1 /*
2 * Generic SSL/TLS messaging layer functions
3 * (record layer + retransmission state machine)
4 *
5 * Copyright The Mbed TLS Contributors
6 * SPDX-License-Identifier: Apache-2.0
7 *
8 * Licensed under the Apache License, Version 2.0 (the "License"); you may
9 * not use this file except in compliance with the License.
10 * You may obtain a copy of the License at
11 *
12 * http://www.apache.org/licenses/LICENSE-2.0
13 *
14 * Unless required by applicable law or agreed to in writing, software
15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17 * See the License for the specific language governing permissions and
18 * limitations under the License.
19 */
20 /*
21 * http://www.ietf.org/rfc/rfc2246.txt
22 * http://www.ietf.org/rfc/rfc4346.txt
23 */
24
25 #include "common.h"
26
27 #if defined(MBEDTLS_SSL_TLS_C)
28
29 #include "mbedtls/platform.h"
30
31 #include "mbedtls/ssl.h"
32 #include "ssl_misc.h"
33 #include "mbedtls/debug.h"
34 #include "mbedtls/error.h"
35 #include "mbedtls/platform_util.h"
36 #include "mbedtls/version.h"
37 #include "constant_time_internal.h"
38 #include "mbedtls/constant_time.h"
39
40 #include <string.h>
41
42 #if defined(MBEDTLS_USE_PSA_CRYPTO)
43 #include "mbedtls/psa_util.h"
44 #include "psa/crypto.h"
45 #endif
46
47 #if defined(MBEDTLS_X509_CRT_PARSE_C)
48 #include "mbedtls/oid.h"
49 #endif
50
51 static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
52
53 /*
54 * Start a timer.
55 * Passing millisecs = 0 cancels a running timer.
56 */
mbedtls_ssl_set_timer(mbedtls_ssl_context * ssl,uint32_t millisecs)57 void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
58 {
59 if( ssl->f_set_timer == NULL )
60 return;
61
62 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
63 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
64 }
65
66 /*
67 * Return -1 is timer is expired, 0 if it isn't.
68 */
mbedtls_ssl_check_timer(mbedtls_ssl_context * ssl)69 int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
70 {
71 if( ssl->f_get_timer == NULL )
72 return( 0 );
73
74 if( ssl->f_get_timer( ssl->p_timer ) == 2 )
75 {
76 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
77 return( -1 );
78 }
79
80 return( 0 );
81 }
82
83 MBEDTLS_CHECK_RETURN_CRITICAL
84 static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
85 unsigned char *buf,
86 size_t len,
87 mbedtls_record *rec );
88
mbedtls_ssl_check_record(mbedtls_ssl_context const * ssl,unsigned char * buf,size_t buflen)89 int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
90 unsigned char *buf,
91 size_t buflen )
92 {
93 int ret = 0;
94 MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
95 MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
96
97 /* We don't support record checking in TLS because
98 * there doesn't seem to be a usecase for it.
99 */
100 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
101 {
102 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
103 goto exit;
104 }
105 #if defined(MBEDTLS_SSL_PROTO_DTLS)
106 else
107 {
108 mbedtls_record rec;
109
110 ret = ssl_parse_record_header( ssl, buf, buflen, &rec );
111 if( ret != 0 )
112 {
113 MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret );
114 goto exit;
115 }
116
117 if( ssl->transform_in != NULL )
118 {
119 ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec );
120 if( ret != 0 )
121 {
122 MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret );
123 goto exit;
124 }
125 }
126 }
127 #endif /* MBEDTLS_SSL_PROTO_DTLS */
128
129 exit:
130 /* On success, we have decrypted the buffer in-place, so make
131 * sure we don't leak any plaintext data. */
132 mbedtls_platform_zeroize( buf, buflen );
133
134 /* For the purpose of this API, treat messages with unexpected CID
135 * as well as such from future epochs as unexpected. */
136 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
137 ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
138 {
139 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
140 }
141
142 MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
143 return( ret );
144 }
145
146 #define SSL_DONT_FORCE_FLUSH 0
147 #define SSL_FORCE_FLUSH 1
148
149 #if defined(MBEDTLS_SSL_PROTO_DTLS)
150
151 /* Forward declarations for functions related to message buffering. */
152 static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
153 uint8_t slot );
154 static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
155 MBEDTLS_CHECK_RETURN_CRITICAL
156 static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
157 MBEDTLS_CHECK_RETURN_CRITICAL
158 static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
159 MBEDTLS_CHECK_RETURN_CRITICAL
160 static int ssl_buffer_message( mbedtls_ssl_context *ssl );
161 MBEDTLS_CHECK_RETURN_CRITICAL
162 static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
163 mbedtls_record const *rec );
164 MBEDTLS_CHECK_RETURN_CRITICAL
165 static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
166
ssl_get_maximum_datagram_size(mbedtls_ssl_context const * ssl)167 static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
168 {
169 size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
170 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
171 size_t out_buf_len = ssl->out_buf_len;
172 #else
173 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
174 #endif
175
176 if( mtu != 0 && mtu < out_buf_len )
177 return( mtu );
178
179 return( out_buf_len );
180 }
181
182 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_remaining_space_in_datagram(mbedtls_ssl_context const * ssl)183 static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
184 {
185 size_t const bytes_written = ssl->out_left;
186 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
187
188 /* Double-check that the write-index hasn't gone
189 * past what we can transmit in a single datagram. */
190 if( bytes_written > mtu )
191 {
192 /* Should never happen... */
193 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
194 }
195
196 return( (int) ( mtu - bytes_written ) );
197 }
198
199 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_remaining_payload_in_datagram(mbedtls_ssl_context const * ssl)200 static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
201 {
202 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
203 size_t remaining, expansion;
204 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
205
206 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
207 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
208
209 if( max_len > mfl )
210 max_len = mfl;
211
212 /* By the standard (RFC 6066 Sect. 4), the MFL extension
213 * only limits the maximum record payload size, so in theory
214 * we would be allowed to pack multiple records of payload size
215 * MFL into a single datagram. However, this would mean that there's
216 * no way to explicitly communicate MTU restrictions to the peer.
217 *
218 * The following reduction of max_len makes sure that we never
219 * write datagrams larger than MFL + Record Expansion Overhead.
220 */
221 if( max_len <= ssl->out_left )
222 return( 0 );
223
224 max_len -= ssl->out_left;
225 #endif
226
227 ret = ssl_get_remaining_space_in_datagram( ssl );
228 if( ret < 0 )
229 return( ret );
230 remaining = (size_t) ret;
231
232 ret = mbedtls_ssl_get_record_expansion( ssl );
233 if( ret < 0 )
234 return( ret );
235 expansion = (size_t) ret;
236
237 if( remaining <= expansion )
238 return( 0 );
239
240 remaining -= expansion;
241 if( remaining >= max_len )
242 remaining = max_len;
243
244 return( (int) remaining );
245 }
246
247 /*
248 * Double the retransmit timeout value, within the allowed range,
249 * returning -1 if the maximum value has already been reached.
250 */
251 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_double_retransmit_timeout(mbedtls_ssl_context * ssl)252 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
253 {
254 uint32_t new_timeout;
255
256 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
257 return( -1 );
258
259 /* Implement the final paragraph of RFC 6347 section 4.1.1.1
260 * in the following way: after the initial transmission and a first
261 * retransmission, back off to a temporary estimated MTU of 508 bytes.
262 * This value is guaranteed to be deliverable (if not guaranteed to be
263 * delivered) of any compliant IPv4 (and IPv6) network, and should work
264 * on most non-IP stacks too. */
265 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
266 {
267 ssl->handshake->mtu = 508;
268 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
269 }
270
271 new_timeout = 2 * ssl->handshake->retransmit_timeout;
272
273 /* Avoid arithmetic overflow and range overflow */
274 if( new_timeout < ssl->handshake->retransmit_timeout ||
275 new_timeout > ssl->conf->hs_timeout_max )
276 {
277 new_timeout = ssl->conf->hs_timeout_max;
278 }
279
280 ssl->handshake->retransmit_timeout = new_timeout;
281 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs",
282 (unsigned long) ssl->handshake->retransmit_timeout ) );
283
284 return( 0 );
285 }
286
ssl_reset_retransmit_timeout(mbedtls_ssl_context * ssl)287 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
288 {
289 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
290 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs",
291 (unsigned long) ssl->handshake->retransmit_timeout ) );
292 }
293 #endif /* MBEDTLS_SSL_PROTO_DTLS */
294
295 /*
296 * Encryption/decryption functions
297 */
298
299 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
300
ssl_compute_padding_length(size_t len,size_t granularity)301 static size_t ssl_compute_padding_length( size_t len,
302 size_t granularity )
303 {
304 return( ( granularity - ( len + 1 ) % granularity ) % granularity );
305 }
306
307 /* This functions transforms a (D)TLS plaintext fragment and a record content
308 * type into an instance of the (D)TLSInnerPlaintext structure. This is used
309 * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
310 * a record's content type.
311 *
312 * struct {
313 * opaque content[DTLSPlaintext.length];
314 * ContentType real_type;
315 * uint8 zeros[length_of_padding];
316 * } (D)TLSInnerPlaintext;
317 *
318 * Input:
319 * - `content`: The beginning of the buffer holding the
320 * plaintext to be wrapped.
321 * - `*content_size`: The length of the plaintext in Bytes.
322 * - `max_len`: The number of Bytes available starting from
323 * `content`. This must be `>= *content_size`.
324 * - `rec_type`: The desired record content type.
325 *
326 * Output:
327 * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
328 * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
329 *
330 * Returns:
331 * - `0` on success.
332 * - A negative error code if `max_len` didn't offer enough space
333 * for the expansion.
334 */
335 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_build_inner_plaintext(unsigned char * content,size_t * content_size,size_t remaining,uint8_t rec_type,size_t pad)336 static int ssl_build_inner_plaintext( unsigned char *content,
337 size_t *content_size,
338 size_t remaining,
339 uint8_t rec_type,
340 size_t pad )
341 {
342 size_t len = *content_size;
343
344 /* Write real content type */
345 if( remaining == 0 )
346 return( -1 );
347 content[ len ] = rec_type;
348 len++;
349 remaining--;
350
351 if( remaining < pad )
352 return( -1 );
353 memset( content + len, 0, pad );
354 len += pad;
355 remaining -= pad;
356
357 *content_size = len;
358 return( 0 );
359 }
360
361 /* This function parses a (D)TLSInnerPlaintext structure.
362 * See ssl_build_inner_plaintext() for details. */
363 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_inner_plaintext(unsigned char const * content,size_t * content_size,uint8_t * rec_type)364 static int ssl_parse_inner_plaintext( unsigned char const *content,
365 size_t *content_size,
366 uint8_t *rec_type )
367 {
368 size_t remaining = *content_size;
369
370 /* Determine length of padding by skipping zeroes from the back. */
371 do
372 {
373 if( remaining == 0 )
374 return( -1 );
375 remaining--;
376 } while( content[ remaining ] == 0 );
377
378 *content_size = remaining;
379 *rec_type = content[ remaining ];
380
381 return( 0 );
382 }
383 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || MBEDTLS_SSL_PROTO_TLS1_3 */
384
385 /* The size of the `add_data` structure depends on various
386 * factors, namely
387 *
388 * 1) CID functionality disabled
389 *
390 * additional_data =
391 * 8: seq_num +
392 * 1: type +
393 * 2: version +
394 * 2: length of inner plaintext +
395 *
396 * size = 13 bytes
397 *
398 * 2) CID functionality based on RFC 9146 enabled
399 *
400 * size = 8 + 1 + 1 + 1 + 2 + 2 + 6 + 2 + CID-length
401 * = 23 + CID-length
402 *
403 * 3) CID functionality based on legacy CID version
404 according to draft-ietf-tls-dtls-connection-id-05
405 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05
406 *
407 * size = 13 + 1 + CID-length
408 *
409 * More information about the CID usage:
410 *
411 * Per Section 5.3 of draft-ietf-tls-dtls-connection-id-05 the
412 * size of the additional data structure is calculated as:
413 *
414 * additional_data =
415 * 8: seq_num +
416 * 1: tls12_cid +
417 * 2: DTLSCipherText.version +
418 * n: cid +
419 * 1: cid_length +
420 * 2: length_of_DTLSInnerPlaintext
421 *
422 * Per RFC 9146 the size of the add_data structure is calculated as:
423 *
424 * additional_data =
425 * 8: seq_num_placeholder +
426 * 1: tls12_cid +
427 * 1: cid_length +
428 * 1: tls12_cid +
429 * 2: DTLSCiphertext.version +
430 * 2: epoch +
431 * 6: sequence_number +
432 * n: cid +
433 * 2: length_of_DTLSInnerPlaintext
434 *
435 */
ssl_extract_add_data_from_record(unsigned char * add_data,size_t * add_data_len,mbedtls_record * rec,mbedtls_ssl_protocol_version tls_version,size_t taglen)436 static void ssl_extract_add_data_from_record( unsigned char* add_data,
437 size_t *add_data_len,
438 mbedtls_record *rec,
439 mbedtls_ssl_protocol_version
440 tls_version,
441 size_t taglen )
442 {
443 /* Several types of ciphers have been defined for use with TLS and DTLS,
444 * and the MAC calculations for those ciphers differ slightly. Further
445 * variants were added when the CID functionality was added with RFC 9146.
446 * This implementations also considers the use of a legacy version of the
447 * CID specification published in draft-ietf-tls-dtls-connection-id-05,
448 * which is used in deployments.
449 *
450 * We will distinguish between the non-CID and the CID cases below.
451 *
452 * --- Non-CID cases ---
453 *
454 * Quoting RFC 5246 (TLS 1.2):
455 *
456 * additional_data = seq_num + TLSCompressed.type +
457 * TLSCompressed.version + TLSCompressed.length;
458 *
459 * For TLS 1.3, the record sequence number is dropped from the AAD
460 * and encoded within the nonce of the AEAD operation instead.
461 * Moreover, the additional data involves the length of the TLS
462 * ciphertext, not the TLS plaintext as in earlier versions.
463 * Quoting RFC 8446 (TLS 1.3):
464 *
465 * additional_data = TLSCiphertext.opaque_type ||
466 * TLSCiphertext.legacy_record_version ||
467 * TLSCiphertext.length
468 *
469 * We pass the tag length to this function in order to compute the
470 * ciphertext length from the inner plaintext length rec->data_len via
471 *
472 * TLSCiphertext.length = TLSInnerPlaintext.length + taglen.
473 *
474 * --- CID cases ---
475 *
476 * RFC 9146 uses a common pattern when constructing the data
477 * passed into a MAC / AEAD cipher.
478 *
479 * Data concatenation for MACs used with block ciphers with
480 * Encrypt-then-MAC Processing (with CID):
481 *
482 * data = seq_num_placeholder +
483 * tls12_cid +
484 * cid_length +
485 * tls12_cid +
486 * DTLSCiphertext.version +
487 * epoch +
488 * sequence_number +
489 * cid +
490 * DTLSCiphertext.length +
491 * IV +
492 * ENC(content + padding + padding_length)
493 *
494 * Data concatenation for MACs used with block ciphers (with CID):
495 *
496 * data = seq_num_placeholder +
497 * tls12_cid +
498 * cid_length +
499 * tls12_cid +
500 * DTLSCiphertext.version +
501 * epoch +
502 * sequence_number +
503 * cid +
504 * length_of_DTLSInnerPlaintext +
505 * DTLSInnerPlaintext.content +
506 * DTLSInnerPlaintext.real_type +
507 * DTLSInnerPlaintext.zeros
508 *
509 * AEAD ciphers use the following additional data calculation (with CIDs):
510 *
511 * additional_data = seq_num_placeholder +
512 * tls12_cid +
513 * cid_length +
514 * tls12_cid +
515 * DTLSCiphertext.version +
516 * epoch +
517 * sequence_number +
518 * cid +
519 * length_of_DTLSInnerPlaintext
520 *
521 * Section 5.3 of draft-ietf-tls-dtls-connection-id-05 (for legacy CID use)
522 * defines the additional data calculation as follows:
523 *
524 * additional_data = seq_num +
525 * tls12_cid +
526 * DTLSCipherText.version +
527 * cid +
528 * cid_length +
529 * length_of_DTLSInnerPlaintext
530 */
531
532 unsigned char *cur = add_data;
533 size_t ad_len_field = rec->data_len;
534
535 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
536 MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
537 const unsigned char seq_num_placeholder[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff };
538 #endif
539
540 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
541 if( tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
542 {
543 /* In TLS 1.3, the AAD contains the length of the TLSCiphertext,
544 * which differs from the length of the TLSInnerPlaintext
545 * by the length of the authentication tag. */
546 ad_len_field += taglen;
547 }
548 else
549 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
550 {
551 ((void) tls_version);
552 ((void) taglen);
553
554 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
555 MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
556 if( rec->cid_len != 0 )
557 {
558 // seq_num_placeholder
559 memcpy( cur, seq_num_placeholder, sizeof(seq_num_placeholder) );
560 cur += sizeof( seq_num_placeholder );
561
562 // tls12_cid type
563 *cur = rec->type;
564 cur++;
565
566 // cid_length
567 *cur = rec->cid_len;
568 cur++;
569 }
570 else
571 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
572 {
573 // epoch + sequence number
574 memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
575 cur += sizeof( rec->ctr );
576 }
577 }
578
579 // type
580 *cur = rec->type;
581 cur++;
582
583 // version
584 memcpy( cur, rec->ver, sizeof( rec->ver ) );
585 cur += sizeof( rec->ver );
586
587 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
588 MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 1
589
590 if (rec->cid_len != 0)
591 {
592 // CID
593 memcpy(cur, rec->cid, rec->cid_len);
594 cur += rec->cid_len;
595
596 // cid_length
597 *cur = rec->cid_len;
598 cur++;
599
600 // length of inner plaintext
601 MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0);
602 cur += 2;
603 }
604 else
605 #elif defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
606 MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0
607
608 if( rec->cid_len != 0 )
609 {
610 // epoch + sequence number
611 memcpy(cur, rec->ctr, sizeof(rec->ctr));
612 cur += sizeof(rec->ctr);
613
614 // CID
615 memcpy( cur, rec->cid, rec->cid_len );
616 cur += rec->cid_len;
617
618 // length of inner plaintext
619 MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 );
620 cur += 2;
621 }
622 else
623 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
624 {
625 MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 );
626 cur += 2;
627 }
628
629 *add_data_len = cur - add_data;
630 }
631
632 #if defined(MBEDTLS_GCM_C) || \
633 defined(MBEDTLS_CCM_C) || \
634 defined(MBEDTLS_CHACHAPOLY_C)
635 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_transform_aead_dynamic_iv_is_explicit(mbedtls_ssl_transform const * transform)636 static int ssl_transform_aead_dynamic_iv_is_explicit(
637 mbedtls_ssl_transform const *transform )
638 {
639 return( transform->ivlen != transform->fixed_ivlen );
640 }
641
642 /* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV )
643 *
644 * Concretely, this occurs in two variants:
645 *
646 * a) Fixed and dynamic IV lengths add up to total IV length, giving
647 * IV = fixed_iv || dynamic_iv
648 *
649 * This variant is used in TLS 1.2 when used with GCM or CCM.
650 *
651 * b) Fixed IV lengths matches total IV length, giving
652 * IV = fixed_iv XOR ( 0 || dynamic_iv )
653 *
654 * This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly.
655 *
656 * See also the documentation of mbedtls_ssl_transform.
657 *
658 * This function has the precondition that
659 *
660 * dst_iv_len >= max( fixed_iv_len, dynamic_iv_len )
661 *
662 * which has to be ensured by the caller. If this precondition
663 * violated, the behavior of this function is undefined.
664 */
ssl_build_record_nonce(unsigned char * dst_iv,size_t dst_iv_len,unsigned char const * fixed_iv,size_t fixed_iv_len,unsigned char const * dynamic_iv,size_t dynamic_iv_len)665 static void ssl_build_record_nonce( unsigned char *dst_iv,
666 size_t dst_iv_len,
667 unsigned char const *fixed_iv,
668 size_t fixed_iv_len,
669 unsigned char const *dynamic_iv,
670 size_t dynamic_iv_len )
671 {
672 size_t i;
673
674 /* Start with Fixed IV || 0 */
675 memset( dst_iv, 0, dst_iv_len );
676 memcpy( dst_iv, fixed_iv, fixed_iv_len );
677
678 dst_iv += dst_iv_len - dynamic_iv_len;
679 for( i = 0; i < dynamic_iv_len; i++ )
680 dst_iv[i] ^= dynamic_iv[i];
681 }
682 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
683
mbedtls_ssl_encrypt_buf(mbedtls_ssl_context * ssl,mbedtls_ssl_transform * transform,mbedtls_record * rec,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)684 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
685 mbedtls_ssl_transform *transform,
686 mbedtls_record *rec,
687 int (*f_rng)(void *, unsigned char *, size_t),
688 void *p_rng )
689 {
690 mbedtls_ssl_mode_t ssl_mode;
691 int auth_done = 0;
692 unsigned char * data;
693 /* For an explanation of the additional data length see
694 * the description of ssl_extract_add_data_from_record().
