1 /*
2 * TLS shared functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7 /*
8 * http://www.ietf.org/rfc/rfc2246.txt
9 * http://www.ietf.org/rfc/rfc4346.txt
10 */
11
12 #include "common.h"
13
14 #if defined(MBEDTLS_SSL_TLS_C)
15
16 #include "mbedtls/platform.h"
17
18 #include "mbedtls/ssl.h"
19 #include "ssl_client.h"
20 #include "ssl_debug_helpers.h"
21 #include "ssl_misc.h"
22 #include "ssl_tls13_keys.h"
23
24 #include "debug_internal.h"
25 #include "mbedtls/error.h"
26 #include "mbedtls/platform_util.h"
27 #include "mbedtls/version.h"
28 #include "mbedtls/constant_time.h"
29
30 #include <string.h>
31
32 #if defined(MBEDTLS_USE_PSA_CRYPTO)
33 #include "mbedtls/psa_util.h"
34 #include "md_psa.h"
35 #include "psa_util_internal.h"
36 #include "psa/crypto.h"
37 #endif
38
39 #if defined(MBEDTLS_X509_CRT_PARSE_C)
40 #include "mbedtls/oid.h"
41 #endif
42
43 #if defined(MBEDTLS_USE_PSA_CRYPTO)
44 /* Define local translating functions to save code size by not using too many
45 * arguments in each translating place. */
local_err_translation(psa_status_t status)46 static int local_err_translation(psa_status_t status)
47 {
48 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
49 ARRAY_LENGTH(psa_to_ssl_errors),
50 psa_generic_status_to_mbedtls);
51 }
52 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
53 #endif
54
55 #if defined(MBEDTLS_TEST_HOOKS)
56 static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
57
mbedtls_ssl_set_chk_buf_ptr_fail_args(const uint8_t * cur,const uint8_t * end,size_t need)58 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
59 const uint8_t *cur, const uint8_t *end, size_t need)
60 {
61 chk_buf_ptr_fail_args.cur = cur;
62 chk_buf_ptr_fail_args.end = end;
63 chk_buf_ptr_fail_args.need = need;
64 }
65
mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)66 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
67 {
68 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
69 }
70
mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args * args)71 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
72 {
73 return (chk_buf_ptr_fail_args.cur != args->cur) ||
74 (chk_buf_ptr_fail_args.end != args->end) ||
75 (chk_buf_ptr_fail_args.need != args->need);
76 }
77 #endif /* MBEDTLS_TEST_HOOKS */
78
79 #if defined(MBEDTLS_SSL_PROTO_DTLS)
80
81 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
82 /* Top-level Connection ID API */
83
mbedtls_ssl_conf_cid(mbedtls_ssl_config * conf,size_t len,int ignore_other_cid)84 int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
85 size_t len,
86 int ignore_other_cid)
87 {
88 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
89 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
90 }
91
92 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
93 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
94 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
95 }
96
97 conf->ignore_unexpected_cid = ignore_other_cid;
98 conf->cid_len = len;
99 return 0;
100 }
101
mbedtls_ssl_set_cid(mbedtls_ssl_context * ssl,int enable,unsigned char const * own_cid,size_t own_cid_len)102 int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
103 int enable,
104 unsigned char const *own_cid,
105 size_t own_cid_len)
106 {
107 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
108 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
109 }
110
111 ssl->negotiate_cid = enable;
112 if (enable == MBEDTLS_SSL_CID_DISABLED) {
113 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
114 return 0;
115 }
116 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
117 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
118
119 if (own_cid_len != ssl->conf->cid_len) {
120 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
121 (unsigned) own_cid_len,
122 (unsigned) ssl->conf->cid_len));
123 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
124 }
125
126 memcpy(ssl->own_cid, own_cid, own_cid_len);
127 /* Truncation is not an issue here because
128 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
129 ssl->own_cid_len = (uint8_t) own_cid_len;
130
131 return 0;
132 }
133
mbedtls_ssl_get_own_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],size_t * own_cid_len)134 int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
135 int *enabled,
136 unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],
137 size_t *own_cid_len)
138 {
139 *enabled = MBEDTLS_SSL_CID_DISABLED;
140
141 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
142 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
143 }
144
145 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
146 * zero as this is indistinguishable from not requesting to use
147 * the CID extension. */
148 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
149 return 0;
150 }
151
152 if (own_cid_len != NULL) {
153 *own_cid_len = ssl->own_cid_len;
154 if (own_cid != NULL) {
155 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
156 }
157 }
158
159 *enabled = MBEDTLS_SSL_CID_ENABLED;
160
161 return 0;
162 }
163
mbedtls_ssl_get_peer_cid(mbedtls_ssl_context * ssl,int * enabled,unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],size_t * peer_cid_len)164 int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
165 int *enabled,
166 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
167 size_t *peer_cid_len)
168 {
169 *enabled = MBEDTLS_SSL_CID_DISABLED;
170
171 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
172 mbedtls_ssl_is_handshake_over(ssl) == 0) {
173 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
174 }
175
176 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
177 * were used, but client and server requested the empty CID.
178 * This is indistinguishable from not using the CID extension
179 * in the first place. */
180 if (ssl->transform_in->in_cid_len == 0 &&
181 ssl->transform_in->out_cid_len == 0) {
182 return 0;
183 }
184
185 if (peer_cid_len != NULL) {
186 *peer_cid_len = ssl->transform_in->out_cid_len;
187 if (peer_cid != NULL) {
188 memcpy(peer_cid, ssl->transform_in->out_cid,
189 ssl->transform_in->out_cid_len);
190 }
191 }
192
193 *enabled = MBEDTLS_SSL_CID_ENABLED;
194
195 return 0;
196 }
197 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
198
199 #endif /* MBEDTLS_SSL_PROTO_DTLS */
200
201 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
202 /*
203 * Convert max_fragment_length codes to length.
204 * RFC 6066 says:
205 * enum{
206 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
207 * } MaxFragmentLength;
208 * and we add 0 -> extension unused
209 */
ssl_mfl_code_to_length(int mfl)210 static unsigned int ssl_mfl_code_to_length(int mfl)
211 {
212 switch (mfl) {
213 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
214 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
215 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
216 return 512;
217 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
218 return 1024;
219 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
220 return 2048;
221 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
222 return 4096;
223 default:
224 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
225 }
226 }
227 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
228
mbedtls_ssl_session_copy(mbedtls_ssl_session * dst,const mbedtls_ssl_session * src)229 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
230 const mbedtls_ssl_session *src)
231 {
232 mbedtls_ssl_session_free(dst);
233 memcpy(dst, src, sizeof(mbedtls_ssl_session));
234 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
235 dst->ticket = NULL;
236 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
237 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
238 dst->hostname = NULL;
239 #endif
240 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
241
242 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
243 defined(MBEDTLS_SSL_EARLY_DATA)
244 dst->ticket_alpn = NULL;
245 #endif
246
247 #if defined(MBEDTLS_X509_CRT_PARSE_C)
248
249 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
250 if (src->peer_cert != NULL) {
251 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
252
253 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
254 if (dst->peer_cert == NULL) {
255 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
256 }
257
258 mbedtls_x509_crt_init(dst->peer_cert);
259
260 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
261 src->peer_cert->raw.len)) != 0) {
262 mbedtls_free(dst->peer_cert);
263 dst->peer_cert = NULL;
264 return ret;
265 }
266 }
267 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
268 if (src->peer_cert_digest != NULL) {
269 dst->peer_cert_digest =
270 mbedtls_calloc(1, src->peer_cert_digest_len);
271 if (dst->peer_cert_digest == NULL) {
272 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
273 }
274
275 memcpy(dst->peer_cert_digest, src->peer_cert_digest,
276 src->peer_cert_digest_len);
277 dst->peer_cert_digest_type = src->peer_cert_digest_type;
278 dst->peer_cert_digest_len = src->peer_cert_digest_len;
279 }
280 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
281
282 #endif /* MBEDTLS_X509_CRT_PARSE_C */
283
284 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
285 defined(MBEDTLS_SSL_EARLY_DATA)
286 {
287 int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
288 if (ret != 0) {
289 return ret;
290 }
291 }
292 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */
293
294 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
295 if (src->ticket != NULL) {
296 dst->ticket = mbedtls_calloc(1, src->ticket_len);
297 if (dst->ticket == NULL) {
298 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
299 }
300
301 memcpy(dst->ticket, src->ticket, src->ticket_len);
302 }
303
304 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
305 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
306 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
307 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
308 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
309 if (ret != 0) {
310 return ret;
311 }
312 }
313 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
314 MBEDTLS_SSL_SERVER_NAME_INDICATION */
315 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
316
317 return 0;
318 }
319
320 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
321 MBEDTLS_CHECK_RETURN_CRITICAL
resize_buffer(unsigned char ** buffer,size_t len_new,size_t * len_old)322 static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
323 {
324 unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
325 if (resized_buffer == NULL) {
326 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
327 }
328
329 /* We want to copy len_new bytes when downsizing the buffer, and
330 * len_old bytes when upsizing, so we choose the smaller of two sizes,
331 * to fit one buffer into another. Size checks, ensuring that no data is
332 * lost, are done outside of this function. */
333 memcpy(resized_buffer, *buffer,
334 (len_new < *len_old) ? len_new : *len_old);
335 mbedtls_zeroize_and_free(*buffer, *len_old);
336
337 *buffer = resized_buffer;
338 *len_old = len_new;
339
340 return 0;
341 }
342
handle_buffer_resizing(mbedtls_ssl_context * ssl,int downsizing,size_t in_buf_new_len,size_t out_buf_new_len)343 static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
344 size_t in_buf_new_len,
345 size_t out_buf_new_len)
346 {
347 int modified = 0;
348 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0;
349 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
350 if (ssl->in_buf != NULL) {
351 written_in = ssl->in_msg - ssl->in_buf;
352 iv_offset_in = ssl->in_iv - ssl->in_buf;
353 len_offset_in = ssl->in_len - ssl->in_buf;
354 hdr_in = ssl->in_hdr - ssl->in_buf;
355 if (downsizing ?
356 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
357 ssl->in_buf_len < in_buf_new_len) {
358 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
359 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
360 } else {
361 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
362 in_buf_new_len));
363 modified = 1;
364 }
365 }
366 }
367
368 if (ssl->out_buf != NULL) {
369 written_out = ssl->out_msg - ssl->out_buf;
370 iv_offset_out = ssl->out_iv - ssl->out_buf;
371 len_offset_out = ssl->out_len - ssl->out_buf;
372 if (downsizing ?
