1 /*
2 * TLS shared functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * http://www.ietf.org/rfc/rfc2246.txt
9 * http://www.ietf.org/rfc/rfc4346.txt
10 */
11
12 #include "common.h"
13
14 #if defined(MBEDTLS_SSL_TLS_C)
15
16 #include "mbedtls/platform.h"
17
18 #include "mbedtls/ssl.h"
19 #include "ssl_client.h"
20 #include "ssl_debug_helpers.h"
21 #include "ssl_misc.h"
22
23 #include "debug_internal.h"
24 #include "mbedtls/error.h"
25 #include "mbedtls/platform_util.h"
26 #include "mbedtls/version.h"
27 #include "mbedtls/constant_time.h"
28
29 #include <string.h>
30
31 #if defined(MBEDTLS_USE_PSA_CRYPTO)
32 #include "mbedtls/psa_util.h"
33 #include "md_psa.h"
34 #include "psa_util_internal.h"
35 #include "psa/crypto.h"
36 #endif
37
38 #if defined(MBEDTLS_X509_CRT_PARSE_C)
39 #include "mbedtls/oid.h"
40 #endif
41
42 #if defined(MBEDTLS_USE_PSA_CRYPTO)
43 /* Define local translating functions to save code size by not using too many
44 * arguments in each translating place. */
local_err_translation(psa_status_t status)45 static int local_err_translation(psa_status_t status)
46 {
47 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
48 ARRAY_LENGTH(psa_to_ssl_errors),
49 psa_generic_status_to_mbedtls);
50 }
51 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
52 #endif
53
54 #if defined(MBEDTLS_TEST_HOOKS)
55 static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
56
mbedtls_ssl_set_chk_buf_ptr_fail_args(const uint8_t * cur,const uint8_t * end,size_t need)57 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
58 const uint8_t *cur, const uint8_t *end, size_t need)
59 {
60 chk_buf_ptr_fail_args.cur = cur;
61 chk_buf_ptr_fail_args.end = end;
62 chk_buf_ptr_fail_args.need = need;
63 }
64
mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)65 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
66 {
67 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
68 }
69
mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args * args)70 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
71 {
72 return (chk_buf_ptr_fail_args.cur != args->cur) ||
73 (chk_buf_ptr_fail_args.end != args->end) ||
74 (chk_buf_ptr_fail_args.need != args->need);
75 }
76 #endif /* MBEDTLS_TEST_HOOKS */
77
78 #if defined(MBEDTLS_SSL_PROTO_DTLS)
79
80 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
81 /* Top-level Connection ID API */
82
mbedtls_ssl_conf_cid(mbedtls_ssl_config * conf,size_t len,int ignore_other_cid)83 int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
84 size_t len,
85 int ignore_other_cid)
86 {
87 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
88 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
89 }
90
91 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
92 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
93 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
94 }
95
96 conf->ignore_unexpected_cid = ignore_other_cid;
97 conf->cid_len = len;
98 return 0;
99 }
100
mbedtls_ssl_set_cid(mbedtls_ssl_context * ssl,int enable,unsigned char const * own_cid,size_t own_cid_len)101 int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
102 int enable,
103 unsigned char const *own_cid,
104 size_t own_cid_len)
105 {
106 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
107 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
108 }
109
110 ssl->negotiate_cid = enable;
111 if (enable == MBEDTLS_SSL_CID_DISABLED) {
112 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
113 return 0;
114 }
115 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
116 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
117
118 if (own_cid_len != ssl->conf->cid_len) {
119 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
120 (unsigned) own_cid_len,
121 (unsigned) ssl->conf->cid_len));
122 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
123 }
124
125 memcpy(ssl->own_cid, own_cid, own_cid_len);
126 /* Truncation is not an issue here because
127 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
128 ssl->own_cid_len = (uint8_t) own_cid_len;
129
130 return 0;
131 }
132
mbedtls_ssl_get_own_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],size_t * own_cid_len)133 int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
134 int *enabled,
135 unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
136 size_t *own_cid_len)
137 {
138 *enabled = MBEDTLS_SSL_CID_DISABLED;
139
140 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
141 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
142 }
143
144 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
145 * zero as this is indistinguishable from not requesting to use
146 * the CID extension. */
147 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
148 return 0;
149 }
150
151 if (own_cid_len != NULL) {
152 *own_cid_len = ssl->own_cid_len;
153 if (own_cid != NULL) {
154 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
155 }
156 }
157
158 *enabled = MBEDTLS_SSL_CID_ENABLED;
159
160 return 0;
161 }
162
mbedtls_ssl_get_peer_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],size_t * peer_cid_len)163 int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
164 int *enabled,
165 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
166 size_t *peer_cid_len)
167 {
168 *enabled = MBEDTLS_SSL_CID_DISABLED;
169
170 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
171 mbedtls_ssl_is_handshake_over(ssl) == 0) {
172 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
173 }
174
175 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
176 * were used, but client and server requested the empty CID.
177 * This is indistinguishable from not using the CID extension
178 * in the first place. */
179 if (ssl->transform_in->in_cid_len == 0 &&
180 ssl->transform_in->out_cid_len == 0) {
181 return 0;
182 }
183
184 if (peer_cid_len != NULL) {
185 *peer_cid_len = ssl->transform_in->out_cid_len;
186 if (peer_cid != NULL) {
187 memcpy(peer_cid, ssl->transform_in->out_cid,
188 ssl->transform_in->out_cid_len);
189 }
190 }
191
192 *enabled = MBEDTLS_SSL_CID_ENABLED;
193
194 return 0;
195 }
196 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
197
198 #endif /* MBEDTLS_SSL_PROTO_DTLS */
199
200 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
201 /*
202 * Convert max_fragment_length codes to length.
203 * RFC 6066 says:
204 * enum{
205 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
206 * } MaxFragmentLength;
207 * and we add 0 -> extension unused
208 */
ssl_mfl_code_to_length(int mfl)209 static unsigned int ssl_mfl_code_to_length(int mfl)
210 {
211 switch (mfl) {
212 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
213 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
214 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
215 return 512;
216 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
217 return 1024;
218 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
219 return 2048;
220 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
221 return 4096;
222 default:
223 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
224 }
225 }
226 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
227
mbedtls_ssl_session_copy(mbedtls_ssl_session * dst,const mbedtls_ssl_session * src)228 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
229 const mbedtls_ssl_session *src)
230 {
231 mbedtls_ssl_session_free(dst);
232 memcpy(dst, src, sizeof(mbedtls_ssl_session));
233 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
234 dst->ticket = NULL;
235 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
236 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
237 dst->hostname = NULL;
238 #endif
239 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
240
241 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
242 defined(MBEDTLS_SSL_EARLY_DATA)
243 dst->ticket_alpn = NULL;
244 #endif
245
246 #if defined(MBEDTLS_X509_CRT_PARSE_C)
247
248 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
249 if (src->peer_cert != NULL) {
250 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
251
252 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
253 if (dst->peer_cert == NULL) {
254 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
255 }
256
257 mbedtls_x509_crt_init(dst->peer_cert);
258
259 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
260 src->peer_cert->raw.len)) != 0) {
261 mbedtls_free(dst->peer_cert);
262 dst->peer_cert = NULL;
263 return ret;
264 }
265 }
266 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
267 if (src->peer_cert_digest != NULL) {
268 dst->peer_cert_digest =
269 mbedtls_calloc(1, src->peer_cert_digest_len);
270 if (dst->peer_cert_digest == NULL) {
271 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
272 }
273
274 memcpy(dst->peer_cert_digest, src->peer_cert_digest,
275 src->peer_cert_digest_len);
276 dst->peer_cert_digest_type = src->peer_cert_digest_type;
277 dst->peer_cert_digest_len = src->peer_cert_digest_len;
278 }
279 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
280
281 #endif /* MBEDTLS_X509_CRT_PARSE_C */
282
283 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
284 defined(MBEDTLS_SSL_EARLY_DATA)
285 {
286 int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
287 if (ret != 0) {
288 return ret;
289 }
290 }
291 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */
292
293 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
294 if (src->ticket != NULL) {
295 dst->ticket = mbedtls_calloc(1, src->ticket_len);
296 if (dst->ticket == NULL) {
297 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
298 }
299
300 memcpy(dst->ticket, src->ticket, src->ticket_len);
301 }
302
303 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
304 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
305 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
306 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
307 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
308 if (ret != 0) {
309 return ret;
310 }
311 }
312 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
313 MBEDTLS_SSL_SERVER_NAME_INDICATION */
314 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
315
316 return 0;
317 }
318
319 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
320 MBEDTLS_CHECK_RETURN_CRITICAL
resize_buffer(unsigned char ** buffer,size_t len_new,size_t * len_old)321 static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
322 {
323 unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
324 if (resized_buffer == NULL) {
325 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
326 }
327
328 /* We want to copy len_new bytes when downsizing the buffer, and
329 * len_old bytes when upsizing, so we choose the smaller of two sizes,
330 * to fit one buffer into another. Size checks, ensuring that no data is
331 * lost, are done outside of this function. */
332 memcpy(resized_buffer, *buffer,
333 (len_new < *len_old) ? len_new : *len_old);
334 mbedtls_zeroize_and_free(*buffer, *len_old);
335
336 *buffer = resized_buffer;
337 *len_old = len_new;
338
339 return 0;
340 }
341
handle_buffer_resizing(mbedtls_ssl_context * ssl,int downsizing,size_t in_buf_new_len,size_t out_buf_new_len)342 static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
343 size_t in_buf_new_len,
344 size_t out_buf_new_len)
345 {
346 int modified = 0;
347 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
348 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
349 if (ssl->in_buf != NULL) {
350 written_in = ssl->in_msg - ssl->in_buf;
351 iv_offset_in = ssl->in_iv - ssl->in_buf;
352 len_offset_in = ssl->in_len - ssl->in_buf;
353 if (downsizing ?
354 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
355 ssl->in_buf_len < in_buf_new_len) {
356 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
357 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
358 } else {
359 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
360 in_buf_new_len));
361 modified = 1;
362 }
363 }
364 }
365
366 if (ssl->out_buf != NULL) {
367 written_out = ssl->out_msg - ssl->out_buf;
368 iv_offset_out = ssl->out_iv - ssl->out_buf;
369 len_offset_out = ssl->out_len - ssl->out_buf;
370 if (downsizing ?
371 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
372 ssl->out_buf_len < out_buf_new_len) {
373 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
374 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
375 } else {
376 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
377 out_buf_new_len));
378 modified = 1;
379 }
380 }
381 }
382 if (modified) {
383 /* Update pointers here to avoid doing it twice. */
384 mbedtls_ssl_reset_in_out_pointers(ssl);
385 /* Fields below might not be properly updated with record
386 * splitting or with CID, so they are manually updated here. */
387 ssl->out_msg = ssl->out_buf + written_out;
388 ssl->out_len = ssl->out_buf + len_offset_out;
389 ssl->out_iv = ssl->out_buf + iv_offset_out;
390
391 ssl->in_msg = ssl->in_buf + written_in;
392 ssl->in_len = ssl->in_buf + len_offset_in;
393 ssl->in_iv = ssl->in_buf + iv_offset_in;
394 }
395 }
396 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
397
398 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
399
400 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
401 typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
402 const char *label,
403 const unsigned char *random, size_t rlen,
404 unsigned char *dstbuf, size_t dlen);
405
406 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
407
408 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
409
410 /* Type for the TLS PRF */
411 typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
412 const unsigned char *, size_t,
413 unsigned char *, size_t);
414
415 MBEDTLS_CHECK_RETURN_CRITICAL
416 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
417 int ciphersuite,
418 const unsigned char master[48],
419 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
420 int encrypt_then_mac,
421 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
422 ssl_tls_prf_t tls_prf,
423 const unsigned char randbytes[64],
424 mbedtls_ssl_protocol_version tls_version,
425 unsigned endpoint,
426 const mbedtls_ssl_context *ssl);
427
428 #if defined(MBEDTLS_MD_CAN_SHA256)
429 MBEDTLS_CHECK_RETURN_CRITICAL
430 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
431 const char *label,
432 const unsigned char *random, size_t rlen,
433 unsigned char *dstbuf, size_t dlen);
434 static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
435 static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
436
437 #endif /* MBEDTLS_MD_CAN_SHA256*/
438
439 #if defined(MBEDTLS_MD_CAN_SHA384)
440 MBEDTLS_CHECK_RETURN_CRITICAL
441 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
442 const char *label,
443 const unsigned char *random, size_t rlen,
444 unsigned char *dstbuf, size_t dlen);
445
446 static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
447 static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
448 #endif /* MBEDTLS_MD_CAN_SHA384*/
449
450 MBEDTLS_CHECK_RETURN_CRITICAL
451 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
452 const unsigned char *buf,
453 size_t len);
454 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
455
456 static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
457
458 #if defined(MBEDTLS_MD_CAN_SHA256)
459 static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
460 #endif /* MBEDTLS_MD_CAN_SHA256*/
461
462 #if defined(MBEDTLS_MD_CAN_SHA384)
463 static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
464 #endif /* MBEDTLS_MD_CAN_SHA384*/
465
mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)466 int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
467 const unsigned char *secret, size_t slen,
468 const char *label,
469 const unsigned char *random, size_t rlen,
470 unsigned char *dstbuf, size_t dlen)
471 {
472 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
473
474 switch (prf) {
475 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
476 #if defined(MBEDTLS_MD_CAN_SHA384)
477 case MBEDTLS_SSL_TLS_PRF_SHA384:
478 tls_prf = tls_prf_sha384;
479 break;
480 #endif /* MBEDTLS_MD_CAN_SHA384*/
481 #if defined(MBEDTLS_MD_CAN_SHA256)
482 case MBEDTLS_SSL_TLS_PRF_SHA256:
483 tls_prf = tls_prf_sha256;
484 break;
485 #endif /* MBEDTLS_MD_CAN_SHA256*/
486 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
487 default:
488 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
489 }
490
491 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
492 }
493
494 #if defined(MBEDTLS_X509_CRT_PARSE_C)
ssl_clear_peer_cert(mbedtls_ssl_session * session)495 static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
496 {
497 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
498 if (session->peer_cert != NULL) {
499 mbedtls_x509_crt_free(session->peer_cert);
500 mbedtls_free(session->peer_cert);
501 session->peer_cert = NULL;
502 }
503 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
504 if (session->peer_cert_digest != NULL) {
505 /* Zeroization is not necessary. */
506 mbedtls_free(session->peer_cert_digest);
507 session->peer_cert_digest = NULL;
508 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
509 session->peer_cert_digest_len = 0;
510 }
511 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
512 }
513 #endif /* MBEDTLS_X509_CRT_PARSE_C */
514
mbedtls_ssl_get_extension_id(unsigned int extension_type)515 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
516 {
517 switch (extension_type) {
518 case MBEDTLS_TLS_EXT_SERVERNAME:
519 return MBEDTLS_SSL_EXT_ID_SERVERNAME;
520
521 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
522 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH;
523
524 case MBEDTLS_TLS_EXT_STATUS_REQUEST:
525 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST;
526
527 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
528 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS;
529
530 case MBEDTLS_TLS_EXT_SIG_ALG:
531 return MBEDTLS_SSL_EXT_ID_SIG_ALG;
532
533 case MBEDTLS_TLS_EXT_USE_SRTP:
534 return MBEDTLS_SSL_EXT_ID_USE_SRTP;
535
536 case MBEDTLS_TLS_EXT_HEARTBEAT:
537 return MBEDTLS_SSL_EXT_ID_HEARTBEAT;
538
539 case MBEDTLS_TLS_EXT_ALPN:
540 return MBEDTLS_SSL_EXT_ID_ALPN;
541
542 case MBEDTLS_TLS_EXT_SCT:
543 return MBEDTLS_SSL_EXT_ID_SCT;
544
545 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
546 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE;
547
548 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
549 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE;
550
551 case MBEDTLS_TLS_EXT_PADDING:
552 return MBEDTLS_SSL_EXT_ID_PADDING;
553
554 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
555 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY;
556
557 case MBEDTLS_TLS_EXT_EARLY_DATA:
558 return MBEDTLS_SSL_EXT_ID_EARLY_DATA;
559
560 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
561 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS;
562
563 case MBEDTLS_TLS_EXT_COOKIE:
564 return MBEDTLS_SSL_EXT_ID_COOKIE;
565
566 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
567 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES;
568
569 case MBEDTLS_TLS_EXT_CERT_AUTH:
570 return MBEDTLS_SSL_EXT_ID_CERT_AUTH;
571
572 case MBEDTLS_TLS_EXT_OID_FILTERS:
573 return MBEDTLS_SSL_EXT_ID_OID_FILTERS;
574
575 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
576 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH;
577
578 case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
579 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT;
580
581 case MBEDTLS_TLS_EXT_KEY_SHARE:
582 return MBEDTLS_SSL_EXT_ID_KEY_SHARE;
583
584 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
585 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC;
586
587 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
588 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS;
589
590 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
591 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC;
592
593 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
594 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET;
595
596 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
597 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT;
598
599 case MBEDTLS_TLS_EXT_SESSION_TICKET:
600 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET;
601
602 }
603
604 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
605 }
606
mbedtls_ssl_get_extension_mask(unsigned int extension_type)607 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
608 {
609 return 1 << mbedtls_ssl_get_extension_id(extension_type);
610 }
611
612 #if defined(MBEDTLS_DEBUG_C)
613 static const char *extension_name_table[] = {
614 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
615 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
616 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
617 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
618 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
619 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
620 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
621 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
622 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
623 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
624 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
625 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
626 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
627 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
628 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
629 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
630 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
631 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
632 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
633 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
634 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
635 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
636 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
637 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
638 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
639 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
640 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
641 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
642 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
643 };
644
645 static const unsigned int extension_type_table[] = {
646 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
647 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
648 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
649 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
650 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
651 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
652 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
653 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
654 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
655 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
656 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
657 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
658 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
659 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
660 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
661 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
662 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
663 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
664 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
665 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
666 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
667 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
668 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
669 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
670 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
671 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
672 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
673 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
674 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
675 };
676
mbedtls_ssl_get_extension_name(unsigned int extension_type)677 const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
678 {
679 return extension_name_table[
680 mbedtls_ssl_get_extension_id(extension_type)];
681 }
682
ssl_tls13_get_hs_msg_name(int hs_msg_type)683 static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
684 {
685 switch (hs_msg_type) {
686 case MBEDTLS_SSL_HS_CLIENT_HELLO:
687 return "ClientHello";
688 case MBEDTLS_SSL_HS_SERVER_HELLO:
689 return "ServerHello";
690 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
691 return "HelloRetryRequest";
692 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
693 return "NewSessionTicket";
694 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
695 return "EncryptedExtensions";
696 case MBEDTLS_SSL_HS_CERTIFICATE:
697 return "Certificate";
698 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
699 return "CertificateRequest";
700 }
701 return "Unknown";
702 }
703
mbedtls_ssl_print_extension(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,unsigned int extension_type,const char * extra_msg0,const char * extra_msg1)704 void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
705 int level, const char *file, int line,
706 int hs_msg_type, unsigned int extension_type,
707 const char *extra_msg0, const char *extra_msg1)
708 {
709 const char *extra_msg;
710 if (extra_msg0 && extra_msg1) {
711 mbedtls_debug_print_msg(
712 ssl, level, file, line,
713 "%s: %s(%u) extension %s %s.",
714 ssl_tls13_get_hs_msg_name(hs_msg_type),
715 mbedtls_ssl_get_extension_name(extension_type),
716 extension_type,
717 extra_msg0, extra_msg1);
718 return;
719 }
720
721 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
722 if (extra_msg) {
723 mbedtls_debug_print_msg(
724 ssl, level, file, line,
725 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
726 mbedtls_ssl_get_extension_name(extension_type), extension_type,
727 extra_msg);
728 return;
729 }
730
731 mbedtls_debug_print_msg(
732 ssl, level, file, line,
733 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
734 mbedtls_ssl_get_extension_name(extension_type), extension_type);
735 }
736
mbedtls_ssl_print_extensions(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,uint32_t extensions_mask,const char * extra)737 void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
738 int level, const char *file, int line,
739 int hs_msg_type, uint32_t extensions_mask,
740 const char *extra)
741 {
742
743 for (unsigned i = 0;
744 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
745 i++) {
746 mbedtls_ssl_print_extension(
747 ssl, level, file, line, hs_msg_type, extension_type_table[i],
748 extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
749 }
750 }
751
752 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
753 static const char *ticket_flag_name_table[] =
754 {
755 [0] = "ALLOW_PSK_RESUMPTION",
756 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
757 [3] = "ALLOW_EARLY_DATA",
758 };
759
mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context * ssl,int level,const char * file,int line,unsigned int flags)760 void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
761 int level, const char *file, int line,
762 unsigned int flags)
763 {
764 size_t i;
765
766 mbedtls_debug_print_msg(ssl, level, file, line,
767 "print ticket_flags (0x%02x)", flags);
768
769 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
770
771 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
772 if ((flags & (1 << i))) {
773 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
774 ticket_flag_name_table[i]);
775 }
776 }
777 }
778 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
779
780 #endif /* MBEDTLS_DEBUG_C */
781
mbedtls_ssl_optimize_checksum(mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * ciphersuite_info)782 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
783 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
784 {
785 ((void) ciphersuite_info);
786
787 #if defined(MBEDTLS_MD_CAN_SHA384)
788 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
789 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
790 } else
791 #endif
792 #if defined(MBEDTLS_MD_CAN_SHA256)
793 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
794 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
795 } else
796 #endif
797 {
798 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
799 return;
800 }
801 }
802
mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,size_t total_hs_len)803 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
804 unsigned hs_type,
805 size_t total_hs_len)
806 {
807 unsigned char hs_hdr[4];
808
809 /* Build HS header for checksum update. */
810 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
811 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
812 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
813 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
814
815 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
816 }
817
mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,unsigned char const * msg,size_t msg_len)818 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
819 unsigned hs_type,
820 unsigned char const *msg,
821 size_t msg_len)
822 {
823 int ret;
824 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
825 if (ret != 0) {
826 return ret;
827 }
828 return ssl->handshake->update_checksum(ssl, msg, msg_len);
829 }
830
mbedtls_ssl_reset_checksum(mbedtls_ssl_context * ssl)831 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
832 {
833 #if defined(MBEDTLS_MD_CAN_SHA256) || \
834 defined(MBEDTLS_MD_CAN_SHA384)
835 #if defined(MBEDTLS_USE_PSA_CRYPTO)
836 psa_status_t status;
837 #else
838 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
839 #endif
840 #else /* SHA-256 or SHA-384 */
841 ((void) ssl);
842 #endif /* SHA-256 or SHA-384 */
843 #if defined(MBEDTLS_MD_CAN_SHA256)
844 #if defined(MBEDTLS_USE_PSA_CRYPTO)
845 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
846 if (status != PSA_SUCCESS) {
847 return mbedtls_md_error_from_psa(status);
848 }
849 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
850 if (status != PSA_SUCCESS) {
851 return mbedtls_md_error_from_psa(status);
852 }
853 #else
854 mbedtls_md_free(&ssl->handshake->fin_sha256);
855 mbedtls_md_init(&ssl->handshake->fin_sha256);
856 ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
857 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
858 0);
859 if (ret != 0) {
860 return ret;
861 }
862 ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
863 if (ret != 0) {
864 return ret;
865 }
866 #endif
867 #endif
868 #if defined(MBEDTLS_MD_CAN_SHA384)
869 #if defined(MBEDTLS_USE_PSA_CRYPTO)
870 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
871 if (status != PSA_SUCCESS) {
872 return mbedtls_md_error_from_psa(status);
873 }
874 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
875 if (status != PSA_SUCCESS) {
876 return mbedtls_md_error_from_psa(status);
877 }
878 #else
879 mbedtls_md_free(&ssl->handshake->fin_sha384);
880 mbedtls_md_init(&ssl->handshake->fin_sha384);
881 ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
882 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
883 if (ret != 0) {
884 return ret;
885 }
886 ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
887 if (ret != 0) {
888 return ret;
889 }
890 #endif
891 #endif
892 return 0;
893 }
894
ssl_update_checksum_start(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)895 static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
896 const unsigned char *buf, size_t len)
897 {
898 #if defined(MBEDTLS_MD_CAN_SHA256) || \
899 defined(MBEDTLS_MD_CAN_SHA384)
900 #if defined(MBEDTLS_USE_PSA_CRYPTO)
901 psa_status_t status;
902 #else
903 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
904 #endif
905 #else /* SHA-256 or SHA-384 */
906 ((void) ssl);
907 (void) buf;
908 (void) len;
909 #endif /* SHA-256 or SHA-384 */
910 #if defined(MBEDTLS_MD_CAN_SHA256)
911 #if defined(MBEDTLS_USE_PSA_CRYPTO)
912 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
913 if (status != PSA_SUCCESS) {
914 return mbedtls_md_error_from_psa(status);
915 }
916 #else
917 ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
918 if (ret != 0) {
919 return ret;
920 }
921 #endif
922 #endif
923 #if defined(MBEDTLS_MD_CAN_SHA384)
924 #if defined(MBEDTLS_USE_PSA_CRYPTO)
925 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
926 if (status != PSA_SUCCESS) {
927 return mbedtls_md_error_from_psa(status);
928 }
929 #else
930 ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
931 if (ret != 0) {
932 return ret;
933 }
934 #endif
935 #endif
936 return 0;
937 }
938
939 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_update_checksum_sha256(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)940 static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
941 const unsigned char *buf, size_t len)
942 {
943 #if defined(MBEDTLS_USE_PSA_CRYPTO)
944 return mbedtls_md_error_from_psa(psa_hash_update(
945 &ssl->handshake->fin_sha256_psa, buf, len));
946 #else
947 return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
948 #endif
949 }
950 #endif
951
952 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_update_checksum_sha384(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)953 static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
954 const unsigned char *buf, size_t len)
955 {
956 #if defined(MBEDTLS_USE_PSA_CRYPTO)
957 return mbedtls_md_error_from_psa(psa_hash_update(
958 &ssl->handshake->fin_sha384_psa, buf, len));
959 #else
960 return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
961 #endif
962 }
963 #endif
964
ssl_handshake_params_init(mbedtls_ssl_handshake_params * handshake)965 static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
966 {
967 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
968
969 #if defined(MBEDTLS_MD_CAN_SHA256)
970 #if defined(MBEDTLS_USE_PSA_CRYPTO)
971 handshake->fin_sha256_psa = psa_hash_operation_init();
972 #else
973 mbedtls_md_init(&handshake->fin_sha256);
974 #endif
975 #endif
976 #if defined(MBEDTLS_MD_CAN_SHA384)
977 #if defined(MBEDTLS_USE_PSA_CRYPTO)
978 handshake->fin_sha384_psa = psa_hash_operation_init();
979 #else
980 mbedtls_md_init(&handshake->fin_sha384);
981 #endif
982 #endif
983
984 handshake->update_checksum = ssl_update_checksum_start;
985
986 #if defined(MBEDTLS_DHM_C)
987 mbedtls_dhm_init(&handshake->dhm_ctx);
988 #endif
989 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
990 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
991 mbedtls_ecdh_init(&handshake->ecdh_ctx);
992 #endif
993 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
994 #if defined(MBEDTLS_USE_PSA_CRYPTO)
995 handshake->psa_pake_ctx = psa_pake_operation_init();
996 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
997 #else
998 mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
999 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1000 #if defined(MBEDTLS_SSL_CLI_C)
1001 handshake->ecjpake_cache = NULL;
1002 handshake->ecjpake_cache_len = 0;
1003 #endif
1004 #endif
1005
1006 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
1007 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
1008 #endif
1009
1010 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1011 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
1012 #endif
1013
1014 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1015 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1016 mbedtls_pk_init(&handshake->peer_pubkey);
1017 #endif
1018 }
1019
mbedtls_ssl_transform_init(mbedtls_ssl_transform * transform)1020 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
1021 {
1022 memset(transform, 0, sizeof(mbedtls_ssl_transform));
1023
1024 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1025 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
1026 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
1027 #else
1028 mbedtls_cipher_init(&transform->cipher_ctx_enc);
1029 mbedtls_cipher_init(&transform->cipher_ctx_dec);
1030 #endif
1031
1032 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1033 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1034 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
1035 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
1036 #else
1037 mbedtls_md_init(&transform->md_ctx_enc);
1038 mbedtls_md_init(&transform->md_ctx_dec);
1039 #endif
1040 #endif
1041 }
1042
mbedtls_ssl_session_init(mbedtls_ssl_session * session)1043 void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
1044 {
1045 memset(session, 0, sizeof(mbedtls_ssl_session));
1046 }
1047
1048 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_handshake_init(mbedtls_ssl_context * ssl)1049 static int ssl_handshake_init(mbedtls_ssl_context *ssl)
1050 {
1051 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1052
1053 /* Clear old handshake information if present */
1054 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1055 if (ssl->transform_negotiate) {
1056 mbedtls_ssl_transform_free(ssl->transform_negotiate);
1057 }
1058 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1059 if (ssl->session_negotiate) {
1060 mbedtls_ssl_session_free(ssl->session_negotiate);
1061 }
1062 if (ssl->handshake) {
1063 mbedtls_ssl_handshake_free(ssl);
1064 }
1065
1066 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1067 /*
1068 * Either the pointers are now NULL or cleared properly and can be freed.
1069 * Now allocate missing structures.
1070 */
1071 if (ssl->transform_negotiate == NULL) {
1072 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
1073 }
1074 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1075
1076 if (ssl->session_negotiate == NULL) {
1077 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
1078 }
1079
1080 if (ssl->handshake == NULL) {
1081 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
1082 }
1083 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1084 /* If the buffers are too small - reallocate */
1085
1086 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
1087 MBEDTLS_SSL_OUT_BUFFER_LEN);
1088 #endif
1089
1090 /* All pointers should exist and can be directly freed without issue */
1091 if (ssl->handshake == NULL ||
1092 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1093 ssl->transform_negotiate == NULL ||
1094 #endif
1095 ssl->session_negotiate == NULL) {
1096 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
1097
1098 mbedtls_free(ssl->handshake);
1099 ssl->handshake = NULL;
1100
1101 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1102 mbedtls_free(ssl->transform_negotiate);
1103 ssl->transform_negotiate = NULL;
1104 #endif
1105
1106 mbedtls_free(ssl->session_negotiate);
1107 ssl->session_negotiate = NULL;
1108
1109 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1110 }
1111
1112 #if defined(MBEDTLS_SSL_EARLY_DATA)
1113 #if defined(MBEDTLS_SSL_CLI_C)
1114 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
1115 #endif
1116 #if defined(MBEDTLS_SSL_SRV_C)
1117 ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
1118 #endif
1119 ssl->total_early_data_size = 0;
1120 #endif /* MBEDTLS_SSL_EARLY_DATA */
1121
1122 /* Initialize structures */
1123 mbedtls_ssl_session_init(ssl->session_negotiate);
1124 ssl_handshake_params_init(ssl->handshake);
1125
1126 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1127 mbedtls_ssl_transform_init(ssl->transform_negotiate);
1128 #endif
1129
1130 /* Setup handshake checksums */
1131 ret = mbedtls_ssl_reset_checksum(ssl);
1132 if (ret != 0) {
1133 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1134 return ret;
1135 }
1136
1137 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
1138 defined(MBEDTLS_SSL_SRV_C) && \
1139 defined(MBEDTLS_SSL_SESSION_TICKETS)
1140 ssl->handshake->new_session_tickets_count =
1141 ssl->conf->new_session_tickets_count;
1142 #endif
1143
1144 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1145 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1146 ssl->handshake->alt_transform_out = ssl->transform_out;
1147
1148 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
1149 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
1150 } else {
1151 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
1152 }
1153
1154 mbedtls_ssl_set_timer(ssl, 0);
1155 }
1156 #endif
1157
1158 /*
1159 * curve_list is translated to IANA TLS group identifiers here because
1160 * mbedtls_ssl_conf_curves returns void and so can't return
1161 * any error codes.