695 */
696 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
697 unsigned char add_data[23 + MBEDTLS_SSL_CID_OUT_LEN_MAX];
698 #else
699 unsigned char add_data[13];
700 #endif
701 size_t add_data_len;
702 size_t post_avail;
703
704 /* The SSL context is only used for debugging purposes! */
705 #if !defined(MBEDTLS_DEBUG_C)
706 ssl = NULL; /* make sure we don't use it except for debug */
707 ((void) ssl);
708 #endif
709
710 /* The PRNG is used for dynamic IV generation that's used
711 * for CBC transformations in TLS 1.2. */
712 #if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
713 defined(MBEDTLS_SSL_PROTO_TLS1_2) )
714 ((void) f_rng);
715 ((void) p_rng);
716 #endif
717
718 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
719
720 if( transform == NULL )
721 {
722 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) );
723 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
724 }
725 if( rec == NULL
726 || rec->buf == NULL
727 || rec->buf_len < rec->data_offset
728 || rec->buf_len - rec->data_offset < rec->data_len
729 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
730 || rec->cid_len != 0
731 #endif
732 )
733 {
734 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) );
735 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
736 }
737
738 ssl_mode = mbedtls_ssl_get_mode_from_transform( transform );
739
740 data = rec->buf + rec->data_offset;
741 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
742 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
743 data, rec->data_len );
744
745 if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
746 {
747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %" MBEDTLS_PRINTF_SIZET
748 " too large, maximum %" MBEDTLS_PRINTF_SIZET,
749 rec->data_len,
750 (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
751 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
752 }
753
754 /* The following two code paths implement the (D)TLSInnerPlaintext
755 * structure present in TLS 1.3 and DTLS 1.2 + CID.
756 *
757 * See ssl_build_inner_plaintext() for more information.
758 *
759 * Note that this changes `rec->data_len`, and hence
760 * `post_avail` needs to be recalculated afterwards.
761 *
762 * Note also that the two code paths cannot occur simultaneously
763 * since they apply to different versions of the protocol. There
764 * is hence no risk of double-addition of the inner plaintext.
765 */
766 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
767 if( transform->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
768 {
769 size_t padding =
770 ssl_compute_padding_length( rec->data_len,
771 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY );
772 if( ssl_build_inner_plaintext( data,
773 &rec->data_len,
774 post_avail,
775 rec->type,
776 padding ) != 0 )
777 {
778 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
779 }
780
781 rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
782 }
783 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
784
785 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
786 /*
787 * Add CID information
788 */
789 rec->cid_len = transform->out_cid_len;
790 memcpy( rec->cid, transform->out_cid, transform->out_cid_len );
791 MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );
792
793 if( rec->cid_len != 0 )
794 {
795 size_t padding =
796 ssl_compute_padding_length( rec->data_len,
797 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY );
798 /*
799 * Wrap plaintext into DTLSInnerPlaintext structure.
800 * See ssl_build_inner_plaintext() for more information.
801 *
802 * Note that this changes `rec->data_len`, and hence
803 * `post_avail` needs to be recalculated afterwards.
804 */
805 if( ssl_build_inner_plaintext( data,
806 &rec->data_len,
807 post_avail,
808 rec->type,
809 padding ) != 0 )
810 {
811 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
812 }
813
814 rec->type = MBEDTLS_SSL_MSG_CID;
815 }
816 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
817
818 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
819
820 /*
821 * Add MAC before if needed
822 */
823 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
824 if( ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
825 ssl_mode == MBEDTLS_SSL_MODE_CBC )
826 {
827 if( post_avail < transform->maclen )
828 {
829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
830 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
831 }
832 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
833 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
834 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
835 #if defined(MBEDTLS_USE_PSA_CRYPTO)
836 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
837 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
838 size_t sign_mac_length = 0;
839 #endif /* MBEDTLS_USE_PSA_CRYPTO */
840
841 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
842 transform->tls_version,
843 transform->taglen );
844
845 #if defined(MBEDTLS_USE_PSA_CRYPTO)
846 status = psa_mac_sign_setup( &operation, transform->psa_mac_enc,
847 transform->psa_mac_alg );
848 if( status != PSA_SUCCESS )
849 goto hmac_failed_etm_disabled;
850
851 status = psa_mac_update( &operation, add_data, add_data_len );
852 if( status != PSA_SUCCESS )
853 goto hmac_failed_etm_disabled;
854
855 status = psa_mac_update( &operation, data, rec->data_len );
856 if( status != PSA_SUCCESS )
857 goto hmac_failed_etm_disabled;
858
859 status = psa_mac_sign_finish( &operation, mac, MBEDTLS_SSL_MAC_ADD,
860 &sign_mac_length );
861 if( status != PSA_SUCCESS )
862 goto hmac_failed_etm_disabled;
863 #else
864 ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
865 add_data_len );
866 if( ret != 0 )
867 goto hmac_failed_etm_disabled;
868 ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, data, rec->data_len );
869 if( ret != 0 )
870 goto hmac_failed_etm_disabled;
871 ret = mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
872 if( ret != 0 )
873 goto hmac_failed_etm_disabled;
874 ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc );
875 if( ret != 0 )
876 goto hmac_failed_etm_disabled;
877 #endif /* MBEDTLS_USE_PSA_CRYPTO */
878
879 memcpy( data + rec->data_len, mac, transform->maclen );
880 #endif
881
882 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len,
883 transform->maclen );
884
885 rec->data_len += transform->maclen;
886 post_avail -= transform->maclen;
887 auth_done++;
888
889 hmac_failed_etm_disabled:
890 mbedtls_platform_zeroize( mac, transform->maclen );
891 #if defined(MBEDTLS_USE_PSA_CRYPTO)
892 ret = psa_ssl_status_to_mbedtls( status );
893 status = psa_mac_abort( &operation );
894 if( ret == 0 && status != PSA_SUCCESS )
895 ret = psa_ssl_status_to_mbedtls( status );
896 #endif /* MBEDTLS_USE_PSA_CRYPTO */
897 if( ret != 0 )
898 {
899 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_hmac_xxx", ret );
900 return( ret );
901 }
902 }
903 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
904
905 /*
906 * Encrypt
907 */
908 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
909 if( ssl_mode == MBEDTLS_SSL_MODE_STREAM )
910 {
911 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
912 "including %d bytes of padding",
913 rec->data_len, 0 ) );
914
915 /* The only supported stream cipher is "NULL",
916 * so there's nothing to do here.*/
917 }
918 else
919 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */
920
921 #if defined(MBEDTLS_GCM_C) || \
922 defined(MBEDTLS_CCM_C) || \
923 defined(MBEDTLS_CHACHAPOLY_C)
924 if( ssl_mode == MBEDTLS_SSL_MODE_AEAD )
925 {
926 unsigned char iv[12];
927 unsigned char *dynamic_iv;
928 size_t dynamic_iv_len;
929 int dynamic_iv_is_explicit =
930 ssl_transform_aead_dynamic_iv_is_explicit( transform );
931 #if defined(MBEDTLS_USE_PSA_CRYPTO)
932 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
933 #endif /* MBEDTLS_USE_PSA_CRYPTO */
934 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
935
936 /* Check that there's space for the authentication tag. */
937 if( post_avail < transform->taglen )
938 {
939 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
940 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
941 }
942
943 /*
944 * Build nonce for AEAD encryption.
945 *
946 * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
947 * part of the IV is prepended to the ciphertext and
948 * can be chosen freely - in particular, it need not
949 * agree with the record sequence number.
950 * However, since ChaChaPoly as well as all AEAD modes
951 * in TLS 1.3 use the record sequence number as the
952 * dynamic part of the nonce, we uniformly use the
953 * record sequence number here in all cases.
954 */
955 dynamic_iv = rec->ctr;
956 dynamic_iv_len = sizeof( rec->ctr );
957
958 ssl_build_record_nonce( iv, sizeof( iv ),
959 transform->iv_enc,
960 transform->fixed_ivlen,
961 dynamic_iv,
962 dynamic_iv_len );
963
964 /*
965 * Build additional data for AEAD encryption.
966 * This depends on the TLS version.
967 */
968 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
969 transform->tls_version,
970 transform->taglen );
971
972 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
973 iv, transform->ivlen );
974 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
975 dynamic_iv,
976 dynamic_iv_is_explicit ? dynamic_iv_len : 0 );
977 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
978 add_data, add_data_len );
979 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
980 "including 0 bytes of padding",
981 rec->data_len ) );
982
983 /*
984 * Encrypt and authenticate
985 */
986 #if defined(MBEDTLS_USE_PSA_CRYPTO)
987 status = psa_aead_encrypt( transform->psa_key_enc,
988 transform->psa_alg,
989 iv, transform->ivlen,
990 add_data, add_data_len,
991 data, rec->data_len,
992 data, rec->buf_len - (data - rec->buf),
993 &rec->data_len );
994
995 if( status != PSA_SUCCESS )
996 {
997 ret = psa_ssl_status_to_mbedtls( status );
998 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_encrypt_buf", ret );
999 return( ret );
1000 }
1001 #else
1002 if( ( ret = mbedtls_cipher_auth_encrypt_ext( &transform->cipher_ctx_enc,
1003 iv, transform->ivlen,
1004 add_data, add_data_len,
1005 data, rec->data_len, /* src */
1006 data, rec->buf_len - (data - rec->buf), /* dst */
1007 &rec->data_len,
1008 transform->taglen ) ) != 0 )
1009 {
1010 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt_ext", ret );
1011 return( ret );
1012 }
1013 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1014
1015 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
1016 data + rec->data_len - transform->taglen,
1017 transform->taglen );
1018 /* Account for authentication tag. */
1019 post_avail -= transform->taglen;
1020
1021 /*
1022 * Prefix record content with dynamic IV in case it is explicit.
1023 */
1024 if( dynamic_iv_is_explicit != 0 )
1025 {
1026 if( rec->data_offset < dynamic_iv_len )
1027 {
1028 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
1029 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1030 }
1031
1032 memcpy( data - dynamic_iv_len, dynamic_iv, dynamic_iv_len );
1033 rec->data_offset -= dynamic_iv_len;
1034 rec->data_len += dynamic_iv_len;
1035 }
1036
1037 auth_done++;
1038 }
1039 else
1040 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
1041 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
1042 if( ssl_mode == MBEDTLS_SSL_MODE_CBC ||
1043 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
1044 {
1045 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1046 size_t padlen, i;
1047 size_t olen;
1048 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1049 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1050 size_t part_len;
1051 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1052 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1053
1054 /* Currently we're always using minimal padding
1055 * (up to 255 bytes would be allowed). */
1056 padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen;
1057 if( padlen == transform->ivlen )
1058 padlen = 0;
1059
1060 /* Check there's enough space in the buffer for the padding. */
1061 if( post_avail < padlen + 1 )
1062 {
1063 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
1064 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1065 }
1066
1067 for( i = 0; i <= padlen; i++ )
1068 data[rec->data_len + i] = (unsigned char) padlen;
1069
1070 rec->data_len += padlen + 1;
1071 post_avail -= padlen + 1;
1072
1073 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1074 /*
1075 * Prepend per-record IV for block cipher in TLS v1.2 as per
1076 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1077 */
1078 if( f_rng == NULL )
1079 {
1080 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) );
1081 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1082 }
1083
1084 if( rec->data_offset < transform->ivlen )
1085 {
1086 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
1087 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1088 }
1089
1090 /*
1091 * Generate IV
1092 */
1093 ret = f_rng( p_rng, transform->iv_enc, transform->ivlen );
1094 if( ret != 0 )
1095 return( ret );
1096
1097 memcpy( data - transform->ivlen, transform->iv_enc, transform->ivlen );
1098 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1099
1100 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
1101 "including %" MBEDTLS_PRINTF_SIZET
1102 " bytes of IV and %" MBEDTLS_PRINTF_SIZET " bytes of padding",
1103 rec->data_len, transform->ivlen,
1104 padlen + 1 ) );
1105
1106 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1107 status = psa_cipher_encrypt_setup( &cipher_op,
1108 transform->psa_key_enc, transform->psa_alg );
1109
1110 if( status != PSA_SUCCESS )
1111 {
1112 ret = psa_ssl_status_to_mbedtls( status );
1113 MBEDTLS_SSL_DEBUG_RET( 1, "psa_cipher_encrypt_setup", ret );
1114 return( ret );
1115 }
1116
1117 status = psa_cipher_set_iv( &cipher_op, transform->iv_enc, transform->ivlen );
1118
1119 if( status != PSA_SUCCESS )
1120 {
1121 ret = psa_ssl_status_to_mbedtls( status );
1122 MBEDTLS_SSL_DEBUG_RET( 1, "psa_cipher_set_iv", ret );
1123 return( ret );
1124
1125 }
1126
1127 status = psa_cipher_update( &cipher_op,
1128 data, rec->data_len,
1129 data, rec->data_len, &olen );
1130
1131 if( status != PSA_SUCCESS )
1132 {
1133 ret = psa_ssl_status_to_mbedtls( status );
1134 MBEDTLS_SSL_DEBUG_RET( 1, "psa_cipher_update", ret );
1135 return( ret );
1136
1137 }
1138
1139 status = psa_cipher_finish( &cipher_op,
1140 data + olen, rec->data_len - olen,
1141 &part_len );
1142
1143 if( status != PSA_SUCCESS )
1144 {
1145 ret = psa_ssl_status_to_mbedtls( status );
1146 MBEDTLS_SSL_DEBUG_RET( 1, "psa_cipher_finish", ret );
1147 return( ret );
1148
1149 }
1150
1151 olen += part_len;
1152 #else
1153 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
1154 transform->iv_enc,
1155 transform->ivlen,
1156 data, rec->data_len,
1157 data, &olen ) ) != 0 )
1158 {
1159 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1160 return( ret );
1161 }
1162 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1163
1164 if( rec->data_len != olen )
1165 {
1166 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1167 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1168 }
1169
1170 data -= transform->ivlen;
1171 rec->data_offset -= transform->ivlen;
1172 rec->data_len += transform->ivlen;
1173
1174 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1175 if( auth_done == 0 )
1176 {
1177 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
1178 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1179 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
1180 size_t sign_mac_length = 0;
1181 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1182
1183 /* MAC(MAC_write_key, add_data, IV, ENC(content + padding + padding_length))
1184 */
1185
1186 if( post_avail < transform->maclen)
1187 {
1188 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
1189 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
1190 }
1191
1192 ssl_extract_add_data_from_record( add_data, &add_data_len,
1193 rec, transform->tls_version,
1194 transform->taglen );
1195
1196 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1197 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
1198 add_data_len );
1199 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1200 status = psa_mac_sign_setup( &operation, transform->psa_mac_enc,
1201 transform->psa_mac_alg );
1202 if( status != PSA_SUCCESS )
1203 goto hmac_failed_etm_enabled;
1204
1205 status = psa_mac_update( &operation, add_data, add_data_len );
1206 if( status != PSA_SUCCESS )
1207 goto hmac_failed_etm_enabled;
1208
1209 status = psa_mac_update( &operation, data, rec->data_len );
1210 if( status != PSA_SUCCESS )
1211 goto hmac_failed_etm_enabled;
1212
1213 status = psa_mac_sign_finish( &operation, mac, MBEDTLS_SSL_MAC_ADD,
1214 &sign_mac_length );
1215 if( status != PSA_SUCCESS )
1216 goto hmac_failed_etm_enabled;
1217 #else
1218
1219 ret = mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
1220 add_data_len );
1221 if( ret != 0 )
1222 goto hmac_failed_etm_enabled;
1223 ret = mbedtls_md_hmac_update( &transform->md_ctx_enc,
1224 data, rec->data_len );
1225 if( ret != 0 )
1226 goto hmac_failed_etm_enabled;
1227 ret = mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
1228 if( ret != 0 )
1229 goto hmac_failed_etm_enabled;
1230 ret = mbedtls_md_hmac_reset( &transform->md_ctx_enc );
1231 if( ret != 0 )
1232 goto hmac_failed_etm_enabled;
1233 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1234
1235 memcpy( data + rec->data_len, mac, transform->maclen );
1236
1237 rec->data_len += transform->maclen;
1238 post_avail -= transform->maclen;
1239 auth_done++;
1240
1241 hmac_failed_etm_enabled:
1242 mbedtls_platform_zeroize( mac, transform->maclen );
1243 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1244 ret = psa_ssl_status_to_mbedtls( status );
1245 status = psa_mac_abort( &operation );
1246 if( ret == 0 && status != PSA_SUCCESS )
1247 ret = psa_ssl_status_to_mbedtls( status );
1248 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1249 if( ret != 0 )
1250 {
1251 MBEDTLS_SSL_DEBUG_RET( 1, "HMAC calculation failed", ret );
1252 return( ret );
1253 }
1254 }
1255 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1256 }
1257 else
1258 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
1259 {
1260 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1261 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1262 }
1263
1264 /* Make extra sure authentication was performed, exactly once */
1265 if( auth_done != 1 )
1266 {
1267 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1268 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1269 }
1270
1271 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1272
1273 return( 0 );
1274 }
1275
mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const * ssl,mbedtls_ssl_transform * transform,mbedtls_record * rec)1276 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
1277 mbedtls_ssl_transform *transform,
1278 mbedtls_record *rec )
1279 {
1280 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) || defined(MBEDTLS_CIPHER_MODE_AEAD)
1281 size_t olen;
1282 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC || MBEDTLS_CIPHER_MODE_AEAD */
1283 mbedtls_ssl_mode_t ssl_mode;
1284 int ret;
1285
1286 int auth_done = 0;
1287 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1288 size_t padlen = 0, correct = 1;
1289 #endif
1290 unsigned char* data;
1291 /* For an explanation of the additional data length see
1292 * the description of ssl_extract_add_data_from_record().
1293 */
1294 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1295 unsigned char add_data[23 + MBEDTLS_SSL_CID_IN_LEN_MAX];
1296 #else
1297 unsigned char add_data[13];
1298 #endif
1299 size_t add_data_len;
1300
1301 #if !defined(MBEDTLS_DEBUG_C)
1302 ssl = NULL; /* make sure we don't use it except for debug */
1303 ((void) ssl);
1304 #endif
1305
1306 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1307 if( rec == NULL ||
1308 rec->buf == NULL ||
1309 rec->buf_len < rec->data_offset ||
1310 rec->buf_len - rec->data_offset < rec->data_len )
1311 {
1312 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) );
1313 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1314 }
1315
1316 data = rec->buf + rec->data_offset;
1317 ssl_mode = mbedtls_ssl_get_mode_from_transform( transform );
1318
1319 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1320 /*
1321 * Match record's CID with incoming CID.
1322 */
1323 if( rec->cid_len != transform->in_cid_len ||
1324 memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
1325 {
1326 return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
1327 }
1328 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1329
1330 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
1331 if( ssl_mode == MBEDTLS_SSL_MODE_STREAM )
1332 {
1333 /* The only supported stream cipher is "NULL",
1334 * so there's nothing to do here.*/
1335 }
1336 else
1337 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */
1338 #if defined(MBEDTLS_GCM_C) || \
1339 defined(MBEDTLS_CCM_C) || \
1340 defined(MBEDTLS_CHACHAPOLY_C)
1341 if( ssl_mode == MBEDTLS_SSL_MODE_AEAD )
1342 {
1343 unsigned char iv[12];
1344 unsigned char *dynamic_iv;
1345 size_t dynamic_iv_len;
1346 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1347 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1348 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1349
1350 /*
1351 * Extract dynamic part of nonce for AEAD decryption.
1352 *
1353 * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
1354 * part of the IV is prepended to the ciphertext and
1355 * can be chosen freely - in particular, it need not
1356 * agree with the record sequence number.
1357 */
1358 dynamic_iv_len = sizeof( rec->ctr );
1359 if( ssl_transform_aead_dynamic_iv_is_explicit( transform ) == 1 )
1360 {
1361 if( rec->data_len < dynamic_iv_len )
1362 {
1363 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1364 " ) < explicit_iv_len (%" MBEDTLS_PRINTF_SIZET ") ",
1365 rec->data_len,
1366 dynamic_iv_len ) );
1367 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1368 }
1369 dynamic_iv = data;
1370
1371 data += dynamic_iv_len;
1372 rec->data_offset += dynamic_iv_len;
1373 rec->data_len -= dynamic_iv_len;
1374 }
1375 else
1376 {
1377 dynamic_iv = rec->ctr;
1378 }
1379
1380 /* Check that there's space for the authentication tag. */
1381 if( rec->data_len < transform->taglen )
1382 {
1383 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1384 ") < taglen (%" MBEDTLS_PRINTF_SIZET ") ",
1385 rec->data_len,
1386 transform->taglen ) );
1387 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1388 }
1389 rec->data_len -= transform->taglen;
1390
1391 /*
1392 * Prepare nonce from dynamic and static parts.
1393 */
1394 ssl_build_record_nonce( iv, sizeof( iv ),
1395 transform->iv_dec,
1396 transform->fixed_ivlen,
1397 dynamic_iv,
1398 dynamic_iv_len );
1399
1400 /*
1401 * Build additional data for AEAD encryption.
1402 * This depends on the TLS version.
1403 */
1404 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1405 transform->tls_version,
1406 transform->taglen );
1407 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1408 add_data, add_data_len );
1409
1410 /* Because of the check above, we know that there are
1411 * explicit_iv_len Bytes preceding data, and taglen
1412 * bytes following data + data_len. This justifies
1413 * the debug message and the invocation of
1414 * mbedtls_cipher_auth_decrypt_ext() below. */
1415
1416 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
1417 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len,
1418 transform->taglen );
1419
1420 /*
1421 * Decrypt and authenticate
1422 */
1423 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1424 status = psa_aead_decrypt( transform->psa_key_dec,
1425 transform->psa_alg,
1426 iv, transform->ivlen,
1427 add_data, add_data_len,
1428 data, rec->data_len + transform->taglen,
1429 data, rec->buf_len - (data - rec->buf),
1430 &olen );
1431
1432 if( status != PSA_SUCCESS )
1433 {
1434 ret = psa_ssl_status_to_mbedtls( status );
1435 MBEDTLS_SSL_DEBUG_RET( 1, "psa_aead_decrypt", ret );
1436 return( ret );
1437 }
1438 #else
1439 if( ( ret = mbedtls_cipher_auth_decrypt_ext( &transform->cipher_ctx_dec,
1440 iv, transform->ivlen,
1441 add_data, add_data_len,
1442 data, rec->data_len + transform->taglen, /* src */
1443 data, rec->buf_len - (data - rec->buf), &olen, /* dst */
1444 transform->taglen ) ) != 0 )
1445 {
1446 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt_ext", ret );
1447
1448 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
1449 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1450
1451 return( ret );
1452 }
1453 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1454
1455 auth_done++;
1456
1457 /* Double-check that AEAD decryption doesn't change content length. */
1458 if( olen != rec->data_len )
1459 {
1460 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1461 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1462 }
1463 }
1464 else
1465 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1466 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
1467 if( ssl_mode == MBEDTLS_SSL_MODE_CBC ||
1468 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
1469 {
1470 size_t minlen = 0;
1471 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1472 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
1473 size_t part_len;
1474 psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
1475 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1476
1477 /*
1478 * Check immediate ciphertext sanity
1479 */
1480 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1481 /* The ciphertext is prefixed with the CBC IV. */
1482 minlen += transform->ivlen;
1483 #endif
1484
1485 /* Size considerations:
1486 *
1487 * - The CBC cipher text must not be empty and hence
1488 * at least of size transform->ivlen.