373 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
374 ssl->out_buf_len < out_buf_new_len) {
375 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
376 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
377 } else {
378 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
379 out_buf_new_len));
380 modified = 1;
381 }
382 }
383 }
384 if (modified) {
385 /* Update pointers here to avoid doing it twice. */
386 ssl->in_hdr = ssl->in_buf + hdr_in;
387 mbedtls_ssl_update_in_pointers(ssl);
388 mbedtls_ssl_reset_out_pointers(ssl);
389
390 /* Fields below might not be properly updated with record
391 * splitting or with CID, so they are manually updated here. */
392 ssl->out_msg = ssl->out_buf + written_out;
393 ssl->out_len = ssl->out_buf + len_offset_out;
394 ssl->out_iv = ssl->out_buf + iv_offset_out;
395
396 ssl->in_msg = ssl->in_buf + written_in;
397 ssl->in_len = ssl->in_buf + len_offset_in;
398 ssl->in_iv = ssl->in_buf + iv_offset_in;
399 }
400 }
401 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
402
403 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
404
405 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
406 typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
407 const char *label,
408 const unsigned char *random, size_t rlen,
409 unsigned char *dstbuf, size_t dlen);
410
411 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
412
413 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
414
415 /* Type for the TLS PRF */
416 typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
417 const unsigned char *, size_t,
418 unsigned char *, size_t);
419
420 MBEDTLS_CHECK_RETURN_CRITICAL
421 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
422 int ciphersuite,
423 const unsigned char master[48],
424 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
425 int encrypt_then_mac,
426 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
427 ssl_tls_prf_t tls_prf,
428 const unsigned char randbytes[64],
429 mbedtls_ssl_protocol_version tls_version,
430 unsigned endpoint,
431 const mbedtls_ssl_context *ssl);
432
433 #if defined(MBEDTLS_MD_CAN_SHA256)
434 MBEDTLS_CHECK_RETURN_CRITICAL
435 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
436 const char *label,
437 const unsigned char *random, size_t rlen,
438 unsigned char *dstbuf, size_t dlen);
439 static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
440 static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
441
442 #endif /* MBEDTLS_MD_CAN_SHA256*/
443
444 #if defined(MBEDTLS_MD_CAN_SHA384)
445 MBEDTLS_CHECK_RETURN_CRITICAL
446 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
447 const char *label,
448 const unsigned char *random, size_t rlen,
449 unsigned char *dstbuf, size_t dlen);
450
451 static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
452 static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
453 #endif /* MBEDTLS_MD_CAN_SHA384*/
454
455 MBEDTLS_CHECK_RETURN_CRITICAL
456 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
457 const unsigned char *buf,
458 size_t len);
459 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
460
461 static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
462
463 #if defined(MBEDTLS_MD_CAN_SHA256)
464 static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
465 #endif /* MBEDTLS_MD_CAN_SHA256*/
466
467 #if defined(MBEDTLS_MD_CAN_SHA384)
468 static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
469 #endif /* MBEDTLS_MD_CAN_SHA384*/
470
mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)471 int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
472 const unsigned char *secret, size_t slen,
473 const char *label,
474 const unsigned char *random, size_t rlen,
475 unsigned char *dstbuf, size_t dlen)
476 {
477 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
478
479 switch (prf) {
480 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
481 #if defined(MBEDTLS_MD_CAN_SHA384)
482 case MBEDTLS_SSL_TLS_PRF_SHA384:
483 tls_prf = tls_prf_sha384;
484 break;
485 #endif /* MBEDTLS_MD_CAN_SHA384*/
486 #if defined(MBEDTLS_MD_CAN_SHA256)
487 case MBEDTLS_SSL_TLS_PRF_SHA256:
488 tls_prf = tls_prf_sha256;
489 break;
490 #endif /* MBEDTLS_MD_CAN_SHA256*/
491 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
492 default:
493 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
494 }
495
496 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
497 }
498
499 #if defined(MBEDTLS_X509_CRT_PARSE_C)
ssl_clear_peer_cert(mbedtls_ssl_session * session)500 static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
501 {
502 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
503 if (session->peer_cert != NULL) {
504 mbedtls_x509_crt_free(session->peer_cert);
505 mbedtls_free(session->peer_cert);
506 session->peer_cert = NULL;
507 }
508 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
509 if (session->peer_cert_digest != NULL) {
510 /* Zeroization is not necessary. */
511 mbedtls_free(session->peer_cert_digest);
512 session->peer_cert_digest = NULL;
513 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
514 session->peer_cert_digest_len = 0;
515 }
516 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
517 }
518 #endif /* MBEDTLS_X509_CRT_PARSE_C */
519
mbedtls_ssl_get_extension_id(unsigned int extension_type)520 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
521 {
522 switch (extension_type) {
523 case MBEDTLS_TLS_EXT_SERVERNAME:
524 return MBEDTLS_SSL_EXT_ID_SERVERNAME;
525
526 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
527 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH;
528
529 case MBEDTLS_TLS_EXT_STATUS_REQUEST:
530 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST;
531
532 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
533 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS;
534
535 case MBEDTLS_TLS_EXT_SIG_ALG:
536 return MBEDTLS_SSL_EXT_ID_SIG_ALG;
537
538 case MBEDTLS_TLS_EXT_USE_SRTP:
539 return MBEDTLS_SSL_EXT_ID_USE_SRTP;
540
541 case MBEDTLS_TLS_EXT_HEARTBEAT:
542 return MBEDTLS_SSL_EXT_ID_HEARTBEAT;
543
544 case MBEDTLS_TLS_EXT_ALPN:
545 return MBEDTLS_SSL_EXT_ID_ALPN;
546
547 case MBEDTLS_TLS_EXT_SCT:
548 return MBEDTLS_SSL_EXT_ID_SCT;
549
550 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
551 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE;
552
553 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
554 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE;
555
556 case MBEDTLS_TLS_EXT_PADDING:
557 return MBEDTLS_SSL_EXT_ID_PADDING;
558
559 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
560 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY;
561
562 case MBEDTLS_TLS_EXT_EARLY_DATA:
563 return MBEDTLS_SSL_EXT_ID_EARLY_DATA;
564
565 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
566 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS;
567
568 case MBEDTLS_TLS_EXT_COOKIE:
569 return MBEDTLS_SSL_EXT_ID_COOKIE;
570
571 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
572 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES;
573
574 case MBEDTLS_TLS_EXT_CERT_AUTH:
575 return MBEDTLS_SSL_EXT_ID_CERT_AUTH;
576
577 case MBEDTLS_TLS_EXT_OID_FILTERS:
578 return MBEDTLS_SSL_EXT_ID_OID_FILTERS;
579
580 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
581 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH;
582
583 case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
584 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT;
585
586 case MBEDTLS_TLS_EXT_KEY_SHARE:
587 return MBEDTLS_SSL_EXT_ID_KEY_SHARE;
588
589 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
590 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC;
591
592 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
593 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS;
594
595 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
596 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC;
597
598 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
599 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET;
600
601 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
602 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT;
603
604 case MBEDTLS_TLS_EXT_SESSION_TICKET:
605 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET;
606
607 }
608
609 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
610 }
611
mbedtls_ssl_get_extension_mask(unsigned int extension_type)612 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
613 {
614 return 1 << mbedtls_ssl_get_extension_id(extension_type);
615 }
616
617 #if defined(MBEDTLS_DEBUG_C)
618 static const char *extension_name_table[] = {
619 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
620 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
621 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
622 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
623 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
624 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
625 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
626 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
627 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
628 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
629 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
630 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
631 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
632 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
633 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
634 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
635 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
636 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
637 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
638 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
639 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
640 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
641 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
642 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
643 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
644 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
645 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
646 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
647 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
648 };
649
650 static const unsigned int extension_type_table[] = {
651 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
652 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
653 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
654 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
655 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
656 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
657 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
658 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
659 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
660 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
661 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
662 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
663 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
664 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
665 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
666 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
667 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
668 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
669 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
670 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
671 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
672 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
673 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
674 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
675 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
676 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
677 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
678 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
679 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
680 };
681
mbedtls_ssl_get_extension_name(unsigned int extension_type)682 const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
683 {
684 return extension_name_table[
685 mbedtls_ssl_get_extension_id(extension_type)];
686 }
687
ssl_tls13_get_hs_msg_name(int hs_msg_type)688 static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type)
689 {
690 switch (hs_msg_type) {
691 case MBEDTLS_SSL_HS_CLIENT_HELLO:
692 return "ClientHello";
693 case MBEDTLS_SSL_HS_SERVER_HELLO:
694 return "ServerHello";
695 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
696 return "HelloRetryRequest";
697 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
698 return "NewSessionTicket";
699 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
700 return "EncryptedExtensions";
701 case MBEDTLS_SSL_HS_CERTIFICATE:
702 return "Certificate";
703 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
704 return "CertificateRequest";
705 }
706 return "Unknown";
707 }
708
mbedtls_ssl_print_extension(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,unsigned int extension_type,const char * extra_msg0,const char * extra_msg1)709 void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
710 int level, const char *file, int line,
711 int hs_msg_type, unsigned int extension_type,
712 const char *extra_msg0, const char *extra_msg1)
713 {
714 const char *extra_msg;
715 if (extra_msg0 && extra_msg1) {
716 mbedtls_debug_print_msg(
717 ssl, level, file, line,
718 "%s: %s(%u) extension %s %s.",
719 ssl_tls13_get_hs_msg_name(hs_msg_type),
720 mbedtls_ssl_get_extension_name(extension_type),
721 extension_type,
722 extra_msg0, extra_msg1);
723 return;
724 }
725
726 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
727 if (extra_msg) {
728 mbedtls_debug_print_msg(
729 ssl, level, file, line,
730 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type),
731 mbedtls_ssl_get_extension_name(extension_type), extension_type,
732 extra_msg);
733 return;
734 }
735
736 mbedtls_debug_print_msg(
737 ssl, level, file, line,
738 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type),
739 mbedtls_ssl_get_extension_name(extension_type), extension_type);
740 }
741
mbedtls_ssl_print_extensions(const mbedtls_ssl_context * ssl,int level,const char * file,int line,int hs_msg_type,uint32_t extensions_mask,const char * extra)742 void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
743 int level, const char *file, int line,
744 int hs_msg_type, uint32_t extensions_mask,
745 const char *extra)
746 {
747
748 for (unsigned i = 0;
749 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
750 i++) {
751 mbedtls_ssl_print_extension(
752 ssl, level, file, line, hs_msg_type, extension_type_table[i],
753 extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
754 }
755 }
756
757 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
758 static const char *ticket_flag_name_table[] =
759 {
760 [0] = "ALLOW_PSK_RESUMPTION",
761 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
762 [3] = "ALLOW_EARLY_DATA",
763 };
764
mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context * ssl,int level,const char * file,int line,unsigned int flags)765 void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
766 int level, const char *file, int line,
767 unsigned int flags)
768 {
769 size_t i;
770
771 mbedtls_debug_print_msg(ssl, level, file, line,
772 "print ticket_flags (0x%02x)", flags);
773
774 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
775
776 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
777 if ((flags & (1 << i))) {
778 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
779 ticket_flag_name_table[i]);
780 }
781 }
782 }
783 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
784
785 #endif /* MBEDTLS_DEBUG_C */
786
mbedtls_ssl_optimize_checksum(mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * ciphersuite_info)787 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
788 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
789 {
790 ((void) ciphersuite_info);
791
792 #if defined(MBEDTLS_MD_CAN_SHA384)
793 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
794 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
795 } else
796 #endif
797 #if defined(MBEDTLS_MD_CAN_SHA256)
798 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
799 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
800 } else
801 #endif
802 {
803 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
804 return;
805 }
806 }
807
mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,size_t total_hs_len)808 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
809 unsigned hs_type,
810 size_t total_hs_len)
811 {
812 unsigned char hs_hdr[4];
813
814 /* Build HS header for checksum update. */
815 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
816 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
817 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
818 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
819
820 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
821 }
822
mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context * ssl,unsigned hs_type,unsigned char const * msg,size_t msg_len)823 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
824 unsigned hs_type,
825 unsigned char const *msg,
826 size_t msg_len)
827 {
828 int ret;
829 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
830 if (ret != 0) {
831 return ret;
832 }
833 return ssl->handshake->update_checksum(ssl, msg, msg_len);
834 }
835
mbedtls_ssl_reset_checksum(mbedtls_ssl_context * ssl)836 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
837 {
838 #if defined(MBEDTLS_MD_CAN_SHA256) || \
839 defined(MBEDTLS_MD_CAN_SHA384)
840 #if defined(MBEDTLS_USE_PSA_CRYPTO)
841 psa_status_t status;
842 #else
843 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
844 #endif
845 #else /* SHA-256 or SHA-384 */
846 ((void) ssl);
847 #endif /* SHA-256 or SHA-384 */
848 #if defined(MBEDTLS_MD_CAN_SHA256)
849 #if defined(MBEDTLS_USE_PSA_CRYPTO)
850 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
851 if (status != PSA_SUCCESS) {
852 return mbedtls_md_error_from_psa(status);
853 }
854 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
855 if (status != PSA_SUCCESS) {
856 return mbedtls_md_error_from_psa(status);
857 }
858 #else
859 mbedtls_md_free(&ssl->handshake->fin_sha256);
860 mbedtls_md_init(&ssl->handshake->fin_sha256);
861 ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
862 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
863 0);
864 if (ret != 0) {
865 return ret;
866 }
867 ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
868 if (ret != 0) {
869 return ret;
870 }
871 #endif
872 #endif
873 #if defined(MBEDTLS_MD_CAN_SHA384)
874 #if defined(MBEDTLS_USE_PSA_CRYPTO)
875 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
876 if (status != PSA_SUCCESS) {
877 return mbedtls_md_error_from_psa(status);
878 }
879 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
880 if (status != PSA_SUCCESS) {
881 return mbedtls_md_error_from_psa(status);
882 }
883 #else
884 mbedtls_md_free(&ssl->handshake->fin_sha384);
885 mbedtls_md_init(&ssl->handshake->fin_sha384);
886 ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
887 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
888 if (ret != 0) {
889 return ret;
890 }
891 ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
892 if (ret != 0) {
893 return ret;
894 }
895 #endif
896 #endif
897 return 0;
898 }
899
ssl_update_checksum_start(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)900 static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
901 const unsigned char *buf, size_t len)
902 {
903 #if defined(MBEDTLS_MD_CAN_SHA256) || \
904 defined(MBEDTLS_MD_CAN_SHA384)
905 #if defined(MBEDTLS_USE_PSA_CRYPTO)
906 psa_status_t status;
907 #else
908 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
909 #endif
910 #else /* SHA-256 or SHA-384 */
911 ((void) ssl);
912 (void) buf;
913 (void) len;
914 #endif /* SHA-256 or SHA-384 */
915 #if defined(MBEDTLS_MD_CAN_SHA256)
916 #if defined(MBEDTLS_USE_PSA_CRYPTO)
917 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
918 if (status != PSA_SUCCESS) {
919 return mbedtls_md_error_from_psa(status);
920 }
921 #else
922 ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
923 if (ret != 0) {
924 return ret;
925 }
926 #endif
927 #endif
928 #if defined(MBEDTLS_MD_CAN_SHA384)
929 #if defined(MBEDTLS_USE_PSA_CRYPTO)
930 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
931 if (status != PSA_SUCCESS) {
932 return mbedtls_md_error_from_psa(status);
933 }
934 #else
935 ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
936 if (ret != 0) {
937 return ret;
938 }
939 #endif
940 #endif
941 return 0;
942 }
943
944 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_update_checksum_sha256(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)945 static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
946 const unsigned char *buf, size_t len)
947 {
948 #if defined(MBEDTLS_USE_PSA_CRYPTO)
949 return mbedtls_md_error_from_psa(psa_hash_update(
950 &ssl->handshake->fin_sha256_psa, buf, len));
951 #else
952 return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
953 #endif
954 }
955 #endif
956
957 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_update_checksum_sha384(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)958 static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
959 const unsigned char *buf, size_t len)
960 {
961 #if defined(MBEDTLS_USE_PSA_CRYPTO)
962 return mbedtls_md_error_from_psa(psa_hash_update(
963 &ssl->handshake->fin_sha384_psa, buf, len));
964 #else
965 return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
966 #endif
967 }
968 #endif
969
ssl_handshake_params_init(mbedtls_ssl_handshake_params * handshake)970 static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
971 {
972 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
973
974 #if defined(MBEDTLS_MD_CAN_SHA256)
975 #if defined(MBEDTLS_USE_PSA_CRYPTO)
976 handshake->fin_sha256_psa = psa_hash_operation_init();
977 #else
978 mbedtls_md_init(&handshake->fin_sha256);
979 #endif
980 #endif
981 #if defined(MBEDTLS_MD_CAN_SHA384)
982 #if defined(MBEDTLS_USE_PSA_CRYPTO)
983 handshake->fin_sha384_psa = psa_hash_operation_init();
984 #else
985 mbedtls_md_init(&handshake->fin_sha384);
986 #endif
987 #endif
988
989 handshake->update_checksum = ssl_update_checksum_start;
990
991 #if defined(MBEDTLS_DHM_C)
992 mbedtls_dhm_init(&handshake->dhm_ctx);
993 #endif
994 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
995 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
996 mbedtls_ecdh_init(&handshake->ecdh_ctx);
997 #endif
998 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
999 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1000 handshake->psa_pake_ctx = psa_pake_operation_init();
1001 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
1002 #else
1003 mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
1004 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1005 #if defined(MBEDTLS_SSL_CLI_C)
1006 handshake->ecjpake_cache = NULL;
1007 handshake->ecjpake_cache_len = 0;
1008 #endif
1009 #endif
1010
1011 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
1012 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
1013 #endif
1014
1015 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1016 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
1017 #endif
1018
1019 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1020 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1021 mbedtls_pk_init(&handshake->peer_pubkey);
1022 #endif
1023 }
1024
mbedtls_ssl_transform_init(mbedtls_ssl_transform * transform)1025 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
1026 {
1027 memset(transform, 0, sizeof(mbedtls_ssl_transform));
1028
1029 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1030 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
1031 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
1032 #else
1033 mbedtls_cipher_init(&transform->cipher_ctx_enc);
1034 mbedtls_cipher_init(&transform->cipher_ctx_dec);
1035 #endif
1036
1037 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1038 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1039 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
1040 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
1041 #else
1042 mbedtls_md_init(&transform->md_ctx_enc);
1043 mbedtls_md_init(&transform->md_ctx_dec);
1044 #endif
1045 #endif
1046 }
1047
mbedtls_ssl_session_init(mbedtls_ssl_session * session)1048 void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
1049 {
1050 memset(session, 0, sizeof(mbedtls_ssl_session));
1051 }
1052
1053 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_handshake_init(mbedtls_ssl_context * ssl)1054 static int ssl_handshake_init(mbedtls_ssl_context *ssl)
1055 {
1056 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1057
1058 /* Clear old handshake information if present */
1059 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1060 if (ssl->transform_negotiate) {
1061 mbedtls_ssl_transform_free(ssl->transform_negotiate);
1062 }
1063 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1064 if (ssl->session_negotiate) {
1065 mbedtls_ssl_session_free(ssl->session_negotiate);
1066 }
1067 if (ssl->handshake) {
1068 mbedtls_ssl_handshake_free(ssl);
1069 }
1070
1071 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1072 /*
1073 * Either the pointers are now NULL or cleared properly and can be freed.