1162 */
1163 #if defined(MBEDTLS_ECP_C)
1164 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1165 /* Heap allocate and translate curve_list from internal to IANA group ids */
1166 if (ssl->conf->curve_list != NULL) {
1167 size_t length;
1168 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
1169
1170 for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
1171 }
1172
1173 /* Leave room for zero termination */
1174 uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t));
1175 if (group_list == NULL) {
1176 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1177 }
1178
1179 for (size_t i = 0; i < length; i++) {
1180 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
1181 curve_list[i]);
1182 if (tls_id == 0) {
1183 mbedtls_free(group_list);
1184 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1185 }
1186 group_list[i] = tls_id;
1187 }
1188
1189 group_list[length] = 0;
1190
1191 ssl->handshake->group_list = group_list;
1192 ssl->handshake->group_list_heap_allocated = 1;
1193 } else {
1194 ssl->handshake->group_list = ssl->conf->group_list;
1195 ssl->handshake->group_list_heap_allocated = 0;
1196 }
1197 #endif /* MBEDTLS_DEPRECATED_REMOVED */
1198 #endif /* MBEDTLS_ECP_C */
1199
1200 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1201 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1202 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1203 /* Heap allocate and translate sig_hashes from internal hash identifiers to
1204 signature algorithms IANA identifiers. */
1205 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
1206 ssl->conf->sig_hashes != NULL) {
1207 const int *md;
1208 const int *sig_hashes = ssl->conf->sig_hashes;
1209 size_t sig_algs_len = 0;
1210 uint16_t *p;
1211
1212 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN
1213 <= (SIZE_MAX - (2 * sizeof(uint16_t))),
1214 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");
1215
1216 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1217 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
1218 continue;
1219 }
1220 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1221 sig_algs_len += sizeof(uint16_t);
1222 #endif
1223
1224 #if defined(MBEDTLS_RSA_C)
1225 sig_algs_len += sizeof(uint16_t);
1226 #endif
1227 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
1228 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1229 }
1230 }
1231
1232 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
1233 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1234 }
1235
1236 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
1237 sizeof(uint16_t));
1238 if (ssl->handshake->sig_algs == NULL) {
1239 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1240 }
1241
1242 p = (uint16_t *) ssl->handshake->sig_algs;
1243 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1244 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
1245 if (hash == MBEDTLS_SSL_HASH_NONE) {
1246 continue;
1247 }
1248 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1249 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
1250 p++;
1251 #endif
1252 #if defined(MBEDTLS_RSA_C)
1253 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
1254 p++;
1255 #endif
1256 }
1257 *p = MBEDTLS_TLS_SIG_NONE;
1258 ssl->handshake->sig_algs_heap_allocated = 1;
1259 } else
1260 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1261 {
1262 ssl->handshake->sig_algs_heap_allocated = 0;
1263 }
1264 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1265 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
1266 return 0;
1267 }
1268
1269 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1270 /* Dummy cookie callbacks for defaults */
1271 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_write_dummy(void * ctx,unsigned char ** p,unsigned char * end,const unsigned char * cli_id,size_t cli_id_len)1272 static int ssl_cookie_write_dummy(void *ctx,
1273 unsigned char **p, unsigned char *end,
1274 const unsigned char *cli_id, size_t cli_id_len)
1275 {
1276 ((void) ctx);
1277 ((void) p);
1278 ((void) end);
1279 ((void) cli_id);
1280 ((void) cli_id_len);
1281
1282 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1283 }
1284
1285 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_check_dummy(void * ctx,const unsigned char * cookie,size_t cookie_len,const unsigned char * cli_id,size_t cli_id_len)1286 static int ssl_cookie_check_dummy(void *ctx,
1287 const unsigned char *cookie, size_t cookie_len,
1288 const unsigned char *cli_id, size_t cli_id_len)
1289 {
1290 ((void) ctx);
1291 ((void) cookie);
1292 ((void) cookie_len);
1293 ((void) cli_id);
1294 ((void) cli_id_len);
1295
1296 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1297 }
1298 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
1299
1300 /*
1301 * Initialize an SSL context
1302 */
mbedtls_ssl_init(mbedtls_ssl_context * ssl)1303 void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
1304 {
1305 memset(ssl, 0, sizeof(mbedtls_ssl_context));
1306 }
1307
1308 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_version_check(const mbedtls_ssl_context * ssl)1309 static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
1310 {
1311 const mbedtls_ssl_config *conf = ssl->conf;
1312
1313 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1314 if (mbedtls_ssl_conf_is_tls13_only(conf)) {
1315 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1316 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
1317 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1318 }
1319
1320 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
1321 return 0;
1322 }
1323 #endif
1324
1325 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1326 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
1327 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
1328 return 0;
1329 }
1330 #endif
1331
1332 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
1333 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
1334 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1335 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
1336 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1337 }
1338
1339 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
1340 return 0;
1341 }
1342 #endif
1343
1344 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
1345 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1346 }
1347
1348 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_check(const mbedtls_ssl_context * ssl)1349 static int ssl_conf_check(const mbedtls_ssl_context *ssl)
1350 {
1351 int ret;
1352 ret = ssl_conf_version_check(ssl);
1353 if (ret != 0) {
1354 return ret;
1355 }
1356
1357 if (ssl->conf->f_rng == NULL) {
1358 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
1359 return MBEDTLS_ERR_SSL_NO_RNG;
1360 }
1361
1362 /* Space for further checks */
1363
1364 return 0;
1365 }
1366
1367 /*
1368 * Setup an SSL context
1369 */
1370
mbedtls_ssl_setup(mbedtls_ssl_context * ssl,const mbedtls_ssl_config * conf)1371 int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
1372 const mbedtls_ssl_config *conf)
1373 {
1374 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1375 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1376 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1377
1378 ssl->conf = conf;
1379
1380 if ((ret = ssl_conf_check(ssl)) != 0) {
1381 return ret;
1382 }
1383 ssl->tls_version = ssl->conf->max_tls_version;
1384
1385 /*
1386 * Prepare base structures
1387 */
1388
1389 /* Set to NULL in case of an error condition */
1390 ssl->out_buf = NULL;
1391
1392 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1393 ssl->in_buf_len = in_buf_len;
1394 #endif
1395 ssl->in_buf = mbedtls_calloc(1, in_buf_len);
1396 if (ssl->in_buf == NULL) {
1397 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
1398 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1399 goto error;
1400 }
1401
1402 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1403 ssl->out_buf_len = out_buf_len;
1404 #endif
1405 ssl->out_buf = mbedtls_calloc(1, out_buf_len);
1406 if (ssl->out_buf == NULL) {
1407 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
1408 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1409 goto error;
1410 }
1411
1412 mbedtls_ssl_reset_in_out_pointers(ssl);
1413
1414 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1415 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
1416 #endif
1417
1418 if ((ret = ssl_handshake_init(ssl)) != 0) {
1419 goto error;
1420 }
1421
1422 return 0;
1423
1424 error:
1425 mbedtls_free(ssl->in_buf);
1426 mbedtls_free(ssl->out_buf);
1427
1428 ssl->conf = NULL;
1429
1430 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1431 ssl->in_buf_len = 0;
1432 ssl->out_buf_len = 0;
1433 #endif
1434 ssl->in_buf = NULL;
1435 ssl->out_buf = NULL;
1436
1437 ssl->in_hdr = NULL;
1438 ssl->in_ctr = NULL;
1439 ssl->in_len = NULL;
1440 ssl->in_iv = NULL;
1441 ssl->in_msg = NULL;
1442
1443 ssl->out_hdr = NULL;
1444 ssl->out_ctr = NULL;
1445 ssl->out_len = NULL;
1446 ssl->out_iv = NULL;
1447 ssl->out_msg = NULL;
1448
1449 return ret;
1450 }
1451
1452 /*
1453 * Reset an initialized and used SSL context for re-use while retaining
1454 * all application-set variables, function pointers and data.
1455 *
1456 * If partial is non-zero, keep data in the input buffer and client ID.
1457 * (Use when a DTLS client reconnects from the same port.)
1458 */
mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context * ssl,int partial)1459 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1460 int partial)
1461 {
1462 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1463 size_t in_buf_len = ssl->in_buf_len;
1464 size_t out_buf_len = ssl->out_buf_len;
1465 #else
1466 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1467 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1468 #endif
1469
1470 #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
1471 partial = 0;
1472 #endif
1473
1474 /* Cancel any possibly running timer */
1475 mbedtls_ssl_set_timer(ssl, 0);
1476
1477 mbedtls_ssl_reset_in_out_pointers(ssl);
1478
1479 /* Reset incoming message parsing */
1480 ssl->in_offt = NULL;
1481 ssl->nb_zero = 0;
1482 ssl->in_msgtype = 0;
1483 ssl->in_msglen = 0;
1484 ssl->in_hslen = 0;
1485 ssl->keep_current_message = 0;
1486 ssl->transform_in = NULL;
1487
1488 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1489 ssl->next_record_offset = 0;
1490 ssl->in_epoch = 0;
1491 #endif
1492
1493 /* Keep current datagram if partial == 1 */
1494 if (partial == 0) {
1495 ssl->in_left = 0;
1496 memset(ssl->in_buf, 0, in_buf_len);
1497 }
1498
1499 ssl->send_alert = 0;
1500
1501 /* Reset outgoing message writing */
1502 ssl->out_msgtype = 0;
1503 ssl->out_msglen = 0;
1504 ssl->out_left = 0;
1505 memset(ssl->out_buf, 0, out_buf_len);
1506 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
1507 ssl->transform_out = NULL;
1508
1509 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1510 mbedtls_ssl_dtls_replay_reset(ssl);
1511 #endif
1512
1513 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1514 if (ssl->transform) {
1515 mbedtls_ssl_transform_free(ssl->transform);
1516 mbedtls_free(ssl->transform);
1517 ssl->transform = NULL;
1518 }
1519 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1520
1521 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1522 mbedtls_ssl_transform_free(ssl->transform_application);
1523 mbedtls_free(ssl->transform_application);
1524 ssl->transform_application = NULL;
1525
1526 if (ssl->handshake != NULL) {
1527 #if defined(MBEDTLS_SSL_EARLY_DATA)
1528 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
1529 mbedtls_free(ssl->handshake->transform_earlydata);
1530 ssl->handshake->transform_earlydata = NULL;
1531 #endif
1532
1533 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
1534 mbedtls_free(ssl->handshake->transform_handshake);
1535 ssl->handshake->transform_handshake = NULL;
1536 }
1537
1538 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1539 }
1540
mbedtls_ssl_session_reset_int(mbedtls_ssl_context * ssl,int partial)1541 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
1542 {
1543 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1544
1545 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
1546 ssl->tls_version = ssl->conf->max_tls_version;
1547
1548 mbedtls_ssl_session_reset_msg_layer(ssl, partial);
1549
1550 /* Reset renegotiation state */
1551 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1552 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
1553 ssl->renego_records_seen = 0;
1554
1555 ssl->verify_data_len = 0;
1556 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1557 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1558 #endif
1559 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
1560
1561 ssl->session_in = NULL;
1562 ssl->session_out = NULL;
1563 if (ssl->session) {
1564 mbedtls_ssl_session_free(ssl->session);
1565 mbedtls_free(ssl->session);
1566 ssl->session = NULL;
1567 }
1568
1569 #if defined(MBEDTLS_SSL_ALPN)
1570 ssl->alpn_chosen = NULL;
1571 #endif
1572
1573 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1574 int free_cli_id = 1;
1575 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
1576 free_cli_id = (partial == 0);
1577 #endif
1578 if (free_cli_id) {
1579 mbedtls_free(ssl->cli_id);
1580 ssl->cli_id = NULL;
1581 ssl->cli_id_len = 0;
1582 }
1583 #endif
1584
1585 if ((ret = ssl_handshake_init(ssl)) != 0) {
1586 return ret;
1587 }
1588
1589 return 0;
1590 }
1591
1592 /*
1593 * Reset an initialized and used SSL context for re-use while retaining
1594 * all application-set variables, function pointers and data.
1595 */
mbedtls_ssl_session_reset(mbedtls_ssl_context * ssl)1596 int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
1597 {
1598 return mbedtls_ssl_session_reset_int(ssl, 0);
1599 }
1600
1601 /*
1602 * SSL set accessors
1603 */
mbedtls_ssl_conf_endpoint(mbedtls_ssl_config * conf,int endpoint)1604 void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
1605 {
1606 conf->endpoint = endpoint;
1607 }
1608
mbedtls_ssl_conf_transport(mbedtls_ssl_config * conf,int transport)1609 void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
1610 {
1611 conf->transport = transport;
1612 }
1613
1614 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config * conf,char mode)1615 void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
1616 {
1617 conf->anti_replay = mode;
1618 }
1619 #endif
1620
mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config * conf,unsigned limit)1621 void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
1622 {
1623 conf->badmac_limit = limit;
1624 }
1625
1626 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1627
mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context * ssl,unsigned allow_packing)1628 void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
1629 unsigned allow_packing)
1630 {
1631 ssl->disable_datagram_packing = !allow_packing;
1632 }
1633
mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config * conf,uint32_t min,uint32_t max)1634 void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
1635 uint32_t min, uint32_t max)
1636 {
1637 conf->hs_timeout_min = min;
1638 conf->hs_timeout_max = max;
1639 }
1640 #endif
1641
mbedtls_ssl_conf_authmode(mbedtls_ssl_config * conf,int authmode)1642 void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
1643 {
1644 conf->authmode = authmode;
1645 }
1646
1647 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_verify(mbedtls_ssl_config * conf,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1648 void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
1649 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1650 void *p_vrfy)
1651 {
1652 conf->f_vrfy = f_vrfy;
1653 conf->p_vrfy = p_vrfy;
1654 }
1655 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1656
mbedtls_ssl_conf_rng(mbedtls_ssl_config * conf,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1657 void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
1658 int (*f_rng)(void *, unsigned char *, size_t),
1659 void *p_rng)
1660 {
1661 conf->f_rng = f_rng;
1662 conf->p_rng = p_rng;
1663 }
1664
mbedtls_ssl_conf_dbg(mbedtls_ssl_config * conf,void (* f_dbg)(void *,int,const char *,int,const char *),void * p_dbg)1665 void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
1666 void (*f_dbg)(void *, int, const char *, int, const char *),
1667 void *p_dbg)
1668 {
1669 conf->f_dbg = f_dbg;
1670 conf->p_dbg = p_dbg;
1671 }
1672
mbedtls_ssl_set_bio(mbedtls_ssl_context * ssl,void * p_bio,mbedtls_ssl_send_t * f_send,mbedtls_ssl_recv_t * f_recv,mbedtls_ssl_recv_timeout_t * f_recv_timeout)1673 void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
1674 void *p_bio,
1675 mbedtls_ssl_send_t *f_send,
1676 mbedtls_ssl_recv_t *f_recv,
1677 mbedtls_ssl_recv_timeout_t *f_recv_timeout)
1678 {
1679 ssl->p_bio = p_bio;
1680 ssl->f_send = f_send;
1681 ssl->f_recv = f_recv;
1682 ssl->f_recv_timeout = f_recv_timeout;
1683 }
1684
1685 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_set_mtu(mbedtls_ssl_context * ssl,uint16_t mtu)1686 void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
1687 {
1688 ssl->mtu = mtu;
1689 }
1690 #endif
1691
mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config * conf,uint32_t timeout)1692 void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
1693 {
1694 conf->read_timeout = timeout;
1695 }
1696
mbedtls_ssl_set_timer_cb(mbedtls_ssl_context * ssl,void * p_timer,mbedtls_ssl_set_timer_t * f_set_timer,mbedtls_ssl_get_timer_t * f_get_timer)1697 void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
1698 void *p_timer,
1699 mbedtls_ssl_set_timer_t *f_set_timer,
1700 mbedtls_ssl_get_timer_t *f_get_timer)
1701 {
1702 ssl->p_timer = p_timer;
1703 ssl->f_set_timer = f_set_timer;
1704 ssl->f_get_timer = f_get_timer;
1705
1706 /* Make sure we start with no timer running */
1707 mbedtls_ssl_set_timer(ssl, 0);
1708 }
1709
1710 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_session_cache(mbedtls_ssl_config * conf,void * p_cache,mbedtls_ssl_cache_get_t * f_get_cache,mbedtls_ssl_cache_set_t * f_set_cache)1711 void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
1712 void *p_cache,
1713 mbedtls_ssl_cache_get_t *f_get_cache,
1714 mbedtls_ssl_cache_set_t *f_set_cache)
1715 {
1716 conf->p_cache = p_cache;
1717 conf->f_get_cache = f_get_cache;
1718 conf->f_set_cache = f_set_cache;
1719 }
1720 #endif /* MBEDTLS_SSL_SRV_C */
1721
1722 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_set_session(mbedtls_ssl_context * ssl,const mbedtls_ssl_session * session)1723 int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
1724 {
1725 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1726
1727 if (ssl == NULL ||
1728 session == NULL ||
1729 ssl->session_negotiate == NULL ||
1730 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
1731 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1732 }
1733
1734 if (ssl->handshake->resume == 1) {
1735 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1736 }
1737
1738 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1739 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
1740 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1741 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
1742
1743 if (mbedtls_ssl_validate_ciphersuite(
1744 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
1745 MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
1746 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
1747 session->ciphersuite));
1748 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1749 }
1750 }
1751 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1752
1753 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
1754 session)) != 0) {
1755 return ret;
1756 }
1757
1758 ssl->handshake->resume = 1;
1759
1760 return 0;
1761 }
1762 #endif /* MBEDTLS_SSL_CLI_C */
1763
mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config * conf,const int * ciphersuites)1764 void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
1765 const int *ciphersuites)
1766 {
1767 conf->ciphersuite_list = ciphersuites;
1768 }
1769
1770 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config * conf,const int kex_modes)1771 void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
1772 const int kex_modes)
1773 {
1774 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
1775 }
1776
1777 #if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_conf_early_data(mbedtls_ssl_config * conf,int early_data_enabled)1778 void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
1779 int early_data_enabled)
1780 {
1781 conf->early_data_enabled = early_data_enabled;
1782 }
1783
1784 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_max_early_data_size(mbedtls_ssl_config * conf,uint32_t max_early_data_size)1785 void mbedtls_ssl_conf_max_early_data_size(
1786 mbedtls_ssl_config *conf, uint32_t max_early_data_size)
1787 {
1788 conf->max_early_data_size = max_early_data_size;
1789 }
1790 #endif /* MBEDTLS_SSL_SRV_C */
1791
1792 #endif /* MBEDTLS_SSL_EARLY_DATA */
1793 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1794
1795 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config * conf,const mbedtls_x509_crt_profile * profile)1796 void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
1797 const mbedtls_x509_crt_profile *profile)
1798 {
1799 conf->cert_profile = profile;
1800 }
1801
ssl_key_cert_free(mbedtls_ssl_key_cert * key_cert)1802 static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
1803 {
1804 mbedtls_ssl_key_cert *cur = key_cert, *next;
1805
1806 while (cur != NULL) {
1807 next = cur->next;
1808 mbedtls_free(cur);
1809 cur = next;
1810 }
1811 }
1812
1813 /* Append a new keycert entry to a (possibly empty) list */
1814 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_append_key_cert(mbedtls_ssl_key_cert ** head,mbedtls_x509_crt * cert,mbedtls_pk_context * key)1815 static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
1816 mbedtls_x509_crt *cert,
1817 mbedtls_pk_context *key)
1818 {
1819 mbedtls_ssl_key_cert *new_cert;
1820
1821 if (cert == NULL) {
1822 /* Free list if cert is null */
1823 ssl_key_cert_free(*head);
1824 *head = NULL;
1825 return 0;
1826 }
1827
1828 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
1829 if (new_cert == NULL) {
1830 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1831 }
1832
1833 new_cert->cert = cert;
1834 new_cert->key = key;
1835 new_cert->next = NULL;
1836
1837 /* Update head if the list was null, else add to the end */
1838 if (*head == NULL) {
1839 *head = new_cert;
1840 } else {
1841 mbedtls_ssl_key_cert *cur = *head;
1842 while (cur->next != NULL) {
1843 cur = cur->next;
1844 }
1845 cur->next = new_cert;
1846 }
1847
1848 return 0;
1849 }
1850
mbedtls_ssl_conf_own_cert(mbedtls_ssl_config * conf,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1851 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
1852 mbedtls_x509_crt *own_cert,
1853 mbedtls_pk_context *pk_key)
1854 {
1855 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
1856 }
1857
mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config * conf,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1858 void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
1859 mbedtls_x509_crt *ca_chain,
1860 mbedtls_x509_crl *ca_crl)
1861 {
1862 conf->ca_chain = ca_chain;
1863 conf->ca_crl = ca_crl;
1864
1865 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1866 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1867 * cannot be used together. */
1868 conf->f_ca_cb = NULL;
1869 conf->p_ca_cb = NULL;
1870 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1871 }
1872
1873 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config * conf,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb)1874 void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
1875 mbedtls_x509_crt_ca_cb_t f_ca_cb,
1876 void *p_ca_cb)
1877 {
1878 conf->f_ca_cb = f_ca_cb;
1879 conf->p_ca_cb = p_ca_cb;
1880
1881 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1882 * cannot be used together. */
1883 conf->ca_chain = NULL;
1884 conf->ca_crl = NULL;
1885 }
1886 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1887 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1888
1889 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_get_hs_sni(mbedtls_ssl_context * ssl,size_t * name_len)1890 const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
1891 size_t *name_len)
1892 {
1893 *name_len = ssl->handshake->sni_name_len;
1894 return ssl->handshake->sni_name;
1895 }
1896
mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context * ssl,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1897 int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
1898 mbedtls_x509_crt *own_cert,
1899 mbedtls_pk_context *pk_key)
1900 {
1901 return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
1902 own_cert, pk_key);
1903 }
1904
mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1905 void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
1906 mbedtls_x509_crt *ca_chain,
1907 mbedtls_x509_crl *ca_crl)
1908 {
1909 ssl->handshake->sni_ca_chain = ca_chain;
1910 ssl->handshake->sni_ca_crl = ca_crl;
1911 }
1912
1913 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context * ssl,const mbedtls_x509_crt * crt)1914 void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
1915 const mbedtls_x509_crt *crt)
1916 {
1917 ssl->handshake->dn_hints = crt;
1918 }
1919 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
1920
mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context * ssl,int authmode)1921 void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
1922 int authmode)
1923 {
1924 ssl->handshake->sni_authmode = authmode;
1925 }
1926 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1927
1928 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_verify(mbedtls_ssl_context * ssl,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1929 void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
1930 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1931 void *p_vrfy)
1932 {
1933 ssl->f_vrfy = f_vrfy;
1934 ssl->p_vrfy = p_vrfy;
1935 }
1936 #endif
1937
1938 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1939
1940 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1941 static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
1942 static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
1943
mbedtls_ssl_set_hs_ecjpake_password_common(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)1944 static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
1945 mbedtls_ssl_context *ssl,
1946 mbedtls_svc_key_id_t pwd)
1947 {
1948 psa_status_t status;
1949 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
1950 const uint8_t *user = NULL;
1951 size_t user_len = 0;
1952 const uint8_t *peer = NULL;
1953 size_t peer_len = 0;
1954 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
1955 psa_pake_cs_set_primitive(&cipher_suite,
1956 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
1957 PSA_ECC_FAMILY_SECP_R1,
1958 256));
1959 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
1960
1961 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite);
1962 if (status != PSA_SUCCESS) {
1963 return status;
1964 }
1965
1966 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
1967 user = jpake_server_id;
1968 user_len = sizeof(jpake_server_id);
1969 peer = jpake_client_id;
1970 peer_len = sizeof(jpake_client_id);
1971 } else {
1972 user = jpake_client_id;
1973 user_len = sizeof(jpake_client_id);
1974 peer = jpake_server_id;
1975 peer_len = sizeof(jpake_server_id);
1976 }
1977
1978 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
1979 if (status != PSA_SUCCESS) {
1980 return status;
1981 }
1982
1983 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
1984 if (status != PSA_SUCCESS) {
1985 return status;
1986 }
1987
1988 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd);
1989 if (status != PSA_SUCCESS) {
1990 return status;
1991 }
1992
1993 ssl->handshake->psa_pake_ctx_is_ok = 1;
1994
1995 return PSA_SUCCESS;
1996 }
1997
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)1998 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
1999 const unsigned char *pw,
2000 size_t pw_len)
2001 {
2002 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
2003 psa_status_t status;
2004
2005 if (ssl->handshake == NULL || ssl->conf == NULL) {
2006 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2007 }
2008
2009 /* Empty password is not valid */
2010 if ((pw == NULL) || (pw_len == 0)) {
2011 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2012 }
2013
2014 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
2015 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
2016 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
2017
2018 status = psa_import_key(&attributes, pw, pw_len,
2019 &ssl->handshake->psa_pake_password);
2020 if (status != PSA_SUCCESS) {
2021 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2022 }
2023
2024 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
2025 ssl->handshake->psa_pake_password);
2026 if (status != PSA_SUCCESS) {
2027 psa_destroy_key(ssl->handshake->psa_pake_password);
2028 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2029 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2030 }
2031
2032 return 0;
2033 }
2034
mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)2035 int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
2036 mbedtls_svc_key_id_t pwd)
2037 {
2038 psa_status_t status;
2039
2040 if (ssl->handshake == NULL || ssl->conf == NULL) {
2041 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2042 }
2043
2044 if (mbedtls_svc_key_id_is_null(pwd)) {
2045 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2046 }
2047
2048 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
2049 if (status != PSA_SUCCESS) {
2050 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2051 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2052 }
2053
2054 return 0;
2055 }
2056 #else /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)2057 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2058 const unsigned char *pw,
2059 size_t pw_len)
2060 {
2061 mbedtls_ecjpake_role role;
2062
2063 if (ssl->handshake == NULL || ssl->conf == NULL) {
2064 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2065 }
2066
2067 /* Empty password is not valid */
2068 if ((pw == NULL) || (pw_len == 0)) {
2069 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2070 }
2071
2072 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
2073 role = MBEDTLS_ECJPAKE_SERVER;
2074 } else {
2075 role = MBEDTLS_ECJPAKE_CLIENT;
2076 }
2077
2078 return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx,
2079 role,
2080 MBEDTLS_MD_SHA256,
2081 MBEDTLS_ECP_DP_SECP256R1,
2082 pw, pw_len);
2083 }
2084 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2085 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2086
2087 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const * conf)2088 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
2089 {
2090 if (conf->psk_identity == NULL ||
2091 conf->psk_identity_len == 0) {
2092 return 0;
2093 }
2094
2095 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2096 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2097 return 1;
2098 }
2099 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2100
2101 if (conf->psk != NULL && conf->psk_len != 0) {
2102 return 1;
2103 }
2104
2105 return 0;
2106 }
2107
ssl_conf_remove_psk(mbedtls_ssl_config * conf)2108 static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
2109 {
2110 /* Remove reference to existing PSK, if any. */
2111 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2112 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2113 /* The maintenance of the PSK key slot is the
2114 * user's responsibility. */
2115 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2116 }
2117 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2118 if (conf->psk != NULL) {
2119 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
2120 conf->psk = NULL;
2121 conf->psk_len = 0;
2122 }
2123
2124 /* Remove reference to PSK identity, if any. */
2125 if (conf->psk_identity != NULL) {
2126 mbedtls_free(conf->psk_identity);
2127 conf->psk_identity = NULL;
2128 conf->psk_identity_len = 0;
2129 }
2130 }
2131
2132 /* This function assumes that PSK identity in the SSL config is unset.
2133 * It checks that the provided identity is well-formed and attempts
2134 * to make a copy of it in the SSL config.
