif /* MBEDTLS_SSL_DTLS_SRTP */
145 
ssl_check_record(mbedtls_ssl_context const * ssl,unsigned char const * buf,size_t len)146 int ssl_check_record(mbedtls_ssl_context const *ssl,
147                      unsigned char const *buf, size_t len)
148 {
149     int my_ret = 0, ret_cr1, ret_cr2;
150     unsigned char *tmp_buf;
151 
152     /* Record checking may modify the input buffer,
153      * so make a copy. */
154     tmp_buf = mbedtls_calloc(1, len);
155     if (tmp_buf == NULL) {
156         return MBEDTLS_ERR_SSL_ALLOC_FAILED;
157     }
158     memcpy(tmp_buf, buf, len);
159 
160     ret_cr1 = mbedtls_ssl_check_record(ssl, tmp_buf, len);
161     if (ret_cr1 != MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE) {
162         /* Test-only: Make sure that mbedtls_ssl_check_record()
163          *            doesn't alter state. */
164         memcpy(tmp_buf, buf, len);   /* Restore buffer */
165         ret_cr2 = mbedtls_ssl_check_record(ssl, tmp_buf, len);
166         if (ret_cr2 != ret_cr1) {
167             mbedtls_printf("mbedtls_ssl_check_record() returned inconsistent results.\n");
168             my_ret = -1;
169             goto cleanup;
170         }
171 
172         switch (ret_cr1) {
173             case 0:
174                 break;
175 
176             case MBEDTLS_ERR_SSL_INVALID_RECORD:
177                 if (opt.debug_level > 1) {
178                     mbedtls_printf("mbedtls_ssl_check_record() detected invalid record.\n");
179                 }
180                 break;
181 
182             case MBEDTLS_ERR_SSL_INVALID_MAC:
183                 if (opt.debug_level > 1) {
184                     mbedtls_printf("mbedtls_ssl_check_record() detected unauthentic record.\n");
185                 }
186                 break;
187 
188             case MBEDTLS_ERR_SSL_UNEXPECTED_RECORD:
189                 if (opt.debug_level > 1) {
190                     mbedtls_printf("mbedtls_ssl_check_record() detected unexpected record.\n");
191                 }
192                 break;
193 
194             default:
195                 mbedtls_printf("mbedtls_ssl_check_record() failed fatally with -%#04x.\n",
196                                (unsigned int) -ret_cr1);
197                 my_ret = -1;
198                 goto cleanup;
199         }
200 
201         /* Regardless of the outcome, forward the record to the stack. */
202     }
203 
204 cleanup:
205     mbedtls_free(tmp_buf);
206 
207     return my_ret;
208 }
209 
recv_cb(void * ctx,unsigned char * buf,size_t len)210 int recv_cb(void *ctx, unsigned char *buf, size_t len)
211 {
212     io_ctx_t *io_ctx = (io_ctx_t *) ctx;
213     size_t recv_len;
214     int ret;
215 
216     if (opt.nbio == 2) {
217         ret = delayed_recv(io_ctx->net, buf, len);
218     } else {
219         ret = mbedtls_net_recv(io_ctx->net, buf, len);
220     }
221     if (ret < 0) {
222         return ret;
223     }
224     recv_len = (size_t) ret;
225 
226     if (opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
227         /* Here's the place to do any datagram/record checking
228          * in between receiving the packet from the underlying
229          * transport and passing it on to the TLS stack. */
230         if (ssl_check_record(io_ctx->ssl, buf, recv_len) != 0) {
231             return -1;
232         }
233     }
234 
235     return (int) recv_len;
236 }
237 
recv_timeout_cb(void * ctx,unsigned char * buf,size_t len,uint32_t timeout)238 int recv_timeout_cb(void *ctx, unsigned char *buf, size_t len,
239                     uint32_t timeout)
240 {
241     io_ctx_t *io_ctx = (io_ctx_t *) ctx;
242     int ret;
243     size_t recv_len;
244 
245     ret = mbedtls_net_recv_timeout(io_ctx->net, buf, len, timeout);
246     if (ret < 0) {
247         return ret;
248     }
249     recv_len = (size_t) ret;
250 
251     if (opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
252         /* Here's the place to do any datagram/record checking
253          * in between receiving the packet from the underlying
254          * transport and passing it on to the TLS stack. */
255         if (ssl_check_record(io_ctx->ssl, buf, recv_len) != 0) {
256             return -1;
257         }
258     }
259 
260     return (int) recv_len;
261 }
262 
send_cb(void * ctx,unsigned char const * buf,size_t len)263 int send_cb(void *ctx, unsigned char const *buf, size_t len)
264 {
265     io_ctx_t *io_ctx = (io_ctx_t *) ctx;
266 
267     if (opt.nbio == 2) {
268         return delayed_send(io_ctx->net, buf, len);
269     }
270 
271     return mbedtls_net_send(io_ctx->net, buf, len);
272 }
273 
274 #if defined(MBEDTLS_X509_CRT_PARSE_C)
275 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && defined(MBEDTLS_RSA_C)
276 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
277 /*
278  *   When GnuTLS/Openssl server is configured in TLS 1.2 mode with a certificate
279  *   declaring an RSA public key and Mbed TLS is configured in hybrid mode, if
280  *   `rsa_pss_rsae_*` algorithms are before `rsa_pkcs1_*` ones in this list then
281  *   the GnuTLS/Openssl server chooses an `rsa_pss_rsae_*` signature algorithm
282  *   for its signature in the key exchange message. As Mbed TLS 1.2 does not
283  *   support them, the handshake fails.
