1 /*
2 * TLS shared functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * http://www.ietf.org/rfc/rfc2246.txt
9 * http://www.ietf.org/rfc/rfc4346.txt
10 */
11
12 #include "common.h"
13
14 #if defined(MBEDTLS_SSL_TLS_C)
15
16 #include "mbedtls/platform.h"
17
18 #include "mbedtls/ssl.h"
19 #include "ssl_client.h"
20 #include "ssl_debug_helpers.h"
21 #include "ssl_misc.h"
22
23 #include "debug_internal.h"
24 #include "mbedtls/error.h"
25 #include "mbedtls/platform_util.h"
26 #include "mbedtls/version.h"
27 #include "mbedtls/constant_time.h"
28
29 #include <string.h>
30
31 #if defined(MBEDTLS_USE_PSA_CRYPTO)
32 #include "mbedtls/psa_util.h"
33 #include "md_psa.h"
34 #include "psa_util_internal.h"
35 #include "psa/crypto.h"
36 #endif
37
38 #if defined(MBEDTLS_X509_CRT_PARSE_C)
39 #include "mbedtls/oid.h"
40 #endif
41
42 #if defined(MBEDTLS_USE_PSA_CRYPTO)
43 /* Define local translating functions to save code size by not using too many
44 * arguments in each translating place. */
local_err_translation(psa_status_t status)45 static int local_err_translation(psa_status_t status)
46 {
47 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
48 ARRAY_LENGTH(psa_to_ssl_errors),
49 psa_generic_status_to_mbedtls);
50 }
51 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
52 #endif
53
54 #if defined(MBEDTLS_TEST_HOOKS)
55 static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
56
mbedtls_ssl_set_chk_buf_ptr_fail_args(const uint8_t * cur,const uint8_t * end,size_t need)57 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
58 const uint8_t *cur, const uint8_t *end, size_t need)
59 {
60 chk_buf_ptr_fail_args.cur = cur;
61 chk_buf_ptr_fail_args.end = end;
62 chk_buf_ptr_fail_args.need = need;
63 }
64
mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)65 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
66 {
67 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
68 }
69
mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args * args)70 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
71 {
72 return (chk_buf_ptr_fail_args.cur != args->cur) ||
73 (chk_buf_ptr_fail_args.end != args->end) ||
74 (chk_buf_ptr_fail_args.need != args->need);
75 }
76 #endif /* MBEDTLS_TEST_HOOKS */
77
78 #if defined(MBEDTLS_SSL_PROTO_DTLS)
79
80 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
81 /* Top-level Connection ID API */
82
mbedtls_ssl_conf_cid(mbedtls_ssl_config * conf,size_t len,int ignore_other_cid)83 int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
84 size_t len,
85 int ignore_other_cid)
86 {
87 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
88 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
89 }
90
91 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
92 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
93 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
94 }
95
96 conf->ignore_unexpected_cid = ignore_other_cid;
97 conf->cid_len = len;
98 return 0;
99 }
100
mbedtls_ssl_set_cid(mbedtls_ssl_context * ssl,int enable,unsigned char const * own_cid,size_t own_cid_len)101 int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
102 int enable,
103 unsigned char const *own_cid,
104 size_t own_cid_len)
105 {
106 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
107 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
108 }
109
110 ssl->negotiate_cid = enable;
111 if (enable == MBEDTLS_SSL_CID_DISABLED) {
112 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
113 return 0;
114 }
115 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
116 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
117
118 if (own_cid_len != ssl->conf->cid_len) {
119 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
120 (unsigned) own_cid_len,
121 (unsigned) ssl->conf->cid_len));
122 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
123 }
124
125 memcpy(ssl->own_cid, own_cid, own_cid_len);
126 /* Truncation is not an issue here because
127 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
128 ssl->own_cid_len = (uint8_t) own_cid_len;
129
130 return 0;
131 }
132
mbedtls_ssl_get_own_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],size_t * own_cid_len)133 int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
134 int *enabled,
135 unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
136 size_t *own_cid_len)
137 {
138 *enabled = MBEDTLS_SSL_CID_DISABLED;
139
140 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
141 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
142 }
143
144 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
145 * zero as this is indistinguishable from not requesting to use
146 * the CID extension. */
147 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
148 return 0;
149 }
150
151 if (own_cid_len != NULL) {
152 *own_cid_len = ssl->own_cid_len;
153 if (own_cid != NULL) {
154 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
155 }
156 }
157
158 *enabled = MBEDTLS_SSL_CID_ENABLED;
159
160 return 0;
161 }
162
mbedtls_ssl_get_peer_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],size_t * peer_cid_len)163 int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
164 int *enabled,
165 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
166 size_t *peer_cid_len)
167 {
168 *enabled = MBEDTLS_SSL_CID_DISABLED;
169
170 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
171 mbedtls_ssl_is_handshake_over(ssl) == 0) {
172 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
173 }
174
175 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
176 * were used, but client and server requested the empty CID.
177 * This is indistinguishable from not using the CID extension
178 * in the first place. */
179 if (ssl->transform_in->in_cid_len == 0 &&
180 ssl->transform_in->out_cid_len == 0) {
181 return 0;
182 }
183
184 if (peer_cid_len != NULL) {
185 *peer_cid_len = ssl->transform_in->out_cid_len;
186 if (peer_cid != NULL) {
187 memcpy(peer_cid, ssl->transform_in->out_cid,
188 ssl->transform_in->out_cid_len);
189 }
190 }
191
192 *enabled = MBEDTLS_SSL_CID_ENABLED;
193
194 return 0;
195 }
196 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
197
198 #endif /* MBEDTLS_SSL_PROTO_DTLS */
199
200 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
201 /*
202 * Convert max_fragment_length codes to length.
203 * RFC 6066 says:
204 * enum{
205 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
206 * } MaxFragmentLength;
207 * and we add 0 -> extension unused
208 */
ssl_mfl_code_to_length(int mfl)209 static unsigned int ssl_mfl_code_to_length(int mfl)
210 {
211 switch (mfl) {
212 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
213 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
214 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
215 return 512;
216 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
217 return 1024;
218 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
219 return 2048;
220 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
221 return 4096;
222 default:
223 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
224 }
225 }
226 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
227
mbedtls_ssl_session_copy(mbedtls_ssl_session * dst,const mbedtls_ssl_session * src)228 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
229 const mbedtls_ssl_session *src)
230 {
231 mbedtls_ssl_session_free(dst);
232 memcpy(dst, src, sizeof(mbedtls_ssl_session));
233 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
234 dst->ticket = NULL;
235 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
236 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
237 dst->hostname = NULL;
238 #endif
239 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
240
241 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
242 defined(MBEDTLS_SSL_EARLY_DATA)
243 dst->ticket_alpn = NULL;
244 #endif
245
246 #if defined(MBEDTLS_X509_CRT_PARSE_C)
247
248 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
249 if (src->peer_cert != NULL) {
250 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
251
252 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
253 if (dst->peer_cert == NULL) {
254 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
255 }
256
257 mbedtls_x509_crt_init(dst->peer_cert);
258
259 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
260 src->peer_cert->raw.len)) != 0) {
261 mbedtls_free(dst->peer_cert);
262 dst->peer_cert = NULL;
263 return ret;
264 }
265 }
266 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
267 if (src->peer_cert_digest != NULL) {
268 dst->peer_cert_digest =
269 mbedtls_calloc(1, src->peer_cert_digest_len);
270 if (dst->peer_cert_digest == NULL) {
271 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
272 }
273
274 memcpy(dst->peer_cert_digest, src->peer_cert_digest,
275 src->peer_cert_digest_len);
276 dst->peer_cert_digest_type = src->peer_cert_digest_type;
277 dst->peer_cert_digest_len = src->peer_cert_digest_len;
278 }
279 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
280
281 #endif /* MBEDTLS_X509_CRT_PARSE_C */
282
283 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
284 defined(MBEDTLS_SSL_EARLY_DATA)
285 {
286 int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
287 if (ret != 0) {
288 return ret;
289 }
290 }
291 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */
292
293 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
294 if (src->ticket != NULL) {
295 dst->ticket = mbedtls_calloc(1, src->ticket_len);
296 if (dst->ticket == NULL) {
297 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
298 }
299
300 memcpy(dst->ticket, src->ticket, src->ticket_len);
301 }
302
303 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
304 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
305 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
306 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
307 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
308 if (ret != 0) {
309 return ret;
310 }
311 }
312 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
313 MBEDTLS_SSL_SERVER_NAME_INDICATION */
314 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
315
316 return 0;
317 }
318
319 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
320 MBEDTLS_CHECK_RETURN_CRITICAL
resize_buffer(unsigned char ** buffer,size_t len_new,size_t * len_old)321 static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
322 {
323 unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
324 if (resized_buffer == NULL) {
325 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
326 }
327
328 /* We want to copy len_new bytes when downsizing the buffer, and
329 * len_old bytes when upsizing, so we choose the smaller of two sizes,
330 * to fit one buffer into another. Size checks, ensuring that no data is
331 * lost, are done outside of this function. */
332 memcpy(resized_buffer, *buffer,
333 (len_new < *len_old) ? len_new : *len_old);
334 mbedtls_zeroize_and_free(*buffer, *len_old);
335
336 *buffer = resized_buffer;
337 *len_old = len_new;
338
339 return 0;
340 }
341
handle_buffer_resizing(mbedtls_ssl_context * ssl,int downsizing,size_t in_buf_new_len,size_t out_buf_new_len)342 static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
343 size_t in_buf_new_len,
344 size_t out_buf_new_len)
345 {
346 int modified = 0;
347 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
348 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
349 if (ssl->in_buf != NULL) {
350 written_in = ssl->in_msg - ssl->in_buf;
351 iv_offset_in = ssl->in_iv - ssl->in_buf;
352 len_offset_in = ssl->in_len - ssl->in_buf;
353 if (downsizing ?
354 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
355 ssl->in_buf_len < in_buf_new_len) {
356 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
357 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
358 } else {
359 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
360 in_buf_new_len));
361 modified = 1;
362 }
363 }
364 }
365
366 if (ssl->out_buf != NULL) {
367 written_out = ssl->out_msg - ssl->out_buf;
368 iv_offset_out = ssl->out_iv - ssl->out_buf;
369 len_offset_out = ssl->out_len - ssl->out_buf;
370 if (downsizing ?
371 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
372 ssl->out_buf_len < out_buf_new_len) {
373 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
374 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
375 } else {
376 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
377 out_buf_new_len));
378 modified = 1;
379 }
380 }
381 }
382 if (modified) {
383 /* Update pointers here to avoid doing it twice. */
384 mbedtls_ssl_reset_in_out_pointers(ssl);
385 /* Fields below might not be properly updated with record
386 * splitting or with CID, so they are manually updated here. */
387 ssl->out_msg = ssl->out_buf + written_out;
388 ssl->out_len = ssl->out_buf + len_offset_out;
389 ssl->out_iv = ssl->out_buf + iv_offset_out;
390
391 ssl->in_msg = ssl->in_buf + written_in;
392 ssl->in_len = ssl->in_buf + len_offset_in;
393 ssl->in_iv = ssl->in_buf + iv_offset_in;
394 }
395 }
396 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
397
398 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
399
400 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
401 typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
402 const char *label,
403 const unsigned char *random, size_t rlen,
404 unsigned char *dstbuf, size_t dlen);
405
406 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
407
408 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
409
410 /* Type for the TLS PRF */
411 typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
412 const unsigned char *, size_t,
413 unsigned char *, size_t);
414
415 MBEDTLS_CHECK_RETURN_CRITICAL
416 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
417 int ciphersuite,
418 const unsigned char master[48],
419 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
420 int encrypt_then_mac,
421 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
422 ssl_tls_prf_t tls_prf,
423 const unsigned char randbytes[64],
424 mbedtls_ssl_protocol_version tls_version,
425 unsigned endpoint,
426 const mbedtls_ssl_context *ssl);
427
428 #if defined(MBEDTLS_MD_CAN_SHA256)
429 MBEDTLS_CHECK_RETURN_CRITICAL
430 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
431 const char *label,
432 const unsigned char *random, size_t rlen,
433 unsigned char *dstbuf, size_t dlen);
434 static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
435 static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
436
437 #endif /* MBEDTLS_MD_CAN_SHA256*/
438
439 #if defined(MBEDTLS_MD_CAN_SHA384)
440 MBEDTLS_CHECK_RETURN_CRITICAL
441 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
442 const char *label,
443 const unsigned char *random, size_t rlen,
444 unsigned char *dstbuf, size_t dlen);
445
446 static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
447 static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
448 #endif /* MBEDTLS_MD_CAN_SHA384*/
449
450 MBEDTLS_CHECK_RETURN_CRITICAL
451 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
452 const unsigned char *buf,
453 size_t len);
454 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
455
456 static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
457
458 #if defined(MBEDTLS_MD_CAN_SHA256)
459 static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
460 #endif /* MBEDTLS_MD_CAN_SHA256*/
461
462 #if defined(MBEDTLS_MD_CAN_SHA384)
463 static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
464 #endif /* MBEDTLS_MD_CAN_SHA384*/
465
mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)466 int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
467 const unsigned char *secret, size_t slen,
468 const char *label,
469 const unsigned char *random, size_t rlen,
470 unsigned char *dstbuf, size_t dlen)
471 {
472 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
473
474 switch (prf) {
475 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
476 #if defined(MBEDTLS_MD_CAN_SHA384)
477 case MBEDTLS_SSL_TLS_PRF_SHA384:
478 tls_prf = tls_prf_sha384;
479 break;
480 #endif /* MBEDTLS_MD_CAN_SHA384*/
481 #if defined(MBEDTLS_MD_CAN_SHA256)
482 case MBEDTLS_SSL_TLS_PRF_SHA256:
483 tls_prf = tls_prf_sha256;
484 break;
485 #endif /* MBEDTLS_MD_CAN_SHA256*/
486 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
487 default:
488 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
489 }
490
491 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
492 }
493
494 #if defined(MBEDTLS_X509_CRT_PARSE_C)
ssl_clear_peer_cert(mbedtls_ssl_session * session)495 static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
496 {
497 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
498 if (session->peer_cert != NULL) {
499 mbedtls_x509_crt_free(session->peer_cert);
500 mbedtls_free(session->peer_cert);
501 session->peer_cert = NULL;
502 }
503 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
504 if (session->peer_cert_digest != NULL) {
505 /* Zeroization is not necessary. */
506 mbedtls_free(session->peer_cert_digest);
507 session->peer_cert_digest = NULL;
508 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
509 session->peer_cert_digest_len = 0;
510 }
511 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
512 }
513 #endif /* MBEDTLS_X509_CRT_PARSE_C */
514
mbedtls_ssl_get_extension_id(unsigned int extension_type)515 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
516 {
517 switch (extension_type) {
518 case MBEDTLS_TLS_EXT_SERVERNAME:
519 return MBEDTLS_SSL_EXT_ID_SERVERNAME;
520
521 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
522 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH;
523
524 case MBEDTLS_TLS_EXT_STATUS_REQUEST:
525 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST;
526
527 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
528 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS;
529
530 case MBEDTLS_TLS_EXT_SIG_ALG:
531 return MBEDTLS_SSL_EXT_ID_SIG_ALG;
532
533 case MBEDTLS_TLS_EXT_USE_SRTP:
534 return MBEDTLS_SSL_EXT_ID_USE_SRTP;
535
536 case MBEDTLS_TLS_EXT_HEARTBEAT:
537 return MBEDTLS_SSL_EXT_ID_HEARTBEAT;
538
539 case MBEDTLS_TLS_EXT_ALPN:
540 return MBEDTLS_SSL_EXT_ID_ALPN;
541
542 case MBEDTLS_TLS_EXT_SCT:
543 return MBEDTLS_SSL_EXT_ID_SCT;
544
545 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
546 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE;
547
548 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
549 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE;
550
551 case MBEDTLS_TLS_EXT_PADDING:
552 return MBEDTLS_SSL_EXT_ID_PADDING;
553
554 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
555 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY;
556
557 case MBEDTLS_TLS_EXT_EARLY_DATA:
558 return MBEDTLS_SSL_EXT_ID_EARLY_DATA;
559
560 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
561 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS;
562
563 case MBEDTLS_TLS_EXT_COOKIE:
564 return MBEDTLS_SSL_EXT_ID_COOKIE;
565
566 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
567 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES;
568
569 case MBEDTLS_TLS_EXT_CERT_AUTH:
570 return MBEDTLS_SSL_EXT_ID_CERT_AUTH;
571
572 case MBEDTLS_TLS_EXT_OID_FILTERS:
573 return MBEDTLS_SSL_EXT_ID_OID_FILTERS;
574
575 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
576 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH;
577
578 case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
579 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT;
580
581 case MBEDTLS_TLS_EXT_KEY_SHARE:
582 return MBEDTLS_SSL_EXT_ID_KEY_SHARE;
583
584 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
585 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC;
586
587 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
588 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS;
589
590 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
591 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC;
592
593 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
594 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET;
595
596 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
597 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT;
598
599 case MBEDTLS_TLS_EXT_SESSION_TICKET:
600 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET;
601
602 }
603
604 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
605 }
606
mbedtls_ssl_get_extension_mask(unsigned int extension_type)607 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
608 {
609 return 1 << mbedtls_ssl_get_extension_id(extension_type);
610 }
611
612 #if defined(MBEDTLS_DEBUG_C)
613 static const char *extension_name_table[] = {
614 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
615 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
616 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
617 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
618 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
619 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
620 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
621 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
622 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
623 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
624 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
625 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
626 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
627 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
628 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
629 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
630 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
631 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
632 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
633 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
634 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
635 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
636 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
637 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
638 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
639 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
640 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
641 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
642 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
643 };
644
645 static const unsigned int extension_type_table[] = {
646 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
647 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
648 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
649 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
650 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
651 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
652 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
653 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
654 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
655 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
656 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
657 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
658 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
659 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
660 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
661 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
662 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
663 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
664 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
665 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
666 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
667 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
668 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
669 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
670 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
671 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
672 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
673 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
674 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
675 };
676
mbedtls_ssl_get_extension_name(unsigned int extension_type)677 const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
678 {
679 return extension_name_table[
680 mbedtls_ssl_get_extension_id(extension_type)];
681 }
682
ssl_tls13_get_hs_msg_name(int hs_msg_type)683 static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
684 {
685 switch (hs_msg_type) {
686 case MBEDTLS_SSL_HS_CLIENT_HELLO:
687 return "ClientHello";
688 case MBEDTLS_SSL_HS_SERVER_HELLO:
689 return "ServerHello";
690 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
691 return "HelloRetryRequest";
692 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
693 return "NewSessionTicket";
694 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
695 return "EncryptedExtensions";
696 case MBEDTLS_SSL_HS_CERTIFICATE:
697 return "Certificate";
698 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
699 return "CertificateRequest";
700 }
701 return "Unknown";
702 }
703
mbedtls_ssl_print_extension(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,unsigned int extension_type,const char * extra_msg0,const char * extra_msg1)704 void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
705 int level, const char *file, int line,
706 int hs_msg_type, unsigned int extension_type,
707 const char *extra_msg0, const char *extra_msg1)
708 {
709 const char *extra_msg;
710 if (extra_msg0 && extra_msg1) {
711 mbedtls_debug_print_msg(
712 ssl, level, file, line,
713 "%s: %s(%u) extension %s %s.",
714 ssl_tls13_get_hs_msg_name(hs_msg_type),
715 mbedtls_ssl_get_extension_name(extension_type),
716 extension_type,
717 extra_msg0, extra_msg1);
718 return;
719 }
720
721 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
722 if (extra_msg) {
723 mbedtls_debug_print_msg(
724 ssl, level, file, line,
725 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
726 mbedtls_ssl_get_extension_name(extension_type), extension_type,
727 extra_msg);
728 return;
729 }
730
731 mbedtls_debug_print_msg(
732 ssl, level, file, line,
733 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
734 mbedtls_ssl_get_extension_name(extension_type), extension_type);
735 }
736
mbedtls_ssl_print_extensions(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,uint32_t extensions_mask,const char * extra)737 void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
738 int level, const char *file, int line,
739 int hs_msg_type, uint32_t extensions_mask,
740 const char *extra)
741 {
742
743 for (unsigned i = 0;
744 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
745 i++) {
746 mbedtls_ssl_print_extension(
747 ssl, level, file, line, hs_msg_type, extension_type_table[i],
748 extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
749 }
750 }
751
752 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
753 static const char *ticket_flag_name_table[] =
754 {
755 [0] = "ALLOW_PSK_RESUMPTION",
756 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
757 [3] = "ALLOW_EARLY_DATA",
758 };
759
mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context * ssl,int level,const char * file,int line,unsigned int flags)760 void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
761 int level, const char *file, int line,
762 unsigned int flags)
763 {
764 size_t i;
765
766 mbedtls_debug_print_msg(ssl, level, file, line,
767 "print ticket_flags (0x%02x)", flags);
768
769 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
770
771 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
772 if ((flags & (1 << i))) {
773 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
774 ticket_flag_name_table[i]);
775 }
776 }
777 }
778 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
779
780 #endif /* MBEDTLS_DEBUG_C */
781
mbedtls_ssl_optimize_checksum(mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * ciphersuite_info)782 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
783 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
784 {
785 ((void) ciphersuite_info);
786
787 #if defined(MBEDTLS_MD_CAN_SHA384)
788 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
789 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
790 } else
791 #endif
792 #if defined(MBEDTLS_MD_CAN_SHA256)
793 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
794 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
795 } else
796 #endif
797 {
798 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
799 return;
800 }
801 }
802
mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,size_t total_hs_len)803 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
804 unsigned hs_type,
805 size_t total_hs_len)
806 {
807 unsigned char hs_hdr[4];
808
809 /* Build HS header for checksum update. */
810 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
811 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
812 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
813 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
814
815 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
816 }
817
mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,unsigned char const * msg,size_t msg_len)818 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
819 unsigned hs_type,
820 unsigned char const *msg,
821 size_t msg_len)
822 {
823 int ret;
824 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
825 if (ret != 0) {
826 return ret;
827 }
828 return ssl->handshake->update_checksum(ssl, msg, msg_len);
829 }
830
mbedtls_ssl_reset_checksum(mbedtls_ssl_context * ssl)831 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
832 {
833 #if defined(MBEDTLS_MD_CAN_SHA256) || \
834 defined(MBEDTLS_MD_CAN_SHA384)
835 #if defined(MBEDTLS_USE_PSA_CRYPTO)
836 psa_status_t status;
837 #else
838 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
839 #endif
840 #else /* SHA-256 or SHA-384 */
841 ((void) ssl);
842 #endif /* SHA-256 or SHA-384 */
843 #if defined(MBEDTLS_MD_CAN_SHA256)
844 #if defined(MBEDTLS_USE_PSA_CRYPTO)
845 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
846 if (status != PSA_SUCCESS) {
847 return mbedtls_md_error_from_psa(status);
848 }
849 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
850 if (status != PSA_SUCCESS) {
851 return mbedtls_md_error_from_psa(status);
852 }
853 #else
854 mbedtls_md_free(&ssl->handshake->fin_sha256);
855 mbedtls_md_init(&ssl->handshake->fin_sha256);
856 ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
857 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
858 0);
859 if (ret != 0) {
860 return ret;
861 }
862 ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
863 if (ret != 0) {
864 return ret;
865 }
866 #endif
867 #endif
868 #if defined(MBEDTLS_MD_CAN_SHA384)
869 #if defined(MBEDTLS_USE_PSA_CRYPTO)
870 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
871 if (status != PSA_SUCCESS) {
872 return mbedtls_md_error_from_psa(status);
873 }
874 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
875 if (status != PSA_SUCCESS) {
876 return mbedtls_md_error_from_psa(status);
877 }
878 #else
879 mbedtls_md_free(&ssl->handshake->fin_sha384);
880 mbedtls_md_init(&ssl->handshake->fin_sha384);
881 ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
882 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
883 if (ret != 0) {
884 return ret;
885 }
886 ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
887 if (ret != 0) {
888 return ret;
889 }
890 #endif
891 #endif
892 return 0;
893 }
894
ssl_update_checksum_start(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)895 static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
896 const unsigned char *buf, size_t len)
897 {
898 #if defined(MBEDTLS_MD_CAN_SHA256) || \
899 defined(MBEDTLS_MD_CAN_SHA384)
900 #if defined(MBEDTLS_USE_PSA_CRYPTO)
901 psa_status_t status;
902 #else
903 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
904 #endif
905 #else /* SHA-256 or SHA-384 */
906 ((void) ssl);
907 (void) buf;
908 (void) len;
909 #endif /* SHA-256 or SHA-384 */
910 #if defined(MBEDTLS_MD_CAN_SHA256)
911 #if defined(MBEDTLS_USE_PSA_CRYPTO)
912 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
913 if (status != PSA_SUCCESS) {
914 return mbedtls_md_error_from_psa(status);
915 }
916 #else
917 ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
918 if (ret != 0) {
919 return ret;
920 }
921 #endif
922 #endif
923 #if defined(MBEDTLS_MD_CAN_SHA384)
924 #if defined(MBEDTLS_USE_PSA_CRYPTO)
925 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
926 if (status != PSA_SUCCESS) {
927 return mbedtls_md_error_from_psa(status);
928 }
929 #else
930 ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
931 if (ret != 0) {
932 return ret;
933 }
934 #endif
935 #endif
936 return 0;
937 }
938
939 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_update_checksum_sha256(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)940 static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
941 const unsigned char *buf, size_t len)
942 {
943 #if defined(MBEDTLS_USE_PSA_CRYPTO)
944 return mbedtls_md_error_from_psa(psa_hash_update(
945 &ssl->handshake->fin_sha256_psa, buf, len));
946 #else
947 return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
948 #endif
949 }
950 #endif
951
952 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_update_checksum_sha384(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)953 static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
954 const unsigned char *buf, size_t len)
955 {
956 #if defined(MBEDTLS_USE_PSA_CRYPTO)
957 return mbedtls_md_error_from_psa(psa_hash_update(
958 &ssl->handshake->fin_sha384_psa, buf, len));
959 #else
960 return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
961 #endif
962 }
963 #endif
964
ssl_handshake_params_init(mbedtls_ssl_handshake_params * handshake)965 static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
966 {
967 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
968
969 #if defined(MBEDTLS_MD_CAN_SHA256)
970 #if defined(MBEDTLS_USE_PSA_CRYPTO)
971 handshake->fin_sha256_psa = psa_hash_operation_init();
972 #else
973 mbedtls_md_init(&handshake->fin_sha256);
974 #endif
975 #endif
976 #if defined(MBEDTLS_MD_CAN_SHA384)
977 #if defined(MBEDTLS_USE_PSA_CRYPTO)
978 handshake->fin_sha384_psa = psa_hash_operation_init();
979 #else
980 mbedtls_md_init(&handshake->fin_sha384);
981 #endif
982 #endif
983
984 handshake->update_checksum = ssl_update_checksum_start;
985
986 #if defined(MBEDTLS_DHM_C)
987 mbedtls_dhm_init(&handshake->dhm_ctx);
988 #endif
989 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
990 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
991 mbedtls_ecdh_init(&handshake->ecdh_ctx);
992 #endif
993 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
994 #if defined(MBEDTLS_USE_PSA_CRYPTO)
995 handshake->psa_pake_ctx = psa_pake_operation_init();
996 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
997 #else
998 mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
999 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1000 #if defined(MBEDTLS_SSL_CLI_C)
1001 handshake->ecjpake_cache = NULL;
1002 handshake->ecjpake_cache_len = 0;
1003 #endif
1004 #endif
1005
1006 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
1007 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
1008 #endif
1009
1010 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1011 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
1012 #endif
1013
1014 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1015 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1016 mbedtls_pk_init(&handshake->peer_pubkey);
1017 #endif
1018 }
1019
mbedtls_ssl_transform_init(mbedtls_ssl_transform * transform)1020 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
1021 {
1022 memset(transform, 0, sizeof(mbedtls_ssl_transform));
1023
1024 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1025 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
1026 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
1027 #else
1028 mbedtls_cipher_init(&transform->cipher_ctx_enc);
1029 mbedtls_cipher_init(&transform->cipher_ctx_dec);
1030 #endif
1031
1032 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1033 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1034 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
1035 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
1036 #else
1037 mbedtls_md_init(&transform->md_ctx_enc);
1038 mbedtls_md_init(&transform->md_ctx_dec);
1039 #endif
1040 #endif
1041 }
1042
mbedtls_ssl_session_init(mbedtls_ssl_session * session)1043 void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
1044 {
1045 memset(session, 0, sizeof(mbedtls_ssl_session));
1046 }
1047
1048 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_handshake_init(mbedtls_ssl_context * ssl)1049 static int ssl_handshake_init(mbedtls_ssl_context *ssl)
1050 {
1051 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1052
1053 /* Clear old handshake information if present */
1054 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1055 if (ssl->transform_negotiate) {
1056 mbedtls_ssl_transform_free(ssl->transform_negotiate);
1057 }
1058 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1059 if (ssl->session_negotiate) {
1060 mbedtls_ssl_session_free(ssl->session_negotiate);
1061 }
1062 if (ssl->handshake) {
1063 mbedtls_ssl_handshake_free(ssl);
1064 }
1065
1066 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1067 /*
1068 * Either the pointers are now NULL or cleared properly and can be freed.
1069 * Now allocate missing structures.
1070 */
1071 if (ssl->transform_negotiate == NULL) {
1072 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
1073 }
1074 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1075
1076 if (ssl->session_negotiate == NULL) {
1077 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
1078 }
1079
1080 if (ssl->handshake == NULL) {
1081 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
1082 }
1083 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1084 /* If the buffers are too small - reallocate */
1085
1086 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
1087 MBEDTLS_SSL_OUT_BUFFER_LEN);
1088 #endif
1089
1090 /* All pointers should exist and can be directly freed without issue */
1091 if (ssl->handshake == NULL ||
1092 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1093 ssl->transform_negotiate == NULL ||
1094 #endif
1095 ssl->session_negotiate == NULL) {
1096 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
1097
1098 mbedtls_free(ssl->handshake);
1099 ssl->handshake = NULL;
1100
1101 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1102 mbedtls_free(ssl->transform_negotiate);
1103 ssl->transform_negotiate = NULL;
1104 #endif
1105
1106 mbedtls_free(ssl->session_negotiate);
1107 ssl->session_negotiate = NULL;
1108
1109 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1110 }
1111
1112 #if defined(MBEDTLS_SSL_EARLY_DATA)
1113 #if defined(MBEDTLS_SSL_CLI_C)
1114 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
1115 #endif
1116 #if defined(MBEDTLS_SSL_SRV_C)
1117 ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
1118 #endif
1119 ssl->total_early_data_size = 0;
1120 #endif /* MBEDTLS_SSL_EARLY_DATA */
1121
1122 /* Initialize structures */
1123 mbedtls_ssl_session_init(ssl->session_negotiate);
1124 ssl_handshake_params_init(ssl->handshake);
1125
1126 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1127 mbedtls_ssl_transform_init(ssl->transform_negotiate);
1128 #endif
1129
1130 /* Setup handshake checksums */
1131 ret = mbedtls_ssl_reset_checksum(ssl);
1132 if (ret != 0) {
1133 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1134 return ret;
1135 }
1136
1137 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
1138 defined(MBEDTLS_SSL_SRV_C) && \
1139 defined(MBEDTLS_SSL_SESSION_TICKETS)
1140 ssl->handshake->new_session_tickets_count =
1141 ssl->conf->new_session_tickets_count;
1142 #endif
1143
1144 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1145 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1146 ssl->handshake->alt_transform_out = ssl->transform_out;
1147
1148 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
1149 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
1150 } else {
1151 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
1152 }
1153
1154 mbedtls_ssl_set_timer(ssl, 0);
1155 }
1156 #endif
1157
1158 /*
1159 * curve_list is translated to IANA TLS group identifiers here because
1160 * mbedtls_ssl_conf_curves returns void and so can't return
1161 * any error codes.