2135 * On failure, the PSK identity in the config remains unset. */
2136 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_set_psk_identity(mbedtls_ssl_config * conf,unsigned char const * psk_identity,size_t psk_identity_len)2137 static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
2138 unsigned char const *psk_identity,
2139 size_t psk_identity_len)
2140 {
2141 /* Identity len will be encoded on two bytes */
2142 if (psk_identity == NULL ||
2143 psk_identity_len == 0 ||
2144 (psk_identity_len >> 16) != 0 ||
2145 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2146 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2147 }
2148
2149 conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
2150 if (conf->psk_identity == NULL) {
2151 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2152 }
2153
2154 conf->psk_identity_len = psk_identity_len;
2155 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
2156
2157 return 0;
2158 }
2159
mbedtls_ssl_conf_psk(mbedtls_ssl_config * conf,const unsigned char * psk,size_t psk_len,const unsigned char * psk_identity,size_t psk_identity_len)2160 int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
2161 const unsigned char *psk, size_t psk_len,
2162 const unsigned char *psk_identity, size_t psk_identity_len)
2163 {
2164 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2165
2166 /* We currently only support one PSK, raw or opaque. */
2167 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2168 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2169 }
2170
2171 /* Check and set raw PSK */
2172 if (psk == NULL) {
2173 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2174 }
2175 if (psk_len == 0) {
2176 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2177 }
2178 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2179 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2180 }
2181
2182 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2183 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2184 }
2185 conf->psk_len = psk_len;
2186 memcpy(conf->psk, psk, conf->psk_len);
2187
2188 /* Check and set PSK Identity */
2189 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
2190 if (ret != 0) {
2191 ssl_conf_remove_psk(conf);
2192 }
2193
2194 return ret;
2195 }
2196
ssl_remove_psk(mbedtls_ssl_context * ssl)2197 static void ssl_remove_psk(mbedtls_ssl_context *ssl)
2198 {
2199 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2200 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
2201 /* The maintenance of the external PSK key slot is the
2202 * user's responsibility. */
2203 if (ssl->handshake->psk_opaque_is_internal) {
2204 psa_destroy_key(ssl->handshake->psk_opaque);
2205 ssl->handshake->psk_opaque_is_internal = 0;
2206 }
2207 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2208 }
2209 #else
2210 if (ssl->handshake->psk != NULL) {
2211 mbedtls_zeroize_and_free(ssl->handshake->psk,
2212 ssl->handshake->psk_len);
2213 ssl->handshake->psk_len = 0;
2214 }
2215 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2216 }
2217
mbedtls_ssl_set_hs_psk(mbedtls_ssl_context * ssl,const unsigned char * psk,size_t psk_len)2218 int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
2219 const unsigned char *psk, size_t psk_len)
2220 {
2221 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2222 psa_key_attributes_t key_attributes = psa_key_attributes_init();
2223 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2224 psa_algorithm_t alg = PSA_ALG_NONE;
2225 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
2226 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2227
2228 if (psk == NULL || ssl->handshake == NULL) {
2229 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2230 }
2231
2232 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2233 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2234 }
2235
2236 ssl_remove_psk(ssl);
2237
2238 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2239 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2240 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2241 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
2242 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
2243 } else {
2244 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
2245 }
2246 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2247 }
2248 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2249
2250 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2251 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2252 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
2253 psa_set_key_usage_flags(&key_attributes,
2254 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
2255 }
2256 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2257
2258 psa_set_key_algorithm(&key_attributes, alg);
2259 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
2260
2261 status = psa_import_key(&key_attributes, psk, psk_len, &key);
2262 if (status != PSA_SUCCESS) {
2263 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2264 }
2265
2266 /* Allow calling psa_destroy_key() on psk remove */
2267 ssl->handshake->psk_opaque_is_internal = 1;
2268 return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
2269 #else
2270 if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2271 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2272 }
2273
2274 ssl->handshake->psk_len = psk_len;
2275 memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);
2276
2277 return 0;
2278 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2279 }
2280
2281 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config * conf,mbedtls_svc_key_id_t psk,const unsigned char * psk_identity,size_t psk_identity_len)2282 int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
2283 mbedtls_svc_key_id_t psk,
2284 const unsigned char *psk_identity,
2285 size_t psk_identity_len)
2286 {
2287 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2288
2289 /* We currently only support one PSK, raw or opaque. */
2290 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2291 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2292 }
2293
2294 /* Check and set opaque PSK */
2295 if (mbedtls_svc_key_id_is_null(psk)) {
2296 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2297 }
2298 conf->psk_opaque = psk;
2299
2300 /* Check and set PSK Identity */
2301 ret = ssl_conf_set_psk_identity(conf, psk_identity,
2302 psk_identity_len);
2303 if (ret != 0) {
2304 ssl_conf_remove_psk(conf);
2305 }
2306
2307 return ret;
2308 }
2309
mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t psk)2310 int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
2311 mbedtls_svc_key_id_t psk)
2312 {
2313 if ((mbedtls_svc_key_id_is_null(psk)) ||
2314 (ssl->handshake == NULL)) {
2315 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2316 }
2317
2318 ssl_remove_psk(ssl);
2319 ssl->handshake->psk_opaque = psk;
2320 return 0;
2321 }
2322 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2323
2324 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config * conf,int (* f_psk)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_psk)2325 void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
2326 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
2327 size_t),
2328 void *p_psk)
2329 {
2330 conf->f_psk = f_psk;
2331 conf->p_psk = p_psk;
2332 }
2333 #endif /* MBEDTLS_SSL_SRV_C */
2334
2335 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2336
2337 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_base_mode(psa_algorithm_t alg)2338 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2339 psa_algorithm_t alg)
2340 {
2341 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2342 if (alg == PSA_ALG_CBC_NO_PADDING) {
2343 return MBEDTLS_SSL_MODE_CBC;
2344 }
2345 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2346 if (PSA_ALG_IS_AEAD(alg)) {
2347 return MBEDTLS_SSL_MODE_AEAD;
2348 }
2349 return MBEDTLS_SSL_MODE_STREAM;
2350 }
2351
2352 #else /* MBEDTLS_USE_PSA_CRYPTO */
2353
mbedtls_ssl_get_base_mode(mbedtls_cipher_mode_t mode)2354 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2355 mbedtls_cipher_mode_t mode)
2356 {
2357 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2358 if (mode == MBEDTLS_MODE_CBC) {
2359 return MBEDTLS_SSL_MODE_CBC;
2360 }
2361 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2362
2363 #if defined(MBEDTLS_GCM_C) || \
2364 defined(MBEDTLS_CCM_C) || \
2365 defined(MBEDTLS_CHACHAPOLY_C)
2366 if (mode == MBEDTLS_MODE_GCM ||
2367 mode == MBEDTLS_MODE_CCM ||
2368 mode == MBEDTLS_MODE_CHACHAPOLY) {
2369 return MBEDTLS_SSL_MODE_AEAD;
2370 }
2371 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
2372
2373 return MBEDTLS_SSL_MODE_STREAM;
2374 }
2375 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2376
mbedtls_ssl_get_actual_mode(mbedtls_ssl_mode_t base_mode,int encrypt_then_mac)2377 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
2378 mbedtls_ssl_mode_t base_mode,
2379 int encrypt_then_mac)
2380 {
2381 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2382 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
2383 base_mode == MBEDTLS_SSL_MODE_CBC) {
2384 return MBEDTLS_SSL_MODE_CBC_ETM;
2385 }
2386 #else
2387 (void) encrypt_then_mac;
2388 #endif
2389 return base_mode;
2390 }
2391
mbedtls_ssl_get_mode_from_transform(const mbedtls_ssl_transform * transform)2392 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2393 const mbedtls_ssl_transform *transform)
2394 {
2395 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
2396 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2397 transform->psa_alg
2398 #else
2399 mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)
2400 #endif
2401 );
2402
2403 int encrypt_then_mac = 0;
2404 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2405 encrypt_then_mac = transform->encrypt_then_mac;
2406 #endif
2407 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2408 }
2409
mbedtls_ssl_get_mode_from_ciphersuite(int encrypt_then_mac,const mbedtls_ssl_ciphersuite_t * suite)2410 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2411 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2412 int encrypt_then_mac,
2413 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2414 const mbedtls_ssl_ciphersuite_t *suite)
2415 {
2416 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
2417
2418 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2419 psa_status_t status;
2420 psa_algorithm_t alg;
2421 psa_key_type_t type;
2422 size_t size;
2423 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher,
2424 0, &alg, &type, &size);
2425 if (status == PSA_SUCCESS) {
2426 base_mode = mbedtls_ssl_get_base_mode(alg);
2427 }
2428 #else
2429 const mbedtls_cipher_info_t *cipher =
2430 mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher);
2431 if (cipher != NULL) {
2432 base_mode =
2433 mbedtls_ssl_get_base_mode(
2434 mbedtls_cipher_info_get_mode(cipher));
2435 }
2436 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2437
2438 #if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2439 int encrypt_then_mac = 0;
2440 #endif
2441 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2442 }
2443
2444 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2445
mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,size_t taglen,psa_algorithm_t * alg,psa_key_type_t * key_type,size_t * key_size)2446 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2447 size_t taglen,
2448 psa_algorithm_t *alg,
2449 psa_key_type_t *key_type,
2450 size_t *key_size)
2451 {
2452 #if !defined(MBEDTLS_SSL_HAVE_CCM)
2453 (void) taglen;
2454 #endif
2455 switch (mbedtls_cipher_type) {
2456 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2457 case MBEDTLS_CIPHER_AES_128_CBC:
2458 *alg = PSA_ALG_CBC_NO_PADDING;
2459 *key_type = PSA_KEY_TYPE_AES;
2460 *key_size = 128;
2461 break;
2462 #endif
2463 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2464 case MBEDTLS_CIPHER_AES_128_CCM:
2465 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2466 *key_type = PSA_KEY_TYPE_AES;
2467 *key_size = 128;
2468 break;
2469 #endif
2470 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2471 case MBEDTLS_CIPHER_AES_128_GCM:
2472 *alg = PSA_ALG_GCM;
2473 *key_type = PSA_KEY_TYPE_AES;
2474 *key_size = 128;
2475 break;
2476 #endif
2477 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2478 case MBEDTLS_CIPHER_AES_192_CCM:
2479 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2480 *key_type = PSA_KEY_TYPE_AES;
2481 *key_size = 192;
2482 break;
2483 #endif
2484 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2485 case MBEDTLS_CIPHER_AES_192_GCM:
2486 *alg = PSA_ALG_GCM;
2487 *key_type = PSA_KEY_TYPE_AES;
2488 *key_size = 192;
2489 break;
2490 #endif
2491 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2492 case MBEDTLS_CIPHER_AES_256_CBC:
2493 *alg = PSA_ALG_CBC_NO_PADDING;
2494 *key_type = PSA_KEY_TYPE_AES;
2495 *key_size = 256;
2496 break;
2497 #endif
2498 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2499 case MBEDTLS_CIPHER_AES_256_CCM:
2500 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2501 *key_type = PSA_KEY_TYPE_AES;
2502 *key_size = 256;
2503 break;
2504 #endif
2505 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2506 case MBEDTLS_CIPHER_AES_256_GCM:
2507 *alg = PSA_ALG_GCM;
2508 *key_type = PSA_KEY_TYPE_AES;
2509 *key_size = 256;
2510 break;
2511 #endif
2512 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2513 case MBEDTLS_CIPHER_ARIA_128_CBC:
2514 *alg = PSA_ALG_CBC_NO_PADDING;
2515 *key_type = PSA_KEY_TYPE_ARIA;
2516 *key_size = 128;
2517 break;
2518 #endif
2519 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2520 case MBEDTLS_CIPHER_ARIA_128_CCM:
2521 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2522 *key_type = PSA_KEY_TYPE_ARIA;
2523 *key_size = 128;
2524 break;
2525 #endif
2526 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2527 case MBEDTLS_CIPHER_ARIA_128_GCM:
2528 *alg = PSA_ALG_GCM;
2529 *key_type = PSA_KEY_TYPE_ARIA;
2530 *key_size = 128;
2531 break;
2532 #endif
2533 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2534 case MBEDTLS_CIPHER_ARIA_192_CCM:
2535 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2536 *key_type = PSA_KEY_TYPE_ARIA;
2537 *key_size = 192;
2538 break;
2539 #endif
2540 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2541 case MBEDTLS_CIPHER_ARIA_192_GCM:
2542 *alg = PSA_ALG_GCM;
2543 *key_type = PSA_KEY_TYPE_ARIA;
2544 *key_size = 192;
2545 break;
2546 #endif
2547 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2548 case MBEDTLS_CIPHER_ARIA_256_CBC:
2549 *alg = PSA_ALG_CBC_NO_PADDING;
2550 *key_type = PSA_KEY_TYPE_ARIA;
2551 *key_size = 256;
2552 break;
2553 #endif
2554 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2555 case MBEDTLS_CIPHER_ARIA_256_CCM:
2556 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2557 *key_type = PSA_KEY_TYPE_ARIA;
2558 *key_size = 256;
2559 break;
2560 #endif
2561 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2562 case MBEDTLS_CIPHER_ARIA_256_GCM:
2563 *alg = PSA_ALG_GCM;
2564 *key_type = PSA_KEY_TYPE_ARIA;
2565 *key_size = 256;
2566 break;
2567 #endif
2568 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2569 case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
2570 *alg = PSA_ALG_CBC_NO_PADDING;
2571 *key_type = PSA_KEY_TYPE_CAMELLIA;
2572 *key_size = 128;
2573 break;
2574 #endif
2575 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2576 case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
2577 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2578 *key_type = PSA_KEY_TYPE_CAMELLIA;
2579 *key_size = 128;
2580 break;
2581 #endif
2582 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2583 case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
2584 *alg = PSA_ALG_GCM;
2585 *key_type = PSA_KEY_TYPE_CAMELLIA;
2586 *key_size = 128;
2587 break;
2588 #endif
2589 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2590 case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
2591 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2592 *key_type = PSA_KEY_TYPE_CAMELLIA;
2593 *key_size = 192;
2594 break;
2595 #endif
2596 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2597 case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
2598 *alg = PSA_ALG_GCM;
2599 *key_type = PSA_KEY_TYPE_CAMELLIA;
2600 *key_size = 192;
2601 break;
2602 #endif
2603 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2604 case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
2605 *alg = PSA_ALG_CBC_NO_PADDING;
2606 *key_type = PSA_KEY_TYPE_CAMELLIA;
2607 *key_size = 256;
2608 break;
2609 #endif
2610 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2611 case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
2612 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2613 *key_type = PSA_KEY_TYPE_CAMELLIA;
2614 *key_size = 256;
2615 break;
2616 #endif
2617 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2618 case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
2619 *alg = PSA_ALG_GCM;
2620 *key_type = PSA_KEY_TYPE_CAMELLIA;
2621 *key_size = 256;
2622 break;
2623 #endif
2624 #if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
2625 case MBEDTLS_CIPHER_CHACHA20_POLY1305:
2626 *alg = PSA_ALG_CHACHA20_POLY1305;
2627 *key_type = PSA_KEY_TYPE_CHACHA20;
2628 *key_size = 256;
2629 break;
2630 #endif
2631 case MBEDTLS_CIPHER_NULL:
2632 *alg = MBEDTLS_SSL_NULL_CIPHER;
2633 *key_type = 0;
2634 *key_size = 0;
2635 break;
2636 default:
2637 return PSA_ERROR_NOT_SUPPORTED;
2638 }
2639
2640 return PSA_SUCCESS;
2641 }
2642 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2643
2644 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config * conf,const unsigned char * dhm_P,size_t P_len,const unsigned char * dhm_G,size_t G_len)2645 int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
2646 const unsigned char *dhm_P, size_t P_len,
2647 const unsigned char *dhm_G, size_t G_len)
2648 {
2649 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2650
2651 mbedtls_mpi_free(&conf->dhm_P);
2652 mbedtls_mpi_free(&conf->dhm_G);
2653
2654 if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
2655 (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
2656 mbedtls_mpi_free(&conf->dhm_P);
2657 mbedtls_mpi_free(&conf->dhm_G);
2658 return ret;
2659 }
2660
2661 return 0;
2662 }
2663
mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config * conf,mbedtls_dhm_context * dhm_ctx)2664 int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx)
2665 {
2666 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2667
2668 mbedtls_mpi_free(&conf->dhm_P);
2669 mbedtls_mpi_free(&conf->dhm_G);
2670
2671 if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P,
2672 &conf->dhm_P)) != 0 ||
2673 (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G,
2674 &conf->dhm_G)) != 0) {
2675 mbedtls_mpi_free(&conf->dhm_P);
2676 mbedtls_mpi_free(&conf->dhm_G);
2677 return ret;
2678 }
2679
2680 return 0;
2681 }
2682 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
2683
2684 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
2685 /*
2686 * Set the minimum length for Diffie-Hellman parameters
2687 */
mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config * conf,unsigned int bitlen)2688 void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
2689 unsigned int bitlen)
2690 {
2691 conf->dhm_min_bitlen = bitlen;
2692 }
2693 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
2694
2695 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2696 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
2697 /*
2698 * Set allowed/preferred hashes for handshake signatures
2699 */
mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config * conf,const int * hashes)2700 void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
2701 const int *hashes)
2702 {
2703 conf->sig_hashes = hashes;
2704 }
2705 #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
2706
2707 /* Configure allowed signature algorithms for handshake */
mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config * conf,const uint16_t * sig_algs)2708 void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
2709 const uint16_t *sig_algs)
2710 {
2711 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2712 conf->sig_hashes = NULL;
2713 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
2714 conf->sig_algs = sig_algs;
2715 }
2716 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2717
2718 #if defined(MBEDTLS_ECP_C)
2719 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2720 /*
2721 * Set the allowed elliptic curves
2722 *
2723 * mbedtls_ssl_setup() takes the provided list
2724 * and translates it to a list of IANA TLS group identifiers,
2725 * stored in ssl->handshake->group_list.
2726 *
2727 */
mbedtls_ssl_conf_curves(mbedtls_ssl_config * conf,const mbedtls_ecp_group_id * curve_list)2728 void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
2729 const mbedtls_ecp_group_id *curve_list)
2730 {
2731 conf->curve_list = curve_list;
2732 conf->group_list = NULL;
2733 }
2734 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2735 #endif /* MBEDTLS_ECP_C */
2736
2737 /*
2738 * Set the allowed groups
2739 */
mbedtls_ssl_conf_groups(mbedtls_ssl_config * conf,const uint16_t * group_list)2740 void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
2741 const uint16_t *group_list)
2742 {
2743 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
2744 conf->curve_list = NULL;
2745 #endif
2746 conf->group_list = group_list;
2747 }
2748
2749 #if defined(MBEDTLS_X509_CRT_PARSE_C)
2750
2751 /* A magic value for `ssl->hostname` indicating that
2752 * mbedtls_ssl_set_hostname() has been called with `NULL`.
2753 * If mbedtls_ssl_set_hostname() has never been called on `ssl`, then
2754 * `ssl->hostname == NULL`. */
2755 static const char *const ssl_hostname_skip_cn_verification = "";
2756
2757 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2758 /** Whether mbedtls_ssl_set_hostname() has been called.
2759 *
2760 * \param[in] ssl SSL context
2761 *
2762 * \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl
2763 * (including `mbedtls_ssl_set_hostname(ssl, NULL)`),
2764 * otherwise \c 0.
2765 */
mbedtls_ssl_has_set_hostname_been_called(const mbedtls_ssl_context * ssl)2766 static int mbedtls_ssl_has_set_hostname_been_called(
2767 const mbedtls_ssl_context *ssl)
2768 {
2769 return ssl->hostname != NULL;
2770 }
2771 #endif
2772
2773 /* Micro-optimization: don't export this function if it isn't needed outside
2774 * of this source file. */
2775 #if !defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2776 static
2777 #endif
mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context * ssl)2778 const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl)
2779 {
2780 if (ssl->hostname == ssl_hostname_skip_cn_verification) {
2781 return NULL;
2782 }
2783 return ssl->hostname;
2784 }
2785
mbedtls_ssl_free_hostname(mbedtls_ssl_context * ssl)2786 static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl)
2787 {
2788 if (ssl->hostname != NULL &&
2789 ssl->hostname != ssl_hostname_skip_cn_verification) {
2790 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
2791 }
2792 ssl->hostname = NULL;
2793 }
2794
mbedtls_ssl_set_hostname(mbedtls_ssl_context * ssl,const char * hostname)2795 int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
2796 {
2797 /* Initialize to suppress unnecessary compiler warning */
2798 size_t hostname_len = 0;
2799
2800 /* Check if new hostname is valid before
2801 * making any change to current one */
2802 if (hostname != NULL) {
2803 hostname_len = strlen(hostname);
2804
2805 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
2806 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2807 }
2808 }
2809
2810 /* Now it's clear that we will overwrite the old hostname,
2811 * so we can free it safely */
2812 mbedtls_ssl_free_hostname(ssl);
2813
2814 if (hostname == NULL) {
2815 /* Passing NULL as hostname clears the old one, but leaves a
2816 * special marker to indicate that mbedtls_ssl_set_hostname()
2817 * has been called. */
2818 /* ssl->hostname should be const, but isn't. We won't actually
2819 * write to the buffer, so it's ok to cast away the const. */
2820 ssl->hostname = (char *) ssl_hostname_skip_cn_verification;
2821 } else {
2822 ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
2823 if (ssl->hostname == NULL) {
2824 /* mbedtls_ssl_set_hostname() has been called, but unsuccessfully.
2825 * Leave ssl->hostname in the same state as if the function had
2826 * not been called, i.e. a null pointer. */
2827 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2828 }
2829
2830 memcpy(ssl->hostname, hostname, hostname_len);
2831
2832 ssl->hostname[hostname_len] = '\0';
2833 }
2834
2835 return 0;
2836 }
2837 #endif /* MBEDTLS_X509_CRT_PARSE_C */
2838
2839 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_conf_sni(mbedtls_ssl_config * conf,int (* f_sni)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_sni)2840 void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
2841 int (*f_sni)(void *, mbedtls_ssl_context *,
2842 const unsigned char *, size_t),
2843 void *p_sni)
2844 {
2845 conf->f_sni = f_sni;
2846 conf->p_sni = p_sni;
2847 }
2848 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2849
2850 #if defined(MBEDTLS_SSL_ALPN)
mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config * conf,const char ** protos)2851 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
2852 {
2853 size_t cur_len, tot_len;
2854 const char **p;
2855
2856 /*
2857 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
2858 * MUST NOT be truncated."
2859 * We check lengths now rather than later.
2860 */
2861 tot_len = 0;
2862 for (p = protos; *p != NULL; p++) {
2863 cur_len = strlen(*p);
2864 tot_len += cur_len;
2865
2866 if ((cur_len == 0) ||
2867 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
2868 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
2869 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2870 }
2871 }
2872
2873 conf->alpn_list = protos;
2874
2875 return 0;
2876 }
2877
mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context * ssl)2878 const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
2879 {
2880 return ssl->alpn_chosen;
2881 }
2882 #endif /* MBEDTLS_SSL_ALPN */
2883
2884 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config * conf,int support_mki_value)2885 void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
2886 int support_mki_value)
2887 {
2888 conf->dtls_srtp_mki_support = support_mki_value;
2889 }
2890
mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context * ssl,unsigned char * mki_value,uint16_t mki_len)2891 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
2892 unsigned char *mki_value,
2893 uint16_t mki_len)
2894 {
2895 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
2896 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2897 }
2898
2899 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
2900 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2901 }
2902
2903 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
2904 ssl->dtls_srtp_info.mki_len = mki_len;
2905 return 0;
2906 }
2907
mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config * conf,const mbedtls_ssl_srtp_profile * profiles)2908 int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
2909 const mbedtls_ssl_srtp_profile *profiles)
2910 {
2911 const mbedtls_ssl_srtp_profile *p;
2912 size_t list_size = 0;
2913
2914 /* check the profiles list: all entry must be valid,
2915 * its size cannot be more than the total number of supported profiles, currently 4 */
2916 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
2917 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
2918 p++) {
2919 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
2920 list_size++;
2921 } else {
2922 /* unsupported value, stop parsing and set the size to an error value */
2923 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
2924 }
2925 }
2926
2927 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
2928 conf->dtls_srtp_profile_list = NULL;
2929 conf->dtls_srtp_profile_list_len = 0;
2930 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2931 }
2932
2933 conf->dtls_srtp_profile_list = profiles;
2934 conf->dtls_srtp_profile_list_len = list_size;
2935
2936 return 0;
2937 }
2938
mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context * ssl,mbedtls_dtls_srtp_info * dtls_srtp_info)2939 void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
2940 mbedtls_dtls_srtp_info *dtls_srtp_info)
2941 {
2942 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
2943 /* do not copy the mki value if there is no chosen profile */
2944 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
2945 dtls_srtp_info->mki_len = 0;
2946 } else {
2947 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
2948 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
2949 ssl->dtls_srtp_info.mki_len);
2950 }
2951 }
2952 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2953
2954 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_ssl_conf_max_version(mbedtls_ssl_config * conf,int major,int minor)2955 void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
2956 {
2957 conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2958 }
2959
mbedtls_ssl_conf_min_version(mbedtls_ssl_config * conf,int major,int minor)2960 void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
2961 {
2962 conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2963 }
2964 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2965
2966 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config * conf,char cert_req_ca_list)2967 void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
2968 char cert_req_ca_list)
2969 {
2970 conf->cert_req_ca_list = cert_req_ca_list;
2971 }
2972 #endif
2973
2974 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config * conf,char etm)2975 void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
2976 {
2977 conf->encrypt_then_mac = etm;
2978 }
2979 #endif
2980
2981 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config * conf,char ems)2982 void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
2983 {
2984 conf->extended_ms = ems;
2985 }
2986 #endif
2987
2988 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config * conf,unsigned char mfl_code)2989 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
2990 {
2991 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
2992 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
2993 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2994 }
2995
2996 conf->mfl_code = mfl_code;
2997
2998 return 0;
2999 }
3000 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3001
mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config * conf,int allow_legacy)3002 void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
3003 {
3004 conf->allow_legacy_renegotiation = allow_legacy;
3005 }
3006
3007 #if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config * conf,int renegotiation)3008 void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
3009 {
3010 conf->disable_renegotiation = renegotiation;
3011 }
3012
mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config * conf,int max_records)3013 void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
3014 {
3015 conf->renego_max_records = max_records;
3016 }
3017
mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config * conf,const unsigned char period[8])3018 void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
3019 const unsigned char period[8])
3020 {
3021 memcpy(conf->renego_period, period, 8);
3022 }
3023 #endif /* MBEDTLS_SSL_RENEGOTIATION */
3024
3025 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3026 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config * conf,int use_tickets)3027 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
3028 {
3029 conf->session_tickets = use_tickets;
3030 }
3031 #endif
3032
3033 #if defined(MBEDTLS_SSL_SRV_C)
3034
3035 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config * conf,uint16_t num_tickets)3036 void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
3037 uint16_t num_tickets)
3038 {
3039 conf->new_session_tickets_count = num_tickets;
3040 }
3041 #endif
3042
mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config * conf,mbedtls_ssl_ticket_write_t * f_ticket_write,mbedtls_ssl_ticket_parse_t * f_ticket_parse,void * p_ticket)3043 void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
3044 mbedtls_ssl_ticket_write_t *f_ticket_write,
3045 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
3046 void *p_ticket)
3047 {
3048 conf->f_ticket_write = f_ticket_write;
3049 conf->f_ticket_parse = f_ticket_parse;
3050 conf->p_ticket = p_ticket;
3051 }
3052 #endif
3053 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3054
mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context * ssl,mbedtls_ssl_export_keys_t * f_export_keys,void * p_export_keys)3055 void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
3056 mbedtls_ssl_export_keys_t *f_export_keys,
3057 void *p_export_keys)
3058 {
3059 ssl->f_export_keys = f_export_keys;
3060 ssl->p_export_keys = p_export_keys;
3061 }
3062
3063 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
mbedtls_ssl_conf_async_private_cb(mbedtls_ssl_config * conf,mbedtls_ssl_async_sign_t * f_async_sign,mbedtls_ssl_async_decrypt_t * f_async_decrypt,mbedtls_ssl_async_resume_t * f_async_resume,mbedtls_ssl_async_cancel_t * f_async_cancel,void * async_config_data)3064 void mbedtls_ssl_conf_async_private_cb(
3065 mbedtls_ssl_config *conf,
3066 mbedtls_ssl_async_sign_t *f_async_sign,
3067 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
3068 mbedtls_ssl_async_resume_t *f_async_resume,
3069 mbedtls_ssl_async_cancel_t *f_async_cancel,
3070 void *async_config_data)
3071 {
3072 conf->f_async_sign_start = f_async_sign;
3073 conf->f_async_decrypt_start = f_async_decrypt;
3074 conf->f_async_resume = f_async_resume;
3075 conf->f_async_cancel = f_async_cancel;
3076 conf->p_async_config_data = async_config_data;
3077 }
3078
mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config * conf)3079 void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
3080 {
3081 return conf->p_async_config_data;
3082 }
3083
mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context * ssl)3084 void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
3085 {
3086 if (ssl->handshake == NULL) {
3087 return NULL;
3088 } else {
3089 return ssl->handshake->user_async_ctx;
3090 }
3091 }
3092
mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context * ssl,void * ctx)3093 void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
3094 void *ctx)
3095 {
3096 if (ssl->handshake != NULL) {
3097 ssl->handshake->user_async_ctx = ctx;
3098 }
3099 }
3100 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3101
3102 /*
3103 * SSL get accessors
3104 */
mbedtls_ssl_get_verify_result(const mbedtls_ssl_context * ssl)3105 uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
3106 {
3107 if (ssl->session != NULL) {
3108 return ssl->session->verify_result;
3109 }
3110
3111 if (ssl->session_negotiate != NULL) {
3112 return ssl->session_negotiate->verify_result;
3113 }
3114
3115 return 0xFFFFFFFF;
3116 }
3117
mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context * ssl)3118 int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
3119 {
3120 if (ssl == NULL || ssl->session == NULL) {
3121 return 0;
3122 }
3123
3124 return ssl->session->ciphersuite;
3125 }
3126
mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context * ssl)3127 const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
3128 {
3129 if (ssl == NULL || ssl->session == NULL) {
3130 return NULL;
3131 }
3132
3133 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
3134 }
3135
mbedtls_ssl_get_version(const mbedtls_ssl_context * ssl)3136 const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
3137 {
3138 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3139 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3140 switch (ssl->tls_version) {
3141 case MBEDTLS_SSL_VERSION_TLS1_2:
3142 return "DTLSv1.2";
3143 default:
3144 return "unknown (DTLS)";
3145 }
3146 }
3147 #endif
3148
3149 switch (ssl->tls_version) {
3150 case MBEDTLS_SSL_VERSION_TLS1_2:
3151 return "TLSv1.2";
3152 case MBEDTLS_SSL_VERSION_TLS1_3:
3153 return "TLSv1.3";
3154 default:
3155 return "unknown";
3156 }
3157 }
3158
3159 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3160
mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context * ssl)3161 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
3162 {
3163 const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3164 size_t record_size_limit = max_len;
3165
3166 if (ssl->session != NULL &&
3167 ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3168 ssl->session->record_size_limit < max_len) {
3169 record_size_limit = ssl->session->record_size_limit;
3170 }
3171
3172 // TODO: this is currently untested
3173 /* During a handshake, use the value being negotiated */
3174 if (ssl->session_negotiate != NULL &&
3175 ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3176 ssl->session_negotiate->record_size_limit < max_len) {
3177 record_size_limit = ssl->session_negotiate->record_size_limit;
3178 }
3179
3180 return record_size_limit;
3181 }
3182 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3183
3184 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context * ssl)3185 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
3186 {
3187 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3188 size_t read_mfl;
3189
3190 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3191 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
3192 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3193 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
3194 return ssl_mfl_code_to_length(ssl->conf->mfl_code);
3195 }
3196 #endif
3197
3198 /* Check if a smaller max length was negotiated */
3199 if (ssl->session_out != NULL) {
3200 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3201 if (read_mfl < max_len) {
3202 max_len = read_mfl;
3203 }
3204 }
3205
3206 /* During a handshake, use the value being negotiated */
3207 if (ssl->session_negotiate != NULL) {
3208 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3209 if (read_mfl < max_len) {
3210 max_len = read_mfl;
3211 }
3212 }
3213
3214 return max_len;
3215 }
3216
mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context * ssl)3217 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
3218 {
3219 size_t max_len;
3220
3221 /*
3222 * Assume mfl_code is correct since it was checked when set
3223 */
3224 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
3225
3226 /* Check if a smaller max length was negotiated */
3227 if (ssl->session_out != NULL &&
3228 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
3229 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3230 }
3231
3232 /* During a handshake, use the value being negotiated */
3233 if (ssl->session_negotiate != NULL &&
3234 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
3235 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3236 }
3237
3238 return max_len;
3239 }
3240 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3241
3242 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context * ssl)3243 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
3244 {
3245 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
3246 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3247 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
3248 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) {
3249 return 0;
3250 }
3251
3252 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
3253 return ssl->mtu;
3254 }
3255
3256 if (ssl->mtu == 0) {
3257 return ssl->handshake->mtu;
3258 }
3259
3260 return ssl->mtu < ssl->handshake->mtu ?
3261 ssl->mtu : ssl->handshake->mtu;
3262 }
3263 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3264
mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context * ssl)3265 int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
3266 {
3267 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3268
3269 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3270 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
3271 !defined(MBEDTLS_SSL_PROTO_DTLS)
3272 (void) ssl;
3273 #endif
3274
3275 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3276 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
3277
3278 if (max_len > mfl) {
3279 max_len = mfl;
3280 }
3281 #endif
3282
3283 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3284 const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
3285
3286 if (max_len > record_size_limit) {
3287 max_len = record_size_limit;
3288 }
3289 #endif
3290
3291 if (ssl->transform_out != NULL &&
3292 ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
3293 /*
3294 * In TLS 1.3 case, when records are protected, `max_len` as computed
3295 * above is the maximum length of the TLSInnerPlaintext structure that
3296 * along the plaintext payload contains the inner content type (one byte)
3297 * and some zero padding. Given the algorithm used for padding
3298 * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
3299 * the plaintext payload. Round down to a multiple of
3300 * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
3301 * subtract 1.
3302 */
3303 max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
3304 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
3305 }
3306
3307 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3308 if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
3309 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
3310 const int ret = mbedtls_ssl_get_record_expansion(ssl);
3311 const size_t overhead = (size_t) ret;
3312
3313 if (ret < 0) {
3314 return ret;
3315 }
3316
3317 if (mtu <= overhead) {
3318 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
3319 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3320 }
3321
3322 if (max_len > mtu - overhead) {
3323 max_len = mtu - overhead;
3324 }
3325 }
3326 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3327
3328 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3329 !defined(MBEDTLS_SSL_PROTO_DTLS) && \
3330 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3331 ((void) ssl);
3332 #endif
3333
3334 return (int) max_len;
3335 }
3336
mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context * ssl)3337 int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
3338 {
3339 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3340
3341 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3342 (void) ssl;
3343 #endif
3344
3345 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3346 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
3347
3348 if (max_len > mfl) {
3349 max_len = mfl;
3350 }
3351 #endif
3352
3353 return (int) max_len;
3354 }
3355
3356 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context * ssl)3357 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
3358 {
3359 if (ssl == NULL || ssl->session == NULL) {
3360 return NULL;
3361 }
3362
3363 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3364 return ssl->session->peer_cert;
3365 #else
3366 return NULL;
3367 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3368 }
3369 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3370
3371 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_get_session(const mbedtls_ssl_context * ssl,mbedtls_ssl_session * dst)3372 int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
3373 mbedtls_ssl_session *dst)
3374 {
3375 int ret;
3376
3377 if (ssl == NULL ||
3378 dst == NULL ||
3379 ssl->session == NULL ||
3380 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
3381 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3382 }
3383
3384 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
3385 * idempotent: Each session can only be exported once.
3386 *
3387 * (This is in preparation for TLS 1.3 support where we will
3388 * need the ability to export multiple sessions (aka tickets),
3389 * which will be achieved by calling mbedtls_ssl_get_session()
3390 * multiple times until it fails.)
3391 *
3392 * Check whether we have already exported the current session,
3393 * and fail if so.
3394 */
3395 if (ssl->session->exported == 1) {
3396 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3397 }
3398
3399 ret = mbedtls_ssl_session_copy(dst, ssl->session);
3400 if (ret != 0) {
3401 return ret;
3402 }
3403
3404 /* Remember that we've exported the session. */
3405 ssl->session->exported = 1;
3406 return 0;
3407 }
3408 #endif /* MBEDTLS_SSL_CLI_C */
3409
3410 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3411
3412 /* Serialization of TLS 1.2 sessions
3413 *
3414 * For more detail, see the description of ssl_session_save().