1489 *
1490 * Together with the potential IV-prefix, this explains
1491 * the first of the two checks below.
1492 *
1493 * - The record must contain a MAC, either in plain or
1494 * encrypted, depending on whether Encrypt-then-MAC
1495 * is used or not.
1496 * - If it is, the message contains the IV-prefix,
1497 * the CBC ciphertext, and the MAC.
1498 * - If it is not, the padded plaintext, and hence
1499 * the CBC ciphertext, has at least length maclen + 1
1500 * because there is at least the padding length byte.
1501 *
1502 * As the CBC ciphertext is not empty, both cases give the
1503 * lower bound minlen + maclen + 1 on the record size, which
1504 * we test for in the second check below.
1505 */
1506 if( rec->data_len < minlen + transform->ivlen ||
1507 rec->data_len < minlen + transform->maclen + 1 )
1508 {
1509 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1510 ") < max( ivlen(%" MBEDTLS_PRINTF_SIZET
1511 "), maclen (%" MBEDTLS_PRINTF_SIZET ") "
1512 "+ 1 ) ( + expl IV )", rec->data_len,
1513 transform->ivlen,
1514 transform->maclen ) );
1515 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1516 }
1517
1518 /*
1519 * Authenticate before decrypt if enabled
1520 */
1521 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1522 if( ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM )
1523 {
1524 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1525 psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
1526 #else
1527 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
1528 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1529
1530 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1531
1532 /* Update data_len in tandem with add_data.
1533 *
1534 * The subtraction is safe because of the previous check
1535 * data_len >= minlen + maclen + 1.
1536 *
1537 * Afterwards, we know that data + data_len is followed by at
1538 * least maclen Bytes, which justifies the call to
1539 * mbedtls_ct_memcmp() below.
1540 *
1541 * Further, we still know that data_len > minlen */
1542 rec->data_len -= transform->maclen;
1543 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1544 transform->tls_version,
1545 transform->taglen );
1546
1547 /* Calculate expected MAC. */
1548 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
1549 add_data_len );
1550 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1551 status = psa_mac_verify_setup( &operation, transform->psa_mac_dec,
1552 transform->psa_mac_alg );
1553 if( status != PSA_SUCCESS )
1554 goto hmac_failed_etm_enabled;
1555
1556 status = psa_mac_update( &operation, add_data, add_data_len );
1557 if( status != PSA_SUCCESS )
1558 goto hmac_failed_etm_enabled;
1559
1560 status = psa_mac_update( &operation, data, rec->data_len );
1561 if( status != PSA_SUCCESS )
1562 goto hmac_failed_etm_enabled;
1563
1564 /* Compare expected MAC with MAC at the end of the record. */
1565 status = psa_mac_verify_finish( &operation, data + rec->data_len,
1566 transform->maclen );
1567 if( status != PSA_SUCCESS )
1568 goto hmac_failed_etm_enabled;
1569 #else
1570 ret = mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1571 add_data_len );
1572 if( ret != 0 )
1573 goto hmac_failed_etm_enabled;
1574 ret = mbedtls_md_hmac_update( &transform->md_ctx_dec,
1575 data, rec->data_len );
1576 if( ret != 0 )
1577 goto hmac_failed_etm_enabled;
1578 ret = mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
1579 if( ret != 0 )
1580 goto hmac_failed_etm_enabled;
1581 ret = mbedtls_md_hmac_reset( &transform->md_ctx_dec );
1582 if( ret != 0 )
1583 goto hmac_failed_etm_enabled;
1584
1585 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len,
1586 transform->maclen );
1587 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
1588 transform->maclen );
1589
1590 /* Compare expected MAC with MAC at the end of the record. */
1591 if( mbedtls_ct_memcmp( data + rec->data_len, mac_expect,
1592 transform->maclen ) != 0 )
1593 {
1594 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1595 ret = MBEDTLS_ERR_SSL_INVALID_MAC;
1596 goto hmac_failed_etm_enabled;
1597 }
1598 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1599 auth_done++;
1600
1601 hmac_failed_etm_enabled:
1602 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1603 ret = psa_ssl_status_to_mbedtls( status );
1604 status = psa_mac_abort( &operation );
1605 if( ret == 0 && status != PSA_SUCCESS )
1606 ret = psa_ssl_status_to_mbedtls( status );
1607 #else
1608 mbedtls_platform_zeroize( mac_expect, transform->maclen );
1609 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1610 if( ret != 0 )
1611 {
1612 if( ret != MBEDTLS_ERR_SSL_INVALID_MAC )
1613 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_hmac_xxx", ret );
1614 return( ret );
1615 }
1616 }
1617 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1618
1619 /*
1620 * Check length sanity
1621 */
1622
1623 /* We know from above that data_len > minlen >= 0,
1624 * so the following check in particular implies that
1625 * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
1626 if( rec->data_len % transform->ivlen != 0 )
1627 {
1628 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1629 ") %% ivlen (%" MBEDTLS_PRINTF_SIZET ") != 0",
1630 rec->data_len, transform->ivlen ) );
1631 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1632 }
1633
1634 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1635 /*
1636 * Initialize for prepended IV for block cipher in TLS v1.2
1637 */
1638 /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
1639 memcpy( transform->iv_dec, data, transform->ivlen );
1640
1641 data += transform->ivlen;
1642 rec->data_offset += transform->ivlen;
1643 rec->data_len -= transform->ivlen;
1644 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1645
1646 /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
1647
1648 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1649 status = psa_cipher_decrypt_setup( &cipher_op,
1650 transform->psa_key_dec, transform->psa_alg );
1651
1652 if( status != PSA_SUCCESS )
1653 {
1654 ret = psa_ssl_status_to_mbedtls( status );
1655 MBEDTLS_SSL_DEBUG_RET( 1, "psa_cipher_decrypt_setup", ret );
1656 return( ret );
1657 }
1658
1659 status = psa_cipher_set_iv( &cipher_op, transform->iv_dec, transform->ivlen );
1660
1661 if( status != PSA_SUCCESS )
1662 {
1663 ret = psa_ssl_status_to_mbedtls( status );
1664 MBEDTLS_SSL_DEBUG_RET( 1, "psa_cipher_set_iv", ret );
1665 return( ret );
1666 }
1667
1668 status = psa_cipher_update( &cipher_op,
1669 data, rec->data_len,
1670 data, rec->data_len, &olen );
1671
1672 if( status != PSA_SUCCESS )
1673 {
1674 ret = psa_ssl_status_to_mbedtls( status );
1675 MBEDTLS_SSL_DEBUG_RET( 1, "psa_cipher_update", ret );
1676 return( ret );
1677 }
1678
1679 status = psa_cipher_finish( &cipher_op,
1680 data + olen, rec->data_len - olen,
1681 &part_len );
1682
1683 if( status != PSA_SUCCESS )
1684 {
1685 ret = psa_ssl_status_to_mbedtls( status );
1686 MBEDTLS_SSL_DEBUG_RET( 1, "psa_cipher_finish", ret );
1687 return( ret );
1688 }
1689
1690 olen += part_len;
1691 #else
1692
1693 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1694 transform->iv_dec, transform->ivlen,
1695 data, rec->data_len, data, &olen ) ) != 0 )
1696 {
1697 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1698 return( ret );
1699 }
1700 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1701
1702 /* Double-check that length hasn't changed during decryption. */
1703 if( rec->data_len != olen )
1704 {
1705 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1706 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1707 }
1708
1709 /* Safe since data_len >= minlen + maclen + 1, so after having
1710 * subtracted at most minlen and maclen up to this point,
1711 * data_len > 0 (because of data_len % ivlen == 0, it's actually
1712 * >= ivlen ). */
1713 padlen = data[rec->data_len - 1];
1714
1715 if( auth_done == 1 )
1716 {
1717 const size_t mask = mbedtls_ct_size_mask_ge(
1718 rec->data_len,
1719 padlen + 1 );
1720 correct &= mask;
1721 padlen &= mask;
1722 }
1723 else
1724 {
1725 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1726 if( rec->data_len < transform->maclen + padlen + 1 )
1727 {
1728 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1729 ") < maclen (%" MBEDTLS_PRINTF_SIZET
1730 ") + padlen (%" MBEDTLS_PRINTF_SIZET ")",
1731 rec->data_len,
1732 transform->maclen,
1733 padlen + 1 ) );
1734 }
1735 #endif
1736
1737 const size_t mask = mbedtls_ct_size_mask_ge(
1738 rec->data_len,
1739 transform->maclen + padlen + 1 );
1740 correct &= mask;
1741 padlen &= mask;
1742 }
1743
1744 padlen++;
1745
1746 /* Regardless of the validity of the padding,
1747 * we have data_len >= padlen here. */
1748
1749 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1750 /* The padding check involves a series of up to 256
1751 * consecutive memory reads at the end of the record
1752 * plaintext buffer. In order to hide the length and
1753 * validity of the padding, always perform exactly
1754 * `min(256,plaintext_len)` reads (but take into account
1755 * only the last `padlen` bytes for the padding check). */
1756 size_t pad_count = 0;
1757 volatile unsigned char* const check = data;
1758
1759 /* Index of first padding byte; it has been ensured above
1760 * that the subtraction is safe. */
1761 size_t const padding_idx = rec->data_len - padlen;
1762 size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
1763 size_t const start_idx = rec->data_len - num_checks;
1764 size_t idx;
1765
1766 for( idx = start_idx; idx < rec->data_len; idx++ )
1767 {
1768 /* pad_count += (idx >= padding_idx) &&
1769 * (check[idx] == padlen - 1);
1770 */
1771 const size_t mask = mbedtls_ct_size_mask_ge( idx, padding_idx );
1772 const size_t equal = mbedtls_ct_size_bool_eq( check[idx],
1773 padlen - 1 );
1774 pad_count += mask & equal;
1775 }
1776 correct &= mbedtls_ct_size_bool_eq( pad_count, padlen );
1777
1778 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1779 if( padlen > 0 && correct == 0 )
1780 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1781 #endif
1782 padlen &= mbedtls_ct_size_mask( correct );
1783
1784 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1785
1786 /* If the padding was found to be invalid, padlen == 0
1787 * and the subtraction is safe. If the padding was found valid,
1788 * padlen hasn't been changed and the previous assertion
1789 * data_len >= padlen still holds. */
1790 rec->data_len -= padlen;
1791 }
1792 else
1793 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
1794 {
1795 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1796 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1797 }
1798
1799 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1800 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1801 data, rec->data_len );
1802 #endif
1803
1804 /*
1805 * Authenticate if not done yet.
1806 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
1807 */
1808 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1809 if( auth_done == 0 )
1810 {
1811 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD] = { 0 };
1812 unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD] = { 0 };
1813
1814 /* If the initial value of padlen was such that
1815 * data_len < maclen + padlen + 1, then padlen
1816 * got reset to 1, and the initial check
1817 * data_len >= minlen + maclen + 1
1818 * guarantees that at this point we still
1819 * have at least data_len >= maclen.
1820 *
1821 * If the initial value of padlen was such that
1822 * data_len >= maclen + padlen + 1, then we have
1823 * subtracted either padlen + 1 (if the padding was correct)
1824 * or 0 (if the padding was incorrect) since then,
1825 * hence data_len >= maclen in any case.
1826 */
1827 rec->data_len -= transform->maclen;
1828 ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1829 transform->tls_version,
1830 transform->taglen );
1831
1832 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1833 /*
1834 * The next two sizes are the minimum and maximum values of
1835 * data_len over all padlen values.
1836 *
1837 * They're independent of padlen, since we previously did
1838 * data_len -= padlen.
1839 *
1840 * Note that max_len + maclen is never more than the buffer
1841 * length, as we previously did in_msglen -= maclen too.
1842 */
1843 const size_t max_len = rec->data_len + padlen;
1844 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
1845
1846 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1847 ret = mbedtls_ct_hmac( transform->psa_mac_dec,
1848 transform->psa_mac_alg,
1849 add_data, add_data_len,
1850 data, rec->data_len, min_len, max_len,
1851 mac_expect );
1852 #else
1853 ret = mbedtls_ct_hmac( &transform->md_ctx_dec,
1854 add_data, add_data_len,
1855 data, rec->data_len, min_len, max_len,
1856 mac_expect );
1857 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1858 if( ret != 0 )
1859 {
1860 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ct_hmac", ret );
1861 goto hmac_failed_etm_disabled;
1862 }
1863
1864 mbedtls_ct_memcpy_offset( mac_peer, data,
1865 rec->data_len,
1866 min_len, max_len,
1867 transform->maclen );
1868 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1869
1870 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1871 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
1872 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen );
1873 #endif
1874
1875 if( mbedtls_ct_memcmp( mac_peer, mac_expect,
1876 transform->maclen ) != 0 )
1877 {
1878 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1879 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1880 #endif
1881 correct = 0;
1882 }
1883 auth_done++;
1884
1885 hmac_failed_etm_disabled:
1886 mbedtls_platform_zeroize( mac_peer, transform->maclen );
1887 mbedtls_platform_zeroize( mac_expect, transform->maclen );
1888 if( ret != 0 )
1889 return( ret );
1890 }
1891
1892 /*
1893 * Finally check the correct flag
1894 */
1895 if( correct == 0 )
1896 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1897 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
1898
1899 /* Make extra sure authentication was performed, exactly once */
1900 if( auth_done != 1 )
1901 {
1902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1903 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1904 }
1905
1906 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1907 if( transform->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
1908 {
1909 /* Remove inner padding and infer true content type. */
1910 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1911 &rec->type );
1912
1913 if( ret != 0 )
1914 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1915 }
1916 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1917
1918 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1919 if( rec->cid_len != 0 )
1920 {
1921 ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1922 &rec->type );
1923 if( ret != 0 )
1924 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1925 }
1926 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1927
1928 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1929
1930 return( 0 );
1931 }
1932
1933 #undef MAC_NONE
1934 #undef MAC_PLAINTEXT
1935 #undef MAC_CIPHERTEXT
1936
1937 /*
1938 * Fill the input message buffer by appending data to it.
1939 * The amount of data already fetched is in ssl->in_left.
1940 *
1941 * If we return 0, is it guaranteed that (at least) nb_want bytes are
1942 * available (from this read and/or a previous one). Otherwise, an error code
1943 * is returned (possibly EOF or WANT_READ).
1944 *
1945 * With stream transport (TLS) on success ssl->in_left == nb_want, but
1946 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
1947 * since we always read a whole datagram at once.
1948 *
1949 * For DTLS, it is up to the caller to set ssl->next_record_offset when
1950 * they're done reading a record.
1951 */
mbedtls_ssl_fetch_input(mbedtls_ssl_context * ssl,size_t nb_want)1952 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
1953 {
1954 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1955 size_t len;
1956 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1957 size_t in_buf_len = ssl->in_buf_len;
1958 #else
1959 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1960 #endif
1961
1962 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1963
1964 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
1965 {
1966 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " ) );
1967 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1968 }
1969
1970 if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
1971 {
1972 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1973 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1974 }
1975
1976 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1977 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1978 {
1979 uint32_t timeout;
1980
1981 /*
1982 * The point is, we need to always read a full datagram at once, so we
1983 * sometimes read more then requested, and handle the additional data.
1984 * It could be the rest of the current record (while fetching the
1985 * header) and/or some other records in the same datagram.
1986 */
1987
1988 /*
1989 * Move to the next record in the already read datagram if applicable
1990 */
1991 if( ssl->next_record_offset != 0 )
1992 {
1993 if( ssl->in_left < ssl->next_record_offset )
1994 {
1995 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1996 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1997 }
1998
1999 ssl->in_left -= ssl->next_record_offset;
2000
2001 if( ssl->in_left != 0 )
2002 {
2003 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %"
2004 MBEDTLS_PRINTF_SIZET,
2005 ssl->next_record_offset ) );
2006 memmove( ssl->in_hdr,
2007 ssl->in_hdr + ssl->next_record_offset,
2008 ssl->in_left );
2009 }
2010
2011 ssl->next_record_offset = 0;
2012 }
2013
2014 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
2015 ", nb_want: %" MBEDTLS_PRINTF_SIZET,
2016 ssl->in_left, nb_want ) );
2017
2018 /*
2019 * Done if we already have enough data.
2020 */
2021 if( nb_want <= ssl->in_left)
2022 {
2023 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2024 return( 0 );
2025 }
2026
2027 /*
2028 * A record can't be split across datagrams. If we need to read but
2029 * are not at the beginning of a new record, the caller did something
2030 * wrong.
2031 */
2032 if( ssl->in_left != 0 )
2033 {
2034 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2035 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2036 }
2037
2038 /*
2039 * Don't even try to read if time's out already.
2040 * This avoids by-passing the timer when repeatedly receiving messages
2041 * that will end up being dropped.
2042 */
2043 if( mbedtls_ssl_check_timer( ssl ) != 0 )
2044 {
2045 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
2046 ret = MBEDTLS_ERR_SSL_TIMEOUT;
2047 }
2048 else
2049 {
2050 len = in_buf_len - ( ssl->in_hdr - ssl->in_buf );
2051
2052 if( mbedtls_ssl_is_handshake_over( ssl ) == 0 )
2053 timeout = ssl->handshake->retransmit_timeout;
2054 else
2055 timeout = ssl->conf->read_timeout;
2056
2057 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %lu ms", (unsigned long) timeout ) );
2058
2059 if( ssl->f_recv_timeout != NULL )
2060 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
2061 timeout );
2062 else
2063 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
2064
2065 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
2066
2067 if( ret == 0 )
2068 return( MBEDTLS_ERR_SSL_CONN_EOF );
2069 }
2070
2071 if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
2072 {
2073 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
2074 mbedtls_ssl_set_timer( ssl, 0 );
2075
2076 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
2077 {
2078 if( ssl_double_retransmit_timeout( ssl ) != 0 )
2079 {
2080 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
2081 return( MBEDTLS_ERR_SSL_TIMEOUT );
2082 }
2083
2084 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
2085 {
2086 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
2087 return( ret );
2088 }
2089
2090 return( MBEDTLS_ERR_SSL_WANT_READ );
2091 }
2092 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2093 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
2094 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
2095 {
2096 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
2097 {
2098 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
2099 ret );
2100 return( ret );
2101 }
2102
2103 return( MBEDTLS_ERR_SSL_WANT_READ );
2104 }
2105 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
2106 }
2107
2108 if( ret < 0 )
2109 return( ret );
2110
2111 ssl->in_left = ret;
2112 }
2113 else
2114 #endif
2115 {
2116 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
2117 ", nb_want: %" MBEDTLS_PRINTF_SIZET,
2118 ssl->in_left, nb_want ) );
2119
2120 while( ssl->in_left < nb_want )
2121 {
2122 len = nb_want - ssl->in_left;
2123
2124 if( mbedtls_ssl_check_timer( ssl ) != 0 )
2125 ret = MBEDTLS_ERR_SSL_TIMEOUT;
2126 else
2127 {
2128 if( ssl->f_recv_timeout != NULL )
2129 {
2130 ret = ssl->f_recv_timeout( ssl->p_bio,
2131 ssl->in_hdr + ssl->in_left, len,
2132 ssl->conf->read_timeout );
2133 }
2134 else
2135 {
2136 ret = ssl->f_recv( ssl->p_bio,
2137 ssl->in_hdr + ssl->in_left, len );
2138 }
2139 }
2140
2141 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
2142 ", nb_want: %" MBEDTLS_PRINTF_SIZET,
2143 ssl->in_left, nb_want ) );
2144 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
2145
2146 if( ret == 0 )
2147 return( MBEDTLS_ERR_SSL_CONN_EOF );
2148
2149 if( ret < 0 )
2150 return( ret );
2151
2152 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
2153 {
2154 MBEDTLS_SSL_DEBUG_MSG( 1,
2155 ( "f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " were requested",
2156 ret, len ) );
2157 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2158 }
2159
2160 ssl->in_left += ret;
2161 }
2162 }
2163
2164 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2165
2166 return( 0 );
2167 }
2168
2169 /*
2170 * Flush any data not yet written
2171 */
mbedtls_ssl_flush_output(mbedtls_ssl_context * ssl)2172 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
2173 {
2174 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2175 unsigned char *buf;
2176
2177 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
2178
2179 if( ssl->f_send == NULL )
2180 {
2181 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " ) );
2182 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2183 }
2184
2185 /* Avoid incrementing counter if data is flushed */
2186 if( ssl->out_left == 0 )
2187 {
2188 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2189 return( 0 );
2190 }
2191
2192 while( ssl->out_left > 0 )
2193 {
2194 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %" MBEDTLS_PRINTF_SIZET
2195 ", out_left: %" MBEDTLS_PRINTF_SIZET,
2196 mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
2197
2198 buf = ssl->out_hdr - ssl->out_left;
2199 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
2200
2201 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
2202
2203 if( ret <= 0 )
2204 return( ret );
2205
2206 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
2207 {
2208 MBEDTLS_SSL_DEBUG_MSG( 1,
2209 ( "f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " bytes were sent",
2210 ret, ssl->out_left ) );
2211 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2212 }
2213
2214 ssl->out_left -= ret;
2215 }
2216
2217 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2218 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2219 {
2220 ssl->out_hdr = ssl->out_buf;
2221 }
2222 else
2223 #endif
2224 {
2225 ssl->out_hdr = ssl->out_buf + 8;
2226 }
2227 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
2228
2229 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2230
2231 return( 0 );
2232 }
2233
2234 /*
2235 * Functions to handle the DTLS retransmission state machine
2236 */
2237 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2238 /*
2239 * Append current handshake message to current outgoing flight
2240 */
2241 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_flight_append(mbedtls_ssl_context * ssl)2242 static int ssl_flight_append( mbedtls_ssl_context *ssl )
2243 {
2244 mbedtls_ssl_flight_item *msg;
2245 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
2246 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
2247 ssl->out_msg, ssl->out_msglen );
2248
2249 /* Allocate space for current message */
2250 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
2251 {
2252 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
2253 sizeof( mbedtls_ssl_flight_item ) ) );
2254 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2255 }
2256
2257 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
2258 {
2259 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
2260 ssl->out_msglen ) );
2261 mbedtls_free( msg );
2262 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2263 }
2264
2265 /* Copy current handshake message with headers */
2266 memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
2267 msg->len = ssl->out_msglen;
2268 msg->type = ssl->out_msgtype;
2269 msg->next = NULL;
2270
2271 /* Append to the current flight */
2272 if( ssl->handshake->flight == NULL )
2273 ssl->handshake->flight = msg;
2274 else
2275 {
2276 mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
2277 while( cur->next != NULL )
2278 cur = cur->next;
2279 cur->next = msg;
2280 }
2281
2282 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
2283 return( 0 );
2284 }
2285
2286 /*
2287 * Free the current flight of handshake messages
2288 */
mbedtls_ssl_flight_free(mbedtls_ssl_flight_item * flight)2289 void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight )
2290 {
2291 mbedtls_ssl_flight_item *cur = flight;
2292 mbedtls_ssl_flight_item *next;
2293
2294 while( cur != NULL )
2295 {
2296 next = cur->next;
2297
2298 mbedtls_free( cur->p );
2299 mbedtls_free( cur );
2300
2301 cur = next;
2302 }
2303 }
2304
2305 /*
2306 * Swap transform_out and out_ctr with the alternative ones
2307 */
2308 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_swap_epochs(mbedtls_ssl_context * ssl)2309 static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
2310 {
2311 mbedtls_ssl_transform *tmp_transform;
2312 unsigned char tmp_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN];
2313
2314 if( ssl->transform_out == ssl->handshake->alt_transform_out )
2315 {
2316 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
2317 return( 0 );
2318 }
2319
2320 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
2321
2322 /* Swap transforms */
2323 tmp_transform = ssl->transform_out;
2324 ssl->transform_out = ssl->handshake->alt_transform_out;
2325 ssl->handshake->alt_transform_out = tmp_transform;
2326
2327 /* Swap epoch + sequence_number */
2328 memcpy( tmp_out_ctr, ssl->cur_out_ctr, sizeof( tmp_out_ctr ) );
2329 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr,
2330 sizeof( ssl->cur_out_ctr ) );
2331 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr,
2332 sizeof( ssl->handshake->alt_out_ctr ) );
2333
2334 /* Adjust to the newly activated transform */
2335 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
2336
2337 return( 0 );
2338 }
2339
2340 /*
2341 * Retransmit the current flight of messages.