1162 */
1163 #if defined(MBEDTLS_ECP_C)
1164 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1165 /* Heap allocate and translate curve_list from internal to IANA group ids */
1166 if (ssl->conf->curve_list != NULL) {
1167 size_t length;
1168 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
1169
1170 for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
1171 }
1172
1173 /* Leave room for zero termination */
1174 uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t));
1175 if (group_list == NULL) {
1176 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1177 }
1178
1179 for (size_t i = 0; i < length; i++) {
1180 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
1181 curve_list[i]);
1182 if (tls_id == 0) {
1183 mbedtls_free(group_list);
1184 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1185 }
1186 group_list[i] = tls_id;
1187 }
1188
1189 group_list[length] = 0;
1190
1191 ssl->handshake->group_list = group_list;
1192 ssl->handshake->group_list_heap_allocated = 1;
1193 } else {
1194 ssl->handshake->group_list = ssl->conf->group_list;
1195 ssl->handshake->group_list_heap_allocated = 0;
1196 }
1197 #endif /* MBEDTLS_DEPRECATED_REMOVED */
1198 #endif /* MBEDTLS_ECP_C */
1199
1200 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1201 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1202 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1203 /* Heap allocate and translate sig_hashes from internal hash identifiers to
1204 signature algorithms IANA identifiers. */
1205 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
1206 ssl->conf->sig_hashes != NULL) {
1207 const int *md;
1208 const int *sig_hashes = ssl->conf->sig_hashes;
1209 size_t sig_algs_len = 0;
1210 uint16_t *p;
1211
1212 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN
1213 <= (SIZE_MAX - (2 * sizeof(uint16_t))),
1214 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");
1215
1216 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1217 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
1218 continue;
1219 }
1220 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1221 sig_algs_len += sizeof(uint16_t);
1222 #endif
1223
1224 #if defined(MBEDTLS_RSA_C)
1225 sig_algs_len += sizeof(uint16_t);
1226 #endif
1227 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
1228 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1229 }
1230 }
1231
1232 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
1233 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1234 }
1235
1236 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
1237 sizeof(uint16_t));
1238 if (ssl->handshake->sig_algs == NULL) {
1239 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1240 }
1241
1242 p = (uint16_t *) ssl->handshake->sig_algs;
1243 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1244 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
1245 if (hash == MBEDTLS_SSL_HASH_NONE) {
1246 continue;
1247 }
1248 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1249 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
1250 p++;
1251 #endif
1252 #if defined(MBEDTLS_RSA_C)
1253 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
1254 p++;
1255 #endif
1256 }
1257 *p = MBEDTLS_TLS_SIG_NONE;
1258 ssl->handshake->sig_algs_heap_allocated = 1;
1259 } else
1260 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1261 {
1262 ssl->handshake->sig_algs_heap_allocated = 0;
1263 }
1264 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1265 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
1266 return 0;
1267 }
1268
1269 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1270 /* Dummy cookie callbacks for defaults */
1271 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_write_dummy(void * ctx,unsigned char ** p,unsigned char * end,const unsigned char * cli_id,size_t cli_id_len)1272 static int ssl_cookie_write_dummy(void *ctx,
1273 unsigned char **p, unsigned char *end,
1274 const unsigned char *cli_id, size_t cli_id_len)
1275 {
1276 ((void) ctx);
1277 ((void) p);
1278 ((void) end);
1279 ((void) cli_id);
1280 ((void) cli_id_len);
1281
1282 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1283 }
1284
1285 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_check_dummy(void * ctx,const unsigned char * cookie,size_t cookie_len,const unsigned char * cli_id,size_t cli_id_len)1286 static int ssl_cookie_check_dummy(void *ctx,
1287 const unsigned char *cookie, size_t cookie_len,
1288 const unsigned char *cli_id, size_t cli_id_len)
1289 {
1290 ((void) ctx);
1291 ((void) cookie);
1292 ((void) cookie_len);
1293 ((void) cli_id);
1294 ((void) cli_id_len);
1295
1296 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1297 }
1298 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
1299
1300 /*
1301 * Initialize an SSL context
1302 */
mbedtls_ssl_init(mbedtls_ssl_context * ssl)1303 void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
1304 {
1305 memset(ssl, 0, sizeof(mbedtls_ssl_context));
1306 }
1307
1308 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_version_check(const mbedtls_ssl_context * ssl)1309 static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
1310 {
1311 const mbedtls_ssl_config *conf = ssl->conf;
1312
1313 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1314 if (mbedtls_ssl_conf_is_tls13_only(conf)) {
1315 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1316 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
1317 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1318 }
1319
1320 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
1321 return 0;
1322 }
1323 #endif
1324
1325 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1326 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
1327 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
1328 return 0;
1329 }
1330 #endif
1331
1332 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
1333 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
1334 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1335 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
1336 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1337 }
1338
1339 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
1340 return 0;
1341 }
1342 #endif
1343
1344 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
1345 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1346 }
1347
1348 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_check(const mbedtls_ssl_context * ssl)1349 static int ssl_conf_check(const mbedtls_ssl_context *ssl)
1350 {
1351 int ret;
1352 ret = ssl_conf_version_check(ssl);
1353 if (ret != 0) {
1354 return ret;
1355 }
1356
1357 if (ssl->conf->f_rng == NULL) {
1358 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
1359 return MBEDTLS_ERR_SSL_NO_RNG;
1360 }
1361
1362 /* Space for further checks */
1363
1364 return 0;
1365 }
1366
1367 /*
1368 * Setup an SSL context
1369 */
1370
mbedtls_ssl_setup(mbedtls_ssl_context * ssl,const mbedtls_ssl_config * conf)1371 int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
1372 const mbedtls_ssl_config *conf)
1373 {
1374 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1375 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1376 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1377
1378 ssl->conf = conf;
1379
1380 if ((ret = ssl_conf_check(ssl)) != 0) {
1381 return ret;
1382 }
1383 ssl->tls_version = ssl->conf->max_tls_version;
1384
1385 /*
1386 * Prepare base structures
1387 */
1388
1389 /* Set to NULL in case of an error condition */
1390 ssl->out_buf = NULL;
1391
1392 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1393 ssl->in_buf_len = in_buf_len;
1394 #endif
1395 ssl->in_buf = mbedtls_calloc(1, in_buf_len);
1396 if (ssl->in_buf == NULL) {
1397 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
1398 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1399 goto error;
1400 }
1401
1402 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1403 ssl->out_buf_len = out_buf_len;
1404 #endif
1405 ssl->out_buf = mbedtls_calloc(1, out_buf_len);
1406 if (ssl->out_buf == NULL) {
1407 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
1408 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1409 goto error;
1410 }
1411
1412 mbedtls_ssl_reset_in_out_pointers(ssl);
1413
1414 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1415 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
1416 #endif
1417
1418 if ((ret = ssl_handshake_init(ssl)) != 0) {
1419 goto error;
1420 }
1421
1422 return 0;
1423
1424 error:
1425 mbedtls_free(ssl->in_buf);
1426 mbedtls_free(ssl->out_buf);
1427
1428 ssl->conf = NULL;
1429
1430 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1431 ssl->in_buf_len = 0;
1432 ssl->out_buf_len = 0;
1433 #endif
1434 ssl->in_buf = NULL;
1435 ssl->out_buf = NULL;
1436
1437 ssl->in_hdr = NULL;
1438 ssl->in_ctr = NULL;
1439 ssl->in_len = NULL;
1440 ssl->in_iv = NULL;
1441 ssl->in_msg = NULL;
1442
1443 ssl->out_hdr = NULL;
1444 ssl->out_ctr = NULL;
1445 ssl->out_len = NULL;
1446 ssl->out_iv = NULL;
1447 ssl->out_msg = NULL;
1448
1449 return ret;
1450 }
1451
1452 /*
1453 * Reset an initialized and used SSL context for re-use while retaining
1454 * all application-set variables, function pointers and data.
1455 *
1456 * If partial is non-zero, keep data in the input buffer and client ID.
1457 * (Use when a DTLS client reconnects from the same port.)
1458 */
mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context * ssl,int partial)1459 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1460 int partial)
1461 {
1462 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1463 size_t in_buf_len = ssl->in_buf_len;
1464 size_t out_buf_len = ssl->out_buf_len;
1465 #else
1466 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1467 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1468 #endif
1469
1470 #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
1471 partial = 0;
1472 #endif
1473
1474 /* Cancel any possibly running timer */
1475 mbedtls_ssl_set_timer(ssl, 0);
1476
1477 mbedtls_ssl_reset_in_out_pointers(ssl);
1478
1479 /* Reset incoming message parsing */
1480 ssl->in_offt = NULL;
1481 ssl->nb_zero = 0;
1482 ssl->in_msgtype = 0;
1483 ssl->in_msglen = 0;
1484 ssl->in_hslen = 0;
1485 ssl->keep_current_message = 0;
1486 ssl->transform_in = NULL;
1487
1488 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1489 ssl->next_record_offset = 0;
1490 ssl->in_epoch = 0;
1491 #endif
1492
1493 /* Keep current datagram if partial == 1 */
1494 if (partial == 0) {
1495 ssl->in_left = 0;
1496 memset(ssl->in_buf, 0, in_buf_len);
1497 }
1498
1499 ssl->send_alert = 0;
1500
1501 /* Reset outgoing message writing */
1502 ssl->out_msgtype = 0;
1503 ssl->out_msglen = 0;
1504 ssl->out_left = 0;
1505 memset(ssl->out_buf, 0, out_buf_len);
1506 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
1507 ssl->transform_out = NULL;
1508
1509 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1510 mbedtls_ssl_dtls_replay_reset(ssl);
1511 #endif
1512
1513 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1514 if (ssl->transform) {
1515 mbedtls_ssl_transform_free(ssl->transform);
1516 mbedtls_free(ssl->transform);
1517 ssl->transform = NULL;
1518 }
1519 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1520
1521 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1522 mbedtls_ssl_transform_free(ssl->transform_application);
1523 mbedtls_free(ssl->transform_application);
1524 ssl->transform_application = NULL;
1525
1526 if (ssl->handshake != NULL) {
1527 #if defined(MBEDTLS_SSL_EARLY_DATA)
1528 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
1529 mbedtls_free(ssl->handshake->transform_earlydata);
1530 ssl->handshake->transform_earlydata = NULL;
1531 #endif
1532
1533 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
1534 mbedtls_free(ssl->handshake->transform_handshake);
1535 ssl->handshake->transform_handshake = NULL;
1536 }
1537
1538 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1539 }
1540
mbedtls_ssl_session_reset_int(mbedtls_ssl_context * ssl,int partial)1541 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
1542 {
1543 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1544
1545 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
1546 ssl->tls_version = ssl->conf->max_tls_version;
1547
1548 mbedtls_ssl_session_reset_msg_layer(ssl, partial);
1549
1550 /* Reset renegotiation state */
1551 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1552 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
1553 ssl->renego_records_seen = 0;
1554
1555 ssl->verify_data_len = 0;
1556 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1557 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1558 #endif
1559 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
1560
1561 ssl->session_in = NULL;
1562 ssl->session_out = NULL;
1563 if (ssl->session) {
1564 mbedtls_ssl_session_free(ssl->session);
1565 mbedtls_free(ssl->session);
1566 ssl->session = NULL;
1567 }
1568
1569 #if defined(MBEDTLS_SSL_ALPN)
1570 ssl->alpn_chosen = NULL;
1571 #endif
1572
1573 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1574 int free_cli_id = 1;
1575 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
1576 free_cli_id = (partial == 0);
1577 #endif
1578 if (free_cli_id) {
1579 mbedtls_free(ssl->cli_id);
1580 ssl->cli_id = NULL;
1581 ssl->cli_id_len = 0;
1582 }
1583 #endif
1584
1585 if ((ret = ssl_handshake_init(ssl)) != 0) {
1586 return ret;
1587 }
1588
1589 return 0;
1590 }
1591
1592 /*
1593 * Reset an initialized and used SSL context for re-use while retaining
1594 * all application-set variables, function pointers and data.
1595 */
mbedtls_ssl_session_reset(mbedtls_ssl_context * ssl)1596 int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
1597 {
1598 return mbedtls_ssl_session_reset_int(ssl, 0);
1599 }
1600
1601 /*
1602 * SSL set accessors
1603 */
mbedtls_ssl_conf_endpoint(mbedtls_ssl_config * conf,int endpoint)1604 void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
1605 {
1606 conf->endpoint = endpoint;
1607 }
1608
mbedtls_ssl_conf_transport(mbedtls_ssl_config * conf,int transport)1609 void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
1610 {
1611 conf->transport = transport;
1612 }
1613
1614 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config * conf,char mode)1615 void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
1616 {
1617 conf->anti_replay = mode;
1618 }
1619 #endif
1620
mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config * conf,unsigned limit)1621 void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
1622 {
1623 conf->badmac_limit = limit;
1624 }
1625
1626 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1627
mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context * ssl,unsigned allow_packing)1628 void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
1629 unsigned allow_packing)
1630 {
1631 ssl->disable_datagram_packing = !allow_packing;
1632 }
1633
mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config * conf,uint32_t min,uint32_t max)1634 void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
1635 uint32_t min, uint32_t max)
1636 {
1637 conf->hs_timeout_min = min;
1638 conf->hs_timeout_max = max;
1639 }
1640 #endif
1641
mbedtls_ssl_conf_authmode(mbedtls_ssl_config * conf,int authmode)1642 void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
1643 {
1644 conf->authmode = authmode;
1645 }
1646
1647 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_verify(mbedtls_ssl_config * conf,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1648 void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
1649 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1650 void *p_vrfy)
1651 {
1652 conf->f_vrfy = f_vrfy;
1653 conf->p_vrfy = p_vrfy;
1654 }
1655 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1656
mbedtls_ssl_conf_rng(mbedtls_ssl_config * conf,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1657 void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
1658 int (*f_rng)(void *, unsigned char *, size_t),
1659 void *p_rng)
1660 {
1661 conf->f_rng = f_rng;
1662 conf->p_rng = p_rng;
1663 }
1664
mbedtls_ssl_conf_dbg(mbedtls_ssl_config * conf,void (* f_dbg)(void *,int,const char *,int,const char *),void * p_dbg)1665 void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
1666 void (*f_dbg)(void *, int, const char *, int, const char *),
1667 void *p_dbg)
1668 {
1669 conf->f_dbg = f_dbg;
1670 conf->p_dbg = p_dbg;
1671 }
1672
mbedtls_ssl_set_bio(mbedtls_ssl_context * ssl,void * p_bio,mbedtls_ssl_send_t * f_send,mbedtls_ssl_recv_t * f_recv,mbedtls_ssl_recv_timeout_t * f_recv_timeout)1673 void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
1674 void *p_bio,
1675 mbedtls_ssl_send_t *f_send,
1676 mbedtls_ssl_recv_t *f_recv,
1677 mbedtls_ssl_recv_timeout_t *f_recv_timeout)
1678 {
1679 ssl->p_bio = p_bio;
1680 ssl->f_send = f_send;
1681 ssl->f_recv = f_recv;
1682 ssl->f_recv_timeout = f_recv_timeout;
1683 }
1684
1685 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_set_mtu(mbedtls_ssl_context * ssl,uint16_t mtu)1686 void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
1687 {
1688 ssl->mtu = mtu;
1689 }
1690 #endif
1691
mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config * conf,uint32_t timeout)1692 void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
1693 {
1694 conf->read_timeout = timeout;
1695 }
1696
mbedtls_ssl_set_timer_cb(mbedtls_ssl_context * ssl,void * p_timer,mbedtls_ssl_set_timer_t * f_set_timer,mbedtls_ssl_get_timer_t * f_get_timer)1697 void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
1698 void *p_timer,
1699 mbedtls_ssl_set_timer_t *f_set_timer,
1700 mbedtls_ssl_get_timer_t *f_get_timer)
1701 {
1702 ssl->p_timer = p_timer;
1703 ssl->f_set_timer = f_set_timer;
1704 ssl->f_get_timer = f_get_timer;
1705
1706 /* Make sure we start with no timer running */
1707 mbedtls_ssl_set_timer(ssl, 0);
1708 }
1709
1710 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_session_cache(mbedtls_ssl_config * conf,void * p_cache,mbedtls_ssl_cache_get_t * f_get_cache,mbedtls_ssl_cache_set_t * f_set_cache)1711 void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
1712 void *p_cache,
1713 mbedtls_ssl_cache_get_t *f_get_cache,
1714 mbedtls_ssl_cache_set_t *f_set_cache)
1715 {
1716 conf->p_cache = p_cache;
1717 conf->f_get_cache = f_get_cache;
1718 conf->f_set_cache = f_set_cache;
1719 }
1720 #endif /* MBEDTLS_SSL_SRV_C */
1721
1722 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_set_session(mbedtls_ssl_context * ssl,const mbedtls_ssl_session * session)1723 int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
1724 {
1725 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1726
1727 if (ssl == NULL ||
1728 session == NULL ||
1729 ssl->session_negotiate == NULL ||
1730 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
1731 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1732 }
1733
1734 if (ssl->handshake->resume == 1) {
1735 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1736 }
1737
1738 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1739 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
1740 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1741 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
1742
1743 if (mbedtls_ssl_validate_ciphersuite(
1744 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
1745 MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
1746 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
1747 session->ciphersuite));
1748 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1749 }
1750 }
1751 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1752
1753 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
1754 session)) != 0) {
1755 return ret;
1756 }
1757
1758 ssl->handshake->resume = 1;
1759
1760 return 0;
1761 }
1762 #endif /* MBEDTLS_SSL_CLI_C */
1763
mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config * conf,const int * ciphersuites)1764 void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
1765 const int *ciphersuites)
1766 {
1767 conf->ciphersuite_list = ciphersuites;
1768 }
1769
1770 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config * conf,const int kex_modes)1771 void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
1772 const int kex_modes)
1773 {
1774 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
1775 }
1776
1777 #if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_conf_early_data(mbedtls_ssl_config * conf,int early_data_enabled)1778 void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
1779 int early_data_enabled)
1780 {
1781 conf->early_data_enabled = early_data_enabled;
1782 }
1783
1784 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_max_early_data_size(mbedtls_ssl_config * conf,uint32_t max_early_data_size)1785 void mbedtls_ssl_conf_max_early_data_size(
1786 mbedtls_ssl_config *conf, uint32_t max_early_data_size)
1787 {
1788 conf->max_early_data_size = max_early_data_size;
1789 }
1790 #endif /* MBEDTLS_SSL_SRV_C */
1791
1792 #endif /* MBEDTLS_SSL_EARLY_DATA */
1793 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1794
1795 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config * conf,const mbedtls_x509_crt_profile * profile)1796 void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
1797 const mbedtls_x509_crt_profile *profile)
1798 {
1799 conf->cert_profile = profile;
1800 }
1801
ssl_key_cert_free(mbedtls_ssl_key_cert * key_cert)1802 static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
1803 {
1804 mbedtls_ssl_key_cert *cur = key_cert, *next;
1805
1806 while (cur != NULL) {
1807 next = cur->next;
1808 mbedtls_free(cur);
1809 cur = next;
1810 }
1811 }
1812
1813 /* Append a new keycert entry to a (possibly empty) list */
1814 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_append_key_cert(mbedtls_ssl_key_cert ** head,mbedtls_x509_crt * cert,mbedtls_pk_context * key)1815 static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
1816 mbedtls_x509_crt *cert,
1817 mbedtls_pk_context *key)
1818 {
1819 mbedtls_ssl_key_cert *new_cert;
1820
1821 if (cert == NULL) {
1822 /* Free list if cert is null */
1823 ssl_key_cert_free(*head);
1824 *head = NULL;
1825 return 0;
1826 }
1827
1828 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
1829 if (new_cert == NULL) {
1830 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1831 }
1832
1833 new_cert->cert = cert;
1834 new_cert->key = key;
1835 new_cert->next = NULL;
1836
1837 /* Update head if the list was null, else add to the end */
1838 if (*head == NULL) {
1839 *head = new_cert;
1840 } else {
1841 mbedtls_ssl_key_cert *cur = *head;
1842 while (cur->next != NULL) {
1843 cur = cur->next;
1844 }
1845 cur->next = new_cert;
1846 }
1847
1848 return 0;
1849 }
1850
mbedtls_ssl_conf_own_cert(mbedtls_ssl_config * conf,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1851 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
1852 mbedtls_x509_crt *own_cert,
1853 mbedtls_pk_context *pk_key)
1854 {
1855 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
1856 }
1857
mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config * conf,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1858 void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
1859 mbedtls_x509_crt *ca_chain,
1860 mbedtls_x509_crl *ca_crl)
1861 {
1862 conf->ca_chain = ca_chain;
1863 conf->ca_crl = ca_crl;
1864
1865 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1866 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1867 * cannot be used together. */
1868 conf->f_ca_cb = NULL;
1869 conf->p_ca_cb = NULL;
1870 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1871 }
1872
1873 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config * conf,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb)1874 void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
1875 mbedtls_x509_crt_ca_cb_t f_ca_cb,
1876 void *p_ca_cb)
1877 {
1878 conf->f_ca_cb = f_ca_cb;
1879 conf->p_ca_cb = p_ca_cb;
1880
1881 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1882 * cannot be used together. */
1883 conf->ca_chain = NULL;
1884 conf->ca_crl = NULL;
1885 }
1886 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1887 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1888
1889 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_get_hs_sni(mbedtls_ssl_context * ssl,size_t * name_len)1890 const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
1891 size_t *name_len)
1892 {
1893 *name_len = ssl->handshake->sni_name_len;
1894 return ssl->handshake->sni_name;
1895 }
1896
mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context * ssl,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1897 int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
1898 mbedtls_x509_crt *own_cert,
1899 mbedtls_pk_context *pk_key)
1900 {
1901 return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
1902 own_cert, pk_key);
1903 }
1904
mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1905 void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
1906 mbedtls_x509_crt *ca_chain,
1907 mbedtls_x509_crl *ca_crl)
1908 {
1909 ssl->handshake->sni_ca_chain = ca_chain;
1910 ssl->handshake->sni_ca_crl = ca_crl;
1911 }
1912
1913 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context * ssl,const mbedtls_x509_crt * crt)1914 void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
1915 const mbedtls_x509_crt *crt)
1916 {
1917 ssl->handshake->dn_hints = crt;
1918 }
1919 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
1920
mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context * ssl,int authmode)1921 void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
1922 int authmode)
1923 {
1924 ssl->handshake->sni_authmode = authmode;
1925 }
1926 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1927
1928 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_verify(mbedtls_ssl_context * ssl,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1929 void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
1930 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1931 void *p_vrfy)
1932 {
1933 ssl->f_vrfy = f_vrfy;
1934 ssl->p_vrfy = p_vrfy;
1935 }
1936 #endif
1937
1938 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1939
1940 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1941 static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
1942 static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
1943
mbedtls_ssl_set_hs_ecjpake_password_common(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)1944 static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
1945 mbedtls_ssl_context *ssl,
1946 mbedtls_svc_key_id_t pwd)
1947 {
1948 psa_status_t status;
1949 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
1950 const uint8_t *user = NULL;
1951 size_t user_len = 0;
1952 const uint8_t *peer = NULL;
1953 size_t peer_len = 0;
1954 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
1955 psa_pake_cs_set_primitive(&cipher_suite,
1956 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
1957 PSA_ECC_FAMILY_SECP_R1,
1958 256));
1959 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
1960
1961 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite);
1962 if (status != PSA_SUCCESS) {
1963 return status;
1964 }
1965
1966 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
1967 user = jpake_server_id;
1968 user_len = sizeof(jpake_server_id);
1969 peer = jpake_client_id;
1970 peer_len = sizeof(jpake_client_id);
1971 } else {
1972 user = jpake_client_id;
1973 user_len = sizeof(jpake_client_id);
1974 peer = jpake_server_id;
1975 peer_len = sizeof(jpake_server_id);
1976 }
1977
1978 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
1979 if (status != PSA_SUCCESS) {
1980 return status;
1981 }
1982
1983 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
1984 if (status != PSA_SUCCESS) {
1985 return status;
1986 }
1987
1988 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd);
1989 if (status != PSA_SUCCESS) {
1990 return status;
1991 }
1992
1993 ssl->handshake->psa_pake_ctx_is_ok = 1;
1994
1995 return PSA_SUCCESS;
1996 }
1997
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)1998 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
1999 const unsigned char *pw,
2000 size_t pw_len)
2001 {
2002 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
2003 psa_status_t status;
2004
2005 if (ssl->handshake == NULL || ssl->conf == NULL) {
2006 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2007 }
2008
2009 /* Empty password is not valid */
2010 if ((pw == NULL) || (pw_len == 0)) {
2011 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2012 }
2013
2014 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
2015 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
2016 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
2017
2018 status = psa_import_key(&attributes, pw, pw_len,
2019 &ssl->handshake->psa_pake_password);
2020 if (status != PSA_SUCCESS) {
2021 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2022 }
2023
2024 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
2025 ssl->handshake->psa_pake_password);
2026 if (status != PSA_SUCCESS) {
2027 psa_destroy_key(ssl->handshake->psa_pake_password);
2028 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2029 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2030 }
2031
2032 return 0;
2033 }
2034
mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)2035 int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
2036 mbedtls_svc_key_id_t pwd)
2037 {
2038 psa_status_t status;
2039
2040 if (ssl->handshake == NULL || ssl->conf == NULL) {
2041 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2042 }
2043
2044 if (mbedtls_svc_key_id_is_null(pwd)) {
2045 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2046 }
2047
2048 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
2049 if (status != PSA_SUCCESS) {
2050 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2051 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2052 }
2053
2054 return 0;
2055 }
2056 #else /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)2057 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2058 const unsigned char *pw,
2059 size_t pw_len)
2060 {
2061 mbedtls_ecjpake_role role;
2062
2063 if (ssl->handshake == NULL || ssl->conf == NULL) {
2064 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2065 }
2066
2067 /* Empty password is not valid */
2068 if ((pw == NULL) || (pw_len == 0)) {
2069 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2070 }
2071
2072 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
2073 role = MBEDTLS_ECJPAKE_SERVER;
2074 } else {
2075 role = MBEDTLS_ECJPAKE_CLIENT;
2076 }
2077
2078 return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx,
2079 role,
2080 MBEDTLS_MD_SHA256,
2081 MBEDTLS_ECP_DP_SECP256R1,
2082 pw, pw_len);
2083 }
2084 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2085 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2086
2087 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const * conf)2088 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
2089 {
2090 if (conf->psk_identity == NULL ||
2091 conf->psk_identity_len == 0) {
2092 return 0;
2093 }
2094
2095 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2096 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2097 return 1;
2098 }
2099 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2100
2101 if (conf->psk != NULL && conf->psk_len != 0) {
2102 return 1;
2103 }
2104
2105 return 0;
2106 }
2107
ssl_conf_remove_psk(mbedtls_ssl_config * conf)2108 static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
2109 {
2110 /* Remove reference to existing PSK, if any. */
2111 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2112 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2113 /* The maintenance of the PSK key slot is the
2114 * user's responsibility. */
2115 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2116 }
2117 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2118 if (conf->psk != NULL) {
2119 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
2120 conf->psk = NULL;
2121 conf->psk_len = 0;
2122 }
2123
2124 /* Remove reference to PSK identity, if any. */
2125 if (conf->psk_identity != NULL) {
2126 mbedtls_free(conf->psk_identity);
2127 conf->psk_identity = NULL;
2128 conf->psk_identity_len = 0;
2129 }
2130 }
2131
2132 /* This function assumes that PSK identity in the SSL config is unset.
2133 * It checks that the provided identity is well-formed and attempts
2134 * to make a copy of it in the SSL config.