3415 */
ssl_tls12_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len)3416 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
3417 unsigned char *buf,
3418 size_t buf_len)
3419 {
3420 unsigned char *p = buf;
3421 size_t used = 0;
3422
3423 #if defined(MBEDTLS_HAVE_TIME)
3424 uint64_t start;
3425 #endif
3426 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3427 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3428 size_t cert_len;
3429 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3430 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3431
3432 /*
3433 * Time
3434 */
3435 #if defined(MBEDTLS_HAVE_TIME)
3436 used += 8;
3437
3438 if (used <= buf_len) {
3439 start = (uint64_t) session->start;
3440
3441 MBEDTLS_PUT_UINT64_BE(start, p, 0);
3442 p += 8;
3443 }
3444 #endif /* MBEDTLS_HAVE_TIME */
3445
3446 /*
3447 * Basic mandatory fields
3448 */
3449 used += 1 /* id_len */
3450 + sizeof(session->id)
3451 + sizeof(session->master)
3452 + 4; /* verify_result */
3453
3454 if (used <= buf_len) {
3455 *p++ = MBEDTLS_BYTE_0(session->id_len);
3456 memcpy(p, session->id, 32);
3457 p += 32;
3458
3459 memcpy(p, session->master, 48);
3460 p += 48;
3461
3462 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
3463 p += 4;
3464 }
3465
3466 /*
3467 * Peer's end-entity certificate
3468 */
3469 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3470 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3471 if (session->peer_cert == NULL) {
3472 cert_len = 0;
3473 } else {
3474 cert_len = session->peer_cert->raw.len;
3475 }
3476
3477 used += 3 + cert_len;
3478
3479 if (used <= buf_len) {
3480 *p++ = MBEDTLS_BYTE_2(cert_len);
3481 *p++ = MBEDTLS_BYTE_1(cert_len);
3482 *p++ = MBEDTLS_BYTE_0(cert_len);
3483
3484 if (session->peer_cert != NULL) {
3485 memcpy(p, session->peer_cert->raw.p, cert_len);
3486 p += cert_len;
3487 }
3488 }
3489 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3490 if (session->peer_cert_digest != NULL) {
3491 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
3492 if (used <= buf_len) {
3493 *p++ = (unsigned char) session->peer_cert_digest_type;
3494 *p++ = (unsigned char) session->peer_cert_digest_len;
3495 memcpy(p, session->peer_cert_digest,
3496 session->peer_cert_digest_len);
3497 p += session->peer_cert_digest_len;
3498 }
3499 } else {
3500 used += 2;
3501 if (used <= buf_len) {
3502 *p++ = (unsigned char) MBEDTLS_MD_NONE;
3503 *p++ = 0;
3504 }
3505 }
3506 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3507 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3508
3509 /*
3510 * Session ticket if any, plus associated data
3511 */
3512 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3513 #if defined(MBEDTLS_SSL_CLI_C)
3514 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3515 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
3516
3517 if (used <= buf_len) {
3518 *p++ = MBEDTLS_BYTE_2(session->ticket_len);
3519 *p++ = MBEDTLS_BYTE_1(session->ticket_len);
3520 *p++ = MBEDTLS_BYTE_0(session->ticket_len);
3521
3522 if (session->ticket != NULL) {
3523 memcpy(p, session->ticket, session->ticket_len);
3524 p += session->ticket_len;
3525 }
3526
3527 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3528 p += 4;
3529 }
3530 }
3531 #endif /* MBEDTLS_SSL_CLI_C */
3532 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3533 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3534 used += 8;
3535
3536 if (used <= buf_len) {
3537 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3538 p += 8;
3539 }
3540 }
3541 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3542 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3543
3544 /*
3545 * Misc extension-related info
3546 */
3547 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3548 used += 1;
3549
3550 if (used <= buf_len) {
3551 *p++ = session->mfl_code;
3552 }
3553 #endif
3554
3555 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3556 used += 1;
3557
3558 if (used <= buf_len) {
3559 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
3560 }
3561 #endif
3562
3563 return used;
3564 }
3565
3566 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)3567 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
3568 const unsigned char *buf,
3569 size_t len)
3570 {
3571 #if defined(MBEDTLS_HAVE_TIME)
3572 uint64_t start;
3573 #endif
3574 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3575 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3576 size_t cert_len;
3577 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3578 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3579
3580 const unsigned char *p = buf;
3581 const unsigned char * const end = buf + len;
3582
3583 /*
3584 * Time
3585 */
3586 #if defined(MBEDTLS_HAVE_TIME)
3587 if (8 > (size_t) (end - p)) {
3588 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3589 }
3590
3591 start = MBEDTLS_GET_UINT64_BE(p, 0);
3592 p += 8;
3593
3594 session->start = (time_t) start;
3595 #endif /* MBEDTLS_HAVE_TIME */
3596
3597 /*
3598 * Basic mandatory fields
3599 */
3600 if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
3601 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3602 }
3603
3604 session->id_len = *p++;
3605 memcpy(session->id, p, 32);
3606 p += 32;
3607
3608 memcpy(session->master, p, 48);
3609 p += 48;
3610
3611 session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
3612 p += 4;
3613
3614 /* Immediately clear invalid pointer values that have been read, in case
3615 * we exit early before we replaced them with valid ones. */
3616 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3617 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3618 session->peer_cert = NULL;
3619 #else
3620 session->peer_cert_digest = NULL;
3621 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3622 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3623 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
3624 session->ticket = NULL;
3625 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
3626
3627 /*
3628 * Peer certificate
3629 */
3630 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3631 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3632 /* Deserialize CRT from the end of the ticket. */
3633 if (3 > (size_t) (end - p)) {
3634 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3635 }
3636
3637 cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
3638 p += 3;
3639
3640 if (cert_len != 0) {
3641 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3642
3643 if (cert_len > (size_t) (end - p)) {
3644 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3645 }
3646
3647 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
3648
3649 if (session->peer_cert == NULL) {
3650 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3651 }
3652
3653 mbedtls_x509_crt_init(session->peer_cert);
3654
3655 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
3656 p, cert_len)) != 0) {
3657 mbedtls_x509_crt_free(session->peer_cert);
3658 mbedtls_free(session->peer_cert);
3659 session->peer_cert = NULL;
3660 return ret;
3661 }
3662
3663 p += cert_len;
3664 }
3665 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3666 /* Deserialize CRT digest from the end of the ticket. */
3667 if (2 > (size_t) (end - p)) {
3668 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3669 }
3670
3671 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
3672 session->peer_cert_digest_len = (size_t) *p++;
3673
3674 if (session->peer_cert_digest_len != 0) {
3675 const mbedtls_md_info_t *md_info =
3676 mbedtls_md_info_from_type(session->peer_cert_digest_type);
3677 if (md_info == NULL) {
3678 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3679 }
3680 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
3681 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3682 }
3683
3684 if (session->peer_cert_digest_len > (size_t) (end - p)) {
3685 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3686 }
3687
3688 session->peer_cert_digest =
3689 mbedtls_calloc(1, session->peer_cert_digest_len);
3690 if (session->peer_cert_digest == NULL) {
3691 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3692 }
3693
3694 memcpy(session->peer_cert_digest, p,
3695 session->peer_cert_digest_len);
3696 p += session->peer_cert_digest_len;
3697 }
3698 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3699 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3700
3701 /*
3702 * Session ticket and associated data
3703 */
3704 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3705 #if defined(MBEDTLS_SSL_CLI_C)
3706 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3707 if (3 > (size_t) (end - p)) {
3708 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3709 }
3710
3711 session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
3712 p += 3;
3713
3714 if (session->ticket_len != 0) {
3715 if (session->ticket_len > (size_t) (end - p)) {
3716 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3717 }
3718
3719 session->ticket = mbedtls_calloc(1, session->ticket_len);
3720 if (session->ticket == NULL) {
3721 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3722 }
3723
3724 memcpy(session->ticket, p, session->ticket_len);
3725 p += session->ticket_len;
3726 }
3727
3728 if (4 > (size_t) (end - p)) {
3729 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3730 }
3731
3732 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
3733 p += 4;
3734 }
3735 #endif /* MBEDTLS_SSL_CLI_C */
3736 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3737 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3738 if (8 > (size_t) (end - p)) {
3739 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3740 }
3741 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3742 p += 8;
3743 }
3744 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3745 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3746
3747 /*
3748 * Misc extension-related info
3749 */
3750 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3751 if (1 > (size_t) (end - p)) {
3752 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3753 }
3754
3755 session->mfl_code = *p++;
3756 #endif
3757
3758 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3759 if (1 > (size_t) (end - p)) {
3760 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3761 }
3762
3763 session->encrypt_then_mac = *p++;
3764 #endif
3765
3766 /* Done, should have consumed entire buffer */
3767 if (p != end) {
3768 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3769 }
3770
3771 return 0;
3772 }
3773
3774 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3775
3776 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3777 /* Serialization of TLS 1.3 sessions:
3778 *
3779 * For more detail, see the description of ssl_session_save().
3780 */
3781 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3782 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)3783 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
3784 unsigned char *buf,
3785 size_t buf_len,
3786 size_t *olen)
3787 {
3788 unsigned char *p = buf;
3789 #if defined(MBEDTLS_SSL_CLI_C) && \
3790 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3791 size_t hostname_len = (session->hostname == NULL) ?
3792 0 : strlen(session->hostname) + 1;
3793 #endif
3794
3795 #if defined(MBEDTLS_SSL_SRV_C) && \
3796 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3797 const size_t alpn_len = (session->ticket_alpn == NULL) ?
3798 0 : strlen(session->ticket_alpn) + 1;
3799 #endif
3800 size_t needed = 4 /* ticket_age_add */
3801 + 1 /* ticket_flags */
3802 + 1; /* resumption_key length */
3803
3804 *olen = 0;
3805
3806 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
3807 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3808 }
3809 needed += session->resumption_key_len; /* resumption_key */
3810
3811 #if defined(MBEDTLS_SSL_EARLY_DATA)
3812 needed += 4; /* max_early_data_size */
3813 #endif
3814 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3815 needed += 2; /* record_size_limit */
3816 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3817
3818 #if defined(MBEDTLS_HAVE_TIME)
3819 needed += 8; /* ticket_creation_time or ticket_reception_time */
3820 #endif
3821
3822 #if defined(MBEDTLS_SSL_SRV_C)
3823 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3824 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3825 needed += 2 /* alpn_len */
3826 + alpn_len; /* alpn */
3827 #endif
3828 }
3829 #endif /* MBEDTLS_SSL_SRV_C */
3830
3831 #if defined(MBEDTLS_SSL_CLI_C)
3832 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3833 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3834 needed += 2 /* hostname_len */
3835 + hostname_len; /* hostname */
3836 #endif
3837
3838 needed += 4 /* ticket_lifetime */
3839 + 2; /* ticket_len */
3840
3841 /* Check size_t overflow */
3842 if (session->ticket_len > SIZE_MAX - needed) {
3843 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3844 }
3845
3846 needed += session->ticket_len; /* ticket */
3847 }
3848 #endif /* MBEDTLS_SSL_CLI_C */
3849
3850 *olen = needed;
3851 if (needed > buf_len) {
3852 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3853 }
3854
3855 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
3856 p[4] = session->ticket_flags;
3857
3858 /* save resumption_key */
3859 p[5] = session->resumption_key_len;
3860 p += 6;
3861 memcpy(p, session->resumption_key, session->resumption_key_len);
3862 p += session->resumption_key_len;
3863
3864 #if defined(MBEDTLS_SSL_EARLY_DATA)
3865 MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
3866 p += 4;
3867 #endif
3868 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3869 MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
3870 p += 2;
3871 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3872
3873 #if defined(MBEDTLS_SSL_SRV_C)
3874 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3875 #if defined(MBEDTLS_HAVE_TIME)
3876 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3877 p += 8;
3878 #endif /* MBEDTLS_HAVE_TIME */
3879
3880 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3881 MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
3882 p += 2;
3883
3884 if (alpn_len > 0) {
3885 /* save chosen alpn */
3886 memcpy(p, session->ticket_alpn, alpn_len);
3887 p += alpn_len;
3888 }
3889 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3890 }
3891 #endif /* MBEDTLS_SSL_SRV_C */
3892
3893 #if defined(MBEDTLS_SSL_CLI_C)
3894 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3895 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3896 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
3897 p += 2;
3898 if (hostname_len > 0) {
3899 /* save host name */
3900 memcpy(p, session->hostname, hostname_len);
3901 p += hostname_len;
3902 }
3903 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3904
3905 #if defined(MBEDTLS_HAVE_TIME)
3906 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
3907 p += 8;
3908 #endif
3909 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3910 p += 4;
3911
3912 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
3913 p += 2;
3914
3915 if (session->ticket != NULL && session->ticket_len > 0) {
3916 memcpy(p, session->ticket, session->ticket_len);
3917 p += session->ticket_len;
3918 }
3919 }
3920 #endif /* MBEDTLS_SSL_CLI_C */
3921 return 0;
3922 }
3923
3924 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)3925 static int ssl_tls13_session_load(mbedtls_ssl_session *session,
3926 const unsigned char *buf,
3927 size_t len)
3928 {
3929 const unsigned char *p = buf;
3930 const unsigned char *end = buf + len;
3931
3932 if (end - p < 6) {
3933 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3934 }
3935 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
3936 session->ticket_flags = p[4];
3937
3938 /* load resumption_key */
3939 session->resumption_key_len = p[5];
3940 p += 6;
3941
3942 if (end - p < session->resumption_key_len) {
3943 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3944 }
3945
3946 if (sizeof(session->resumption_key) < session->resumption_key_len) {
3947 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3948 }
3949 memcpy(session->resumption_key, p, session->resumption_key_len);
3950 p += session->resumption_key_len;
3951
3952 #if defined(MBEDTLS_SSL_EARLY_DATA)
3953 if (end - p < 4) {
3954 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3955 }
3956 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
3957 p += 4;
3958 #endif
3959 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3960 if (end - p < 2) {
3961 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3962 }
3963 session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
3964 p += 2;
3965 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3966
3967 #if defined(MBEDTLS_SSL_SRV_C)
3968 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3969 #if defined(MBEDTLS_HAVE_TIME)
3970 if (end - p < 8) {
3971 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3972 }
3973 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3974 p += 8;
3975 #endif /* MBEDTLS_HAVE_TIME */
3976
3977 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3978 size_t alpn_len;
3979
3980 if (end - p < 2) {
3981 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3982 }
3983
3984 alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
3985 p += 2;
3986
3987 if (end - p < (long int) alpn_len) {
3988 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3989 }
3990
3991 if (alpn_len > 0) {
3992 int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
3993 if (ret != 0) {
3994 return ret;
3995 }
3996 p += alpn_len;
3997 }
3998 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3999 }
4000 #endif /* MBEDTLS_SSL_SRV_C */
4001
4002 #if defined(MBEDTLS_SSL_CLI_C)
4003 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
4004 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4005 size_t hostname_len;
4006 /* load host name */
4007 if (end - p < 2) {
4008 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4009 }
4010 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
4011 p += 2;
4012
4013 if (end - p < (long int) hostname_len) {
4014 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4015 }
4016 if (hostname_len > 0) {
4017 session->hostname = mbedtls_calloc(1, hostname_len);
4018 if (session->hostname == NULL) {
4019 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
4020 }
4021 memcpy(session->hostname, p, hostname_len);
4022 p += hostname_len;
4023 }
4024 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4025
4026 #if defined(MBEDTLS_HAVE_TIME)
4027 if (end - p < 8) {
4028 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4029 }
4030 session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0);
4031 p += 8;
4032 #endif
4033 if (end - p < 4) {
4034 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4035 }
4036 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
4037 p += 4;
4038
4039 if (end - p < 2) {
4040 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4041 }
4042 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
4043 p += 2;
4044
4045 if (end - p < (long int) session->ticket_len) {
4046 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4047 }
4048 if (session->ticket_len > 0) {
4049 session->ticket = mbedtls_calloc(1, session->ticket_len);
4050 if (session->ticket == NULL) {
4051 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
4052 }
4053 memcpy(session->ticket, p, session->ticket_len);
4054 p += session->ticket_len;
4055 }
4056 }
4057 #endif /* MBEDTLS_SSL_CLI_C */
4058
4059 return 0;
4060
4061 }
4062 #else /* MBEDTLS_SSL_SESSION_TICKETS */
4063 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)4064 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
4065 unsigned char *buf,
4066 size_t buf_len,
4067 size_t *olen)
4068 {
4069 ((void) session);
4070 ((void) buf);
4071 ((void) buf_len);
4072 *olen = 0;
4073 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4074 }
4075
ssl_tls13_session_load(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len)4076 static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
4077 unsigned char *buf,
4078 size_t buf_len)
4079 {
4080 ((void) session);
4081 ((void) buf);
4082 ((void) buf_len);
4083 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4084 }
4085 #endif /* !MBEDTLS_SSL_SESSION_TICKETS */
4086 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4087
4088 /*
4089 * Define ticket header determining Mbed TLS version
4090 * and structure of the ticket.
4091 */
4092
4093 /*
4094 * Define bitflag determining compile-time settings influencing
4095 * structure of serialized SSL sessions.
4096 */
4097
4098 #if defined(MBEDTLS_HAVE_TIME)
4099 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
4100 #else
4101 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
4102 #endif /* MBEDTLS_HAVE_TIME */
4103
4104 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4105 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
4106 #else
4107 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
4108 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4109
4110 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4111 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
4112 #else
4113 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
4114 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4115
4116 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
4117 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
4118 #else
4119 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
4120 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
4121
4122 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4123 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
4124 #else
4125 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
4126 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4127
4128 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4129 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
4130 #else
4131 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
4132 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
4133
4134 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4135 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
4136 #else
4137 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
4138 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4139
4140 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4141 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 1
4142 #else
4143 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 0
4144 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4145
4146 #if defined(MBEDTLS_SSL_EARLY_DATA)
4147 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1
4148 #else
4149 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0
4150 #endif /* MBEDTLS_SSL_EARLY_DATA */
4151
4152 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4153 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1
4154 #else
4155 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0
4156 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
4157
4158 #if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \
4159 defined(MBEDTLS_SSL_EARLY_DATA)
4160 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1
4161 #else
4162 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0
4163 #endif /* MBEDTLS_SSL_ALPN */
4164
4165 #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
4166 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
4167 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
4168 #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
4169 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
4170 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
4171 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6
4172 #define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7
4173 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8
4174 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9
4175 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10
4176
4177 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
4178 ((uint16_t) ( \
4179 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
4180 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
4181 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
4182 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
4183 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
4184 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
4185 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
4186 (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
4187 SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \
4188 (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \
4189 (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \
4190 SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \
4191 (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \
4192 SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \
4193 (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \
4194 SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT)))
4195
4196 static const unsigned char ssl_serialized_session_header[] = {
4197 MBEDTLS_VERSION_MAJOR,
4198 MBEDTLS_VERSION_MINOR,
4199 MBEDTLS_VERSION_PATCH,
4200 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4201 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4202 };
4203
4204 /*
4205 * Serialize a session in the following format:
4206 * (in the presentation language of TLS, RFC 8446 section 3)
4207 *
4208 * TLS 1.2 session:
4209 *
4210 * struct {
4211 * #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4212 * opaque ticket<0..2^24-1>; // length 0 means no ticket
4213 * uint32 ticket_lifetime;
4214 * #endif
4215 * } ClientOnlyData;
4216 *
4217 * struct {
4218 * #if defined(MBEDTLS_HAVE_TIME)
4219 * uint64 start_time;
4220 * #endif
4221 * uint8 session_id_len; // at most 32
4222 * opaque session_id[32];
4223 * opaque master[48]; // fixed length in the standard
4224 * uint32 verify_result;
4225 * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
4226 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
4227 * #else
4228 * uint8 peer_cert_digest_type;
4229 * opaque peer_cert_digest<0..2^8-1>
4230 * #endif
4231 * select (endpoint) {
4232 * case client: ClientOnlyData;
4233 * case server: uint64 ticket_creation_time;
4234 * };
4235 * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4236 * uint8 mfl_code; // up to 255 according to standard
4237 * #endif
4238 * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4239 * uint8 encrypt_then_mac; // 0 or 1
4240 * #endif
4241 * } serialized_session_tls12;
4242 *
4243 *
4244 * TLS 1.3 Session:
4245 *
4246 * struct {
4247 * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4248 * opaque hostname<0..2^16-1>;
4249 * #endif
4250 * #if defined(MBEDTLS_HAVE_TIME)
4251 * uint64 ticket_reception_time;
4252 * #endif
4253 * uint32 ticket_lifetime;
4254 * opaque ticket<1..2^16-1>;
4255 * } ClientOnlyData;
4256 *
4257 * struct {
4258 * uint32 ticket_age_add;
4259 * uint8 ticket_flags;
4260 * opaque resumption_key<0..255>;
4261 * #if defined(MBEDTLS_SSL_EARLY_DATA)
4262 * uint32 max_early_data_size;
4263 * #endif
4264 * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4265 * uint16 record_size_limit;
4266 * #endif
4267 * select ( endpoint ) {
4268 * case client: ClientOnlyData;
4269 * case server:
4270 * #if defined(MBEDTLS_HAVE_TIME)
4271 * uint64 ticket_creation_time;
4272 * #endif
4273 * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
4274 * opaque ticket_alpn<0..256>;
4275 * #endif
4276 * };
4277 * } serialized_session_tls13;
4278 *
4279 *
4280 * SSL session:
4281 *
4282 * struct {
4283 *
4284 * opaque mbedtls_version[3]; // library version: major, minor, patch
4285 * opaque session_format[2]; // library-version specific 16-bit field
4286 * // determining the format of the remaining
4287 * // serialized data.
4288 *
4289 * Note: When updating the format, remember to keep
4290 * these version+format bytes.
4291 *
4292 * // In this version, `session_format` determines
4293 * // the setting of those compile-time
4294 * // configuration options which influence
4295 * // the structure of mbedtls_ssl_session.
4296 *
4297 * uint8_t minor_ver; // Protocol minor version. Possible values:
4298 * // - TLS 1.2 (0x0303)
4299 * // - TLS 1.3 (0x0304)
4300 * uint8_t endpoint;
4301 * uint16_t ciphersuite;
4302 *
4303 * select (serialized_session.tls_version) {
4304 *
4305 * case MBEDTLS_SSL_VERSION_TLS1_2:
4306 * serialized_session_tls12 data;
4307 * case MBEDTLS_SSL_VERSION_TLS1_3:
4308 * serialized_session_tls13 data;
4309 *
4310 * };
4311 *
4312 * } serialized_session;
4313 *
4314 */
4315
4316 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_save(const mbedtls_ssl_session * session,unsigned char omit_header,unsigned char * buf,size_t buf_len,size_t * olen)4317 static int ssl_session_save(const mbedtls_ssl_session *session,
4318 unsigned char omit_header,
4319 unsigned char *buf,
4320 size_t buf_len,
4321 size_t *olen)
4322 {
4323 unsigned char *p = buf;
4324 size_t used = 0;
4325 size_t remaining_len;
4326 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4327 size_t out_len;
4328 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4329 #endif
4330 if (session == NULL) {
4331 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4332 }
4333
4334 if (!omit_header) {
4335 /*
4336 * Add Mbed TLS version identifier
4337 */
4338 used += sizeof(ssl_serialized_session_header);
4339
4340 if (used <= buf_len) {
4341 memcpy(p, ssl_serialized_session_header,
4342 sizeof(ssl_serialized_session_header));
4343 p += sizeof(ssl_serialized_session_header);
4344 }
4345 }
4346
4347 /*
4348 * TLS version identifier, endpoint, ciphersuite
4349 */
4350 used += 1 /* TLS version */
4351 + 1 /* endpoint */
4352 + 2; /* ciphersuite */
4353 if (used <= buf_len) {
4354 *p++ = MBEDTLS_BYTE_0(session->tls_version);
4355 *p++ = session->endpoint;
4356 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
4357 p += 2;
4358 }
4359
4360 /* Forward to version-specific serialization routine. */
4361 remaining_len = (buf_len >= used) ? buf_len - used : 0;
4362 switch (session->tls_version) {
4363 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4364 case MBEDTLS_SSL_VERSION_TLS1_2:
4365 used += ssl_tls12_session_save(session, p, remaining_len);
4366 break;
4367 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4368
4369 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4370 case MBEDTLS_SSL_VERSION_TLS1_3:
4371 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
4372 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
4373 return ret;
4374 }
4375 used += out_len;
4376 break;
4377 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4378
4379 default:
4380 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4381 }
4382
4383 *olen = used;
4384 if (used > buf_len) {
4385 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4386 }
4387
4388 return 0;
4389 }
4390
4391 /*
4392 * Public wrapper for ssl_session_save()
4393 */
mbedtls_ssl_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)4394 int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
4395 unsigned char *buf,
4396 size_t buf_len,
4397 size_t *olen)
4398 {
4399 return ssl_session_save(session, 0, buf, buf_len, olen);
4400 }
4401
4402 /*
4403 * Deserialize session, see mbedtls_ssl_session_save() for format.
4404 *
4405 * This internal version is wrapped by a public function that cleans up in
4406 * case of error, and has an extra option omit_header.
4407 */
4408 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_load(mbedtls_ssl_session * session,unsigned char omit_header,const unsigned char * buf,size_t len)4409 static int ssl_session_load(mbedtls_ssl_session *session,
4410 unsigned char omit_header,
4411 const unsigned char *buf,
4412 size_t len)
4413 {
4414 const unsigned char *p = buf;
4415 const unsigned char * const end = buf + len;
4416 size_t remaining_len;
4417
4418
4419 if (session == NULL) {
4420 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4421 }
4422
4423 if (!omit_header) {
4424 /*
4425 * Check Mbed TLS version identifier
4426 */
4427
4428 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
4429 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4430 }
4431
4432 if (memcmp(p, ssl_serialized_session_header,
4433 sizeof(ssl_serialized_session_header)) != 0) {
4434 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
4435 }
4436 p += sizeof(ssl_serialized_session_header);
4437 }
4438
4439 /*
4440 * TLS version identifier, endpoint, ciphersuite
4441 */
4442 if (4 > (size_t) (end - p)) {
4443 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4444 }
4445 session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
4446 session->endpoint = *p++;
4447 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0);
4448 p += 2;
4449
4450 /* Dispatch according to TLS version. */
4451 remaining_len = (size_t) (end - p);
4452 switch (session->tls_version) {
4453 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4454 case MBEDTLS_SSL_VERSION_TLS1_2:
4455 return ssl_tls12_session_load(session, p, remaining_len);
4456 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4457
4458 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4459 case MBEDTLS_SSL_VERSION_TLS1_3:
4460 return ssl_tls13_session_load(session, p, remaining_len);
4461 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4462
4463 default:
4464 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4465 }
4466 }
4467
4468 /*
4469 * Deserialize session: public wrapper for error cleaning
4470 */
mbedtls_ssl_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)4471 int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
4472 const unsigned char *buf,
4473 size_t len)
4474 {
4475 int ret = ssl_session_load(session, 0, buf, len);
4476
4477 if (ret != 0) {
4478 mbedtls_ssl_session_free(session);
4479 }
4480
4481 return ret;
4482 }
4483
4484 /*
4485 * Perform a single step of the SSL handshake
4486 */
4487 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_prepare_handshake_step(mbedtls_ssl_context * ssl)4488 static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
4489 {
4490 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4491
4492 /*
4493 * We may have not been able to send to the peer all the handshake data
4494 * that were written into the output buffer by the previous handshake step,
4495 * if the write to the network callback returned with the
4496 * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
4497 * We proceed to the next handshake step only when all data from the
4498 * previous one have been sent to the peer, thus we make sure that this is
4499 * the case here by calling `mbedtls_ssl_flush_output()`. The function may
4500 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
4501 * we have to wait before to go ahead.
4502 * In the case of TLS 1.3, handshake step handlers do not send data to the
4503 * peer. Data are only sent here and through
4504 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
4505 * alert occurred.
4506 */
4507 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
4508 return ret;
4509 }
4510
4511 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4512 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4513 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4514 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
4515 return ret;
4516 }
4517 }
4518 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4519
4520 return ret;
4521 }
4522
mbedtls_ssl_handshake_step(mbedtls_ssl_context * ssl)4523 int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
4524 {
4525 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4526
4527 if (ssl == NULL ||
4528 ssl->conf == NULL ||
4529 ssl->handshake == NULL ||
4530 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
4531 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4532 }
4533
4534 ret = ssl_prepare_handshake_step(ssl);
4535 if (ret != 0) {
4536 return ret;
4537 }
4538
4539 ret = mbedtls_ssl_handle_pending_alert(ssl);
4540 if (ret != 0) {
4541 goto cleanup;
4542 }
4543
4544 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
4545 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
4546 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4547
4548 #if defined(MBEDTLS_SSL_CLI_C)
4549 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
4550 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
4551 mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state)));
4552
4553 switch (ssl->state) {
4554 case MBEDTLS_SSL_HELLO_REQUEST:
4555 ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
4556 ret = 0;
4557 break;
4558
4559 case MBEDTLS_SSL_CLIENT_HELLO:
4560 ret = mbedtls_ssl_write_client_hello(ssl);
4561 break;
4562
4563 default:
4564 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4565 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4566 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4567 } else {
4568 ret = mbedtls_ssl_handshake_client_step(ssl);
4569 }
4570 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4571 ret = mbedtls_ssl_handshake_client_step(ssl);
4572 #else
4573 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4574 #endif
4575 }
4576 }
4577 #endif /* MBEDTLS_SSL_CLI_C */
4578
4579 #if defined(MBEDTLS_SSL_SRV_C)
4580 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4581 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4582 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4583 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
4584 } else {
4585 ret = mbedtls_ssl_handshake_server_step(ssl);
4586 }
4587 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4588 ret = mbedtls_ssl_handshake_server_step(ssl);
4589 #else
4590 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
4591 #endif
4592 }
4593 #endif /* MBEDTLS_SSL_SRV_C */
4594
4595 if (ret != 0) {
4596 /* handshake_step return error. And it is same
4597 * with alert_reason.
4598 */
4599 if (ssl->send_alert) {
4600 ret = mbedtls_ssl_handle_pending_alert(ssl);
4601 goto cleanup;
4602 }
4603 }
4604
4605 cleanup:
4606 return ret;
4607 }
4608
4609 /*
4610 * Perform the SSL handshake
4611 */
mbedtls_ssl_handshake(mbedtls_ssl_context * ssl)4612 int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
4613 {
4614 int ret = 0;
4615
4616 /* Sanity checks */
4617
4618 if (ssl == NULL || ssl->conf == NULL) {
4619 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4620 }
4621
4622 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4623 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4624 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
4625 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
4626 "mbedtls_ssl_set_timer_cb() for DTLS"));
4627 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4628 }
4629 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4630
4631 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
4632
4633 /* Main handshake loop */
4634 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
4635 ret = mbedtls_ssl_handshake_step(ssl);
4636
4637 if (ret != 0) {
4638 break;
4639 }
4640 }
4641
4642 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
4643
4644 return ret;
4645 }
4646
4647 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4648 #if defined(MBEDTLS_SSL_SRV_C)
4649 /*
4650 * Write HelloRequest to request renegotiation on server
4651 */
4652 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_hello_request(mbedtls_ssl_context * ssl)4653 static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
4654 {
4655 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4656
4657 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
4658
4659 ssl->out_msglen = 4;
4660 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4661 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
4662
4663 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4664 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4665 return ret;
4666 }
4667
4668 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
4669
4670 return 0;
4671 }
4672 #endif /* MBEDTLS_SSL_SRV_C */
4673
4674 /*
4675 * Actually renegotiate current connection, triggered by either:
4676 * - any side: calling mbedtls_ssl_renegotiate(),
4677 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
4678 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
4679 * the initial handshake is completed.
4680 * If the handshake doesn't complete due to waiting for I/O, it will continue
4681 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
4682 */
mbedtls_ssl_start_renegotiation(mbedtls_ssl_context * ssl)4683 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl)
4684 {
4685 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4686
4687 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
4688
4689 if ((ret = ssl_handshake_init(ssl)) != 0) {
4690 return ret;
4691 }
4692
4693 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
4694 * the ServerHello will have message_seq = 1" */
4695 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4696 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4697 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
4698 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4699 ssl->handshake->out_msg_seq = 1;
4700 } else {
4701 ssl->handshake->in_msg_seq = 1;
4702 }
4703 }
4704 #endif
4705
4706 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
4707 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
4708
4709 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4710 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4711 return ret;
4712 }
4713
4714 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
4715
4716 return 0;
4717 }
4718
4719 /*
4720 * Renegotiate current connection on client,
4721 * or request renegotiation on server
4722 */
mbedtls_ssl_renegotiate(mbedtls_ssl_context * ssl)4723 int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
4724 {
4725 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4726
4727 if (ssl == NULL || ssl->conf == NULL) {
4728 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4729 }
4730
4731 #if defined(MBEDTLS_SSL_SRV_C)
4732 /* On server, just send the request */
4733 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4734 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4735 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4736 }
4737
4738 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
4739
4740 /* Did we already try/start sending HelloRequest? */
4741 if (ssl->out_left != 0) {
4742 return mbedtls_ssl_flush_output(ssl);
4743 }
4744
4745 return ssl_write_hello_request(ssl);
4746 }
4747 #endif /* MBEDTLS_SSL_SRV_C */
4748
4749 #if defined(MBEDTLS_SSL_CLI_C)
4750 /*
4751 * On client, either start the renegotiation process or,
4752 * if already in progress, continue the handshake
4753 */
4754 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
4755 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4756 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4757 }
4758
4759 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
4760 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
4761 return ret;
4762 }
4763 } else {
4764 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4765 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4766 return ret;
4767 }
4768 }
4769 #endif /* MBEDTLS_SSL_CLI_C */
4770
4771 return ret;
4772 }
4773 #endif /* MBEDTLS_SSL_RENEGOTIATION */
4774
mbedtls_ssl_handshake_free(mbedtls_ssl_context * ssl)4775 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
4776 {
4777 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
4778
4779 if (handshake == NULL) {
4780 return;
4781 }
4782
4783 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
4784 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4785 if (ssl->handshake->group_list_heap_allocated) {
4786 mbedtls_free((void *) handshake->group_list);
4787 }
4788 handshake->group_list = NULL;
4789 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4790 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
4791
4792 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
4793 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4794 if (ssl->handshake->sig_algs_heap_allocated) {
4795 mbedtls_free((void *) handshake->sig_algs);
4796 }
4797 handshake->sig_algs = NULL;
4798 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4799 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4800 if (ssl->handshake->certificate_request_context) {
4801 mbedtls_free((void *) handshake->certificate_request_context);
4802 }
4803 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4804 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
4805
4806 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4807 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
4808 ssl->conf->f_async_cancel(ssl);
4809 handshake->async_in_progress = 0;
4810 }
4811 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4812
4813 #if defined(MBEDTLS_MD_CAN_SHA256)
4814 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4815 psa_hash_abort(&handshake->fin_sha256_psa);
4816 #else
4817 mbedtls_md_free(&handshake->fin_sha256);
4818 #endif
4819 #endif
4820 #if defined(MBEDTLS_MD_CAN_SHA384)
4821 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4822 psa_hash_abort(&handshake->fin_sha384_psa);
4823 #else
4824 mbedtls_md_free(&handshake->fin_sha384);
4825 #endif
4826 #endif
4827
4828 #if defined(MBEDTLS_DHM_C)
4829 mbedtls_dhm_free(&handshake->dhm_ctx);
4830 #endif
4831 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
4832 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
4833 mbedtls_ecdh_free(&handshake->ecdh_ctx);
4834 #endif
4835
4836 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4837 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4838 psa_pake_abort(&handshake->psa_pake_ctx);
4839 /*
4840 * Opaque keys are not stored in the handshake's data and it's the user
4841 * responsibility to destroy them. Clear ones, instead, are created by
4842 * the TLS library and should be destroyed at the same level
4843 */
4844 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
4845 psa_destroy_key(handshake->psa_pake_password);
4846 }
4847 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
4848 #else
4849 mbedtls_ecjpake_free(&handshake->ecjpake_ctx);
4850 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4851 #if defined(MBEDTLS_SSL_CLI_C)
4852 mbedtls_free(handshake->ecjpake_cache);
4853 handshake->ecjpake_cache = NULL;
4854 handshake->ecjpake_cache_len = 0;
4855 #endif
4856 #endif
4857
4858 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
4859 defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
4860 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4861 /* explicit void pointer cast for buggy MS compiler */
4862 mbedtls_free((void *) handshake->curves_tls_id);
4863 #endif
4864
4865 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
4866 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4867 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
4868 /* The maintenance of the external PSK key slot is the
4869 * user's responsibility. */
4870 if (ssl->handshake->psk_opaque_is_internal) {
4871 psa_destroy_key(ssl->handshake->psk_opaque);
4872 ssl->handshake->psk_opaque_is_internal = 0;
4873 }
4874 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
4875 }
4876 #else
4877 if (handshake->psk != NULL) {
4878 mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len);
4879 }
4880 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4881 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
4882
4883 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4884 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4885 /*
4886 * Free only the linked list wrapper, not the keys themselves
4887 * since the belong to the SNI callback
4888 */
4889 ssl_key_cert_free(handshake->sni_key_cert);
4890 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
4891
4892 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4893 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
4894 if (handshake->ecrs_peer_cert != NULL) {
4895 mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
4896 mbedtls_free(handshake->ecrs_peer_cert);
4897 }
4898 #endif
4899
4900 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4901 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4902 mbedtls_pk_free(&handshake->peer_pubkey);
4903 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4904
4905 #if defined(MBEDTLS_SSL_CLI_C) && \
4906 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
4907 mbedtls_free(handshake->cookie);
4908 #endif /* MBEDTLS_SSL_CLI_C &&
4909 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
4910
4911 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4912 mbedtls_ssl_flight_free(handshake->flight);
4913 mbedtls_ssl_buffering_free(ssl);
4914 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4915
4916 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
4917 if (handshake->xxdh_psa_privkey_is_external == 0) {
4918 psa_destroy_key(handshake->xxdh_psa_privkey);
4919 }
4920 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
4921
4922 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4923 mbedtls_ssl_transform_free(handshake->transform_handshake);
4924 mbedtls_free(handshake->transform_handshake);
4925 #if defined(MBEDTLS_SSL_EARLY_DATA)
4926 mbedtls_ssl_transform_free(handshake->transform_earlydata);
4927 mbedtls_free(handshake->transform_earlydata);
4928 #endif
4929 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4930
4931
4932 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4933 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
4934 * processes datagrams and the fact that a datagram is allowed to have
4935 * several records in it, it is possible that the I/O buffers are not
4936 * empty at this stage */
4937 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
4938 mbedtls_ssl_get_output_buflen(ssl));
4939 #endif
4940
4941 /* mbedtls_platform_zeroize MUST be last one in this function */
4942 mbedtls_platform_zeroize(handshake,
4943 sizeof(mbedtls_ssl_handshake_params));
4944 }
4945
mbedtls_ssl_session_free(mbedtls_ssl_session * session)4946 void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
4947 {
4948 if (session == NULL) {
4949 return;
4950 }
4951
4952 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4953 ssl_clear_peer_cert(session);
4954 #endif
4955
4956 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4957 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
4958 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4959 mbedtls_free(session->hostname);
4960 #endif
4961 mbedtls_free(session->ticket);
4962 #endif
4963
4964 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \
4965 defined(MBEDTLS_SSL_SRV_C)
4966 mbedtls_free(session->ticket_alpn);
4967 #endif
4968
4969 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
4970 }
4971
4972 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
4973
4974 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4975 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
4976 #else
4977 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
4978 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4979
4980 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
4981
4982 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4983 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
4984 #else
4985 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
4986 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
4987
4988 #if defined(MBEDTLS_SSL_ALPN)
4989 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
4990 #else
4991 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
4992 #endif /* MBEDTLS_SSL_ALPN */
4993
4994 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
4995 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
4996 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
4997 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
4998
4999 #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
5000 ((uint32_t) ( \
5001 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
5002 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
5003 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
5004 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
5005 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
5006 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
5007 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
5008 0u))
5009
5010 static const unsigned char ssl_serialized_context_header[] = {
5011 MBEDTLS_VERSION_MAJOR,
5012 MBEDTLS_VERSION_MINOR,
5013 MBEDTLS_VERSION_PATCH,
5014 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
5015 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
5016 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
5017 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
5018 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
5019 };
5020
5021 /*
5022 * Serialize a full SSL context
5023 *
5024 * The format of the serialized data is:
5025 * (in the presentation language of TLS, RFC 8446 section 3)
5026 *
5027 * // header
5028 * opaque mbedtls_version[3]; // major, minor, patch
5029 * opaque context_format[5]; // version-specific field determining
5030 * // the format of the remaining
5031 * // serialized data.