2342 */
mbedtls_ssl_resend(mbedtls_ssl_context * ssl)2343 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
2344 {
2345 int ret = 0;
2346
2347 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
2348
2349 ret = mbedtls_ssl_flight_transmit( ssl );
2350
2351 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
2352
2353 return( ret );
2354 }
2355
2356 /*
2357 * Transmit or retransmit the current flight of messages.
2358 *
2359 * Need to remember the current message in case flush_output returns
2360 * WANT_WRITE, causing us to exit this function and come back later.
2361 * This function must be called until state is no longer SENDING.
2362 */
mbedtls_ssl_flight_transmit(mbedtls_ssl_context * ssl)2363 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
2364 {
2365 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2366 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
2367
2368 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
2369 {
2370 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
2371
2372 ssl->handshake->cur_msg = ssl->handshake->flight;
2373 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
2374 ret = ssl_swap_epochs( ssl );
2375 if( ret != 0 )
2376 return( ret );
2377
2378 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
2379 }
2380
2381 while( ssl->handshake->cur_msg != NULL )
2382 {
2383 size_t max_frag_len;
2384 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
2385
2386 int const is_finished =
2387 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
2388 cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
2389
2390 int const force_flush = ssl->disable_datagram_packing == 1 ?
2391 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
2392
2393 /* Swap epochs before sending Finished: we can't do it after
2394 * sending ChangeCipherSpec, in case write returns WANT_READ.
2395 * Must be done before copying, may change out_msg pointer */
2396 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
2397 {
2398 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
2399 ret = ssl_swap_epochs( ssl );
2400 if( ret != 0 )
2401 return( ret );
2402 }
2403
2404 ret = ssl_get_remaining_payload_in_datagram( ssl );
2405 if( ret < 0 )
2406 return( ret );
2407 max_frag_len = (size_t) ret;
2408
2409 /* CCS is copied as is, while HS messages may need fragmentation */
2410 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2411 {
2412 if( max_frag_len == 0 )
2413 {
2414 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2415 return( ret );
2416
2417 continue;
2418 }
2419
2420 memcpy( ssl->out_msg, cur->p, cur->len );
2421 ssl->out_msglen = cur->len;
2422 ssl->out_msgtype = cur->type;
2423
2424 /* Update position inside current message */
2425 ssl->handshake->cur_msg_p += cur->len;
2426 }
2427 else
2428 {
2429 const unsigned char * const p = ssl->handshake->cur_msg_p;
2430 const size_t hs_len = cur->len - 12;
2431 const size_t frag_off = p - ( cur->p + 12 );
2432 const size_t rem_len = hs_len - frag_off;
2433 size_t cur_hs_frag_len, max_hs_frag_len;
2434
2435 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
2436 {
2437 if( is_finished )
2438 {
2439 ret = ssl_swap_epochs( ssl );
2440 if( ret != 0 )
2441 return( ret );
2442 }
2443
2444 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2445 return( ret );
2446
2447 continue;
2448 }
2449 max_hs_frag_len = max_frag_len - 12;
2450
2451 cur_hs_frag_len = rem_len > max_hs_frag_len ?
2452 max_hs_frag_len : rem_len;
2453
2454 if( frag_off == 0 && cur_hs_frag_len != hs_len )
2455 {
2456 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
2457 (unsigned) cur_hs_frag_len,
2458 (unsigned) max_hs_frag_len ) );
2459 }
2460
2461 /* Messages are stored with handshake headers as if not fragmented,
2462 * copy beginning of headers then fill fragmentation fields.
2463 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
2464 memcpy( ssl->out_msg, cur->p, 6 );
2465
2466 ssl->out_msg[6] = MBEDTLS_BYTE_2( frag_off );
2467 ssl->out_msg[7] = MBEDTLS_BYTE_1( frag_off );
2468 ssl->out_msg[8] = MBEDTLS_BYTE_0( frag_off );
2469
2470 ssl->out_msg[ 9] = MBEDTLS_BYTE_2( cur_hs_frag_len );
2471 ssl->out_msg[10] = MBEDTLS_BYTE_1( cur_hs_frag_len );
2472 ssl->out_msg[11] = MBEDTLS_BYTE_0( cur_hs_frag_len );
2473
2474 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
2475
2476 /* Copy the handshake message content and set records fields */
2477 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
2478 ssl->out_msglen = cur_hs_frag_len + 12;
2479 ssl->out_msgtype = cur->type;
2480
2481 /* Update position inside current message */
2482 ssl->handshake->cur_msg_p += cur_hs_frag_len;
2483 }
2484
2485 /* If done with the current message move to the next one if any */
2486 if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
2487 {
2488 if( cur->next != NULL )
2489 {
2490 ssl->handshake->cur_msg = cur->next;
2491 ssl->handshake->cur_msg_p = cur->next->p + 12;
2492 }
2493 else
2494 {
2495 ssl->handshake->cur_msg = NULL;
2496 ssl->handshake->cur_msg_p = NULL;
2497 }
2498 }
2499
2500 /* Actually send the message out */
2501 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
2502 {
2503 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
2504 return( ret );
2505 }
2506 }
2507
2508 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2509 return( ret );
2510
2511 /* Update state and set timer */
2512 if( mbedtls_ssl_is_handshake_over( ssl ) == 1 )
2513 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2514 else
2515 {
2516 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
2517 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
2518 }
2519
2520 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
2521
2522 return( 0 );
2523 }
2524
2525 /*
2526 * To be called when the last message of an incoming flight is received.
2527 */
mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context * ssl)2528 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
2529 {
2530 /* We won't need to resend that one any more */
2531 mbedtls_ssl_flight_free( ssl->handshake->flight );
2532 ssl->handshake->flight = NULL;
2533 ssl->handshake->cur_msg = NULL;
2534
2535 /* The next incoming flight will start with this msg_seq */
2536 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
2537
2538 /* We don't want to remember CCS's across flight boundaries. */
2539 ssl->handshake->buffering.seen_ccs = 0;
2540
2541 /* Clear future message buffering structure. */
2542 mbedtls_ssl_buffering_free( ssl );
2543
2544 /* Cancel timer */
2545 mbedtls_ssl_set_timer( ssl, 0 );
2546
2547 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2548 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
2549 {
2550 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2551 }
2552 else
2553 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
2554 }
2555
2556 /*
2557 * To be called when the last message of an outgoing flight is send.
2558 */
mbedtls_ssl_send_flight_completed(mbedtls_ssl_context * ssl)2559 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
2560 {
2561 ssl_reset_retransmit_timeout( ssl );
2562 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
2563
2564 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2565 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
2566 {
2567 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2568 }
2569 else
2570 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
2571 }
2572 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2573
2574 /*
2575 * Handshake layer functions
2576 */
mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context * ssl,unsigned hs_type,unsigned char ** buf,size_t * buf_len)2577 int mbedtls_ssl_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned hs_type,
2578 unsigned char **buf, size_t *buf_len )
2579 {
2580 /*
2581 * Reserve 4 bytes for handshake header. ( Section 4,RFC 8446 )
2582 * ...
2583 * HandshakeType msg_type;
2584 * uint24 length;
2585 * ...
2586 */
2587 *buf = ssl->out_msg + 4;
2588 *buf_len = MBEDTLS_SSL_OUT_CONTENT_LEN - 4;
2589
2590 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
2591 ssl->out_msg[0] = hs_type;
2592
2593 return( 0 );
2594 }
2595
2596 /*
2597 * Write (DTLS: or queue) current handshake (including CCS) message.
2598 *
2599 * - fill in handshake headers
2600 * - update handshake checksum
2601 * - DTLS: save message for resending
2602 * - then pass to the record layer
2603 *
2604 * DTLS: except for HelloRequest, messages are only queued, and will only be
2605 * actually sent when calling flight_transmit() or resend().
2606 *
2607 * Inputs:
2608 * - ssl->out_msglen: 4 + actual handshake message len
2609 * (4 is the size of handshake headers for TLS)
2610 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
2611 * - ssl->out_msg + 4: the handshake message body
2612 *
2613 * Outputs, ie state before passing to flight_append() or write_record():
2614 * - ssl->out_msglen: the length of the record contents
2615 * (including handshake headers but excluding record headers)
2616 * - ssl->out_msg: the record contents (handshake headers + content)
2617 */
mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context * ssl,int update_checksum,int force_flush)2618 int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
2619 int update_checksum,
2620 int force_flush )
2621 {
2622 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2623 const size_t hs_len = ssl->out_msglen - 4;
2624 const unsigned char hs_type = ssl->out_msg[0];
2625
2626 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
2627
2628 /*
2629 * Sanity checks
2630 */
2631 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
2632 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2633 {
2634 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2635 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2636 }
2637
2638 /* Whenever we send anything different from a
2639 * HelloRequest we should be in a handshake - double check. */
2640 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2641 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
2642 ssl->handshake == NULL )
2643 {
2644 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2645 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2646 }
2647
2648 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2649 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2650 ssl->handshake != NULL &&
2651 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
2652 {
2653 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2654 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2655 }
2656 #endif
2657
2658 /* Double-check that we did not exceed the bounds
2659 * of the outgoing record buffer.
2660 * This should never fail as the various message
2661 * writing functions must obey the bounds of the
2662 * outgoing record buffer, but better be safe.
2663 *
2664 * Note: We deliberately do not check for the MTU or MFL here.
2665 */
2666 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
2667 {
2668 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
2669 "size %" MBEDTLS_PRINTF_SIZET
2670 ", maximum %" MBEDTLS_PRINTF_SIZET,
2671 ssl->out_msglen,
2672 (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
2673 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2674 }
2675
2676 /*
2677 * Fill handshake headers
2678 */
2679 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
2680 {
2681 ssl->out_msg[1] = MBEDTLS_BYTE_2( hs_len );
2682 ssl->out_msg[2] = MBEDTLS_BYTE_1( hs_len );
2683 ssl->out_msg[3] = MBEDTLS_BYTE_0( hs_len );
2684
2685 /*
2686 * DTLS has additional fields in the Handshake layer,
2687 * between the length field and the actual payload:
2688 * uint16 message_seq;
2689 * uint24 fragment_offset;
2690 * uint24 fragment_length;
2691 */
2692 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2693 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2694 {
2695 /* Make room for the additional DTLS fields */
2696 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
2697 {
2698 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
2699 "size %" MBEDTLS_PRINTF_SIZET ", maximum %" MBEDTLS_PRINTF_SIZET,
2700 hs_len,
2701 (size_t) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
2702 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2703 }
2704
2705 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
2706 ssl->out_msglen += 8;
2707
2708 /* Write message_seq and update it, except for HelloRequest */
2709 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
2710 {
2711 MBEDTLS_PUT_UINT16_BE( ssl->handshake->out_msg_seq, ssl->out_msg, 4 );
2712 ++( ssl->handshake->out_msg_seq );
2713 }
2714 else
2715 {
2716 ssl->out_msg[4] = 0;
2717 ssl->out_msg[5] = 0;
2718 }
2719
2720 /* Handshake hashes are computed without fragmentation,
2721 * so set frag_offset = 0 and frag_len = hs_len for now */
2722 memset( ssl->out_msg + 6, 0x00, 3 );
2723 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
2724 }
2725 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2726
2727 /* Update running hashes of handshake messages seen */
2728 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST && update_checksum != 0 )
2729 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
2730 }
2731
2732 /* Either send now, or just save to be sent (and resent) later */
2733 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2734 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2735 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2736 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
2737 {
2738 if( ( ret = ssl_flight_append( ssl ) ) != 0 )
2739 {
2740 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
2741 return( ret );
2742 }
2743 }
2744 else
2745 #endif
2746 {
2747 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
2748 {
2749 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2750 return( ret );
2751 }
2752 }
2753
2754 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
2755
2756 return( 0 );
2757 }
2758
mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context * ssl,size_t buf_len,size_t msg_len)2759 int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl,
2760 size_t buf_len, size_t msg_len )
2761 {
2762 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2763 size_t msg_with_header_len;
2764 ((void) buf_len);
2765
2766 /* Add reserved 4 bytes for handshake header */
2767 msg_with_header_len = msg_len + 4;
2768 ssl->out_msglen = msg_with_header_len;
2769 MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_handshake_msg_ext( ssl, 0, 0 ) );
2770
2771 cleanup:
2772 return( ret );
2773 }
2774
2775 /*
2776 * Record layer functions
2777 */
2778
2779 /*
2780 * Write current record.
2781 *
2782 * Uses:
2783 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
2784 * - ssl->out_msglen: length of the record content (excl headers)
2785 * - ssl->out_msg: record content
2786 */
mbedtls_ssl_write_record(mbedtls_ssl_context * ssl,int force_flush)2787 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush )
2788 {
2789 int ret, done = 0;
2790 size_t len = ssl->out_msglen;
2791 int flush = force_flush;
2792
2793 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
2794
2795 if( !done )
2796 {
2797 unsigned i;
2798 size_t protected_record_size;
2799 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2800 size_t out_buf_len = ssl->out_buf_len;
2801 #else
2802 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
2803 #endif
2804 /* Skip writing the record content type to after the encryption,
2805 * as it may change when using the CID extension. */
2806 mbedtls_ssl_protocol_version tls_ver = ssl->tls_version;
2807 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2808 /* TLS 1.3 still uses the TLS 1.2 version identifier
2809 * for backwards compatibility. */
2810 if( tls_ver == MBEDTLS_SSL_VERSION_TLS1_3 )
2811 tls_ver = MBEDTLS_SSL_VERSION_TLS1_2;
2812 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2813 mbedtls_ssl_write_version( ssl->out_hdr + 1, ssl->conf->transport,
2814 tls_ver );
2815
2816 memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
2817 MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0);
2818
2819 if( ssl->transform_out != NULL )
2820 {
2821 mbedtls_record rec;
2822
2823 rec.buf = ssl->out_iv;
2824 rec.buf_len = out_buf_len - ( ssl->out_iv - ssl->out_buf );
2825 rec.data_len = ssl->out_msglen;
2826 rec.data_offset = ssl->out_msg - rec.buf;
2827
2828 memcpy( &rec.ctr[0], ssl->out_ctr, sizeof( rec.ctr ) );
2829 mbedtls_ssl_write_version( rec.ver, ssl->conf->transport, tls_ver );
2830 rec.type = ssl->out_msgtype;
2831
2832 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2833 /* The CID is set by mbedtls_ssl_encrypt_buf(). */
2834 rec.cid_len = 0;
2835 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2836
2837 if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec,
2838 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2839 {
2840 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
2841 return( ret );
2842 }
2843
2844 if( rec.data_offset != 0 )
2845 {
2846 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2847 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2848 }
2849
2850 /* Update the record content type and CID. */
2851 ssl->out_msgtype = rec.type;
2852 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID )
2853 memcpy( ssl->out_cid, rec.cid, rec.cid_len );
2854 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2855 ssl->out_msglen = len = rec.data_len;
2856 MBEDTLS_PUT_UINT16_BE( rec.data_len, ssl->out_len, 0 );
2857 }
2858
2859 protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl );
2860
2861 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2862 /* In case of DTLS, double-check that we don't exceed
2863 * the remaining space in the datagram. */
2864 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2865 {
2866 ret = ssl_get_remaining_space_in_datagram( ssl );
2867 if( ret < 0 )
2868 return( ret );
2869
2870 if( protected_record_size > (size_t) ret )
2871 {
2872 /* Should never happen */
2873 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2874 }
2875 }
2876 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2877
2878 /* Now write the potentially updated record content type. */
2879 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2880
2881 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %u, "
2882 "version = [%u:%u], msglen = %" MBEDTLS_PRINTF_SIZET,
2883 ssl->out_hdr[0], ssl->out_hdr[1],
2884 ssl->out_hdr[2], len ) );
2885
2886 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
2887 ssl->out_hdr, protected_record_size );
2888
2889 ssl->out_left += protected_record_size;
2890 ssl->out_hdr += protected_record_size;
2891 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
2892
2893 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
2894 if( ++ssl->cur_out_ctr[i - 1] != 0 )
2895 break;
2896
2897 /* The loop goes to its end if the counter is wrapping */
2898 if( i == mbedtls_ssl_ep_len( ssl ) )
2899 {
2900 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
2901 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2902 }
2903 }
2904
2905 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2906 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2907 flush == SSL_DONT_FORCE_FLUSH )
2908 {
2909 size_t remaining;
2910 ret = ssl_get_remaining_payload_in_datagram( ssl );
2911 if( ret < 0 )
2912 {
2913 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
2914 ret );
2915 return( ret );
2916 }
2917
2918 remaining = (size_t) ret;
2919 if( remaining == 0 )
2920 {
2921 flush = SSL_FORCE_FLUSH;
2922 }
2923 else
2924 {
2925 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
2926 }
2927 }
2928 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2929
2930 if( ( flush == SSL_FORCE_FLUSH ) &&
2931 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2932 {
2933 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
2934 return( ret );
2935 }
2936
2937 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2938
2939 return( 0 );
2940 }
2941
2942 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2943
2944 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_hs_is_proper_fragment(mbedtls_ssl_context * ssl)2945 static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
2946 {
2947 if( ssl->in_msglen < ssl->in_hslen ||
2948 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
2949 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
2950 {
2951 return( 1 );
2952 }
2953 return( 0 );
2954 }
2955
ssl_get_hs_frag_len(mbedtls_ssl_context const * ssl)2956 static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
2957 {
2958 return( ( ssl->in_msg[9] << 16 ) |
2959 ( ssl->in_msg[10] << 8 ) |
2960 ssl->in_msg[11] );
2961 }
2962
ssl_get_hs_frag_off(mbedtls_ssl_context const * ssl)2963 static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
2964 {
2965 return( ( ssl->in_msg[6] << 16 ) |
2966 ( ssl->in_msg[7] << 8 ) |
2967 ssl->in_msg[8] );
2968 }
2969
2970 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_hs_header(mbedtls_ssl_context const * ssl)2971 static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
2972 {
2973 uint32_t msg_len, frag_off, frag_len;
2974
2975 msg_len = ssl_get_hs_total_len( ssl );
2976 frag_off = ssl_get_hs_frag_off( ssl );
2977 frag_len = ssl_get_hs_frag_len( ssl );
2978
2979 if( frag_off > msg_len )
2980 return( -1 );
2981
2982 if( frag_len > msg_len - frag_off )
2983 return( -1 );
2984
2985 if( frag_len + 12 > ssl->in_msglen )
2986 return( -1 );
2987
2988 return( 0 );
2989 }
2990
2991 /*
2992 * Mark bits in bitmask (used for DTLS HS reassembly)
2993 */
ssl_bitmask_set(unsigned char * mask,size_t offset,size_t len)2994 static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
2995 {
2996 unsigned int start_bits, end_bits;
2997
2998 start_bits = 8 - ( offset % 8 );
2999 if( start_bits != 8 )
3000 {
3001 size_t first_byte_idx = offset / 8;
3002
3003 /* Special case */
3004 if( len <= start_bits )
3005 {
3006 for( ; len != 0; len-- )
3007 mask[first_byte_idx] |= 1 << ( start_bits - len );
3008
3009 /* Avoid potential issues with offset or len becoming invalid */
3010 return;
3011 }
3012
3013 offset += start_bits; /* Now offset % 8 == 0 */
3014 len -= start_bits;
3015
3016 for( ; start_bits != 0; start_bits-- )
3017 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
3018 }
3019
3020 end_bits = len % 8;
3021 if( end_bits != 0 )
3022 {
3023 size_t last_byte_idx = ( offset + len ) / 8;
3024
3025 len -= end_bits; /* Now len % 8 == 0 */
3026
3027 for( ; end_bits != 0; end_bits-- )
3028 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
3029 }
3030
3031 memset( mask + offset / 8, 0xFF, len / 8 );
3032 }
3033
3034 /*
3035 * Check that bitmask is full
3036 */
3037 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_bitmask_check(unsigned char * mask,size_t len)3038 static int ssl_bitmask_check( unsigned char *mask, size_t len )
3039 {
3040 size_t i;
3041
3042 for( i = 0; i < len / 8; i++ )
3043 if( mask[i] != 0xFF )
3044 return( -1 );
3045
3046 for( i = 0; i < len % 8; i++ )
3047 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
3048 return( -1 );
3049
3050 return( 0 );
3051 }
3052
3053 /* msg_len does not include the handshake header */
ssl_get_reassembly_buffer_size(size_t msg_len,unsigned add_bitmap)3054 static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
3055 unsigned add_bitmap )
3056 {
3057 size_t alloc_len;
3058
3059 alloc_len = 12; /* Handshake header */
3060 alloc_len += msg_len; /* Content buffer */
3061
3062 if( add_bitmap )
3063 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
3064
3065 return( alloc_len );
3066 }
3067
3068 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3069
ssl_get_hs_total_len(mbedtls_ssl_context const * ssl)3070 static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
3071 {
3072 return( ( ssl->in_msg[1] << 16 ) |
3073 ( ssl->in_msg[2] << 8 ) |
3074 ssl->in_msg[3] );
3075 }
3076
mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context * ssl)3077 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
3078 {
3079 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
3080 {
3081 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %" MBEDTLS_PRINTF_SIZET,
3082 ssl->in_msglen ) );
3083 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3084 }
3085
3086 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
3087
3088 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
3089 " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" MBEDTLS_PRINTF_SIZET,
3090 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
3091
3092 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3093 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3094 {
3095 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3096 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
3097
3098 if( ssl_check_hs_header( ssl ) != 0 )
3099 {
3100 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
3101 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3102 }
3103
3104 if( ssl->handshake != NULL &&
3105 ( ( mbedtls_ssl_is_handshake_over( ssl ) == 0 &&
3106 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
3107 ( mbedtls_ssl_is_handshake_over( ssl ) == 1 &&
3108 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
3109 {
3110 if( recv_msg_seq > ssl->handshake->in_msg_seq )
3111 {
3112 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
3113 recv_msg_seq,
3114 ssl->handshake->in_msg_seq ) );
3115 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3116 }
3117
3118 /* Retransmit only on last message from previous flight, to avoid
3119 * too many retransmissions.