2135 * On failure, the PSK identity in the config remains unset. */
2136 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_set_psk_identity(mbedtls_ssl_config * conf,unsigned char const * psk_identity,size_t psk_identity_len)2137 static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
2138 unsigned char const *psk_identity,
2139 size_t psk_identity_len)
2140 {
2141 /* Identity len will be encoded on two bytes */
2142 if (psk_identity == NULL ||
2143 psk_identity_len == 0 ||
2144 (psk_identity_len >> 16) != 0 ||
2145 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2146 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2147 }
2148
2149 conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
2150 if (conf->psk_identity == NULL) {
2151 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2152 }
2153
2154 conf->psk_identity_len = psk_identity_len;
2155 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
2156
2157 return 0;
2158 }
2159
mbedtls_ssl_conf_psk(mbedtls_ssl_config * conf,const unsigned char * psk,size_t psk_len,const unsigned char * psk_identity,size_t psk_identity_len)2160 int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
2161 const unsigned char *psk, size_t psk_len,
2162 const unsigned char *psk_identity, size_t psk_identity_len)
2163 {
2164 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2165
2166 /* We currently only support one PSK, raw or opaque. */
2167 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2168 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2169 }
2170
2171 /* Check and set raw PSK */
2172 if (psk == NULL) {
2173 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2174 }
2175 if (psk_len == 0) {
2176 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2177 }
2178 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2179 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2180 }
2181
2182 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2183 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2184 }
2185 conf->psk_len = psk_len;
2186 memcpy(conf->psk, psk, conf->psk_len);
2187
2188 /* Check and set PSK Identity */
2189 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
2190 if (ret != 0) {
2191 ssl_conf_remove_psk(conf);
2192 }
2193
2194 return ret;
2195 }
2196
ssl_remove_psk(mbedtls_ssl_context * ssl)2197 static void ssl_remove_psk(mbedtls_ssl_context *ssl)
2198 {
2199 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2200 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
2201 /* The maintenance of the external PSK key slot is the
2202 * user's responsibility. */
2203 if (ssl->handshake->psk_opaque_is_internal) {
2204 psa_destroy_key(ssl->handshake->psk_opaque);
2205 ssl->handshake->psk_opaque_is_internal = 0;
2206 }
2207 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2208 }
2209 #else
2210 if (ssl->handshake->psk != NULL) {
2211 mbedtls_zeroize_and_free(ssl->handshake->psk,
2212 ssl->handshake->psk_len);
2213 ssl->handshake->psk_len = 0;
2214 }
2215 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2216 }
2217
mbedtls_ssl_set_hs_psk(mbedtls_ssl_context * ssl,const unsigned char * psk,size_t psk_len)2218 int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
2219 const unsigned char *psk, size_t psk_len)
2220 {
2221 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2222 psa_key_attributes_t key_attributes = psa_key_attributes_init();
2223 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2224 psa_algorithm_t alg = PSA_ALG_NONE;
2225 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
2226 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2227
2228 if (psk == NULL || ssl->handshake == NULL) {
2229 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2230 }
2231
2232 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2233 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2234 }
2235
2236 ssl_remove_psk(ssl);
2237
2238 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2239 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2240 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2241 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
2242 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
2243 } else {
2244 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
2245 }
2246 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2247 }
2248 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2249
2250 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2251 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2252 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
2253 psa_set_key_usage_flags(&key_attributes,
2254 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
2255 }
2256 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2257
2258 psa_set_key_algorithm(&key_attributes, alg);
2259 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
2260
2261 status = psa_import_key(&key_attributes, psk, psk_len, &key);
2262 if (status != PSA_SUCCESS) {
2263 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2264 }
2265
2266 /* Allow calling psa_destroy_key() on psk remove */
2267 ssl->handshake->psk_opaque_is_internal = 1;
2268 return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
2269 #else
2270 if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2271 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2272 }
2273
2274 ssl->handshake->psk_len = psk_len;
2275 memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);
2276
2277 return 0;
2278 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2279 }
2280
2281 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config * conf,mbedtls_svc_key_id_t psk,const unsigned char * psk_identity,size_t psk_identity_len)2282 int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
2283 mbedtls_svc_key_id_t psk,
2284 const unsigned char *psk_identity,
2285 size_t psk_identity_len)
2286 {
2287 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2288
2289 /* We currently only support one PSK, raw or opaque. */
2290 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2291 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2292 }
2293
2294 /* Check and set opaque PSK */
2295 if (mbedtls_svc_key_id_is_null(psk)) {
2296 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2297 }
2298 conf->psk_opaque = psk;
2299
2300 /* Check and set PSK Identity */
2301 ret = ssl_conf_set_psk_identity(conf, psk_identity,
2302 psk_identity_len);
2303 if (ret != 0) {
2304 ssl_conf_remove_psk(conf);
2305 }
2306
2307 return ret;
2308 }
2309
mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t psk)2310 int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
2311 mbedtls_svc_key_id_t psk)
2312 {
2313 if ((mbedtls_svc_key_id_is_null(psk)) ||
2314 (ssl->handshake == NULL)) {
2315 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2316 }
2317
2318 ssl_remove_psk(ssl);
2319 ssl->handshake->psk_opaque = psk;
2320 return 0;
2321 }
2322 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2323
2324 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config * conf,int (* f_psk)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_psk)2325 void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
2326 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
2327 size_t),
2328 void *p_psk)
2329 {
2330 conf->f_psk = f_psk;
2331 conf->p_psk = p_psk;
2332 }
2333 #endif /* MBEDTLS_SSL_SRV_C */
2334
2335 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2336
2337 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_base_mode(psa_algorithm_t alg)2338 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2339 psa_algorithm_t alg)
2340 {
2341 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2342 if (alg == PSA_ALG_CBC_NO_PADDING) {
2343 return MBEDTLS_SSL_MODE_CBC;
2344 }
2345 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2346 if (PSA_ALG_IS_AEAD(alg)) {
2347 return MBEDTLS_SSL_MODE_AEAD;
2348 }
2349 return MBEDTLS_SSL_MODE_STREAM;
2350 }
2351
2352 #else /* MBEDTLS_USE_PSA_CRYPTO */
2353
mbedtls_ssl_get_base_mode(mbedtls_cipher_mode_t mode)2354 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2355 mbedtls_cipher_mode_t mode)
2356 {
2357 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2358 if (mode == MBEDTLS_MODE_CBC) {
2359 return MBEDTLS_SSL_MODE_CBC;
2360 }
2361 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2362
2363 #if defined(MBEDTLS_GCM_C) || \
2364 defined(MBEDTLS_CCM_C) || \
2365 defined(MBEDTLS_CHACHAPOLY_C)
2366 if (mode == MBEDTLS_MODE_GCM ||
2367 mode == MBEDTLS_MODE_CCM ||
2368 mode == MBEDTLS_MODE_CHACHAPOLY) {
2369 return MBEDTLS_SSL_MODE_AEAD;
2370 }
2371 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
2372
2373 return MBEDTLS_SSL_MODE_STREAM;
2374 }
2375 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2376
mbedtls_ssl_get_actual_mode(mbedtls_ssl_mode_t base_mode,int encrypt_then_mac)2377 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
2378 mbedtls_ssl_mode_t base_mode,
2379 int encrypt_then_mac)
2380 {
2381 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2382 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
2383 base_mode == MBEDTLS_SSL_MODE_CBC) {
2384 return MBEDTLS_SSL_MODE_CBC_ETM;
2385 }
2386 #else
2387 (void) encrypt_then_mac;
2388 #endif
2389 return base_mode;
2390 }
2391
mbedtls_ssl_get_mode_from_transform(const mbedtls_ssl_transform * transform)2392 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2393 const mbedtls_ssl_transform *transform)
2394 {
2395 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
2396 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2397 transform->psa_alg
2398 #else
2399 mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)
2400 #endif
2401 );
2402
2403 int encrypt_then_mac = 0;
2404 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2405 encrypt_then_mac = transform->encrypt_then_mac;
2406 #endif
2407 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2408 }
2409
mbedtls_ssl_get_mode_from_ciphersuite(int encrypt_then_mac,const mbedtls_ssl_ciphersuite_t * suite)2410 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2411 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2412 int encrypt_then_mac,
2413 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2414 const mbedtls_ssl_ciphersuite_t *suite)
2415 {
2416 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
2417
2418 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2419 psa_status_t status;
2420 psa_algorithm_t alg;
2421 psa_key_type_t type;
2422 size_t size;
2423 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher,
2424 0, &alg, &type, &size);
2425 if (status == PSA_SUCCESS) {
2426 base_mode = mbedtls_ssl_get_base_mode(alg);
2427 }
2428 #else
2429 const mbedtls_cipher_info_t *cipher =
2430 mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher);
2431 if (cipher != NULL) {
2432 base_mode =
2433 mbedtls_ssl_get_base_mode(
2434 mbedtls_cipher_info_get_mode(cipher));
2435 }
2436 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2437
2438 #if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2439 int encrypt_then_mac = 0;
2440 #endif
2441 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2442 }
2443
2444 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2445
mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,size_t taglen,psa_algorithm_t * alg,psa_key_type_t * key_type,size_t * key_size)2446 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2447 size_t taglen,
2448 psa_algorithm_t *alg,
2449 psa_key_type_t *key_type,
2450 size_t *key_size)
2451 {
2452 #if !defined(MBEDTLS_SSL_HAVE_CCM)
2453 (void) taglen;
2454 #endif
2455 switch (mbedtls_cipher_type) {
2456 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2457 case MBEDTLS_CIPHER_AES_128_CBC:
2458 *alg = PSA_ALG_CBC_NO_PADDING;
2459 *key_type = PSA_KEY_TYPE_AES;
2460 *key_size = 128;
2461 break;
2462 #endif
2463 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2464 case MBEDTLS_CIPHER_AES_128_CCM:
2465 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2466 *key_type = PSA_KEY_TYPE_AES;
2467 *key_size = 128;
2468 break;
2469 #endif
2470 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2471 case MBEDTLS_CIPHER_AES_128_GCM:
2472 *alg = PSA_ALG_GCM;
2473 *key_type = PSA_KEY_TYPE_AES;
2474 *key_size = 128;
2475 break;
2476 #endif
2477 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2478 case MBEDTLS_CIPHER_AES_192_CCM:
2479 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2480 *key_type = PSA_KEY_TYPE_AES;
2481 *key_size = 192;
2482 break;
2483 #endif
2484 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2485 case MBEDTLS_CIPHER_AES_192_GCM:
2486 *alg = PSA_ALG_GCM;
2487 *key_type = PSA_KEY_TYPE_AES;
2488 *key_size = 192;
2489 break;
2490 #endif
2491 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2492 case MBEDTLS_CIPHER_AES_256_CBC:
2493 *alg = PSA_ALG_CBC_NO_PADDING;
2494 *key_type = PSA_KEY_TYPE_AES;
2495 *key_size = 256;
2496 break;
2497 #endif
2498 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2499 case MBEDTLS_CIPHER_AES_256_CCM:
2500 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2501 *key_type = PSA_KEY_TYPE_AES;
2502 *key_size = 256;
2503 break;
2504 #endif
2505 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2506 case MBEDTLS_CIPHER_AES_256_GCM:
2507 *alg = PSA_ALG_GCM;
2508 *key_type = PSA_KEY_TYPE_AES;
2509 *key_size = 256;
2510 break;
2511 #endif
2512 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2513 case MBEDTLS_CIPHER_ARIA_128_CBC:
2514 *alg = PSA_ALG_CBC_NO_PADDING;
2515 *key_type = PSA_KEY_TYPE_ARIA;
2516 *key_size = 128;
2517 break;
2518 #endif
2519 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2520 case MBEDTLS_CIPHER_ARIA_128_CCM:
2521 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2522 *key_type = PSA_KEY_TYPE_ARIA;
2523 *key_size = 128;
2524 break;
2525 #endif
2526 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2527 case MBEDTLS_CIPHER_ARIA_128_GCM:
2528 *alg = PSA_ALG_GCM;
2529 *key_type = PSA_KEY_TYPE_ARIA;
2530 *key_size = 128;
2531 break;
2532 #endif
2533 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2534 case MBEDTLS_CIPHER_ARIA_192_CCM:
2535 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2536 *key_type = PSA_KEY_TYPE_ARIA;
2537 *key_size = 192;
2538 break;
2539 #endif
2540 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2541 case MBEDTLS_CIPHER_ARIA_192_GCM:
2542 *alg = PSA_ALG_GCM;
2543 *key_type = PSA_KEY_TYPE_ARIA;
2544 *key_size = 192;
2545 break;
2546 #endif
2547 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2548 case MBEDTLS_CIPHER_ARIA_256_CBC:
2549 *alg = PSA_ALG_CBC_NO_PADDING;
2550 *key_type = PSA_KEY_TYPE_ARIA;
2551 *key_size = 256;
2552 break;
2553 #endif
2554 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2555 case MBEDTLS_CIPHER_ARIA_256_CCM:
2556 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2557 *key_type = PSA_KEY_TYPE_ARIA;
2558 *key_size = 256;
2559 break;
2560 #endif
2561 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2562 case MBEDTLS_CIPHER_ARIA_256_GCM:
2563 *alg = PSA_ALG_GCM;
2564 *key_type = PSA_KEY_TYPE_ARIA;
2565 *key_size = 256;
2566 break;
2567 #endif
2568 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2569 case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
2570 *alg = PSA_ALG_CBC_NO_PADDING;
2571 *key_type = PSA_KEY_TYPE_CAMELLIA;
2572 *key_size = 128;
2573 break;
2574 #endif
2575 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2576 case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
2577 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2578 *key_type = PSA_KEY_TYPE_CAMELLIA;
2579 *key_size = 128;
2580 break;
2581 #endif
2582 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2583 case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
2584 *alg = PSA_ALG_GCM;
2585 *key_type = PSA_KEY_TYPE_CAMELLIA;
2586 *key_size = 128;
2587 break;
2588 #endif
2589 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2590 case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
2591 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2592 *key_type = PSA_KEY_TYPE_CAMELLIA;
2593 *key_size = 192;
2594 break;
2595 #endif
2596 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2597 case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
2598 *alg = PSA_ALG_GCM;
2599 *key_type = PSA_KEY_TYPE_CAMELLIA;
2600 *key_size = 192;
2601 break;
2602 #endif
2603 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2604 case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
2605 *alg = PSA_ALG_CBC_NO_PADDING;
2606 *key_type = PSA_KEY_TYPE_CAMELLIA;
2607 *key_size = 256;
2608 break;
2609 #endif
2610 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2611 case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
2612 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2613 *key_type = PSA_KEY_TYPE_CAMELLIA;
2614 *key_size = 256;
2615 break;
2616 #endif
2617 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2618 case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
2619 *alg = PSA_ALG_GCM;
2620 *key_type = PSA_KEY_TYPE_CAMELLIA;
2621 *key_size = 256;
2622 break;
2623 #endif
2624 #if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
2625 case MBEDTLS_CIPHER_CHACHA20_POLY1305:
2626 *alg = PSA_ALG_CHACHA20_POLY1305;
2627 *key_type = PSA_KEY_TYPE_CHACHA20;
2628 *key_size = 256;
2629 break;
2630 #endif
2631 case MBEDTLS_CIPHER_NULL:
2632 *alg = MBEDTLS_SSL_NULL_CIPHER;
2633 *key_type = 0;
2634 *key_size = 0;
2635 break;
2636 default:
2637 return PSA_ERROR_NOT_SUPPORTED;
2638 }
2639
2640 return PSA_SUCCESS;
2641 }
2642 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2643
2644 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config * conf,const unsigned char * dhm_P,size_t P_len,const unsigned char * dhm_G,size_t G_len)2645 int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
2646 const unsigned char *dhm_P, size_t P_len,
2647 const unsigned char *dhm_G, size_t G_len)
2648 {
2649 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2650
2651 mbedtls_mpi_free(&conf->dhm_P);
2652 mbedtls_mpi_free(&conf->dhm_G);
2653
2654 if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
2655 (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
2656 mbedtls_mpi_free(&conf->dhm_P);
2657 mbedtls_mpi_free(&conf->dhm_G);
2658 return ret;
2659 }
2660
2661 return 0;
2662 }
2663
mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config * conf,mbedtls_dhm_context * dhm_ctx)2664 int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx)
2665 {
2666 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2667
2668 mbedtls_mpi_free(&conf->dhm_P);
2669 mbedtls_mpi_free(&conf->dhm_G);
2670
2671 if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P,
2672 &conf->dhm_P)) != 0 ||
2673 (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G,
2674 &conf->dhm_G)) != 0) {
2675 mbedtls_mpi_free(&conf->dhm_P);
2676 mbedtls_mpi_free(&conf->dhm_G);
2677 return ret;
2678 }
2679
2680 return 0;
2681 }
2682 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
2683
2684 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
2685 /*
2686 * Set the minimum length for Diffie-Hellman parameters
2687 */
mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config * conf,unsigned int bitlen)2688 void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
2689 unsigned int bitlen)
2690 {
2691 conf->dhm_min_bitlen = bitlen;
2692 }
2693 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
2694
2695 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2696 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
2697 /*
2698 * Set allowed/preferred hashes for handshake signatures
2699 */
mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config * conf,const int * hashes)2700 void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
2701 const int *hashes)
2702 {
2703 conf->sig_hashes = hashes;
2704 }
2705 #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
2706
2707 /* Configure allowed signature algorithms for handshake */
mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config * conf,const uint16_t * sig_algs)2708 void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
2709 const uint16_t *sig_algs)
2710 {
2711 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2712 conf->sig_hashes = NULL;
2713 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
2714 conf->sig_algs = sig_algs;
2715 }
2716 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2717
2718 #if defined(MBEDTLS_ECP_C)
2719 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2720 /*
2721 * Set the allowed elliptic curves
2722 *
2723 * mbedtls_ssl_setup() takes the provided list
2724 * and translates it to a list of IANA TLS group identifiers,
2725 * stored in ssl->handshake->group_list.
2726 *
2727 */
mbedtls_ssl_conf_curves(mbedtls_ssl_config * conf,const mbedtls_ecp_group_id * curve_list)2728 void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
2729 const mbedtls_ecp_group_id *curve_list)
2730 {
2731 conf->curve_list = curve_list;
2732 conf->group_list = NULL;
2733 }
2734 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2735 #endif /* MBEDTLS_ECP_C */
2736
2737 /*
2738 * Set the allowed groups
2739 */
mbedtls_ssl_conf_groups(mbedtls_ssl_config * conf,const uint16_t * group_list)2740 void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
2741 const uint16_t *group_list)
2742 {
2743 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
2744 conf->curve_list = NULL;
2745 #endif
2746 conf->group_list = group_list;
2747 }
2748
2749 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_hostname(mbedtls_ssl_context * ssl,const char * hostname)2750 int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
2751 {
2752 /* Initialize to suppress unnecessary compiler warning */
2753 size_t hostname_len = 0;
2754
2755 /* Check if new hostname is valid before
2756 * making any change to current one */
2757 if (hostname != NULL) {
2758 hostname_len = strlen(hostname);
2759
2760 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
2761 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2762 }
2763 }
2764
2765 /* Now it's clear that we will overwrite the old hostname,
2766 * so we can free it safely */
2767
2768 if (ssl->hostname != NULL) {
2769 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
2770 }
2771
2772 /* Passing NULL as hostname shall clear the old one */
2773
2774 if (hostname == NULL) {
2775 ssl->hostname = NULL;
2776 } else {
2777 ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
2778 if (ssl->hostname == NULL) {
2779 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2780 }
2781
2782 memcpy(ssl->hostname, hostname, hostname_len);
2783
2784 ssl->hostname[hostname_len] = '\0';
2785 }
2786
2787 return 0;
2788 }
2789 #endif /* MBEDTLS_X509_CRT_PARSE_C */
2790
2791 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_conf_sni(mbedtls_ssl_config * conf,int (* f_sni)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_sni)2792 void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
2793 int (*f_sni)(void *, mbedtls_ssl_context *,
2794 const unsigned char *, size_t),
2795 void *p_sni)
2796 {
2797 conf->f_sni = f_sni;
2798 conf->p_sni = p_sni;
2799 }
2800 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2801
2802 #if defined(MBEDTLS_SSL_ALPN)
mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config * conf,const char ** protos)2803 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
2804 {
2805 size_t cur_len, tot_len;
2806 const char **p;
2807
2808 /*
2809 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
2810 * MUST NOT be truncated."
2811 * We check lengths now rather than later.
2812 */
2813 tot_len = 0;
2814 for (p = protos; *p != NULL; p++) {
2815 cur_len = strlen(*p);
2816 tot_len += cur_len;
2817
2818 if ((cur_len == 0) ||
2819 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
2820 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
2821 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2822 }
2823 }
2824
2825 conf->alpn_list = protos;
2826
2827 return 0;
2828 }
2829
mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context * ssl)2830 const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
2831 {
2832 return ssl->alpn_chosen;
2833 }
2834 #endif /* MBEDTLS_SSL_ALPN */
2835
2836 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config * conf,int support_mki_value)2837 void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
2838 int support_mki_value)
2839 {
2840 conf->dtls_srtp_mki_support = support_mki_value;
2841 }
2842
mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context * ssl,unsigned char * mki_value,uint16_t mki_len)2843 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
2844 unsigned char *mki_value,
2845 uint16_t mki_len)
2846 {
2847 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
2848 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2849 }
2850
2851 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
2852 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2853 }
2854
2855 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
2856 ssl->dtls_srtp_info.mki_len = mki_len;
2857 return 0;
2858 }
2859
mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config * conf,const mbedtls_ssl_srtp_profile * profiles)2860 int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
2861 const mbedtls_ssl_srtp_profile *profiles)
2862 {
2863 const mbedtls_ssl_srtp_profile *p;
2864 size_t list_size = 0;
2865
2866 /* check the profiles list: all entry must be valid,
2867 * its size cannot be more than the total number of supported profiles, currently 4 */
2868 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
2869 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
2870 p++) {
2871 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
2872 list_size++;
2873 } else {
2874 /* unsupported value, stop parsing and set the size to an error value */
2875 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
2876 }
2877 }
2878
2879 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
2880 conf->dtls_srtp_profile_list = NULL;
2881 conf->dtls_srtp_profile_list_len = 0;
2882 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2883 }
2884
2885 conf->dtls_srtp_profile_list = profiles;
2886 conf->dtls_srtp_profile_list_len = list_size;
2887
2888 return 0;
2889 }
2890
mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context * ssl,mbedtls_dtls_srtp_info * dtls_srtp_info)2891 void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
2892 mbedtls_dtls_srtp_info *dtls_srtp_info)
2893 {
2894 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
2895 /* do not copy the mki value if there is no chosen profile */
2896 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
2897 dtls_srtp_info->mki_len = 0;
2898 } else {
2899 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
2900 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
2901 ssl->dtls_srtp_info.mki_len);
2902 }
2903 }
2904 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2905
2906 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_ssl_conf_max_version(mbedtls_ssl_config * conf,int major,int minor)2907 void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
2908 {
2909 conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2910 }
2911
mbedtls_ssl_conf_min_version(mbedtls_ssl_config * conf,int major,int minor)2912 void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
2913 {
2914 conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2915 }
2916 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2917
2918 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config * conf,char cert_req_ca_list)2919 void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
2920 char cert_req_ca_list)
2921 {
2922 conf->cert_req_ca_list = cert_req_ca_list;
2923 }
2924 #endif
2925
2926 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config * conf,char etm)2927 void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
2928 {
2929 conf->encrypt_then_mac = etm;
2930 }
2931 #endif
2932
2933 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config * conf,char ems)2934 void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
2935 {
2936 conf->extended_ms = ems;
2937 }
2938 #endif
2939
2940 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config * conf,unsigned char mfl_code)2941 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
2942 {
2943 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
2944 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
2945 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2946 }
2947
2948 conf->mfl_code = mfl_code;
2949
2950 return 0;
2951 }
2952 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
2953
mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config * conf,int allow_legacy)2954 void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
2955 {
2956 conf->allow_legacy_renegotiation = allow_legacy;
2957 }
2958
2959 #if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config * conf,int renegotiation)2960 void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
2961 {
2962 conf->disable_renegotiation = renegotiation;
2963 }
2964
mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config * conf,int max_records)2965 void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
2966 {
2967 conf->renego_max_records = max_records;
2968 }
2969
mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config * conf,const unsigned char period[8])2970 void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
2971 const unsigned char period[8])
2972 {
2973 memcpy(conf->renego_period, period, 8);
2974 }
2975 #endif /* MBEDTLS_SSL_RENEGOTIATION */
2976
2977 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
2978 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config * conf,int use_tickets)2979 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
2980 {
2981 conf->session_tickets = use_tickets;
2982 }
2983 #endif
2984
2985 #if defined(MBEDTLS_SSL_SRV_C)
2986
2987 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config * conf,uint16_t num_tickets)2988 void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
2989 uint16_t num_tickets)
2990 {
2991 conf->new_session_tickets_count = num_tickets;
2992 }
2993 #endif
2994
mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config * conf,mbedtls_ssl_ticket_write_t * f_ticket_write,mbedtls_ssl_ticket_parse_t * f_ticket_parse,void * p_ticket)2995 void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
2996 mbedtls_ssl_ticket_write_t *f_ticket_write,
2997 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
2998 void *p_ticket)
2999 {
3000 conf->f_ticket_write = f_ticket_write;
3001 conf->f_ticket_parse = f_ticket_parse;
3002 conf->p_ticket = p_ticket;
3003 }
3004 #endif
3005 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3006
mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context * ssl,mbedtls_ssl_export_keys_t * f_export_keys,void * p_export_keys)3007 void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
3008 mbedtls_ssl_export_keys_t *f_export_keys,
3009 void *p_export_keys)
3010 {
3011 ssl->f_export_keys = f_export_keys;
3012 ssl->p_export_keys = p_export_keys;
3013 }
3014
3015 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
mbedtls_ssl_conf_async_private_cb(mbedtls_ssl_config * conf,mbedtls_ssl_async_sign_t * f_async_sign,mbedtls_ssl_async_decrypt_t * f_async_decrypt,mbedtls_ssl_async_resume_t * f_async_resume,mbedtls_ssl_async_cancel_t * f_async_cancel,void * async_config_data)3016 void mbedtls_ssl_conf_async_private_cb(
3017 mbedtls_ssl_config *conf,
3018 mbedtls_ssl_async_sign_t *f_async_sign,
3019 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
3020 mbedtls_ssl_async_resume_t *f_async_resume,
3021 mbedtls_ssl_async_cancel_t *f_async_cancel,
3022 void *async_config_data)
3023 {
3024 conf->f_async_sign_start = f_async_sign;
3025 conf->f_async_decrypt_start = f_async_decrypt;
3026 conf->f_async_resume = f_async_resume;
3027 conf->f_async_cancel = f_async_cancel;
3028 conf->p_async_config_data = async_config_data;
3029 }
3030
mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config * conf)3031 void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
3032 {
3033 return conf->p_async_config_data;
3034 }
3035
mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context * ssl)3036 void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
3037 {
3038 if (ssl->handshake == NULL) {
3039 return NULL;
3040 } else {
3041 return ssl->handshake->user_async_ctx;
3042 }
3043 }
3044
mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context * ssl,void * ctx)3045 void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
3046 void *ctx)
3047 {
3048 if (ssl->handshake != NULL) {
3049 ssl->handshake->user_async_ctx = ctx;
3050 }
3051 }
3052 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3053
3054 /*
3055 * SSL get accessors
3056 */
mbedtls_ssl_get_verify_result(const mbedtls_ssl_context * ssl)3057 uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
3058 {
3059 if (ssl->session != NULL) {
3060 return ssl->session->verify_result;
3061 }
3062
3063 if (ssl->session_negotiate != NULL) {
3064 return ssl->session_negotiate->verify_result;
3065 }
3066
3067 return 0xFFFFFFFF;
3068 }
3069
mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context * ssl)3070 int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
3071 {
3072 if (ssl == NULL || ssl->session == NULL) {
3073 return 0;
3074 }
3075
3076 return ssl->session->ciphersuite;
3077 }
3078
mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context * ssl)3079 const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
3080 {
3081 if (ssl == NULL || ssl->session == NULL) {
3082 return NULL;
3083 }
3084
3085 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
3086 }
3087
mbedtls_ssl_get_version(const mbedtls_ssl_context * ssl)3088 const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
3089 {
3090 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3091 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3092 switch (ssl->tls_version) {
3093 case MBEDTLS_SSL_VERSION_TLS1_2:
3094 return "DTLSv1.2";
3095 default:
3096 return "unknown (DTLS)";
3097 }
3098 }
3099 #endif
3100
3101 switch (ssl->tls_version) {
3102 case MBEDTLS_SSL_VERSION_TLS1_2:
3103 return "TLSv1.2";
3104 case MBEDTLS_SSL_VERSION_TLS1_3:
3105 return "TLSv1.3";
3106 default:
3107 return "unknown";
3108 }
3109 }
3110
3111 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3112
mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context * ssl)3113 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
3114 {
3115 const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3116 size_t record_size_limit = max_len;
3117
3118 if (ssl->session != NULL &&
3119 ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3120 ssl->session->record_size_limit < max_len) {
3121 record_size_limit = ssl->session->record_size_limit;
3122 }
3123
3124 // TODO: this is currently untested
3125 /* During a handshake, use the value being negotiated */
3126 if (ssl->session_negotiate != NULL &&
3127 ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3128 ssl->session_negotiate->record_size_limit < max_len) {
3129 record_size_limit = ssl->session_negotiate->record_size_limit;
3130 }
3131
3132 return record_size_limit;
3133 }
3134 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3135
3136 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context * ssl)3137 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
3138 {
3139 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3140 size_t read_mfl;
3141
3142 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3143 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
3144 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3145 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
3146 return ssl_mfl_code_to_length(ssl->conf->mfl_code);
3147 }
3148 #endif
3149
3150 /* Check if a smaller max length was negotiated */
3151 if (ssl->session_out != NULL) {
3152 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3153 if (read_mfl < max_len) {
3154 max_len = read_mfl;
3155 }
3156 }
3157
3158 /* During a handshake, use the value being negotiated */
3159 if (ssl->session_negotiate != NULL) {
3160 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3161 if (read_mfl < max_len) {
3162 max_len = read_mfl;
3163 }
3164 }
3165
3166 return max_len;
3167 }
3168
mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context * ssl)3169 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
3170 {
3171 size_t max_len;
3172
3173 /*
3174 * Assume mfl_code is correct since it was checked when set
3175 */
3176 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
3177
3178 /* Check if a smaller max length was negotiated */
3179 if (ssl->session_out != NULL &&
3180 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
3181 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3182 }
3183
3184 /* During a handshake, use the value being negotiated */
3185 if (ssl->session_negotiate != NULL &&
3186 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
3187 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3188 }
3189
3190 return max_len;
3191 }
3192 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3193
3194 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context * ssl)3195 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
3196 {
3197 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
3198 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3199 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
3200 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) {
3201 return 0;
3202 }
3203
3204 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
3205 return ssl->mtu;
3206 }
3207
3208 if (ssl->mtu == 0) {
3209 return ssl->handshake->mtu;
3210 }
3211
3212 return ssl->mtu < ssl->handshake->mtu ?
3213 ssl->mtu : ssl->handshake->mtu;
3214 }
3215 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3216
mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context * ssl)3217 int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
3218 {
3219 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3220
3221 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3222 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
3223 !defined(MBEDTLS_SSL_PROTO_DTLS)
3224 (void) ssl;
3225 #endif
3226
3227 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3228 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
3229
3230 if (max_len > mfl) {
3231 max_len = mfl;
3232 }
3233 #endif
3234
3235 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3236 const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
3237
3238 if (max_len > record_size_limit) {
3239 max_len = record_size_limit;
3240 }
3241 #endif
3242
3243 if (ssl->transform_out != NULL &&
3244 ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
3245 /*
3246 * In TLS 1.3 case, when records are protected, `max_len` as computed
3247 * above is the maximum length of the TLSInnerPlaintext structure that
3248 * along the plaintext payload contains the inner content type (one byte)
3249 * and some zero padding. Given the algorithm used for padding
3250 * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
3251 * the plaintext payload. Round down to a multiple of
3252 * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
3253 * subtract 1.
3254 */
3255 max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
3256 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
3257 }
3258
3259 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3260 if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
3261 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
3262 const int ret = mbedtls_ssl_get_record_expansion(ssl);
3263 const size_t overhead = (size_t) ret;
3264
3265 if (ret < 0) {
3266 return ret;
3267 }
3268
3269 if (mtu <= overhead) {
3270 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
3271 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3272 }
3273
3274 if (max_len > mtu - overhead) {
3275 max_len = mtu - overhead;
3276 }
3277 }
3278 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3279
3280 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3281 !defined(MBEDTLS_SSL_PROTO_DTLS) && \
3282 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3283 ((void) ssl);
3284 #endif
3285
3286 return (int) max_len;
3287 }
3288
mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context * ssl)3289 int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
3290 {
3291 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3292
3293 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3294 (void) ssl;
3295 #endif
3296
3297 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3298 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
3299
3300 if (max_len > mfl) {
3301 max_len = mfl;
3302 }
3303 #endif
3304
3305 return (int) max_len;
3306 }
3307
3308 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context * ssl)3309 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
3310 {
3311 if (ssl == NULL || ssl->session == NULL) {
3312 return NULL;
3313 }
3314
3315 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3316 return ssl->session->peer_cert;
3317 #else
3318 return NULL;
3319 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3320 }
3321 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3322
3323 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_get_session(const mbedtls_ssl_context * ssl,mbedtls_ssl_session * dst)3324 int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
3325 mbedtls_ssl_session *dst)
3326 {
3327 int ret;
3328
3329 if (ssl == NULL ||
3330 dst == NULL ||
3331 ssl->session == NULL ||
3332 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
3333 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3334 }
3335
3336 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
3337 * idempotent: Each session can only be exported once.
3338 *
3339 * (This is in preparation for TLS 1.3 support where we will
3340 * need the ability to export multiple sessions (aka tickets),
3341 * which will be achieved by calling mbedtls_ssl_get_session()
3342 * multiple times until it fails.)
3343 *
3344 * Check whether we have already exported the current session,
3345 * and fail if so.
3346 */
3347 if (ssl->session->exported == 1) {
3348 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3349 }
3350
3351 ret = mbedtls_ssl_session_copy(dst, ssl->session);
3352 if (ret != 0) {
3353 return ret;
3354 }
3355
3356 /* Remember that we've exported the session. */
3357 ssl->session->exported = 1;
3358 return 0;
3359 }
3360 #endif /* MBEDTLS_SSL_CLI_C */
3361
3362 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3363
3364 /* Serialization of TLS 1.2 sessions
3365 *
3366 * For more detail, see the description of ssl_session_save().
3367 */
ssl_tls12_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len)3368 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
3369 unsigned char *buf,
3370 size_t buf_len)
3371 {
3372 unsigned char *p = buf;
3373 size_t used = 0;
3374
3375 #if defined(MBEDTLS_HAVE_TIME)
3376 uint64_t start;
3377 #endif
3378 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3379 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3380 size_t cert_len;
3381 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3382 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3383
3384 /*
3385 * Time
3386 */
3387 #if defined(MBEDTLS_HAVE_TIME)
3388 used += 8;
3389
3390 if (used <= buf_len) {
3391 start = (uint64_t) session->start;
3392
3393 MBEDTLS_PUT_UINT64_BE(start, p, 0);
3394 p += 8;
3395 }
3396 #endif /* MBEDTLS_HAVE_TIME */
3397
3398 /*
3399 * Basic mandatory fields
3400 */
3401 used += 1 /* id_len */
3402 + sizeof(session->id)
3403 + sizeof(session->master)
3404 + 4; /* verify_result */
3405
3406 if (used <= buf_len) {
3407 *p++ = MBEDTLS_BYTE_0(session->id_len);
3408 memcpy(p, session->id, 32);
3409 p += 32;
3410
3411 memcpy(p, session->master, 48);
3412 p += 48;
3413
3414 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
3415 p += 4;
3416 }
3417
3418 /*
3419 * Peer's end-entity certificate
3420 */
3421 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3422 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3423 if (session->peer_cert == NULL) {
3424 cert_len = 0;
3425 } else {
3426 cert_len = session->peer_cert->raw.len;
3427 }
3428
3429 used += 3 + cert_len;
3430
3431 if (used <= buf_len) {
3432 *p++ = MBEDTLS_BYTE_2(cert_len);
3433 *p++ = MBEDTLS_BYTE_1(cert_len);
3434 *p++ = MBEDTLS_BYTE_0(cert_len);
3435
3436 if (session->peer_cert != NULL) {
3437 memcpy(p, session->peer_cert->raw.p, cert_len);
3438 p += cert_len;
3439 }
3440 }
3441 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3442 if (session->peer_cert_digest != NULL) {
3443 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
3444 if (used <= buf_len) {
3445 *p++ = (unsigned char) session->peer_cert_digest_type;
3446 *p++ = (unsigned char) session->peer_cert_digest_len;
3447 memcpy(p, session->peer_cert_digest,
3448 session->peer_cert_digest_len);
3449 p += session->peer_cert_digest_len;
3450 }
3451 } else {
3452 used += 2;
3453 if (used <= buf_len) {
3454 *p++ = (unsigned char) MBEDTLS_MD_NONE;
3455 *p++ = 0;
3456 }
3457 }
3458 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3459 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3460
3461 /*
3462 * Session ticket if any, plus associated data
3463 */
3464 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3465 #if defined(MBEDTLS_SSL_CLI_C)
3466 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3467 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
3468
3469 if (used <= buf_len) {
3470 *p++ = MBEDTLS_BYTE_2(session->ticket_len);
3471 *p++ = MBEDTLS_BYTE_1(session->ticket_len);
3472 *p++ = MBEDTLS_BYTE_0(session->ticket_len);
3473
3474 if (session->ticket != NULL) {
3475 memcpy(p, session->ticket, session->ticket_len);
3476 p += session->ticket_len;
3477 }
3478
3479 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3480 p += 4;
3481 }
3482 }
3483 #endif /* MBEDTLS_SSL_CLI_C */
3484 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3485 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3486 used += 8;
3487
3488 if (used <= buf_len) {
3489 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3490 p += 8;
3491 }
3492 }
3493 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3494 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3495
3496 /*
3497 * Misc extension-related info
3498 */
3499 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3500 used += 1;
3501
3502 if (used <= buf_len) {
3503 *p++ = session->mfl_code;
3504 }
3505 #endif
3506
3507 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3508 used += 1;
3509
3510 if (used <= buf_len) {
3511 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
3512 }
3513 #endif
3514
3515 return used;
3516 }
3517
3518 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)3519 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
3520 const unsigned char *buf,
3521 size_t len)
3522 {
3523 #if defined(MBEDTLS_HAVE_TIME)
3524 uint64_t start;
3525 #endif
3526 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3527 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3528 size_t cert_len;
3529 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3530 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3531
3532 const unsigned char *p = buf;
3533 const unsigned char * const end = buf + len;
3534
3535 /*
3536 * Time
3537 */
3538 #if defined(MBEDTLS_HAVE_TIME)
3539 if (8 > (size_t) (end - p)) {
3540 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3541 }
3542
3543 start = MBEDTLS_GET_UINT64_BE(p, 0);
3544 p += 8;
3545
3546 session->start = (time_t) start;
3547 #endif /* MBEDTLS_HAVE_TIME */
3548
3549 /*
3550 * Basic mandatory fields
3551 */
3552 if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
3553 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3554 }
3555
3556 session->id_len = *p++;
3557 memcpy(session->id, p, 32);
3558 p += 32;
3559
3560 memcpy(session->master, p, 48);
3561 p += 48;
3562
3563 session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
3564 p += 4;
3565
3566 /* Immediately clear invalid pointer values that have been read, in case
3567 * we exit early before we replaced them with valid ones. */
3568 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3569 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3570 session->peer_cert = NULL;
3571 #else
3572 session->peer_cert_digest = NULL;
3573 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3574 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3575 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
3576 session->ticket = NULL;
3577 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
3578
3579 /*
3580 * Peer certificate
3581 */
3582 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3583 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3584 /* Deserialize CRT from the end of the ticket. */
3585 if (3 > (size_t) (end - p)) {
3586 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3587 }
3588
3589 cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
3590 p += 3;
3591
3592 if (cert_len != 0) {
3593 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3594
3595 if (cert_len > (size_t) (end - p)) {
3596 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3597 }
3598
3599 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
3600
3601 if (session->peer_cert == NULL) {
3602 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3603 }
3604
3605 mbedtls_x509_crt_init(session->peer_cert);
3606
3607 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
3608 p, cert_len)) != 0) {
3609 mbedtls_x509_crt_free(session->peer_cert);
3610 mbedtls_free(session->peer_cert);
3611 session->peer_cert = NULL;
3612 return ret;
3613 }
3614
3615 p += cert_len;
3616 }
3617 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3618 /* Deserialize CRT digest from the end of the ticket. */
3619 if (2 > (size_t) (end - p)) {
3620 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3621 }
3622
3623 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
3624 session->peer_cert_digest_len = (size_t) *p++;
3625
3626 if (session->peer_cert_digest_len != 0) {
3627 const mbedtls_md_info_t *md_info =
3628 mbedtls_md_info_from_type(session->peer_cert_digest_type);
3629 if (md_info == NULL) {
3630 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3631 }
3632 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
3633 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3634 }
3635
3636 if (session->peer_cert_digest_len > (size_t) (end - p)) {
3637 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3638 }
3639
3640 session->peer_cert_digest =
3641 mbedtls_calloc(1, session->peer_cert_digest_len);
3642 if (session->peer_cert_digest == NULL) {
3643 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3644 }
3645
3646 memcpy(session->peer_cert_digest, p,
3647 session->peer_cert_digest_len);
3648 p += session->peer_cert_digest_len;
3649 }
3650 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3651 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3652
3653 /*
3654 * Session ticket and associated data
3655 */
3656 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3657 #if defined(MBEDTLS_SSL_CLI_C)
3658 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3659 if (3 > (size_t) (end - p)) {
3660 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3661 }
3662
3663 session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
3664 p += 3;
3665
3666 if (session->ticket_len != 0) {
3667 if (session->ticket_len > (size_t) (end - p)) {
3668 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3669 }
3670
3671 session->ticket = mbedtls_calloc(1, session->ticket_len);
3672 if (session->ticket == NULL) {
3673 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3674 }
3675
3676 memcpy(session->ticket, p, session->ticket_len);
3677 p += session->ticket_len;
3678 }
3679
3680 if (4 > (size_t) (end - p)) {
3681 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3682 }
3683
3684 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
3685 p += 4;
3686 }
3687 #endif /* MBEDTLS_SSL_CLI_C */
3688 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3689 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3690 if (8 > (size_t) (end - p)) {
3691 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3692 }
3693 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3694 p += 8;
3695 }
3696 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3697 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3698
3699 /*
3700 * Misc extension-related info
3701 */
3702 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3703 if (1 > (size_t) (end - p)) {
3704 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3705 }
3706
3707 session->mfl_code = *p++;
3708 #endif
3709
3710 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3711 if (1 > (size_t) (end - p)) {
3712 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3713 }
3714
3715 session->encrypt_then_mac = *p++;
3716 #endif
3717
3718 /* Done, should have consumed entire buffer */
3719 if (p != end) {
3720 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3721 }
3722
3723 return 0;
3724 }
3725
3726 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3727
3728 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3729 /* Serialization of TLS 1.3 sessions:
3730 *
3731 * For more detail, see the description of ssl_session_save().