5032 * Note: When updating the format, remember to keep these
5033 * version+format bytes. (We may make their size part of the API.)
5034 *
5035 * // session sub-structure
5036 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
5037 * // transform sub-structure
5038 * uint8 random[64]; // ServerHello.random+ClientHello.random
5039 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
5040 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
5041 * // fields from ssl_context
5042 * uint32 badmac_seen; // DTLS: number of records with failing MAC
5043 * uint64 in_window_top; // DTLS: last validated record seq_num
5044 * uint64 in_window; // DTLS: bitmask for replay protection
5045 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
5046 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
5047 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
5048 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
5049 *
5050 * Note that many fields of the ssl_context or sub-structures are not
5051 * serialized, as they fall in one of the following categories:
5052 *
5053 * 1. forced value (eg in_left must be 0)
5054 * 2. pointer to dynamically-allocated memory (eg session, transform)
5055 * 3. value can be re-derived from other data (eg session keys from MS)
5056 * 4. value was temporary (eg content of input buffer)
5057 * 5. value will be provided by the user again (eg I/O callbacks and context)
5058 */
mbedtls_ssl_context_save(mbedtls_ssl_context * ssl,unsigned char * buf,size_t buf_len,size_t * olen)5059 int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
5060 unsigned char *buf,
5061 size_t buf_len,
5062 size_t *olen)
5063 {
5064 unsigned char *p = buf;
5065 size_t used = 0;
5066 size_t session_len;
5067 int ret = 0;
5068
5069 /*
5070 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
5071 * this function's documentation.
5072 *
5073 * These are due to assumptions/limitations in the implementation. Some of
5074 * them are likely to stay (no handshake in progress) some might go away
5075 * (only DTLS) but are currently used to simplify the implementation.
5076 */
5077 /* The initial handshake must be over */
5078 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
5079 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
5080 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5081 }
5082 if (ssl->handshake != NULL) {
5083 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
5084 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5085 }
5086 /* Double-check that sub-structures are indeed ready */
5087 if (ssl->transform == NULL || ssl->session == NULL) {
5088 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
5089 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5090 }
5091 /* There must be no pending incoming or outgoing data */
5092 if (mbedtls_ssl_check_pending(ssl) != 0) {
5093 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
5094 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5095 }
5096 if (ssl->out_left != 0) {
5097 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
5098 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5099 }
5100 /* Protocol must be DTLS, not TLS */
5101 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5102 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
5103 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5104 }
5105 /* Version must be 1.2 */
5106 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
5107 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
5108 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5109 }
5110 /* We must be using an AEAD ciphersuite */
5111 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
5112 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
5113 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5114 }
5115 /* Renegotiation must not be enabled */
5116 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5117 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
5118 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
5119 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5120 }
5121 #endif
5122
5123 /*
5124 * Version and format identifier
5125 */
5126 used += sizeof(ssl_serialized_context_header);
5127
5128 if (used <= buf_len) {
5129 memcpy(p, ssl_serialized_context_header,
5130 sizeof(ssl_serialized_context_header));
5131 p += sizeof(ssl_serialized_context_header);
5132 }
5133
5134 /*
5135 * Session (length + data)
5136 */
5137 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
5138 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
5139 return ret;
5140 }
5141
5142 used += 4 + session_len;
5143 if (used <= buf_len) {
5144 MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
5145 p += 4;
5146
5147 ret = ssl_session_save(ssl->session, 1,
5148 p, session_len, &session_len);
5149 if (ret != 0) {
5150 return ret;
5151 }
5152
5153 p += session_len;
5154 }
5155
5156 /*
5157 * Transform
5158 */
5159 used += sizeof(ssl->transform->randbytes);
5160 if (used <= buf_len) {
5161 memcpy(p, ssl->transform->randbytes,
5162 sizeof(ssl->transform->randbytes));
5163 p += sizeof(ssl->transform->randbytes);
5164 }
5165
5166 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5167 used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
5168 if (used <= buf_len) {
5169 *p++ = ssl->transform->in_cid_len;
5170 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
5171 p += ssl->transform->in_cid_len;
5172
5173 *p++ = ssl->transform->out_cid_len;
5174 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
5175 p += ssl->transform->out_cid_len;
5176 }
5177 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5178
5179 /*
5180 * Saved fields from top-level ssl_context structure
5181 */
5182 used += 4;
5183 if (used <= buf_len) {
5184 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0);
5185 p += 4;
5186 }
5187
5188 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5189 used += 16;
5190 if (used <= buf_len) {
5191 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
5192 p += 8;
5193
5194 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
5195 p += 8;
5196 }
5197 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5198
5199 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5200 used += 1;
5201 if (used <= buf_len) {
5202 *p++ = ssl->disable_datagram_packing;
5203 }
5204 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5205
5206 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5207 if (used <= buf_len) {
5208 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
5209 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5210 }
5211
5212 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5213 used += 2;
5214 if (used <= buf_len) {
5215 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
5216 p += 2;
5217 }
5218 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5219
5220 #if defined(MBEDTLS_SSL_ALPN)
5221 {
5222 const uint8_t alpn_len = ssl->alpn_chosen
5223 ? (uint8_t) strlen(ssl->alpn_chosen)
5224 : 0;
5225
5226 used += 1 + alpn_len;
5227 if (used <= buf_len) {
5228 *p++ = alpn_len;
5229
5230 if (ssl->alpn_chosen != NULL) {
5231 memcpy(p, ssl->alpn_chosen, alpn_len);
5232 p += alpn_len;
5233 }
5234 }
5235 }
5236 #endif /* MBEDTLS_SSL_ALPN */
5237
5238 /*
5239 * Done
5240 */
5241 *olen = used;
5242
5243 if (used > buf_len) {
5244 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
5245 }
5246
5247 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
5248
5249 return mbedtls_ssl_session_reset_int(ssl, 0);
5250 }
5251
5252 /*
5253 * Deserialize context, see mbedtls_ssl_context_save() for format.
5254 *
5255 * This internal version is wrapped by a public function that cleans up in
5256 * case of error.
5257 */
5258 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_context_load(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)5259 static int ssl_context_load(mbedtls_ssl_context *ssl,
5260 const unsigned char *buf,
5261 size_t len)
5262 {
5263 const unsigned char *p = buf;
5264 const unsigned char * const end = buf + len;
5265 size_t session_len;
5266 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5267 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5268 tls_prf_fn prf_func = NULL;
5269 #endif
5270
5271 /*
5272 * The context should have been freshly setup or reset.
5273 * Give the user an error in case of obvious misuse.
5274 * (Checking session is useful because it won't be NULL if we're
5275 * renegotiating, or if the user mistakenly loaded a session first.)
5276 */
5277 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
5278 ssl->session != NULL) {
5279 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5280 }
5281
5282 /*
5283 * We can't check that the config matches the initial one, but we can at
5284 * least check it matches the requirements for serializing.
5285 */
5286 if (
5287 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5288 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5289 #endif
5290 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
5291 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
5292 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2
5293 ) {
5294 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5295 }
5296
5297 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
5298
5299 /*
5300 * Check version identifier
5301 */
5302 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
5303 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5304 }
5305
5306 if (memcmp(p, ssl_serialized_context_header,
5307 sizeof(ssl_serialized_context_header)) != 0) {
5308 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
5309 }
5310 p += sizeof(ssl_serialized_context_header);
5311
5312 /*
5313 * Session
5314 */
5315 if ((size_t) (end - p) < 4) {
5316 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5317 }
5318
5319 session_len = MBEDTLS_GET_UINT32_BE(p, 0);
5320 p += 4;
5321
5322 /* This has been allocated by ssl_handshake_init(), called by
5323 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5324 ssl->session = ssl->session_negotiate;
5325 ssl->session_in = ssl->session;
5326 ssl->session_out = ssl->session;
5327 ssl->session_negotiate = NULL;
5328
5329 if ((size_t) (end - p) < session_len) {
5330 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5331 }
5332
5333 ret = ssl_session_load(ssl->session, 1, p, session_len);
5334 if (ret != 0) {
5335 mbedtls_ssl_session_free(ssl->session);
5336 return ret;
5337 }
5338
5339 p += session_len;
5340
5341 /*
5342 * Transform
5343 */
5344
5345 /* This has been allocated by ssl_handshake_init(), called by
5346 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5347 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5348 ssl->transform = ssl->transform_negotiate;
5349 ssl->transform_in = ssl->transform;
5350 ssl->transform_out = ssl->transform;
5351 ssl->transform_negotiate = NULL;
5352 #endif
5353
5354 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5355 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
5356 if (prf_func == NULL) {
5357 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5358 }
5359
5360 /* Read random bytes and populate structure */
5361 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
5362 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5363 }
5364
5365 ret = ssl_tls12_populate_transform(ssl->transform,
5366 ssl->session->ciphersuite,
5367 ssl->session->master,
5368 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
5369 ssl->session->encrypt_then_mac,
5370 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
5371 prf_func,
5372 p, /* currently pointing to randbytes */
5373 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
5374 ssl->conf->endpoint,
5375 ssl);
5376 if (ret != 0) {
5377 return ret;
5378 }
5379 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5380 p += sizeof(ssl->transform->randbytes);
5381
5382 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5383 /* Read connection IDs and store them */
5384 if ((size_t) (end - p) < 1) {
5385 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5386 }
5387
5388 ssl->transform->in_cid_len = *p++;
5389
5390 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
5391 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5392 }
5393
5394 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
5395 p += ssl->transform->in_cid_len;
5396
5397 ssl->transform->out_cid_len = *p++;
5398
5399 if ((size_t) (end - p) < ssl->transform->out_cid_len) {
5400 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5401 }
5402
5403 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
5404 p += ssl->transform->out_cid_len;
5405 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5406
5407 /*
5408 * Saved fields from top-level ssl_context structure
5409 */
5410 if ((size_t) (end - p) < 4) {
5411 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5412 }
5413
5414 ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0);
5415 p += 4;
5416
5417 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5418 if ((size_t) (end - p) < 16) {
5419 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5420 }
5421
5422 ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
5423 p += 8;
5424
5425 ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
5426 p += 8;
5427 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5428
5429 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5430 if ((size_t) (end - p) < 1) {
5431 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5432 }
5433
5434 ssl->disable_datagram_packing = *p++;
5435 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5436
5437 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
5438 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5439 }
5440 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
5441 p += sizeof(ssl->cur_out_ctr);
5442
5443 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5444 if ((size_t) (end - p) < 2) {
5445 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5446 }
5447
5448 ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0);
5449 p += 2;
5450 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5451
5452 #if defined(MBEDTLS_SSL_ALPN)
5453 {
5454 uint8_t alpn_len;
5455 const char **cur;
5456
5457 if ((size_t) (end - p) < 1) {
5458 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5459 }
5460
5461 alpn_len = *p++;
5462
5463 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
5464 /* alpn_chosen should point to an item in the configured list */
5465 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
5466 if (strlen(*cur) == alpn_len &&
5467 memcmp(p, *cur, alpn_len) == 0) {
5468 ssl->alpn_chosen = *cur;
5469 break;
5470 }
5471 }
5472 }
5473
5474 /* can only happen on conf mismatch */
5475 if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
5476 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5477 }
5478
5479 p += alpn_len;
5480 }
5481 #endif /* MBEDTLS_SSL_ALPN */
5482
5483 /*
5484 * Forced fields from top-level ssl_context structure
5485 *
5486 * Most of them already set to the correct value by mbedtls_ssl_init() and
5487 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
5488 */
5489 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
5490 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5491
5492 /* Adjust pointers for header fields of outgoing records to
5493 * the given transform, accounting for explicit IV and CID. */
5494 mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
5495
5496 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5497 ssl->in_epoch = 1;
5498 #endif
5499
5500 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
5501 * which we don't want - otherwise we'd end up freeing the wrong transform
5502 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
5503 * inappropriately. */
5504 if (ssl->handshake != NULL) {
5505 mbedtls_ssl_handshake_free(ssl);
5506 mbedtls_free(ssl->handshake);
5507 ssl->handshake = NULL;
5508 }
5509
5510 /*
5511 * Done - should have consumed entire buffer
5512 */
5513 if (p != end) {
5514 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5515 }
5516
5517 return 0;
5518 }
5519
5520 /*
5521 * Deserialize context: public wrapper for error cleaning
5522 */
mbedtls_ssl_context_load(mbedtls_ssl_context * context,const unsigned char * buf,size_t len)5523 int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
5524 const unsigned char *buf,
5525 size_t len)
5526 {
5527 int ret = ssl_context_load(context, buf, len);
5528
5529 if (ret != 0) {
5530 mbedtls_ssl_free(context);
5531 }
5532
5533 return ret;
5534 }
5535 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
5536
5537 /*
5538 * Free an SSL context
5539 */
mbedtls_ssl_free(mbedtls_ssl_context * ssl)5540 void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
5541 {
5542 if (ssl == NULL) {
5543 return;
5544 }
5545
5546 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
5547
5548 if (ssl->out_buf != NULL) {
5549 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5550 size_t out_buf_len = ssl->out_buf_len;
5551 #else
5552 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
5553 #endif
5554
5555 mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len);
5556 ssl->out_buf = NULL;
5557 }
5558
5559 if (ssl->in_buf != NULL) {
5560 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5561 size_t in_buf_len = ssl->in_buf_len;
5562 #else
5563 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
5564 #endif
5565
5566 mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len);
5567 ssl->in_buf = NULL;
5568 }
5569
5570 if (ssl->transform) {
5571 mbedtls_ssl_transform_free(ssl->transform);
5572 mbedtls_free(ssl->transform);
5573 }
5574
5575 if (ssl->handshake) {
5576 mbedtls_ssl_handshake_free(ssl);
5577 mbedtls_free(ssl->handshake);
5578
5579 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5580 mbedtls_ssl_transform_free(ssl->transform_negotiate);
5581 mbedtls_free(ssl->transform_negotiate);
5582 #endif
5583
5584 mbedtls_ssl_session_free(ssl->session_negotiate);
5585 mbedtls_free(ssl->session_negotiate);
5586 }
5587
5588 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5589 mbedtls_ssl_transform_free(ssl->transform_application);
5590 mbedtls_free(ssl->transform_application);
5591 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5592
5593 if (ssl->session) {
5594 mbedtls_ssl_session_free(ssl->session);
5595 mbedtls_free(ssl->session);
5596 }
5597
5598 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5599 mbedtls_ssl_free_hostname(ssl);
5600 #endif
5601
5602 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5603 mbedtls_free(ssl->cli_id);
5604 #endif
5605
5606 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
5607
5608 /* Actually clear after last debug message */
5609 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
5610 }
5611
5612 /*
5613 * Initialize mbedtls_ssl_config
5614 */
mbedtls_ssl_config_init(mbedtls_ssl_config * conf)5615 void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
5616 {
5617 memset(conf, 0, sizeof(mbedtls_ssl_config));
5618 }
5619
5620 /* The selection should be the same as mbedtls_x509_crt_profile_default in
5621 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
5622 * curves with a lower resource usage come first.
5623 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
5624 * about this list.
5625 */
5626 static const uint16_t ssl_preset_default_groups[] = {
5627 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
5628 MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
5629 #endif
5630 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5631 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5632 #endif
5633 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5634 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5635 #endif
5636 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
5637 MBEDTLS_SSL_IANA_TLS_GROUP_X448,
5638 #endif
5639 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
5640 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
5641 #endif
5642 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
5643 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
5644 #endif
5645 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
5646 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
5647 #endif
5648 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
5649 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
5650 #endif
5651 #if defined(PSA_WANT_ALG_FFDH)
5652 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
5653 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
5654 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
5655 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144,
5656 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192,
5657 #endif
5658 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5659 };
5660
5661 static const int ssl_preset_suiteb_ciphersuites[] = {
5662 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
5663 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
5664 0
5665 };
5666
5667 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5668
5669 /* NOTICE:
5670 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
5671 * rules SHOULD be upheld.
5672 * - No duplicate entries.
5673 * - But if there is a good reason, do not change the order of the algorithms.
5674 * - ssl_tls12_preset* is for TLS 1.2 use only.
5675 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
5676 */
5677 static const uint16_t ssl_preset_default_sig_algs[] = {
5678
5679 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5680 defined(MBEDTLS_MD_CAN_SHA256) && \
5681 defined(PSA_WANT_ECC_SECP_R1_256)
5682 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5683 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5684 #endif
5685
5686 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5687 defined(MBEDTLS_MD_CAN_SHA384) && \
5688 defined(PSA_WANT_ECC_SECP_R1_384)
5689 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5690 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5691 #endif
5692
5693 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5694 defined(MBEDTLS_MD_CAN_SHA512) && \
5695 defined(PSA_WANT_ECC_SECP_R1_521)
5696 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
5697 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
5698 #endif
5699
5700 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
5701 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5702 #endif
5703
5704 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384)
5705 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5706 #endif
5707
5708 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
5709 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5710 #endif
5711
5712 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
5713 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
5714 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
5715
5716 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
5717 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
5718 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
5719
5720 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
5721 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
5722 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
5723
5724 MBEDTLS_TLS_SIG_NONE
5725 };
5726
5727 /* NOTICE: see above */
5728 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5729 static uint16_t ssl_tls12_preset_default_sig_algs[] = {
5730
5731 #if defined(MBEDTLS_MD_CAN_SHA512)
5732 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5733 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
5734 #endif
5735 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5736 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5737 #endif
5738 #if defined(MBEDTLS_RSA_C)
5739 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
5740 #endif
5741 #endif /* MBEDTLS_MD_CAN_SHA512 */
5742
5743 #if defined(MBEDTLS_MD_CAN_SHA384)
5744 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5745 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5746 #endif
5747 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5748 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5749 #endif
5750 #if defined(MBEDTLS_RSA_C)
5751 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
5752 #endif
5753 #endif /* MBEDTLS_MD_CAN_SHA384 */
5754
5755 #if defined(MBEDTLS_MD_CAN_SHA256)
5756 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5757 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5758 #endif
5759 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5760 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5761 #endif
5762 #if defined(MBEDTLS_RSA_C)
5763 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
5764 #endif
5765 #endif /* MBEDTLS_MD_CAN_SHA256 */
5766
5767 MBEDTLS_TLS_SIG_NONE
5768 };
5769 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5770
5771 /* NOTICE: see above */
5772 static const uint16_t ssl_preset_suiteb_sig_algs[] = {
5773
5774 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5775 defined(MBEDTLS_MD_CAN_SHA256) && \
5776 defined(MBEDTLS_ECP_HAVE_SECP256R1)
5777 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5778 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5779 #endif
5780
5781 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5782 defined(MBEDTLS_MD_CAN_SHA384) && \
5783 defined(MBEDTLS_ECP_HAVE_SECP384R1)
5784 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5785 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5786 #endif
5787
5788 MBEDTLS_TLS_SIG_NONE
5789 };
5790
5791 /* NOTICE: see above */
5792 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5793 static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
5794
5795 #if defined(MBEDTLS_MD_CAN_SHA256)
5796 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5797 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5798 #endif
5799 #endif /* MBEDTLS_MD_CAN_SHA256 */
5800
5801 #if defined(MBEDTLS_MD_CAN_SHA384)
5802 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5803 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5804 #endif
5805 #endif /* MBEDTLS_MD_CAN_SHA384 */
5806
5807 MBEDTLS_TLS_SIG_NONE
5808 };
5809 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5810
5811 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5812
5813 static const uint16_t ssl_preset_suiteb_groups[] = {
5814 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5815 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5816 #endif
5817 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5818 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5819 #endif
5820 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5821 };
5822
5823 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5824 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
5825 * to make sure there are no duplicated signature algorithm entries. */
5826 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_no_sig_alg_duplication(const uint16_t * sig_algs)5827 static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
5828 {
5829 size_t i, j;
5830 int ret = 0;
5831
5832 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
5833 for (j = 0; j < i; j++) {
5834 if (sig_algs[i] != sig_algs[j]) {
5835 continue;
5836 }
5837 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
5838 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
5839 sig_algs[i], j, i);
5840 ret = -1;
5841 }
5842 }
5843 return ret;
5844 }
5845
5846 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5847
5848 /*
5849 * Load default in mbedtls_ssl_config
5850 */
mbedtls_ssl_config_defaults(mbedtls_ssl_config * conf,int endpoint,int transport,int preset)5851 int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
5852 int endpoint, int transport, int preset)
5853 {
5854 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5855 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5856 #endif
5857
5858 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5859 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
5860 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
5861 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5862 }
5863
5864 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
5865 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
5866 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5867 }
5868
5869 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5870 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
5871 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
5872 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5873 }
5874
5875 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
5876 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
5877 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5878 }
5879 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5880 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5881
5882 /* Use the functions here so that they are covered in tests,
5883 * but otherwise access member directly for efficiency */
5884 mbedtls_ssl_conf_endpoint(conf, endpoint);
5885 mbedtls_ssl_conf_transport(conf, transport);
5886
5887 /*
5888 * Things that are common to all presets
5889 */
5890 #if defined(MBEDTLS_SSL_CLI_C)
5891 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
5892 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
5893 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
5894 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
5895 #endif
5896 }
5897 #endif
5898
5899 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5900 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
5901 #endif
5902
5903 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
5904 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
5905 #endif
5906
5907 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5908 conf->f_cookie_write = ssl_cookie_write_dummy;
5909 conf->f_cookie_check = ssl_cookie_check_dummy;
5910 #endif
5911
5912 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5913 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
5914 #endif
5915
5916 #if defined(MBEDTLS_SSL_SRV_C)
5917 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
5918 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
5919 #endif
5920
5921 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5922 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
5923 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
5924 #endif
5925
5926 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5927 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
5928 memset(conf->renego_period, 0x00, 2);
5929 memset(conf->renego_period + 2, 0xFF, 6);
5930 #endif
5931
5932 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5933 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
5934 const unsigned char dhm_p[] =
5935 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
5936 const unsigned char dhm_g[] =
5937 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
5938
5939 if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
5940 dhm_p, sizeof(dhm_p),
5941 dhm_g, sizeof(dhm_g))) != 0) {
5942 return ret;
5943 }
5944 }
5945 #endif
5946
5947 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5948
5949 #if defined(MBEDTLS_SSL_EARLY_DATA)
5950 mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
5951 #if defined(MBEDTLS_SSL_SRV_C)
5952 mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
5953 #endif
5954 #endif /* MBEDTLS_SSL_EARLY_DATA */
5955
5956 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
5957 mbedtls_ssl_conf_new_session_tickets(
5958 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS);
5959 #endif
5960 /*
5961 * Allow all TLS 1.3 key exchange modes by default.
5962 */
5963 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
5964 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5965
5966 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5967 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5968 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5969 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5970 #else
5971 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5972 #endif
5973 } else {
5974 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
5975 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5976 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5977 #elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
5978 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5979 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
5980 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
5981 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5982 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5983 #else
5984 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5985 #endif
5986 }
5987
5988 /*
5989 * Preset-specific defaults
5990 */
5991 switch (preset) {
5992 /*
5993 * NSA Suite B
5994 */
5995 case MBEDTLS_SSL_PRESET_SUITEB:
5996
5997 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
5998
5999 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6000 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
6001 #endif
6002
6003 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6004 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6005 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
6006 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
6007 } else
6008 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6009 conf->sig_algs = ssl_preset_suiteb_sig_algs;
6010 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6011
6012 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6013 conf->curve_list = NULL;
6014 #endif
6015 conf->group_list = ssl_preset_suiteb_groups;
6016 break;
6017
6018 /*
6019 * Default
6020 */
6021 default:
6022
6023 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
6024
6025 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6026 conf->cert_profile = &mbedtls_x509_crt_profile_default;
6027 #endif
6028
6029 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6030 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6031 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
6032 conf->sig_algs = ssl_tls12_preset_default_sig_algs;
6033 } else
6034 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6035 conf->sig_algs = ssl_preset_default_sig_algs;
6036 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6037
6038 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6039 conf->curve_list = NULL;
6040 #endif
6041 conf->group_list = ssl_preset_default_groups;
6042
6043 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
6044 conf->dhm_min_bitlen = 1024;
6045 #endif
6046 }
6047
6048 return 0;
6049 }
6050
6051 /*
6052 * Free mbedtls_ssl_config
6053 */
mbedtls_ssl_config_free(mbedtls_ssl_config * conf)6054 void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
6055 {
6056 #if defined(MBEDTLS_DHM_C)
6057 mbedtls_mpi_free(&conf->dhm_P);
6058 mbedtls_mpi_free(&conf->dhm_G);
6059 #endif
6060
6061 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
6062 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6063 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
6064 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
6065 }
6066 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6067 if (conf->psk != NULL) {
6068 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
6069 conf->psk = NULL;
6070 conf->psk_len = 0;
6071 }
6072
6073 if (conf->psk_identity != NULL) {
6074 mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len);
6075 conf->psk_identity = NULL;
6076 conf->psk_identity_len = 0;
6077 }
6078 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
6079
6080 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6081 ssl_key_cert_free(conf->key_cert);
6082 #endif
6083
6084 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
6085 }
6086
6087 #if defined(MBEDTLS_PK_C) && \
6088 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
6089 /*
6090 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
6091 */
mbedtls_ssl_sig_from_pk(mbedtls_pk_context * pk)6092 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
6093 {
6094 #if defined(MBEDTLS_RSA_C)
6095 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
6096 return MBEDTLS_SSL_SIG_RSA;
6097 }
6098 #endif
6099 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6100 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
6101 return MBEDTLS_SSL_SIG_ECDSA;
6102 }
6103 #endif
6104 return MBEDTLS_SSL_SIG_ANON;
6105 }
6106
mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)6107 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
6108 {
6109 switch (type) {
6110 case MBEDTLS_PK_RSA:
6111 return MBEDTLS_SSL_SIG_RSA;
6112 case MBEDTLS_PK_ECDSA:
6113 case MBEDTLS_PK_ECKEY:
6114 return MBEDTLS_SSL_SIG_ECDSA;
6115 default:
6116 return MBEDTLS_SSL_SIG_ANON;
6117 }
6118 }
6119
mbedtls_ssl_pk_alg_from_sig(unsigned char sig)6120 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
6121 {
6122 switch (sig) {
6123 #if defined(MBEDTLS_RSA_C)
6124 case MBEDTLS_SSL_SIG_RSA:
6125 return MBEDTLS_PK_RSA;
6126 #endif
6127 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6128 case MBEDTLS_SSL_SIG_ECDSA:
6129 return MBEDTLS_PK_ECDSA;
6130 #endif
6131 default:
6132 return MBEDTLS_PK_NONE;
6133 }
6134 }
6135 #endif /* MBEDTLS_PK_C &&
6136 ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
6137
6138 /*
6139 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
6140 */
mbedtls_ssl_md_alg_from_hash(unsigned char hash)6141 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
6142 {
6143 switch (hash) {
6144 #if defined(MBEDTLS_MD_CAN_MD5)
6145 case MBEDTLS_SSL_HASH_MD5:
6146 return MBEDTLS_MD_MD5;
6147 #endif
6148 #if defined(MBEDTLS_MD_CAN_SHA1)
6149 case MBEDTLS_SSL_HASH_SHA1:
6150 return MBEDTLS_MD_SHA1;
6151 #endif
6152 #if defined(MBEDTLS_MD_CAN_SHA224)
6153 case MBEDTLS_SSL_HASH_SHA224:
6154 return MBEDTLS_MD_SHA224;
6155 #endif
6156 #if defined(MBEDTLS_MD_CAN_SHA256)
6157 case MBEDTLS_SSL_HASH_SHA256:
6158 return MBEDTLS_MD_SHA256;
6159 #endif
6160 #if defined(MBEDTLS_MD_CAN_SHA384)
6161 case MBEDTLS_SSL_HASH_SHA384:
6162 return MBEDTLS_MD_SHA384;
6163 #endif
6164 #if defined(MBEDTLS_MD_CAN_SHA512)
6165 case MBEDTLS_SSL_HASH_SHA512:
6166 return MBEDTLS_MD_SHA512;
6167 #endif
6168 default:
6169 return MBEDTLS_MD_NONE;
6170 }
6171 }
6172
6173 /*
6174 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
6175 */
mbedtls_ssl_hash_from_md_alg(int md)6176 unsigned char mbedtls_ssl_hash_from_md_alg(int md)
6177 {
6178 switch (md) {
6179 #if defined(MBEDTLS_MD_CAN_MD5)
6180 case MBEDTLS_MD_MD5:
6181 return MBEDTLS_SSL_HASH_MD5;
6182 #endif
6183 #if defined(MBEDTLS_MD_CAN_SHA1)
6184 case MBEDTLS_MD_SHA1:
6185 return MBEDTLS_SSL_HASH_SHA1;
6186 #endif
6187 #if defined(MBEDTLS_MD_CAN_SHA224)
6188 case MBEDTLS_MD_SHA224:
6189 return MBEDTLS_SSL_HASH_SHA224;
6190 #endif
6191 #if defined(MBEDTLS_MD_CAN_SHA256)
6192 case MBEDTLS_MD_SHA256:
6193 return MBEDTLS_SSL_HASH_SHA256;
6194 #endif
6195 #if defined(MBEDTLS_MD_CAN_SHA384)
6196 case MBEDTLS_MD_SHA384:
6197 return MBEDTLS_SSL_HASH_SHA384;
6198 #endif
6199 #if defined(MBEDTLS_MD_CAN_SHA512)
6200 case MBEDTLS_MD_SHA512:
6201 return MBEDTLS_SSL_HASH_SHA512;
6202 #endif
6203 default:
6204 return MBEDTLS_SSL_HASH_NONE;
6205 }
6206 }
6207
6208 /*
6209 * Check if a curve proposed by the peer is in our list.