1074 * Now allocate missing structures.
1075 */
1076 if (ssl->transform_negotiate == NULL) {
1077 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
1078 }
1079 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1080
1081 if (ssl->session_negotiate == NULL) {
1082 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
1083 }
1084
1085 if (ssl->handshake == NULL) {
1086 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
1087 }
1088 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1089 /* If the buffers are too small - reallocate */
1090
1091 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
1092 MBEDTLS_SSL_OUT_BUFFER_LEN);
1093 #endif
1094
1095 /* All pointers should exist and can be directly freed without issue */
1096 if (ssl->handshake == NULL ||
1097 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1098 ssl->transform_negotiate == NULL ||
1099 #endif
1100 ssl->session_negotiate == NULL) {
1101 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
1102
1103 mbedtls_free(ssl->handshake);
1104 ssl->handshake = NULL;
1105
1106 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1107 mbedtls_free(ssl->transform_negotiate);
1108 ssl->transform_negotiate = NULL;
1109 #endif
1110
1111 mbedtls_free(ssl->session_negotiate);
1112 ssl->session_negotiate = NULL;
1113
1114 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1115 }
1116
1117 #if defined(MBEDTLS_SSL_EARLY_DATA)
1118 #if defined(MBEDTLS_SSL_CLI_C)
1119 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
1120 #endif
1121 #if defined(MBEDTLS_SSL_SRV_C)
1122 ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
1123 #endif
1124 ssl->total_early_data_size = 0;
1125 #endif /* MBEDTLS_SSL_EARLY_DATA */
1126
1127 /* Initialize structures */
1128 mbedtls_ssl_session_init(ssl->session_negotiate);
1129 ssl_handshake_params_init(ssl->handshake);
1130
1131 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1132 mbedtls_ssl_transform_init(ssl->transform_negotiate);
1133 #endif
1134
1135 /* Setup handshake checksums */
1136 ret = mbedtls_ssl_reset_checksum(ssl);
1137 if (ret != 0) {
1138 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1139 return ret;
1140 }
1141
1142 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
1143 defined(MBEDTLS_SSL_SRV_C) && \
1144 defined(MBEDTLS_SSL_SESSION_TICKETS)
1145 ssl->handshake->new_session_tickets_count =
1146 ssl->conf->new_session_tickets_count;
1147 #endif
1148
1149 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1150 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1151 ssl->handshake->alt_transform_out = ssl->transform_out;
1152
1153 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
1154 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
1155 } else {
1156 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
1157 }
1158
1159 mbedtls_ssl_set_timer(ssl, 0);
1160 }
1161 #endif
1162
1163 /*
1164 * curve_list is translated to IANA TLS group identifiers here because
1165 * mbedtls_ssl_conf_curves returns void and so can't return
1166 * any error codes.
1167 */
1168 #if defined(MBEDTLS_ECP_C)
1169 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1170 /* Heap allocate and translate curve_list from internal to IANA group ids */
1171 if (ssl->conf->curve_list != NULL) {
1172 size_t length;
1173 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
1174
1175 for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
1176 }
1177
1178 /* Leave room for zero termination */
1179 uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t));
1180 if (group_list == NULL) {
1181 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1182 }
1183
1184 for (size_t i = 0; i < length; i++) {
1185 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
1186 curve_list[i]);
1187 if (tls_id == 0) {
1188 mbedtls_free(group_list);
1189 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1190 }
1191 group_list[i] = tls_id;
1192 }
1193
1194 group_list[length] = 0;
1195
1196 ssl->handshake->group_list = group_list;
1197 ssl->handshake->group_list_heap_allocated = 1;
1198 } else {
1199 ssl->handshake->group_list = ssl->conf->group_list;
1200 ssl->handshake->group_list_heap_allocated = 0;
1201 }
1202 #endif /* MBEDTLS_DEPRECATED_REMOVED */
1203 #endif /* MBEDTLS_ECP_C */
1204
1205 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1206 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
1207 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1208 /* Heap allocate and translate sig_hashes from internal hash identifiers to
1209 signature algorithms IANA identifiers. */
1210 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
1211 ssl->conf->sig_hashes != NULL) {
1212 const int *md;
1213 const int *sig_hashes = ssl->conf->sig_hashes;
1214 size_t sig_algs_len = 0;
1215 uint16_t *p;
1216
1217 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN
1218 <= (SIZE_MAX - (2 * sizeof(uint16_t))),
1219 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");
1220
1221 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1222 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
1223 continue;
1224 }
1225 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1226 sig_algs_len += sizeof(uint16_t);
1227 #endif
1228
1229 #if defined(MBEDTLS_RSA_C)
1230 sig_algs_len += sizeof(uint16_t);
1231 #endif
1232 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
1233 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1234 }
1235 }
1236
1237 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
1238 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1239 }
1240
1241 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
1242 sizeof(uint16_t));
1243 if (ssl->handshake->sig_algs == NULL) {
1244 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1245 }
1246
1247 p = (uint16_t *) ssl->handshake->sig_algs;
1248 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1249 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
1250 if (hash == MBEDTLS_SSL_HASH_NONE) {
1251 continue;
1252 }
1253 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1254 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
1255 p++;
1256 #endif
1257 #if defined(MBEDTLS_RSA_C)
1258 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
1259 p++;
1260 #endif
1261 }
1262 *p = MBEDTLS_TLS_SIG_NONE;
1263 ssl->handshake->sig_algs_heap_allocated = 1;
1264 } else
1265 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1266 {
1267 ssl->handshake->sig_algs_heap_allocated = 0;
1268 }
1269 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
1270 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
1271 return 0;
1272 }
1273
1274 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1275 /* Dummy cookie callbacks for defaults */
1276 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_write_dummy(void * ctx,unsigned char ** p,unsigned char * end,const unsigned char * cli_id,size_t cli_id_len)1277 static int ssl_cookie_write_dummy(void *ctx,
1278 unsigned char **p, unsigned char *end,
1279 const unsigned char *cli_id, size_t cli_id_len)
1280 {
1281 ((void) ctx);
1282 ((void) p);
1283 ((void) end);
1284 ((void) cli_id);
1285 ((void) cli_id_len);
1286
1287 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1288 }
1289
1290 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_cookie_check_dummy(void * ctx,const unsigned char * cookie,size_t cookie_len,const unsigned char * cli_id,size_t cli_id_len)1291 static int ssl_cookie_check_dummy(void *ctx,
1292 const unsigned char *cookie, size_t cookie_len,
1293 const unsigned char *cli_id, size_t cli_id_len)
1294 {
1295 ((void) ctx);
1296 ((void) cookie);
1297 ((void) cookie_len);
1298 ((void) cli_id);
1299 ((void) cli_id_len);
1300
1301 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1302 }
1303 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
1304
1305 /*
1306 * Initialize an SSL context
1307 */
mbedtls_ssl_init(mbedtls_ssl_context * ssl)1308 void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
1309 {
1310 memset(ssl, 0, sizeof(mbedtls_ssl_context));
1311 }
1312
1313 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_version_check(const mbedtls_ssl_context * ssl)1314 static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
1315 {
1316 const mbedtls_ssl_config *conf = ssl->conf;
1317
1318 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1319 if (mbedtls_ssl_conf_is_tls13_only(conf)) {
1320 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1321 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
1322 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1323 }
1324
1325 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
1326 return 0;
1327 }
1328 #endif
1329
1330 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1331 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
1332 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
1333 return 0;
1334 }
1335 #endif
1336
1337 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
1338 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
1339 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1340 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
1341 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1342 }
1343
1344 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
1345 return 0;
1346 }
1347 #endif
1348
1349 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
1350 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1351 }
1352
1353 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_check(const mbedtls_ssl_context * ssl)1354 static int ssl_conf_check(const mbedtls_ssl_context *ssl)
1355 {
1356 int ret;
1357 ret = ssl_conf_version_check(ssl);
1358 if (ret != 0) {
1359 return ret;
1360 }
1361
1362 if (ssl->conf->f_rng == NULL) {
1363 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
1364 return MBEDTLS_ERR_SSL_NO_RNG;
1365 }
1366
1367 /* Space for further checks */
1368
1369 return 0;
1370 }
1371
1372 /*
1373 * Setup an SSL context
1374 */
1375
mbedtls_ssl_setup(mbedtls_ssl_context * ssl,const mbedtls_ssl_config * conf)1376 int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
1377 const mbedtls_ssl_config *conf)
1378 {
1379 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1380 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1381 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1382
1383 ssl->conf = conf;
1384
1385 if ((ret = ssl_conf_check(ssl)) != 0) {
1386 return ret;
1387 }
1388 ssl->tls_version = ssl->conf->max_tls_version;
1389
1390 /*
1391 * Prepare base structures
1392 */
1393
1394 /* Set to NULL in case of an error condition */
1395 ssl->out_buf = NULL;
1396
1397 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1398 ssl->in_buf_len = in_buf_len;
1399 #endif
1400 ssl->in_buf = mbedtls_calloc(1, in_buf_len);
1401 if (ssl->in_buf == NULL) {
1402 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
1403 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1404 goto error;
1405 }
1406
1407 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1408 ssl->out_buf_len = out_buf_len;
1409 #endif
1410 ssl->out_buf = mbedtls_calloc(1, out_buf_len);
1411 if (ssl->out_buf == NULL) {
1412 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
1413 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1414 goto error;
1415 }
1416
1417 mbedtls_ssl_reset_in_pointers(ssl);
1418 mbedtls_ssl_reset_out_pointers(ssl);
1419
1420 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1421 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
1422 #endif
1423
1424 if ((ret = ssl_handshake_init(ssl)) != 0) {
1425 goto error;
1426 }
1427
1428 return 0;
1429
1430 error:
1431 mbedtls_free(ssl->in_buf);
1432 mbedtls_free(ssl->out_buf);
1433
1434 ssl->conf = NULL;
1435
1436 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1437 ssl->in_buf_len = 0;
1438 ssl->out_buf_len = 0;
1439 #endif
1440 ssl->in_buf = NULL;
1441 ssl->out_buf = NULL;
1442
1443 ssl->in_hdr = NULL;
1444 ssl->in_ctr = NULL;
1445 ssl->in_len = NULL;
1446 ssl->in_iv = NULL;
1447 ssl->in_msg = NULL;
1448
1449 ssl->out_hdr = NULL;
1450 ssl->out_ctr = NULL;
1451 ssl->out_len = NULL;
1452 ssl->out_iv = NULL;
1453 ssl->out_msg = NULL;
1454
1455 return ret;
1456 }
1457
1458 /*
1459 * Reset an initialized and used SSL context for re-use while retaining
1460 * all application-set variables, function pointers and data.