3732 */
3733 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3734 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)3735 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
3736 unsigned char *buf,
3737 size_t buf_len,
3738 size_t *olen)
3739 {
3740 unsigned char *p = buf;
3741 #if defined(MBEDTLS_SSL_CLI_C) && \
3742 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3743 size_t hostname_len = (session->hostname == NULL) ?
3744 0 : strlen(session->hostname) + 1;
3745 #endif
3746
3747 #if defined(MBEDTLS_SSL_SRV_C) && \
3748 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3749 const size_t alpn_len = (session->ticket_alpn == NULL) ?
3750 0 : strlen(session->ticket_alpn) + 1;
3751 #endif
3752 size_t needed = 4 /* ticket_age_add */
3753 + 1 /* ticket_flags */
3754 + 1; /* resumption_key length */
3755
3756 *olen = 0;
3757
3758 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
3759 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3760 }
3761 needed += session->resumption_key_len; /* resumption_key */
3762
3763 #if defined(MBEDTLS_SSL_EARLY_DATA)
3764 needed += 4; /* max_early_data_size */
3765 #endif
3766 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3767 needed += 2; /* record_size_limit */
3768 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3769
3770 #if defined(MBEDTLS_HAVE_TIME)
3771 needed += 8; /* ticket_creation_time or ticket_reception_time */
3772 #endif
3773
3774 #if defined(MBEDTLS_SSL_SRV_C)
3775 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3776 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3777 needed += 2 /* alpn_len */
3778 + alpn_len; /* alpn */
3779 #endif
3780 }
3781 #endif /* MBEDTLS_SSL_SRV_C */
3782
3783 #if defined(MBEDTLS_SSL_CLI_C)
3784 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3785 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3786 needed += 2 /* hostname_len */
3787 + hostname_len; /* hostname */
3788 #endif
3789
3790 needed += 4 /* ticket_lifetime */
3791 + 2; /* ticket_len */
3792
3793 /* Check size_t overflow */
3794 if (session->ticket_len > SIZE_MAX - needed) {
3795 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3796 }
3797
3798 needed += session->ticket_len; /* ticket */
3799 }
3800 #endif /* MBEDTLS_SSL_CLI_C */
3801
3802 *olen = needed;
3803 if (needed > buf_len) {
3804 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3805 }
3806
3807 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
3808 p[4] = session->ticket_flags;
3809
3810 /* save resumption_key */
3811 p[5] = session->resumption_key_len;
3812 p += 6;
3813 memcpy(p, session->resumption_key, session->resumption_key_len);
3814 p += session->resumption_key_len;
3815
3816 #if defined(MBEDTLS_SSL_EARLY_DATA)
3817 MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
3818 p += 4;
3819 #endif
3820 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3821 MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
3822 p += 2;
3823 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3824
3825 #if defined(MBEDTLS_SSL_SRV_C)
3826 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3827 #if defined(MBEDTLS_HAVE_TIME)
3828 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3829 p += 8;
3830 #endif /* MBEDTLS_HAVE_TIME */
3831
3832 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3833 MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
3834 p += 2;
3835
3836 if (alpn_len > 0) {
3837 /* save chosen alpn */
3838 memcpy(p, session->ticket_alpn, alpn_len);
3839 p += alpn_len;
3840 }
3841 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3842 }
3843 #endif /* MBEDTLS_SSL_SRV_C */
3844
3845 #if defined(MBEDTLS_SSL_CLI_C)
3846 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3847 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3848 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
3849 p += 2;
3850 if (hostname_len > 0) {
3851 /* save host name */
3852 memcpy(p, session->hostname, hostname_len);
3853 p += hostname_len;
3854 }
3855 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3856
3857 #if defined(MBEDTLS_HAVE_TIME)
3858 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
3859 p += 8;
3860 #endif
3861 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3862 p += 4;
3863
3864 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
3865 p += 2;
3866
3867 if (session->ticket != NULL && session->ticket_len > 0) {
3868 memcpy(p, session->ticket, session->ticket_len);
3869 p += session->ticket_len;
3870 }
3871 }
3872 #endif /* MBEDTLS_SSL_CLI_C */
3873 return 0;
3874 }
3875
3876 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)3877 static int ssl_tls13_session_load(mbedtls_ssl_session *session,
3878 const unsigned char *buf,
3879 size_t len)
3880 {
3881 const unsigned char *p = buf;
3882 const unsigned char *end = buf + len;
3883
3884 if (end - p < 6) {
3885 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3886 }
3887 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
3888 session->ticket_flags = p[4];
3889
3890 /* load resumption_key */
3891 session->resumption_key_len = p[5];
3892 p += 6;
3893
3894 if (end - p < session->resumption_key_len) {
3895 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3896 }
3897
3898 if (sizeof(session->resumption_key) < session->resumption_key_len) {
3899 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3900 }
3901 memcpy(session->resumption_key, p, session->resumption_key_len);
3902 p += session->resumption_key_len;
3903
3904 #if defined(MBEDTLS_SSL_EARLY_DATA)
3905 if (end - p < 4) {
3906 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3907 }
3908 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
3909 p += 4;
3910 #endif
3911 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3912 if (end - p < 2) {
3913 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3914 }
3915 session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
3916 p += 2;
3917 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3918
3919 #if defined(MBEDTLS_SSL_SRV_C)
3920 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3921 #if defined(MBEDTLS_HAVE_TIME)
3922 if (end - p < 8) {
3923 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3924 }
3925 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3926 p += 8;
3927 #endif /* MBEDTLS_HAVE_TIME */
3928
3929 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3930 size_t alpn_len;
3931
3932 if (end - p < 2) {
3933 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3934 }
3935
3936 alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
3937 p += 2;
3938
3939 if (end - p < (long int) alpn_len) {
3940 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3941 }
3942
3943 if (alpn_len > 0) {
3944 int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
3945 if (ret != 0) {
3946 return ret;
3947 }
3948 p += alpn_len;
3949 }
3950 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3951 }
3952 #endif /* MBEDTLS_SSL_SRV_C */
3953
3954 #if defined(MBEDTLS_SSL_CLI_C)
3955 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3956 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3957 size_t hostname_len;
3958 /* load host name */
3959 if (end - p < 2) {
3960 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3961 }
3962 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
3963 p += 2;
3964
3965 if (end - p < (long int) hostname_len) {
3966 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3967 }
3968 if (hostname_len > 0) {
3969 session->hostname = mbedtls_calloc(1, hostname_len);
3970 if (session->hostname == NULL) {
3971 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3972 }
3973 memcpy(session->hostname, p, hostname_len);
3974 p += hostname_len;
3975 }
3976 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3977
3978 #if defined(MBEDTLS_HAVE_TIME)
3979 if (end - p < 8) {
3980 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3981 }
3982 session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0);
3983 p += 8;
3984 #endif
3985 if (end - p < 4) {
3986 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3987 }
3988 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
3989 p += 4;
3990
3991 if (end - p < 2) {
3992 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3993 }
3994 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
3995 p += 2;
3996
3997 if (end - p < (long int) session->ticket_len) {
3998 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3999 }
4000 if (session->ticket_len > 0) {
4001 session->ticket = mbedtls_calloc(1, session->ticket_len);
4002 if (session->ticket == NULL) {
4003 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
4004 }
4005 memcpy(session->ticket, p, session->ticket_len);
4006 p += session->ticket_len;
4007 }
4008 }
4009 #endif /* MBEDTLS_SSL_CLI_C */
4010
4011 return 0;
4012
4013 }
4014 #else /* MBEDTLS_SSL_SESSION_TICKETS */
4015 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)4016 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
4017 unsigned char *buf,
4018 size_t buf_len,
4019 size_t *olen)
4020 {
4021 ((void) session);
4022 ((void) buf);
4023 ((void) buf_len);
4024 *olen = 0;
4025 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4026 }
4027
ssl_tls13_session_load(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len)4028 static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
4029 unsigned char *buf,
4030 size_t buf_len)
4031 {
4032 ((void) session);
4033 ((void) buf);
4034 ((void) buf_len);
4035 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4036 }
4037 #endif /* !MBEDTLS_SSL_SESSION_TICKETS */
4038 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4039
4040 /*
4041 * Define ticket header determining Mbed TLS version
4042 * and structure of the ticket.
4043 */
4044
4045 /*
4046 * Define bitflag determining compile-time settings influencing
4047 * structure of serialized SSL sessions.
4048 */
4049
4050 #if defined(MBEDTLS_HAVE_TIME)
4051 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
4052 #else
4053 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
4054 #endif /* MBEDTLS_HAVE_TIME */
4055
4056 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4057 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
4058 #else
4059 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
4060 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4061
4062 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4063 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
4064 #else
4065 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
4066 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4067
4068 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
4069 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
4070 #else
4071 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
4072 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
4073
4074 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4075 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
4076 #else
4077 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
4078 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4079
4080 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4081 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
4082 #else
4083 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
4084 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
4085
4086 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4087 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
4088 #else
4089 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
4090 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4091
4092 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4093 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 1
4094 #else
4095 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 0
4096 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4097
4098 #if defined(MBEDTLS_SSL_EARLY_DATA)
4099 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1
4100 #else
4101 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0
4102 #endif /* MBEDTLS_SSL_EARLY_DATA */
4103
4104 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4105 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1
4106 #else
4107 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0
4108 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
4109
4110 #if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \
4111 defined(MBEDTLS_SSL_EARLY_DATA)
4112 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1
4113 #else
4114 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0
4115 #endif /* MBEDTLS_SSL_ALPN */
4116
4117 #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
4118 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
4119 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
4120 #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
4121 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
4122 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
4123 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6
4124 #define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7
4125 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8
4126 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9
4127 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10
4128
4129 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
4130 ((uint16_t) ( \
4131 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
4132 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
4133 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
4134 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
4135 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
4136 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
4137 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
4138 (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
4139 SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \
4140 (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \
4141 (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \
4142 SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \
4143 (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \
4144 SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \
4145 (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \
4146 SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT)))
4147
4148 static const unsigned char ssl_serialized_session_header[] = {
4149 MBEDTLS_VERSION_MAJOR,
4150 MBEDTLS_VERSION_MINOR,
4151 MBEDTLS_VERSION_PATCH,
4152 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4153 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4154 };
4155
4156 /*
4157 * Serialize a session in the following format:
4158 * (in the presentation language of TLS, RFC 8446 section 3)
4159 *
4160 * TLS 1.2 session:
4161 *
4162 * struct {
4163 * #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4164 * opaque ticket<0..2^24-1>; // length 0 means no ticket
4165 * uint32 ticket_lifetime;
4166 * #endif
4167 * } ClientOnlyData;
4168 *
4169 * struct {
4170 * #if defined(MBEDTLS_HAVE_TIME)
4171 * uint64 start_time;
4172 * #endif
4173 * uint8 session_id_len; // at most 32
4174 * opaque session_id[32];
4175 * opaque master[48]; // fixed length in the standard
4176 * uint32 verify_result;
4177 * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
4178 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
4179 * #else
4180 * uint8 peer_cert_digest_type;
4181 * opaque peer_cert_digest<0..2^8-1>
4182 * #endif
4183 * select (endpoint) {
4184 * case client: ClientOnlyData;
4185 * case server: uint64 ticket_creation_time;
4186 * };
4187 * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4188 * uint8 mfl_code; // up to 255 according to standard
4189 * #endif
4190 * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4191 * uint8 encrypt_then_mac; // 0 or 1
4192 * #endif
4193 * } serialized_session_tls12;
4194 *
4195 *
4196 * TLS 1.3 Session:
4197 *
4198 * struct {
4199 * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4200 * opaque hostname<0..2^16-1>;
4201 * #endif
4202 * #if defined(MBEDTLS_HAVE_TIME)
4203 * uint64 ticket_reception_time;
4204 * #endif
4205 * uint32 ticket_lifetime;
4206 * opaque ticket<1..2^16-1>;
4207 * } ClientOnlyData;
4208 *
4209 * struct {
4210 * uint32 ticket_age_add;
4211 * uint8 ticket_flags;
4212 * opaque resumption_key<0..255>;
4213 * #if defined(MBEDTLS_SSL_EARLY_DATA)
4214 * uint32 max_early_data_size;
4215 * #endif
4216 * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4217 * uint16 record_size_limit;
4218 * #endif
4219 * select ( endpoint ) {
4220 * case client: ClientOnlyData;
4221 * case server:
4222 * #if defined(MBEDTLS_HAVE_TIME)
4223 * uint64 ticket_creation_time;
4224 * #endif
4225 * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
4226 * opaque ticket_alpn<0..256>;
4227 * #endif
4228 * };
4229 * } serialized_session_tls13;
4230 *
4231 *
4232 * SSL session:
4233 *
4234 * struct {
4235 *
4236 * opaque mbedtls_version[3]; // library version: major, minor, patch
4237 * opaque session_format[2]; // library-version specific 16-bit field
4238 * // determining the format of the remaining
4239 * // serialized data.
4240 *
4241 * Note: When updating the format, remember to keep
4242 * these version+format bytes.
4243 *
4244 * // In this version, `session_format` determines
4245 * // the setting of those compile-time
4246 * // configuration options which influence
4247 * // the structure of mbedtls_ssl_session.
4248 *
4249 * uint8_t minor_ver; // Protocol minor version. Possible values:
4250 * // - TLS 1.2 (0x0303)
4251 * // - TLS 1.3 (0x0304)
4252 * uint8_t endpoint;
4253 * uint16_t ciphersuite;
4254 *
4255 * select (serialized_session.tls_version) {
4256 *
4257 * case MBEDTLS_SSL_VERSION_TLS1_2:
4258 * serialized_session_tls12 data;
4259 * case MBEDTLS_SSL_VERSION_TLS1_3:
4260 * serialized_session_tls13 data;
4261 *
4262 * };
4263 *
4264 * } serialized_session;
4265 *
4266 */
4267
4268 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_save(const mbedtls_ssl_session * session,unsigned char omit_header,unsigned char * buf,size_t buf_len,size_t * olen)4269 static int ssl_session_save(const mbedtls_ssl_session *session,
4270 unsigned char omit_header,
4271 unsigned char *buf,
4272 size_t buf_len,
4273 size_t *olen)
4274 {
4275 unsigned char *p = buf;
4276 size_t used = 0;
4277 size_t remaining_len;
4278 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4279 size_t out_len;
4280 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4281 #endif
4282 if (session == NULL) {
4283 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4284 }
4285
4286 if (!omit_header) {
4287 /*
4288 * Add Mbed TLS version identifier
4289 */
4290 used += sizeof(ssl_serialized_session_header);
4291
4292 if (used <= buf_len) {
4293 memcpy(p, ssl_serialized_session_header,
4294 sizeof(ssl_serialized_session_header));
4295 p += sizeof(ssl_serialized_session_header);
4296 }
4297 }
4298
4299 /*
4300 * TLS version identifier, endpoint, ciphersuite
4301 */
4302 used += 1 /* TLS version */
4303 + 1 /* endpoint */
4304 + 2; /* ciphersuite */
4305 if (used <= buf_len) {
4306 *p++ = MBEDTLS_BYTE_0(session->tls_version);
4307 *p++ = session->endpoint;
4308 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
4309 p += 2;
4310 }
4311
4312 /* Forward to version-specific serialization routine. */
4313 remaining_len = (buf_len >= used) ? buf_len - used : 0;
4314 switch (session->tls_version) {
4315 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4316 case MBEDTLS_SSL_VERSION_TLS1_2:
4317 used += ssl_tls12_session_save(session, p, remaining_len);
4318 break;
4319 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4320
4321 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4322 case MBEDTLS_SSL_VERSION_TLS1_3:
4323 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
4324 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
4325 return ret;
4326 }
4327 used += out_len;
4328 break;
4329 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4330
4331 default:
4332 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4333 }
4334
4335 *olen = used;
4336 if (used > buf_len) {
4337 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4338 }
4339
4340 return 0;
4341 }
4342
4343 /*
4344 * Public wrapper for ssl_session_save()
4345 */
mbedtls_ssl_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)4346 int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
4347 unsigned char *buf,
4348 size_t buf_len,
4349 size_t *olen)
4350 {
4351 return ssl_session_save(session, 0, buf, buf_len, olen);
4352 }
4353
4354 /*
4355 * Deserialize session, see mbedtls_ssl_session_save() for format.
4356 *
4357 * This internal version is wrapped by a public function that cleans up in
4358 * case of error, and has an extra option omit_header.
4359 */
4360 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_load(mbedtls_ssl_session * session,unsigned char omit_header,const unsigned char * buf,size_t len)4361 static int ssl_session_load(mbedtls_ssl_session *session,
4362 unsigned char omit_header,
4363 const unsigned char *buf,
4364 size_t len)
4365 {
4366 const unsigned char *p = buf;
4367 const unsigned char * const end = buf + len;
4368 size_t remaining_len;
4369
4370
4371 if (session == NULL) {
4372 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4373 }
4374
4375 if (!omit_header) {
4376 /*
4377 * Check Mbed TLS version identifier
4378 */
4379
4380 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
4381 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4382 }
4383
4384 if (memcmp(p, ssl_serialized_session_header,
4385 sizeof(ssl_serialized_session_header)) != 0) {
4386 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
4387 }
4388 p += sizeof(ssl_serialized_session_header);
4389 }
4390
4391 /*
4392 * TLS version identifier, endpoint, ciphersuite
4393 */
4394 if (4 > (size_t) (end - p)) {
4395 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4396 }
4397 session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
4398 session->endpoint = *p++;
4399 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0);
4400 p += 2;
4401
4402 /* Dispatch according to TLS version. */
4403 remaining_len = (size_t) (end - p);
4404 switch (session->tls_version) {
4405 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4406 case MBEDTLS_SSL_VERSION_TLS1_2:
4407 return ssl_tls12_session_load(session, p, remaining_len);
4408 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4409
4410 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4411 case MBEDTLS_SSL_VERSION_TLS1_3:
4412 return ssl_tls13_session_load(session, p, remaining_len);
4413 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4414
4415 default:
4416 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4417 }
4418 }
4419
4420 /*
4421 * Deserialize session: public wrapper for error cleaning
4422 */
mbedtls_ssl_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)4423 int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
4424 const unsigned char *buf,
4425 size_t len)
4426 {
4427 int ret = ssl_session_load(session, 0, buf, len);
4428
4429 if (ret != 0) {
4430 mbedtls_ssl_session_free(session);
4431 }
4432
4433 return ret;
4434 }
4435
4436 /*
4437 * Perform a single step of the SSL handshake
4438 */
4439 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_prepare_handshake_step(mbedtls_ssl_context * ssl)4440 static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
4441 {
4442 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4443
4444 /*
4445 * We may have not been able to send to the peer all the handshake data
4446 * that were written into the output buffer by the previous handshake step,
4447 * if the write to the network callback returned with the
4448 * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
4449 * We proceed to the next handshake step only when all data from the
4450 * previous one have been sent to the peer, thus we make sure that this is
4451 * the case here by calling `mbedtls_ssl_flush_output()`. The function may
4452 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
4453 * we have to wait before to go ahead.
4454 * In the case of TLS 1.3, handshake step handlers do not send data to the
4455 * peer. Data are only sent here and through
4456 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
4457 * alert occurred.
4458 */
4459 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
4460 return ret;
4461 }
4462
4463 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4464 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4465 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4466 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
4467 return ret;
4468 }
4469 }
4470 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4471
4472 return ret;
4473 }
4474
mbedtls_ssl_handshake_step(mbedtls_ssl_context * ssl)4475 int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
4476 {
4477 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4478
4479 if (ssl == NULL ||
4480 ssl->conf == NULL ||
4481 ssl->handshake == NULL ||
4482 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
4483 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4484 }
4485
4486 ret = ssl_prepare_handshake_step(ssl);
4487 if (ret != 0) {
4488 return ret;
4489 }
4490
4491 ret = mbedtls_ssl_handle_pending_alert(ssl);
4492 if (ret != 0) {
4493 goto cleanup;
4494 }
4495
4496 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
4497 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
4498 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4499
4500 #if defined(MBEDTLS_SSL_CLI_C)
4501 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
4502 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
4503 mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state)));
4504
4505 switch (ssl->state) {
4506 case MBEDTLS_SSL_HELLO_REQUEST:
4507 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4508 ret = 0;
4509 break;
4510
4511 case MBEDTLS_SSL_CLIENT_HELLO:
4512 ret = mbedtls_ssl_write_client_hello(ssl);
4513 break;
4514
4515 default:
4516 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4517 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4518 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4519 } else {
4520 ret = mbedtls_ssl_handshake_client_step(ssl);
4521 }
4522 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4523 ret = mbedtls_ssl_handshake_client_step(ssl);
4524 #else
4525 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4526 #endif
4527 }
4528 }
4529 #endif /* MBEDTLS_SSL_CLI_C */
4530
4531 #if defined(MBEDTLS_SSL_SRV_C)
4532 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4533 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4534 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4535 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
4536 } else {
4537 ret = mbedtls_ssl_handshake_server_step(ssl);
4538 }
4539 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4540 ret = mbedtls_ssl_handshake_server_step(ssl);
4541 #else
4542 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
4543 #endif
4544 }
4545 #endif /* MBEDTLS_SSL_SRV_C */
4546
4547 if (ret != 0) {
4548 /* handshake_step return error. And it is same
4549 * with alert_reason.
4550 */
4551 if (ssl->send_alert) {
4552 ret = mbedtls_ssl_handle_pending_alert(ssl);
4553 goto cleanup;
4554 }
4555 }
4556
4557 cleanup:
4558 return ret;
4559 }
4560
4561 /*
4562 * Perform the SSL handshake
4563 */
mbedtls_ssl_handshake(mbedtls_ssl_context * ssl)4564 int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
4565 {
4566 int ret = 0;
4567
4568 /* Sanity checks */
4569
4570 if (ssl == NULL || ssl->conf == NULL) {
4571 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4572 }
4573
4574 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4575 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4576 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
4577 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
4578 "mbedtls_ssl_set_timer_cb() for DTLS"));
4579 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4580 }
4581 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4582
4583 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
4584
4585 /* Main handshake loop */
4586 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
4587 ret = mbedtls_ssl_handshake_step(ssl);
4588
4589 if (ret != 0) {
4590 break;
4591 }
4592 }
4593
4594 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
4595
4596 return ret;
4597 }
4598
4599 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4600 #if defined(MBEDTLS_SSL_SRV_C)
4601 /*
4602 * Write HelloRequest to request renegotiation on server
4603 */
4604 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_hello_request(mbedtls_ssl_context * ssl)4605 static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
4606 {
4607 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4608
4609 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
4610
4611 ssl->out_msglen = 4;
4612 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4613 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
4614
4615 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4616 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4617 return ret;
4618 }
4619
4620 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
4621
4622 return 0;
4623 }
4624 #endif /* MBEDTLS_SSL_SRV_C */
4625
4626 /*
4627 * Actually renegotiate current connection, triggered by either:
4628 * - any side: calling mbedtls_ssl_renegotiate(),
4629 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
4630 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
4631 * the initial handshake is completed.
4632 * If the handshake doesn't complete due to waiting for I/O, it will continue
4633 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
4634 */
mbedtls_ssl_start_renegotiation(mbedtls_ssl_context * ssl)4635 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl)
4636 {
4637 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4638
4639 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
4640
4641 if ((ret = ssl_handshake_init(ssl)) != 0) {
4642 return ret;
4643 }
4644
4645 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
4646 * the ServerHello will have message_seq = 1" */
4647 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4648 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4649 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
4650 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4651 ssl->handshake->out_msg_seq = 1;
4652 } else {
4653 ssl->handshake->in_msg_seq = 1;
4654 }
4655 }
4656 #endif
4657
4658 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
4659 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
4660
4661 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4662 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4663 return ret;
4664 }
4665
4666 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
4667
4668 return 0;
4669 }
4670
4671 /*
4672 * Renegotiate current connection on client,
4673 * or request renegotiation on server
4674 */
mbedtls_ssl_renegotiate(mbedtls_ssl_context * ssl)4675 int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
4676 {
4677 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4678
4679 if (ssl == NULL || ssl->conf == NULL) {
4680 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4681 }
4682
4683 #if defined(MBEDTLS_SSL_SRV_C)
4684 /* On server, just send the request */
4685 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4686 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4687 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4688 }
4689
4690 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
4691
4692 /* Did we already try/start sending HelloRequest? */
4693 if (ssl->out_left != 0) {
4694 return mbedtls_ssl_flush_output(ssl);
4695 }
4696
4697 return ssl_write_hello_request(ssl);
4698 }
4699 #endif /* MBEDTLS_SSL_SRV_C */
4700
4701 #if defined(MBEDTLS_SSL_CLI_C)
4702 /*
4703 * On client, either start the renegotiation process or,
4704 * if already in progress, continue the handshake
4705 */
4706 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
4707 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4708 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4709 }
4710
4711 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
4712 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
4713 return ret;
4714 }
4715 } else {
4716 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4717 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4718 return ret;
4719 }
4720 }
4721 #endif /* MBEDTLS_SSL_CLI_C */
4722
4723 return ret;
4724 }
4725 #endif /* MBEDTLS_SSL_RENEGOTIATION */
4726
mbedtls_ssl_handshake_free(mbedtls_ssl_context * ssl)4727 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
4728 {
4729 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
4730
4731 if (handshake == NULL) {
4732 return;
4733 }
4734
4735 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
4736 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4737 if (ssl->handshake->group_list_heap_allocated) {
4738 mbedtls_free((void *) handshake->group_list);
4739 }
4740 handshake->group_list = NULL;
4741 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4742 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
4743
4744 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
4745 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4746 if (ssl->handshake->sig_algs_heap_allocated) {
4747 mbedtls_free((void *) handshake->sig_algs);
4748 }
4749 handshake->sig_algs = NULL;
4750 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4751 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4752 if (ssl->handshake->certificate_request_context) {
4753 mbedtls_free((void *) handshake->certificate_request_context);
4754 }
4755 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4756 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
4757
4758 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4759 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
4760 ssl->conf->f_async_cancel(ssl);
4761 handshake->async_in_progress = 0;
4762 }
4763 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4764
4765 #if defined(MBEDTLS_MD_CAN_SHA256)
4766 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4767 psa_hash_abort(&handshake->fin_sha256_psa);
4768 #else
4769 mbedtls_md_free(&handshake->fin_sha256);
4770 #endif
4771 #endif
4772 #if defined(MBEDTLS_MD_CAN_SHA384)
4773 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4774 psa_hash_abort(&handshake->fin_sha384_psa);
4775 #else
4776 mbedtls_md_free(&handshake->fin_sha384);
4777 #endif
4778 #endif
4779
4780 #if defined(MBEDTLS_DHM_C)
4781 mbedtls_dhm_free(&handshake->dhm_ctx);
4782 #endif
4783 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
4784 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
4785 mbedtls_ecdh_free(&handshake->ecdh_ctx);
4786 #endif
4787
4788 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4789 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4790 psa_pake_abort(&handshake->psa_pake_ctx);
4791 /*
4792 * Opaque keys are not stored in the handshake's data and it's the user
4793 * responsibility to destroy them. Clear ones, instead, are created by
4794 * the TLS library and should be destroyed at the same level
4795 */
4796 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
4797 psa_destroy_key(handshake->psa_pake_password);
4798 }
4799 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
4800 #else
4801 mbedtls_ecjpake_free(&handshake->ecjpake_ctx);
4802 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4803 #if defined(MBEDTLS_SSL_CLI_C)
4804 mbedtls_free(handshake->ecjpake_cache);
4805 handshake->ecjpake_cache = NULL;
4806 handshake->ecjpake_cache_len = 0;
4807 #endif
4808 #endif
4809
4810 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
4811 defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
4812 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4813 /* explicit void pointer cast for buggy MS compiler */
4814 mbedtls_free((void *) handshake->curves_tls_id);
4815 #endif
4816
4817 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
4818 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4819 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
4820 /* The maintenance of the external PSK key slot is the
4821 * user's responsibility. */
4822 if (ssl->handshake->psk_opaque_is_internal) {
4823 psa_destroy_key(ssl->handshake->psk_opaque);
4824 ssl->handshake->psk_opaque_is_internal = 0;
4825 }
4826 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
4827 }
4828 #else
4829 if (handshake->psk != NULL) {
4830 mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len);
4831 }
4832 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4833 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
4834
4835 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4836 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4837 /*
4838 * Free only the linked list wrapper, not the keys themselves
4839 * since the belong to the SNI callback
4840 */
4841 ssl_key_cert_free(handshake->sni_key_cert);
4842 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
4843
4844 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4845 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
4846 if (handshake->ecrs_peer_cert != NULL) {
4847 mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
4848 mbedtls_free(handshake->ecrs_peer_cert);
4849 }
4850 #endif
4851
4852 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4853 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4854 mbedtls_pk_free(&handshake->peer_pubkey);
4855 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4856
4857 #if defined(MBEDTLS_SSL_CLI_C) && \
4858 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
4859 mbedtls_free(handshake->cookie);
4860 #endif /* MBEDTLS_SSL_CLI_C &&
4861 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
4862
4863 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4864 mbedtls_ssl_flight_free(handshake->flight);
4865 mbedtls_ssl_buffering_free(ssl);
4866 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4867
4868 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
4869 if (handshake->xxdh_psa_privkey_is_external == 0) {
4870 psa_destroy_key(handshake->xxdh_psa_privkey);
4871 }
4872 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
4873
4874 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4875 mbedtls_ssl_transform_free(handshake->transform_handshake);
4876 mbedtls_free(handshake->transform_handshake);
4877 #if defined(MBEDTLS_SSL_EARLY_DATA)
4878 mbedtls_ssl_transform_free(handshake->transform_earlydata);
4879 mbedtls_free(handshake->transform_earlydata);
4880 #endif
4881 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4882
4883
4884 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4885 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
4886 * processes datagrams and the fact that a datagram is allowed to have
4887 * several records in it, it is possible that the I/O buffers are not
4888 * empty at this stage */
4889 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
4890 mbedtls_ssl_get_output_buflen(ssl));
4891 #endif
4892
4893 /* mbedtls_platform_zeroize MUST be last one in this function */
4894 mbedtls_platform_zeroize(handshake,
4895 sizeof(mbedtls_ssl_handshake_params));
4896 }
4897
mbedtls_ssl_session_free(mbedtls_ssl_session * session)4898 void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
4899 {
4900 if (session == NULL) {
4901 return;
4902 }
4903
4904 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4905 ssl_clear_peer_cert(session);
4906 #endif
4907
4908 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4909 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
4910 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4911 mbedtls_free(session->hostname);
4912 #endif
4913 mbedtls_free(session->ticket);
4914 #endif
4915
4916 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \
4917 defined(MBEDTLS_SSL_SRV_C)
4918 mbedtls_free(session->ticket_alpn);
4919 #endif
4920
4921 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
4922 }
4923
4924 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
4925
4926 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4927 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
4928 #else
4929 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
4930 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4931
4932 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
4933
4934 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4935 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
4936 #else
4937 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
4938 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4939
4940 #if defined(MBEDTLS_SSL_ALPN)
4941 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
4942 #else
4943 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
4944 #endif /* MBEDTLS_SSL_ALPN */
4945
4946 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
4947 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
4948 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
4949 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
4950
4951 #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
4952 ((uint32_t) ( \
4953 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
4954 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
4955 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
4956 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
4957 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
4958 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
4959 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
4960 0u))
4961
4962 static const unsigned char ssl_serialized_context_header[] = {
4963 MBEDTLS_VERSION_MAJOR,
4964 MBEDTLS_VERSION_MINOR,
4965 MBEDTLS_VERSION_PATCH,
4966 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4967 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4968 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4969 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4970 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
4971 };
4972
4973 /*
4974 * Serialize a full SSL context
4975 *
4976 * The format of the serialized data is:
4977 * (in the presentation language of TLS, RFC 8446 section 3)
4978 *
4979 * // header
4980 * opaque mbedtls_version[3]; // major, minor, patch
4981 * opaque context_format[5]; // version-specific field determining
4982 * // the format of the remaining
4983 * // serialized data.