3120 * Besides, No sane server ever retransmits HelloVerifyRequest */
3121 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
3122 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
3123 {
3124 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
3125 "message_seq = %u, start_of_flight = %u",
3126 recv_msg_seq,
3127 ssl->handshake->in_flight_start_seq ) );
3128
3129 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
3130 {
3131 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
3132 return( ret );
3133 }
3134 }
3135 else
3136 {
3137 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
3138 "message_seq = %u, expected = %u",
3139 recv_msg_seq,
3140 ssl->handshake->in_msg_seq ) );
3141 }
3142
3143 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
3144 }
3145 /* Wait until message completion to increment in_msg_seq */
3146
3147 /* Message reassembly is handled alongside buffering of future
3148 * messages; the commonality is that both handshake fragments and
3149 * future messages cannot be forwarded immediately to the
3150 * handshake logic layer. */
3151 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
3152 {
3153 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
3154 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3155 }
3156 }
3157 else
3158 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3159 /* With TLS we don't handle fragmentation (for now) */
3160 if( ssl->in_msglen < ssl->in_hslen )
3161 {
3162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
3163 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3164 }
3165
3166 return( 0 );
3167 }
3168
mbedtls_ssl_update_handshake_status(mbedtls_ssl_context * ssl)3169 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
3170 {
3171 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3172
3173 if( mbedtls_ssl_is_handshake_over( ssl ) == 0 && hs != NULL )
3174 {
3175 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
3176 }
3177
3178 /* Handshake message is complete, increment counter */
3179 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3180 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3181 ssl->handshake != NULL )
3182 {
3183 unsigned offset;
3184 mbedtls_ssl_hs_buffer *hs_buf;
3185
3186 /* Increment handshake sequence number */
3187 hs->in_msg_seq++;
3188
3189 /*
3190 * Clear up handshake buffering and reassembly structure.
3191 */
3192
3193 /* Free first entry */
3194 ssl_buffering_free_slot( ssl, 0 );
3195
3196 /* Shift all other entries */
3197 for( offset = 0, hs_buf = &hs->buffering.hs[0];
3198 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
3199 offset++, hs_buf++ )
3200 {
3201 *hs_buf = *(hs_buf + 1);
3202 }
3203
3204 /* Create a fresh last entry */
3205 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
3206 }
3207 #endif
3208 }
3209
3210 /*
3211 * DTLS anti-replay: RFC 6347 4.1.2.6
3212 *
3213 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
3214 * Bit n is set iff record number in_window_top - n has been seen.
3215 *
3216 * Usually, in_window_top is the last record number seen and the lsb of
3217 * in_window is set. The only exception is the initial state (record number 0
3218 * not seen yet).
3219 */
3220 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context * ssl)3221 void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
3222 {
3223 ssl->in_window_top = 0;
3224 ssl->in_window = 0;
3225 }
3226
ssl_load_six_bytes(unsigned char * buf)3227 static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
3228 {
3229 return( ( (uint64_t) buf[0] << 40 ) |
3230 ( (uint64_t) buf[1] << 32 ) |
3231 ( (uint64_t) buf[2] << 24 ) |
3232 ( (uint64_t) buf[3] << 16 ) |
3233 ( (uint64_t) buf[4] << 8 ) |
3234 ( (uint64_t) buf[5] ) );
3235 }
3236
3237 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_dtls_record_replay_check(mbedtls_ssl_context * ssl,uint8_t * record_in_ctr)3238 static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr )
3239 {
3240 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3241 unsigned char *original_in_ctr;
3242
3243 // save original in_ctr
3244 original_in_ctr = ssl->in_ctr;
3245
3246 // use counter from record
3247 ssl->in_ctr = record_in_ctr;
3248
3249 ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl );
3250
3251 // restore the counter
3252 ssl->in_ctr = original_in_ctr;
3253
3254 return ret;
3255 }
3256
3257 /*
3258 * Return 0 if sequence number is acceptable, -1 otherwise
3259 */
mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const * ssl)3260 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl )
3261 {
3262 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3263 uint64_t bit;
3264
3265 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3266 return( 0 );
3267
3268 if( rec_seqnum > ssl->in_window_top )
3269 return( 0 );
3270
3271 bit = ssl->in_window_top - rec_seqnum;
3272
3273 if( bit >= 64 )
3274 return( -1 );
3275
3276 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
3277 return( -1 );
3278
3279 return( 0 );
3280 }
3281
3282 /*
3283 * Update replay window on new validated record
3284 */
mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context * ssl)3285 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
3286 {
3287 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3288
3289 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3290 return;
3291
3292 if( rec_seqnum > ssl->in_window_top )
3293 {
3294 /* Update window_top and the contents of the window */
3295 uint64_t shift = rec_seqnum - ssl->in_window_top;
3296
3297 if( shift >= 64 )
3298 ssl->in_window = 1;
3299 else
3300 {
3301 ssl->in_window <<= shift;
3302 ssl->in_window |= 1;
3303 }
3304
3305 ssl->in_window_top = rec_seqnum;
3306 }
3307 else
3308 {
3309 /* Mark that number as seen in the current window */
3310 uint64_t bit = ssl->in_window_top - rec_seqnum;
3311
3312 if( bit < 64 ) /* Always true, but be extra sure */
3313 ssl->in_window |= (uint64_t) 1 << bit;
3314 }
3315 }
3316 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
3317
3318 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3319 /*
3320 * Check if a datagram looks like a ClientHello with a valid cookie,
3321 * and if it doesn't, generate a HelloVerifyRequest message.
3322 * Both input and output include full DTLS headers.
3323 *
3324 * - if cookie is valid, return 0
3325 * - if ClientHello looks superficially valid but cookie is not,
3326 * fill obuf and set olen, then
3327 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3328 * - otherwise return a specific error code
3329 */
3330 MBEDTLS_CHECK_RETURN_CRITICAL
3331 MBEDTLS_STATIC_TESTABLE
mbedtls_ssl_check_dtls_clihlo_cookie(mbedtls_ssl_context * ssl,const unsigned char * cli_id,size_t cli_id_len,const unsigned char * in,size_t in_len,unsigned char * obuf,size_t buf_len,size_t * olen)3332 int mbedtls_ssl_check_dtls_clihlo_cookie(
3333 mbedtls_ssl_context *ssl,
3334 const unsigned char *cli_id, size_t cli_id_len,
3335 const unsigned char *in, size_t in_len,
3336 unsigned char *obuf, size_t buf_len, size_t *olen )
3337 {
3338 size_t sid_len, cookie_len, epoch, fragment_offset;
3339 unsigned char *p;
3340
3341 /*
3342 * Structure of ClientHello with record and handshake headers,
3343 * and expected values. We don't need to check a lot, more checks will be
3344 * done when actually parsing the ClientHello - skipping those checks
3345 * avoids code duplication and does not make cookie forging any easier.
3346 *
3347 * 0-0 ContentType type; copied, must be handshake
3348 * 1-2 ProtocolVersion version; copied
3349 * 3-4 uint16 epoch; copied, must be 0
3350 * 5-10 uint48 sequence_number; copied
3351 * 11-12 uint16 length; (ignored)
3352 *
3353 * 13-13 HandshakeType msg_type; (ignored)
3354 * 14-16 uint24 length; (ignored)
3355 * 17-18 uint16 message_seq; copied
3356 * 19-21 uint24 fragment_offset; copied, must be 0
3357 * 22-24 uint24 fragment_length; (ignored)
3358 *
3359 * 25-26 ProtocolVersion client_version; (ignored)
3360 * 27-58 Random random; (ignored)
3361 * 59-xx SessionID session_id; 1 byte len + sid_len content
3362 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
3363 * ...
3364 *
3365 * Minimum length is 61 bytes.
3366 */
3367 MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: in_len=%u",
3368 (unsigned) in_len ) );
3369 MBEDTLS_SSL_DEBUG_BUF( 4, "cli_id", cli_id, cli_id_len );
3370 if( in_len < 61 )
3371 {
3372 MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: record too short" ) );
3373 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3374 }
3375
3376 epoch = MBEDTLS_GET_UINT16_BE( in, 3 );
3377 fragment_offset = MBEDTLS_GET_UINT24_BE( in, 19 );
3378
3379 if( in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || epoch != 0 ||
3380 fragment_offset != 0 )
3381 {
3382 MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: not a good ClientHello" ) );
3383 MBEDTLS_SSL_DEBUG_MSG( 4, ( " type=%u epoch=%u fragment_offset=%u",
3384 in[0], (unsigned) epoch,
3385 (unsigned) fragment_offset ) );
3386 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3387 }
3388
3389 sid_len = in[59];
3390 if( 59 + 1 + sid_len + 1 > in_len )
3391 {
3392 MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: sid_len=%u > %u",
3393 (unsigned) sid_len,
3394 (unsigned) in_len - 61 ) );
3395 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3396 }
3397 MBEDTLS_SSL_DEBUG_BUF( 4, "sid received from network",
3398 in + 60, sid_len );
3399
3400 cookie_len = in[60 + sid_len];
3401 if( 59 + 1 + sid_len + 1 + cookie_len > in_len )
3402 {
3403 MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: cookie_len=%u > %u",
3404 (unsigned) cookie_len,
3405 (unsigned) ( in_len - sid_len - 61 ) ) );
3406 return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3407 }
3408
3409 MBEDTLS_SSL_DEBUG_BUF( 4, "cookie received from network",
3410 in + sid_len + 61, cookie_len );
3411 if( ssl->conf->f_cookie_check( ssl->conf->p_cookie,
3412 in + sid_len + 61, cookie_len,
3413 cli_id, cli_id_len ) == 0 )
3414 {
3415 MBEDTLS_SSL_DEBUG_MSG( 4, ( "check cookie: valid" ) );
3416 return( 0 );
3417 }
3418
3419 /*
3420 * If we get here, we've got an invalid cookie, let's prepare HVR.
3421 *
3422 * 0-0 ContentType type; copied
3423 * 1-2 ProtocolVersion version; copied
3424 * 3-4 uint16 epoch; copied
3425 * 5-10 uint48 sequence_number; copied
3426 * 11-12 uint16 length; olen - 13
3427 *
3428 * 13-13 HandshakeType msg_type; hello_verify_request
3429 * 14-16 uint24 length; olen - 25
3430 * 17-18 uint16 message_seq; copied
3431 * 19-21 uint24 fragment_offset; copied
3432 * 22-24 uint24 fragment_length; olen - 25
3433 *
3434 * 25-26 ProtocolVersion server_version; 0xfe 0xff
3435 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
3436 *
3437 * Minimum length is 28.
3438 */
3439 if( buf_len < 28 )
3440 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3441
3442 /* Copy most fields and adapt others */
3443 memcpy( obuf, in, 25 );
3444 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
3445 obuf[25] = 0xfe;
3446 obuf[26] = 0xff;
3447
3448 /* Generate and write actual cookie */
3449 p = obuf + 28;
3450 if( ssl->conf->f_cookie_write( ssl->conf->p_cookie,
3451 &p, obuf + buf_len,
3452 cli_id, cli_id_len ) != 0 )
3453 {
3454 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3455 }
3456
3457 *olen = p - obuf;
3458
3459 /* Go back and fill length fields */
3460 obuf[27] = (unsigned char)( *olen - 28 );
3461
3462 obuf[14] = obuf[22] = MBEDTLS_BYTE_2( *olen - 25 );
3463 obuf[15] = obuf[23] = MBEDTLS_BYTE_1( *olen - 25 );
3464 obuf[16] = obuf[24] = MBEDTLS_BYTE_0( *olen - 25 );
3465
3466 MBEDTLS_PUT_UINT16_BE( *olen - 13, obuf, 11 );
3467
3468 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
3469 }
3470
3471 /*
3472 * Handle possible client reconnect with the same UDP quadruplet
3473 * (RFC 6347 Section 4.2.8).
3474 *
3475 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
3476 * that looks like a ClientHello.
3477 *
3478 * - if the input looks like a ClientHello without cookies,
3479 * send back HelloVerifyRequest, then return 0
3480 * - if the input looks like a ClientHello with a valid cookie,
3481 * reset the session of the current context, and
3482 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
3483 * - if anything goes wrong, return a specific error code
3484 *
3485 * This function is called (through ssl_check_client_reconnect()) when an
3486 * unexpected record is found in ssl_get_next_record(), which will discard the
3487 * record if we return 0, and bubble up the return value otherwise (this
3488 * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
3489 * errors, and is the right thing to do in both cases).
3490 */
3491 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_handle_possible_reconnect(mbedtls_ssl_context * ssl)3492 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
3493 {
3494 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3495 size_t len;
3496
3497 if( ssl->conf->f_cookie_write == NULL ||
3498 ssl->conf->f_cookie_check == NULL )
3499 {
3500 /* If we can't use cookies to verify reachability of the peer,
3501 * drop the record. */
3502 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no cookie callbacks, "
3503 "can't check reconnect validity" ) );
3504 return( 0 );
3505 }
3506
3507 ret = mbedtls_ssl_check_dtls_clihlo_cookie(
3508 ssl,
3509 ssl->cli_id, ssl->cli_id_len,
3510 ssl->in_buf, ssl->in_left,
3511 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
3512
3513 MBEDTLS_SSL_DEBUG_RET( 2, "mbedtls_ssl_check_dtls_clihlo_cookie", ret );
3514
3515 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
3516 {
3517 int send_ret;
3518 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
3519 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
3520 ssl->out_buf, len );
3521 /* Don't check write errors as we can't do anything here.
3522 * If the error is permanent we'll catch it later,
3523 * if it's not, then hopefully it'll work next time. */
3524 send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len );
3525 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
3526 (void) send_ret;
3527
3528 return( 0 );
3529 }
3530
3531 if( ret == 0 )
3532 {
3533 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) );
3534 if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 )
3535 {
3536 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
3537 return( ret );
3538 }
3539
3540 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
3541 }
3542
3543 return( ret );
3544 }
3545 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3546
3547 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_record_type(uint8_t record_type)3548 static int ssl_check_record_type( uint8_t record_type )
3549 {
3550 if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
3551 record_type != MBEDTLS_SSL_MSG_ALERT &&
3552 record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
3553 record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3554 {
3555 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3556 }
3557
3558 return( 0 );
3559 }
3560
3561 /*
3562 * ContentType type;
3563 * ProtocolVersion version;
3564 * uint16 epoch; // DTLS only
3565 * uint48 sequence_number; // DTLS only
3566 * uint16 length;
3567 *
3568 * Return 0 if header looks sane (and, for DTLS, the record is expected)
3569 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
3570 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
3571 *
3572 * With DTLS, mbedtls_ssl_read_record() will:
3573 * 1. proceed with the record if this function returns 0
3574 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
3575 * 3. return CLIENT_RECONNECT if this function return that value
3576 * 4. drop the whole datagram if this function returns anything else.
3577 * Point 2 is needed when the peer is resending, and we have already received
3578 * the first record from a datagram but are still waiting for the others.
3579 */
3580 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_record_header(mbedtls_ssl_context const * ssl,unsigned char * buf,size_t len,mbedtls_record * rec)3581 static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
3582 unsigned char *buf,
3583 size_t len,
3584 mbedtls_record *rec )
3585 {
3586 mbedtls_ssl_protocol_version tls_version;
3587
3588 size_t const rec_hdr_type_offset = 0;
3589 size_t const rec_hdr_type_len = 1;
3590
3591 size_t const rec_hdr_version_offset = rec_hdr_type_offset +
3592 rec_hdr_type_len;
3593 size_t const rec_hdr_version_len = 2;
3594
3595 size_t const rec_hdr_ctr_len = 8;
3596 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3597 uint32_t rec_epoch;
3598 size_t const rec_hdr_ctr_offset = rec_hdr_version_offset +
3599 rec_hdr_version_len;
3600
3601 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3602 size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset +
3603 rec_hdr_ctr_len;
3604 size_t rec_hdr_cid_len = 0;
3605 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3606 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3607
3608 size_t rec_hdr_len_offset; /* To be determined */
3609 size_t const rec_hdr_len_len = 2;
3610
3611 /*
3612 * Check minimum lengths for record header.
3613 */
3614
3615 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3616 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3617 {
3618 rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len;
3619 }
3620 else
3621 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3622 {
3623 rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len;
3624 }
3625
3626 if( len < rec_hdr_len_offset + rec_hdr_len_len )
3627 {
3628 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header of length %u",
3629 (unsigned) len,
3630 (unsigned)( rec_hdr_len_len + rec_hdr_len_len ) ) );
3631 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3632 }
3633
3634 /*
3635 * Parse and validate record content type
3636 */
3637
3638 rec->type = buf[ rec_hdr_type_offset ];
3639
3640 /* Check record content type */
3641 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3642 rec->cid_len = 0;
3643
3644 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3645 ssl->conf->cid_len != 0 &&
3646 rec->type == MBEDTLS_SSL_MSG_CID )
3647 {
3648 /* Shift pointers to account for record header including CID
3649 * struct {
3650 * ContentType outer_type = tls12_cid;
3651 * ProtocolVersion version;
3652 * uint16 epoch;
3653 * uint48 sequence_number;
3654 * opaque cid[cid_length]; // Additional field compared to
3655 * // default DTLS record format
3656 * uint16 length;
3657 * opaque enc_content[DTLSCiphertext.length];
3658 * } DTLSCiphertext;
3659 */
3660
3661 /* So far, we only support static CID lengths
3662 * fixed in the configuration. */
3663 rec_hdr_cid_len = ssl->conf->cid_len;
3664 rec_hdr_len_offset += rec_hdr_cid_len;
3665
3666 if( len < rec_hdr_len_offset + rec_hdr_len_len )
3667 {
3668 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header including CID, length %u",
3669 (unsigned) len,
3670 (unsigned)( rec_hdr_len_offset + rec_hdr_len_len ) ) );
3671 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3672 }
3673
3674 /* configured CID len is guaranteed at most 255, see
3675 * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */
3676 rec->cid_len = (uint8_t) rec_hdr_cid_len;
3677 memcpy( rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len );
3678 }
3679 else
3680 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3681 {
3682 if( ssl_check_record_type( rec->type ) )
3683 {
3684 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type %u",
3685 (unsigned) rec->type ) );
3686 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3687 }
3688 }
3689
3690 /*
3691 * Parse and validate record version
3692 */
3693 rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
3694 rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
3695 tls_version = mbedtls_ssl_read_version( buf + rec_hdr_version_offset,
3696 ssl->conf->transport );
3697
3698 if( tls_version > ssl->conf->max_tls_version )
3699 {
3700 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS version mismatch: got %u, expected max %u",
3701 (unsigned) tls_version,
3702 (unsigned) ssl->conf->max_tls_version) );
3703
3704 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3705 }
3706 /*
3707 * Parse/Copy record sequence number.