1461 *
1462 * If partial is non-zero, keep data in the input buffer and client ID.
1463 * (Use when a DTLS client reconnects from the same port.)
1464 */
mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context * ssl,int partial)1465 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1466 int partial)
1467 {
1468 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1469 size_t in_buf_len = ssl->in_buf_len;
1470 size_t out_buf_len = ssl->out_buf_len;
1471 #else
1472 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1473 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1474 #endif
1475
1476 #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
1477 partial = 0;
1478 #endif
1479
1480 /* Cancel any possibly running timer */
1481 mbedtls_ssl_set_timer(ssl, 0);
1482
1483 mbedtls_ssl_reset_in_pointers(ssl);
1484 mbedtls_ssl_reset_out_pointers(ssl);
1485
1486 /* Reset incoming message parsing */
1487 ssl->in_offt = NULL;
1488 ssl->nb_zero = 0;
1489 ssl->in_msgtype = 0;
1490 ssl->in_msglen = 0;
1491 ssl->in_hslen = 0;
1492 ssl->keep_current_message = 0;
1493 ssl->transform_in = NULL;
1494
1495 /* TLS: reset in_hsfraglen, which is part of message parsing.
1496 * DTLS: on a client reconnect, don't reset badmac_seen. */
1497 if (!partial) {
1498 ssl->badmac_seen_or_in_hsfraglen = 0;
1499 }
1500
1501 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1502 ssl->next_record_offset = 0;
1503 ssl->in_epoch = 0;
1504 #endif
1505
1506 /* Keep current datagram if partial == 1 */
1507 if (partial == 0) {
1508 ssl->in_left = 0;
1509 memset(ssl->in_buf, 0, in_buf_len);
1510 }
1511
1512 ssl->send_alert = 0;
1513
1514 /* Reset outgoing message writing */
1515 ssl->out_msgtype = 0;
1516 ssl->out_msglen = 0;
1517 ssl->out_left = 0;
1518 memset(ssl->out_buf, 0, out_buf_len);
1519 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
1520 ssl->transform_out = NULL;
1521
1522 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1523 mbedtls_ssl_dtls_replay_reset(ssl);
1524 #endif
1525
1526 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1527 if (ssl->transform) {
1528 mbedtls_ssl_transform_free(ssl->transform);
1529 mbedtls_free(ssl->transform);
1530 ssl->transform = NULL;
1531 }
1532 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1533
1534 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1535 mbedtls_ssl_transform_free(ssl->transform_application);
1536 mbedtls_free(ssl->transform_application);
1537 ssl->transform_application = NULL;
1538
1539 if (ssl->handshake != NULL) {
1540 #if defined(MBEDTLS_SSL_EARLY_DATA)
1541 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
1542 mbedtls_free(ssl->handshake->transform_earlydata);
1543 ssl->handshake->transform_earlydata = NULL;
1544 #endif
1545
1546 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
1547 mbedtls_free(ssl->handshake->transform_handshake);
1548 ssl->handshake->transform_handshake = NULL;
1549 }
1550
1551 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1552 }
1553
mbedtls_ssl_session_reset_int(mbedtls_ssl_context * ssl,int partial)1554 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
1555 {
1556 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1557
1558 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
1559 ssl->tls_version = ssl->conf->max_tls_version;
1560
1561 mbedtls_ssl_session_reset_msg_layer(ssl, partial);
1562
1563 /* Reset renegotiation state */
1564 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1565 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
1566 ssl->renego_records_seen = 0;
1567
1568 ssl->verify_data_len = 0;
1569 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1570 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1571 #endif
1572 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
1573
1574 ssl->session_in = NULL;
1575 ssl->session_out = NULL;
1576 if (ssl->session) {
1577 mbedtls_ssl_session_free(ssl->session);
1578 mbedtls_free(ssl->session);
1579 ssl->session = NULL;
1580 }
1581
1582 #if defined(MBEDTLS_SSL_ALPN)
1583 ssl->alpn_chosen = NULL;
1584 #endif
1585
1586 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1587 int free_cli_id = 1;
1588 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
1589 free_cli_id = (partial == 0);
1590 #endif
1591 if (free_cli_id) {
1592 mbedtls_free(ssl->cli_id);
1593 ssl->cli_id = NULL;
1594 ssl->cli_id_len = 0;
1595 }
1596 #endif
1597
1598 if ((ret = ssl_handshake_init(ssl)) != 0) {
1599 return ret;
1600 }
1601
1602 return 0;
1603 }
1604
1605 /*
1606 * Reset an initialized and used SSL context for re-use while retaining
1607 * all application-set variables, function pointers and data.
1608 */
mbedtls_ssl_session_reset(mbedtls_ssl_context * ssl)1609 int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
1610 {
1611 return mbedtls_ssl_session_reset_int(ssl, 0);
1612 }
1613
1614 /*
1615 * SSL set accessors
1616 */
mbedtls_ssl_conf_endpoint(mbedtls_ssl_config * conf,int endpoint)1617 void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
1618 {
1619 conf->endpoint = endpoint;
1620 }
1621
mbedtls_ssl_conf_transport(mbedtls_ssl_config * conf,int transport)1622 void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
1623 {
1624 conf->transport = transport;
1625 }
1626
1627 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config * conf,char mode)1628 void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
1629 {
1630 conf->anti_replay = mode;
1631 }
1632 #endif
1633
mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config * conf,unsigned limit)1634 void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
1635 {
1636 conf->badmac_limit = limit;
1637 }
1638
1639 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1640
mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context * ssl,unsigned allow_packing)1641 void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
1642 unsigned allow_packing)
1643 {
1644 ssl->disable_datagram_packing = !allow_packing;
1645 }
1646
mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config * conf,uint32_t min,uint32_t max)1647 void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
1648 uint32_t min, uint32_t max)
1649 {
1650 conf->hs_timeout_min = min;
1651 conf->hs_timeout_max = max;
1652 }
1653 #endif
1654
mbedtls_ssl_conf_authmode(mbedtls_ssl_config * conf,int authmode)1655 void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
1656 {
1657 conf->authmode = authmode;
1658 }
1659
1660 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_verify(mbedtls_ssl_config * conf,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1661 void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
1662 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1663 void *p_vrfy)
1664 {
1665 conf->f_vrfy = f_vrfy;
1666 conf->p_vrfy = p_vrfy;
1667 }
1668 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1669
mbedtls_ssl_conf_rng(mbedtls_ssl_config * conf,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)1670 void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
1671 int (*f_rng)(void *, unsigned char *, size_t),
1672 void *p_rng)
1673 {
1674 conf->f_rng = f_rng;
1675 conf->p_rng = p_rng;
1676 }
1677
mbedtls_ssl_conf_dbg(mbedtls_ssl_config * conf,void (* f_dbg)(void *,int,const char *,int,const char *),void * p_dbg)1678 void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
1679 void (*f_dbg)(void *, int, const char *, int, const char *),
1680 void *p_dbg)
1681 {
1682 conf->f_dbg = f_dbg;
1683 conf->p_dbg = p_dbg;
1684 }
1685
mbedtls_ssl_set_bio(mbedtls_ssl_context * ssl,void * p_bio,mbedtls_ssl_send_t * f_send,mbedtls_ssl_recv_t * f_recv,mbedtls_ssl_recv_timeout_t * f_recv_timeout)1686 void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
1687 void *p_bio,
1688 mbedtls_ssl_send_t *f_send,
1689 mbedtls_ssl_recv_t *f_recv,
1690 mbedtls_ssl_recv_timeout_t *f_recv_timeout)
1691 {
1692 ssl->p_bio = p_bio;
1693 ssl->f_send = f_send;
1694 ssl->f_recv = f_recv;
1695 ssl->f_recv_timeout = f_recv_timeout;
1696 }
1697
1698 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_set_mtu(mbedtls_ssl_context * ssl,uint16_t mtu)1699 void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
1700 {
1701 ssl->mtu = mtu;
1702 }
1703 #endif
1704
mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config * conf,uint32_t timeout)1705 void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
1706 {
1707 conf->read_timeout = timeout;
1708 }
1709
mbedtls_ssl_set_timer_cb(mbedtls_ssl_context * ssl,void * p_timer,mbedtls_ssl_set_timer_t * f_set_timer,mbedtls_ssl_get_timer_t * f_get_timer)1710 void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
1711 void *p_timer,
1712 mbedtls_ssl_set_timer_t *f_set_timer,
1713 mbedtls_ssl_get_timer_t *f_get_timer)
1714 {
1715 ssl->p_timer = p_timer;
1716 ssl->f_set_timer = f_set_timer;
1717 ssl->f_get_timer = f_get_timer;
1718
1719 /* Make sure we start with no timer running */
1720 mbedtls_ssl_set_timer(ssl, 0);
1721 }
1722
1723 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_session_cache(mbedtls_ssl_config * conf,void * p_cache,mbedtls_ssl_cache_get_t * f_get_cache,mbedtls_ssl_cache_set_t * f_set_cache)1724 void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
1725 void *p_cache,
1726 mbedtls_ssl_cache_get_t *f_get_cache,
1727 mbedtls_ssl_cache_set_t *f_set_cache)
1728 {
1729 conf->p_cache = p_cache;
1730 conf->f_get_cache = f_get_cache;
1731 conf->f_set_cache = f_set_cache;
1732 }
1733 #endif /* MBEDTLS_SSL_SRV_C */
1734
1735 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_set_session(mbedtls_ssl_context * ssl,const mbedtls_ssl_session * session)1736 int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
1737 {
1738 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1739
1740 if (ssl == NULL ||
1741 session == NULL ||
1742 ssl->session_negotiate == NULL ||
1743 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
1744 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1745 }
1746
1747 if (ssl->handshake->resume == 1) {
1748 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1749 }
1750
1751 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1752 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
1753 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
1754 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1755 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
1756
1757 if (mbedtls_ssl_validate_ciphersuite(
1758 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
1759 MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
1760 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
1761 session->ciphersuite));
1762 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1763 }
1764 #else
1765 /*
1766 * If session tickets are not enabled, it is not possible to resume a
1767 * TLS 1.3 session, thus do not make any change to the SSL context in
1768 * the first place.