4984 * Note: When updating the format, remember to keep these
4985 * version+format bytes. (We may make their size part of the API.)
4986 *
4987 * // session sub-structure
4988 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
4989 * // transform sub-structure
4990 * uint8 random[64]; // ServerHello.random+ClientHello.random
4991 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
4992 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
4993 * // fields from ssl_context
4994 * uint32 badmac_seen; // DTLS: number of records with failing MAC
4995 * uint64 in_window_top; // DTLS: last validated record seq_num
4996 * uint64 in_window; // DTLS: bitmask for replay protection
4997 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
4998 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
4999 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
5000 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
5001 *
5002 * Note that many fields of the ssl_context or sub-structures are not
5003 * serialized, as they fall in one of the following categories:
5004 *
5005 * 1. forced value (eg in_left must be 0)
5006 * 2. pointer to dynamically-allocated memory (eg session, transform)
5007 * 3. value can be re-derived from other data (eg session keys from MS)
5008 * 4. value was temporary (eg content of input buffer)
5009 * 5. value will be provided by the user again (eg I/O callbacks and context)
5010 */
mbedtls_ssl_context_save(mbedtls_ssl_context * ssl,unsigned char * buf,size_t buf_len,size_t * olen)5011 int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
5012 unsigned char *buf,
5013 size_t buf_len,
5014 size_t *olen)
5015 {
5016 unsigned char *p = buf;
5017 size_t used = 0;
5018 size_t session_len;
5019 int ret = 0;
5020
5021 /*
5022 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
5023 * this function's documentation.
5024 *
5025 * These are due to assumptions/limitations in the implementation. Some of
5026 * them are likely to stay (no handshake in progress) some might go away
5027 * (only DTLS) but are currently used to simplify the implementation.
5028 */
5029 /* The initial handshake must be over */
5030 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
5031 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
5032 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5033 }
5034 if (ssl->handshake != NULL) {
5035 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
5036 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5037 }
5038 /* Double-check that sub-structures are indeed ready */
5039 if (ssl->transform == NULL || ssl->session == NULL) {
5040 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
5041 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5042 }
5043 /* There must be no pending incoming or outgoing data */
5044 if (mbedtls_ssl_check_pending(ssl) != 0) {
5045 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
5046 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5047 }
5048 if (ssl->out_left != 0) {
5049 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
5050 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5051 }
5052 /* Protocol must be DTLS, not TLS */
5053 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5054 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
5055 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5056 }
5057 /* Version must be 1.2 */
5058 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
5059 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
5060 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5061 }
5062 /* We must be using an AEAD ciphersuite */
5063 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
5064 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
5065 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5066 }
5067 /* Renegotiation must not be enabled */
5068 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5069 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
5070 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
5071 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5072 }
5073 #endif
5074
5075 /*
5076 * Version and format identifier
5077 */
5078 used += sizeof(ssl_serialized_context_header);
5079
5080 if (used <= buf_len) {
5081 memcpy(p, ssl_serialized_context_header,
5082 sizeof(ssl_serialized_context_header));
5083 p += sizeof(ssl_serialized_context_header);
5084 }
5085
5086 /*
5087 * Session (length + data)
5088 */
5089 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
5090 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
5091 return ret;
5092 }
5093
5094 used += 4 + session_len;
5095 if (used <= buf_len) {
5096 MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
5097 p += 4;
5098
5099 ret = ssl_session_save(ssl->session, 1,
5100 p, session_len, &session_len);
5101 if (ret != 0) {
5102 return ret;
5103 }
5104
5105 p += session_len;
5106 }
5107
5108 /*
5109 * Transform
5110 */
5111 used += sizeof(ssl->transform->randbytes);
5112 if (used <= buf_len) {
5113 memcpy(p, ssl->transform->randbytes,
5114 sizeof(ssl->transform->randbytes));
5115 p += sizeof(ssl->transform->randbytes);
5116 }
5117
5118 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5119 used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
5120 if (used <= buf_len) {
5121 *p++ = ssl->transform->in_cid_len;
5122 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
5123 p += ssl->transform->in_cid_len;
5124
5125 *p++ = ssl->transform->out_cid_len;
5126 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
5127 p += ssl->transform->out_cid_len;
5128 }
5129 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5130
5131 /*
5132 * Saved fields from top-level ssl_context structure
5133 */
5134 used += 4;
5135 if (used <= buf_len) {
5136 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0);
5137 p += 4;
5138 }
5139
5140 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5141 used += 16;
5142 if (used <= buf_len) {
5143 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
5144 p += 8;
5145
5146 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
5147 p += 8;
5148 }
5149 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5150
5151 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5152 used += 1;
5153 if (used <= buf_len) {
5154 *p++ = ssl->disable_datagram_packing;
5155 }
5156 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5157
5158 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5159 if (used <= buf_len) {
5160 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
5161 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5162 }
5163
5164 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5165 used += 2;
5166 if (used <= buf_len) {
5167 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
5168 p += 2;
5169 }
5170 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5171
5172 #if defined(MBEDTLS_SSL_ALPN)
5173 {
5174 const uint8_t alpn_len = ssl->alpn_chosen
5175 ? (uint8_t) strlen(ssl->alpn_chosen)
5176 : 0;
5177
5178 used += 1 + alpn_len;
5179 if (used <= buf_len) {
5180 *p++ = alpn_len;
5181
5182 if (ssl->alpn_chosen != NULL) {
5183 memcpy(p, ssl->alpn_chosen, alpn_len);
5184 p += alpn_len;
5185 }
5186 }
5187 }
5188 #endif /* MBEDTLS_SSL_ALPN */
5189
5190 /*
5191 * Done
5192 */
5193 *olen = used;
5194
5195 if (used > buf_len) {
5196 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
5197 }
5198
5199 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
5200
5201 return mbedtls_ssl_session_reset_int(ssl, 0);
5202 }
5203
5204 /*
5205 * Deserialize context, see mbedtls_ssl_context_save() for format.
5206 *
5207 * This internal version is wrapped by a public function that cleans up in
5208 * case of error.
5209 */
5210 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_context_load(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)5211 static int ssl_context_load(mbedtls_ssl_context *ssl,
5212 const unsigned char *buf,
5213 size_t len)
5214 {
5215 const unsigned char *p = buf;
5216 const unsigned char * const end = buf + len;
5217 size_t session_len;
5218 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5219 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5220 tls_prf_fn prf_func = NULL;
5221 #endif
5222
5223 /*
5224 * The context should have been freshly setup or reset.
5225 * Give the user an error in case of obvious misuse.
5226 * (Checking session is useful because it won't be NULL if we're
5227 * renegotiating, or if the user mistakenly loaded a session first.)
5228 */
5229 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
5230 ssl->session != NULL) {
5231 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5232 }
5233
5234 /*
5235 * We can't check that the config matches the initial one, but we can at
5236 * least check it matches the requirements for serializing.
5237 */
5238 if (
5239 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5240 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5241 #endif
5242 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
5243 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
5244 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2
5245 ) {
5246 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5247 }
5248
5249 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
5250
5251 /*
5252 * Check version identifier
5253 */
5254 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
5255 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5256 }
5257
5258 if (memcmp(p, ssl_serialized_context_header,
5259 sizeof(ssl_serialized_context_header)) != 0) {
5260 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
5261 }
5262 p += sizeof(ssl_serialized_context_header);
5263
5264 /*
5265 * Session
5266 */
5267 if ((size_t) (end - p) < 4) {
5268 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5269 }
5270
5271 session_len = MBEDTLS_GET_UINT32_BE(p, 0);
5272 p += 4;
5273
5274 /* This has been allocated by ssl_handshake_init(), called by
5275 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5276 ssl->session = ssl->session_negotiate;
5277 ssl->session_in = ssl->session;
5278 ssl->session_out = ssl->session;
5279 ssl->session_negotiate = NULL;
5280
5281 if ((size_t) (end - p) < session_len) {
5282 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5283 }
5284
5285 ret = ssl_session_load(ssl->session, 1, p, session_len);
5286 if (ret != 0) {
5287 mbedtls_ssl_session_free(ssl->session);
5288 return ret;
5289 }
5290
5291 p += session_len;
5292
5293 /*
5294 * Transform
5295 */
5296
5297 /* This has been allocated by ssl_handshake_init(), called by
5298 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5299 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5300 ssl->transform = ssl->transform_negotiate;
5301 ssl->transform_in = ssl->transform;
5302 ssl->transform_out = ssl->transform;
5303 ssl->transform_negotiate = NULL;
5304 #endif
5305
5306 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5307 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
5308 if (prf_func == NULL) {
5309 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5310 }
5311
5312 /* Read random bytes and populate structure */
5313 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
5314 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5315 }
5316
5317 ret = ssl_tls12_populate_transform(ssl->transform,
5318 ssl->session->ciphersuite,
5319 ssl->session->master,
5320 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
5321 ssl->session->encrypt_then_mac,
5322 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
5323 prf_func,
5324 p, /* currently pointing to randbytes */
5325 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
5326 ssl->conf->endpoint,
5327 ssl);
5328 if (ret != 0) {
5329 return ret;
5330 }
5331 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5332 p += sizeof(ssl->transform->randbytes);
5333
5334 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5335 /* Read connection IDs and store them */
5336 if ((size_t) (end - p) < 1) {
5337 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5338 }
5339
5340 ssl->transform->in_cid_len = *p++;
5341
5342 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
5343 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5344 }
5345
5346 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
5347 p += ssl->transform->in_cid_len;
5348
5349 ssl->transform->out_cid_len = *p++;
5350
5351 if ((size_t) (end - p) < ssl->transform->out_cid_len) {
5352 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5353 }
5354
5355 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
5356 p += ssl->transform->out_cid_len;
5357 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5358
5359 /*
5360 * Saved fields from top-level ssl_context structure
5361 */
5362 if ((size_t) (end - p) < 4) {
5363 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5364 }
5365
5366 ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
5367 p += 4;
5368
5369 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5370 if ((size_t) (end - p) < 16) {
5371 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5372 }
5373
5374 ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
5375 p += 8;
5376
5377 ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
5378 p += 8;
5379 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5380
5381 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5382 if ((size_t) (end - p) < 1) {
5383 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5384 }
5385
5386 ssl->disable_datagram_packing = *p++;
5387 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5388
5389 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
5390 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5391 }
5392 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
5393 p += sizeof(ssl->cur_out_ctr);
5394
5395 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5396 if ((size_t) (end - p) < 2) {
5397 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5398 }
5399
5400 ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0);
5401 p += 2;
5402 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5403
5404 #if defined(MBEDTLS_SSL_ALPN)
5405 {
5406 uint8_t alpn_len;
5407 const char **cur;
5408
5409 if ((size_t) (end - p) < 1) {
5410 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5411 }
5412
5413 alpn_len = *p++;
5414
5415 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
5416 /* alpn_chosen should point to an item in the configured list */
5417 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
5418 if (strlen(*cur) == alpn_len &&
5419 memcmp(p, *cur, alpn_len) == 0) {
5420 ssl->alpn_chosen = *cur;
5421 break;
5422 }
5423 }
5424 }
5425
5426 /* can only happen on conf mismatch */
5427 if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
5428 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5429 }
5430
5431 p += alpn_len;
5432 }
5433 #endif /* MBEDTLS_SSL_ALPN */
5434
5435 /*
5436 * Forced fields from top-level ssl_context structure
5437 *
5438 * Most of them already set to the correct value by mbedtls_ssl_init() and
5439 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
5440 */
5441 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
5442 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5443
5444 /* Adjust pointers for header fields of outgoing records to
5445 * the given transform, accounting for explicit IV and CID. */
5446 mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
5447
5448 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5449 ssl->in_epoch = 1;
5450 #endif
5451
5452 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
5453 * which we don't want - otherwise we'd end up freeing the wrong transform
5454 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
5455 * inappropriately. */
5456 if (ssl->handshake != NULL) {
5457 mbedtls_ssl_handshake_free(ssl);
5458 mbedtls_free(ssl->handshake);
5459 ssl->handshake = NULL;
5460 }
5461
5462 /*
5463 * Done - should have consumed entire buffer
5464 */
5465 if (p != end) {
5466 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5467 }
5468
5469 return 0;
5470 }
5471
5472 /*
5473 * Deserialize context: public wrapper for error cleaning
5474 */
mbedtls_ssl_context_load(mbedtls_ssl_context * context,const unsigned char * buf,size_t len)5475 int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
5476 const unsigned char *buf,
5477 size_t len)
5478 {
5479 int ret = ssl_context_load(context, buf, len);
5480
5481 if (ret != 0) {
5482 mbedtls_ssl_free(context);
5483 }
5484
5485 return ret;
5486 }
5487 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
5488
5489 /*
5490 * Free an SSL context
5491 */
mbedtls_ssl_free(mbedtls_ssl_context * ssl)5492 void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
5493 {
5494 if (ssl == NULL) {
5495 return;
5496 }
5497
5498 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
5499
5500 if (ssl->out_buf != NULL) {
5501 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5502 size_t out_buf_len = ssl->out_buf_len;
5503 #else
5504 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
5505 #endif
5506
5507 mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len);
5508 ssl->out_buf = NULL;
5509 }
5510
5511 if (ssl->in_buf != NULL) {
5512 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5513 size_t in_buf_len = ssl->in_buf_len;
5514 #else
5515 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
5516 #endif
5517
5518 mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len);
5519 ssl->in_buf = NULL;
5520 }
5521
5522 if (ssl->transform) {
5523 mbedtls_ssl_transform_free(ssl->transform);
5524 mbedtls_free(ssl->transform);
5525 }
5526
5527 if (ssl->handshake) {
5528 mbedtls_ssl_handshake_free(ssl);
5529 mbedtls_free(ssl->handshake);
5530
5531 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5532 mbedtls_ssl_transform_free(ssl->transform_negotiate);
5533 mbedtls_free(ssl->transform_negotiate);
5534 #endif
5535
5536 mbedtls_ssl_session_free(ssl->session_negotiate);
5537 mbedtls_free(ssl->session_negotiate);
5538 }
5539
5540 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5541 mbedtls_ssl_transform_free(ssl->transform_application);
5542 mbedtls_free(ssl->transform_application);
5543 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5544
5545 if (ssl->session) {
5546 mbedtls_ssl_session_free(ssl->session);
5547 mbedtls_free(ssl->session);
5548 }
5549
5550 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5551 if (ssl->hostname != NULL) {
5552 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
5553 }
5554 #endif
5555
5556 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5557 mbedtls_free(ssl->cli_id);
5558 #endif
5559
5560 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
5561
5562 /* Actually clear after last debug message */
5563 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
5564 }
5565
5566 /*
5567 * Initialize mbedtls_ssl_config
5568 */
mbedtls_ssl_config_init(mbedtls_ssl_config * conf)5569 void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
5570 {
5571 memset(conf, 0, sizeof(mbedtls_ssl_config));
5572 }
5573
5574 /* The selection should be the same as mbedtls_x509_crt_profile_default in
5575 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
5576 * curves with a lower resource usage come first.
5577 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
5578 * about this list.
5579 */
5580 static const uint16_t ssl_preset_default_groups[] = {
5581 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
5582 MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
5583 #endif
5584 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5585 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5586 #endif
5587 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5588 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5589 #endif
5590 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
5591 MBEDTLS_SSL_IANA_TLS_GROUP_X448,
5592 #endif
5593 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
5594 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
5595 #endif
5596 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
5597 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
5598 #endif
5599 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
5600 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
5601 #endif
5602 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
5603 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
5604 #endif
5605 #if defined(PSA_WANT_ALG_FFDH)
5606 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
5607 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
5608 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
5609 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144,
5610 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192,
5611 #endif
5612 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5613 };
5614
5615 static const int ssl_preset_suiteb_ciphersuites[] = {
5616 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
5617 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
5618 0
5619 };
5620
5621 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5622
5623 /* NOTICE:
5624 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
5625 * rules SHOULD be upheld.
5626 * - No duplicate entries.
5627 * - But if there is a good reason, do not change the order of the algorithms.
5628 * - ssl_tls12_preset* is for TLS 1.2 use only.
5629 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
5630 */
5631 static const uint16_t ssl_preset_default_sig_algs[] = {
5632
5633 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5634 defined(MBEDTLS_MD_CAN_SHA256) && \
5635 defined(PSA_WANT_ECC_SECP_R1_256)
5636 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5637 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5638 #endif
5639
5640 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5641 defined(MBEDTLS_MD_CAN_SHA384) && \
5642 defined(PSA_WANT_ECC_SECP_R1_384)
5643 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5644 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5645 #endif
5646
5647 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5648 defined(MBEDTLS_MD_CAN_SHA512) && \
5649 defined(PSA_WANT_ECC_SECP_R1_521)
5650 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
5651 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
5652 #endif
5653
5654 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
5655 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5656 #endif
5657
5658 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384)
5659 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5660 #endif
5661
5662 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
5663 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5664 #endif
5665
5666 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
5667 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
5668 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
5669
5670 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
5671 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
5672 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
5673
5674 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
5675 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
5676 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
5677
5678 MBEDTLS_TLS_SIG_NONE
5679 };
5680
5681 /* NOTICE: see above */
5682 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5683 static uint16_t ssl_tls12_preset_default_sig_algs[] = {
5684
5685 #if defined(MBEDTLS_MD_CAN_SHA512)
5686 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5687 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
5688 #endif
5689 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5690 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5691 #endif
5692 #if defined(MBEDTLS_RSA_C)
5693 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
5694 #endif
5695 #endif /* MBEDTLS_MD_CAN_SHA512 */
5696
5697 #if defined(MBEDTLS_MD_CAN_SHA384)
5698 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5699 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5700 #endif
5701 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5702 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5703 #endif
5704 #if defined(MBEDTLS_RSA_C)
5705 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
5706 #endif
5707 #endif /* MBEDTLS_MD_CAN_SHA384 */
5708
5709 #if defined(MBEDTLS_MD_CAN_SHA256)
5710 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5711 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5712 #endif
5713 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5714 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5715 #endif
5716 #if defined(MBEDTLS_RSA_C)
5717 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
5718 #endif
5719 #endif /* MBEDTLS_MD_CAN_SHA256 */
5720
5721 MBEDTLS_TLS_SIG_NONE
5722 };
5723 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5724
5725 /* NOTICE: see above */
5726 static const uint16_t ssl_preset_suiteb_sig_algs[] = {
5727
5728 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5729 defined(MBEDTLS_MD_CAN_SHA256) && \
5730 defined(MBEDTLS_ECP_HAVE_SECP256R1)
5731 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5732 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5733 #endif
5734
5735 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5736 defined(MBEDTLS_MD_CAN_SHA384) && \
5737 defined(MBEDTLS_ECP_HAVE_SECP384R1)
5738 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5739 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5740 #endif
5741
5742 MBEDTLS_TLS_SIG_NONE
5743 };
5744
5745 /* NOTICE: see above */
5746 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5747 static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
5748
5749 #if defined(MBEDTLS_MD_CAN_SHA256)
5750 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5751 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5752 #endif
5753 #endif /* MBEDTLS_MD_CAN_SHA256 */
5754
5755 #if defined(MBEDTLS_MD_CAN_SHA384)
5756 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5757 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5758 #endif
5759 #endif /* MBEDTLS_MD_CAN_SHA384 */
5760
5761 MBEDTLS_TLS_SIG_NONE
5762 };
5763 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5764
5765 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5766
5767 static const uint16_t ssl_preset_suiteb_groups[] = {
5768 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5769 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5770 #endif
5771 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5772 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5773 #endif
5774 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5775 };
5776
5777 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5778 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
5779 * to make sure there are no duplicated signature algorithm entries. */
5780 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_no_sig_alg_duplication(const uint16_t * sig_algs)5781 static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
5782 {
5783 size_t i, j;
5784 int ret = 0;
5785
5786 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
5787 for (j = 0; j < i; j++) {
5788 if (sig_algs[i] != sig_algs[j]) {
5789 continue;
5790 }
5791 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
5792 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
5793 sig_algs[i], j, i);
5794 ret = -1;
5795 }
5796 }
5797 return ret;
5798 }
5799
5800 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5801
5802 /*
5803 * Load default in mbedtls_ssl_config
5804 */
mbedtls_ssl_config_defaults(mbedtls_ssl_config * conf,int endpoint,int transport,int preset)5805 int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
5806 int endpoint, int transport, int preset)
5807 {
5808 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5809 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5810 #endif
5811
5812 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5813 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
5814 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
5815 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5816 }
5817
5818 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
5819 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
5820 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5821 }
5822
5823 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5824 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
5825 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
5826 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5827 }
5828
5829 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
5830 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
5831 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5832 }
5833 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5834 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5835
5836 /* Use the functions here so that they are covered in tests,
5837 * but otherwise access member directly for efficiency */
5838 mbedtls_ssl_conf_endpoint(conf, endpoint);
5839 mbedtls_ssl_conf_transport(conf, transport);
5840
5841 /*
5842 * Things that are common to all presets
5843 */
5844 #if defined(MBEDTLS_SSL_CLI_C)
5845 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
5846 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
5847 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
5848 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
5849 #endif
5850 }
5851 #endif
5852
5853 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5854 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
5855 #endif
5856
5857 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
5858 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
5859 #endif
5860
5861 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5862 conf->f_cookie_write = ssl_cookie_write_dummy;
5863 conf->f_cookie_check = ssl_cookie_check_dummy;
5864 #endif
5865
5866 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5867 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
5868 #endif
5869
5870 #if defined(MBEDTLS_SSL_SRV_C)
5871 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
5872 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
5873 #endif
5874
5875 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5876 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
5877 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
5878 #endif
5879
5880 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5881 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
5882 memset(conf->renego_period, 0x00, 2);
5883 memset(conf->renego_period + 2, 0xFF, 6);
5884 #endif
5885
5886 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5887 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
5888 const unsigned char dhm_p[] =
5889 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
5890 const unsigned char dhm_g[] =
5891 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
5892
5893 if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
5894 dhm_p, sizeof(dhm_p),
5895 dhm_g, sizeof(dhm_g))) != 0) {
5896 return ret;
5897 }
5898 }
5899 #endif
5900
5901 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5902
5903 #if defined(MBEDTLS_SSL_EARLY_DATA)
5904 mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
5905 #if defined(MBEDTLS_SSL_SRV_C)
5906 mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
5907 #endif
5908 #endif /* MBEDTLS_SSL_EARLY_DATA */
5909
5910 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
5911 mbedtls_ssl_conf_new_session_tickets(
5912 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS);
5913 #endif
5914 /*
5915 * Allow all TLS 1.3 key exchange modes by default.
5916 */
5917 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
5918 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5919
5920 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5921 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5922 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5923 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5924 #else
5925 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5926 #endif
5927 } else {
5928 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
5929 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5930 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5931 #elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
5932 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5933 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5934 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
5935 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5936 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5937 #else
5938 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5939 #endif
5940 }
5941
5942 /*
5943 * Preset-specific defaults
5944 */
5945 switch (preset) {
5946 /*
5947 * NSA Suite B
5948 */
5949 case MBEDTLS_SSL_PRESET_SUITEB:
5950
5951 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
5952
5953 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5954 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
5955 #endif
5956
5957 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5958 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5959 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
5960 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
5961 } else
5962 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5963 conf->sig_algs = ssl_preset_suiteb_sig_algs;
5964 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5965
5966 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
5967 conf->curve_list = NULL;
5968 #endif
5969 conf->group_list = ssl_preset_suiteb_groups;
5970 break;
5971
5972 /*
5973 * Default
5974 */
5975 default:
5976
5977 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
5978
5979 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5980 conf->cert_profile = &mbedtls_x509_crt_profile_default;
5981 #endif
5982
5983 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5984 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5985 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
5986 conf->sig_algs = ssl_tls12_preset_default_sig_algs;
5987 } else
5988 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5989 conf->sig_algs = ssl_preset_default_sig_algs;
5990 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5991
5992 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
5993 conf->curve_list = NULL;
5994 #endif
5995 conf->group_list = ssl_preset_default_groups;
5996
5997 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
5998 conf->dhm_min_bitlen = 1024;
5999 #endif
6000 }
6001
6002 return 0;
6003 }
6004
6005 /*
6006 * Free mbedtls_ssl_config
6007 */
mbedtls_ssl_config_free(mbedtls_ssl_config * conf)6008 void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
6009 {
6010 #if defined(MBEDTLS_DHM_C)
6011 mbedtls_mpi_free(&conf->dhm_P);
6012 mbedtls_mpi_free(&conf->dhm_G);
6013 #endif
6014
6015 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
6016 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6017 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
6018 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
6019 }
6020 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6021 if (conf->psk != NULL) {
6022 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
6023 conf->psk = NULL;
6024 conf->psk_len = 0;
6025 }
6026
6027 if (conf->psk_identity != NULL) {
6028 mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len);
6029 conf->psk_identity = NULL;
6030 conf->psk_identity_len = 0;
6031 }
6032 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
6033
6034 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6035 ssl_key_cert_free(conf->key_cert);
6036 #endif
6037
6038 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
6039 }
6040
6041 #if defined(MBEDTLS_PK_C) && \
6042 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
6043 /*
6044 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
6045 */
mbedtls_ssl_sig_from_pk(mbedtls_pk_context * pk)6046 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
6047 {
6048 #if defined(MBEDTLS_RSA_C)
6049 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
6050 return MBEDTLS_SSL_SIG_RSA;
6051 }
6052 #endif
6053 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6054 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
6055 return MBEDTLS_SSL_SIG_ECDSA;
6056 }
6057 #endif
6058 return MBEDTLS_SSL_SIG_ANON;
6059 }
6060
mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)6061 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
6062 {
6063 switch (type) {
6064 case MBEDTLS_PK_RSA:
6065 return MBEDTLS_SSL_SIG_RSA;
6066 case MBEDTLS_PK_ECDSA:
6067 case MBEDTLS_PK_ECKEY:
6068 return MBEDTLS_SSL_SIG_ECDSA;
6069 default:
6070 return MBEDTLS_SSL_SIG_ANON;
6071 }
6072 }
6073
mbedtls_ssl_pk_alg_from_sig(unsigned char sig)6074 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
6075 {
6076 switch (sig) {
6077 #if defined(MBEDTLS_RSA_C)
6078 case MBEDTLS_SSL_SIG_RSA:
6079 return MBEDTLS_PK_RSA;
6080 #endif
6081 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6082 case MBEDTLS_SSL_SIG_ECDSA:
6083 return MBEDTLS_PK_ECDSA;
6084 #endif
6085 default:
6086 return MBEDTLS_PK_NONE;
6087 }
6088 }
6089 #endif /* MBEDTLS_PK_C &&
6090 ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
6091
6092 /*
6093 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
6094 */
mbedtls_ssl_md_alg_from_hash(unsigned char hash)6095 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
6096 {
6097 switch (hash) {
6098 #if defined(MBEDTLS_MD_CAN_MD5)
6099 case MBEDTLS_SSL_HASH_MD5:
6100 return MBEDTLS_MD_MD5;
6101 #endif
6102 #if defined(MBEDTLS_MD_CAN_SHA1)
6103 case MBEDTLS_SSL_HASH_SHA1:
6104 return MBEDTLS_MD_SHA1;
6105 #endif
6106 #if defined(MBEDTLS_MD_CAN_SHA224)
6107 case MBEDTLS_SSL_HASH_SHA224:
6108 return MBEDTLS_MD_SHA224;
6109 #endif
6110 #if defined(MBEDTLS_MD_CAN_SHA256)
6111 case MBEDTLS_SSL_HASH_SHA256:
6112 return MBEDTLS_MD_SHA256;
6113 #endif
6114 #if defined(MBEDTLS_MD_CAN_SHA384)
6115 case MBEDTLS_SSL_HASH_SHA384:
6116 return MBEDTLS_MD_SHA384;
6117 #endif
6118 #if defined(MBEDTLS_MD_CAN_SHA512)
6119 case MBEDTLS_SSL_HASH_SHA512:
6120 return MBEDTLS_MD_SHA512;
6121 #endif
6122 default:
6123 return MBEDTLS_MD_NONE;
6124 }
6125 }
6126
6127 /*
6128 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
6129 */
mbedtls_ssl_hash_from_md_alg(int md)6130 unsigned char mbedtls_ssl_hash_from_md_alg(int md)
6131 {
6132 switch (md) {
6133 #if defined(MBEDTLS_MD_CAN_MD5)
6134 case MBEDTLS_MD_MD5:
6135 return MBEDTLS_SSL_HASH_MD5;
6136 #endif
6137 #if defined(MBEDTLS_MD_CAN_SHA1)
6138 case MBEDTLS_MD_SHA1:
6139 return MBEDTLS_SSL_HASH_SHA1;
6140 #endif
6141 #if defined(MBEDTLS_MD_CAN_SHA224)
6142 case MBEDTLS_MD_SHA224:
6143 return MBEDTLS_SSL_HASH_SHA224;
6144 #endif
6145 #if defined(MBEDTLS_MD_CAN_SHA256)
6146 case MBEDTLS_MD_SHA256:
6147 return MBEDTLS_SSL_HASH_SHA256;
6148 #endif
6149 #if defined(MBEDTLS_MD_CAN_SHA384)
6150 case MBEDTLS_MD_SHA384:
6151 return MBEDTLS_SSL_HASH_SHA384;
6152 #endif
6153 #if defined(MBEDTLS_MD_CAN_SHA512)
6154 case MBEDTLS_MD_SHA512:
6155 return MBEDTLS_SSL_HASH_SHA512;
6156 #endif
6157 default:
6158 return MBEDTLS_SSL_HASH_NONE;
6159 }
6160 }
6161
6162 /*
6163 * Check if a curve proposed by the peer is in our list.
6164 * Return 0 if we're willing to use it, -1 otherwise.