3708 */
3709
3710 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3711 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3712 {
3713 /* Copy explicit record sequence number from input buffer. */
3714 memcpy( &rec->ctr[0], buf + rec_hdr_ctr_offset,
3715 rec_hdr_ctr_len );
3716 }
3717 else
3718 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3719 {
3720 /* Copy implicit record sequence number from SSL context structure. */
3721 memcpy( &rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len );
3722 }
3723
3724 /*
3725 * Parse record length.
3726 */
3727
3728 rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
3729 rec->data_len = ( (size_t) buf[ rec_hdr_len_offset + 0 ] << 8 ) |
3730 ( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 );
3731 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset );
3732
3733 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %u, "
3734 "version = [0x%x], msglen = %" MBEDTLS_PRINTF_SIZET,
3735 rec->type, (unsigned)tls_version, rec->data_len ) );
3736
3737 rec->buf = buf;
3738 rec->buf_len = rec->data_offset + rec->data_len;
3739
3740 if( rec->data_len == 0 )
3741 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3742
3743 /*
3744 * DTLS-related tests.
3745 * Check epoch before checking length constraint because
3746 * the latter varies with the epoch. E.g., if a ChangeCipherSpec
3747 * message gets duplicated before the corresponding Finished message,
3748 * the second ChangeCipherSpec should be discarded because it belongs
3749 * to an old epoch, but not because its length is shorter than
3750 * the minimum record length for packets using the new record transform.
3751 * Note that these two kinds of failures are handled differently,
3752 * as an unexpected record is silently skipped but an invalid
3753 * record leads to the entire datagram being dropped.
3754 */
3755 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3756 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3757 {
3758 rec_epoch = ( rec->ctr[0] << 8 ) | rec->ctr[1];
3759
3760 /* Check that the datagram is large enough to contain a record
3761 * of the advertised length. */
3762 if( len < rec->data_offset + rec->data_len )
3763 {
3764 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram of length %u too small to contain record of advertised length %u.",
3765 (unsigned) len,
3766 (unsigned)( rec->data_offset + rec->data_len ) ) );
3767 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3768 }
3769
3770 /* Records from other, non-matching epochs are silently discarded.
3771 * (The case of same-port Client reconnects must be considered in
3772 * the caller). */
3773 if( rec_epoch != ssl->in_epoch )
3774 {
3775 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
3776 "expected %u, received %lu",
3777 ssl->in_epoch, (unsigned long) rec_epoch ) );
3778
3779 /* Records from the next epoch are considered for buffering
3780 * (concretely: early Finished messages). */
3781 if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
3782 {
3783 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
3784 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3785 }
3786
3787 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3788 }
3789 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3790 /* For records from the correct epoch, check whether their
3791 * sequence number has been seen before. */
3792 else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl,
3793 &rec->ctr[0] ) != 0 )
3794 {
3795 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
3796 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3797 }
3798 #endif
3799 }
3800 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3801
3802 return( 0 );
3803 }
3804
3805
3806 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3807 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_client_reconnect(mbedtls_ssl_context * ssl)3808 static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
3809 {
3810 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
3811
3812 /*
3813 * Check for an epoch 0 ClientHello. We can't use in_msg here to
3814 * access the first byte of record content (handshake type), as we
3815 * have an active transform (possibly iv_len != 0), so use the
3816 * fact that the record header len is 13 instead.
3817 */
3818 if( rec_epoch == 0 &&
3819 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
3820 mbedtls_ssl_is_handshake_over( ssl ) == 1 &&
3821 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3822 ssl->in_left > 13 &&
3823 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
3824 {
3825 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
3826 "from the same port" ) );
3827 return( ssl_handle_possible_reconnect( ssl ) );
3828 }
3829
3830 return( 0 );
3831 }
3832 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3833
3834 /*
3835 * If applicable, decrypt record content
3836 */
3837 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_prepare_record_content(mbedtls_ssl_context * ssl,mbedtls_record * rec)3838 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
3839 mbedtls_record *rec )
3840 {
3841 int ret, done = 0;
3842
3843 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
3844 rec->buf, rec->buf_len );
3845
3846 /*
3847 * In TLS 1.3, always treat ChangeCipherSpec records
3848 * as unencrypted. The only thing we do with them is
3849 * check the length and content and ignore them.
3850 */
3851 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3852 if( ssl->transform_in != NULL &&
3853 ssl->transform_in->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
3854 {
3855 if( rec->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
3856 done = 1;
3857 }
3858 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3859
3860 if( !done && ssl->transform_in != NULL )
3861 {
3862 unsigned char const old_msg_type = rec->type;
3863
3864 if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
3865 rec ) ) != 0 )
3866 {
3867 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
3868
3869 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3870 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
3871 ssl->conf->ignore_unexpected_cid
3872 == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
3873 {
3874 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
3875 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
3876 }
3877 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3878
3879 return( ret );
3880 }
3881
3882 if( old_msg_type != rec->type )
3883 {
3884 MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d",
3885 old_msg_type, rec->type ) );
3886 }
3887
3888 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
3889 rec->buf + rec->data_offset, rec->data_len );
3890
3891 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3892 /* We have already checked the record content type
3893 * in ssl_parse_record_header(), failing or silently
3894 * dropping the record in the case of an unknown type.
3895 *
3896 * Since with the use of CIDs, the record content type
3897 * might change during decryption, re-check the record
3898 * content type, but treat a failure as fatal this time. */
3899 if( ssl_check_record_type( rec->type ) )
3900 {
3901 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
3902 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3903 }
3904 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3905
3906 if( rec->data_len == 0 )
3907 {
3908 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3909 if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2
3910 && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3911 {
3912 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
3913 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
3914 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3915 }
3916 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3917
3918 ssl->nb_zero++;
3919
3920 /*
3921 * Three or more empty messages may be a DoS attack
3922 * (excessive CPU consumption).
3923 */
3924 if( ssl->nb_zero > 3 )
3925 {
3926 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
3927 "messages, possible DoS attack" ) );
3928 /* Treat the records as if they were not properly authenticated,
3929 * thereby failing the connection if we see more than allowed
3930 * by the configured bad MAC threshold. */
3931 return( MBEDTLS_ERR_SSL_INVALID_MAC );
3932 }
3933 }
3934 else
3935 ssl->nb_zero = 0;
3936
3937 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3938 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3939 {
3940 ; /* in_ctr read from peer, not maintained internally */
3941 }
3942 else
3943 #endif
3944 {
3945 unsigned i;
3946 for( i = MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
3947 i > mbedtls_ssl_ep_len( ssl ); i-- )
3948 {
3949 if( ++ssl->in_ctr[i - 1] != 0 )
3950 break;
3951 }
3952
3953 /* The loop goes to its end iff the counter is wrapping */
3954 if( i == mbedtls_ssl_ep_len( ssl ) )
3955 {
3956 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
3957 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3958 }
3959 }
3960
3961 }
3962
3963 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3964 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3965 {
3966 mbedtls_ssl_dtls_replay_update( ssl );
3967 }
3968 #endif
3969
3970 /* Check actual (decrypted) record content length against
3971 * configured maximum. */
3972 if( rec->data_len > MBEDTLS_SSL_IN_CONTENT_LEN )
3973 {
3974 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3975 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3976 }
3977
3978 return( 0 );
3979 }
3980
3981 /*
3982 * Read a record.
3983 *
3984 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
3985 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
3986 *
3987 */
3988
3989 /* Helper functions for mbedtls_ssl_read_record(). */
3990 MBEDTLS_CHECK_RETURN_CRITICAL
3991 static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
3992 MBEDTLS_CHECK_RETURN_CRITICAL
3993 static int ssl_get_next_record( mbedtls_ssl_context *ssl );
3994 MBEDTLS_CHECK_RETURN_CRITICAL
3995 static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
3996
mbedtls_ssl_read_record(mbedtls_ssl_context * ssl,unsigned update_hs_digest)3997 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
3998 unsigned update_hs_digest )
3999 {
4000 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4001
4002 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
4003
4004 if( ssl->keep_current_message == 0 )
4005 {
4006 do {
4007
4008 ret = ssl_consume_current_message( ssl );
4009 if( ret != 0 )
4010 return( ret );
4011
4012 if( ssl_record_is_in_progress( ssl ) == 0 )
4013 {
4014 int dtls_have_buffered = 0;
4015 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4016
4017 /* We only check for buffered messages if the
4018 * current datagram is fully consumed. */
4019 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4020 ssl_next_record_is_in_datagram( ssl ) == 0 )
4021 {
4022 if( ssl_load_buffered_message( ssl ) == 0 )
4023 dtls_have_buffered = 1;
4024 }
4025
4026 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4027 if( dtls_have_buffered == 0 )
4028 {
4029 ret = ssl_get_next_record( ssl );
4030 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
4031 continue;
4032
4033 if( ret != 0 )
4034 {
4035 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
4036 return( ret );
4037 }
4038 }
4039 }
4040
4041 ret = mbedtls_ssl_handle_message_type( ssl );
4042
4043 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4044 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4045 {
4046 /* Buffer future message */
4047 ret = ssl_buffer_message( ssl );
4048 if( ret != 0 )
4049 return( ret );
4050
4051 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
4052 }
4053 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4054
4055 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||
4056 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
4057
4058 if( 0 != ret )
4059 {
4060 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
4061 return( ret );
4062 }
4063
4064 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
4065 update_hs_digest == 1 )
4066 {
4067 mbedtls_ssl_update_handshake_status( ssl );
4068 }
4069 }
4070 else
4071 {
4072 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
4073 ssl->keep_current_message = 0;
4074 }
4075
4076 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
4077
4078 return( 0 );
4079 }
4080
4081 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4082 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_next_record_is_in_datagram(mbedtls_ssl_context * ssl)4083 static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
4084 {
4085 if( ssl->in_left > ssl->next_record_offset )
4086 return( 1 );
4087
4088 return( 0 );
4089 }
4090
4091 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_load_buffered_message(mbedtls_ssl_context * ssl)4092 static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
4093 {
4094 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4095 mbedtls_ssl_hs_buffer * hs_buf;
4096 int ret = 0;
4097
4098 if( hs == NULL )
4099 return( -1 );
4100
4101 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_message" ) );
4102
4103 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
4104 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4105 {
4106 /* Check if we have seen a ChangeCipherSpec before.
4107 * If yes, synthesize a CCS record. */
4108 if( !hs->buffering.seen_ccs )
4109 {
4110 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
4111 ret = -1;
4112 goto exit;
4113 }
4114
4115 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
4116 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
4117 ssl->in_msglen = 1;
4118 ssl->in_msg[0] = 1;
4119
4120 /* As long as they are equal, the exact value doesn't matter. */
4121 ssl->in_left = 0;
4122 ssl->next_record_offset = 0;
4123
4124 hs->buffering.seen_ccs = 0;
4125 goto exit;
4126 }
4127
4128 #if defined(MBEDTLS_DEBUG_C)
4129 /* Debug only */
4130 {
4131 unsigned offset;
4132 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
4133 {
4134 hs_buf = &hs->buffering.hs[offset];
4135 if( hs_buf->is_valid == 1 )
4136 {
4137 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
4138 hs->in_msg_seq + offset,
4139 hs_buf->is_complete ? "fully" : "partially" ) );
4140 }
4141 }
4142 }
4143 #endif /* MBEDTLS_DEBUG_C */
4144
4145 /* Check if we have buffered and/or fully reassembled the
4146 * next handshake message. */
4147 hs_buf = &hs->buffering.hs[0];
4148 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
4149 {
4150 /* Synthesize a record containing the buffered HS message. */
4151 size_t msg_len = ( hs_buf->data[1] << 16 ) |
4152 ( hs_buf->data[2] << 8 ) |
4153 hs_buf->data[3];
4154
4155 /* Double-check that we haven't accidentally buffered
4156 * a message that doesn't fit into the input buffer. */
4157 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
4158 {
4159 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4160 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4161 }
4162
4163 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
4164 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
4165 hs_buf->data, msg_len + 12 );
4166
4167 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4168 ssl->in_hslen = msg_len + 12;
4169 ssl->in_msglen = msg_len + 12;
4170 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
4171
4172 ret = 0;
4173 goto exit;
4174 }
4175 else
4176 {
4177 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
4178 hs->in_msg_seq ) );
4179 }
4180
4181 ret = -1;
4182
4183 exit:
4184
4185 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
4186 return( ret );
4187 }
4188
4189 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_buffer_make_space(mbedtls_ssl_context * ssl,size_t desired)4190 static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
4191 size_t desired )
4192 {
4193 int offset;
4194 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4195 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
4196 (unsigned) desired ) );
4197
4198 /* Get rid of future records epoch first, if such exist. */
4199 ssl_free_buffered_record( ssl );
4200
4201 /* Check if we have enough space available now. */
4202 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4203 hs->buffering.total_bytes_buffered ) )
4204 {
4205 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
4206 return( 0 );
4207 }
4208
4209 /* We don't have enough space to buffer the next expected handshake
4210 * message. Remove buffers used for future messages to gain space,
4211 * starting with the most distant one. */
4212 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
4213 offset >= 0; offset-- )
4214 {
4215 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
4216 offset ) );
4217
4218 ssl_buffering_free_slot( ssl, (uint8_t) offset );
4219
4220 /* Check if we have enough space available now. */
4221 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4222 hs->buffering.total_bytes_buffered ) )
4223 {
4224 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
4225 return( 0 );
4226 }
4227 }
4228
4229 return( -1 );
4230 }
4231
4232 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_buffer_message(mbedtls_ssl_context * ssl)4233 static int ssl_buffer_message( mbedtls_ssl_context *ssl )
4234 {
4235 int ret = 0;
4236 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4237
4238 if( hs == NULL )
4239 return( 0 );
4240
4241 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
4242
4243 switch( ssl->in_msgtype )
4244 {
4245 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
4246 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
4247
4248 hs->buffering.seen_ccs = 1;
4249 break;
4250
4251 case MBEDTLS_SSL_MSG_HANDSHAKE:
4252 {
4253 unsigned recv_msg_seq_offset;
4254 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
4255 mbedtls_ssl_hs_buffer *hs_buf;
4256 size_t msg_len = ssl->in_hslen - 12;
4257
4258 /* We should never receive an old handshake
4259 * message - double-check nonetheless. */
4260 if( recv_msg_seq < ssl->handshake->in_msg_seq )
4261 {
4262 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4263 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4264 }
4265
4266 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
4267 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
4268 {
4269 /* Silently ignore -- message too far in the future */
4270 MBEDTLS_SSL_DEBUG_MSG( 2,
4271 ( "Ignore future HS message with sequence number %u, "
4272 "buffering window %u - %u",
4273 recv_msg_seq, ssl->handshake->in_msg_seq,
4274 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
4275
4276 goto exit;
4277 }
4278
4279 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
4280 recv_msg_seq, recv_msg_seq_offset ) );
4281
4282 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
4283
4284 /* Check if the buffering for this seq nr has already commenced. */
4285 if( !hs_buf->is_valid )
4286 {
4287 size_t reassembly_buf_sz;
4288
4289 hs_buf->is_fragmented =
4290 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
4291
4292 /* We copy the message back into the input buffer
4293 * after reassembly, so check that it's not too large.
4294 * This is an implementation-specific limitation
4295 * and not one from the standard, hence it is not
4296 * checked in ssl_check_hs_header(). */
4297 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
4298 {
4299 /* Ignore message */
4300 goto exit;
4301 }
4302
4303 /* Check if we have enough space to buffer the message. */
4304 if( hs->buffering.total_bytes_buffered >
4305 MBEDTLS_SSL_DTLS_MAX_BUFFERING )
4306 {
4307 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4308 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4309 }
4310
4311 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
4312 hs_buf->is_fragmented );
4313
4314 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4315 hs->buffering.total_bytes_buffered ) )
4316 {
4317 if( recv_msg_seq_offset > 0 )
4318 {
4319 /* If we can't buffer a future message because
4320 * of space limitations -- ignore. */
4321 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
4322 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
4323 " (already %" MBEDTLS_PRINTF_SIZET
4324 " bytes buffered) -- ignore\n",
4325 msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4326 hs->buffering.total_bytes_buffered ) );
4327 goto exit;
4328 }
4329 else
4330 {
4331 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
4332 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
4333 " (already %" MBEDTLS_PRINTF_SIZET
4334 " bytes buffered) -- attempt to make space by freeing buffered future messages\n",
4335 msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4336 hs->buffering.total_bytes_buffered ) );
4337 }
4338
4339 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
4340 {
4341 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %" MBEDTLS_PRINTF_SIZET
4342 " (%" MBEDTLS_PRINTF_SIZET " with bitmap) would exceed"
4343 " the compile-time limit %" MBEDTLS_PRINTF_SIZET
4344 " (already %" MBEDTLS_PRINTF_SIZET
4345 " bytes buffered) -- fail\n",
4346 msg_len,
4347 reassembly_buf_sz,
4348 (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4349 hs->buffering.total_bytes_buffered ) );
4350 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4351 goto exit;
4352 }
4353 }
4354
4355 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %" MBEDTLS_PRINTF_SIZET,
4356 msg_len ) );
4357
4358 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
4359 if( hs_buf->data == NULL )
4360 {
4361 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
4362 goto exit;
4363 }
4364 hs_buf->data_len = reassembly_buf_sz;
4365
4366 /* Prepare final header: copy msg_type, length and message_seq,
4367 * then add standardised fragment_offset and fragment_length */
4368 memcpy( hs_buf->data, ssl->in_msg, 6 );
4369 memset( hs_buf->data + 6, 0, 3 );
4370 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
4371
4372 hs_buf->is_valid = 1;
4373
4374 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
4375 }
4376 else
4377 {
4378 /* Make sure msg_type and length are consistent */
4379 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
4380 {
4381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
4382 /* Ignore */
4383 goto exit;
4384 }
4385 }
4386
4387 if( !hs_buf->is_complete )
4388 {
4389 size_t frag_len, frag_off;
4390 unsigned char * const msg = hs_buf->data + 12;
4391
4392 /*
4393 * Check and copy current fragment
4394 */
4395
4396 /* Validation of header fields already done in
4397 * mbedtls_ssl_prepare_handshake_record(). */
4398 frag_off = ssl_get_hs_frag_off( ssl );
4399 frag_len = ssl_get_hs_frag_len( ssl );
4400
4401 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %" MBEDTLS_PRINTF_SIZET
4402 ", length = %" MBEDTLS_PRINTF_SIZET,
4403 frag_off, frag_len ) );
4404 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
4405
4406 if( hs_buf->is_fragmented )
4407 {
4408 unsigned char * const bitmask = msg + msg_len;
4409 ssl_bitmask_set( bitmask, frag_off, frag_len );
4410 hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
4411 msg_len ) == 0 );
4412 }
4413 else
4414 {
4415 hs_buf->is_complete = 1;
4416 }
4417
4418 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
4419 hs_buf->is_complete ? "" : "not yet " ) );
4420 }
4421
4422 break;
4423 }
4424
4425 default:
4426 /* We don't buffer other types of messages. */
4427 break;
4428 }
4429
4430 exit:
4431
4432 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
4433 return( ret );
4434 }
4435 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4436
4437 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_consume_current_message(mbedtls_ssl_context * ssl)4438 static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
4439 {
4440 /*
4441 * Consume last content-layer message and potentially
4442 * update in_msglen which keeps track of the contents'
4443 * consumption state.
4444 *
4445 * (1) Handshake messages:
4446 * Remove last handshake message, move content
4447 * and adapt in_msglen.
4448 *
4449 * (2) Alert messages:
4450 * Consume whole record content, in_msglen = 0.
4451 *
4452 * (3) Change cipher spec:
4453 * Consume whole record content, in_msglen = 0.
4454 *
4455 * (4) Application data:
4456 * Don't do anything - the record layer provides
4457 * the application data as a stream transport
4458 * and consumes through mbedtls_ssl_read only.
4459 *
4460 */
4461
4462 /* Case (1): Handshake messages */
4463 if( ssl->in_hslen != 0 )
4464 {
4465 /* Hard assertion to be sure that no application data
4466 * is in flight, as corrupting ssl->in_msglen during
4467 * ssl->in_offt != NULL is fatal. */
4468 if( ssl->in_offt != NULL )
4469 {
4470 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4471 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4472 }
4473
4474 /*
4475 * Get next Handshake message in the current record
4476 */
4477
4478 /* Notes:
4479 * (1) in_hslen is not necessarily the size of the
4480 * current handshake content: If DTLS handshake
4481 * fragmentation is used, that's the fragment
4482 * size instead. Using the total handshake message
4483 * size here is faulty and should be changed at
4484 * some point.
4485 * (2) While it doesn't seem to cause problems, one
4486 * has to be very careful not to assume that in_hslen
4487 * is always <= in_msglen in a sensible communication.
4488 * Again, it's wrong for DTLS handshake fragmentation.
4489 * The following check is therefore mandatory, and
4490 * should not be treated as a silently corrected assertion.
4491 * Additionally, ssl->in_hslen might be arbitrarily out of
4492 * bounds after handling a DTLS message with an unexpected
4493 * sequence number, see mbedtls_ssl_prepare_handshake_record.