1769 */
1770 return 0;
1771 #endif
1772 }
1773 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1774
1775 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
1776 session)) != 0) {
1777 return ret;
1778 }
1779
1780 ssl->handshake->resume = 1;
1781
1782 return 0;
1783 }
1784 #endif /* MBEDTLS_SSL_CLI_C */
1785
mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config * conf,const int * ciphersuites)1786 void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
1787 const int *ciphersuites)
1788 {
1789 conf->ciphersuite_list = ciphersuites;
1790 }
1791
1792 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config * conf,const int kex_modes)1793 void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
1794 const int kex_modes)
1795 {
1796 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
1797 }
1798
1799 #if defined(MBEDTLS_SSL_EARLY_DATA)
mbedtls_ssl_conf_early_data(mbedtls_ssl_config * conf,int early_data_enabled)1800 void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
1801 int early_data_enabled)
1802 {
1803 conf->early_data_enabled = early_data_enabled;
1804 }
1805
1806 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_max_early_data_size(mbedtls_ssl_config * conf,uint32_t max_early_data_size)1807 void mbedtls_ssl_conf_max_early_data_size(
1808 mbedtls_ssl_config *conf, uint32_t max_early_data_size)
1809 {
1810 conf->max_early_data_size = max_early_data_size;
1811 }
1812 #endif /* MBEDTLS_SSL_SRV_C */
1813
1814 #endif /* MBEDTLS_SSL_EARLY_DATA */
1815 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1816
1817 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config * conf,const mbedtls_x509_crt_profile * profile)1818 void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
1819 const mbedtls_x509_crt_profile *profile)
1820 {
1821 conf->cert_profile = profile;
1822 }
1823
ssl_key_cert_free(mbedtls_ssl_key_cert * key_cert)1824 static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
1825 {
1826 mbedtls_ssl_key_cert *cur = key_cert, *next;
1827
1828 while (cur != NULL) {
1829 next = cur->next;
1830 mbedtls_free(cur);
1831 cur = next;
1832 }
1833 }
1834
1835 /* Append a new keycert entry to a (possibly empty) list */
1836 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_append_key_cert(mbedtls_ssl_key_cert ** head,mbedtls_x509_crt * cert,mbedtls_pk_context * key)1837 static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
1838 mbedtls_x509_crt *cert,
1839 mbedtls_pk_context *key)
1840 {
1841 mbedtls_ssl_key_cert *new_cert;
1842
1843 if (cert == NULL) {
1844 /* Free list if cert is null */
1845 ssl_key_cert_free(*head);
1846 *head = NULL;
1847 return 0;
1848 }
1849
1850 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
1851 if (new_cert == NULL) {
1852 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1853 }
1854
1855 new_cert->cert = cert;
1856 new_cert->key = key;
1857 new_cert->next = NULL;
1858
1859 /* Update head if the list was null, else add to the end */
1860 if (*head == NULL) {
1861 *head = new_cert;
1862 } else {
1863 mbedtls_ssl_key_cert *cur = *head;
1864 while (cur->next != NULL) {
1865 cur = cur->next;
1866 }
1867 cur->next = new_cert;
1868 }
1869
1870 return 0;
1871 }
1872
mbedtls_ssl_conf_own_cert(mbedtls_ssl_config * conf,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1873 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
1874 mbedtls_x509_crt *own_cert,
1875 mbedtls_pk_context *pk_key)
1876 {
1877 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
1878 }
1879
mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config * conf,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1880 void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
1881 mbedtls_x509_crt *ca_chain,
1882 mbedtls_x509_crl *ca_crl)
1883 {
1884 conf->ca_chain = ca_chain;
1885 conf->ca_crl = ca_crl;
1886
1887 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1888 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1889 * cannot be used together. */
1890 conf->f_ca_cb = NULL;
1891 conf->p_ca_cb = NULL;
1892 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1893 }
1894
1895 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config * conf,mbedtls_x509_crt_ca_cb_t f_ca_cb,void * p_ca_cb)1896 void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
1897 mbedtls_x509_crt_ca_cb_t f_ca_cb,
1898 void *p_ca_cb)
1899 {
1900 conf->f_ca_cb = f_ca_cb;
1901 conf->p_ca_cb = p_ca_cb;
1902
1903 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1904 * cannot be used together. */
1905 conf->ca_chain = NULL;
1906 conf->ca_crl = NULL;
1907 }
1908 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1909 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1910
1911 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_get_hs_sni(mbedtls_ssl_context * ssl,size_t * name_len)1912 const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
1913 size_t *name_len)
1914 {
1915 *name_len = ssl->handshake->sni_name_len;
1916 return ssl->handshake->sni_name;
1917 }
1918
mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context * ssl,mbedtls_x509_crt * own_cert,mbedtls_pk_context * pk_key)1919 int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
1920 mbedtls_x509_crt *own_cert,
1921 mbedtls_pk_context *pk_key)
1922 {
1923 return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
1924 own_cert, pk_key);
1925 }
1926
mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * ca_chain,mbedtls_x509_crl * ca_crl)1927 void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
1928 mbedtls_x509_crt *ca_chain,
1929 mbedtls_x509_crl *ca_crl)
1930 {
1931 ssl->handshake->sni_ca_chain = ca_chain;
1932 ssl->handshake->sni_ca_crl = ca_crl;
1933 }
1934
1935 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context * ssl,const mbedtls_x509_crt * crt)1936 void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
1937 const mbedtls_x509_crt *crt)
1938 {
1939 ssl->handshake->dn_hints = crt;
1940 }
1941 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
1942
mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context * ssl,int authmode)1943 void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
1944 int authmode)
1945 {
1946 ssl->handshake->sni_authmode = authmode;
1947 }
1948 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1949
1950 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_set_verify(mbedtls_ssl_context * ssl,int (* f_vrfy)(void *,mbedtls_x509_crt *,int,uint32_t *),void * p_vrfy)1951 void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
1952 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1953 void *p_vrfy)
1954 {
1955 ssl->f_vrfy = f_vrfy;
1956 ssl->p_vrfy = p_vrfy;
1957 }
1958 #endif
1959
1960 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1961
1962 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1963 static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
1964 static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
1965
mbedtls_ssl_set_hs_ecjpake_password_common(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)1966 static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
1967 mbedtls_ssl_context *ssl,
1968 mbedtls_svc_key_id_t pwd)
1969 {
1970 psa_status_t status;
1971 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
1972 const uint8_t *user = NULL;
1973 size_t user_len = 0;
1974 const uint8_t *peer = NULL;
1975 size_t peer_len = 0;
1976 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
1977 psa_pake_cs_set_primitive(&cipher_suite,
1978 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
1979 PSA_ECC_FAMILY_SECP_R1,
1980 256));
1981 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
1982
1983 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite);
1984 if (status != PSA_SUCCESS) {
1985 return status;
1986 }
1987
1988 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
1989 user = jpake_server_id;
1990 user_len = sizeof(jpake_server_id);
1991 peer = jpake_client_id;
1992 peer_len = sizeof(jpake_client_id);
1993 } else {
1994 user = jpake_client_id;
1995 user_len = sizeof(jpake_client_id);
1996 peer = jpake_server_id;
1997 peer_len = sizeof(jpake_server_id);
1998 }
1999
2000 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
2001 if (status != PSA_SUCCESS) {
2002 return status;
2003 }
2004
2005 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
2006 if (status != PSA_SUCCESS) {
2007 return status;
2008 }
2009
2010 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd);
2011 if (status != PSA_SUCCESS) {
2012 return status;
2013 }
2014
2015 ssl->handshake->psa_pake_ctx_is_ok = 1;
2016
2017 return PSA_SUCCESS;
2018 }
2019
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)2020 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2021 const unsigned char *pw,
2022 size_t pw_len)
2023 {
2024 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
2025 psa_status_t status;
2026
2027 if (ssl->handshake == NULL || ssl->conf == NULL) {
2028 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2029 }
2030
2031 /* Empty password is not valid */
2032 if ((pw == NULL) || (pw_len == 0)) {
2033 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2034 }
2035
2036 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
2037 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
2038 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
2039
2040 status = psa_import_key(&attributes, pw, pw_len,
2041 &ssl->handshake->psa_pake_password);
2042 if (status != PSA_SUCCESS) {
2043 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2044 }
2045
2046 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
2047 ssl->handshake->psa_pake_password);
2048 if (status != PSA_SUCCESS) {
2049 psa_destroy_key(ssl->handshake->psa_pake_password);
2050 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2051 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2052 }
2053
2054 return 0;
2055 }
2056
mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t pwd)2057 int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
2058 mbedtls_svc_key_id_t pwd)
2059 {
2060 psa_status_t status;
2061
2062 if (ssl->handshake == NULL || ssl->conf == NULL) {
2063 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2064 }
2065
2066 if (mbedtls_svc_key_id_is_null(pwd)) {
2067 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2068 }
2069
2070 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
2071 if (status != PSA_SUCCESS) {
2072 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2073 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2074 }
2075
2076 return 0;
2077 }
2078 #else /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context * ssl,const unsigned char * pw,size_t pw_len)2079 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2080 const unsigned char *pw,
2081 size_t pw_len)
2082 {
2083 mbedtls_ecjpake_role role;
2084
2085 if (ssl->handshake == NULL || ssl->conf == NULL) {
2086 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2087 }
2088
2089 /* Empty password is not valid */
2090 if ((pw == NULL) || (pw_len == 0)) {
2091 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2092 }
2093
2094 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
2095 role = MBEDTLS_ECJPAKE_SERVER;
2096 } else {
2097 role = MBEDTLS_ECJPAKE_CLIENT;
2098 }
2099
2100 return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx,
2101 role,
2102 MBEDTLS_MD_SHA256,
2103 MBEDTLS_ECP_DP_SECP256R1,
2104 pw, pw_len);
2105 }
2106 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2107 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2108
2109 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const * conf)2110 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
2111 {
2112 if (conf->psk_identity == NULL ||
2113 conf->psk_identity_len == 0) {
2114 return 0;
2115 }
2116
2117 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2118 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2119 return 1;
2120 }
2121 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2122
2123 if (conf->psk != NULL && conf->psk_len != 0) {
2124 return 1;
2125 }
2126
2127 return 0;
2128 }
2129
ssl_conf_remove_psk(mbedtls_ssl_config * conf)2130 static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
2131 {
2132 /* Remove reference to existing PSK, if any. */
2133 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2134 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2135 /* The maintenance of the PSK key slot is the
2136 * user's responsibility. */
2137 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2138 }
2139 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2140 if (conf->psk != NULL) {
2141 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
2142 conf->psk = NULL;
2143 conf->psk_len = 0;
2144 }
2145
2146 /* Remove reference to PSK identity, if any. */
2147 if (conf->psk_identity != NULL) {
2148 mbedtls_free(conf->psk_identity);
2149 conf->psk_identity = NULL;
2150 conf->psk_identity_len = 0;
2151 }
2152 }
2153
2154 /* This function assumes that PSK identity in the SSL config is unset.
2155 * It checks that the provided identity is well-formed and attempts
2156 * to make a copy of it in the SSL config.