6210 * Return 0 if we're willing to use it, -1 otherwise.
6211 */
mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context * ssl,uint16_t tls_id)6212 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id)
6213 {
6214 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
6215
6216 if (group_list == NULL) {
6217 return -1;
6218 }
6219
6220 for (; *group_list != 0; group_list++) {
6221 if (*group_list == tls_id) {
6222 return 0;
6223 }
6224 }
6225
6226 return -1;
6227 }
6228
6229 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
6230 /*
6231 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
6232 */
mbedtls_ssl_check_curve(const mbedtls_ssl_context * ssl,mbedtls_ecp_group_id grp_id)6233 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
6234 {
6235 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
6236
6237 if (tls_id == 0) {
6238 return -1;
6239 }
6240
6241 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
6242 }
6243 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
6244
6245 static const struct {
6246 uint16_t tls_id;
6247 mbedtls_ecp_group_id ecp_group_id;
6248 psa_ecc_family_t psa_family;
6249 uint16_t bits;
6250 } tls_id_match_table[] =
6251 {
6252 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
6253 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
6254 #endif
6255 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
6256 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
6257 #endif
6258 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
6259 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
6260 #endif
6261 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
6262 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
6263 #endif
6264 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
6265 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
6266 #endif
6267 #if defined(MBEDTLS_ECP_HAVE_SECP256K1)
6268 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
6269 #endif
6270 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
6271 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
6272 #endif
6273 #if defined(MBEDTLS_ECP_HAVE_SECP224R1)
6274 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
6275 #endif
6276 #if defined(MBEDTLS_ECP_HAVE_SECP224K1)
6277 { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
6278 #endif
6279 #if defined(MBEDTLS_ECP_HAVE_SECP192R1)
6280 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
6281 #endif
6282 #if defined(MBEDTLS_ECP_HAVE_SECP192K1)
6283 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
6284 #endif
6285 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
6286 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
6287 #endif
6288 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
6289 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
6290 #endif
6291 { 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
6292 };
6293
mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,psa_key_type_t * type,size_t * bits)6294 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
6295 psa_key_type_t *type,
6296 size_t *bits)
6297 {
6298 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
6299 if (tls_id_match_table[i].tls_id == tls_id) {
6300 if (type != NULL) {
6301 *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
6302 }
6303 if (bits != NULL) {
6304 *bits = tls_id_match_table[i].bits;
6305 }
6306 return PSA_SUCCESS;
6307 }
6308 }
6309
6310 return PSA_ERROR_NOT_SUPPORTED;
6311 }
6312
mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)6313 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
6314 {
6315 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
6316 if (tls_id_match_table[i].tls_id == tls_id) {
6317 return tls_id_match_table[i].ecp_group_id;
6318 }
6319 }
6320
6321 return MBEDTLS_ECP_DP_NONE;
6322 }
6323
mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)6324 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
6325 {
6326 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
6327 i++) {
6328 if (tls_id_match_table[i].ecp_group_id == grp_id) {
6329 return tls_id_match_table[i].tls_id;
6330 }
6331 }
6332
6333 return 0;
6334 }
6335
6336 #if defined(MBEDTLS_DEBUG_C)
6337 static const struct {
6338 uint16_t tls_id;
6339 const char *name;
6340 } tls_id_curve_name_table[] =
6341 {
6342 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },
6343 { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },
6344 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },
6345 { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },
6346 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
6347 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
6348 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
6349 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
6350 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
6351 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
6352 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
6353 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
6354 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
6355 { 0, NULL },
6356 };
6357
mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)6358 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
6359 {
6360 for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) {
6361 if (tls_id_curve_name_table[i].tls_id == tls_id) {
6362 return tls_id_curve_name_table[i].name;
6363 }
6364 }
6365
6366 return NULL;
6367 }
6368 #endif
6369
6370 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)6371 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
6372 const mbedtls_md_type_t md,
6373 unsigned char *dst,
6374 size_t dst_len,
6375 size_t *olen)
6376 {
6377 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6378 psa_hash_operation_t *hash_operation_to_clone;
6379 psa_hash_operation_t hash_operation = psa_hash_operation_init();
6380
6381 *olen = 0;
6382
6383 switch (md) {
6384 #if defined(MBEDTLS_MD_CAN_SHA384)
6385 case MBEDTLS_MD_SHA384:
6386 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
6387 break;
6388 #endif
6389
6390 #if defined(MBEDTLS_MD_CAN_SHA256)
6391 case MBEDTLS_MD_SHA256:
6392 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
6393 break;
6394 #endif
6395
6396 default:
6397 goto exit;
6398 }
6399
6400 status = psa_hash_clone(hash_operation_to_clone, &hash_operation);
6401 if (status != PSA_SUCCESS) {
6402 goto exit;
6403 }
6404
6405 status = psa_hash_finish(&hash_operation, dst, dst_len, olen);
6406 if (status != PSA_SUCCESS) {
6407 goto exit;
6408 }
6409
6410 exit:
6411 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
6412 !defined(MBEDTLS_MD_CAN_SHA256)
6413 (void) ssl;
6414 #endif
6415 return PSA_TO_MBEDTLS_ERR(status);
6416 }
6417 #else /* MBEDTLS_USE_PSA_CRYPTO */
6418
6419 #if defined(MBEDTLS_MD_CAN_SHA384)
6420 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha384(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)6421 static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl,
6422 unsigned char *dst,
6423 size_t dst_len,
6424 size_t *olen)
6425 {
6426 int ret;
6427 mbedtls_md_context_t sha384;
6428
6429 if (dst_len < 48) {
6430 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6431 }
6432
6433 mbedtls_md_init(&sha384);
6434 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
6435 if (ret != 0) {
6436 goto exit;
6437 }
6438 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
6439 if (ret != 0) {
6440 goto exit;
6441 }
6442
6443 if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) {
6444 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
6445 goto exit;
6446 }
6447
6448 *olen = 48;
6449
6450 exit:
6451
6452 mbedtls_md_free(&sha384);
6453 return ret;
6454 }
6455 #endif /* MBEDTLS_MD_CAN_SHA384 */
6456
6457 #if defined(MBEDTLS_MD_CAN_SHA256)
6458 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha256(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)6459 static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl,
6460 unsigned char *dst,
6461 size_t dst_len,
6462 size_t *olen)
6463 {
6464 int ret;
6465 mbedtls_md_context_t sha256;
6466
6467 if (dst_len < 32) {
6468 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6469 }
6470
6471 mbedtls_md_init(&sha256);
6472 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
6473 if (ret != 0) {
6474 goto exit;
6475 }
6476 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
6477 if (ret != 0) {
6478 goto exit;
6479 }
6480
6481 if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) {
6482 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
6483 goto exit;
6484 }
6485
6486 *olen = 32;
6487
6488 exit:
6489
6490 mbedtls_md_free(&sha256);
6491 return ret;
6492 }
6493 #endif /* MBEDTLS_MD_CAN_SHA256 */
6494
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)6495 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
6496 const mbedtls_md_type_t md,
6497 unsigned char *dst,
6498 size_t dst_len,
6499 size_t *olen)
6500 {
6501 switch (md) {
6502
6503 #if defined(MBEDTLS_MD_CAN_SHA384)
6504 case MBEDTLS_MD_SHA384:
6505 return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen);
6506 #endif /* MBEDTLS_MD_CAN_SHA384*/
6507
6508 #if defined(MBEDTLS_MD_CAN_SHA256)
6509 case MBEDTLS_MD_SHA256:
6510 return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen);
6511 #endif /* MBEDTLS_MD_CAN_SHA256*/
6512
6513 default:
6514 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
6515 !defined(MBEDTLS_MD_CAN_SHA256)
6516 (void) ssl;
6517 (void) dst;
6518 (void) dst_len;
6519 (void) olen;
6520 #endif
6521 break;
6522 }
6523 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6524 }
6525
6526 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
6527
6528 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6529 /* mbedtls_ssl_parse_sig_alg_ext()
6530 *
6531 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
6532 * value (TLS 1.3 RFC8446):
6533 * enum {
6534 * ....
6535 * ecdsa_secp256r1_sha256( 0x0403 ),
6536 * ecdsa_secp384r1_sha384( 0x0503 ),
6537 * ecdsa_secp521r1_sha512( 0x0603 ),
6538 * ....
6539 * } SignatureScheme;
6540 *
6541 * struct {
6542 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
6543 * } SignatureSchemeList;
6544 *
6545 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
6546 * value (TLS 1.2 RFC5246):
6547 * enum {
6548 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
6549 * sha512(6), (255)
6550 * } HashAlgorithm;
6551 *
6552 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
6553 * SignatureAlgorithm;
6554 *
6555 * struct {
6556 * HashAlgorithm hash;
6557 * SignatureAlgorithm signature;
6558 * } SignatureAndHashAlgorithm;
6559 *
6560 * SignatureAndHashAlgorithm
6561 * supported_signature_algorithms<2..2^16-2>;
6562 *
6563 * The TLS 1.3 signature algorithm extension was defined to be a compatible
6564 * generalization of the TLS 1.2 signature algorithm extension.
6565 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
6566 * `SignatureScheme` field of TLS 1.3
6567 *
6568 */
mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)6569 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
6570 const unsigned char *buf,
6571 const unsigned char *end)
6572 {
6573 const unsigned char *p = buf;
6574 size_t supported_sig_algs_len = 0;
6575 const unsigned char *supported_sig_algs_end;
6576 uint16_t sig_alg;
6577 uint32_t common_idx = 0;
6578
6579 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
6580 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0);
6581 p += 2;
6582
6583 memset(ssl->handshake->received_sig_algs, 0,
6584 sizeof(ssl->handshake->received_sig_algs));
6585
6586 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len);
6587 supported_sig_algs_end = p + supported_sig_algs_len;
6588 while (p < supported_sig_algs_end) {
6589 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2);
6590 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
6591 p += 2;
6592 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s",
6593 sig_alg,
6594 mbedtls_ssl_sig_alg_to_str(sig_alg)));
6595 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6596 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
6597 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) &&
6598 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) {
6599 continue;
6600 }
6601 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6602
6603 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s",
6604 mbedtls_ssl_sig_alg_to_str(sig_alg)));
6605
6606 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) {
6607 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
6608 common_idx += 1;
6609 }
6610 }
6611 /* Check that we consumed all the message. */
6612 if (p != end) {
6613 MBEDTLS_SSL_DEBUG_MSG(1,
6614 ("Signature algorithms extension length misaligned"));
6615 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
6616 MBEDTLS_ERR_SSL_DECODE_ERROR);
6617 return MBEDTLS_ERR_SSL_DECODE_ERROR;
6618 }
6619
6620 if (common_idx == 0) {
6621 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common"));
6622 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
6623 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
6624 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
6625 }
6626
6627 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
6628 return 0;
6629 }
6630
6631 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6632
6633 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6634
6635 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6636
setup_psa_key_derivation(psa_key_derivation_operation_t * derivation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,const unsigned char * raw_psk,size_t raw_psk_length,const unsigned char * seed,size_t seed_length,const unsigned char * label,size_t label_length,const unsigned char * other_secret,size_t other_secret_length,size_t capacity)6637 static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
6638 mbedtls_svc_key_id_t key,
6639 psa_algorithm_t alg,
6640 const unsigned char *raw_psk, size_t raw_psk_length,
6641 const unsigned char *seed, size_t seed_length,
6642 const unsigned char *label, size_t label_length,
6643 const unsigned char *other_secret,
6644 size_t other_secret_length,
6645 size_t capacity)
6646 {
6647 psa_status_t status;
6648
6649 status = psa_key_derivation_setup(derivation, alg);
6650 if (status != PSA_SUCCESS) {
6651 return status;
6652 }
6653
6654 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
6655 status = psa_key_derivation_input_bytes(derivation,
6656 PSA_KEY_DERIVATION_INPUT_SEED,
6657 seed, seed_length);
6658 if (status != PSA_SUCCESS) {
6659 return status;
6660 }
6661
6662 if (other_secret != NULL) {
6663 status = psa_key_derivation_input_bytes(derivation,
6664 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
6665 other_secret, other_secret_length);
6666 if (status != PSA_SUCCESS) {
6667 return status;
6668 }
6669 }
6670
6671 if (mbedtls_svc_key_id_is_null(key)) {
6672 status = psa_key_derivation_input_bytes(
6673 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
6674 raw_psk, raw_psk_length);
6675 } else {
6676 status = psa_key_derivation_input_key(
6677 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
6678 }
6679 if (status != PSA_SUCCESS) {
6680 return status;
6681 }
6682
6683 status = psa_key_derivation_input_bytes(derivation,
6684 PSA_KEY_DERIVATION_INPUT_LABEL,
6685 label, label_length);
6686 if (status != PSA_SUCCESS) {
6687 return status;
6688 }
6689 } else {
6690 return PSA_ERROR_NOT_SUPPORTED;
6691 }
6692
6693 status = psa_key_derivation_set_capacity(derivation, capacity);
6694 if (status != PSA_SUCCESS) {
6695 return status;
6696 }
6697
6698 return PSA_SUCCESS;
6699 }
6700
6701 #if defined(PSA_WANT_ALG_SHA_384) || \
6702 defined(PSA_WANT_ALG_SHA_256)
6703 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6704 static int tls_prf_generic(mbedtls_md_type_t md_type,
6705 const unsigned char *secret, size_t slen,
6706 const char *label,
6707 const unsigned char *random, size_t rlen,
6708 unsigned char *dstbuf, size_t dlen)
6709 {
6710 psa_status_t status;
6711 psa_algorithm_t alg;
6712 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
6713 psa_key_derivation_operation_t derivation =
6714 PSA_KEY_DERIVATION_OPERATION_INIT;
6715
6716 if (md_type == MBEDTLS_MD_SHA384) {
6717 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
6718 } else {
6719 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
6720 }
6721
6722 /* Normally a "secret" should be long enough to be impossible to
6723 * find by brute force, and in particular should not be empty. But
6724 * this PRF is also used to derive an IV, in particular in EAP-TLS,
6725 * and for this use case it makes sense to have a 0-length "secret".
6726 * Since the key API doesn't allow importing a key of length 0,
6727 * keep master_key=0, which setup_psa_key_derivation() understands
6728 * to mean a 0-length "secret" input. */
6729 if (slen != 0) {
6730 psa_key_attributes_t key_attributes = psa_key_attributes_init();
6731 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
6732 psa_set_key_algorithm(&key_attributes, alg);
6733 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
6734
6735 status = psa_import_key(&key_attributes, secret, slen, &master_key);
6736 if (status != PSA_SUCCESS) {
6737 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6738 }
6739 }
6740
6741 status = setup_psa_key_derivation(&derivation,
6742 master_key, alg,
6743 NULL, 0,
6744 random, rlen,
6745 (unsigned char const *) label,
6746 (size_t) strlen(label),
6747 NULL, 0,
6748 dlen);
6749 if (status != PSA_SUCCESS) {
6750 psa_key_derivation_abort(&derivation);
6751 psa_destroy_key(master_key);
6752 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6753 }
6754
6755 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
6756 if (status != PSA_SUCCESS) {
6757 psa_key_derivation_abort(&derivation);
6758 psa_destroy_key(master_key);
6759 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6760 }
6761
6762 status = psa_key_derivation_abort(&derivation);
6763 if (status != PSA_SUCCESS) {
6764 psa_destroy_key(master_key);
6765 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6766 }
6767
6768 if (!mbedtls_svc_key_id_is_null(master_key)) {
6769 status = psa_destroy_key(master_key);
6770 }
6771 if (status != PSA_SUCCESS) {
6772 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6773 }
6774
6775 return 0;
6776 }
6777 #endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
6778 #else /* MBEDTLS_USE_PSA_CRYPTO */
6779
6780 #if defined(MBEDTLS_MD_C) && \
6781 (defined(MBEDTLS_MD_CAN_SHA256) || \
6782 defined(MBEDTLS_MD_CAN_SHA384))
6783 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6784 static int tls_prf_generic(mbedtls_md_type_t md_type,
6785 const unsigned char *secret, size_t slen,
6786 const char *label,
6787 const unsigned char *random, size_t rlen,
6788 unsigned char *dstbuf, size_t dlen)
6789 {
6790 size_t nb;
6791 size_t i, j, k, md_len;
6792 unsigned char *tmp;
6793 size_t tmp_len = 0;
6794 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
6795 const mbedtls_md_info_t *md_info;
6796 mbedtls_md_context_t md_ctx;
6797 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6798
6799 mbedtls_md_init(&md_ctx);
6800
6801 if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) {
6802 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6803 }
6804
6805 md_len = mbedtls_md_get_size(md_info);
6806
6807 tmp_len = md_len + strlen(label) + rlen;
6808 tmp = mbedtls_calloc(1, tmp_len);
6809 if (tmp == NULL) {
6810 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
6811 goto exit;
6812 }
6813
6814 nb = strlen(label);
6815 memcpy(tmp + md_len, label, nb);
6816 memcpy(tmp + md_len + nb, random, rlen);
6817 nb += rlen;
6818
6819 /*
6820 * Compute P_<hash>(secret, label + random)[0..dlen]
6821 */
6822 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
6823 goto exit;
6824 }
6825
6826 ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen);
6827 if (ret != 0) {
6828 goto exit;
6829 }
6830 ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb);
6831 if (ret != 0) {
6832 goto exit;
6833 }
6834 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6835 if (ret != 0) {
6836 goto exit;
6837 }
6838
6839 for (i = 0; i < dlen; i += md_len) {
6840 ret = mbedtls_md_hmac_reset(&md_ctx);
6841 if (ret != 0) {
6842 goto exit;
6843 }
6844 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb);
6845 if (ret != 0) {
6846 goto exit;
6847 }
6848 ret = mbedtls_md_hmac_finish(&md_ctx, h_i);
6849 if (ret != 0) {
6850 goto exit;
6851 }
6852
6853 ret = mbedtls_md_hmac_reset(&md_ctx);
6854 if (ret != 0) {
6855 goto exit;
6856 }
6857 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len);
6858 if (ret != 0) {
6859 goto exit;
6860 }
6861 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6862 if (ret != 0) {
6863 goto exit;
6864 }
6865
6866 k = (i + md_len > dlen) ? dlen % md_len : md_len;
6867
6868 for (j = 0; j < k; j++) {
6869 dstbuf[i + j] = h_i[j];
6870 }
6871 }
6872
6873 exit:
6874 mbedtls_md_free(&md_ctx);
6875
6876 if (tmp != NULL) {
6877 mbedtls_platform_zeroize(tmp, tmp_len);
6878 }
6879
6880 mbedtls_platform_zeroize(h_i, sizeof(h_i));
6881
6882 mbedtls_free(tmp);
6883
6884 return ret;
6885 }
6886 #endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */
6887 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6888
6889 #if defined(MBEDTLS_MD_CAN_SHA256)
6890 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha256(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6891 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
6892 const char *label,
6893 const unsigned char *random, size_t rlen,
6894 unsigned char *dstbuf, size_t dlen)
6895 {
6896 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
6897 label, random, rlen, dstbuf, dlen);
6898 }
6899 #endif /* MBEDTLS_MD_CAN_SHA256*/
6900
6901 #if defined(MBEDTLS_MD_CAN_SHA384)
6902 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha384(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6903 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
6904 const char *label,
6905 const unsigned char *random, size_t rlen,
6906 unsigned char *dstbuf, size_t dlen)
6907 {
6908 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
6909 label, random, rlen, dstbuf, dlen);
6910 }
6911 #endif /* MBEDTLS_MD_CAN_SHA384*/
6912
6913 /*
6914 * Set appropriate PRF function and other SSL / TLS1.2 functions
6915 *
6916 * Inputs:
6917 * - hash associated with the ciphersuite (only used by TLS 1.2)
6918 *
6919 * Outputs:
6920 * - the tls_prf, calc_verify and calc_finished members of handshake structure
6921 */
6922 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_set_handshake_prfs(mbedtls_ssl_handshake_params * handshake,mbedtls_md_type_t hash)6923 static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
6924 mbedtls_md_type_t hash)
6925 {
6926 #if defined(MBEDTLS_MD_CAN_SHA384)
6927 if (hash == MBEDTLS_MD_SHA384) {
6928 handshake->tls_prf = tls_prf_sha384;
6929 handshake->calc_verify = ssl_calc_verify_tls_sha384;
6930 handshake->calc_finished = ssl_calc_finished_tls_sha384;
6931 } else
6932 #endif
6933 #if defined(MBEDTLS_MD_CAN_SHA256)
6934 {
6935 (void) hash;
6936 handshake->tls_prf = tls_prf_sha256;
6937 handshake->calc_verify = ssl_calc_verify_tls_sha256;
6938 handshake->calc_finished = ssl_calc_finished_tls_sha256;
6939 }
6940 #else
6941 {
6942 (void) handshake;
6943 (void) hash;
6944 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6945 }
6946 #endif
6947
6948 return 0;
6949 }
6950
6951 /*
6952 * Compute master secret if needed
6953 *
6954 * Parameters:
6955 * [in/out] handshake
6956 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
6957 * (PSA-PSK) ciphersuite_info, psk_opaque
6958 * [out] premaster (cleared)
6959 * [out] master
6960 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
6961 * debug: conf->f_dbg, conf->p_dbg
6962 * EMS: passed to calc_verify (debug + session_negotiate)
6963 * PSA-PSA: conf
6964 */
6965 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_compute_master(mbedtls_ssl_handshake_params * handshake,unsigned char * master,const mbedtls_ssl_context * ssl)6966 static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
6967 unsigned char *master,
6968 const mbedtls_ssl_context *ssl)
6969 {
6970 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6971
6972 /* cf. RFC 5246, Section 8.1:
6973 * "The master secret is always exactly 48 bytes in length." */
6974 size_t const master_secret_len = 48;
6975
6976 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6977 unsigned char session_hash[48];
6978 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
6979
6980 /* The label for the KDF used for key expansion.
6981 * This is either "master secret" or "extended master secret"
6982 * depending on whether the Extended Master Secret extension
6983 * is used. */
6984 char const *lbl = "master secret";
6985
6986 /* The seed for the KDF used for key expansion.
6987 * - If the Extended Master Secret extension is not used,
6988 * this is ClientHello.Random + ServerHello.Random
6989 * (see Sect. 8.1 in RFC 5246).
6990 * - If the Extended Master Secret extension is used,
6991 * this is the transcript of the handshake so far.
6992 * (see Sect. 4 in RFC 7627). */
6993 unsigned char const *seed = handshake->randbytes;
6994 size_t seed_len = 64;
6995
6996 #if !defined(MBEDTLS_DEBUG_C) && \
6997 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
6998 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
6999 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
7000 ssl = NULL; /* make sure we don't use it except for those cases */
7001 (void) ssl;
7002 #endif
7003
7004 if (handshake->resume != 0) {
7005 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
7006 return 0;
7007 }
7008
7009 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
7010 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
7011 lbl = "extended master secret";
7012 seed = session_hash;
7013 ret = handshake->calc_verify(ssl, session_hash, &seed_len);
7014 if (ret != 0) {
7015 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
7016 }
7017
7018 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
7019 session_hash, seed_len);
7020 }
7021 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
7022
7023 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
7024 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
7025 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) {
7026 /* Perform PSK-to-MS expansion in a single step. */
7027 psa_status_t status;
7028 psa_algorithm_t alg;
7029 mbedtls_svc_key_id_t psk;
7030 psa_key_derivation_operation_t derivation =
7031 PSA_KEY_DERIVATION_OPERATION_INIT;
7032 mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
7033
7034 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
7035
7036 psk = mbedtls_ssl_get_opaque_psk(ssl);
7037
7038 if (hash_alg == MBEDTLS_MD_SHA384) {
7039 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
7040 } else {
7041 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
7042 }
7043
7044 size_t other_secret_len = 0;
7045 unsigned char *other_secret = NULL;
7046
7047 switch (handshake->ciphersuite_info->key_exchange) {
7048 /* Provide other secret.
7049 * Other secret is stored in premaster, where first 2 bytes hold the
7050 * length of the other key.
7051 */
7052 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
7053 /* For RSA-PSK other key length is always 48 bytes. */
7054 other_secret_len = 48;
7055 other_secret = handshake->premaster + 2;
7056 break;
7057 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
7058 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
7059 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
7060 other_secret = handshake->premaster + 2;
7061 break;
7062 default:
7063 break;
7064 }
7065
7066 status = setup_psa_key_derivation(&derivation, psk, alg,
7067 ssl->conf->psk, ssl->conf->psk_len,
7068 seed, seed_len,
7069 (unsigned char const *) lbl,
7070 (size_t) strlen(lbl),
7071 other_secret, other_secret_len,
7072 master_secret_len);
7073 if (status != PSA_SUCCESS) {
7074 psa_key_derivation_abort(&derivation);
7075 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7076 }
7077
7078 status = psa_key_derivation_output_bytes(&derivation,
7079 master,
7080 master_secret_len);
7081 if (status != PSA_SUCCESS) {
7082 psa_key_derivation_abort(&derivation);
7083 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7084 }
7085
7086 status = psa_key_derivation_abort(&derivation);
7087 if (status != PSA_SUCCESS) {
7088 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7089 }
7090 } else
7091 #endif
7092 {
7093 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
7094 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
7095 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
7096 psa_status_t status;
7097 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
7098 psa_key_derivation_operation_t derivation =
7099 PSA_KEY_DERIVATION_OPERATION_INIT;
7100
7101 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE"));
7102
7103 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
7104
7105 status = psa_key_derivation_setup(&derivation, alg);
7106 if (status != PSA_SUCCESS) {
7107 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7108 }
7109
7110 status = psa_key_derivation_set_capacity(&derivation,
7111 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
7112 if (status != PSA_SUCCESS) {
7113 psa_key_derivation_abort(&derivation);
7114 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7115 }
7116
7117 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx,
7118 &derivation);
7119 if (status != PSA_SUCCESS) {
7120 psa_key_derivation_abort(&derivation);
7121 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7122 }
7123
7124 status = psa_key_derivation_output_bytes(&derivation,
7125 handshake->premaster,
7126 handshake->pmslen);
7127 if (status != PSA_SUCCESS) {
7128 psa_key_derivation_abort(&derivation);
7129 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7130 }
7131
7132 status = psa_key_derivation_abort(&derivation);
7133 if (status != PSA_SUCCESS) {
7134 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7135 }
7136 }
7137 #endif
7138 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
7139 lbl, seed, seed_len,
7140 master,
7141 master_secret_len);
7142 if (ret != 0) {
7143 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
7144 return ret;
7145 }
7146
7147 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
7148 handshake->premaster,
7149 handshake->pmslen);
7150
7151 mbedtls_platform_zeroize(handshake->premaster,
7152 sizeof(handshake->premaster));
7153 }
7154
7155 return 0;
7156 }
7157
mbedtls_ssl_derive_keys(mbedtls_ssl_context * ssl)7158 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
7159 {
7160 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7161 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
7162 ssl->handshake->ciphersuite_info;
7163
7164 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
7165
7166 /* Set PRF, calc_verify and calc_finished function pointers */
7167 ret = ssl_set_handshake_prfs(ssl->handshake,
7168 (mbedtls_md_type_t) ciphersuite_info->mac);
7169 if (ret != 0) {
7170 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
7171 return ret;
7172 }
7173
7174 /* Compute master secret if needed */
7175 ret = ssl_compute_master(ssl->handshake,
7176 ssl->session_negotiate->master,
7177 ssl);
7178 if (ret != 0) {
7179 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
7180 return ret;
7181 }
7182
7183 /* Swap the client and server random values:
7184 * - MS derivation wanted client+server (RFC 5246 8.1)
7185 * - key derivation wants server+client (RFC 5246 6.3) */
7186 {
7187 unsigned char tmp[64];
7188 memcpy(tmp, ssl->handshake->randbytes, 64);
7189 memcpy(ssl->handshake->randbytes, tmp + 32, 32);
7190 memcpy(ssl->handshake->randbytes + 32, tmp, 32);
7191 mbedtls_platform_zeroize(tmp, sizeof(tmp));
7192 }
7193
7194 /* Populate transform structure */
7195 ret = ssl_tls12_populate_transform(ssl->transform_negotiate,
7196 ssl->session_negotiate->ciphersuite,
7197 ssl->session_negotiate->master,
7198 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
7199 ssl->session_negotiate->encrypt_then_mac,
7200 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
7201 ssl->handshake->tls_prf,
7202 ssl->handshake->randbytes,
7203 ssl->tls_version,
7204 ssl->conf->endpoint,
7205 ssl);
7206 if (ret != 0) {
7207 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret);
7208 return ret;
7209 }
7210
7211 /* We no longer need Server/ClientHello.random values */
7212 mbedtls_platform_zeroize(ssl->handshake->randbytes,
7213 sizeof(ssl->handshake->randbytes));
7214
7215 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
7216
7217 return 0;
7218 }
7219
mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context * ssl,int md)7220 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
7221 {
7222 switch (md) {
7223 #if defined(MBEDTLS_MD_CAN_SHA384)
7224 case MBEDTLS_SSL_HASH_SHA384:
7225 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
7226 break;
7227 #endif
7228 #if defined(MBEDTLS_MD_CAN_SHA256)
7229 case MBEDTLS_SSL_HASH_SHA256:
7230 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
7231 break;
7232 #endif
7233 default:
7234 return -1;
7235 }
7236 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
7237 !defined(MBEDTLS_MD_CAN_SHA256)
7238 (void) ssl;
7239 #endif
7240 return 0;
7241 }
7242
7243 #if defined(MBEDTLS_USE_PSA_CRYPTO)
ssl_calc_verify_tls_psa(const mbedtls_ssl_context * ssl,const psa_hash_operation_t * hs_op,size_t buffer_size,unsigned char * hash,size_t * hlen)7244 static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
7245 const psa_hash_operation_t *hs_op,
7246 size_t buffer_size,
7247 unsigned char *hash,
7248 size_t *hlen)
7249 {
7250 psa_status_t status;
7251 psa_hash_operation_t cloned_op = psa_hash_operation_init();
7252
7253 #if !defined(MBEDTLS_DEBUG_C)
7254 (void) ssl;
7255 #endif
7256 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
7257 status = psa_hash_clone(hs_op, &cloned_op);
7258 if (status != PSA_SUCCESS) {
7259 goto exit;
7260 }
7261
7262 status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
7263 if (status != PSA_SUCCESS) {
7264 goto exit;
7265 }
7266
7267 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
7268 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
7269
7270 exit:
7271 psa_hash_abort(&cloned_op);
7272 return mbedtls_md_error_from_psa(status);
7273 }
7274 #else
ssl_calc_verify_tls_legacy(const mbedtls_ssl_context * ssl,const mbedtls_md_context_t * hs_ctx,unsigned char * hash,size_t * hlen)7275 static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl,
7276 const mbedtls_md_context_t *hs_ctx,
7277 unsigned char *hash,
7278 size_t *hlen)
7279 {
7280 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7281 mbedtls_md_context_t cloned_ctx;
7282
7283 mbedtls_md_init(&cloned_ctx);
7284
7285 #if !defined(MBEDTLS_DEBUG_C)
7286 (void) ssl;
7287 #endif
7288 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify"));
7289
7290 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
7291 if (ret != 0) {
7292 goto exit;
7293 }
7294 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
7295 if (ret != 0) {
7296 goto exit;
7297 }
7298
7299 ret = mbedtls_md_finish(&cloned_ctx, hash);
7300 if (ret != 0) {
7301 goto exit;
7302 }
7303
7304 *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx));
7305
7306 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
7307 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
7308
7309 exit:
7310 mbedtls_md_free(&cloned_ctx);
7311 return ret;
7312 }
7313 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7314
7315 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_calc_verify_tls_sha256(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)7316 int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
7317 unsigned char *hash,
7318 size_t *hlen)
7319 {
7320 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7321 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
7322 hash, hlen);
7323 #else
7324 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256,
7325 hash, hlen);
7326 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7327 }
7328 #endif /* MBEDTLS_MD_CAN_SHA256 */
7329
7330 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_calc_verify_tls_sha384(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)7331 int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
7332 unsigned char *hash,
7333 size_t *hlen)
7334 {
7335 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7336 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
7337 hash, hlen);
7338 #else
7339 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384,
7340 hash, hlen);
7341 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7342 }
7343 #endif /* MBEDTLS_MD_CAN_SHA384 */
7344
7345 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
7346 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context * ssl,mbedtls_key_exchange_type_t key_ex)7347 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex)
7348 {
7349 unsigned char *p = ssl->handshake->premaster;
7350 unsigned char *end = p + sizeof(ssl->handshake->premaster);
7351 const unsigned char *psk = NULL;
7352 size_t psk_len = 0;
7353 int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len);
7354
7355 if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) {
7356 /*
7357 * This should never happen because the existence of a PSK is always
7358 * checked before calling this function.
7359 *
7360 * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with
7361 * the shared secret without PSK.