4494 */
4495 if( ssl->in_hslen < ssl->in_msglen )
4496 {
4497 ssl->in_msglen -= ssl->in_hslen;
4498 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
4499 ssl->in_msglen );
4500
4501 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
4502 ssl->in_msg, ssl->in_msglen );
4503 }
4504 else
4505 {
4506 ssl->in_msglen = 0;
4507 }
4508
4509 ssl->in_hslen = 0;
4510 }
4511 /* Case (4): Application data */
4512 else if( ssl->in_offt != NULL )
4513 {
4514 return( 0 );
4515 }
4516 /* Everything else (CCS & Alerts) */
4517 else
4518 {
4519 ssl->in_msglen = 0;
4520 }
4521
4522 return( 0 );
4523 }
4524
4525 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_record_is_in_progress(mbedtls_ssl_context * ssl)4526 static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
4527 {
4528 if( ssl->in_msglen > 0 )
4529 return( 1 );
4530
4531 return( 0 );
4532 }
4533
4534 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4535
ssl_free_buffered_record(mbedtls_ssl_context * ssl)4536 static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
4537 {
4538 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4539 if( hs == NULL )
4540 return;
4541
4542 if( hs->buffering.future_record.data != NULL )
4543 {
4544 hs->buffering.total_bytes_buffered -=
4545 hs->buffering.future_record.len;
4546
4547 mbedtls_free( hs->buffering.future_record.data );
4548 hs->buffering.future_record.data = NULL;
4549 }
4550 }
4551
4552 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_load_buffered_record(mbedtls_ssl_context * ssl)4553 static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
4554 {
4555 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4556 unsigned char * rec;
4557 size_t rec_len;
4558 unsigned rec_epoch;
4559 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4560 size_t in_buf_len = ssl->in_buf_len;
4561 #else
4562 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
4563 #endif
4564 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4565 return( 0 );
4566
4567 if( hs == NULL )
4568 return( 0 );
4569
4570 rec = hs->buffering.future_record.data;
4571 rec_len = hs->buffering.future_record.len;
4572 rec_epoch = hs->buffering.future_record.epoch;
4573
4574 if( rec == NULL )
4575 return( 0 );
4576
4577 /* Only consider loading future records if the
4578 * input buffer is empty. */
4579 if( ssl_next_record_is_in_datagram( ssl ) == 1 )
4580 return( 0 );
4581
4582 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
4583
4584 if( rec_epoch != ssl->in_epoch )
4585 {
4586 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
4587 goto exit;
4588 }
4589
4590 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
4591
4592 /* Double-check that the record is not too large */
4593 if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
4594 {
4595 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4596 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4597 }
4598
4599 memcpy( ssl->in_hdr, rec, rec_len );
4600 ssl->in_left = rec_len;
4601 ssl->next_record_offset = 0;
4602
4603 ssl_free_buffered_record( ssl );
4604
4605 exit:
4606 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
4607 return( 0 );
4608 }
4609
4610 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_buffer_future_record(mbedtls_ssl_context * ssl,mbedtls_record const * rec)4611 static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
4612 mbedtls_record const *rec )
4613 {
4614 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4615
4616 /* Don't buffer future records outside handshakes. */
4617 if( hs == NULL )
4618 return( 0 );
4619
4620 /* Only buffer handshake records (we are only interested
4621 * in Finished messages). */
4622 if( rec->type != MBEDTLS_SSL_MSG_HANDSHAKE )
4623 return( 0 );
4624
4625 /* Don't buffer more than one future epoch record. */
4626 if( hs->buffering.future_record.data != NULL )
4627 return( 0 );
4628
4629 /* Don't buffer record if there's not enough buffering space remaining. */
4630 if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4631 hs->buffering.total_bytes_buffered ) )
4632 {
4633 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %" MBEDTLS_PRINTF_SIZET
4634 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
4635 " (already %" MBEDTLS_PRINTF_SIZET
4636 " bytes buffered) -- ignore\n",
4637 rec->buf_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4638 hs->buffering.total_bytes_buffered ) );
4639 return( 0 );
4640 }
4641
4642 /* Buffer record */
4643 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
4644 ssl->in_epoch + 1U ) );
4645 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len );
4646
4647 /* ssl_parse_record_header() only considers records
4648 * of the next epoch as candidates for buffering. */
4649 hs->buffering.future_record.epoch = ssl->in_epoch + 1;
4650 hs->buffering.future_record.len = rec->buf_len;
4651
4652 hs->buffering.future_record.data =
4653 mbedtls_calloc( 1, hs->buffering.future_record.len );
4654 if( hs->buffering.future_record.data == NULL )
4655 {
4656 /* If we run out of RAM trying to buffer a
4657 * record from the next epoch, just ignore. */
4658 return( 0 );
4659 }
4660
4661 memcpy( hs->buffering.future_record.data, rec->buf, rec->buf_len );
4662
4663 hs->buffering.total_bytes_buffered += rec->buf_len;
4664 return( 0 );
4665 }
4666
4667 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4668
4669 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_next_record(mbedtls_ssl_context * ssl)4670 static int ssl_get_next_record( mbedtls_ssl_context *ssl )
4671 {
4672 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4673 mbedtls_record rec;
4674
4675 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4676 /* We might have buffered a future record; if so,
4677 * and if the epoch matches now, load it.
4678 * On success, this call will set ssl->in_left to
4679 * the length of the buffered record, so that
4680 * the calls to ssl_fetch_input() below will
4681 * essentially be no-ops. */
4682 ret = ssl_load_buffered_record( ssl );
4683 if( ret != 0 )
4684 return( ret );
4685 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4686
4687 /* Ensure that we have enough space available for the default form
4688 * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,
4689 * with no space for CIDs counted in). */
4690 ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) );
4691 if( ret != 0 )
4692 {
4693 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4694 return( ret );
4695 }
4696
4697 ret = ssl_parse_record_header( ssl, ssl->in_hdr, ssl->in_left, &rec );
4698 if( ret != 0 )
4699 {
4700 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4701 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4702 {
4703 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4704 {
4705 ret = ssl_buffer_future_record( ssl, &rec );
4706 if( ret != 0 )
4707 return( ret );
4708
4709 /* Fall through to handling of unexpected records */
4710 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
4711 }
4712
4713 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
4714 {
4715 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
4716 /* Reset in pointers to default state for TLS/DTLS records,
4717 * assuming no CID and no offset between record content and
4718 * record plaintext. */
4719 mbedtls_ssl_update_in_pointers( ssl );
4720
4721 /* Setup internal message pointers from record structure. */
4722 ssl->in_msgtype = rec.type;
4723 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4724 ssl->in_len = ssl->in_cid + rec.cid_len;
4725 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4726 ssl->in_iv = ssl->in_msg = ssl->in_len + 2;
4727 ssl->in_msglen = rec.data_len;
4728
4729 ret = ssl_check_client_reconnect( ssl );
4730 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_client_reconnect", ret );
4731 if( ret != 0 )
4732 return( ret );
4733 #endif
4734
4735 /* Skip unexpected record (but not whole datagram) */
4736 ssl->next_record_offset = rec.buf_len;
4737
4738 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
4739 "(header)" ) );
4740 }
4741 else
4742 {
4743 /* Skip invalid record and the rest of the datagram */
4744 ssl->next_record_offset = 0;
4745 ssl->in_left = 0;
4746
4747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
4748 "(header)" ) );
4749 }
4750
4751 /* Get next record */
4752 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
4753 }
4754 else
4755 #endif
4756 {
4757 return( ret );
4758 }
4759 }
4760
4761 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4762 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4763 {
4764 /* Remember offset of next record within datagram. */
4765 ssl->next_record_offset = rec.buf_len;
4766 if( ssl->next_record_offset < ssl->in_left )
4767 {
4768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
4769 }
4770 }
4771 else
4772 #endif
4773 {
4774 /*
4775 * Fetch record contents from underlying transport.
4776 */
4777 ret = mbedtls_ssl_fetch_input( ssl, rec.buf_len );
4778 if( ret != 0 )
4779 {
4780 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4781 return( ret );
4782 }
4783
4784 ssl->in_left = 0;
4785 }
4786
4787 /*
4788 * Decrypt record contents.
4789 */
4790
4791 if( ( ret = ssl_prepare_record_content( ssl, &rec ) ) != 0 )
4792 {
4793 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4794 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4795 {
4796 /* Silently discard invalid records */
4797 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4798 {
4799 /* Except when waiting for Finished as a bad mac here
4800 * probably means something went wrong in the handshake
4801 * (eg wrong psk used, mitm downgrade attempt, etc.) */
4802 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
4803 ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
4804 {
4805 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4806 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4807 {
4808 mbedtls_ssl_send_alert_message( ssl,
4809 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4810 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4811 }
4812 #endif
4813 return( ret );
4814 }
4815
4816 if( ssl->conf->badmac_limit != 0 &&
4817 ++ssl->badmac_seen >= ssl->conf->badmac_limit )
4818 {
4819 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
4820 return( MBEDTLS_ERR_SSL_INVALID_MAC );
4821 }
4822
4823 /* As above, invalid records cause
4824 * dismissal of the whole datagram. */
4825
4826 ssl->next_record_offset = 0;
4827 ssl->in_left = 0;
4828
4829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
4830 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
4831 }
4832
4833 return( ret );
4834 }
4835 else
4836 #endif
4837 {
4838 /* Error out (and send alert) on invalid records */
4839 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4840 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4841 {
4842 mbedtls_ssl_send_alert_message( ssl,
4843 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4844 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4845 }
4846 #endif
4847 return( ret );
4848 }
4849 }
4850
4851
4852 /* Reset in pointers to default state for TLS/DTLS records,
4853 * assuming no CID and no offset between record content and
4854 * record plaintext. */
4855 mbedtls_ssl_update_in_pointers( ssl );
4856 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4857 ssl->in_len = ssl->in_cid + rec.cid_len;
4858 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4859 ssl->in_iv = ssl->in_len + 2;
4860
4861 /* The record content type may change during decryption,
4862 * so re-read it. */
4863 ssl->in_msgtype = rec.type;
4864 /* Also update the input buffer, because unfortunately
4865 * the server-side ssl_parse_client_hello() reparses the
4866 * record header when receiving a ClientHello initiating
4867 * a renegotiation. */
4868 ssl->in_hdr[0] = rec.type;
4869 ssl->in_msg = rec.buf + rec.data_offset;
4870 ssl->in_msglen = rec.data_len;
4871 MBEDTLS_PUT_UINT16_BE( rec.data_len, ssl->in_len, 0 );
4872
4873 return( 0 );
4874 }
4875
mbedtls_ssl_handle_message_type(mbedtls_ssl_context * ssl)4876 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
4877 {
4878 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4879
4880 /*
4881 * Handle particular types of records
4882 */
4883 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
4884 {
4885 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
4886 {
4887 return( ret );
4888 }
4889 }
4890
4891 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
4892 {
4893 if( ssl->in_msglen != 1 )
4894 {
4895 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %" MBEDTLS_PRINTF_SIZET,
4896 ssl->in_msglen ) );
4897 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4898 }
4899
4900 if( ssl->in_msg[0] != 1 )
4901 {
4902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
4903 ssl->in_msg[0] ) );
4904 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4905 }
4906
4907 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4908 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4909 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
4910 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4911 {
4912 if( ssl->handshake == NULL )
4913 {
4914 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
4915 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4916 }
4917
4918 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
4919 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4920 }
4921 #endif
4922
4923 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4924 if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
4925 {
4926 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
4927 MBEDTLS_SSL_DEBUG_MSG( 1,
4928 ( "Ignore ChangeCipherSpec in TLS 1.3 compatibility mode" ) );
4929 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
4930 #else
4931 MBEDTLS_SSL_DEBUG_MSG( 1,
4932 ( "ChangeCipherSpec invalid in TLS 1.3 without compatibility mode" ) );
4933 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4934 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
4935 }
4936 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4937 }
4938
4939 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
4940 {
4941 if( ssl->in_msglen != 2 )
4942 {
4943 /* Note: Standard allows for more than one 2 byte alert
4944 to be packed in a single message, but Mbed TLS doesn't
4945 currently support this. */
4946 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %" MBEDTLS_PRINTF_SIZET,
4947 ssl->in_msglen ) );
4948 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4949 }
4950
4951 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%u:%u]",
4952 ssl->in_msg[0], ssl->in_msg[1] ) );
4953
4954 /*
4955 * Ignore non-fatal alerts, except close_notify and no_renegotiation
4956 */
4957 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
4958 {
4959 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
4960 ssl->in_msg[1] ) );
4961 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
4962 }
4963
4964 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4965 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
4966 {
4967 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
4968 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
4969 }
4970
4971 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
4972 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4973 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
4974 {
4975 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a no renegotiation alert" ) );
4976 /* Will be handled when trying to parse ServerHello */
4977 return( 0 );
4978 }
4979 #endif
4980 /* Silently ignore: fetch new message */
4981 return MBEDTLS_ERR_SSL_NON_FATAL;
4982 }
4983
4984 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4985 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4986 {
4987 /* Drop unexpected ApplicationData records,
4988 * except at the beginning of renegotiations */
4989 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
4990 mbedtls_ssl_is_handshake_over( ssl ) == 0
4991 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4992 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
4993 ssl->state == MBEDTLS_SSL_SERVER_HELLO )
4994 #endif
4995 )
4996 {
4997 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
4998 return( MBEDTLS_ERR_SSL_NON_FATAL );
4999 }
5000
5001 if( ssl->handshake != NULL &&
5002 mbedtls_ssl_is_handshake_over( ssl ) == 1 )
5003 {
5004 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
5005 }
5006 }
5007 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5008
5009 return( 0 );
5010 }
5011
mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context * ssl)5012 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
5013 {
5014 return( mbedtls_ssl_send_alert_message( ssl,
5015 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5016 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) );
5017 }
5018
mbedtls_ssl_send_alert_message(mbedtls_ssl_context * ssl,unsigned char level,unsigned char message)5019 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
5020 unsigned char level,
5021 unsigned char message )
5022 {
5023 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5024
5025 if( ssl == NULL || ssl->conf == NULL )
5026 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5027
5028 if( ssl->out_left != 0 )
5029 return( mbedtls_ssl_flush_output( ssl ) );
5030
5031 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
5032 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
5033
5034 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
5035 ssl->out_msglen = 2;
5036 ssl->out_msg[0] = level;
5037 ssl->out_msg[1] = message;
5038
5039 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
5040 {
5041 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
5042 return( ret );
5043 }
5044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
5045
5046 return( 0 );
5047 }
5048
mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context * ssl)5049 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
5050 {
5051 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5052
5053 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
5054
5055 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
5056 ssl->out_msglen = 1;
5057 ssl->out_msg[0] = 1;
5058
5059 ssl->state++;
5060
5061 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
5062 {
5063 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
5064 return( ret );
5065 }
5066
5067 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
5068
5069 return( 0 );
5070 }
5071
mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context * ssl)5072 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
5073 {
5074 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5075
5076 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
5077
5078 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
5079 {
5080 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5081 return( ret );
5082 }
5083
5084 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
5085 {
5086 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
5087 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5088 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
5089 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5090 }
5091
5092 /* CCS records are only accepted if they have length 1 and content '1',
5093 * so we don't need to check this here. */
5094
5095 /*
5096 * Switch to our negotiated transform and session parameters for inbound
5097 * data.
5098 */
5099 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
5100 ssl->transform_in = ssl->transform_negotiate;
5101 ssl->session_in = ssl->session_negotiate;
5102
5103 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5104 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5105 {
5106 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5107 mbedtls_ssl_dtls_replay_reset( ssl );
5108 #endif
5109
5110 /* Increment epoch */
5111 if( ++ssl->in_epoch == 0 )
5112 {
5113 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
5114 /* This is highly unlikely to happen for legitimate reasons, so
5115 treat it as an attack and don't send an alert. */
5116 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
5117 }
5118 }
5119 else
5120 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5121 memset( ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
5122
5123 mbedtls_ssl_update_in_pointers( ssl );
5124
5125 ssl->state++;
5126
5127 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
5128
5129 return( 0 );
5130 }
5131
5132 /* Once ssl->out_hdr as the address of the beginning of the
5133 * next outgoing record is set, deduce the other pointers.
5134 *
5135 * Note: For TLS, we save the implicit record sequence number
5136 * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
5137 * and the caller has to make sure there's space for this.
5138 */
5139
ssl_transform_get_explicit_iv_len(mbedtls_ssl_transform const * transform)5140 static size_t ssl_transform_get_explicit_iv_len(
5141 mbedtls_ssl_transform const *transform )
5142 {
5143 return( transform->ivlen - transform->fixed_ivlen );
5144 }
5145
mbedtls_ssl_update_out_pointers(mbedtls_ssl_context * ssl,mbedtls_ssl_transform * transform)5146 void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
5147 mbedtls_ssl_transform *transform )
5148 {
5149 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5150 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5151 {
5152 ssl->out_ctr = ssl->out_hdr + 3;
5153 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5154 ssl->out_cid = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5155 ssl->out_len = ssl->out_cid;
5156 if( transform != NULL )
5157 ssl->out_len += transform->out_cid_len;
5158 #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5159 ssl->out_len = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5160 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5161 ssl->out_iv = ssl->out_len + 2;
5162 }
5163 else
5164 #endif
5165 {
5166 ssl->out_len = ssl->out_hdr + 3;
5167 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5168 ssl->out_cid = ssl->out_len;
5169 #endif
5170 ssl->out_iv = ssl->out_hdr + 5;
5171 }
5172
5173 ssl->out_msg = ssl->out_iv;
5174 /* Adjust out_msg to make space for explicit IV, if used. */
5175 if( transform != NULL )
5176 ssl->out_msg += ssl_transform_get_explicit_iv_len( transform );
5177 }
5178
5179 /* Once ssl->in_hdr as the address of the beginning of the
5180 * next incoming record is set, deduce the other pointers.
5181 *
5182 * Note: For TLS, we save the implicit record sequence number
5183 * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
5184 * and the caller has to make sure there's space for this.
5185 */
5186
mbedtls_ssl_update_in_pointers(mbedtls_ssl_context * ssl)5187 void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl )
5188 {
5189 /* This function sets the pointers to match the case
5190 * of unprotected TLS/DTLS records, with both ssl->in_iv
5191 * and ssl->in_msg pointing to the beginning of the record
5192 * content.
5193 *
5194 * When decrypting a protected record, ssl->in_msg
5195 * will be shifted to point to the beginning of the
5196 * record plaintext.
5197 */
5198
5199 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5200 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5201 {
5202 /* This sets the header pointers to match records
5203 * without CID. When we receive a record containing
5204 * a CID, the fields are shifted accordingly in
5205 * ssl_parse_record_header(). */
5206 ssl->in_ctr = ssl->in_hdr + 3;
5207 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5208 ssl->in_cid = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5209 ssl->in_len = ssl->in_cid; /* Default: no CID */
5210 #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5211 ssl->in_len = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5212 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5213 ssl->in_iv = ssl->in_len + 2;
5214 }
5215 else
5216 #endif
5217 {
5218 ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5219 ssl->in_len = ssl->in_hdr + 3;
5220 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5221 ssl->in_cid = ssl->in_len;
5222 #endif
5223 ssl->in_iv = ssl->in_hdr + 5;
5224 }
5225
5226 /* This will be adjusted at record decryption time. */
5227 ssl->in_msg = ssl->in_iv;
5228 }
5229
5230 /*
5231 * Setup an SSL context
5232 */
5233
mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context * ssl)5234 void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
5235 {
5236 /* Set the incoming and outgoing record pointers. */
5237 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5238 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5239 {
5240 ssl->out_hdr = ssl->out_buf;
5241 ssl->in_hdr = ssl->in_buf;
5242 }
5243 else
5244 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5245 {
5246 ssl->out_ctr = ssl->out_buf;
5247 ssl->out_hdr = ssl->out_buf + 8;
5248 ssl->in_hdr = ssl->in_buf + 8;
5249 }
5250
5251 /* Derive other internal pointers. */
5252 mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
5253 mbedtls_ssl_update_in_pointers ( ssl );
5254 }
5255
5256 /*
5257 * SSL get accessors
5258 */
mbedtls_ssl_get_bytes_avail(const mbedtls_ssl_context * ssl)5259 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
5260 {
5261 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
5262 }
5263
mbedtls_ssl_check_pending(const mbedtls_ssl_context * ssl)5264 int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
5265 {
5266 /*
5267 * Case A: We're currently holding back
5268 * a message for further processing.
5269 */
5270
5271 if( ssl->keep_current_message == 1 )
5272 {
5273 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
5274 return( 1 );
5275 }
5276
5277 /*
5278 * Case B: Further records are pending in the current datagram.
5279 */
5280
5281 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5282 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5283 ssl->in_left > ssl->next_record_offset )
5284 {
5285 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
5286 return( 1 );
5287 }
5288 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5289
5290 /*
5291 * Case C: A handshake message is being processed.
5292 */
5293
5294 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
5295 {
5296 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
5297 return( 1 );
5298 }
5299
5300 /*
5301 * Case D: An application data message is being processed
5302 */
5303 if( ssl->in_offt != NULL )
5304 {
5305 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
5306 return( 1 );
5307 }
5308
5309 /*
5310 * In all other cases, the rest of the message can be dropped.
5311 * As in ssl_get_next_record, this needs to be adapted if
5312 * we implement support for multiple alerts in single records.