6165 */
mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context * ssl,uint16_t tls_id)6166 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id)
6167 {
6168 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
6169
6170 if (group_list == NULL) {
6171 return -1;
6172 }
6173
6174 for (; *group_list != 0; group_list++) {
6175 if (*group_list == tls_id) {
6176 return 0;
6177 }
6178 }
6179
6180 return -1;
6181 }
6182
6183 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
6184 /*
6185 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
6186 */
mbedtls_ssl_check_curve(const mbedtls_ssl_context * ssl,mbedtls_ecp_group_id grp_id)6187 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
6188 {
6189 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
6190
6191 if (tls_id == 0) {
6192 return -1;
6193 }
6194
6195 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
6196 }
6197 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
6198
6199 static const struct {
6200 uint16_t tls_id;
6201 mbedtls_ecp_group_id ecp_group_id;
6202 psa_ecc_family_t psa_family;
6203 uint16_t bits;
6204 } tls_id_match_table[] =
6205 {
6206 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
6207 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
6208 #endif
6209 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
6210 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
6211 #endif
6212 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
6213 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
6214 #endif
6215 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
6216 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
6217 #endif
6218 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
6219 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
6220 #endif
6221 #if defined(MBEDTLS_ECP_HAVE_SECP256K1)
6222 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
6223 #endif
6224 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
6225 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
6226 #endif
6227 #if defined(MBEDTLS_ECP_HAVE_SECP224R1)
6228 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
6229 #endif
6230 #if defined(MBEDTLS_ECP_HAVE_SECP224K1)
6231 { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
6232 #endif
6233 #if defined(MBEDTLS_ECP_HAVE_SECP192R1)
6234 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
6235 #endif
6236 #if defined(MBEDTLS_ECP_HAVE_SECP192K1)
6237 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
6238 #endif
6239 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
6240 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
6241 #endif
6242 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
6243 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
6244 #endif
6245 { 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
6246 };
6247
mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,psa_key_type_t * type,size_t * bits)6248 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
6249 psa_key_type_t *type,
6250 size_t *bits)
6251 {
6252 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
6253 if (tls_id_match_table[i].tls_id == tls_id) {
6254 if (type != NULL) {
6255 *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
6256 }
6257 if (bits != NULL) {
6258 *bits = tls_id_match_table[i].bits;
6259 }
6260 return PSA_SUCCESS;
6261 }
6262 }
6263
6264 return PSA_ERROR_NOT_SUPPORTED;
6265 }
6266
mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)6267 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
6268 {
6269 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
6270 if (tls_id_match_table[i].tls_id == tls_id) {
6271 return tls_id_match_table[i].ecp_group_id;
6272 }
6273 }
6274
6275 return MBEDTLS_ECP_DP_NONE;
6276 }
6277
mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)6278 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
6279 {
6280 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
6281 i++) {
6282 if (tls_id_match_table[i].ecp_group_id == grp_id) {
6283 return tls_id_match_table[i].tls_id;
6284 }
6285 }
6286
6287 return 0;
6288 }
6289
6290 #if defined(MBEDTLS_DEBUG_C)
6291 static const struct {
6292 uint16_t tls_id;
6293 const char *name;
6294 } tls_id_curve_name_table[] =
6295 {
6296 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },
6297 { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },
6298 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },
6299 { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },
6300 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
6301 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
6302 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
6303 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
6304 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
6305 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
6306 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
6307 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
6308 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
6309 { 0, NULL },
6310 };
6311
mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)6312 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
6313 {
6314 for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) {
6315 if (tls_id_curve_name_table[i].tls_id == tls_id) {
6316 return tls_id_curve_name_table[i].name;
6317 }
6318 }
6319
6320 return NULL;
6321 }
6322 #endif
6323
6324 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)6325 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
6326 const mbedtls_md_type_t md,
6327 unsigned char *dst,
6328 size_t dst_len,
6329 size_t *olen)
6330 {
6331 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6332 psa_hash_operation_t *hash_operation_to_clone;
6333 psa_hash_operation_t hash_operation = psa_hash_operation_init();
6334
6335 *olen = 0;
6336
6337 switch (md) {
6338 #if defined(MBEDTLS_MD_CAN_SHA384)
6339 case MBEDTLS_MD_SHA384:
6340 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
6341 break;
6342 #endif
6343
6344 #if defined(MBEDTLS_MD_CAN_SHA256)
6345 case MBEDTLS_MD_SHA256:
6346 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
6347 break;
6348 #endif
6349
6350 default:
6351 goto exit;
6352 }
6353
6354 status = psa_hash_clone(hash_operation_to_clone, &hash_operation);
6355 if (status != PSA_SUCCESS) {
6356 goto exit;
6357 }
6358
6359 status = psa_hash_finish(&hash_operation, dst, dst_len, olen);
6360 if (status != PSA_SUCCESS) {
6361 goto exit;
6362 }
6363
6364 exit:
6365 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
6366 !defined(MBEDTLS_MD_CAN_SHA256)
6367 (void) ssl;
6368 #endif
6369 return PSA_TO_MBEDTLS_ERR(status);
6370 }
6371 #else /* MBEDTLS_USE_PSA_CRYPTO */
6372
6373 #if defined(MBEDTLS_MD_CAN_SHA384)
6374 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha384(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)6375 static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl,
6376 unsigned char *dst,
6377 size_t dst_len,
6378 size_t *olen)
6379 {
6380 int ret;
6381 mbedtls_md_context_t sha384;
6382
6383 if (dst_len < 48) {
6384 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6385 }
6386
6387 mbedtls_md_init(&sha384);
6388 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
6389 if (ret != 0) {
6390 goto exit;
6391 }
6392 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
6393 if (ret != 0) {
6394 goto exit;
6395 }
6396
6397 if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) {
6398 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
6399 goto exit;
6400 }
6401
6402 *olen = 48;
6403
6404 exit:
6405
6406 mbedtls_md_free(&sha384);
6407 return ret;
6408 }
6409 #endif /* MBEDTLS_MD_CAN_SHA384 */
6410
6411 #if defined(MBEDTLS_MD_CAN_SHA256)
6412 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha256(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)6413 static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl,
6414 unsigned char *dst,
6415 size_t dst_len,
6416 size_t *olen)
6417 {
6418 int ret;
6419 mbedtls_md_context_t sha256;
6420
6421 if (dst_len < 32) {
6422 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6423 }
6424
6425 mbedtls_md_init(&sha256);
6426 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
6427 if (ret != 0) {
6428 goto exit;
6429 }
6430 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
6431 if (ret != 0) {
6432 goto exit;
6433 }
6434
6435 if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) {
6436 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
6437 goto exit;
6438 }
6439
6440 *olen = 32;
6441
6442 exit:
6443
6444 mbedtls_md_free(&sha256);
6445 return ret;
6446 }
6447 #endif /* MBEDTLS_MD_CAN_SHA256 */
6448
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)6449 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
6450 const mbedtls_md_type_t md,
6451 unsigned char *dst,
6452 size_t dst_len,
6453 size_t *olen)
6454 {
6455 switch (md) {
6456
6457 #if defined(MBEDTLS_MD_CAN_SHA384)
6458 case MBEDTLS_MD_SHA384:
6459 return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen);
6460 #endif /* MBEDTLS_MD_CAN_SHA384*/
6461
6462 #if defined(MBEDTLS_MD_CAN_SHA256)
6463 case MBEDTLS_MD_SHA256:
6464 return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen);
6465 #endif /* MBEDTLS_MD_CAN_SHA256*/
6466
6467 default:
6468 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
6469 !defined(MBEDTLS_MD_CAN_SHA256)
6470 (void) ssl;
6471 (void) dst;
6472 (void) dst_len;
6473 (void) olen;
6474 #endif
6475 break;
6476 }
6477 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6478 }
6479
6480 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
6481
6482 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6483 /* mbedtls_ssl_parse_sig_alg_ext()
6484 *
6485 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
6486 * value (TLS 1.3 RFC8446):
6487 * enum {
6488 * ....
6489 * ecdsa_secp256r1_sha256( 0x0403 ),
6490 * ecdsa_secp384r1_sha384( 0x0503 ),
6491 * ecdsa_secp521r1_sha512( 0x0603 ),
6492 * ....
6493 * } SignatureScheme;
6494 *
6495 * struct {
6496 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
6497 * } SignatureSchemeList;
6498 *
6499 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
6500 * value (TLS 1.2 RFC5246):
6501 * enum {
6502 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
6503 * sha512(6), (255)
6504 * } HashAlgorithm;
6505 *
6506 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
6507 * SignatureAlgorithm;
6508 *
6509 * struct {
6510 * HashAlgorithm hash;
6511 * SignatureAlgorithm signature;
6512 * } SignatureAndHashAlgorithm;
6513 *
6514 * SignatureAndHashAlgorithm
6515 * supported_signature_algorithms<2..2^16-2>;
6516 *
6517 * The TLS 1.3 signature algorithm extension was defined to be a compatible
6518 * generalization of the TLS 1.2 signature algorithm extension.
6519 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
6520 * `SignatureScheme` field of TLS 1.3
6521 *
6522 */
mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)6523 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
6524 const unsigned char *buf,
6525 const unsigned char *end)
6526 {
6527 const unsigned char *p = buf;
6528 size_t supported_sig_algs_len = 0;
6529 const unsigned char *supported_sig_algs_end;
6530 uint16_t sig_alg;
6531 uint32_t common_idx = 0;
6532
6533 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
6534 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0);
6535 p += 2;
6536
6537 memset(ssl->handshake->received_sig_algs, 0,
6538 sizeof(ssl->handshake->received_sig_algs));
6539
6540 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len);
6541 supported_sig_algs_end = p + supported_sig_algs_len;
6542 while (p < supported_sig_algs_end) {
6543 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2);
6544 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
6545 p += 2;
6546 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s",
6547 sig_alg,
6548 mbedtls_ssl_sig_alg_to_str(sig_alg)));
6549 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6550 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
6551 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) &&
6552 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) {
6553 continue;
6554 }
6555 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6556
6557 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s",
6558 mbedtls_ssl_sig_alg_to_str(sig_alg)));
6559
6560 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) {
6561 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
6562 common_idx += 1;
6563 }
6564 }
6565 /* Check that we consumed all the message. */
6566 if (p != end) {
6567 MBEDTLS_SSL_DEBUG_MSG(1,
6568 ("Signature algorithms extension length misaligned"));
6569 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
6570 MBEDTLS_ERR_SSL_DECODE_ERROR);
6571 return MBEDTLS_ERR_SSL_DECODE_ERROR;
6572 }
6573
6574 if (common_idx == 0) {
6575 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common"));
6576 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
6577 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
6578 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
6579 }
6580
6581 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
6582 return 0;
6583 }
6584
6585 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6586
6587 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6588
6589 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6590
setup_psa_key_derivation(psa_key_derivation_operation_t * derivation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,const unsigned char * raw_psk,size_t raw_psk_length,const unsigned char * seed,size_t seed_length,const unsigned char * label,size_t label_length,const unsigned char * other_secret,size_t other_secret_length,size_t capacity)6591 static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
6592 mbedtls_svc_key_id_t key,
6593 psa_algorithm_t alg,
6594 const unsigned char *raw_psk, size_t raw_psk_length,
6595 const unsigned char *seed, size_t seed_length,
6596 const unsigned char *label, size_t label_length,
6597 const unsigned char *other_secret,
6598 size_t other_secret_length,
6599 size_t capacity)
6600 {
6601 psa_status_t status;
6602
6603 status = psa_key_derivation_setup(derivation, alg);
6604 if (status != PSA_SUCCESS) {
6605 return status;
6606 }
6607
6608 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
6609 status = psa_key_derivation_input_bytes(derivation,
6610 PSA_KEY_DERIVATION_INPUT_SEED,
6611 seed, seed_length);
6612 if (status != PSA_SUCCESS) {
6613 return status;
6614 }
6615
6616 if (other_secret != NULL) {
6617 status = psa_key_derivation_input_bytes(derivation,
6618 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
6619 other_secret, other_secret_length);
6620 if (status != PSA_SUCCESS) {
6621 return status;
6622 }
6623 }
6624
6625 if (mbedtls_svc_key_id_is_null(key)) {
6626 status = psa_key_derivation_input_bytes(
6627 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
6628 raw_psk, raw_psk_length);
6629 } else {
6630 status = psa_key_derivation_input_key(
6631 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
6632 }
6633 if (status != PSA_SUCCESS) {
6634 return status;
6635 }
6636
6637 status = psa_key_derivation_input_bytes(derivation,
6638 PSA_KEY_DERIVATION_INPUT_LABEL,
6639 label, label_length);
6640 if (status != PSA_SUCCESS) {
6641 return status;
6642 }
6643 } else {
6644 return PSA_ERROR_NOT_SUPPORTED;
6645 }
6646
6647 status = psa_key_derivation_set_capacity(derivation, capacity);
6648 if (status != PSA_SUCCESS) {
6649 return status;
6650 }
6651
6652 return PSA_SUCCESS;
6653 }
6654
6655 #if defined(PSA_WANT_ALG_SHA_384) || \
6656 defined(PSA_WANT_ALG_SHA_256)
6657 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6658 static int tls_prf_generic(mbedtls_md_type_t md_type,
6659 const unsigned char *secret, size_t slen,
6660 const char *label,
6661 const unsigned char *random, size_t rlen,
6662 unsigned char *dstbuf, size_t dlen)
6663 {
6664 psa_status_t status;
6665 psa_algorithm_t alg;
6666 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
6667 psa_key_derivation_operation_t derivation =
6668 PSA_KEY_DERIVATION_OPERATION_INIT;
6669
6670 if (md_type == MBEDTLS_MD_SHA384) {
6671 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
6672 } else {
6673 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
6674 }
6675
6676 /* Normally a "secret" should be long enough to be impossible to
6677 * find by brute force, and in particular should not be empty. But
6678 * this PRF is also used to derive an IV, in particular in EAP-TLS,
6679 * and for this use case it makes sense to have a 0-length "secret".
6680 * Since the key API doesn't allow importing a key of length 0,
6681 * keep master_key=0, which setup_psa_key_derivation() understands
6682 * to mean a 0-length "secret" input. */
6683 if (slen != 0) {
6684 psa_key_attributes_t key_attributes = psa_key_attributes_init();
6685 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
6686 psa_set_key_algorithm(&key_attributes, alg);
6687 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
6688
6689 status = psa_import_key(&key_attributes, secret, slen, &master_key);
6690 if (status != PSA_SUCCESS) {
6691 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6692 }
6693 }
6694
6695 status = setup_psa_key_derivation(&derivation,
6696 master_key, alg,
6697 NULL, 0,
6698 random, rlen,
6699 (unsigned char const *) label,
6700 (size_t) strlen(label),
6701 NULL, 0,
6702 dlen);
6703 if (status != PSA_SUCCESS) {
6704 psa_key_derivation_abort(&derivation);
6705 psa_destroy_key(master_key);
6706 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6707 }
6708
6709 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
6710 if (status != PSA_SUCCESS) {
6711 psa_key_derivation_abort(&derivation);
6712 psa_destroy_key(master_key);
6713 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6714 }
6715
6716 status = psa_key_derivation_abort(&derivation);
6717 if (status != PSA_SUCCESS) {
6718 psa_destroy_key(master_key);
6719 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6720 }
6721
6722 if (!mbedtls_svc_key_id_is_null(master_key)) {
6723 status = psa_destroy_key(master_key);
6724 }
6725 if (status != PSA_SUCCESS) {
6726 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6727 }
6728
6729 return 0;
6730 }
6731 #endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
6732 #else /* MBEDTLS_USE_PSA_CRYPTO */
6733
6734 #if defined(MBEDTLS_MD_C) && \
6735 (defined(MBEDTLS_MD_CAN_SHA256) || \
6736 defined(MBEDTLS_MD_CAN_SHA384))
6737 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6738 static int tls_prf_generic(mbedtls_md_type_t md_type,
6739 const unsigned char *secret, size_t slen,
6740 const char *label,
6741 const unsigned char *random, size_t rlen,
6742 unsigned char *dstbuf, size_t dlen)
6743 {
6744 size_t nb;
6745 size_t i, j, k, md_len;
6746 unsigned char *tmp;
6747 size_t tmp_len = 0;
6748 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
6749 const mbedtls_md_info_t *md_info;
6750 mbedtls_md_context_t md_ctx;
6751 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6752
6753 mbedtls_md_init(&md_ctx);
6754
6755 if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) {
6756 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6757 }
6758
6759 md_len = mbedtls_md_get_size(md_info);
6760
6761 tmp_len = md_len + strlen(label) + rlen;
6762 tmp = mbedtls_calloc(1, tmp_len);
6763 if (tmp == NULL) {
6764 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
6765 goto exit;
6766 }
6767
6768 nb = strlen(label);
6769 memcpy(tmp + md_len, label, nb);
6770 memcpy(tmp + md_len + nb, random, rlen);
6771 nb += rlen;
6772
6773 /*
6774 * Compute P_<hash>(secret, label + random)[0..dlen]
6775 */
6776 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
6777 goto exit;
6778 }
6779
6780 ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen);
6781 if (ret != 0) {
6782 goto exit;
6783 }
6784 ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb);
6785 if (ret != 0) {
6786 goto exit;
6787 }
6788 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6789 if (ret != 0) {
6790 goto exit;
6791 }
6792
6793 for (i = 0; i < dlen; i += md_len) {
6794 ret = mbedtls_md_hmac_reset(&md_ctx);
6795 if (ret != 0) {
6796 goto exit;
6797 }
6798 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb);
6799 if (ret != 0) {
6800 goto exit;
6801 }
6802 ret = mbedtls_md_hmac_finish(&md_ctx, h_i);
6803 if (ret != 0) {
6804 goto exit;
6805 }
6806
6807 ret = mbedtls_md_hmac_reset(&md_ctx);
6808 if (ret != 0) {
6809 goto exit;
6810 }
6811 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len);
6812 if (ret != 0) {
6813 goto exit;
6814 }
6815 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6816 if (ret != 0) {
6817 goto exit;
6818 }
6819
6820 k = (i + md_len > dlen) ? dlen % md_len : md_len;
6821
6822 for (j = 0; j < k; j++) {
6823 dstbuf[i + j] = h_i[j];
6824 }
6825 }
6826
6827 exit:
6828 mbedtls_md_free(&md_ctx);
6829
6830 if (tmp != NULL) {
6831 mbedtls_platform_zeroize(tmp, tmp_len);
6832 }
6833
6834 mbedtls_platform_zeroize(h_i, sizeof(h_i));
6835
6836 mbedtls_free(tmp);
6837
6838 return ret;
6839 }
6840 #endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */
6841 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6842
6843 #if defined(MBEDTLS_MD_CAN_SHA256)
6844 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha256(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6845 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
6846 const char *label,
6847 const unsigned char *random, size_t rlen,
6848 unsigned char *dstbuf, size_t dlen)
6849 {
6850 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
6851 label, random, rlen, dstbuf, dlen);
6852 }
6853 #endif /* MBEDTLS_MD_CAN_SHA256*/
6854
6855 #if defined(MBEDTLS_MD_CAN_SHA384)
6856 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha384(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6857 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
6858 const char *label,
6859 const unsigned char *random, size_t rlen,
6860 unsigned char *dstbuf, size_t dlen)
6861 {
6862 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
6863 label, random, rlen, dstbuf, dlen);
6864 }
6865 #endif /* MBEDTLS_MD_CAN_SHA384*/
6866
6867 /*
6868 * Set appropriate PRF function and other SSL / TLS1.2 functions
6869 *
6870 * Inputs:
6871 * - hash associated with the ciphersuite (only used by TLS 1.2)
6872 *
6873 * Outputs:
6874 * - the tls_prf, calc_verify and calc_finished members of handshake structure
6875 */
6876 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_set_handshake_prfs(mbedtls_ssl_handshake_params * handshake,mbedtls_md_type_t hash)6877 static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
6878 mbedtls_md_type_t hash)
6879 {
6880 #if defined(MBEDTLS_MD_CAN_SHA384)
6881 if (hash == MBEDTLS_MD_SHA384) {
6882 handshake->tls_prf = tls_prf_sha384;
6883 handshake->calc_verify = ssl_calc_verify_tls_sha384;
6884 handshake->calc_finished = ssl_calc_finished_tls_sha384;
6885 } else
6886 #endif
6887 #if defined(MBEDTLS_MD_CAN_SHA256)
6888 {
6889 (void) hash;
6890 handshake->tls_prf = tls_prf_sha256;
6891 handshake->calc_verify = ssl_calc_verify_tls_sha256;
6892 handshake->calc_finished = ssl_calc_finished_tls_sha256;
6893 }
6894 #else
6895 {
6896 (void) handshake;
6897 (void) hash;
6898 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6899 }
6900 #endif
6901
6902 return 0;
6903 }
6904
6905 /*
6906 * Compute master secret if needed
6907 *
6908 * Parameters:
6909 * [in/out] handshake
6910 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
6911 * (PSA-PSK) ciphersuite_info, psk_opaque
6912 * [out] premaster (cleared)
6913 * [out] master
6914 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
6915 * debug: conf->f_dbg, conf->p_dbg
6916 * EMS: passed to calc_verify (debug + session_negotiate)
6917 * PSA-PSA: conf
6918 */
6919 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_compute_master(mbedtls_ssl_handshake_params * handshake,unsigned char * master,const mbedtls_ssl_context * ssl)6920 static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
6921 unsigned char *master,
6922 const mbedtls_ssl_context *ssl)
6923 {
6924 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6925
6926 /* cf. RFC 5246, Section 8.1:
6927 * "The master secret is always exactly 48 bytes in length." */
6928 size_t const master_secret_len = 48;
6929
6930 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6931 unsigned char session_hash[48];
6932 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
6933
6934 /* The label for the KDF used for key expansion.
6935 * This is either "master secret" or "extended master secret"
6936 * depending on whether the Extended Master Secret extension
6937 * is used. */
6938 char const *lbl = "master secret";
6939
6940 /* The seed for the KDF used for key expansion.
6941 * - If the Extended Master Secret extension is not used,
6942 * this is ClientHello.Random + ServerHello.Random
6943 * (see Sect. 8.1 in RFC 5246).
6944 * - If the Extended Master Secret extension is used,
6945 * this is the transcript of the handshake so far.
6946 * (see Sect. 4 in RFC 7627). */
6947 unsigned char const *seed = handshake->randbytes;
6948 size_t seed_len = 64;
6949
6950 #if !defined(MBEDTLS_DEBUG_C) && \
6951 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
6952 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
6953 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
6954 ssl = NULL; /* make sure we don't use it except for those cases */
6955 (void) ssl;
6956 #endif
6957
6958 if (handshake->resume != 0) {
6959 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
6960 return 0;
6961 }
6962
6963 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6964 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
6965 lbl = "extended master secret";
6966 seed = session_hash;
6967 ret = handshake->calc_verify(ssl, session_hash, &seed_len);
6968 if (ret != 0) {
6969 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
6970 }
6971
6972 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
6973 session_hash, seed_len);
6974 }
6975 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
6976
6977 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
6978 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
6979 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) {
6980 /* Perform PSK-to-MS expansion in a single step. */
6981 psa_status_t status;
6982 psa_algorithm_t alg;
6983 mbedtls_svc_key_id_t psk;
6984 psa_key_derivation_operation_t derivation =
6985 PSA_KEY_DERIVATION_OPERATION_INIT;
6986 mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
6987
6988 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
6989
6990 psk = mbedtls_ssl_get_opaque_psk(ssl);
6991
6992 if (hash_alg == MBEDTLS_MD_SHA384) {
6993 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
6994 } else {
6995 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
6996 }
6997
6998 size_t other_secret_len = 0;
6999 unsigned char *other_secret = NULL;
7000
7001 switch (handshake->ciphersuite_info->key_exchange) {
7002 /* Provide other secret.
7003 * Other secret is stored in premaster, where first 2 bytes hold the
7004 * length of the other key.
7005 */
7006 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
7007 /* For RSA-PSK other key length is always 48 bytes. */
7008 other_secret_len = 48;
7009 other_secret = handshake->premaster + 2;
7010 break;
7011 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
7012 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
7013 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
7014 other_secret = handshake->premaster + 2;
7015 break;
7016 default:
7017 break;
7018 }
7019
7020 status = setup_psa_key_derivation(&derivation, psk, alg,
7021 ssl->conf->psk, ssl->conf->psk_len,
7022 seed, seed_len,
7023 (unsigned char const *) lbl,
7024 (size_t) strlen(lbl),
7025 other_secret, other_secret_len,
7026 master_secret_len);
7027 if (status != PSA_SUCCESS) {
7028 psa_key_derivation_abort(&derivation);
7029 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7030 }
7031
7032 status = psa_key_derivation_output_bytes(&derivation,
7033 master,
7034 master_secret_len);
7035 if (status != PSA_SUCCESS) {
7036 psa_key_derivation_abort(&derivation);
7037 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7038 }
7039
7040 status = psa_key_derivation_abort(&derivation);
7041 if (status != PSA_SUCCESS) {
7042 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7043 }
7044 } else
7045 #endif
7046 {
7047 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
7048 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
7049 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
7050 psa_status_t status;
7051 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
7052 psa_key_derivation_operation_t derivation =
7053 PSA_KEY_DERIVATION_OPERATION_INIT;
7054
7055 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE"));
7056
7057 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
7058
7059 status = psa_key_derivation_setup(&derivation, alg);
7060 if (status != PSA_SUCCESS) {
7061 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7062 }
7063
7064 status = psa_key_derivation_set_capacity(&derivation,
7065 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
7066 if (status != PSA_SUCCESS) {
7067 psa_key_derivation_abort(&derivation);
7068 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7069 }
7070
7071 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx,
7072 &derivation);
7073 if (status != PSA_SUCCESS) {
7074 psa_key_derivation_abort(&derivation);
7075 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7076 }
7077
7078 status = psa_key_derivation_output_bytes(&derivation,
7079 handshake->premaster,
7080 handshake->pmslen);
7081 if (status != PSA_SUCCESS) {
7082 psa_key_derivation_abort(&derivation);
7083 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7084 }
7085
7086 status = psa_key_derivation_abort(&derivation);
7087 if (status != PSA_SUCCESS) {
7088 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7089 }
7090 }
7091 #endif
7092 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
7093 lbl, seed, seed_len,
7094 master,
7095 master_secret_len);
7096 if (ret != 0) {
7097 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
7098 return ret;
7099 }
7100
7101 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
7102 handshake->premaster,
7103 handshake->pmslen);
7104
7105 mbedtls_platform_zeroize(handshake->premaster,
7106 sizeof(handshake->premaster));
7107 }
7108
7109 return 0;
7110 }
7111
mbedtls_ssl_derive_keys(mbedtls_ssl_context * ssl)7112 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
7113 {
7114 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7115 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
7116 ssl->handshake->ciphersuite_info;
7117
7118 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
7119
7120 /* Set PRF, calc_verify and calc_finished function pointers */
7121 ret = ssl_set_handshake_prfs(ssl->handshake,
7122 (mbedtls_md_type_t) ciphersuite_info->mac);
7123 if (ret != 0) {
7124 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
7125 return ret;
7126 }
7127
7128 /* Compute master secret if needed */
7129 ret = ssl_compute_master(ssl->handshake,
7130 ssl->session_negotiate->master,
7131 ssl);
7132 if (ret != 0) {
7133 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
7134 return ret;
7135 }
7136
7137 /* Swap the client and server random values:
7138 * - MS derivation wanted client+server (RFC 5246 8.1)
7139 * - key derivation wants server+client (RFC 5246 6.3) */
7140 {
7141 unsigned char tmp[64];
7142 memcpy(tmp, ssl->handshake->randbytes, 64);
7143 memcpy(ssl->handshake->randbytes, tmp + 32, 32);
7144 memcpy(ssl->handshake->randbytes + 32, tmp, 32);
7145 mbedtls_platform_zeroize(tmp, sizeof(tmp));
7146 }
7147
7148 /* Populate transform structure */
7149 ret = ssl_tls12_populate_transform(ssl->transform_negotiate,
7150 ssl->session_negotiate->ciphersuite,
7151 ssl->session_negotiate->master,
7152 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
7153 ssl->session_negotiate->encrypt_then_mac,
7154 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
7155 ssl->handshake->tls_prf,
7156 ssl->handshake->randbytes,
7157 ssl->tls_version,
7158 ssl->conf->endpoint,
7159 ssl);
7160 if (ret != 0) {
7161 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret);
7162 return ret;
7163 }
7164
7165 /* We no longer need Server/ClientHello.random values */
7166 mbedtls_platform_zeroize(ssl->handshake->randbytes,
7167 sizeof(ssl->handshake->randbytes));
7168
7169 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
7170
7171 return 0;
7172 }
7173
mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context * ssl,int md)7174 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
7175 {
7176 switch (md) {
7177 #if defined(MBEDTLS_MD_CAN_SHA384)
7178 case MBEDTLS_SSL_HASH_SHA384:
7179 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
7180 break;
7181 #endif
7182 #if defined(MBEDTLS_MD_CAN_SHA256)
7183 case MBEDTLS_SSL_HASH_SHA256:
7184 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
7185 break;
7186 #endif
7187 default:
7188 return -1;
7189 }
7190 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
7191 !defined(MBEDTLS_MD_CAN_SHA256)
7192 (void) ssl;
7193 #endif
7194 return 0;
7195 }
7196
7197 #if defined(MBEDTLS_USE_PSA_CRYPTO)
ssl_calc_verify_tls_psa(const mbedtls_ssl_context * ssl,const psa_hash_operation_t * hs_op,size_t buffer_size,unsigned char * hash,size_t * hlen)7198 static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
7199 const psa_hash_operation_t *hs_op,
7200 size_t buffer_size,
7201 unsigned char *hash,
7202 size_t *hlen)
7203 {
7204 psa_status_t status;
7205 psa_hash_operation_t cloned_op = psa_hash_operation_init();
7206
7207 #if !defined(MBEDTLS_DEBUG_C)
7208 (void) ssl;
7209 #endif
7210 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
7211 status = psa_hash_clone(hs_op, &cloned_op);
7212 if (status != PSA_SUCCESS) {
7213 goto exit;
7214 }
7215
7216 status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
7217 if (status != PSA_SUCCESS) {
7218 goto exit;
7219 }
7220
7221 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
7222 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
7223
7224 exit:
7225 psa_hash_abort(&cloned_op);
7226 return mbedtls_md_error_from_psa(status);
7227 }
7228 #else
ssl_calc_verify_tls_legacy(const mbedtls_ssl_context * ssl,const mbedtls_md_context_t * hs_ctx,unsigned char * hash,size_t * hlen)7229 static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl,
7230 const mbedtls_md_context_t *hs_ctx,
7231 unsigned char *hash,
7232 size_t *hlen)
7233 {
7234 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7235 mbedtls_md_context_t cloned_ctx;
7236
7237 mbedtls_md_init(&cloned_ctx);
7238
7239 #if !defined(MBEDTLS_DEBUG_C)
7240 (void) ssl;
7241 #endif
7242 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify"));
7243
7244 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
7245 if (ret != 0) {
7246 goto exit;
7247 }
7248 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
7249 if (ret != 0) {
7250 goto exit;
7251 }
7252
7253 ret = mbedtls_md_finish(&cloned_ctx, hash);
7254 if (ret != 0) {
7255 goto exit;
7256 }
7257
7258 *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx));
7259
7260 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
7261 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
7262
7263 exit:
7264 mbedtls_md_free(&cloned_ctx);
7265 return ret;
7266 }
7267 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7268
7269 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_calc_verify_tls_sha256(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)7270 int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
7271 unsigned char *hash,
7272 size_t *hlen)
7273 {
7274 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7275 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
7276 hash, hlen);
7277 #else
7278 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256,
7279 hash, hlen);
7280 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7281 }
7282 #endif /* MBEDTLS_MD_CAN_SHA256 */
7283
7284 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_calc_verify_tls_sha384(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)7285 int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
7286 unsigned char *hash,
7287 size_t *hlen)
7288 {
7289 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7290 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
7291 hash, hlen);
7292 #else
7293 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384,
7294 hash, hlen);
7295 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7296 }
7297 #endif /* MBEDTLS_MD_CAN_SHA384 */
7298
7299 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
7300 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context * ssl,mbedtls_key_exchange_type_t key_ex)7301 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex)
7302 {
7303 unsigned char *p = ssl->handshake->premaster;
7304 unsigned char *end = p + sizeof(ssl->handshake->premaster);
7305 const unsigned char *psk = NULL;
7306 size_t psk_len = 0;
7307 int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len);
7308
7309 if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) {
7310 /*
7311 * This should never happen because the existence of a PSK is always
7312 * checked before calling this function.
7313 *
7314 * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with
7315 * the shared secret without PSK.