7362 */
7363 if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
7364 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7365 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7366 }
7367 }
7368
7369 /*
7370 * PMS = struct {
7371 * opaque other_secret<0..2^16-1>;
7372 * opaque psk<0..2^16-1>;
7373 * };
7374 * with "other_secret" depending on the particular key exchange
7375 */
7376 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
7377 if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) {
7378 if (end - p < 2) {
7379 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7380 }
7381
7382 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
7383 p += 2;
7384
7385 if (end < p || (size_t) (end - p) < psk_len) {
7386 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7387 }
7388
7389 memset(p, 0, psk_len);
7390 p += psk_len;
7391 } else
7392 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
7393 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
7394 if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7395 /*
7396 * other_secret already set by the ClientKeyExchange message,
7397 * and is 48 bytes long
7398 */
7399 if (end - p < 2) {
7400 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7401 }
7402
7403 *p++ = 0;
7404 *p++ = 48;
7405 p += 48;
7406 } else
7407 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
7408 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
7409 if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
7410 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7411 size_t len;
7412
7413 /* Write length only when we know the actual value */
7414 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
7415 p + 2, (size_t) (end - (p + 2)), &len,
7416 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
7417 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
7418 return ret;
7419 }
7420 MBEDTLS_PUT_UINT16_BE(len, p, 0);
7421 p += 2 + len;
7422
7423 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
7424 } else
7425 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
7426 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
7427 if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
7428 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7429 size_t zlen;
7430
7431 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen,
7432 p + 2, (size_t) (end - (p + 2)),
7433 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
7434 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
7435 return ret;
7436 }
7437
7438 MBEDTLS_PUT_UINT16_BE(zlen, p, 0);
7439 p += 2 + zlen;
7440
7441 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
7442 MBEDTLS_DEBUG_ECDH_Z);
7443 } else
7444 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
7445 {
7446 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7447 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7448 }
7449
7450 /* opaque psk<0..2^16-1>; */
7451 if (end - p < 2) {
7452 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7453 }
7454
7455 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
7456 p += 2;
7457
7458 if (end < p || (size_t) (end - p) < psk_len) {
7459 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7460 }
7461
7462 memcpy(p, psk, psk_len);
7463 p += psk_len;
7464
7465 ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster);
7466
7467 return 0;
7468 }
7469 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
7470
7471 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
7472 MBEDTLS_CHECK_RETURN_CRITICAL
7473 static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
7474
7475 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_resend_hello_request(mbedtls_ssl_context * ssl)7476 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl)
7477 {
7478 /* If renegotiation is not enforced, retransmit until we would reach max
7479 * timeout if we were using the usual handshake doubling scheme */
7480 if (ssl->conf->renego_max_records < 0) {
7481 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
7482 unsigned char doublings = 1;
7483
7484 while (ratio != 0) {
7485 ++doublings;
7486 ratio >>= 1;
7487 }
7488
7489 if (++ssl->renego_records_seen > doublings) {
7490 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
7491 return 0;
7492 }
7493 }
7494
7495 return ssl_write_hello_request(ssl);
7496 }
7497 #endif
7498 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
7499
7500 /*
7501 * Handshake functions
7502 */
7503 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
7504 /* No certificate support -> dummy functions */
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)7505 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
7506 {
7507 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7508 ssl->handshake->ciphersuite_info;
7509
7510 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
7511
7512 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7513 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7514 ssl->state++;
7515 return 0;
7516 }
7517
7518 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7519 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7520 }
7521
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)7522 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
7523 {
7524 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7525 ssl->handshake->ciphersuite_info;
7526
7527 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
7528
7529 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7530 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
7531 ssl->state++;
7532 return 0;
7533 }
7534
7535 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7536 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7537 }
7538
7539 #else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
7540 /* Some certificate support -> implement write and parse */
7541
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)7542 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
7543 {
7544 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
7545 size_t i, n;
7546 const mbedtls_x509_crt *crt;
7547 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7548 ssl->handshake->ciphersuite_info;
7549
7550 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
7551
7552 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7553 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7554 ssl->state++;
7555 return 0;
7556 }
7557
7558 #if defined(MBEDTLS_SSL_CLI_C)
7559 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7560 if (ssl->handshake->client_auth == 0) {
7561 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7562 ssl->state++;
7563 return 0;
7564 }
7565 }
7566 #endif /* MBEDTLS_SSL_CLI_C */
7567 #if defined(MBEDTLS_SSL_SRV_C)
7568 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7569 if (mbedtls_ssl_own_cert(ssl) == NULL) {
7570 /* Should never happen because we shouldn't have picked the
7571 * ciphersuite if we don't have a certificate. */
7572 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7573 }
7574 }
7575 #endif
7576
7577 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
7578
7579 /*
7580 * 0 . 0 handshake type
7581 * 1 . 3 handshake length
7582 * 4 . 6 length of all certs
7583 * 7 . 9 length of cert. 1
7584 * 10 . n-1 peer certificate
7585 * n . n+2 length of cert. 2
7586 * n+3 . ... upper level cert, etc.
7587 */
7588 i = 7;
7589 crt = mbedtls_ssl_own_cert(ssl);
7590
7591 while (crt != NULL) {
7592 n = crt->raw.len;
7593 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
7594 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
7595 " > %" MBEDTLS_PRINTF_SIZET,
7596 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
7597 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
7598 }
7599
7600 ssl->out_msg[i] = MBEDTLS_BYTE_2(n);
7601 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n);
7602 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n);
7603
7604 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n);
7605 i += n; crt = crt->next;
7606 }
7607
7608 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7);
7609 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7);
7610 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7);
7611
7612 ssl->out_msglen = i;
7613 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7614 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
7615
7616 ssl->state++;
7617
7618 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
7619 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
7620 return ret;
7621 }
7622
7623 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
7624
7625 return ret;
7626 }
7627
7628 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7629
7630 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7631 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)7632 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7633 unsigned char *crt_buf,
7634 size_t crt_buf_len)
7635 {
7636 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
7637
7638 if (peer_crt == NULL) {
7639 return -1;
7640 }
7641
7642 if (peer_crt->raw.len != crt_buf_len) {
7643 return -1;
7644 }
7645
7646 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len);
7647 }
7648 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7649 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)7650 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7651 unsigned char *crt_buf,
7652 size_t crt_buf_len)
7653 {
7654 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7655 unsigned char const * const peer_cert_digest =
7656 ssl->session->peer_cert_digest;
7657 mbedtls_md_type_t const peer_cert_digest_type =
7658 ssl->session->peer_cert_digest_type;
7659 mbedtls_md_info_t const * const digest_info =
7660 mbedtls_md_info_from_type(peer_cert_digest_type);
7661 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
7662 size_t digest_len;
7663
7664 if (peer_cert_digest == NULL || digest_info == NULL) {
7665 return -1;
7666 }
7667
7668 digest_len = mbedtls_md_get_size(digest_info);
7669 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) {
7670 return -1;
7671 }
7672
7673 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
7674 if (ret != 0) {
7675 return -1;
7676 }
7677
7678 return memcmp(tmp_digest, peer_cert_digest, digest_len);
7679 }
7680 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7681 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7682
7683 /*
7684 * Once the certificate message is read, parse it into a cert chain and
7685 * perform basic checks, but leave actual verification to the caller
7686 */
7687 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * chain)7688 static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
7689 mbedtls_x509_crt *chain)
7690 {
7691 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7692 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7693 int crt_cnt = 0;
7694 #endif
7695 size_t i, n;
7696 uint8_t alert;
7697
7698 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
7699 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7700 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7701 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7702 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7703 }
7704
7705 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) {
7706 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7707 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7708 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7709 }
7710
7711 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
7712 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7713 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7714 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7715 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7716 }
7717
7718 i = mbedtls_ssl_hs_hdr_len(ssl);
7719
7720 /*
7721 * Same message structure as in mbedtls_ssl_write_certificate()
7722 */
7723 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
7724
7725 if (ssl->in_msg[i] != 0 ||
7726 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
7727 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7728 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7729 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7730 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7731 }
7732
7733 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
7734 i += 3;
7735
7736 /* Iterate through and parse the CRTs in the provided chain. */
7737 while (i < ssl->in_hslen) {
7738 /* Check that there's room for the next CRT's length fields. */
7739 if (i + 3 > ssl->in_hslen) {
7740 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7741 mbedtls_ssl_send_alert_message(ssl,
7742 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7743 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7744 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7745 }
7746 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
7747 * anything beyond 2**16 ~ 64K. */
7748 if (ssl->in_msg[i] != 0) {
7749 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7750 mbedtls_ssl_send_alert_message(ssl,
7751 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7752 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
7753 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7754 }
7755
7756 /* Read length of the next CRT in the chain. */
7757 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
7758 i += 3;
7759
7760 if (n < 128 || i + n > ssl->in_hslen) {
7761 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7762 mbedtls_ssl_send_alert_message(ssl,
7763 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7764 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7765 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7766 }
7767
7768 /* Check if we're handling the first CRT in the chain. */
7769 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7770 if (crt_cnt++ == 0 &&
7771 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
7772 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
7773 /* During client-side renegotiation, check that the server's
7774 * end-CRTs hasn't changed compared to the initial handshake,
7775 * mitigating the triple handshake attack. On success, reuse
7776 * the original end-CRT instead of parsing it again. */
7777 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
7778 if (ssl_check_peer_crt_unchanged(ssl,
7779 &ssl->in_msg[i],
7780 n) != 0) {
7781 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
7782 mbedtls_ssl_send_alert_message(ssl,
7783 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7784 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
7785 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7786 }
7787
7788 /* Now we can safely free the original chain. */
7789 ssl_clear_peer_cert(ssl->session);
7790 }
7791 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7792
7793 /* Parse the next certificate in the chain. */
7794 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7795 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
7796 #else
7797 /* If we don't need to store the CRT chain permanently, parse
7798 * it in-place from the input buffer instead of making a copy. */
7799 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
7800 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7801 switch (ret) {
7802 case 0: /*ok*/
7803 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
7804 /* Ignore certificate with an unknown algorithm: maybe a
7805 prior certificate was already trusted. */
7806 break;
7807
7808 case MBEDTLS_ERR_X509_ALLOC_FAILED:
7809 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
7810 goto crt_parse_der_failed;
7811
7812 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
7813 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7814 goto crt_parse_der_failed;
7815
7816 default:
7817 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
7818 crt_parse_der_failed:
7819 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
7820 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
7821 return ret;
7822 }
7823
7824 i += n;
7825 }
7826
7827 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
7828 return 0;
7829 }
7830
7831 #if defined(MBEDTLS_SSL_SRV_C)
7832 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context * ssl)7833 static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl)
7834 {
7835 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7836 return -1;
7837 }
7838
7839 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
7840 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
7841 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
7842 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
7843 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
7844 return 0;
7845 }
7846 return -1;
7847 }
7848 #endif /* MBEDTLS_SSL_SRV_C */
7849
7850 /* Check if a certificate message is expected.
7851 * Return either
7852 * - SSL_CERTIFICATE_EXPECTED, or
7853 * - SSL_CERTIFICATE_SKIP
7854 * indicating whether a Certificate message is expected or not.
7855 */
7856 #define SSL_CERTIFICATE_EXPECTED 0
7857 #define SSL_CERTIFICATE_SKIP 1
7858 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_coordinate(mbedtls_ssl_context * ssl,int authmode)7859 static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
7860 int authmode)
7861 {
7862 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7863 ssl->handshake->ciphersuite_info;
7864
7865 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7866 return SSL_CERTIFICATE_SKIP;
7867 }
7868
7869 #if defined(MBEDTLS_SSL_SRV_C)
7870 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7871 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7872 return SSL_CERTIFICATE_SKIP;
7873 }
7874
7875 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
7876 ssl->session_negotiate->verify_result =
7877 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
7878 return SSL_CERTIFICATE_SKIP;
7879 }
7880 }
7881 #else
7882 ((void) authmode);
7883 #endif /* MBEDTLS_SSL_SRV_C */
7884
7885 return SSL_CERTIFICATE_EXPECTED;
7886 }
7887
7888 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7889 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_crt_digest(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7890 static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
7891 unsigned char *start, size_t len)
7892 {
7893 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7894 /* Remember digest of the peer's end-CRT. */
7895 ssl->session_negotiate->peer_cert_digest =
7896 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
7897 if (ssl->session_negotiate->peer_cert_digest == NULL) {
7898 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
7899 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
7900 mbedtls_ssl_send_alert_message(ssl,
7901 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7902 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
7903
7904 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
7905 }
7906
7907 ret = mbedtls_md(mbedtls_md_info_from_type(
7908 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
7909 start, len,
7910 ssl->session_negotiate->peer_cert_digest);
7911
7912 ssl->session_negotiate->peer_cert_digest_type =
7913 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
7914 ssl->session_negotiate->peer_cert_digest_len =
7915 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
7916
7917 return ret;
7918 }
7919
7920 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_pubkey(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7921 static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
7922 unsigned char *start, size_t len)
7923 {
7924 unsigned char *end = start + len;
7925 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7926
7927 /* Make a copy of the peer's raw public key. */
7928 mbedtls_pk_init(&ssl->handshake->peer_pubkey);
7929 ret = mbedtls_pk_parse_subpubkey(&start, end,
7930 &ssl->handshake->peer_pubkey);
7931 if (ret != 0) {
7932 /* We should have parsed the public key before. */
7933 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7934 }
7935
7936 return 0;
7937 }
7938 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7939
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)7940 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
7941 {
7942 int ret = 0;
7943 int crt_expected;
7944 /* Authmode: precedence order is SNI if used else configuration */
7945 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7946 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
7947 ? ssl->handshake->sni_authmode
7948 : ssl->conf->authmode;
7949 #else
7950 const int authmode = ssl->conf->authmode;
7951 #endif
7952 void *rs_ctx = NULL;
7953 mbedtls_x509_crt *chain = NULL;
7954
7955 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
7956
7957 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
7958 if (crt_expected == SSL_CERTIFICATE_SKIP) {
7959 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
7960 goto exit;
7961 }
7962
7963 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
7964 if (ssl->handshake->ecrs_enabled &&
7965 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
7966 chain = ssl->handshake->ecrs_peer_cert;
7967 ssl->handshake->ecrs_peer_cert = NULL;
7968 goto crt_verify;
7969 }
7970 #endif
7971
7972 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
7973 /* mbedtls_ssl_read_record may have sent an alert already. We
7974 let it decide whether to alert. */
7975 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
7976 goto exit;
7977 }
7978
7979 #if defined(MBEDTLS_SSL_SRV_C)
7980 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
7981 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
7982
7983 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) {
7984 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
7985 }
7986
7987 goto exit;
7988 }
7989 #endif /* MBEDTLS_SSL_SRV_C */
7990
7991 /* Clear existing peer CRT structure in case we tried to
7992 * reuse a session but it failed, and allocate a new one. */
7993 ssl_clear_peer_cert(ssl->session_negotiate);
7994
7995 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
7996 if (chain == NULL) {
7997 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
7998 sizeof(mbedtls_x509_crt)));
7999 mbedtls_ssl_send_alert_message(ssl,
8000 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8001 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
8002
8003 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
8004 goto exit;
8005 }
8006 mbedtls_x509_crt_init(chain);
8007
8008 ret = ssl_parse_certificate_chain(ssl, chain);
8009 if (ret != 0) {
8010 goto exit;
8011 }
8012
8013 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8014 if (ssl->handshake->ecrs_enabled) {
8015 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
8016 }
8017
8018 crt_verify:
8019 if (ssl->handshake->ecrs_enabled) {
8020 rs_ctx = &ssl->handshake->ecrs_ctx;
8021 }
8022 #endif
8023
8024 ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain,
8025 ssl->handshake->ciphersuite_info,
8026 rs_ctx);
8027 if (ret != 0) {
8028 goto exit;
8029 }
8030
8031 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
8032 {
8033 unsigned char *crt_start, *pk_start;
8034 size_t crt_len, pk_len;
8035
8036 /* We parse the CRT chain without copying, so
8037 * these pointers point into the input buffer,
8038 * and are hence still valid after freeing the
8039 * CRT chain. */
8040
8041 crt_start = chain->raw.p;
8042 crt_len = chain->raw.len;
8043
8044 pk_start = chain->pk_raw.p;
8045 pk_len = chain->pk_raw.len;
8046
8047 /* Free the CRT structures before computing
8048 * digest and copying the peer's public key. */
8049 mbedtls_x509_crt_free(chain);
8050 mbedtls_free(chain);
8051 chain = NULL;
8052
8053 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
8054 if (ret != 0) {
8055 goto exit;
8056 }
8057
8058 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
8059 if (ret != 0) {
8060 goto exit;
8061 }
8062 }
8063 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8064 /* Pass ownership to session structure. */
8065 ssl->session_negotiate->peer_cert = chain;
8066 chain = NULL;
8067 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8068
8069 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
8070
8071 exit:
8072
8073 if (ret == 0) {
8074 ssl->state++;
8075 }
8076
8077 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8078 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
8079 ssl->handshake->ecrs_peer_cert = chain;
8080 chain = NULL;
8081 }
8082 #endif
8083
8084 if (chain != NULL) {
8085 mbedtls_x509_crt_free(chain);
8086 mbedtls_free(chain);
8087 }
8088
8089 return ret;
8090 }
8091 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
8092
ssl_calc_finished_tls_generic(mbedtls_ssl_context * ssl,void * ctx,unsigned char * padbuf,size_t hlen,unsigned char * buf,int from)8093 static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
8094 unsigned char *padbuf, size_t hlen,
8095 unsigned char *buf, int from)
8096 {
8097 unsigned int len = 12;
8098 const char *sender;
8099 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8100 psa_status_t status;
8101 psa_hash_operation_t *hs_op = ctx;
8102 psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
8103 size_t hash_size;
8104 #else
8105 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8106 mbedtls_md_context_t *hs_ctx = ctx;
8107 mbedtls_md_context_t cloned_ctx;
8108 mbedtls_md_init(&cloned_ctx);
8109 #endif
8110
8111 mbedtls_ssl_session *session = ssl->session_negotiate;
8112 if (!session) {
8113 session = ssl->session;
8114 }
8115
8116 sender = (from == MBEDTLS_SSL_IS_CLIENT)
8117 ? "client finished"
8118 : "server finished";
8119
8120 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8121 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
8122
8123 status = psa_hash_clone(hs_op, &cloned_op);
8124 if (status != PSA_SUCCESS) {
8125 goto exit;
8126 }
8127
8128 status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
8129 if (status != PSA_SUCCESS) {
8130 goto exit;
8131 }
8132 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
8133 #else
8134 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls"));
8135
8136 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
8137 if (ret != 0) {
8138 goto exit;
8139 }
8140 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
8141 if (ret != 0) {
8142 goto exit;
8143 }
8144
8145 ret = mbedtls_md_finish(&cloned_ctx, padbuf);
8146 if (ret != 0) {
8147 goto exit;
8148 }
8149 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8150
8151 MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
8152
8153 /*
8154 * TLSv1.2:
8155 * hash = PRF( master, finished_label,
8156 * Hash( handshake ) )[0.11]
8157 */
8158 ssl->handshake->tls_prf(session->master, 48, sender,
8159 padbuf, hlen, buf, len);
8160
8161 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
8162
8163 mbedtls_platform_zeroize(padbuf, hlen);
8164
8165 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
8166
8167 exit:
8168 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8169 psa_hash_abort(&cloned_op);
8170 return mbedtls_md_error_from_psa(status);
8171 #else
8172 mbedtls_md_free(&cloned_ctx);
8173 return ret;
8174 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8175 }
8176
8177 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_calc_finished_tls_sha256(mbedtls_ssl_context * ssl,unsigned char * buf,int from)8178 static int ssl_calc_finished_tls_sha256(
8179 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
8180 {
8181 unsigned char padbuf[32];
8182 return ssl_calc_finished_tls_generic(ssl,
8183 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8184 &ssl->handshake->fin_sha256_psa,
8185 #else
8186 &ssl->handshake->fin_sha256,
8187 #endif
8188 padbuf, sizeof(padbuf),
8189 buf, from);
8190 }
8191 #endif /* MBEDTLS_MD_CAN_SHA256*/
8192
8193
8194 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_calc_finished_tls_sha384(mbedtls_ssl_context * ssl,unsigned char * buf,int from)8195 static int ssl_calc_finished_tls_sha384(
8196 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
8197 {
8198 unsigned char padbuf[48];
8199 return ssl_calc_finished_tls_generic(ssl,
8200 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8201 &ssl->handshake->fin_sha384_psa,
8202 #else
8203 &ssl->handshake->fin_sha384,
8204 #endif
8205 padbuf, sizeof(padbuf),
8206 buf, from);
8207 }
8208 #endif /* MBEDTLS_MD_CAN_SHA384*/
8209
mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context * ssl)8210 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
8211 {
8212 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
8213
8214 /*
8215 * Free our handshake params
8216 */
8217 mbedtls_ssl_handshake_free(ssl);
8218 mbedtls_free(ssl->handshake);
8219 ssl->handshake = NULL;
8220
8221 /*
8222 * Free the previous transform and switch in the current one
8223 */
8224 if (ssl->transform) {
8225 mbedtls_ssl_transform_free(ssl->transform);
8226 mbedtls_free(ssl->transform);
8227 }
8228 ssl->transform = ssl->transform_negotiate;
8229 ssl->transform_negotiate = NULL;
8230
8231 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
8232 }
8233
mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context * ssl)8234 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
8235 {
8236 int resume = ssl->handshake->resume;
8237
8238 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
8239
8240 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8241 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
8242 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
8243 ssl->renego_records_seen = 0;
8244 }
8245 #endif
8246
8247 /*
8248 * Free the previous session and switch in the current one
8249 */
8250 if (ssl->session) {
8251 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8252 /* RFC 7366 3.1: keep the EtM state */
8253 ssl->session_negotiate->encrypt_then_mac =
8254 ssl->session->encrypt_then_mac;
8255 #endif
8256
8257 mbedtls_ssl_session_free(ssl->session);
8258 mbedtls_free(ssl->session);
8259 }
8260 ssl->session = ssl->session_negotiate;
8261 ssl->session_negotiate = NULL;
8262
8263 /*
8264 * Add cache entry
8265 */
8266 if (ssl->conf->f_set_cache != NULL &&
8267 ssl->session->id_len != 0 &&
8268 resume == 0) {
8269 if (ssl->conf->f_set_cache(ssl->conf->p_cache,
8270 ssl->session->id,
8271 ssl->session->id_len,
8272 ssl->session) != 0) {
8273 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
8274 }
8275 }
8276
8277 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8278 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8279 ssl->handshake->flight != NULL) {
8280 /* Cancel handshake timer */
8281 mbedtls_ssl_set_timer(ssl, 0);
8282
8283 /* Keep last flight around in case we need to resend it:
8284 * we need the handshake and transform structures for that */
8285 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
8286 } else
8287 #endif
8288 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
8289
8290 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
8291
8292 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
8293 }
8294
mbedtls_ssl_write_finished(mbedtls_ssl_context * ssl)8295 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
8296 {
8297 int ret;
8298 unsigned int hash_len;
8299
8300 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
8301
8302 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
8303
8304 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
8305 if (ret != 0) {
8306 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
8307 }
8308
8309 /*
8310 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
8311 * may define some other value. Currently (early 2016), no defined
8312 * ciphersuite does this (and this is unlikely to change as activity has
8313 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
8314 */
8315 hash_len = 12;
8316
8317 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8318 ssl->verify_data_len = hash_len;
8319 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
8320 #endif
8321
8322 ssl->out_msglen = 4 + hash_len;
8323 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
8324 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
8325
8326 /*
8327 * In case of session resuming, invert the client and server
8328 * ChangeCipherSpec messages order.
8329 */
8330 if (ssl->handshake->resume != 0) {
8331 #if defined(MBEDTLS_SSL_CLI_C)
8332 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8333 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
8334 }
8335 #endif
8336 #if defined(MBEDTLS_SSL_SRV_C)
8337 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8338 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
8339 }
8340 #endif
8341 } else {
8342 ssl->state++;
8343 }
8344
8345 /*
8346 * Switch to our negotiated transform and session parameters for outbound
8347 * data.
8348 */
8349 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
8350
8351 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8352 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8353 unsigned char i;
8354
8355 /* Remember current epoch settings for resending */
8356 ssl->handshake->alt_transform_out = ssl->transform_out;
8357 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
8358 sizeof(ssl->handshake->alt_out_ctr));
8359
8360 /* Set sequence_number to zero */
8361 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2);
8362
8363
8364 /* Increment epoch */
8365 for (i = 2; i > 0; i--) {
8366 if (++ssl->cur_out_ctr[i - 1] != 0) {
8367 break;
8368 }
8369 }
8370
8371 /* The loop goes to its end iff the counter is wrapping */
8372 if (i == 0) {
8373 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
8374 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
8375 }
8376 } else
8377 #endif /* MBEDTLS_SSL_PROTO_DTLS */
8378 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
8379
8380 ssl->transform_out = ssl->transform_negotiate;
8381 ssl->session_out = ssl->session_negotiate;
8382
8383 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8384 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8385 mbedtls_ssl_send_flight_completed(ssl);
8386 }
8387 #endif
8388
8389 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
8390 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
8391 return ret;
8392 }
8393
8394 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8395 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8396 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
8397 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
8398 return ret;
8399 }
8400 #endif
8401
8402 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
8403
8404 return 0;
8405 }
8406
8407 #define SSL_MAX_HASH_LEN 12
8408
mbedtls_ssl_parse_finished(mbedtls_ssl_context * ssl)8409 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
8410 {
8411 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8412 unsigned int hash_len = 12;
8413 unsigned char buf[SSL_MAX_HASH_LEN];
8414
8415 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
8416
8417 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
8418 if (ret != 0) {
8419 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
8420 }
8421
8422 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
8423 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
8424 goto exit;
8425 }
8426
8427 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
8428 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8429 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8430 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8431 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8432 goto exit;
8433 }
8434
8435 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) {
8436 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8437 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8438 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8439 goto exit;
8440 }
8441
8442 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
8443 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8444 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8445 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
8446 ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
8447 goto exit;
8448 }
8449
8450 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
8451 buf, hash_len) != 0) {
8452 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8453 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8454 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
8455 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8456 goto exit;
8457 }
8458
8459 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8460 ssl->verify_data_len = hash_len;
8461 memcpy(ssl->peer_verify_data, buf, hash_len);
8462 #endif
8463
8464 if (ssl->handshake->resume != 0) {
8465 #if defined(MBEDTLS_SSL_CLI_C)
8466 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8467 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
8468 }
8469 #endif
8470 #if defined(MBEDTLS_SSL_SRV_C)
8471 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8472 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
8473 }
8474 #endif
8475 } else {
8476 ssl->state++;
8477 }
8478
8479 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8480 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8481 mbedtls_ssl_recv_flight_completed(ssl);
8482 }
8483 #endif
8484
8485 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
8486
8487 exit:
8488 mbedtls_platform_zeroize(buf, hash_len);
8489 return ret;
8490 }
8491
8492 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8493 /*
8494 * Helper to get TLS 1.2 PRF from ciphersuite
8495 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
8496 */
ssl_tls12prf_from_cs(int ciphersuite_id)8497 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
8498 {
8499 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
8500 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
8501 #if defined(MBEDTLS_MD_CAN_SHA384)
8502 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
8503 return tls_prf_sha384;
8504 } else
8505 #endif
8506 #if defined(MBEDTLS_MD_CAN_SHA256)
8507 {
8508 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
8509 return tls_prf_sha256;
8510 }
8511 }
8512 #endif
8513 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
8514 !defined(MBEDTLS_MD_CAN_SHA256)
8515 (void) ciphersuite_info;
8516 #endif
8517
8518 return NULL;
8519 }
8520 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
8521
tls_prf_get_type(mbedtls_ssl_tls_prf_cb * tls_prf)8522 static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
8523 {
8524 ((void) tls_prf);
8525 #if defined(MBEDTLS_MD_CAN_SHA384)
8526 if (tls_prf == tls_prf_sha384) {
8527 return MBEDTLS_SSL_TLS_PRF_SHA384;
8528 } else
8529 #endif
8530 #if defined(MBEDTLS_MD_CAN_SHA256)
8531 if (tls_prf == tls_prf_sha256) {
8532 return MBEDTLS_SSL_TLS_PRF_SHA256;
8533 } else
8534 #endif
8535 return MBEDTLS_SSL_TLS_PRF_NONE;
8536 }
8537
8538 /*
8539 * Populate a transform structure with session keys and all the other
8540 * necessary information.
8541 *
8542 * Parameters:
8543 * - [in/out]: transform: structure to populate
8544 * [in] must be just initialised with mbedtls_ssl_transform_init()
8545 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
8546 * - [in] ciphersuite
8547 * - [in] master
8548 * - [in] encrypt_then_mac
8549 * - [in] tls_prf: pointer to PRF to use for key derivation
8550 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
8551 * - [in] tls_version: TLS version
8552 * - [in] endpoint: client or server
8553 * - [in] ssl: used for:
8554 * - ssl->conf->{f,p}_export_keys
8555 * [in] optionally used for:
8556 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
8557 */
8558 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_populate_transform(mbedtls_ssl_transform * transform,int ciphersuite,const unsigned char master[48],int encrypt_then_mac,ssl_tls_prf_t tls_prf,const unsigned char randbytes[64],mbedtls_ssl_protocol_version tls_version,unsigned endpoint,const mbedtls_ssl_context * ssl)8559 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
8560 int ciphersuite,
8561 const unsigned char master[48],
8562 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8563 int encrypt_then_mac,
8564 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8565 ssl_tls_prf_t tls_prf,
8566 const unsigned char randbytes[64],
8567 mbedtls_ssl_protocol_version tls_version,
8568 unsigned endpoint,
8569 const mbedtls_ssl_context *ssl)
8570 {
8571 int ret = 0;
8572 unsigned char keyblk[256];
8573 unsigned char *key1;
8574 unsigned char *key2;
8575 unsigned char *mac_enc;
8576 unsigned char *mac_dec;
8577 size_t mac_key_len = 0;
8578 size_t iv_copy_len;
8579 size_t keylen;
8580 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
8581 mbedtls_ssl_mode_t ssl_mode;
8582 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
8583 const mbedtls_cipher_info_t *cipher_info;
8584 const mbedtls_md_info_t *md_info;
8585 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
8586
8587 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8588 psa_key_type_t key_type;
8589 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8590 psa_algorithm_t alg;
8591 psa_algorithm_t mac_alg = 0;
8592 size_t key_bits;
8593 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8594 #endif
8595
8596 /*
8597 * Some data just needs copying into the structure
8598 */
8599 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8600 transform->encrypt_then_mac = encrypt_then_mac;
8601 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8602 transform->tls_version = tls_version;
8603
8604 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8605 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
8606 #endif
8607
8608 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
8609 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
8610 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
8611 * generation separate. This should never happen. */
8612 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8613 }
8614 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
8615
8616 /*
8617 * Get various info structures
8618 */
8619 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
8620 if (ciphersuite_info == NULL) {
8621 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
8622 ciphersuite));
8623 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8624 }
8625
8626 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
8627 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8628 encrypt_then_mac,
8629 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8630 ciphersuite_info);
8631
8632 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8633 transform->taglen =
8634 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
8635 }
8636
8637 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8638 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher,
8639 transform->taglen,
8640 &alg,
8641 &key_type,
8642 &key_bits)) != PSA_SUCCESS) {
8643 ret = PSA_TO_MBEDTLS_ERR(status);
8644 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
8645 goto end;
8646 }
8647 #else
8648 cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher);
8649 if (cipher_info == NULL) {
8650 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
8651 ciphersuite_info->cipher));
8652 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8653 }
8654 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8655
8656 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8657 mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
8658 if (mac_alg == 0) {
8659 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
8660 (unsigned) ciphersuite_info->mac));
8661 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8662 }
8663 #else
8664 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
8665 if (md_info == NULL) {
8666 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found",
8667 (unsigned) ciphersuite_info->mac));
8668 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8669 }
8670 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8671
8672 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
8673 /* Copy own and peer's CID if the use of the CID
8674 * extension has been negotiated. */
8675 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
8676 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
8677
8678 transform->in_cid_len = ssl->own_cid_len;
8679 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
8680 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
8681 transform->in_cid_len);
8682
8683 transform->out_cid_len = ssl->handshake->peer_cid_len;
8684 memcpy(transform->out_cid, ssl->handshake->peer_cid,
8685 ssl->handshake->peer_cid_len);
8686 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
8687 transform->out_cid_len);
8688 }
8689 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
8690
8691 /*
8692 * Compute key block using the PRF
8693 */
8694 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
8695 if (ret != 0) {
8696 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
8697 return ret;
8698 }
8699
8700 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
8701 mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
8702 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
8703 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
8704 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
8705
8706 /*
8707 * Determine the appropriate key, IV and MAC length.
8708 */
8709
8710 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8711 keylen = PSA_BITS_TO_BYTES(key_bits);
8712 #else
8713 keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
8714 #endif
8715
8716 #if defined(MBEDTLS_SSL_HAVE_AEAD)
8717 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8718 size_t explicit_ivlen;
8719
8720 transform->maclen = 0;
8721 mac_key_len = 0;
8722
8723 /* All modes haves 96-bit IVs, but the length of the static parts vary
8724 * with mode and version:
8725 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
8726 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
8727 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
8728 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
8729 * sequence number).