284  */
285 #define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA), \
286     ((hash << 8) | MBEDTLS_SSL_SIG_RSA), \
287     (0x800 | hash),
288 #else
289 #define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA), \
290     ((hash << 8) | MBEDTLS_SSL_SIG_RSA),
291 #endif
292 #elif defined(MBEDTLS_PK_CAN_ECDSA_SOME)
293 #define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA),
294 #elif defined(MBEDTLS_RSA_C)
295 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
296 /* See above */
297 #define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_RSA), \
298     (0x800 | hash),
299 #else
300 #define MBEDTLS_SSL_SIG_ALG(hash) ((hash << 8) | MBEDTLS_SSL_SIG_RSA),
301 #endif
302 #else
303 #define MBEDTLS_SSL_SIG_ALG(hash)
304 #endif
305 
306 uint16_t ssl_sig_algs_for_test[] = {
307 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
308     MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA512)
309 #endif
310 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
311     MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA384)
312 #endif
313 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
314     MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA256)
315 #endif
316 #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
317     MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA224)
318 #endif
319 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
320     MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
321 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
322 #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
323     /* Allow SHA-1 as we use it extensively in tests. */
324     MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA1)
325 #endif
326     MBEDTLS_TLS1_3_SIG_NONE
327 };
328 #endif /* MBEDTLS_X509_CRT_PARSE_C */
329 
330 #if defined(MBEDTLS_X509_CRT_PARSE_C)
331 /** Functionally equivalent to mbedtls_x509_crt_verify_info, see that function
332  *  for more info.
333  */
x509_crt_verify_info(char * buf,size_t size,const char * prefix,uint32_t flags)334 int x509_crt_verify_info(char *buf, size_t size, const char *prefix,
335                          uint32_t flags)
336 {
337 #if !defined(MBEDTLS_X509_REMOVE_INFO)
338     return mbedtls_x509_crt_verify_info(buf, size, prefix, flags);
339 
340 #else /* !MBEDTLS_X509_REMOVE_INFO */
341     int ret;
342     char *p = buf;
343     size_t n = size;
344 
345 #define X509_CRT_ERROR_INFO(err, err_str, info)                      \
346     if ((flags & err) != 0)                                         \
347     {                                                                  \
348         ret = mbedtls_snprintf(p, n, "%s%s\n", prefix, info);        \
349         MBEDTLS_X509_SAFE_SNPRINTF;                                    \
350         flags ^= err;                                                  \
351     }
352 
353     MBEDTLS_X509_CRT_ERROR_INFO_LIST
354 #undef X509_CRT_ERROR_INFO
355 
356     if (flags != 0) {
357         ret = mbedtls_snprintf(p, n, "%sUnknown reason "
358                                      "(this should not happen)\n", prefix);
359         MBEDTLS_X509_SAFE_SNPRINTF;
360     }
361 
362     return (int) (size - n);
363 #endif /* MBEDTLS_X509_REMOVE_INFO */
364 }
365 #endif /* MBEDTLS_X509_CRT_PARSE_C */
366 
mbedtls_print_supported_sig_algs(void)367 void mbedtls_print_supported_sig_algs(void)
368 {
369     mbedtls_printf("supported signature algorithms:\n");
370     mbedtls_printf("\trsa_pkcs1_sha256 ");
371     mbedtls_printf("rsa_pkcs1_sha384 ");
372     mbedtls_printf("rsa_pkcs1_sha512\n");
373     mbedtls_printf("\tecdsa_secp256r1_sha256 ");
374     mbedtls_printf("ecdsa_secp384r1_sha384 ");
375     mbedtls_printf("ecdsa_secp521r1_sha512\n");
376     mbedtls_printf("\trsa_pss_rsae_sha256 ");
377     mbedtls_printf("rsa_pss_rsae_sha384 ");
378     mbedtls_printf("rsa_pss_rsae_sha512\n");
379     mbedtls_printf("\trsa_pss_pss_sha256 ");
380     mbedtls_printf("rsa_pss_pss_sha384 ");
381     mbedtls_printf("rsa_pss_pss_sha512\n");
382     mbedtls_printf("\ted25519 ");
383     mbedtls_printf("ed448 ");
384     mbedtls_printf("rsa_pkcs1_sha1 ");
385     mbedtls_printf("ecdsa_sha1\n");
386     mbedtls_printf("\n");
387 }
388