7316 */
7317 if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
7318 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7319 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7320 }
7321 }
7322
7323 /*
7324 * PMS = struct {
7325 * opaque other_secret<0..2^16-1>;
7326 * opaque psk<0..2^16-1>;
7327 * };
7328 * with "other_secret" depending on the particular key exchange
7329 */
7330 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
7331 if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) {
7332 if (end - p < 2) {
7333 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7334 }
7335
7336 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
7337 p += 2;
7338
7339 if (end < p || (size_t) (end - p) < psk_len) {
7340 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7341 }
7342
7343 memset(p, 0, psk_len);
7344 p += psk_len;
7345 } else
7346 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
7347 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
7348 if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7349 /*
7350 * other_secret already set by the ClientKeyExchange message,
7351 * and is 48 bytes long
7352 */
7353 if (end - p < 2) {
7354 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7355 }
7356
7357 *p++ = 0;
7358 *p++ = 48;
7359 p += 48;
7360 } else
7361 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
7362 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
7363 if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
7364 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7365 size_t len;
7366
7367 /* Write length only when we know the actual value */
7368 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
7369 p + 2, (size_t) (end - (p + 2)), &len,
7370 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
7371 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
7372 return ret;
7373 }
7374 MBEDTLS_PUT_UINT16_BE(len, p, 0);
7375 p += 2 + len;
7376
7377 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
7378 } else
7379 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
7380 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
7381 if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
7382 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7383 size_t zlen;
7384
7385 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen,
7386 p + 2, (size_t) (end - (p + 2)),
7387 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
7388 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
7389 return ret;
7390 }
7391
7392 MBEDTLS_PUT_UINT16_BE(zlen, p, 0);
7393 p += 2 + zlen;
7394
7395 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
7396 MBEDTLS_DEBUG_ECDH_Z);
7397 } else
7398 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
7399 {
7400 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7401 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7402 }
7403
7404 /* opaque psk<0..2^16-1>; */
7405 if (end - p < 2) {
7406 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7407 }
7408
7409 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
7410 p += 2;
7411
7412 if (end < p || (size_t) (end - p) < psk_len) {
7413 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7414 }
7415
7416 memcpy(p, psk, psk_len);
7417 p += psk_len;
7418
7419 ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster);
7420
7421 return 0;
7422 }
7423 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
7424
7425 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
7426 MBEDTLS_CHECK_RETURN_CRITICAL
7427 static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
7428
7429 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_resend_hello_request(mbedtls_ssl_context * ssl)7430 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl)
7431 {
7432 /* If renegotiation is not enforced, retransmit until we would reach max
7433 * timeout if we were using the usual handshake doubling scheme */
7434 if (ssl->conf->renego_max_records < 0) {
7435 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
7436 unsigned char doublings = 1;
7437
7438 while (ratio != 0) {
7439 ++doublings;
7440 ratio >>= 1;
7441 }
7442
7443 if (++ssl->renego_records_seen > doublings) {
7444 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
7445 return 0;
7446 }
7447 }
7448
7449 return ssl_write_hello_request(ssl);
7450 }
7451 #endif
7452 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
7453
7454 /*
7455 * Handshake functions
7456 */
7457 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
7458 /* No certificate support -> dummy functions */
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)7459 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
7460 {
7461 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7462 ssl->handshake->ciphersuite_info;
7463
7464 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
7465
7466 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7467 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7468 ssl->state++;
7469 return 0;
7470 }
7471
7472 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7473 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7474 }
7475
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)7476 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
7477 {
7478 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7479 ssl->handshake->ciphersuite_info;
7480
7481 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
7482
7483 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7484 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
7485 ssl->state++;
7486 return 0;
7487 }
7488
7489 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7490 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7491 }
7492
7493 #else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
7494 /* Some certificate support -> implement write and parse */
7495
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)7496 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
7497 {
7498 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
7499 size_t i, n;
7500 const mbedtls_x509_crt *crt;
7501 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7502 ssl->handshake->ciphersuite_info;
7503
7504 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
7505
7506 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7507 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7508 ssl->state++;
7509 return 0;
7510 }
7511
7512 #if defined(MBEDTLS_SSL_CLI_C)
7513 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7514 if (ssl->handshake->client_auth == 0) {
7515 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7516 ssl->state++;
7517 return 0;
7518 }
7519 }
7520 #endif /* MBEDTLS_SSL_CLI_C */
7521 #if defined(MBEDTLS_SSL_SRV_C)
7522 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7523 if (mbedtls_ssl_own_cert(ssl) == NULL) {
7524 /* Should never happen because we shouldn't have picked the
7525 * ciphersuite if we don't have a certificate. */
7526 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7527 }
7528 }
7529 #endif
7530
7531 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
7532
7533 /*
7534 * 0 . 0 handshake type
7535 * 1 . 3 handshake length
7536 * 4 . 6 length of all certs
7537 * 7 . 9 length of cert. 1
7538 * 10 . n-1 peer certificate
7539 * n . n+2 length of cert. 2
7540 * n+3 . ... upper level cert, etc.
7541 */
7542 i = 7;
7543 crt = mbedtls_ssl_own_cert(ssl);
7544
7545 while (crt != NULL) {
7546 n = crt->raw.len;
7547 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
7548 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
7549 " > %" MBEDTLS_PRINTF_SIZET,
7550 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
7551 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
7552 }
7553
7554 ssl->out_msg[i] = MBEDTLS_BYTE_2(n);
7555 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n);
7556 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n);
7557
7558 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n);
7559 i += n; crt = crt->next;
7560 }
7561
7562 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7);
7563 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7);
7564 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7);
7565
7566 ssl->out_msglen = i;
7567 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7568 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
7569
7570 ssl->state++;
7571
7572 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
7573 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
7574 return ret;
7575 }
7576
7577 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
7578
7579 return ret;
7580 }
7581
7582 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7583
7584 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7585 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)7586 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7587 unsigned char *crt_buf,
7588 size_t crt_buf_len)
7589 {
7590 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
7591
7592 if (peer_crt == NULL) {
7593 return -1;
7594 }
7595
7596 if (peer_crt->raw.len != crt_buf_len) {
7597 return -1;
7598 }
7599
7600 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len);
7601 }
7602 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7603 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)7604 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7605 unsigned char *crt_buf,
7606 size_t crt_buf_len)
7607 {
7608 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7609 unsigned char const * const peer_cert_digest =
7610 ssl->session->peer_cert_digest;
7611 mbedtls_md_type_t const peer_cert_digest_type =
7612 ssl->session->peer_cert_digest_type;
7613 mbedtls_md_info_t const * const digest_info =
7614 mbedtls_md_info_from_type(peer_cert_digest_type);
7615 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
7616 size_t digest_len;
7617
7618 if (peer_cert_digest == NULL || digest_info == NULL) {
7619 return -1;
7620 }
7621
7622 digest_len = mbedtls_md_get_size(digest_info);
7623 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) {
7624 return -1;
7625 }
7626
7627 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
7628 if (ret != 0) {
7629 return -1;
7630 }
7631
7632 return memcmp(tmp_digest, peer_cert_digest, digest_len);
7633 }
7634 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7635 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7636
7637 /*
7638 * Once the certificate message is read, parse it into a cert chain and
7639 * perform basic checks, but leave actual verification to the caller
7640 */
7641 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * chain)7642 static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
7643 mbedtls_x509_crt *chain)
7644 {
7645 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7646 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7647 int crt_cnt = 0;
7648 #endif
7649 size_t i, n;
7650 uint8_t alert;
7651
7652 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
7653 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7654 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7655 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7656 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7657 }
7658
7659 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) {
7660 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7661 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7662 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7663 }
7664
7665 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
7666 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7667 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7668 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7669 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7670 }
7671
7672 i = mbedtls_ssl_hs_hdr_len(ssl);
7673
7674 /*
7675 * Same message structure as in mbedtls_ssl_write_certificate()
7676 */
7677 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
7678
7679 if (ssl->in_msg[i] != 0 ||
7680 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
7681 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7682 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7683 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7684 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7685 }
7686
7687 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
7688 i += 3;
7689
7690 /* Iterate through and parse the CRTs in the provided chain. */
7691 while (i < ssl->in_hslen) {
7692 /* Check that there's room for the next CRT's length fields. */
7693 if (i + 3 > ssl->in_hslen) {
7694 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7695 mbedtls_ssl_send_alert_message(ssl,
7696 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7697 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7698 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7699 }
7700 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
7701 * anything beyond 2**16 ~ 64K. */
7702 if (ssl->in_msg[i] != 0) {
7703 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7704 mbedtls_ssl_send_alert_message(ssl,
7705 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7706 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
7707 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7708 }
7709
7710 /* Read length of the next CRT in the chain. */
7711 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
7712 i += 3;
7713
7714 if (n < 128 || i + n > ssl->in_hslen) {
7715 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7716 mbedtls_ssl_send_alert_message(ssl,
7717 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7718 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7719 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7720 }
7721
7722 /* Check if we're handling the first CRT in the chain. */
7723 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7724 if (crt_cnt++ == 0 &&
7725 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
7726 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
7727 /* During client-side renegotiation, check that the server's
7728 * end-CRTs hasn't changed compared to the initial handshake,
7729 * mitigating the triple handshake attack. On success, reuse
7730 * the original end-CRT instead of parsing it again. */
7731 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
7732 if (ssl_check_peer_crt_unchanged(ssl,
7733 &ssl->in_msg[i],
7734 n) != 0) {
7735 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
7736 mbedtls_ssl_send_alert_message(ssl,
7737 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7738 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
7739 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7740 }
7741
7742 /* Now we can safely free the original chain. */
7743 ssl_clear_peer_cert(ssl->session);
7744 }
7745 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7746
7747 /* Parse the next certificate in the chain. */
7748 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7749 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
7750 #else
7751 /* If we don't need to store the CRT chain permanently, parse
7752 * it in-place from the input buffer instead of making a copy. */
7753 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
7754 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7755 switch (ret) {
7756 case 0: /*ok*/
7757 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
7758 /* Ignore certificate with an unknown algorithm: maybe a
7759 prior certificate was already trusted. */
7760 break;
7761
7762 case MBEDTLS_ERR_X509_ALLOC_FAILED:
7763 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
7764 goto crt_parse_der_failed;
7765
7766 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
7767 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7768 goto crt_parse_der_failed;
7769
7770 default:
7771 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
7772 crt_parse_der_failed:
7773 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
7774 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
7775 return ret;
7776 }
7777
7778 i += n;
7779 }
7780
7781 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
7782 return 0;
7783 }
7784
7785 #if defined(MBEDTLS_SSL_SRV_C)
7786 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context * ssl)7787 static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl)
7788 {
7789 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7790 return -1;
7791 }
7792
7793 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
7794 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
7795 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
7796 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
7797 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
7798 return 0;
7799 }
7800 return -1;
7801 }
7802 #endif /* MBEDTLS_SSL_SRV_C */
7803
7804 /* Check if a certificate message is expected.
7805 * Return either
7806 * - SSL_CERTIFICATE_EXPECTED, or
7807 * - SSL_CERTIFICATE_SKIP
7808 * indicating whether a Certificate message is expected or not.
7809 */
7810 #define SSL_CERTIFICATE_EXPECTED 0
7811 #define SSL_CERTIFICATE_SKIP 1
7812 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_coordinate(mbedtls_ssl_context * ssl,int authmode)7813 static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
7814 int authmode)
7815 {
7816 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7817 ssl->handshake->ciphersuite_info;
7818
7819 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7820 return SSL_CERTIFICATE_SKIP;
7821 }
7822
7823 #if defined(MBEDTLS_SSL_SRV_C)
7824 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7825 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7826 return SSL_CERTIFICATE_SKIP;
7827 }
7828
7829 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
7830 ssl->session_negotiate->verify_result =
7831 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
7832 return SSL_CERTIFICATE_SKIP;
7833 }
7834 }
7835 #else
7836 ((void) authmode);
7837 #endif /* MBEDTLS_SSL_SRV_C */
7838
7839 return SSL_CERTIFICATE_EXPECTED;
7840 }
7841
7842 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7843 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_crt_digest(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7844 static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
7845 unsigned char *start, size_t len)
7846 {
7847 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7848 /* Remember digest of the peer's end-CRT. */
7849 ssl->session_negotiate->peer_cert_digest =
7850 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
7851 if (ssl->session_negotiate->peer_cert_digest == NULL) {
7852 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
7853 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
7854 mbedtls_ssl_send_alert_message(ssl,
7855 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7856 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
7857
7858 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
7859 }
7860
7861 ret = mbedtls_md(mbedtls_md_info_from_type(
7862 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
7863 start, len,
7864 ssl->session_negotiate->peer_cert_digest);
7865
7866 ssl->session_negotiate->peer_cert_digest_type =
7867 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
7868 ssl->session_negotiate->peer_cert_digest_len =
7869 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
7870
7871 return ret;
7872 }
7873
7874 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_pubkey(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7875 static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
7876 unsigned char *start, size_t len)
7877 {
7878 unsigned char *end = start + len;
7879 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7880
7881 /* Make a copy of the peer's raw public key. */
7882 mbedtls_pk_init(&ssl->handshake->peer_pubkey);
7883 ret = mbedtls_pk_parse_subpubkey(&start, end,
7884 &ssl->handshake->peer_pubkey);
7885 if (ret != 0) {
7886 /* We should have parsed the public key before. */
7887 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7888 }
7889
7890 return 0;
7891 }
7892 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7893
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)7894 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
7895 {
7896 int ret = 0;
7897 int crt_expected;
7898 /* Authmode: precedence order is SNI if used else configuration */
7899 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7900 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
7901 ? ssl->handshake->sni_authmode
7902 : ssl->conf->authmode;
7903 #else
7904 const int authmode = ssl->conf->authmode;
7905 #endif
7906 void *rs_ctx = NULL;
7907 mbedtls_x509_crt *chain = NULL;
7908
7909 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
7910
7911 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
7912 if (crt_expected == SSL_CERTIFICATE_SKIP) {
7913 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
7914 goto exit;
7915 }
7916
7917 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7918 if (ssl->handshake->ecrs_enabled &&
7919 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
7920 chain = ssl->handshake->ecrs_peer_cert;
7921 ssl->handshake->ecrs_peer_cert = NULL;
7922 goto crt_verify;
7923 }
7924 #endif
7925
7926 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
7927 /* mbedtls_ssl_read_record may have sent an alert already. We
7928 let it decide whether to alert. */
7929 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
7930 goto exit;
7931 }
7932
7933 #if defined(MBEDTLS_SSL_SRV_C)
7934 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
7935 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
7936
7937 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) {
7938 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
7939 }
7940
7941 goto exit;
7942 }
7943 #endif /* MBEDTLS_SSL_SRV_C */
7944
7945 /* Clear existing peer CRT structure in case we tried to
7946 * reuse a session but it failed, and allocate a new one. */
7947 ssl_clear_peer_cert(ssl->session_negotiate);
7948
7949 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
7950 if (chain == NULL) {
7951 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
7952 sizeof(mbedtls_x509_crt)));
7953 mbedtls_ssl_send_alert_message(ssl,
7954 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7955 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
7956
7957 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
7958 goto exit;
7959 }
7960 mbedtls_x509_crt_init(chain);
7961
7962 ret = ssl_parse_certificate_chain(ssl, chain);
7963 if (ret != 0) {
7964 goto exit;
7965 }
7966
7967 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7968 if (ssl->handshake->ecrs_enabled) {
7969 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
7970 }
7971
7972 crt_verify:
7973 if (ssl->handshake->ecrs_enabled) {
7974 rs_ctx = &ssl->handshake->ecrs_ctx;
7975 }
7976 #endif
7977
7978 ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain,
7979 ssl->handshake->ciphersuite_info,
7980 rs_ctx);
7981 if (ret != 0) {
7982 goto exit;
7983 }
7984
7985 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7986 {
7987 unsigned char *crt_start, *pk_start;
7988 size_t crt_len, pk_len;
7989
7990 /* We parse the CRT chain without copying, so
7991 * these pointers point into the input buffer,
7992 * and are hence still valid after freeing the
7993 * CRT chain. */
7994
7995 crt_start = chain->raw.p;
7996 crt_len = chain->raw.len;
7997
7998 pk_start = chain->pk_raw.p;
7999 pk_len = chain->pk_raw.len;
8000
8001 /* Free the CRT structures before computing
8002 * digest and copying the peer's public key. */
8003 mbedtls_x509_crt_free(chain);
8004 mbedtls_free(chain);
8005 chain = NULL;
8006
8007 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
8008 if (ret != 0) {
8009 goto exit;
8010 }
8011
8012 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
8013 if (ret != 0) {
8014 goto exit;
8015 }
8016 }
8017 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8018 /* Pass ownership to session structure. */
8019 ssl->session_negotiate->peer_cert = chain;
8020 chain = NULL;
8021 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8022
8023 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
8024
8025 exit:
8026
8027 if (ret == 0) {
8028 ssl->state++;
8029 }
8030
8031 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8032 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
8033 ssl->handshake->ecrs_peer_cert = chain;
8034 chain = NULL;
8035 }
8036 #endif
8037
8038 if (chain != NULL) {
8039 mbedtls_x509_crt_free(chain);
8040 mbedtls_free(chain);
8041 }
8042
8043 return ret;
8044 }
8045 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
8046
ssl_calc_finished_tls_generic(mbedtls_ssl_context * ssl,void * ctx,unsigned char * padbuf,size_t hlen,unsigned char * buf,int from)8047 static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
8048 unsigned char *padbuf, size_t hlen,
8049 unsigned char *buf, int from)
8050 {
8051 unsigned int len = 12;
8052 const char *sender;
8053 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8054 psa_status_t status;
8055 psa_hash_operation_t *hs_op = ctx;
8056 psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
8057 size_t hash_size;
8058 #else
8059 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8060 mbedtls_md_context_t *hs_ctx = ctx;
8061 mbedtls_md_context_t cloned_ctx;
8062 mbedtls_md_init(&cloned_ctx);
8063 #endif
8064
8065 mbedtls_ssl_session *session = ssl->session_negotiate;
8066 if (!session) {
8067 session = ssl->session;
8068 }
8069
8070 sender = (from == MBEDTLS_SSL_IS_CLIENT)
8071 ? "client finished"
8072 : "server finished";
8073
8074 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8075 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
8076
8077 status = psa_hash_clone(hs_op, &cloned_op);
8078 if (status != PSA_SUCCESS) {
8079 goto exit;
8080 }
8081
8082 status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
8083 if (status != PSA_SUCCESS) {
8084 goto exit;
8085 }
8086 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
8087 #else
8088 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls"));
8089
8090 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
8091 if (ret != 0) {
8092 goto exit;
8093 }
8094 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
8095 if (ret != 0) {
8096 goto exit;
8097 }
8098
8099 ret = mbedtls_md_finish(&cloned_ctx, padbuf);
8100 if (ret != 0) {
8101 goto exit;
8102 }
8103 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8104
8105 MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
8106
8107 /*
8108 * TLSv1.2:
8109 * hash = PRF( master, finished_label,
8110 * Hash( handshake ) )[0.11]
8111 */
8112 ssl->handshake->tls_prf(session->master, 48, sender,
8113 padbuf, hlen, buf, len);
8114
8115 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
8116
8117 mbedtls_platform_zeroize(padbuf, hlen);
8118
8119 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
8120
8121 exit:
8122 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8123 psa_hash_abort(&cloned_op);
8124 return mbedtls_md_error_from_psa(status);
8125 #else
8126 mbedtls_md_free(&cloned_ctx);
8127 return ret;
8128 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8129 }
8130
8131 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_calc_finished_tls_sha256(mbedtls_ssl_context * ssl,unsigned char * buf,int from)8132 static int ssl_calc_finished_tls_sha256(
8133 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
8134 {
8135 unsigned char padbuf[32];
8136 return ssl_calc_finished_tls_generic(ssl,
8137 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8138 &ssl->handshake->fin_sha256_psa,
8139 #else
8140 &ssl->handshake->fin_sha256,
8141 #endif
8142 padbuf, sizeof(padbuf),
8143 buf, from);
8144 }
8145 #endif /* MBEDTLS_MD_CAN_SHA256*/
8146
8147
8148 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_calc_finished_tls_sha384(mbedtls_ssl_context * ssl,unsigned char * buf,int from)8149 static int ssl_calc_finished_tls_sha384(
8150 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
8151 {
8152 unsigned char padbuf[48];
8153 return ssl_calc_finished_tls_generic(ssl,
8154 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8155 &ssl->handshake->fin_sha384_psa,
8156 #else
8157 &ssl->handshake->fin_sha384,
8158 #endif
8159 padbuf, sizeof(padbuf),
8160 buf, from);
8161 }
8162 #endif /* MBEDTLS_MD_CAN_SHA384*/
8163
mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context * ssl)8164 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
8165 {
8166 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
8167
8168 /*
8169 * Free our handshake params
8170 */
8171 mbedtls_ssl_handshake_free(ssl);
8172 mbedtls_free(ssl->handshake);
8173 ssl->handshake = NULL;
8174
8175 /*
8176 * Free the previous transform and switch in the current one
8177 */
8178 if (ssl->transform) {
8179 mbedtls_ssl_transform_free(ssl->transform);
8180 mbedtls_free(ssl->transform);
8181 }
8182 ssl->transform = ssl->transform_negotiate;
8183 ssl->transform_negotiate = NULL;
8184
8185 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
8186 }
8187
mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context * ssl)8188 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
8189 {
8190 int resume = ssl->handshake->resume;
8191
8192 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
8193
8194 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8195 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
8196 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
8197 ssl->renego_records_seen = 0;
8198 }
8199 #endif
8200
8201 /*
8202 * Free the previous session and switch in the current one
8203 */
8204 if (ssl->session) {
8205 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8206 /* RFC 7366 3.1: keep the EtM state */
8207 ssl->session_negotiate->encrypt_then_mac =
8208 ssl->session->encrypt_then_mac;
8209 #endif
8210
8211 mbedtls_ssl_session_free(ssl->session);
8212 mbedtls_free(ssl->session);
8213 }
8214 ssl->session = ssl->session_negotiate;
8215 ssl->session_negotiate = NULL;
8216
8217 /*
8218 * Add cache entry
8219 */
8220 if (ssl->conf->f_set_cache != NULL &&
8221 ssl->session->id_len != 0 &&
8222 resume == 0) {
8223 if (ssl->conf->f_set_cache(ssl->conf->p_cache,
8224 ssl->session->id,
8225 ssl->session->id_len,
8226 ssl->session) != 0) {
8227 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
8228 }
8229 }
8230
8231 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8232 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8233 ssl->handshake->flight != NULL) {
8234 /* Cancel handshake timer */
8235 mbedtls_ssl_set_timer(ssl, 0);
8236
8237 /* Keep last flight around in case we need to resend it:
8238 * we need the handshake and transform structures for that */
8239 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
8240 } else
8241 #endif
8242 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
8243
8244 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
8245
8246 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
8247 }
8248
mbedtls_ssl_write_finished(mbedtls_ssl_context * ssl)8249 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
8250 {
8251 int ret;
8252 unsigned int hash_len;
8253
8254 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
8255
8256 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
8257
8258 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
8259 if (ret != 0) {
8260 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
8261 }
8262
8263 /*
8264 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
8265 * may define some other value. Currently (early 2016), no defined
8266 * ciphersuite does this (and this is unlikely to change as activity has
8267 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
8268 */
8269 hash_len = 12;
8270
8271 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8272 ssl->verify_data_len = hash_len;
8273 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
8274 #endif
8275
8276 ssl->out_msglen = 4 + hash_len;
8277 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
8278 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
8279
8280 /*
8281 * In case of session resuming, invert the client and server
8282 * ChangeCipherSpec messages order.
8283 */
8284 if (ssl->handshake->resume != 0) {
8285 #if defined(MBEDTLS_SSL_CLI_C)
8286 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8287 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
8288 }
8289 #endif
8290 #if defined(MBEDTLS_SSL_SRV_C)
8291 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8292 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
8293 }
8294 #endif
8295 } else {
8296 ssl->state++;
8297 }
8298
8299 /*
8300 * Switch to our negotiated transform and session parameters for outbound
8301 * data.
8302 */
8303 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
8304
8305 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8306 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8307 unsigned char i;
8308
8309 /* Remember current epoch settings for resending */
8310 ssl->handshake->alt_transform_out = ssl->transform_out;
8311 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
8312 sizeof(ssl->handshake->alt_out_ctr));
8313
8314 /* Set sequence_number to zero */
8315 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2);
8316
8317
8318 /* Increment epoch */
8319 for (i = 2; i > 0; i--) {
8320 if (++ssl->cur_out_ctr[i - 1] != 0) {
8321 break;
8322 }
8323 }
8324
8325 /* The loop goes to its end iff the counter is wrapping */
8326 if (i == 0) {
8327 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
8328 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
8329 }
8330 } else
8331 #endif /* MBEDTLS_SSL_PROTO_DTLS */
8332 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
8333
8334 ssl->transform_out = ssl->transform_negotiate;
8335 ssl->session_out = ssl->session_negotiate;
8336
8337 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8338 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8339 mbedtls_ssl_send_flight_completed(ssl);
8340 }
8341 #endif
8342
8343 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
8344 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
8345 return ret;
8346 }
8347
8348 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8349 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8350 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
8351 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
8352 return ret;
8353 }
8354 #endif
8355
8356 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
8357
8358 return 0;
8359 }
8360
8361 #define SSL_MAX_HASH_LEN 12
8362
mbedtls_ssl_parse_finished(mbedtls_ssl_context * ssl)8363 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
8364 {
8365 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8366 unsigned int hash_len = 12;
8367 unsigned char buf[SSL_MAX_HASH_LEN];
8368
8369 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
8370
8371 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
8372 if (ret != 0) {
8373 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
8374 }
8375
8376 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
8377 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
8378 goto exit;
8379 }
8380
8381 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
8382 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8383 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8384 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8385 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8386 goto exit;
8387 }
8388
8389 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) {
8390 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8391 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8392 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8393 goto exit;
8394 }
8395
8396 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
8397 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8398 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8399 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
8400 ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
8401 goto exit;
8402 }
8403
8404 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
8405 buf, hash_len) != 0) {
8406 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8407 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8408 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
8409 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8410 goto exit;
8411 }
8412
8413 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8414 ssl->verify_data_len = hash_len;
8415 memcpy(ssl->peer_verify_data, buf, hash_len);
8416 #endif
8417
8418 if (ssl->handshake->resume != 0) {
8419 #if defined(MBEDTLS_SSL_CLI_C)
8420 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8421 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
8422 }
8423 #endif
8424 #if defined(MBEDTLS_SSL_SRV_C)
8425 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8426 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
8427 }
8428 #endif
8429 } else {
8430 ssl->state++;
8431 }
8432
8433 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8434 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8435 mbedtls_ssl_recv_flight_completed(ssl);
8436 }
8437 #endif
8438
8439 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
8440
8441 exit:
8442 mbedtls_platform_zeroize(buf, hash_len);
8443 return ret;
8444 }
8445
8446 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8447 /*
8448 * Helper to get TLS 1.2 PRF from ciphersuite
8449 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
8450 */
ssl_tls12prf_from_cs(int ciphersuite_id)8451 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
8452 {
8453 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
8454 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
8455 #if defined(MBEDTLS_MD_CAN_SHA384)
8456 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
8457 return tls_prf_sha384;
8458 } else
8459 #endif
8460 #if defined(MBEDTLS_MD_CAN_SHA256)
8461 {
8462 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
8463 return tls_prf_sha256;
8464 }
8465 }
8466 #endif
8467 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
8468 !defined(MBEDTLS_MD_CAN_SHA256)
8469 (void) ciphersuite_info;
8470 #endif
8471
8472 return NULL;
8473 }
8474 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
8475
tls_prf_get_type(mbedtls_ssl_tls_prf_cb * tls_prf)8476 static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
8477 {
8478 ((void) tls_prf);
8479 #if defined(MBEDTLS_MD_CAN_SHA384)
8480 if (tls_prf == tls_prf_sha384) {
8481 return MBEDTLS_SSL_TLS_PRF_SHA384;
8482 } else
8483 #endif
8484 #if defined(MBEDTLS_MD_CAN_SHA256)
8485 if (tls_prf == tls_prf_sha256) {
8486 return MBEDTLS_SSL_TLS_PRF_SHA256;
8487 } else
8488 #endif
8489 return MBEDTLS_SSL_TLS_PRF_NONE;
8490 }
8491
8492 /*
8493 * Populate a transform structure with session keys and all the other
8494 * necessary information.
8495 *
8496 * Parameters:
8497 * - [in/out]: transform: structure to populate
8498 * [in] must be just initialised with mbedtls_ssl_transform_init()
8499 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
8500 * - [in] ciphersuite
8501 * - [in] master
8502 * - [in] encrypt_then_mac
8503 * - [in] tls_prf: pointer to PRF to use for key derivation
8504 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
8505 * - [in] tls_version: TLS version
8506 * - [in] endpoint: client or server
8507 * - [in] ssl: used for:
8508 * - ssl->conf->{f,p}_export_keys
8509 * [in] optionally used for:
8510 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
8511 */
8512 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_populate_transform(mbedtls_ssl_transform * transform,int ciphersuite,const unsigned char master[48],int encrypt_then_mac,ssl_tls_prf_t tls_prf,const unsigned char randbytes[64],mbedtls_ssl_protocol_version tls_version,unsigned endpoint,const mbedtls_ssl_context * ssl)8513 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
8514 int ciphersuite,
8515 const unsigned char master[48],
8516 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8517 int encrypt_then_mac,
8518 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8519 ssl_tls_prf_t tls_prf,
8520 const unsigned char randbytes[64],
8521 mbedtls_ssl_protocol_version tls_version,
8522 unsigned endpoint,
8523 const mbedtls_ssl_context *ssl)
8524 {
8525 int ret = 0;
8526 unsigned char keyblk[256];
8527 unsigned char *key1;
8528 unsigned char *key2;
8529 unsigned char *mac_enc;
8530 unsigned char *mac_dec;
8531 size_t mac_key_len = 0;
8532 size_t iv_copy_len;
8533 size_t keylen;
8534 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
8535 mbedtls_ssl_mode_t ssl_mode;
8536 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
8537 const mbedtls_cipher_info_t *cipher_info;
8538 const mbedtls_md_info_t *md_info;
8539 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
8540
8541 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8542 psa_key_type_t key_type;
8543 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8544 psa_algorithm_t alg;
8545 psa_algorithm_t mac_alg = 0;
8546 size_t key_bits;
8547 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8548 #endif
8549
8550 /*
8551 * Some data just needs copying into the structure
8552 */
8553 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8554 transform->encrypt_then_mac = encrypt_then_mac;
8555 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8556 transform->tls_version = tls_version;
8557
8558 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8559 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
8560 #endif
8561
8562 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
8563 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
8564 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
8565 * generation separate. This should never happen. */
8566 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8567 }
8568 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
8569
8570 /*
8571 * Get various info structures
8572 */
8573 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
8574 if (ciphersuite_info == NULL) {
8575 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
8576 ciphersuite));
8577 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8578 }
8579
8580 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
8581 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8582 encrypt_then_mac,
8583 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8584 ciphersuite_info);
8585
8586 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8587 transform->taglen =
8588 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
8589 }
8590
8591 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8592 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher,
8593 transform->taglen,
8594 &alg,
8595 &key_type,
8596 &key_bits)) != PSA_SUCCESS) {
8597 ret = PSA_TO_MBEDTLS_ERR(status);
8598 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
8599 goto end;
8600 }
8601 #else
8602 cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher);
8603 if (cipher_info == NULL) {
8604 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
8605 ciphersuite_info->cipher));
8606 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8607 }
8608 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8609
8610 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8611 mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
8612 if (mac_alg == 0) {
8613 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
8614 (unsigned) ciphersuite_info->mac));
8615 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8616 }
8617 #else
8618 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
8619 if (md_info == NULL) {
8620 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found",
8621 (unsigned) ciphersuite_info->mac));
8622 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8623 }
8624 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8625
8626 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
8627 /* Copy own and peer's CID if the use of the CID
8628 * extension has been negotiated. */
8629 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
8630 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
8631
8632 transform->in_cid_len = ssl->own_cid_len;
8633 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
8634 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
8635 transform->in_cid_len);
8636
8637 transform->out_cid_len = ssl->handshake->peer_cid_len;
8638 memcpy(transform->out_cid, ssl->handshake->peer_cid,
8639 ssl->handshake->peer_cid_len);
8640 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
8641 transform->out_cid_len);
8642 }
8643 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
8644
8645 /*
8646 * Compute key block using the PRF
8647 */
8648 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
8649 if (ret != 0) {
8650 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
8651 return ret;
8652 }
8653
8654 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
8655 mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
8656 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
8657 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
8658 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
8659
8660 /*
8661 * Determine the appropriate key, IV and MAC length.
8662 */
8663
8664 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8665 keylen = PSA_BITS_TO_BYTES(key_bits);
8666 #else
8667 keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
8668 #endif
8669
8670 #if defined(MBEDTLS_SSL_HAVE_AEAD)
8671 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8672 size_t explicit_ivlen;
8673
8674 transform->maclen = 0;
8675 mac_key_len = 0;
8676
8677 /* All modes haves 96-bit IVs, but the length of the static parts vary
8678 * with mode and version:
8679 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
8680 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
8681 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
8682 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
8683 * sequence number).