5313 */
5314
5315 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
5316 return( 0 );
5317 }
5318
5319
mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context * ssl)5320 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
5321 {
5322 size_t transform_expansion = 0;
5323 const mbedtls_ssl_transform *transform = ssl->transform_out;
5324 unsigned block_size;
5325 #if defined(MBEDTLS_USE_PSA_CRYPTO)
5326 psa_key_attributes_t attr = PSA_KEY_ATTRIBUTES_INIT;
5327 psa_key_type_t key_type;
5328 #endif /* MBEDTLS_USE_PSA_CRYPTO */
5329
5330 size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl );
5331
5332 if( transform == NULL )
5333 return( (int) out_hdr_len );
5334
5335
5336 #if defined(MBEDTLS_USE_PSA_CRYPTO)
5337 if ( transform->psa_alg == PSA_ALG_GCM ||
5338 transform->psa_alg == PSA_ALG_CCM ||
5339 transform->psa_alg == PSA_ALG_AEAD_WITH_SHORTENED_TAG( PSA_ALG_CCM, 8 ) ||
5340 transform->psa_alg == PSA_ALG_CHACHA20_POLY1305 ||
5341 transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER )
5342 {
5343 transform_expansion = transform->minlen;
5344 }
5345 else if ( transform->psa_alg == PSA_ALG_CBC_NO_PADDING )
5346 {
5347 (void) psa_get_key_attributes( transform->psa_key_enc, &attr );
5348 key_type = psa_get_key_type( &attr );
5349
5350 block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type );
5351
5352 /* Expansion due to the addition of the MAC. */
5353 transform_expansion += transform->maclen;
5354
5355 /* Expansion due to the addition of CBC padding;
5356 * Theoretically up to 256 bytes, but we never use
5357 * more than the block size of the underlying cipher. */
5358 transform_expansion += block_size;
5359
5360 /* For TLS 1.2 or higher, an explicit IV is added
5361 * after the record header. */
5362 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5363 transform_expansion += block_size;
5364 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5365 }
5366 else
5367 {
5368 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported psa_alg spotted in mbedtls_ssl_get_record_expansion()" ) );
5369 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5370 }
5371 #else
5372 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
5373 {
5374 case MBEDTLS_MODE_GCM:
5375 case MBEDTLS_MODE_CCM:
5376 case MBEDTLS_MODE_CHACHAPOLY:
5377 case MBEDTLS_MODE_STREAM:
5378 transform_expansion = transform->minlen;
5379 break;
5380
5381 case MBEDTLS_MODE_CBC:
5382
5383 block_size = mbedtls_cipher_get_block_size(
5384 &transform->cipher_ctx_enc );
5385
5386 /* Expansion due to the addition of the MAC. */
5387 transform_expansion += transform->maclen;
5388
5389 /* Expansion due to the addition of CBC padding;
5390 * Theoretically up to 256 bytes, but we never use
5391 * more than the block size of the underlying cipher. */
5392 transform_expansion += block_size;
5393
5394 /* For TLS 1.2 or higher, an explicit IV is added
5395 * after the record header. */
5396 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5397 transform_expansion += block_size;
5398 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5399
5400 break;
5401
5402 default:
5403 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5404 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5405 }
5406 #endif /* MBEDTLS_USE_PSA_CRYPTO */
5407
5408 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5409 if( transform->out_cid_len != 0 )
5410 transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
5411 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5412
5413 return( (int)( out_hdr_len + transform_expansion ) );
5414 }
5415
5416 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5417 /*
5418 * Check record counters and renegotiate if they're above the limit.
5419 */
5420 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_ctr_renegotiate(mbedtls_ssl_context * ssl)5421 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
5422 {
5423 size_t ep_len = mbedtls_ssl_ep_len( ssl );
5424 int in_ctr_cmp;
5425 int out_ctr_cmp;
5426
5427 if( mbedtls_ssl_is_handshake_over( ssl ) == 0 ||
5428 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
5429 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
5430 {
5431 return( 0 );
5432 }
5433
5434 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
5435 &ssl->conf->renego_period[ep_len],
5436 MBEDTLS_SSL_SEQUENCE_NUMBER_LEN - ep_len );
5437 out_ctr_cmp = memcmp( &ssl->cur_out_ctr[ep_len],
5438 &ssl->conf->renego_period[ep_len],
5439 sizeof( ssl->cur_out_ctr ) - ep_len );
5440
5441 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
5442 {
5443 return( 0 );
5444 }
5445
5446 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
5447 return( mbedtls_ssl_renegotiate( ssl ) );
5448 }
5449 #endif /* MBEDTLS_SSL_RENEGOTIATION */
5450
5451 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5452
5453 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
5454 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_check_new_session_ticket(mbedtls_ssl_context * ssl)5455 static int ssl_tls13_check_new_session_ticket( mbedtls_ssl_context *ssl )
5456 {
5457
5458 if( ( ssl->in_hslen == mbedtls_ssl_hs_hdr_len( ssl ) ) ||
5459 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_NEW_SESSION_TICKET ) )
5460 {
5461 return( 0 );
5462 }
5463
5464 ssl->keep_current_message = 1;
5465
5466 MBEDTLS_SSL_DEBUG_MSG( 3, ( "NewSessionTicket received" ) );
5467 mbedtls_ssl_handshake_set_state( ssl,
5468 MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET );
5469
5470 return( MBEDTLS_ERR_SSL_WANT_READ );
5471 }
5472 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
5473
5474 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_handle_hs_message_post_handshake(mbedtls_ssl_context * ssl)5475 static int ssl_tls13_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl )
5476 {
5477
5478 MBEDTLS_SSL_DEBUG_MSG( 3, ( "received post-handshake message" ) );
5479
5480 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
5481 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5482 {
5483 int ret = ssl_tls13_check_new_session_ticket( ssl );
5484 if( ret != 0 )
5485 return( ret );
5486 }
5487 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
5488
5489 /* Fail in all other cases. */
5490 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5491 }
5492 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5493
5494 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5495 /* This function is called from mbedtls_ssl_read() when a handshake message is
5496 * received after the initial handshake. In this context, handshake messages
5497 * may only be sent for the purpose of initiating renegotiations.
5498 *
5499 * This function is introduced as a separate helper since the handling
5500 * of post-handshake handshake messages changes significantly in TLS 1.3,
5501 * and having a helper function allows to distinguish between TLS <= 1.2 and
5502 * TLS 1.3 in the future without bloating the logic of mbedtls_ssl_read().
5503 */
5504 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_handle_hs_message_post_handshake(mbedtls_ssl_context * ssl)5505 static int ssl_tls12_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl )
5506 {
5507 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5508
5509 /*
5510 * - For client-side, expect SERVER_HELLO_REQUEST.
5511 * - For server-side, expect CLIENT_HELLO.
5512 * - Fail (TLS) or silently drop record (DTLS) in other cases.
5513 */
5514
5515 #if defined(MBEDTLS_SSL_CLI_C)
5516 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
5517 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
5518 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
5519 {
5520 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
5521
5522 /* With DTLS, drop the packet (probably from last handshake) */
5523 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5524 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5525 {
5526 return( 0 );
5527 }
5528 #endif
5529 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5530 }
5531 #endif /* MBEDTLS_SSL_CLI_C */
5532
5533 #if defined(MBEDTLS_SSL_SRV_C)
5534 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5535 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
5536 {
5537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
5538
5539 /* With DTLS, drop the packet (probably from last handshake) */
5540 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5541 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5542 {
5543 return( 0 );
5544 }
5545 #endif
5546 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5547 }
5548 #endif /* MBEDTLS_SSL_SRV_C */
5549
5550 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5551 /* Determine whether renegotiation attempt should be accepted */
5552 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5553 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
5554 ssl->conf->allow_legacy_renegotiation ==
5555 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
5556 {
5557 /*
5558 * Accept renegotiation request
5559 */
5560
5561 /* DTLS clients need to know renego is server-initiated */
5562 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5563 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5564 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5565 {
5566 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
5567 }
5568 #endif
5569 ret = mbedtls_ssl_start_renegotiation( ssl );
5570 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5571 ret != 0 )
5572 {
5573 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation",
5574 ret );
5575 return( ret );
5576 }
5577 }
5578 else
5579 #endif /* MBEDTLS_SSL_RENEGOTIATION */
5580 {
5581 /*
5582 * Refuse renegotiation
5583 */
5584
5585 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
5586
5587 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5588 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5589 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
5590 {
5591 return( ret );
5592 }
5593 }
5594
5595 return( 0 );
5596 }
5597 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5598
5599 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_handle_hs_message_post_handshake(mbedtls_ssl_context * ssl)5600 static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl )
5601 {
5602 /* Check protocol version and dispatch accordingly. */
5603 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5604 if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
5605 {
5606 return( ssl_tls13_handle_hs_message_post_handshake( ssl ) );
5607 }
5608 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5609
5610 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5611 if( ssl->tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 )
5612 {
5613 return( ssl_tls12_handle_hs_message_post_handshake( ssl ) );
5614 }
5615 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5616
5617 /* Should never happen */
5618 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5619 }
5620
5621 /*
5622 * Receive application data decrypted from the SSL layer
5623 */
mbedtls_ssl_read(mbedtls_ssl_context * ssl,unsigned char * buf,size_t len)5624 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
5625 {
5626 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5627 size_t n;
5628
5629 if( ssl == NULL || ssl->conf == NULL )
5630 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5631
5632 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
5633
5634 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5635 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5636 {
5637 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
5638 return( ret );
5639
5640 if( ssl->handshake != NULL &&
5641 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
5642 {
5643 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
5644 return( ret );
5645 }
5646 }
5647 #endif
5648
5649 /*
5650 * Check if renegotiation is necessary and/or handshake is
5651 * in process. If yes, perform/continue, and fall through
5652 * if an unexpected packet is received while the client
5653 * is waiting for the ServerHello.
5654 *
5655 * (There is no equivalent to the last condition on
5656 * the server-side as it is not treated as within
5657 * a handshake while waiting for the ClientHello
5658 * after a renegotiation request.)
5659 */
5660
5661 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5662 ret = ssl_check_ctr_renegotiate( ssl );
5663 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5664 ret != 0 )
5665 {
5666 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
5667 return( ret );
5668 }
5669 #endif
5670
5671 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5672 {
5673 ret = mbedtls_ssl_handshake( ssl );
5674 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5675 ret != 0 )
5676 {
5677 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
5678 return( ret );
5679 }
5680 }
5681
5682 /* Loop as long as no application data record is available */
5683 while( ssl->in_offt == NULL )
5684 {
5685 /* Start timer if not already running */
5686 if( ssl->f_get_timer != NULL &&
5687 ssl->f_get_timer( ssl->p_timer ) == -1 )
5688 {
5689 mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout );
5690 }
5691
5692 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
5693 {
5694 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5695 return( 0 );
5696
5697 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5698 return( ret );
5699 }
5700
5701 if( ssl->in_msglen == 0 &&
5702 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
5703 {
5704 /*
5705 * OpenSSL sends empty messages to randomize the IV
5706 */
5707 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
5708 {
5709 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5710 return( 0 );
5711
5712 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5713 return( ret );
5714 }
5715 }
5716
5717 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
5718 {
5719 ret = ssl_handle_hs_message_post_handshake( ssl );
5720 if( ret != 0)
5721 {
5722 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_handle_hs_message_post_handshake",
5723 ret );
5724 return( ret );
5725 }
5726
5727 /* At this point, we don't know whether the renegotiation triggered
5728 * by the post-handshake message has been completed or not. The cases
5729 * to consider are the following:
5730 * 1) The renegotiation is complete. In this case, no new record
5731 * has been read yet.
5732 * 2) The renegotiation is incomplete because the client received
5733 * an application data record while awaiting the ServerHello.
5734 * 3) The renegotiation is incomplete because the client received
5735 * a non-handshake, non-application data message while awaiting
5736 * the ServerHello.
5737 *
5738 * In each of these cases, looping will be the proper action:
5739 * - For 1), the next iteration will read a new record and check
5740 * if it's application data.
5741 * - For 2), the loop condition isn't satisfied as application data
5742 * is present, hence continue is the same as break
5743 * - For 3), the loop condition is satisfied and read_record
5744 * will re-deliver the message that was held back by the client
5745 * when expecting the ServerHello.
5746 */
5747
5748 continue;
5749 }
5750 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5751 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
5752 {
5753 if( ssl->conf->renego_max_records >= 0 )
5754 {
5755 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
5756 {
5757 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
5758 "but not honored by client" ) );
5759 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5760 }
5761 }
5762 }
5763 #endif /* MBEDTLS_SSL_RENEGOTIATION */
5764
5765 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
5766 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
5767 {
5768 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
5769 return( MBEDTLS_ERR_SSL_WANT_READ );
5770 }
5771
5772 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
5773 {
5774 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
5775 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5776 }
5777
5778 ssl->in_offt = ssl->in_msg;
5779
5780 /* We're going to return something now, cancel timer,
5781 * except if handshake (renegotiation) is in progress */
5782 if( mbedtls_ssl_is_handshake_over( ssl ) == 1 )
5783 mbedtls_ssl_set_timer( ssl, 0 );
5784
5785 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5786 /* If we requested renego but received AppData, resend HelloRequest.
5787 * Do it now, after setting in_offt, to avoid taking this branch
5788 * again if ssl_write_hello_request() returns WANT_WRITE */
5789 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
5790 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5791 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
5792 {
5793 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
5794 {
5795 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
5796 ret );
5797 return( ret );
5798 }
5799 }
5800 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
5801 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5802 }
5803
5804 n = ( len < ssl->in_msglen )
5805 ? len : ssl->in_msglen;
5806
5807 memcpy( buf, ssl->in_offt, n );
5808 ssl->in_msglen -= n;
5809
5810 /* Zeroising the plaintext buffer to erase unused application data
5811 from the memory. */
5812 mbedtls_platform_zeroize( ssl->in_offt, n );
5813
5814 if( ssl->in_msglen == 0 )
5815 {
5816 /* all bytes consumed */
5817 ssl->in_offt = NULL;
5818 ssl->keep_current_message = 0;
5819 }
5820 else
5821 {
5822 /* more data available */
5823 ssl->in_offt += n;
5824 }
5825
5826 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
5827
5828 return( (int) n );
5829 }
5830
5831 /*
5832 * Send application data to be encrypted by the SSL layer, taking care of max
5833 * fragment length and buffer size.
5834 *
5835 * According to RFC 5246 Section 6.2.1:
5836 *
5837 * Zero-length fragments of Application data MAY be sent as they are
5838 * potentially useful as a traffic analysis countermeasure.
5839 *
5840 * Therefore, it is possible that the input message length is 0 and the
5841 * corresponding return code is 0 on success.
5842 */
5843 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_real(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)5844 static int ssl_write_real( mbedtls_ssl_context *ssl,
5845 const unsigned char *buf, size_t len )
5846 {
5847 int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
5848 const size_t max_len = (size_t) ret;
5849
5850 if( ret < 0 )
5851 {
5852 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
5853 return( ret );
5854 }
5855
5856 if( len > max_len )
5857 {
5858 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5859 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5860 {
5861 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
5862 "maximum fragment length: %" MBEDTLS_PRINTF_SIZET
5863 " > %" MBEDTLS_PRINTF_SIZET,
5864 len, max_len ) );
5865 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5866 }
5867 else
5868 #endif
5869 len = max_len;
5870 }
5871
5872 if( ssl->out_left != 0 )
5873 {
5874 /*
5875 * The user has previously tried to send the data and
5876 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
5877 * written. In this case, we expect the high-level write function
5878 * (e.g. mbedtls_ssl_write()) to be called with the same parameters
5879 */
5880 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
5881 {
5882 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
5883 return( ret );
5884 }
5885 }
5886 else
5887 {
5888 /*
5889 * The user is trying to send a message the first time, so we need to
5890 * copy the data into the internal buffers and setup the data structure
5891 * to keep track of partial writes
5892 */
5893 ssl->out_msglen = len;
5894 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
5895 memcpy( ssl->out_msg, buf, len );
5896
5897 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
5898 {
5899 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
5900 return( ret );
5901 }
5902 }
5903
5904 return( (int) len );
5905 }
5906
5907 /*
5908 * Write application data (public-facing wrapper)
5909 */
mbedtls_ssl_write(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)5910 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
5911 {
5912 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5913
5914 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
5915
5916 if( ssl == NULL || ssl->conf == NULL )
5917 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5918
5919 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5920 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
5921 {
5922 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
5923 return( ret );
5924 }
5925 #endif
5926
5927 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5928 {
5929 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
5930 {
5931 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
5932 return( ret );
5933 }
5934 }
5935
5936 ret = ssl_write_real( ssl, buf, len );
5937
5938 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
5939
5940 return( ret );
5941 }
5942
5943 /*
5944 * Notify the peer that the connection is being closed
5945 */
mbedtls_ssl_close_notify(mbedtls_ssl_context * ssl)5946 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
5947 {
5948 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5949
5950 if( ssl == NULL || ssl->conf == NULL )
5951 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5952
5953 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
5954
5955 if( mbedtls_ssl_is_handshake_over( ssl ) == 1 )
5956 {
5957 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5958 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5959 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
5960 {
5961 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
5962 return( ret );
5963 }
5964 }
5965
5966 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
5967
5968 return( 0 );
5969 }
5970
mbedtls_ssl_transform_free(mbedtls_ssl_transform * transform)5971 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
5972 {
5973 if( transform == NULL )
5974 return;
5975
5976 #if defined(MBEDTLS_USE_PSA_CRYPTO)
5977 psa_destroy_key( transform->psa_key_enc );
5978 psa_destroy_key( transform->psa_key_dec );
5979 #else
5980 mbedtls_cipher_free( &transform->cipher_ctx_enc );
5981 mbedtls_cipher_free( &transform->cipher_ctx_dec );
5982 #endif /* MBEDTLS_USE_PSA_CRYPTO */
5983
5984 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
5985 #if defined(MBEDTLS_USE_PSA_CRYPTO)
5986 psa_destroy_key( transform->psa_mac_enc );
5987 psa_destroy_key( transform->psa_mac_dec );
5988 #else
5989 mbedtls_md_free( &transform->md_ctx_enc );
5990 mbedtls_md_free( &transform->md_ctx_dec );
5991 #endif /* MBEDTLS_USE_PSA_CRYPTO */
5992 #endif
5993
5994 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
5995 }
5996
mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context * ssl,mbedtls_ssl_transform * transform)5997 void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl,
5998 mbedtls_ssl_transform *transform )
5999 {
6000 ssl->transform_in = transform;
6001 memset( ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
6002 }
6003
mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context * ssl,mbedtls_ssl_transform * transform)6004 void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
6005 mbedtls_ssl_transform *transform )
6006 {
6007 ssl->transform_out = transform;
6008 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
6009 }
6010
6011 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6012
mbedtls_ssl_buffering_free(mbedtls_ssl_context * ssl)6013 void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl )
6014 {
6015 unsigned offset;
6016 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
6017
6018 if( hs == NULL )
6019 return;
6020
6021 ssl_free_buffered_record( ssl );
6022
6023 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
6024 ssl_buffering_free_slot( ssl, offset );
6025 }
6026
ssl_buffering_free_slot(mbedtls_ssl_context * ssl,uint8_t slot)6027 static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
6028 uint8_t slot )
6029 {
6030 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
6031 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
6032
6033 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
6034 return;
6035
6036 if( hs_buf->is_valid == 1 )
6037 {
6038 hs->buffering.total_bytes_buffered -= hs_buf->data_len;
6039 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
6040 mbedtls_free( hs_buf->data );
6041 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
6042 }
6043 }
6044
6045 #endif /* MBEDTLS_SSL_PROTO_DTLS */
6046
6047 /*
6048 * Convert version numbers to/from wire format
6049 * and, for DTLS, to/from TLS equivalent.
6050 *
6051 * For TLS this is the identity.
6052 * For DTLS, map as follows, then use 1's complement (v -> ~v):
6053 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
6054 * DTLS 1.0 is stored as TLS 1.1 internally
6055 */
mbedtls_ssl_write_version(unsigned char version[2],int transport,mbedtls_ssl_protocol_version tls_version)6056 void mbedtls_ssl_write_version( unsigned char version[2], int transport,
6057 mbedtls_ssl_protocol_version tls_version )
6058 {
6059 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6060 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6061 tls_version =
6062 ~( tls_version - ( tls_version == 0x0302 ? 0x0202 : 0x0201 ) );
6063 #else
6064 ((void) transport);
6065 #endif
6066 MBEDTLS_PUT_UINT16_BE( tls_version, version, 0 );
6067 }
6068
mbedtls_ssl_read_version(const unsigned char version[2],int transport)6069 uint16_t mbedtls_ssl_read_version( const unsigned char version[2],
6070 int transport )
6071 {
6072 uint16_t tls_version = MBEDTLS_GET_UINT16_BE( version, 0 );
6073 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6074 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6075 tls_version =
6076 ~( tls_version - ( tls_version == 0xfeff ? 0x0202 : 0x0201 ) );
6077 #else
6078 ((void) transport);
6079 #endif
6080 return tls_version;
6081 }
6082
6083 /*
6084 * Send pending fatal alert.
6085 * 0, No alert message.
6086 * !0, if mbedtls_ssl_send_alert_message() returned in error, the error code it
6087 * returned, ssl->alert_reason otherwise.
6088 */
mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context * ssl)6089 int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl )
6090 {
6091 int ret;
6092
6093 /* No pending alert, return success*/
6094 if( ssl->send_alert == 0 )
6095 return( 0 );
6096
6097 ret = mbedtls_ssl_send_alert_message( ssl,
6098 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6099 ssl->alert_type );
6100
6101 /* If mbedtls_ssl_send_alert_message() returned with MBEDTLS_ERR_SSL_WANT_WRITE,
6102 * do not clear the alert to be able to send it later.
6103 */
6104 if( ret != MBEDTLS_ERR_SSL_WANT_WRITE )
6105 {
6106 ssl->send_alert = 0;
6107 }
6108
6109 if( ret != 0 )
6110 return( ret );
6111
6112 return( ssl->alert_reason );
6113 }
6114
6115 /*
6116 * Set pending fatal alert flag.
6117 */
mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context * ssl,unsigned char alert_type,int alert_reason)6118 void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl,
6119 unsigned char alert_type,
6120 int alert_reason )
6121 {
6122 ssl->send_alert = 1;
6123 ssl->alert_type = alert_type;
6124 ssl->alert_reason = alert_reason;
6125 }
6126
6127 #endif /* MBEDTLS_SSL_TLS_C */
6128