2157 * On failure, the PSK identity in the config remains unset. */
2158 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_conf_set_psk_identity(mbedtls_ssl_config * conf,unsigned char const * psk_identity,size_t psk_identity_len)2159 static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
2160 unsigned char const *psk_identity,
2161 size_t psk_identity_len)
2162 {
2163 /* Identity len will be encoded on two bytes */
2164 if (psk_identity == NULL ||
2165 psk_identity_len == 0 ||
2166 (psk_identity_len >> 16) != 0 ||
2167 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2168 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2169 }
2170
2171 conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
2172 if (conf->psk_identity == NULL) {
2173 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2174 }
2175
2176 conf->psk_identity_len = psk_identity_len;
2177 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
2178
2179 return 0;
2180 }
2181
mbedtls_ssl_conf_psk(mbedtls_ssl_config * conf,const unsigned char * psk,size_t psk_len,const unsigned char * psk_identity,size_t psk_identity_len)2182 int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
2183 const unsigned char *psk, size_t psk_len,
2184 const unsigned char *psk_identity, size_t psk_identity_len)
2185 {
2186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2187
2188 /* We currently only support one PSK, raw or opaque. */
2189 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2190 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2191 }
2192
2193 /* Check and set raw PSK */
2194 if (psk == NULL) {
2195 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2196 }
2197 if (psk_len == 0) {
2198 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2199 }
2200 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2201 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2202 }
2203
2204 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2205 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2206 }
2207 conf->psk_len = psk_len;
2208 memcpy(conf->psk, psk, conf->psk_len);
2209
2210 /* Check and set PSK Identity */
2211 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
2212 if (ret != 0) {
2213 ssl_conf_remove_psk(conf);
2214 }
2215
2216 return ret;
2217 }
2218
ssl_remove_psk(mbedtls_ssl_context * ssl)2219 static void ssl_remove_psk(mbedtls_ssl_context *ssl)
2220 {
2221 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2222 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
2223 /* The maintenance of the external PSK key slot is the
2224 * user's responsibility. */
2225 if (ssl->handshake->psk_opaque_is_internal) {
2226 psa_destroy_key(ssl->handshake->psk_opaque);
2227 ssl->handshake->psk_opaque_is_internal = 0;
2228 }
2229 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2230 }
2231 #else
2232 if (ssl->handshake->psk != NULL) {
2233 mbedtls_zeroize_and_free(ssl->handshake->psk,
2234 ssl->handshake->psk_len);
2235 ssl->handshake->psk_len = 0;
2236 ssl->handshake->psk = NULL;
2237 }
2238 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2239 }
2240
mbedtls_ssl_set_hs_psk(mbedtls_ssl_context * ssl,const unsigned char * psk,size_t psk_len)2241 int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
2242 const unsigned char *psk, size_t psk_len)
2243 {
2244 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2245 psa_key_attributes_t key_attributes = psa_key_attributes_init();
2246 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2247 psa_algorithm_t alg = PSA_ALG_NONE;
2248 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
2249 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2250
2251 if (psk == NULL || ssl->handshake == NULL) {
2252 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2253 }
2254
2255 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2256 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2257 }
2258
2259 ssl_remove_psk(ssl);
2260
2261 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2262 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2263 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2264 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
2265 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
2266 } else {
2267 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
2268 }
2269 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2270 }
2271 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2272
2273 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2274 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2275 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
2276 psa_set_key_usage_flags(&key_attributes,
2277 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
2278 }
2279 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2280
2281 psa_set_key_algorithm(&key_attributes, alg);
2282 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
2283
2284 status = psa_import_key(&key_attributes, psk, psk_len, &key);
2285 if (status != PSA_SUCCESS) {
2286 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2287 }
2288
2289 /* Allow calling psa_destroy_key() on psk remove */
2290 ssl->handshake->psk_opaque_is_internal = 1;
2291 return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
2292 #else
2293 if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2294 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2295 }
2296
2297 ssl->handshake->psk_len = psk_len;
2298 memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);
2299
2300 return 0;
2301 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2302 }
2303
2304 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config * conf,mbedtls_svc_key_id_t psk,const unsigned char * psk_identity,size_t psk_identity_len)2305 int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
2306 mbedtls_svc_key_id_t psk,
2307 const unsigned char *psk_identity,
2308 size_t psk_identity_len)
2309 {
2310 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2311
2312 /* We currently only support one PSK, raw or opaque. */
2313 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2314 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2315 }
2316
2317 /* Check and set opaque PSK */
2318 if (mbedtls_svc_key_id_is_null(psk)) {
2319 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2320 }
2321 conf->psk_opaque = psk;
2322
2323 /* Check and set PSK Identity */
2324 ret = ssl_conf_set_psk_identity(conf, psk_identity,
2325 psk_identity_len);
2326 if (ret != 0) {
2327 ssl_conf_remove_psk(conf);
2328 }
2329
2330 return ret;
2331 }
2332
mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context * ssl,mbedtls_svc_key_id_t psk)2333 int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
2334 mbedtls_svc_key_id_t psk)
2335 {
2336 if ((mbedtls_svc_key_id_is_null(psk)) ||
2337 (ssl->handshake == NULL)) {
2338 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2339 }
2340
2341 ssl_remove_psk(ssl);
2342 ssl->handshake->psk_opaque = psk;
2343 return 0;
2344 }
2345 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2346
2347 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config * conf,int (* f_psk)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_psk)2348 void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
2349 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
2350 size_t),
2351 void *p_psk)
2352 {
2353 conf->f_psk = f_psk;
2354 conf->p_psk = p_psk;
2355 }
2356 #endif /* MBEDTLS_SSL_SRV_C */
2357
2358 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2359
2360 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_base_mode(psa_algorithm_t alg)2361 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2362 psa_algorithm_t alg)
2363 {
2364 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2365 if (alg == PSA_ALG_CBC_NO_PADDING) {
2366 return MBEDTLS_SSL_MODE_CBC;
2367 }
2368 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2369 if (PSA_ALG_IS_AEAD(alg)) {
2370 return MBEDTLS_SSL_MODE_AEAD;
2371 }
2372 return MBEDTLS_SSL_MODE_STREAM;
2373 }
2374
2375 #else /* MBEDTLS_USE_PSA_CRYPTO */
2376
mbedtls_ssl_get_base_mode(mbedtls_cipher_mode_t mode)2377 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2378 mbedtls_cipher_mode_t mode)
2379 {
2380 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2381 if (mode == MBEDTLS_MODE_CBC) {
2382 return MBEDTLS_SSL_MODE_CBC;
2383 }
2384 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2385
2386 #if defined(MBEDTLS_GCM_C) || \
2387 defined(MBEDTLS_CCM_C) || \
2388 defined(MBEDTLS_CHACHAPOLY_C)
2389 if (mode == MBEDTLS_MODE_GCM ||
2390 mode == MBEDTLS_MODE_CCM ||
2391 mode == MBEDTLS_MODE_CHACHAPOLY) {
2392 return MBEDTLS_SSL_MODE_AEAD;
2393 }
2394 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
2395
2396 return MBEDTLS_SSL_MODE_STREAM;
2397 }
2398 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2399
mbedtls_ssl_get_actual_mode(mbedtls_ssl_mode_t base_mode,int encrypt_then_mac)2400 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
2401 mbedtls_ssl_mode_t base_mode,
2402 int encrypt_then_mac)
2403 {
2404 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2405 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
2406 base_mode == MBEDTLS_SSL_MODE_CBC) {
2407 return MBEDTLS_SSL_MODE_CBC_ETM;
2408 }
2409 #else
2410 (void) encrypt_then_mac;
2411 #endif
2412 return base_mode;
2413 }
2414
mbedtls_ssl_get_mode_from_transform(const mbedtls_ssl_transform * transform)2415 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2416 const mbedtls_ssl_transform *transform)
2417 {
2418 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
2419 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2420 transform->psa_alg
2421 #else
2422 mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)
2423 #endif
2424 );
2425
2426 int encrypt_then_mac = 0;
2427 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2428 encrypt_then_mac = transform->encrypt_then_mac;
2429 #endif
2430 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2431 }
2432
mbedtls_ssl_get_mode_from_ciphersuite(int encrypt_then_mac,const mbedtls_ssl_ciphersuite_t * suite)2433 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2434 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2435 int encrypt_then_mac,
2436 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2437 const mbedtls_ssl_ciphersuite_t *suite)
2438 {
2439 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
2440
2441 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2442 psa_status_t status;
2443 psa_algorithm_t alg;
2444 psa_key_type_t type;
2445 size_t size;
2446 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher,
2447 0, &alg, &type, &size);
2448 if (status == PSA_SUCCESS) {
2449 base_mode = mbedtls_ssl_get_base_mode(alg);
2450 }
2451 #else
2452 const mbedtls_cipher_info_t *cipher =
2453 mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher);
2454 if (cipher != NULL) {
2455 base_mode =
2456 mbedtls_ssl_get_base_mode(
2457 mbedtls_cipher_info_get_mode(cipher));
2458 }
2459 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2460
2461 #if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2462 int encrypt_then_mac = 0;
2463 #endif
2464 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2465 }
2466
2467 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2468
mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,size_t taglen,psa_algorithm_t * alg,psa_key_type_t * key_type,size_t * key_size)2469 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2470 size_t taglen,
2471 psa_algorithm_t *alg,
2472 psa_key_type_t *key_type,
2473 size_t *key_size)
2474 {
2475 #if !defined(MBEDTLS_SSL_HAVE_CCM)
2476 (void) taglen;
2477 #endif
2478 switch (mbedtls_cipher_type) {
2479 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2480 case MBEDTLS_CIPHER_AES_128_CBC:
2481 *alg = PSA_ALG_CBC_NO_PADDING;
2482 *key_type = PSA_KEY_TYPE_AES;
2483 *key_size = 128;
2484 break;
2485 #endif
2486 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2487 case MBEDTLS_CIPHER_AES_128_CCM:
2488 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2489 *key_type = PSA_KEY_TYPE_AES;
2490 *key_size = 128;
2491 break;
2492 #endif
2493 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2494 case MBEDTLS_CIPHER_AES_128_GCM:
2495 *alg = PSA_ALG_GCM;
2496 *key_type = PSA_KEY_TYPE_AES;
2497 *key_size = 128;
2498 break;
2499 #endif
2500 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2501 case MBEDTLS_CIPHER_AES_192_CCM:
2502 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2503 *key_type = PSA_KEY_TYPE_AES;
2504 *key_size = 192;
2505 break;
2506 #endif
2507 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2508 case MBEDTLS_CIPHER_AES_192_GCM:
2509 *alg = PSA_ALG_GCM;
2510 *key_type = PSA_KEY_TYPE_AES;
2511 *key_size = 192;
2512 break;
2513 #endif
2514 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2515 case MBEDTLS_CIPHER_AES_256_CBC:
2516 *alg = PSA_ALG_CBC_NO_PADDING;
2517 *key_type = PSA_KEY_TYPE_AES;
2518 *key_size = 256;
2519 break;
2520 #endif
2521 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2522 case MBEDTLS_CIPHER_AES_256_CCM:
2523 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2524 *key_type = PSA_KEY_TYPE_AES;
2525 *key_size = 256;
2526 break;
2527 #endif
2528 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2529 case MBEDTLS_CIPHER_AES_256_GCM:
2530 *alg = PSA_ALG_GCM;
2531 *key_type = PSA_KEY_TYPE_AES;
2532 *key_size = 256;
2533 break;
2534 #endif
2535 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2536 case MBEDTLS_CIPHER_ARIA_128_CBC:
2537 *alg = PSA_ALG_CBC_NO_PADDING;
2538 *key_type = PSA_KEY_TYPE_ARIA;
2539 *key_size = 128;
2540 break;
2541 #endif
2542 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2543 case MBEDTLS_CIPHER_ARIA_128_CCM:
2544 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2545 *key_type = PSA_KEY_TYPE_ARIA;
2546 *key_size = 128;
2547 break;
2548 #endif
2549 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2550 case MBEDTLS_CIPHER_ARIA_128_GCM:
2551 *alg = PSA_ALG_GCM;
2552 *key_type = PSA_KEY_TYPE_ARIA;
2553 *key_size = 128;
2554 break;
2555 #endif
2556 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2557 case MBEDTLS_CIPHER_ARIA_192_CCM:
2558 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2559 *key_type = PSA_KEY_TYPE_ARIA;
2560 *key_size = 192;
2561 break;
2562 #endif
2563 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2564 case MBEDTLS_CIPHER_ARIA_192_GCM:
2565 *alg = PSA_ALG_GCM;
2566 *key_type = PSA_KEY_TYPE_ARIA;
2567 *key_size = 192;
2568 break;
2569 #endif
2570 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2571 case MBEDTLS_CIPHER_ARIA_256_CBC:
2572 *alg = PSA_ALG_CBC_NO_PADDING;
2573 *key_type = PSA_KEY_TYPE_ARIA;
2574 *key_size = 256;
2575 break;
2576 #endif
2577 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2578 case MBEDTLS_CIPHER_ARIA_256_CCM:
2579 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2580 *key_type = PSA_KEY_TYPE_ARIA;
2581 *key_size = 256;
2582 break;
2583 #endif
2584 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2585 case MBEDTLS_CIPHER_ARIA_256_GCM:
2586 *alg = PSA_ALG_GCM;
2587 *key_type = PSA_KEY_TYPE_ARIA;
2588 *key_size = 256;
2589 break;
2590 #endif
2591 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2592 case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
2593 *alg = PSA_ALG_CBC_NO_PADDING;
2594 *key_type = PSA_KEY_TYPE_CAMELLIA;
2595 *key_size = 128;
2596 break;
2597 #endif
2598 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2599 case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
2600 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2601 *key_type = PSA_KEY_TYPE_CAMELLIA;
2602 *key_size = 128;
2603 break;
2604 #endif
2605 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2606 case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
2607 *alg = PSA_ALG_GCM;
2608 *key_type = PSA_KEY_TYPE_CAMELLIA;
2609 *key_size = 128;
2610 break;
2611 #endif
2612 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2613 case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
2614 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2615 *key_type = PSA_KEY_TYPE_CAMELLIA;
2616 *key_size = 192;
2617 break;
2618 #endif
2619 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2620 case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
2621 *alg = PSA_ALG_GCM;
2622 *key_type = PSA_KEY_TYPE_CAMELLIA;
2623 *key_size = 192;
2624 break;
2625 #endif
2626 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2627 case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
2628 *alg = PSA_ALG_CBC_NO_PADDING;
2629 *key_type = PSA_KEY_TYPE_CAMELLIA;
2630 *key_size = 256;
2631 break;
2632 #endif
2633 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2634 case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
2635 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2636 *key_type = PSA_KEY_TYPE_CAMELLIA;
2637 *key_size = 256;
2638 break;
2639 #endif
2640 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2641 case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
2642 *alg = PSA_ALG_GCM;
2643 *key_type = PSA_KEY_TYPE_CAMELLIA;
2644 *key_size = 256;
2645 break;
2646 #endif
2647 #if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
2648 case MBEDTLS_CIPHER_CHACHA20_POLY1305:
2649 *alg = PSA_ALG_CHACHA20_POLY1305;
2650 *key_type = PSA_KEY_TYPE_CHACHA20;
2651 *key_size = 256;
2652 break;
2653 #endif
2654 case MBEDTLS_CIPHER_NULL:
2655 *alg = MBEDTLS_SSL_NULL_CIPHER;
2656 *key_type = 0;
2657 *key_size = 0;
2658 break;
2659 default:
2660 return PSA_ERROR_NOT_SUPPORTED;
2661 }
2662
2663 return PSA_SUCCESS;
2664 }
2665 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2666
2667 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config * conf,const unsigned char * dhm_P,size_t P_len,const unsigned char * dhm_G,size_t G_len)2668 int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
2669 const unsigned char *dhm_P, size_t P_len,
2670 const unsigned char *dhm_G, size_t G_len)
2671 {
2672 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2673
2674 mbedtls_mpi_free(&conf->dhm_P);
2675 mbedtls_mpi_free(&conf->dhm_G);
2676
2677 if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
2678 (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
2679 mbedtls_mpi_free(&conf->dhm_P);
2680 mbedtls_mpi_free(&conf->dhm_G);
2681 return ret;
2682 }
2683
2684 return 0;
2685 }
2686
mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config * conf,mbedtls_dhm_context * dhm_ctx)2687 int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx)
2688 {
2689 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2690
2691 mbedtls_mpi_free(&conf->dhm_P);
2692 mbedtls_mpi_free(&conf->dhm_G);
2693
2694 if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P,
2695 &conf->dhm_P)) != 0 ||
2696 (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G,
2697 &conf->dhm_G)) != 0) {
2698 mbedtls_mpi_free(&conf->dhm_P);
2699 mbedtls_mpi_free(&conf->dhm_G);
2700 return ret;
2701 }
2702
2703 return 0;
2704 }
2705 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
2706
2707 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
2708 /*
2709 * Set the minimum length for Diffie-Hellman parameters
2710 */
mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config * conf,unsigned int bitlen)2711 void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
2712 unsigned int bitlen)
2713 {
2714 conf->dhm_min_bitlen = bitlen;
2715 }
2716 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
2717
2718 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2719 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
2720 /*
2721 * Set allowed/preferred hashes for handshake signatures
2722 */
mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config * conf,const int * hashes)2723 void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
2724 const int *hashes)
2725 {
2726 conf->sig_hashes = hashes;
2727 }
2728 #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
2729
2730 /* Configure allowed signature algorithms for handshake */
mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config * conf,const uint16_t * sig_algs)2731 void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
2732 const uint16_t *sig_algs)
2733 {
2734 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2735 conf->sig_hashes = NULL;
2736 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
2737 conf->sig_algs = sig_algs;
2738 }
2739 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2740
2741 #if defined(MBEDTLS_ECP_C)
2742 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2743 /*
2744 * Set the allowed elliptic curves
2745 *
2746 * mbedtls_ssl_setup() takes the provided list
2747 * and translates it to a list of IANA TLS group identifiers,
2748 * stored in ssl->handshake->group_list.