8730 */
8731 transform->ivlen = 12;
8732
8733 int is_chachapoly = 0;
8734 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8735 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20);
8736 #else
8737 is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info)
8738 == MBEDTLS_MODE_CHACHAPOLY);
8739 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8740
8741 if (is_chachapoly) {
8742 transform->fixed_ivlen = 12;
8743 } else {
8744 transform->fixed_ivlen = 4;
8745 }
8746
8747 /* Minimum length of encrypted record */
8748 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
8749 transform->minlen = explicit_ivlen + transform->taglen;
8750 } else
8751 #endif /* MBEDTLS_SSL_HAVE_AEAD */
8752 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8753 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
8754 ssl_mode == MBEDTLS_SSL_MODE_CBC ||
8755 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8756 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8757 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
8758 #else
8759 size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info);
8760 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8761
8762 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8763 /* Get MAC length */
8764 mac_key_len = PSA_HASH_LENGTH(mac_alg);
8765 #else
8766 /* Initialize HMAC contexts */
8767 if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 ||
8768 (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) {
8769 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
8770 goto end;
8771 }
8772
8773 /* Get MAC length */
8774 mac_key_len = mbedtls_md_get_size(md_info);
8775 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8776 transform->maclen = mac_key_len;
8777
8778 /* IV length */
8779 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8780 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
8781 #else
8782 transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info);
8783 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8784
8785 /* Minimum length */
8786 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
8787 transform->minlen = transform->maclen;
8788 } else {
8789 /*
8790 * GenericBlockCipher:
8791 * 1. if EtM is in use: one block plus MAC
8792 * otherwise: * first multiple of blocklen greater than maclen
8793 * 2. IV
8794 */
8795 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8796 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8797 transform->minlen = transform->maclen
8798 + block_size;
8799 } else
8800 #endif
8801 {
8802 transform->minlen = transform->maclen
8803 + block_size
8804 - transform->maclen % block_size;
8805 }
8806
8807 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
8808 transform->minlen += transform->ivlen;
8809 } else {
8810 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8811 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8812 goto end;
8813 }
8814 }
8815 } else
8816 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
8817 {
8818 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8819 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8820 }
8821
8822 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
8823 (unsigned) keylen,
8824 (unsigned) transform->minlen,
8825 (unsigned) transform->ivlen,
8826 (unsigned) transform->maclen));
8827
8828 /*
8829 * Finally setup the cipher contexts, IVs and MAC secrets.
8830 */
8831 #if defined(MBEDTLS_SSL_CLI_C)
8832 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
8833 key1 = keyblk + mac_key_len * 2;
8834 key2 = keyblk + mac_key_len * 2 + keylen;
8835
8836 mac_enc = keyblk;
8837 mac_dec = keyblk + mac_key_len;
8838
8839 iv_copy_len = (transform->fixed_ivlen) ?
8840 transform->fixed_ivlen : transform->ivlen;
8841 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len);
8842 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
8843 iv_copy_len);
8844 } else
8845 #endif /* MBEDTLS_SSL_CLI_C */
8846 #if defined(MBEDTLS_SSL_SRV_C)
8847 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
8848 key1 = keyblk + mac_key_len * 2 + keylen;
8849 key2 = keyblk + mac_key_len * 2;
8850
8851 mac_enc = keyblk + mac_key_len;
8852 mac_dec = keyblk;
8853
8854 iv_copy_len = (transform->fixed_ivlen) ?
8855 transform->fixed_ivlen : transform->ivlen;
8856 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len);
8857 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
8858 iv_copy_len);
8859 } else
8860 #endif /* MBEDTLS_SSL_SRV_C */
8861 {
8862 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8863 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8864 goto end;
8865 }
8866
8867 if (ssl->f_export_keys != NULL) {
8868 ssl->f_export_keys(ssl->p_export_keys,
8869 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
8870 master, 48,
8871 randbytes + 32,
8872 randbytes,
8873 tls_prf_get_type(tls_prf));
8874 }
8875
8876 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8877 transform->psa_alg = alg;
8878
8879 if (alg != MBEDTLS_SSL_NULL_CIPHER) {
8880 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
8881 psa_set_key_algorithm(&attributes, alg);
8882 psa_set_key_type(&attributes, key_type);
8883
8884 if ((status = psa_import_key(&attributes,
8885 key1,
8886 PSA_BITS_TO_BYTES(key_bits),
8887 &transform->psa_key_enc)) != PSA_SUCCESS) {
8888 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
8889 ret = PSA_TO_MBEDTLS_ERR(status);
8890 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8891 goto end;
8892 }
8893
8894 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8895
8896 if ((status = psa_import_key(&attributes,
8897 key2,
8898 PSA_BITS_TO_BYTES(key_bits),
8899 &transform->psa_key_dec)) != PSA_SUCCESS) {
8900 ret = PSA_TO_MBEDTLS_ERR(status);
8901 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8902 goto end;
8903 }
8904 }
8905 #else
8906 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
8907 cipher_info)) != 0) {
8908 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8909 goto end;
8910 }
8911
8912 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
8913 cipher_info)) != 0) {
8914 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8915 goto end;
8916 }
8917
8918 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1,
8919 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8920 MBEDTLS_ENCRYPT)) != 0) {
8921 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8922 goto end;
8923 }
8924
8925 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2,
8926 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8927 MBEDTLS_DECRYPT)) != 0) {
8928 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8929 goto end;
8930 }
8931
8932 #if defined(MBEDTLS_CIPHER_MODE_CBC)
8933 if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) {
8934 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc,
8935 MBEDTLS_PADDING_NONE)) != 0) {
8936 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
8937 goto end;
8938 }
8939
8940 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec,
8941 MBEDTLS_PADDING_NONE)) != 0) {
8942 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
8943 goto end;
8944 }
8945 }
8946 #endif /* MBEDTLS_CIPHER_MODE_CBC */
8947 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8948
8949 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8950 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
8951 For AEAD-based ciphersuites, there is nothing to do here. */
8952 if (mac_key_len != 0) {
8953 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8954 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg);
8955
8956 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
8957 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg));
8958 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
8959
8960 if ((status = psa_import_key(&attributes,
8961 mac_enc, mac_key_len,
8962 &transform->psa_mac_enc)) != PSA_SUCCESS) {
8963 ret = PSA_TO_MBEDTLS_ERR(status);
8964 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
8965 goto end;
8966 }
8967
8968 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) ||
8969 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING)
8970 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8971 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED)
8972 #endif
8973 )) {
8974 /* mbedtls_ct_hmac() requires the key to be exportable */
8975 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
8976 PSA_KEY_USAGE_VERIFY_HASH);
8977 } else {
8978 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
8979 }
8980
8981 if ((status = psa_import_key(&attributes,
8982 mac_dec, mac_key_len,
8983 &transform->psa_mac_dec)) != PSA_SUCCESS) {
8984 ret = PSA_TO_MBEDTLS_ERR(status);
8985 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
8986 goto end;
8987 }
8988 #else
8989 ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len);
8990 if (ret != 0) {
8991 goto end;
8992 }
8993 ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len);
8994 if (ret != 0) {
8995 goto end;
8996 }
8997 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8998 }
8999 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
9000
9001 ((void) mac_dec);
9002 ((void) mac_enc);
9003
9004 end:
9005 mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
9006 return ret;
9007 }
9008
9009 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
9010 defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_ecjpake_read_round(psa_pake_operation_t * pake_ctx,const unsigned char * buf,size_t len,mbedtls_ecjpake_rounds_t round)9011 int mbedtls_psa_ecjpake_read_round(
9012 psa_pake_operation_t *pake_ctx,
9013 const unsigned char *buf,
9014 size_t len, mbedtls_ecjpake_rounds_t round)
9015 {
9016 psa_status_t status;
9017 size_t input_offset = 0;
9018 /*
9019 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
9020 * At round two perform a single cycle
9021 */
9022 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
9023
9024 for (; remaining_steps > 0; remaining_steps--) {
9025 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
9026 step <= PSA_PAKE_STEP_ZK_PROOF;
9027 ++step) {
9028 /* Length is stored at the first byte */
9029 size_t length = buf[input_offset];
9030 input_offset += 1;
9031
9032 if (input_offset + length > len) {
9033 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
9034 }
9035
9036 status = psa_pake_input(pake_ctx, step,
9037 buf + input_offset, length);
9038 if (status != PSA_SUCCESS) {
9039 return PSA_TO_MBEDTLS_ERR(status);
9040 }
9041
9042 input_offset += length;
9043 }
9044 }
9045
9046 if (input_offset != len) {
9047 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
9048 }
9049
9050 return 0;
9051 }
9052
mbedtls_psa_ecjpake_write_round(psa_pake_operation_t * pake_ctx,unsigned char * buf,size_t len,size_t * olen,mbedtls_ecjpake_rounds_t round)9053 int mbedtls_psa_ecjpake_write_round(
9054 psa_pake_operation_t *pake_ctx,
9055 unsigned char *buf,
9056 size_t len, size_t *olen,
9057 mbedtls_ecjpake_rounds_t round)
9058 {
9059 psa_status_t status;
9060 size_t output_offset = 0;
9061 size_t output_len;
9062 /*
9063 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
9064 * At round two perform a single cycle
9065 */
9066 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
9067
9068 for (; remaining_steps > 0; remaining_steps--) {
9069 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
9070 step <= PSA_PAKE_STEP_ZK_PROOF;
9071 ++step) {
9072 /*
9073 * For each step, prepend 1 byte with the length of the data as
9074 * given by psa_pake_output().
9075 */
9076 status = psa_pake_output(pake_ctx, step,
9077 buf + output_offset + 1,
9078 len - output_offset - 1,
9079 &output_len);
9080 if (status != PSA_SUCCESS) {
9081 return PSA_TO_MBEDTLS_ERR(status);
9082 }
9083
9084 *(buf + output_offset) = (uint8_t) output_len;
9085
9086 output_offset += output_len + 1;
9087 }
9088 }
9089
9090 *olen = output_offset;
9091
9092 return 0;
9093 }
9094 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
9095
9096 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)9097 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
9098 unsigned char *hash, size_t *hashlen,
9099 unsigned char *data, size_t data_len,
9100 mbedtls_md_type_t md_alg)
9101 {
9102 psa_status_t status;
9103 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
9104 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
9105
9106 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
9107
9108 if ((status = psa_hash_setup(&hash_operation,
9109 hash_alg)) != PSA_SUCCESS) {
9110 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
9111 goto exit;
9112 }
9113
9114 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
9115 64)) != PSA_SUCCESS) {
9116 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
9117 goto exit;
9118 }
9119
9120 if ((status = psa_hash_update(&hash_operation,
9121 data, data_len)) != PSA_SUCCESS) {
9122 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
9123 goto exit;
9124 }
9125
9126 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE,
9127 hashlen)) != PSA_SUCCESS) {
9128 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
9129 goto exit;
9130 }
9131
9132 exit:
9133 if (status != PSA_SUCCESS) {
9134 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9135 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
9136 switch (status) {
9137 case PSA_ERROR_NOT_SUPPORTED:
9138 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
9139 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
9140 case PSA_ERROR_BUFFER_TOO_SMALL:
9141 return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
9142 case PSA_ERROR_INSUFFICIENT_MEMORY:
9143 return MBEDTLS_ERR_MD_ALLOC_FAILED;
9144 default:
9145 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
9146 }
9147 }
9148 return 0;
9149 }
9150
9151 #else
9152
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)9153 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
9154 unsigned char *hash, size_t *hashlen,
9155 unsigned char *data, size_t data_len,
9156 mbedtls_md_type_t md_alg)
9157 {
9158 int ret = 0;
9159 mbedtls_md_context_t ctx;
9160 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
9161 *hashlen = mbedtls_md_get_size(md_info);
9162
9163 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange"));
9164
9165 mbedtls_md_init(&ctx);
9166
9167 /*
9168 * digitally-signed struct {
9169 * opaque client_random[32];
9170 * opaque server_random[32];
9171 * ServerDHParams params;
9172 * };
9173 */
9174 if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
9175 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
9176 goto exit;
9177 }
9178 if ((ret = mbedtls_md_starts(&ctx)) != 0) {
9179 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret);
9180 goto exit;
9181 }
9182 if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) {
9183 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
9184 goto exit;
9185 }
9186 if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) {
9187 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
9188 goto exit;
9189 }
9190 if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) {
9191 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
9192 goto exit;
9193 }
9194
9195 exit:
9196 mbedtls_md_free(&ctx);
9197
9198 if (ret != 0) {
9199 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9200 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
9201 }
9202
9203 return ret;
9204 }
9205 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9206
9207 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
9208
9209 /* Find the preferred hash for a given signature algorithm. */
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(mbedtls_ssl_context * ssl,unsigned int sig_alg)9210 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
9211 mbedtls_ssl_context *ssl,
9212 unsigned int sig_alg)
9213 {
9214 unsigned int i;
9215 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
9216
9217 if (sig_alg == MBEDTLS_SSL_SIG_ANON) {
9218 return MBEDTLS_SSL_HASH_NONE;
9219 }
9220
9221 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
9222 unsigned int hash_alg_received =
9223 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
9224 received_sig_algs[i]);
9225 unsigned int sig_alg_received =
9226 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
9227 received_sig_algs[i]);
9228
9229 mbedtls_md_type_t md_alg =
9230 mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received);
9231 if (md_alg == MBEDTLS_MD_NONE) {
9232 continue;
9233 }
9234
9235 if (sig_alg == sig_alg_received) {
9236 #if defined(MBEDTLS_USE_PSA_CRYPTO)
9237 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
9238 psa_algorithm_t psa_hash_alg =
9239 mbedtls_md_psa_alg_from_type(md_alg);
9240
9241 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
9242 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
9243 PSA_ALG_ECDSA(psa_hash_alg),
9244 PSA_KEY_USAGE_SIGN_HASH)) {
9245 continue;
9246 }
9247
9248 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
9249 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
9250 PSA_ALG_RSA_PKCS1V15_SIGN(
9251 psa_hash_alg),
9252 PSA_KEY_USAGE_SIGN_HASH)) {
9253 continue;
9254 }
9255 }
9256 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9257
9258 return hash_alg_received;
9259 }
9260 }
9261
9262 return MBEDTLS_SSL_HASH_NONE;
9263 }
9264
9265 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
9266
9267 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9268
mbedtls_ssl_validate_ciphersuite(const mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * suite_info,mbedtls_ssl_protocol_version min_tls_version,mbedtls_ssl_protocol_version max_tls_version)9269 int mbedtls_ssl_validate_ciphersuite(
9270 const mbedtls_ssl_context *ssl,
9271 const mbedtls_ssl_ciphersuite_t *suite_info,
9272 mbedtls_ssl_protocol_version min_tls_version,
9273 mbedtls_ssl_protocol_version max_tls_version)
9274 {
9275 (void) ssl;
9276
9277 if (suite_info == NULL) {
9278 return -1;
9279 }
9280
9281 if ((suite_info->min_tls_version > max_tls_version) ||
9282 (suite_info->max_tls_version < min_tls_version)) {
9283 return -1;
9284 }
9285
9286 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
9287 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
9288 #if defined(MBEDTLS_USE_PSA_CRYPTO)
9289 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9290 ssl->handshake->psa_pake_ctx_is_ok != 1)
9291 #else
9292 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9293 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
9294 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9295 {
9296 return -1;
9297 }
9298 #endif
9299
9300 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
9301 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
9302 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
9303 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
9304 return -1;
9305 }
9306 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
9307 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9308
9309 return 0;
9310 }
9311
9312 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
9313 /*
9314 * Function for writing a signature algorithm extension.
9315 *
9316 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
9317 * value (TLS 1.3 RFC8446):
9318 * enum {
9319 * ....
9320 * ecdsa_secp256r1_sha256( 0x0403 ),
9321 * ecdsa_secp384r1_sha384( 0x0503 ),
9322 * ecdsa_secp521r1_sha512( 0x0603 ),
9323 * ....
9324 * } SignatureScheme;
9325 *
9326 * struct {
9327 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
9328 * } SignatureSchemeList;
9329 *
9330 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
9331 * value (TLS 1.2 RFC5246):
9332 * enum {
9333 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
9334 * sha512(6), (255)
9335 * } HashAlgorithm;
9336 *
9337 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
9338 * SignatureAlgorithm;
9339 *
9340 * struct {
9341 * HashAlgorithm hash;
9342 * SignatureAlgorithm signature;
9343 * } SignatureAndHashAlgorithm;
9344 *
9345 * SignatureAndHashAlgorithm
9346 * supported_signature_algorithms<2..2^16-2>;
9347 *
9348 * The TLS 1.3 signature algorithm extension was defined to be a compatible
9349 * generalization of the TLS 1.2 signature algorithm extension.
9350 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
9351 * `SignatureScheme` field of TLS 1.3
9352 *
9353 */
mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)9354 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
9355 const unsigned char *end, size_t *out_len)
9356 {
9357 unsigned char *p = buf;
9358 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
9359 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
9360
9361 *out_len = 0;
9362
9363 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension"));
9364
9365 /* Check if we have space for header and length field:
9366 * - extension_type (2 bytes)
9367 * - extension_data_length (2 bytes)
9368 * - supported_signature_algorithms_length (2 bytes)
9369 */
9370 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
9371 p += 6;
9372
9373 /*
9374 * Write supported_signature_algorithms
9375 */
9376 supported_sig_alg = p;
9377 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
9378 if (sig_alg == NULL) {
9379 return MBEDTLS_ERR_SSL_BAD_CONFIG;
9380 }
9381
9382 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
9383 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s",
9384 *sig_alg,
9385 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9386 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
9387 continue;
9388 }
9389 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
9390 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
9391 p += 2;
9392 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s",
9393 *sig_alg,
9394 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9395 }
9396
9397 /* Length of supported_signature_algorithms */
9398 supported_sig_alg_len = (size_t) (p - supported_sig_alg);
9399 if (supported_sig_alg_len == 0) {
9400 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
9401 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
9402 }
9403
9404 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0);
9405 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
9406 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
9407
9408 *out_len = (size_t) (p - buf);
9409
9410 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9411 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
9412 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
9413
9414 return 0;
9415 }
9416 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
9417
9418 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9419 /*
9420 * mbedtls_ssl_parse_server_name_ext
9421 *
9422 * Structure of server_name extension:
9423 *
9424 * enum {
9425 * host_name(0), (255)
9426 * } NameType;
9427 * opaque HostName<1..2^16-1>;
9428 *
9429 * struct {
9430 * NameType name_type;
9431 * select (name_type) {
9432 * case host_name: HostName;
9433 * } name;
9434 * } ServerName;
9435 * struct {
9436 * ServerName server_name_list<1..2^16-1>
9437 * } ServerNameList;
9438 */
9439 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9440 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
9441 const unsigned char *buf,
9442 const unsigned char *end)
9443 {
9444 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
9445 const unsigned char *p = buf;
9446 size_t server_name_list_len, hostname_len;
9447 const unsigned char *server_name_list_end;
9448
9449 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
9450
9451 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
9452 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9453 p += 2;
9454
9455 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len);
9456 server_name_list_end = p + server_name_list_len;
9457 while (p < server_name_list_end) {
9458 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3);
9459 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1);
9460 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end,
9461 hostname_len + 3);
9462
9463 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
9464 /* sni_name is intended to be used only during the parsing of the
9465 * ClientHello message (it is reset to NULL before the end of
9466 * the message parsing). Thus it is ok to just point to the
9467 * reception buffer and not make a copy of it.
9468 */
9469 ssl->handshake->sni_name = p + 3;
9470 ssl->handshake->sni_name_len = hostname_len;
9471 if (ssl->conf->f_sni == NULL) {
9472 return 0;
9473 }
9474 ret = ssl->conf->f_sni(ssl->conf->p_sni,
9475 ssl, p + 3, hostname_len);
9476 if (ret != 0) {
9477 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
9478 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
9479 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME);
9480 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME;
9481 }
9482 return 0;
9483 }
9484
9485 p += hostname_len + 3;
9486 }
9487
9488 return 0;
9489 }
9490 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
9491
9492 #if defined(MBEDTLS_SSL_ALPN)
9493 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9494 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
9495 const unsigned char *buf,
9496 const unsigned char *end)
9497 {
9498 const unsigned char *p = buf;
9499 size_t protocol_name_list_len;
9500 const unsigned char *protocol_name_list;
9501 const unsigned char *protocol_name_list_end;
9502 size_t protocol_name_len;
9503
9504 /* If ALPN not configured, just ignore the extension */
9505 if (ssl->conf->alpn_list == NULL) {
9506 return 0;
9507 }
9508
9509 /*
9510 * RFC7301, section 3.1
9511 * opaque ProtocolName<1..2^8-1>;
9512 *
9513 * struct {
9514 * ProtocolName protocol_name_list<2..2^16-1>
9515 * } ProtocolNameList;
9516 */
9517
9518 /*
9519 * protocol_name_list_len 2 bytes
9520 * protocol_name_len 1 bytes
9521 * protocol_name >=1 byte
9522 */
9523 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
9524
9525 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9526 p += 2;
9527 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
9528 protocol_name_list = p;
9529 protocol_name_list_end = p + protocol_name_list_len;
9530
9531 /* Validate peer's list (lengths) */
9532 while (p < protocol_name_list_end) {
9533 protocol_name_len = *p++;
9534 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end,
9535 protocol_name_len);
9536 if (protocol_name_len == 0) {
9537 MBEDTLS_SSL_PEND_FATAL_ALERT(
9538 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
9539 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
9540 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
9541 }
9542
9543 p += protocol_name_len;
9544 }
9545
9546 /* Use our order of preference */
9547 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
9548 size_t const alpn_len = strlen(*alpn);
9549 p = protocol_name_list;
9550 while (p < protocol_name_list_end) {
9551 protocol_name_len = *p++;
9552 if (protocol_name_len == alpn_len &&
9553 memcmp(p, *alpn, alpn_len) == 0) {
9554 ssl->alpn_chosen = *alpn;
9555 return 0;
9556 }
9557
9558 p += protocol_name_len;
9559 }
9560 }
9561
9562 /* If we get here, no match was found */
9563 MBEDTLS_SSL_PEND_FATAL_ALERT(
9564 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
9565 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL);
9566 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL;
9567 }
9568
mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)9569 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
9570 unsigned char *buf,
9571 unsigned char *end,
9572 size_t *out_len)
9573 {
9574 unsigned char *p = buf;
9575 size_t protocol_name_len;
9576 *out_len = 0;
9577
9578 if (ssl->alpn_chosen == NULL) {
9579 return 0;
9580 }
9581
9582 protocol_name_len = strlen(ssl->alpn_chosen);
9583 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len);
9584
9585 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension"));
9586 /*
9587 * 0 . 1 ext identifier
9588 * 2 . 3 ext length
9589 * 4 . 5 protocol list length
9590 * 6 . 6 protocol name length
9591 * 7 . 7+n protocol name
9592 */
9593 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
9594
9595 *out_len = 7 + protocol_name_len;
9596
9597 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2);
9598 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4);
9599 /* Note: the length of the chosen protocol has been checked to be less
9600 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
9601 */
9602 p[6] = MBEDTLS_BYTE_0(protocol_name_len);
9603
9604 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len);
9605
9606 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9607 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
9608 #endif
9609
9610 return 0;
9611 }
9612 #endif /* MBEDTLS_SSL_ALPN */
9613
9614 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
9615 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
9616 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
9617 defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_session_set_hostname(mbedtls_ssl_session * session,const char * hostname)9618 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
9619 const char *hostname)
9620 {
9621 /* Initialize to suppress unnecessary compiler warning */
9622 size_t hostname_len = 0;
9623
9624 /* Check if new hostname is valid before
9625 * making any change to current one */
9626 if (hostname != NULL) {
9627 hostname_len = strlen(hostname);
9628
9629 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
9630 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9631 }
9632 }
9633
9634 /* Now it's clear that we will overwrite the old hostname,
9635 * so we can free it safely */
9636 if (session->hostname != NULL) {
9637 mbedtls_zeroize_and_free(session->hostname,
9638 strlen(session->hostname));
9639 }
9640
9641 /* Passing NULL as hostname shall clear the old one */
9642 if (hostname == NULL) {
9643 session->hostname = NULL;
9644 } else {
9645 session->hostname = mbedtls_calloc(1, hostname_len + 1);
9646 if (session->hostname == NULL) {
9647 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9648 }
9649
9650 memcpy(session->hostname, hostname, hostname_len);
9651 }
9652
9653 return 0;
9654 }
9655 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
9656 MBEDTLS_SSL_SESSION_TICKETS &&
9657 MBEDTLS_SSL_SERVER_NAME_INDICATION &&
9658 MBEDTLS_SSL_CLI_C */
9659
9660 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
9661 defined(MBEDTLS_SSL_ALPN)
mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session * session,const char * alpn)9662 int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
9663 const char *alpn)
9664 {
9665 size_t alpn_len = 0;
9666
9667 if (alpn != NULL) {
9668 alpn_len = strlen(alpn);
9669
9670 if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) {
9671 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9672 }
9673 }
9674
9675 if (session->ticket_alpn != NULL) {
9676 mbedtls_zeroize_and_free(session->ticket_alpn,
9677 strlen(session->ticket_alpn));
9678 session->ticket_alpn = NULL;
9679 }
9680
9681 if (alpn != NULL) {
9682 session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1);
9683 if (session->ticket_alpn == NULL) {
9684 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9685 }
9686 memcpy(session->ticket_alpn, alpn, alpn_len);
9687 }
9688
9689 return 0;
9690 }
9691 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
9692
9693 /*
9694 * The following functions are used by 1.2 and 1.3, client and server.
9695 */
9696 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt * cert,const mbedtls_ssl_ciphersuite_t * ciphersuite,int recv_endpoint,mbedtls_ssl_protocol_version tls_version,uint32_t * flags)9697 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
9698 const mbedtls_ssl_ciphersuite_t *ciphersuite,
9699 int recv_endpoint,
9700 mbedtls_ssl_protocol_version tls_version,
9701 uint32_t *flags)
9702 {
9703 int ret = 0;
9704 unsigned int usage = 0;
9705 const char *ext_oid;
9706 size_t ext_len;
9707
9708 /*
9709 * keyUsage
9710 */
9711
9712 /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants
9713 * to check what a compliant client will think while choosing which cert
9714 * to send to the client. */
9715 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
9716 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
9717 recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
9718 /* TLS 1.2 server part of the key exchange */
9719 switch (ciphersuite->key_exchange) {
9720 case MBEDTLS_KEY_EXCHANGE_RSA:
9721 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
9722 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
9723 break;
9724
9725 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
9726 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
9727 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
9728 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9729 break;
9730
9731 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
9732 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
9733 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
9734 break;
9735
9736 /* Don't use default: we want warnings when adding new values */
9737 case MBEDTLS_KEY_EXCHANGE_NONE:
9738 case MBEDTLS_KEY_EXCHANGE_PSK:
9739 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
9740 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
9741 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
9742 usage = 0;
9743 }
9744 } else
9745 #endif
9746 {
9747 /* This is either TLS 1.3 authentication, which always uses signatures,
9748 * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only
9749 * options we implement, both using signatures. */
9750 (void) tls_version;
9751 (void) ciphersuite;
9752 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9753 }
9754
9755 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
9756 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
9757 ret = -1;
9758 }
9759
9760 /*
9761 * extKeyUsage
9762 */
9763
9764 if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
9765 ext_oid = MBEDTLS_OID_SERVER_AUTH;
9766 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
9767 } else {
9768 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
9769 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
9770 }
9771
9772 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
9773 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
9774 ret = -1;
9775 }
9776
9777 return ret;
9778 }
9779
get_hostname_for_verification(mbedtls_ssl_context * ssl,const char ** hostname)9780 static int get_hostname_for_verification(mbedtls_ssl_context *ssl,
9781 const char **hostname)
9782 {
9783 if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) {
9784 MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname"));
9785 #if !defined(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME)
9786 if (mbedtls_ssl_conf_get_endpoint(ssl->conf) == MBEDTLS_SSL_IS_CLIENT &&
9787 ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
9788 return MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME;
9789 }
9790 #endif
9791 }
9792
9793 *hostname = mbedtls_ssl_get_hostname_pointer(ssl);
9794 if (*hostname == NULL) {
9795 MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification"));
9796 }
9797
9798 return 0;
9799 }
9800
mbedtls_ssl_verify_certificate(mbedtls_ssl_context * ssl,int authmode,mbedtls_x509_crt * chain,const mbedtls_ssl_ciphersuite_t * ciphersuite_info,void * rs_ctx)9801 int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
9802 int authmode,
9803 mbedtls_x509_crt *chain,
9804 const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
9805 void *rs_ctx)
9806 {
9807 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
9808 return 0;
9809 }
9810
9811 /*
9812 * Primary check: use the appropriate X.509 verification function
9813 */
9814 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
9815 void *p_vrfy;
9816 if (ssl->f_vrfy != NULL) {
9817 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
9818 f_vrfy = ssl->f_vrfy;
9819 p_vrfy = ssl->p_vrfy;
9820 } else {
9821 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
9822 f_vrfy = ssl->conf->f_vrfy;
9823 p_vrfy = ssl->conf->p_vrfy;
9824 }
9825
9826 const char *hostname = "";
9827 int ret = get_hostname_for_verification(ssl, &hostname);
9828 if (ret != 0) {
9829 MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret);
9830 return ret;
9831 }
9832
9833 int have_ca_chain_or_callback = 0;
9834 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
9835 if (ssl->conf->f_ca_cb != NULL) {
9836 ((void) rs_ctx);
9837 have_ca_chain_or_callback = 1;
9838
9839 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
9840 ret = mbedtls_x509_crt_verify_with_ca_cb(
9841 chain,
9842 ssl->conf->f_ca_cb,
9843 ssl->conf->p_ca_cb,
9844 ssl->conf->cert_profile,
9845 hostname,
9846 &ssl->session_negotiate->verify_result,
9847 f_vrfy, p_vrfy);
9848 } else
9849 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
9850 {
9851 mbedtls_x509_crt *ca_chain;
9852 mbedtls_x509_crl *ca_crl;
9853 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9854 if (ssl->handshake->sni_ca_chain != NULL) {
9855 ca_chain = ssl->handshake->sni_ca_chain;
9856 ca_crl = ssl->handshake->sni_ca_crl;
9857 } else
9858 #endif
9859 {
9860 ca_chain = ssl->conf->ca_chain;
9861 ca_crl = ssl->conf->ca_crl;
9862 }
9863
9864 if (ca_chain != NULL) {
9865 have_ca_chain_or_callback = 1;
9866 }
9867
9868 ret = mbedtls_x509_crt_verify_restartable(
9869 chain,
9870 ca_chain, ca_crl,
9871 ssl->conf->cert_profile,
9872 hostname,
9873 &ssl->session_negotiate->verify_result,
9874 f_vrfy, p_vrfy, rs_ctx);
9875 }
9876
9877 if (ret != 0) {
9878 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
9879 }
9880
9881 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
9882 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
9883 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
9884 }
9885 #endif
9886
9887 /*
9888 * Secondary checks: always done, but change 'ret' only if it was 0
9889 */
9890
9891 /* With TLS 1.2 and ECC certs, check that the curve used by the
9892 * certificate is on our list of acceptable curves.
9893 *
9894 * With TLS 1.3 this is not needed because the curve is part of the
9895 * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when
9896 * we validate the signature made with the key associated to this cert.
9897 */
9898 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
9899 defined(MBEDTLS_PK_HAVE_ECC_KEYS)
9900 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
9901 mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) {
9902 if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) {
9903 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
9904 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
9905 if (ret == 0) {
9906 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
9907 }
9908 }
9909 }
9910 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_PK_HAVE_ECC_KEYS */
9911
9912 /* Check X.509 usage extensions (keyUsage, extKeyUsage) */
9913 if (mbedtls_ssl_check_cert_usage(chain,
9914 ciphersuite_info,
9915 ssl->conf->endpoint,
9916 ssl->tls_version,
9917 &ssl->session_negotiate->verify_result) != 0) {
9918 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
9919 if (ret == 0) {
9920 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
9921 }
9922 }
9923
9924 /* With authmode optional, we want to keep going if the certificate was
9925 * unacceptable, but still fail on other errors (out of memory etc),
9926 * including fatal errors from the f_vrfy callback.
9927 *
9928 * The only acceptable errors are:
9929 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check;
9930 * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks.
9931 * Anything else is a fatal error. */
9932 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
9933 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
9934 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
9935 ret = 0;
9936 }
9937
9938 /* Return a specific error as this is a user error: inconsistent
9939 * configuration - can't verify without trust anchors. */
9940 if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
9941 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
9942 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
9943 }
9944
9945 if (ret != 0) {
9946 uint8_t alert;
9947
9948 /* The certificate may have been rejected for several reasons.
9949 Pick one and send the corresponding alert. Which alert to send
9950 may be a subject of debate in some cases. */
9951 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
9952 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
9953 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
9954 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
9955 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
9956 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9957 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
9958 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9959 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
9960 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9961 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
9962 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
9963 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
9964 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
9965 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
9966 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
9967 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
9968 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
9969 } else {
9970 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
9971 }
9972 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9973 alert);
9974 }
9975
9976 #if defined(MBEDTLS_DEBUG_C)
9977 if (ssl->session_negotiate->verify_result != 0) {
9978 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
9979 (unsigned int) ssl->session_negotiate->verify_result));
9980 } else {
9981 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
9982 }
9983 #endif /* MBEDTLS_DEBUG_C */
9984
9985 return ret;
9986 }
9987 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
9988
9989 #endif /* MBEDTLS_SSL_TLS_C */
9990