8684 */
8685 transform->ivlen = 12;
8686
8687 int is_chachapoly = 0;
8688 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8689 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20);
8690 #else
8691 is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info)
8692 == MBEDTLS_MODE_CHACHAPOLY);
8693 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8694
8695 if (is_chachapoly) {
8696 transform->fixed_ivlen = 12;
8697 } else {
8698 transform->fixed_ivlen = 4;
8699 }
8700
8701 /* Minimum length of encrypted record */
8702 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
8703 transform->minlen = explicit_ivlen + transform->taglen;
8704 } else
8705 #endif /* MBEDTLS_SSL_HAVE_AEAD */
8706 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8707 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
8708 ssl_mode == MBEDTLS_SSL_MODE_CBC ||
8709 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8710 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8711 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
8712 #else
8713 size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info);
8714 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8715
8716 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8717 /* Get MAC length */
8718 mac_key_len = PSA_HASH_LENGTH(mac_alg);
8719 #else
8720 /* Initialize HMAC contexts */
8721 if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 ||
8722 (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) {
8723 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
8724 goto end;
8725 }
8726
8727 /* Get MAC length */
8728 mac_key_len = mbedtls_md_get_size(md_info);
8729 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8730 transform->maclen = mac_key_len;
8731
8732 /* IV length */
8733 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8734 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
8735 #else
8736 transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info);
8737 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8738
8739 /* Minimum length */
8740 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
8741 transform->minlen = transform->maclen;
8742 } else {
8743 /*
8744 * GenericBlockCipher:
8745 * 1. if EtM is in use: one block plus MAC
8746 * otherwise: * first multiple of blocklen greater than maclen
8747 * 2. IV
8748 */
8749 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8750 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8751 transform->minlen = transform->maclen
8752 + block_size;
8753 } else
8754 #endif
8755 {
8756 transform->minlen = transform->maclen
8757 + block_size
8758 - transform->maclen % block_size;
8759 }
8760
8761 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
8762 transform->minlen += transform->ivlen;
8763 } else {
8764 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8765 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8766 goto end;
8767 }
8768 }
8769 } else
8770 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
8771 {
8772 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8773 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8774 }
8775
8776 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
8777 (unsigned) keylen,
8778 (unsigned) transform->minlen,
8779 (unsigned) transform->ivlen,
8780 (unsigned) transform->maclen));
8781
8782 /*
8783 * Finally setup the cipher contexts, IVs and MAC secrets.
8784 */
8785 #if defined(MBEDTLS_SSL_CLI_C)
8786 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
8787 key1 = keyblk + mac_key_len * 2;
8788 key2 = keyblk + mac_key_len * 2 + keylen;
8789
8790 mac_enc = keyblk;
8791 mac_dec = keyblk + mac_key_len;
8792
8793 iv_copy_len = (transform->fixed_ivlen) ?
8794 transform->fixed_ivlen : transform->ivlen;
8795 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len);
8796 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
8797 iv_copy_len);
8798 } else
8799 #endif /* MBEDTLS_SSL_CLI_C */
8800 #if defined(MBEDTLS_SSL_SRV_C)
8801 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
8802 key1 = keyblk + mac_key_len * 2 + keylen;
8803 key2 = keyblk + mac_key_len * 2;
8804
8805 mac_enc = keyblk + mac_key_len;
8806 mac_dec = keyblk;
8807
8808 iv_copy_len = (transform->fixed_ivlen) ?
8809 transform->fixed_ivlen : transform->ivlen;
8810 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len);
8811 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
8812 iv_copy_len);
8813 } else
8814 #endif /* MBEDTLS_SSL_SRV_C */
8815 {
8816 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8817 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8818 goto end;
8819 }
8820
8821 if (ssl->f_export_keys != NULL) {
8822 ssl->f_export_keys(ssl->p_export_keys,
8823 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
8824 master, 48,
8825 randbytes + 32,
8826 randbytes,
8827 tls_prf_get_type(tls_prf));
8828 }
8829
8830 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8831 transform->psa_alg = alg;
8832
8833 if (alg != MBEDTLS_SSL_NULL_CIPHER) {
8834 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
8835 psa_set_key_algorithm(&attributes, alg);
8836 psa_set_key_type(&attributes, key_type);
8837
8838 if ((status = psa_import_key(&attributes,
8839 key1,
8840 PSA_BITS_TO_BYTES(key_bits),
8841 &transform->psa_key_enc)) != PSA_SUCCESS) {
8842 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
8843 ret = PSA_TO_MBEDTLS_ERR(status);
8844 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8845 goto end;
8846 }
8847
8848 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8849
8850 if ((status = psa_import_key(&attributes,
8851 key2,
8852 PSA_BITS_TO_BYTES(key_bits),
8853 &transform->psa_key_dec)) != PSA_SUCCESS) {
8854 ret = PSA_TO_MBEDTLS_ERR(status);
8855 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8856 goto end;
8857 }
8858 }
8859 #else
8860 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
8861 cipher_info)) != 0) {
8862 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8863 goto end;
8864 }
8865
8866 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
8867 cipher_info)) != 0) {
8868 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8869 goto end;
8870 }
8871
8872 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1,
8873 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8874 MBEDTLS_ENCRYPT)) != 0) {
8875 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8876 goto end;
8877 }
8878
8879 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2,
8880 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8881 MBEDTLS_DECRYPT)) != 0) {
8882 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8883 goto end;
8884 }
8885
8886 #if defined(MBEDTLS_CIPHER_MODE_CBC)
8887 if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) {
8888 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc,
8889 MBEDTLS_PADDING_NONE)) != 0) {
8890 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
8891 goto end;
8892 }
8893
8894 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec,
8895 MBEDTLS_PADDING_NONE)) != 0) {
8896 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
8897 goto end;
8898 }
8899 }
8900 #endif /* MBEDTLS_CIPHER_MODE_CBC */
8901 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8902
8903 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8904 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
8905 For AEAD-based ciphersuites, there is nothing to do here. */
8906 if (mac_key_len != 0) {
8907 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8908 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg);
8909
8910 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
8911 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg));
8912 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
8913
8914 if ((status = psa_import_key(&attributes,
8915 mac_enc, mac_key_len,
8916 &transform->psa_mac_enc)) != PSA_SUCCESS) {
8917 ret = PSA_TO_MBEDTLS_ERR(status);
8918 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
8919 goto end;
8920 }
8921
8922 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) ||
8923 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING)
8924 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8925 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED)
8926 #endif
8927 )) {
8928 /* mbedtls_ct_hmac() requires the key to be exportable */
8929 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
8930 PSA_KEY_USAGE_VERIFY_HASH);
8931 } else {
8932 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
8933 }
8934
8935 if ((status = psa_import_key(&attributes,
8936 mac_dec, mac_key_len,
8937 &transform->psa_mac_dec)) != PSA_SUCCESS) {
8938 ret = PSA_TO_MBEDTLS_ERR(status);
8939 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
8940 goto end;
8941 }
8942 #else
8943 ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len);
8944 if (ret != 0) {
8945 goto end;
8946 }
8947 ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len);
8948 if (ret != 0) {
8949 goto end;
8950 }
8951 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8952 }
8953 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
8954
8955 ((void) mac_dec);
8956 ((void) mac_enc);
8957
8958 end:
8959 mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
8960 return ret;
8961 }
8962
8963 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
8964 defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_ecjpake_read_round(psa_pake_operation_t * pake_ctx,const unsigned char * buf,size_t len,mbedtls_ecjpake_rounds_t round)8965 int mbedtls_psa_ecjpake_read_round(
8966 psa_pake_operation_t *pake_ctx,
8967 const unsigned char *buf,
8968 size_t len, mbedtls_ecjpake_rounds_t round)
8969 {
8970 psa_status_t status;
8971 size_t input_offset = 0;
8972 /*
8973 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
8974 * At round two perform a single cycle
8975 */
8976 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
8977
8978 for (; remaining_steps > 0; remaining_steps--) {
8979 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
8980 step <= PSA_PAKE_STEP_ZK_PROOF;
8981 ++step) {
8982 /* Length is stored at the first byte */
8983 size_t length = buf[input_offset];
8984 input_offset += 1;
8985
8986 if (input_offset + length > len) {
8987 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8988 }
8989
8990 status = psa_pake_input(pake_ctx, step,
8991 buf + input_offset, length);
8992 if (status != PSA_SUCCESS) {
8993 return PSA_TO_MBEDTLS_ERR(status);
8994 }
8995
8996 input_offset += length;
8997 }
8998 }
8999
9000 if (input_offset != len) {
9001 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
9002 }
9003
9004 return 0;
9005 }
9006
mbedtls_psa_ecjpake_write_round(psa_pake_operation_t * pake_ctx,unsigned char * buf,size_t len,size_t * olen,mbedtls_ecjpake_rounds_t round)9007 int mbedtls_psa_ecjpake_write_round(
9008 psa_pake_operation_t *pake_ctx,
9009 unsigned char *buf,
9010 size_t len, size_t *olen,
9011 mbedtls_ecjpake_rounds_t round)
9012 {
9013 psa_status_t status;
9014 size_t output_offset = 0;
9015 size_t output_len;
9016 /*
9017 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
9018 * At round two perform a single cycle
9019 */
9020 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
9021
9022 for (; remaining_steps > 0; remaining_steps--) {
9023 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
9024 step <= PSA_PAKE_STEP_ZK_PROOF;
9025 ++step) {
9026 /*
9027 * For each step, prepend 1 byte with the length of the data as
9028 * given by psa_pake_output().
9029 */
9030 status = psa_pake_output(pake_ctx, step,
9031 buf + output_offset + 1,
9032 len - output_offset - 1,
9033 &output_len);
9034 if (status != PSA_SUCCESS) {
9035 return PSA_TO_MBEDTLS_ERR(status);
9036 }
9037
9038 *(buf + output_offset) = (uint8_t) output_len;
9039
9040 output_offset += output_len + 1;
9041 }
9042 }
9043
9044 *olen = output_offset;
9045
9046 return 0;
9047 }
9048 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
9049
9050 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)9051 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
9052 unsigned char *hash, size_t *hashlen,
9053 unsigned char *data, size_t data_len,
9054 mbedtls_md_type_t md_alg)
9055 {
9056 psa_status_t status;
9057 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
9058 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
9059
9060 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
9061
9062 if ((status = psa_hash_setup(&hash_operation,
9063 hash_alg)) != PSA_SUCCESS) {
9064 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
9065 goto exit;
9066 }
9067
9068 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
9069 64)) != PSA_SUCCESS) {
9070 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
9071 goto exit;
9072 }
9073
9074 if ((status = psa_hash_update(&hash_operation,
9075 data, data_len)) != PSA_SUCCESS) {
9076 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
9077 goto exit;
9078 }
9079
9080 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE,
9081 hashlen)) != PSA_SUCCESS) {
9082 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
9083 goto exit;
9084 }
9085
9086 exit:
9087 if (status != PSA_SUCCESS) {
9088 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9089 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
9090 switch (status) {
9091 case PSA_ERROR_NOT_SUPPORTED:
9092 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
9093 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
9094 case PSA_ERROR_BUFFER_TOO_SMALL:
9095 return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
9096 case PSA_ERROR_INSUFFICIENT_MEMORY:
9097 return MBEDTLS_ERR_MD_ALLOC_FAILED;
9098 default:
9099 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
9100 }
9101 }
9102 return 0;
9103 }
9104
9105 #else
9106
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)9107 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
9108 unsigned char *hash, size_t *hashlen,
9109 unsigned char *data, size_t data_len,
9110 mbedtls_md_type_t md_alg)
9111 {
9112 int ret = 0;
9113 mbedtls_md_context_t ctx;
9114 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
9115 *hashlen = mbedtls_md_get_size(md_info);
9116
9117 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange"));
9118
9119 mbedtls_md_init(&ctx);
9120
9121 /*
9122 * digitally-signed struct {
9123 * opaque client_random[32];
9124 * opaque server_random[32];
9125 * ServerDHParams params;
9126 * };
9127 */
9128 if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
9129 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
9130 goto exit;
9131 }
9132 if ((ret = mbedtls_md_starts(&ctx)) != 0) {
9133 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret);
9134 goto exit;
9135 }
9136 if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) {
9137 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
9138 goto exit;
9139 }
9140 if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) {
9141 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
9142 goto exit;
9143 }
9144 if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) {
9145 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
9146 goto exit;
9147 }
9148
9149 exit:
9150 mbedtls_md_free(&ctx);
9151
9152 if (ret != 0) {
9153 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9154 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
9155 }
9156
9157 return ret;
9158 }
9159 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9160
9161 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
9162
9163 /* Find the preferred hash for a given signature algorithm. */
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(mbedtls_ssl_context * ssl,unsigned int sig_alg)9164 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
9165 mbedtls_ssl_context *ssl,
9166 unsigned int sig_alg)
9167 {
9168 unsigned int i;
9169 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
9170
9171 if (sig_alg == MBEDTLS_SSL_SIG_ANON) {
9172 return MBEDTLS_SSL_HASH_NONE;
9173 }
9174
9175 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
9176 unsigned int hash_alg_received =
9177 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
9178 received_sig_algs[i]);
9179 unsigned int sig_alg_received =
9180 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
9181 received_sig_algs[i]);
9182
9183 mbedtls_md_type_t md_alg =
9184 mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received);
9185 if (md_alg == MBEDTLS_MD_NONE) {
9186 continue;
9187 }
9188
9189 if (sig_alg == sig_alg_received) {
9190 #if defined(MBEDTLS_USE_PSA_CRYPTO)
9191 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
9192 psa_algorithm_t psa_hash_alg =
9193 mbedtls_md_psa_alg_from_type(md_alg);
9194
9195 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
9196 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
9197 PSA_ALG_ECDSA(psa_hash_alg),
9198 PSA_KEY_USAGE_SIGN_HASH)) {
9199 continue;
9200 }
9201
9202 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
9203 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
9204 PSA_ALG_RSA_PKCS1V15_SIGN(
9205 psa_hash_alg),
9206 PSA_KEY_USAGE_SIGN_HASH)) {
9207 continue;
9208 }
9209 }
9210 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9211
9212 return hash_alg_received;
9213 }
9214 }
9215
9216 return MBEDTLS_SSL_HASH_NONE;
9217 }
9218
9219 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
9220
9221 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9222
mbedtls_ssl_validate_ciphersuite(const mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * suite_info,mbedtls_ssl_protocol_version min_tls_version,mbedtls_ssl_protocol_version max_tls_version)9223 int mbedtls_ssl_validate_ciphersuite(
9224 const mbedtls_ssl_context *ssl,
9225 const mbedtls_ssl_ciphersuite_t *suite_info,
9226 mbedtls_ssl_protocol_version min_tls_version,
9227 mbedtls_ssl_protocol_version max_tls_version)
9228 {
9229 (void) ssl;
9230
9231 if (suite_info == NULL) {
9232 return -1;
9233 }
9234
9235 if ((suite_info->min_tls_version > max_tls_version) ||
9236 (suite_info->max_tls_version < min_tls_version)) {
9237 return -1;
9238 }
9239
9240 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
9241 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
9242 #if defined(MBEDTLS_USE_PSA_CRYPTO)
9243 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9244 ssl->handshake->psa_pake_ctx_is_ok != 1)
9245 #else
9246 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9247 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
9248 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9249 {
9250 return -1;
9251 }
9252 #endif
9253
9254 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
9255 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
9256 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
9257 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
9258 return -1;
9259 }
9260 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
9261 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9262
9263 return 0;
9264 }
9265
9266 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
9267 /*
9268 * Function for writing a signature algorithm extension.
9269 *
9270 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
9271 * value (TLS 1.3 RFC8446):
9272 * enum {
9273 * ....
9274 * ecdsa_secp256r1_sha256( 0x0403 ),
9275 * ecdsa_secp384r1_sha384( 0x0503 ),
9276 * ecdsa_secp521r1_sha512( 0x0603 ),
9277 * ....
9278 * } SignatureScheme;
9279 *
9280 * struct {
9281 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
9282 * } SignatureSchemeList;
9283 *
9284 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
9285 * value (TLS 1.2 RFC5246):
9286 * enum {
9287 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
9288 * sha512(6), (255)
9289 * } HashAlgorithm;
9290 *
9291 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
9292 * SignatureAlgorithm;
9293 *
9294 * struct {
9295 * HashAlgorithm hash;
9296 * SignatureAlgorithm signature;
9297 * } SignatureAndHashAlgorithm;
9298 *
9299 * SignatureAndHashAlgorithm
9300 * supported_signature_algorithms<2..2^16-2>;
9301 *
9302 * The TLS 1.3 signature algorithm extension was defined to be a compatible
9303 * generalization of the TLS 1.2 signature algorithm extension.
9304 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
9305 * `SignatureScheme` field of TLS 1.3
9306 *
9307 */
mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)9308 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
9309 const unsigned char *end, size_t *out_len)
9310 {
9311 unsigned char *p = buf;
9312 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
9313 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
9314
9315 *out_len = 0;
9316
9317 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension"));
9318
9319 /* Check if we have space for header and length field:
9320 * - extension_type (2 bytes)
9321 * - extension_data_length (2 bytes)
9322 * - supported_signature_algorithms_length (2 bytes)
9323 */
9324 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
9325 p += 6;
9326
9327 /*
9328 * Write supported_signature_algorithms
9329 */
9330 supported_sig_alg = p;
9331 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
9332 if (sig_alg == NULL) {
9333 return MBEDTLS_ERR_SSL_BAD_CONFIG;
9334 }
9335
9336 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
9337 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s",
9338 *sig_alg,
9339 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9340 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
9341 continue;
9342 }
9343 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
9344 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
9345 p += 2;
9346 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s",
9347 *sig_alg,
9348 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9349 }
9350
9351 /* Length of supported_signature_algorithms */
9352 supported_sig_alg_len = (size_t) (p - supported_sig_alg);
9353 if (supported_sig_alg_len == 0) {
9354 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
9355 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
9356 }
9357
9358 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0);
9359 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
9360 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
9361
9362 *out_len = (size_t) (p - buf);
9363
9364 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9365 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
9366 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
9367
9368 return 0;
9369 }
9370 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
9371
9372 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9373 /*
9374 * mbedtls_ssl_parse_server_name_ext
9375 *
9376 * Structure of server_name extension:
9377 *
9378 * enum {
9379 * host_name(0), (255)
9380 * } NameType;
9381 * opaque HostName<1..2^16-1>;
9382 *
9383 * struct {
9384 * NameType name_type;
9385 * select (name_type) {
9386 * case host_name: HostName;
9387 * } name;
9388 * } ServerName;
9389 * struct {
9390 * ServerName server_name_list<1..2^16-1>
9391 * } ServerNameList;
9392 */
9393 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9394 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
9395 const unsigned char *buf,
9396 const unsigned char *end)
9397 {
9398 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
9399 const unsigned char *p = buf;
9400 size_t server_name_list_len, hostname_len;
9401 const unsigned char *server_name_list_end;
9402
9403 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
9404
9405 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
9406 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9407 p += 2;
9408
9409 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len);
9410 server_name_list_end = p + server_name_list_len;
9411 while (p < server_name_list_end) {
9412 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3);
9413 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1);
9414 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end,
9415 hostname_len + 3);
9416
9417 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
9418 /* sni_name is intended to be used only during the parsing of the
9419 * ClientHello message (it is reset to NULL before the end of
9420 * the message parsing). Thus it is ok to just point to the
9421 * reception buffer and not make a copy of it.
9422 */
9423 ssl->handshake->sni_name = p + 3;
9424 ssl->handshake->sni_name_len = hostname_len;
9425 if (ssl->conf->f_sni == NULL) {
9426 return 0;
9427 }
9428 ret = ssl->conf->f_sni(ssl->conf->p_sni,
9429 ssl, p + 3, hostname_len);
9430 if (ret != 0) {
9431 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
9432 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
9433 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME);
9434 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME;
9435 }
9436 return 0;
9437 }
9438
9439 p += hostname_len + 3;
9440 }
9441
9442 return 0;
9443 }
9444 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
9445
9446 #if defined(MBEDTLS_SSL_ALPN)
9447 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9448 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
9449 const unsigned char *buf,
9450 const unsigned char *end)
9451 {
9452 const unsigned char *p = buf;
9453 size_t protocol_name_list_len;
9454 const unsigned char *protocol_name_list;
9455 const unsigned char *protocol_name_list_end;
9456 size_t protocol_name_len;
9457
9458 /* If ALPN not configured, just ignore the extension */
9459 if (ssl->conf->alpn_list == NULL) {
9460 return 0;
9461 }
9462
9463 /*
9464 * RFC7301, section 3.1
9465 * opaque ProtocolName<1..2^8-1>;
9466 *
9467 * struct {
9468 * ProtocolName protocol_name_list<2..2^16-1>
9469 * } ProtocolNameList;
9470 */
9471
9472 /*
9473 * protocol_name_list_len 2 bytes
9474 * protocol_name_len 1 bytes
9475 * protocol_name >=1 byte
9476 */
9477 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
9478
9479 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9480 p += 2;
9481 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
9482 protocol_name_list = p;
9483 protocol_name_list_end = p + protocol_name_list_len;
9484
9485 /* Validate peer's list (lengths) */
9486 while (p < protocol_name_list_end) {
9487 protocol_name_len = *p++;
9488 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end,
9489 protocol_name_len);
9490 if (protocol_name_len == 0) {
9491 MBEDTLS_SSL_PEND_FATAL_ALERT(
9492 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
9493 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
9494 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
9495 }
9496
9497 p += protocol_name_len;
9498 }
9499
9500 /* Use our order of preference */
9501 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
9502 size_t const alpn_len = strlen(*alpn);
9503 p = protocol_name_list;
9504 while (p < protocol_name_list_end) {
9505 protocol_name_len = *p++;
9506 if (protocol_name_len == alpn_len &&
9507 memcmp(p, *alpn, alpn_len) == 0) {
9508 ssl->alpn_chosen = *alpn;
9509 return 0;
9510 }
9511
9512 p += protocol_name_len;
9513 }
9514 }
9515
9516 /* If we get here, no match was found */
9517 MBEDTLS_SSL_PEND_FATAL_ALERT(
9518 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
9519 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL);
9520 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL;
9521 }
9522
mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)9523 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
9524 unsigned char *buf,
9525 unsigned char *end,
9526 size_t *out_len)
9527 {
9528 unsigned char *p = buf;
9529 size_t protocol_name_len;
9530 *out_len = 0;
9531
9532 if (ssl->alpn_chosen == NULL) {
9533 return 0;
9534 }
9535
9536 protocol_name_len = strlen(ssl->alpn_chosen);
9537 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len);
9538
9539 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension"));
9540 /*
9541 * 0 . 1 ext identifier
9542 * 2 . 3 ext length
9543 * 4 . 5 protocol list length
9544 * 6 . 6 protocol name length
9545 * 7 . 7+n protocol name
9546 */
9547 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
9548
9549 *out_len = 7 + protocol_name_len;
9550
9551 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2);
9552 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4);
9553 /* Note: the length of the chosen protocol has been checked to be less
9554 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
9555 */
9556 p[6] = MBEDTLS_BYTE_0(protocol_name_len);
9557
9558 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len);
9559
9560 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9561 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
9562 #endif
9563
9564 return 0;
9565 }
9566 #endif /* MBEDTLS_SSL_ALPN */
9567
9568 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
9569 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
9570 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
9571 defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_session_set_hostname(mbedtls_ssl_session * session,const char * hostname)9572 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
9573 const char *hostname)
9574 {
9575 /* Initialize to suppress unnecessary compiler warning */
9576 size_t hostname_len = 0;
9577
9578 /* Check if new hostname is valid before
9579 * making any change to current one */
9580 if (hostname != NULL) {
9581 hostname_len = strlen(hostname);
9582
9583 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
9584 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9585 }
9586 }
9587
9588 /* Now it's clear that we will overwrite the old hostname,
9589 * so we can free it safely */
9590 if (session->hostname != NULL) {
9591 mbedtls_zeroize_and_free(session->hostname,
9592 strlen(session->hostname));
9593 }
9594
9595 /* Passing NULL as hostname shall clear the old one */
9596 if (hostname == NULL) {
9597 session->hostname = NULL;
9598 } else {
9599 session->hostname = mbedtls_calloc(1, hostname_len + 1);
9600 if (session->hostname == NULL) {
9601 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9602 }
9603
9604 memcpy(session->hostname, hostname, hostname_len);
9605 }
9606
9607 return 0;
9608 }
9609 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
9610 MBEDTLS_SSL_SESSION_TICKETS &&
9611 MBEDTLS_SSL_SERVER_NAME_INDICATION &&
9612 MBEDTLS_SSL_CLI_C */
9613
9614 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
9615 defined(MBEDTLS_SSL_ALPN)
mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session * session,const char * alpn)9616 int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
9617 const char *alpn)
9618 {
9619 size_t alpn_len = 0;
9620
9621 if (alpn != NULL) {
9622 alpn_len = strlen(alpn);
9623
9624 if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) {
9625 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9626 }
9627 }
9628
9629 if (session->ticket_alpn != NULL) {
9630 mbedtls_zeroize_and_free(session->ticket_alpn,
9631 strlen(session->ticket_alpn));
9632 session->ticket_alpn = NULL;
9633 }
9634
9635 if (alpn != NULL) {
9636 session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1);
9637 if (session->ticket_alpn == NULL) {
9638 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9639 }
9640 memcpy(session->ticket_alpn, alpn, alpn_len);
9641 }
9642
9643 return 0;
9644 }
9645 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
9646
9647 /*
9648 * The following functions are used by 1.2 and 1.3, client and server.
9649 */
9650 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt * cert,const mbedtls_ssl_ciphersuite_t * ciphersuite,int recv_endpoint,mbedtls_ssl_protocol_version tls_version,uint32_t * flags)9651 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
9652 const mbedtls_ssl_ciphersuite_t *ciphersuite,
9653 int recv_endpoint,
9654 mbedtls_ssl_protocol_version tls_version,
9655 uint32_t *flags)
9656 {
9657 int ret = 0;
9658 unsigned int usage = 0;
9659 const char *ext_oid;
9660 size_t ext_len;
9661
9662 /*
9663 * keyUsage
9664 */
9665
9666 /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants
9667 * to check what a compliant client will think while choosing which cert
9668 * to send to the client. */
9669 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
9670 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
9671 recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
9672 /* TLS 1.2 server part of the key exchange */
9673 switch (ciphersuite->key_exchange) {
9674 case MBEDTLS_KEY_EXCHANGE_RSA:
9675 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
9676 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
9677 break;
9678
9679 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
9680 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
9681 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
9682 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9683 break;
9684
9685 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
9686 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
9687 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
9688 break;
9689
9690 /* Don't use default: we want warnings when adding new values */
9691 case MBEDTLS_KEY_EXCHANGE_NONE:
9692 case MBEDTLS_KEY_EXCHANGE_PSK:
9693 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
9694 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
9695 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
9696 usage = 0;
9697 }
9698 } else
9699 #endif
9700 {
9701 /* This is either TLS 1.3 authentication, which always uses signatures,
9702 * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only
9703 * options we implement, both using signatures. */
9704 (void) tls_version;
9705 (void) ciphersuite;
9706 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9707 }
9708
9709 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
9710 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
9711 ret = -1;
9712 }
9713
9714 /*
9715 * extKeyUsage
9716 */
9717
9718 if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
9719 ext_oid = MBEDTLS_OID_SERVER_AUTH;
9720 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
9721 } else {
9722 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
9723 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
9724 }
9725
9726 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
9727 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
9728 ret = -1;
9729 }
9730
9731 return ret;
9732 }
9733
mbedtls_ssl_verify_certificate(mbedtls_ssl_context * ssl,int authmode,mbedtls_x509_crt * chain,const mbedtls_ssl_ciphersuite_t * ciphersuite_info,void * rs_ctx)9734 int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
9735 int authmode,
9736 mbedtls_x509_crt *chain,
9737 const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
9738 void *rs_ctx)
9739 {
9740 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
9741 return 0;
9742 }
9743
9744 /*
9745 * Primary check: use the appropriate X.509 verification function
9746 */
9747 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
9748 void *p_vrfy;
9749 if (ssl->f_vrfy != NULL) {
9750 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
9751 f_vrfy = ssl->f_vrfy;
9752 p_vrfy = ssl->p_vrfy;
9753 } else {
9754 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
9755 f_vrfy = ssl->conf->f_vrfy;
9756 p_vrfy = ssl->conf->p_vrfy;
9757 }
9758
9759 int ret = 0;
9760 int have_ca_chain_or_callback = 0;
9761 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
9762 if (ssl->conf->f_ca_cb != NULL) {
9763 ((void) rs_ctx);
9764 have_ca_chain_or_callback = 1;
9765
9766 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
9767 ret = mbedtls_x509_crt_verify_with_ca_cb(
9768 chain,
9769 ssl->conf->f_ca_cb,
9770 ssl->conf->p_ca_cb,
9771 ssl->conf->cert_profile,
9772 ssl->hostname,
9773 &ssl->session_negotiate->verify_result,
9774 f_vrfy, p_vrfy);
9775 } else
9776 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
9777 {
9778 mbedtls_x509_crt *ca_chain;
9779 mbedtls_x509_crl *ca_crl;
9780 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9781 if (ssl->handshake->sni_ca_chain != NULL) {
9782 ca_chain = ssl->handshake->sni_ca_chain;
9783 ca_crl = ssl->handshake->sni_ca_crl;
9784 } else
9785 #endif
9786 {
9787 ca_chain = ssl->conf->ca_chain;
9788 ca_crl = ssl->conf->ca_crl;
9789 }
9790
9791 if (ca_chain != NULL) {
9792 have_ca_chain_or_callback = 1;
9793 }
9794
9795 ret = mbedtls_x509_crt_verify_restartable(
9796 chain,
9797 ca_chain, ca_crl,
9798 ssl->conf->cert_profile,
9799 ssl->hostname,
9800 &ssl->session_negotiate->verify_result,
9801 f_vrfy, p_vrfy, rs_ctx);
9802 }
9803
9804 if (ret != 0) {
9805 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
9806 }
9807
9808 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
9809 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
9810 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
9811 }
9812 #endif
9813
9814 /*
9815 * Secondary checks: always done, but change 'ret' only if it was 0
9816 */
9817
9818 /* With TLS 1.2 and ECC certs, check that the curve used by the
9819 * certificate is on our list of acceptable curves.
9820 *
9821 * With TLS 1.3 this is not needed because the curve is part of the
9822 * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when
9823 * we validate the signature made with the key associated to this cert.
9824 */
9825 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
9826 defined(MBEDTLS_PK_HAVE_ECC_KEYS)
9827 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
9828 mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) {
9829 if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) {
9830 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
9831 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
9832 if (ret == 0) {
9833 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
9834 }
9835 }
9836 }
9837 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_PK_HAVE_ECC_KEYS */
9838
9839 /* Check X.509 usage extensions (keyUsage, extKeyUsage) */
9840 if (mbedtls_ssl_check_cert_usage(chain,
9841 ciphersuite_info,
9842 ssl->conf->endpoint,
9843 ssl->tls_version,
9844 &ssl->session_negotiate->verify_result) != 0) {
9845 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
9846 if (ret == 0) {
9847 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
9848 }
9849 }
9850
9851 /* With authmode optional, we want to keep going if the certificate was
9852 * unacceptable, but still fail on other errors (out of memory etc),
9853 * including fatal errors from the f_vrfy callback.
9854 *
9855 * The only acceptable errors are:
9856 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check;
9857 * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks.
9858 * Anything else is a fatal error. */
9859 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
9860 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
9861 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
9862 ret = 0;
9863 }
9864
9865 /* Return a specific error as this is a user error: inconsistent
9866 * configuration - can't verify without trust anchors. */
9867 if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
9868 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
9869 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
9870 }
9871
9872 if (ret != 0) {
9873 uint8_t alert;
9874
9875 /* The certificate may have been rejected for several reasons.
9876 Pick one and send the corresponding alert. Which alert to send
9877 may be a subject of debate in some cases. */
9878 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
9879 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
9880 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
9881 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
9882 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
9883 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9884 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
9885 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9886 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
9887 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9888 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
9889 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9890 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
9891 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
9892 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
9893 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
9894 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
9895 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
9896 } else {
9897 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
9898 }
9899 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9900 alert);
9901 }
9902
9903 #if defined(MBEDTLS_DEBUG_C)
9904 if (ssl->session_negotiate->verify_result != 0) {
9905 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
9906 (unsigned int) ssl->session_negotiate->verify_result));
9907 } else {
9908 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
9909 }
9910 #endif /* MBEDTLS_DEBUG_C */
9911
9912 return ret;
9913 }
9914 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
9915
9916 #endif /* MBEDTLS_SSL_TLS_C */
9917