2749 *
2750 */
mbedtls_ssl_conf_curves(mbedtls_ssl_config * conf,const mbedtls_ecp_group_id * curve_list)2751 void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
2752 const mbedtls_ecp_group_id *curve_list)
2753 {
2754 conf->curve_list = curve_list;
2755 conf->group_list = NULL;
2756 }
2757 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2758 #endif /* MBEDTLS_ECP_C */
2759
2760 /*
2761 * Set the allowed groups
2762 */
mbedtls_ssl_conf_groups(mbedtls_ssl_config * conf,const uint16_t * group_list)2763 void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
2764 const uint16_t *group_list)
2765 {
2766 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
2767 conf->curve_list = NULL;
2768 #endif
2769 conf->group_list = group_list;
2770 }
2771
2772 #if defined(MBEDTLS_X509_CRT_PARSE_C)
2773
2774 /* A magic value for `ssl->hostname` indicating that
2775 * mbedtls_ssl_set_hostname() has been called with `NULL`.
2776 * If mbedtls_ssl_set_hostname() has never been called on `ssl`, then
2777 * `ssl->hostname == NULL`. */
2778 static const char *const ssl_hostname_skip_cn_verification = "";
2779
2780 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2781 /** Whether mbedtls_ssl_set_hostname() has been called.
2782 *
2783 * \param[in] ssl SSL context
2784 *
2785 * \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl
2786 * (including `mbedtls_ssl_set_hostname(ssl, NULL)`),
2787 * otherwise \c 0.
2788 */
mbedtls_ssl_has_set_hostname_been_called(const mbedtls_ssl_context * ssl)2789 static int mbedtls_ssl_has_set_hostname_been_called(
2790 const mbedtls_ssl_context *ssl)
2791 {
2792 return ssl->hostname != NULL;
2793 }
2794 #endif
2795
2796 /* Micro-optimization: don't export this function if it isn't needed outside
2797 * of this source file. */
2798 #if !defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2799 static
2800 #endif
mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context * ssl)2801 const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl)
2802 {
2803 if (ssl->hostname == ssl_hostname_skip_cn_verification) {
2804 return NULL;
2805 }
2806 return ssl->hostname;
2807 }
2808
mbedtls_ssl_free_hostname(mbedtls_ssl_context * ssl)2809 static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl)
2810 {
2811 if (ssl->hostname != NULL &&
2812 ssl->hostname != ssl_hostname_skip_cn_verification) {
2813 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
2814 }
2815 ssl->hostname = NULL;
2816 }
2817
mbedtls_ssl_set_hostname(mbedtls_ssl_context * ssl,const char * hostname)2818 int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
2819 {
2820 /* Initialize to suppress unnecessary compiler warning */
2821 size_t hostname_len = 0;
2822
2823 /* Check if new hostname is valid before
2824 * making any change to current one */
2825 if (hostname != NULL) {
2826 hostname_len = strlen(hostname);
2827
2828 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
2829 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2830 }
2831 }
2832
2833 /* Now it's clear that we will overwrite the old hostname,
2834 * so we can free it safely */
2835 mbedtls_ssl_free_hostname(ssl);
2836
2837 if (hostname == NULL) {
2838 /* Passing NULL as hostname clears the old one, but leaves a
2839 * special marker to indicate that mbedtls_ssl_set_hostname()
2840 * has been called. */
2841 /* ssl->hostname should be const, but isn't. We won't actually
2842 * write to the buffer, so it's ok to cast away the const. */
2843 ssl->hostname = (char *) ssl_hostname_skip_cn_verification;
2844 } else {
2845 ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
2846 if (ssl->hostname == NULL) {
2847 /* mbedtls_ssl_set_hostname() has been called, but unsuccessfully.
2848 * Leave ssl->hostname in the same state as if the function had
2849 * not been called, i.e. a null pointer. */
2850 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2851 }
2852
2853 memcpy(ssl->hostname, hostname, hostname_len);
2854
2855 ssl->hostname[hostname_len] = '\0';
2856 }
2857
2858 return 0;
2859 }
2860 #endif /* MBEDTLS_X509_CRT_PARSE_C */
2861
2862 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
mbedtls_ssl_conf_sni(mbedtls_ssl_config * conf,int (* f_sni)(void *,mbedtls_ssl_context *,const unsigned char *,size_t),void * p_sni)2863 void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
2864 int (*f_sni)(void *, mbedtls_ssl_context *,
2865 const unsigned char *, size_t),
2866 void *p_sni)
2867 {
2868 conf->f_sni = f_sni;
2869 conf->p_sni = p_sni;
2870 }
2871 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2872
2873 #if defined(MBEDTLS_SSL_ALPN)
mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config * conf,const char ** protos)2874 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
2875 {
2876 size_t cur_len, tot_len;
2877 const char **p;
2878
2879 /*
2880 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
2881 * MUST NOT be truncated."
2882 * We check lengths now rather than later.
2883 */
2884 tot_len = 0;
2885 for (p = protos; *p != NULL; p++) {
2886 cur_len = strlen(*p);
2887 tot_len += cur_len;
2888
2889 if ((cur_len == 0) ||
2890 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
2891 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
2892 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2893 }
2894 }
2895
2896 conf->alpn_list = protos;
2897
2898 return 0;
2899 }
2900
mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context * ssl)2901 const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
2902 {
2903 return ssl->alpn_chosen;
2904 }
2905 #endif /* MBEDTLS_SSL_ALPN */
2906
2907 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config * conf,int support_mki_value)2908 void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
2909 int support_mki_value)
2910 {
2911 conf->dtls_srtp_mki_support = support_mki_value;
2912 }
2913
mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context * ssl,unsigned char * mki_value,uint16_t mki_len)2914 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
2915 unsigned char *mki_value,
2916 uint16_t mki_len)
2917 {
2918 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
2919 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2920 }
2921
2922 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
2923 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2924 }
2925
2926 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
2927 ssl->dtls_srtp_info.mki_len = mki_len;
2928 return 0;
2929 }
2930
mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config * conf,const mbedtls_ssl_srtp_profile * profiles)2931 int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
2932 const mbedtls_ssl_srtp_profile *profiles)
2933 {
2934 const mbedtls_ssl_srtp_profile *p;
2935 size_t list_size = 0;
2936
2937 /* check the profiles list: all entry must be valid,
2938 * its size cannot be more than the total number of supported profiles, currently 4 */
2939 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
2940 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
2941 p++) {
2942 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
2943 list_size++;
2944 } else {
2945 /* unsupported value, stop parsing and set the size to an error value */
2946 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
2947 }
2948 }
2949
2950 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
2951 conf->dtls_srtp_profile_list = NULL;
2952 conf->dtls_srtp_profile_list_len = 0;
2953 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2954 }
2955
2956 conf->dtls_srtp_profile_list = profiles;
2957 conf->dtls_srtp_profile_list_len = list_size;
2958
2959 return 0;
2960 }
2961
mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context * ssl,mbedtls_dtls_srtp_info * dtls_srtp_info)2962 void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
2963 mbedtls_dtls_srtp_info *dtls_srtp_info)
2964 {
2965 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
2966 /* do not copy the mki value if there is no chosen profile */
2967 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
2968 dtls_srtp_info->mki_len = 0;
2969 } else {
2970 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
2971 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
2972 ssl->dtls_srtp_info.mki_len);
2973 }
2974 }
2975 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2976
2977 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
mbedtls_ssl_conf_max_version(mbedtls_ssl_config * conf,int major,int minor)2978 void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
2979 {
2980 conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2981 }
2982
mbedtls_ssl_conf_min_version(mbedtls_ssl_config * conf,int major,int minor)2983 void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
2984 {
2985 conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2986 }
2987 #endif /* MBEDTLS_DEPRECATED_REMOVED */
2988
2989 #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config * conf,char cert_req_ca_list)2990 void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
2991 char cert_req_ca_list)
2992 {
2993 conf->cert_req_ca_list = cert_req_ca_list;
2994 }
2995 #endif
2996
2997 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config * conf,char etm)2998 void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
2999 {
3000 conf->encrypt_then_mac = etm;
3001 }
3002 #endif
3003
3004 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config * conf,char ems)3005 void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
3006 {
3007 conf->extended_ms = ems;
3008 }
3009 #endif
3010
3011 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config * conf,unsigned char mfl_code)3012 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
3013 {
3014 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
3015 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
3016 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3017 }
3018
3019 conf->mfl_code = mfl_code;
3020
3021 return 0;
3022 }
3023 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3024
mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config * conf,int allow_legacy)3025 void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
3026 {
3027 conf->allow_legacy_renegotiation = allow_legacy;
3028 }
3029
3030 #if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config * conf,int renegotiation)3031 void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
3032 {
3033 conf->disable_renegotiation = renegotiation;
3034 }
3035
mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config * conf,int max_records)3036 void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
3037 {
3038 conf->renego_max_records = max_records;
3039 }
3040
mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config * conf,const unsigned char period[8])3041 void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
3042 const unsigned char period[8])
3043 {
3044 memcpy(conf->renego_period, period, 8);
3045 }
3046 #endif /* MBEDTLS_SSL_RENEGOTIATION */
3047
3048 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3049 #if defined(MBEDTLS_SSL_CLI_C)
3050
mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config * conf,int use_tickets)3051 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
3052 {
3053 conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK;
3054 conf->session_tickets |= (use_tickets != 0) <<
3055 MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT;
3056 }
3057
3058 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(mbedtls_ssl_config * conf,int signal_new_session_tickets)3059 void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
3060 mbedtls_ssl_config *conf, int signal_new_session_tickets)
3061 {
3062 conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK;
3063 conf->session_tickets |= (signal_new_session_tickets != 0) <<
3064 MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT;
3065 }
3066 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3067 #endif /* MBEDTLS_SSL_CLI_C */
3068
3069 #if defined(MBEDTLS_SSL_SRV_C)
3070
3071 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config * conf,uint16_t num_tickets)3072 void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
3073 uint16_t num_tickets)
3074 {
3075 conf->new_session_tickets_count = num_tickets;
3076 }
3077 #endif
3078
mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config * conf,mbedtls_ssl_ticket_write_t * f_ticket_write,mbedtls_ssl_ticket_parse_t * f_ticket_parse,void * p_ticket)3079 void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
3080 mbedtls_ssl_ticket_write_t *f_ticket_write,
3081 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
3082 void *p_ticket)
3083 {
3084 conf->f_ticket_write = f_ticket_write;
3085 conf->f_ticket_parse = f_ticket_parse;
3086 conf->p_ticket = p_ticket;
3087 }
3088 #endif
3089 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3090
mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context * ssl,mbedtls_ssl_export_keys_t * f_export_keys,void * p_export_keys)3091 void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
3092 mbedtls_ssl_export_keys_t *f_export_keys,
3093 void *p_export_keys)
3094 {
3095 ssl->f_export_keys = f_export_keys;
3096 ssl->p_export_keys = p_export_keys;
3097 }
3098
3099 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
mbedtls_ssl_conf_async_private_cb(mbedtls_ssl_config * conf,mbedtls_ssl_async_sign_t * f_async_sign,mbedtls_ssl_async_decrypt_t * f_async_decrypt,mbedtls_ssl_async_resume_t * f_async_resume,mbedtls_ssl_async_cancel_t * f_async_cancel,void * async_config_data)3100 void mbedtls_ssl_conf_async_private_cb(
3101 mbedtls_ssl_config *conf,
3102 mbedtls_ssl_async_sign_t *f_async_sign,
3103 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
3104 mbedtls_ssl_async_resume_t *f_async_resume,
3105 mbedtls_ssl_async_cancel_t *f_async_cancel,
3106 void *async_config_data)
3107 {
3108 conf->f_async_sign_start = f_async_sign;
3109 conf->f_async_decrypt_start = f_async_decrypt;
3110 conf->f_async_resume = f_async_resume;
3111 conf->f_async_cancel = f_async_cancel;
3112 conf->p_async_config_data = async_config_data;
3113 }
3114
mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config * conf)3115 void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
3116 {
3117 return conf->p_async_config_data;
3118 }
3119
mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context * ssl)3120 void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
3121 {
3122 if (ssl->handshake == NULL) {
3123 return NULL;
3124 } else {
3125 return ssl->handshake->user_async_ctx;
3126 }
3127 }
3128
mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context * ssl,void * ctx)3129 void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
3130 void *ctx)
3131 {
3132 if (ssl->handshake != NULL) {
3133 ssl->handshake->user_async_ctx = ctx;
3134 }
3135 }
3136 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3137
3138 /*
3139 * SSL get accessors
3140 */
mbedtls_ssl_get_verify_result(const mbedtls_ssl_context * ssl)3141 uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
3142 {
3143 if (ssl->session != NULL) {
3144 return ssl->session->verify_result;
3145 }
3146
3147 if (ssl->session_negotiate != NULL) {
3148 return ssl->session_negotiate->verify_result;
3149 }
3150
3151 return 0xFFFFFFFF;
3152 }
3153
mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context * ssl)3154 int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
3155 {
3156 if (ssl == NULL || ssl->session == NULL) {
3157 return 0;
3158 }
3159
3160 return ssl->session->ciphersuite;
3161 }
3162
mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context * ssl)3163 const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
3164 {
3165 if (ssl == NULL || ssl->session == NULL) {
3166 return NULL;
3167 }
3168
3169 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
3170 }
3171
mbedtls_ssl_get_version(const mbedtls_ssl_context * ssl)3172 const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
3173 {
3174 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3175 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3176 switch (ssl->tls_version) {
3177 case MBEDTLS_SSL_VERSION_TLS1_2:
3178 return "DTLSv1.2";
3179 default:
3180 return "unknown (DTLS)";
3181 }
3182 }
3183 #endif
3184
3185 switch (ssl->tls_version) {
3186 case MBEDTLS_SSL_VERSION_TLS1_2:
3187 return "TLSv1.2";
3188 case MBEDTLS_SSL_VERSION_TLS1_3:
3189 return "TLSv1.3";
3190 default:
3191 return "unknown";
3192 }
3193 }
3194
3195 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3196
mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context * ssl)3197 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
3198 {
3199 const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3200 size_t record_size_limit = max_len;
3201
3202 if (ssl->session != NULL &&
3203 ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3204 ssl->session->record_size_limit < max_len) {
3205 record_size_limit = ssl->session->record_size_limit;
3206 }
3207
3208 // TODO: this is currently untested
3209 /* During a handshake, use the value being negotiated */
3210 if (ssl->session_negotiate != NULL &&
3211 ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3212 ssl->session_negotiate->record_size_limit < max_len) {
3213 record_size_limit = ssl->session_negotiate->record_size_limit;
3214 }
3215
3216 return record_size_limit;
3217 }
3218 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3219
3220 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context * ssl)3221 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
3222 {
3223 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3224 size_t read_mfl;
3225
3226 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3227 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
3228 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3229 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
3230 return ssl_mfl_code_to_length(ssl->conf->mfl_code);
3231 }
3232 #endif
3233
3234 /* Check if a smaller max length was negotiated */
3235 if (ssl->session_out != NULL) {
3236 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3237 if (read_mfl < max_len) {
3238 max_len = read_mfl;
3239 }
3240 }
3241
3242 /* During a handshake, use the value being negotiated */
3243 if (ssl->session_negotiate != NULL) {
3244 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3245 if (read_mfl < max_len) {
3246 max_len = read_mfl;
3247 }
3248 }
3249
3250 return max_len;
3251 }
3252
mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context * ssl)3253 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
3254 {
3255 size_t max_len;
3256
3257 /*
3258 * Assume mfl_code is correct since it was checked when set
3259 */
3260 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
3261
3262 /* Check if a smaller max length was negotiated */
3263 if (ssl->session_out != NULL &&
3264 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
3265 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3266 }
3267
3268 /* During a handshake, use the value being negotiated */
3269 if (ssl->session_negotiate != NULL &&
3270 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
3271 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3272 }
3273
3274 return max_len;
3275 }
3276 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3277
3278 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context * ssl)3279 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
3280 {
3281 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
3282 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3283 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
3284 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) {
3285 return 0;
3286 }
3287
3288 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
3289 return ssl->mtu;
3290 }
3291
3292 if (ssl->mtu == 0) {
3293 return ssl->handshake->mtu;
3294 }
3295
3296 return ssl->mtu < ssl->handshake->mtu ?
3297 ssl->mtu : ssl->handshake->mtu;
3298 }
3299 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3300
mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context * ssl)3301 int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
3302 {
3303 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3304
3305 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3306 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
3307 !defined(MBEDTLS_SSL_PROTO_DTLS)
3308 (void) ssl;
3309 #endif
3310
3311 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3312 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
3313
3314 if (max_len > mfl) {
3315 max_len = mfl;
3316 }
3317 #endif
3318
3319 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3320 const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
3321
3322 if (max_len > record_size_limit) {
3323 max_len = record_size_limit;
3324 }
3325 #endif
3326
3327 if (ssl->transform_out != NULL &&
3328 ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
3329 /*
3330 * In TLS 1.3 case, when records are protected, `max_len` as computed
3331 * above is the maximum length of the TLSInnerPlaintext structure that
3332 * along the plaintext payload contains the inner content type (one byte)
3333 * and some zero padding. Given the algorithm used for padding
3334 * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
3335 * the plaintext payload. Round down to a multiple of
3336 * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
3337 * subtract 1.
3338 */
3339 max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
3340 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
3341 }
3342
3343 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3344 if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
3345 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
3346 const int ret = mbedtls_ssl_get_record_expansion(ssl);
3347 const size_t overhead = (size_t) ret;
3348
3349 if (ret < 0) {
3350 return ret;
3351 }
3352
3353 if (mtu <= overhead) {
3354 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
3355 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3356 }
3357
3358 if (max_len > mtu - overhead) {
3359 max_len = mtu - overhead;
3360 }
3361 }
3362 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3363
3364 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3365 !defined(MBEDTLS_SSL_PROTO_DTLS) && \
3366 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3367 ((void) ssl);
3368 #endif
3369
3370 return (int) max_len;
3371 }
3372
mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context * ssl)3373 int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
3374 {
3375 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3376
3377 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3378 (void) ssl;
3379 #endif
3380
3381 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3382 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
3383
3384 if (max_len > mfl) {
3385 max_len = mfl;
3386 }
3387 #endif
3388
3389 return (int) max_len;
3390 }
3391
3392 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context * ssl)3393 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
3394 {
3395 if (ssl == NULL || ssl->session == NULL) {
3396 return NULL;
3397 }
3398
3399 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3400 return ssl->session->peer_cert;
3401 #else
3402 return NULL;
3403 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3404 }
3405 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3406
3407 #if defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_get_session(const mbedtls_ssl_context * ssl,mbedtls_ssl_session * dst)3408 int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
3409 mbedtls_ssl_session *dst)
3410 {
3411 int ret;
3412
3413 if (ssl == NULL ||
3414 dst == NULL ||
3415 ssl->session == NULL ||
3416 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
3417 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3418 }
3419
3420 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
3421 * idempotent: Each session can only be exported once.
3422 *
3423 * (This is in preparation for TLS 1.3 support where we will
3424 * need the ability to export multiple sessions (aka tickets),
3425 * which will be achieved by calling mbedtls_ssl_get_session()
3426 * multiple times until it fails.)
3427 *
3428 * Check whether we have already exported the current session,
3429 * and fail if so.
3430 */
3431 if (ssl->session->exported == 1) {
3432 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3433 }
3434
3435 ret = mbedtls_ssl_session_copy(dst, ssl->session);
3436 if (ret != 0) {
3437 return ret;
3438 }
3439
3440 /* Remember that we've exported the session. */
3441 ssl->session->exported = 1;
3442 return 0;
3443 }
3444 #endif /* MBEDTLS_SSL_CLI_C */
3445
3446 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3447
3448 /* Serialization of TLS 1.2 sessions
3449 *
3450 * For more detail, see the description of ssl_session_save().
3451 */
ssl_tls12_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len)3452 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
3453 unsigned char *buf,
3454 size_t buf_len)
3455 {
3456 unsigned char *p = buf;
3457 size_t used = 0;
3458
3459 #if defined(MBEDTLS_HAVE_TIME)
3460 uint64_t start;
3461 #endif
3462 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3463 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3464 size_t cert_len;
3465 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3466 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3467
3468 /*
3469 * Time
3470 */
3471 #if defined(MBEDTLS_HAVE_TIME)
3472 used += 8;
3473
3474 if (used <= buf_len) {
3475 start = (uint64_t) session->start;
3476
3477 MBEDTLS_PUT_UINT64_BE(start, p, 0);
3478 p += 8;
3479 }
3480 #endif /* MBEDTLS_HAVE_TIME */
3481
3482 /*
3483 * Basic mandatory fields
3484 */
3485 used += 1 /* id_len */
3486 + sizeof(session->id)
3487 + sizeof(session->master)
3488 + 4; /* verify_result */
3489
3490 if (used <= buf_len) {
3491 *p++ = MBEDTLS_BYTE_0(session->id_len);
3492 memcpy(p, session->id, 32);
3493 p += 32;
3494
3495 memcpy(p, session->master, 48);
3496 p += 48;
3497
3498 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
3499 p += 4;
3500 }
3501
3502 /*
3503 * Peer's end-entity certificate
3504 */
3505 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3506 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3507 if (session->peer_cert == NULL) {
3508 cert_len = 0;
3509 } else {
3510 cert_len = session->peer_cert->raw.len;
3511 }
3512
3513 used += 3 + cert_len;
3514
3515 if (used <= buf_len) {
3516 *p++ = MBEDTLS_BYTE_2(cert_len);
3517 *p++ = MBEDTLS_BYTE_1(cert_len);
3518 *p++ = MBEDTLS_BYTE_0(cert_len);
3519
3520 if (session->peer_cert != NULL) {
3521 memcpy(p, session->peer_cert->raw.p, cert_len);
3522 p += cert_len;
3523 }
3524 }
3525 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3526 if (session->peer_cert_digest != NULL) {
3527 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
3528 if (used <= buf_len) {
3529 *p++ = (unsigned char) session->peer_cert_digest_type;
3530 *p++ = (unsigned char) session->peer_cert_digest_len;
3531 memcpy(p, session->peer_cert_digest,
3532 session->peer_cert_digest_len);
3533 p += session->peer_cert_digest_len;
3534 }
3535 } else {
3536 used += 2;
3537 if (used <= buf_len) {
3538 *p++ = (unsigned char) MBEDTLS_MD_NONE;
3539 *p++ = 0;
3540 }
3541 }
3542 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3543 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3544
3545 /*
3546 * Session ticket if any, plus associated data
3547 */
3548 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3549 #if defined(MBEDTLS_SSL_CLI_C)
3550 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3551 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
3552
3553 if (used <= buf_len) {
3554 *p++ = MBEDTLS_BYTE_2(session->ticket_len);
3555 *p++ = MBEDTLS_BYTE_1(session->ticket_len);
3556 *p++ = MBEDTLS_BYTE_0(session->ticket_len);
3557
3558 if (session->ticket != NULL) {
3559 memcpy(p, session->ticket, session->ticket_len);
3560 p += session->ticket_len;
3561 }
3562
3563 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3564 p += 4;
3565 }
3566 }
3567 #endif /* MBEDTLS_SSL_CLI_C */
3568 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3569 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3570 used += 8;
3571
3572 if (used <= buf_len) {
3573 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3574 p += 8;
3575 }
3576 }
3577 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3578 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3579
3580 /*
3581 * Misc extension-related info
3582 */
3583 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3584 used += 1;
3585
3586 if (used <= buf_len) {
3587 *p++ = session->mfl_code;
3588 }
3589 #endif
3590
3591 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3592 used += 1;
3593
3594 if (used <= buf_len) {
3595 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
3596 }
3597 #endif
3598
3599 return used;
3600 }
3601
3602 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)3603 static int ssl_tls12_session_load(mbedtls_ssl_session *session,
3604 const unsigned char *buf,
3605 size_t len)
3606 {
3607 #if defined(MBEDTLS_HAVE_TIME)
3608 uint64_t start;
3609 #endif
3610 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3611 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3612 size_t cert_len;
3613 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3614 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3615
3616 const unsigned char *p = buf;
3617 const unsigned char * const end = buf + len;
3618
3619 /*
3620 * Time
3621 */
3622 #if defined(MBEDTLS_HAVE_TIME)
3623 if (8 > (size_t) (end - p)) {
3624 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3625 }
3626
3627 start = MBEDTLS_GET_UINT64_BE(p, 0);
3628 p += 8;
3629
3630 session->start = (time_t) start;
3631 #endif /* MBEDTLS_HAVE_TIME */
3632
3633 /*
3634 * Basic mandatory fields
3635 */
3636 if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
3637 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3638 }
3639
3640 session->id_len = *p++;
3641 memcpy(session->id, p, 32);
3642 p += 32;
3643
3644 memcpy(session->master, p, 48);
3645 p += 48;
3646
3647 session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
3648 p += 4;
3649
3650 /* Immediately clear invalid pointer values that have been read, in case
3651 * we exit early before we replaced them with valid ones. */
3652 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3653 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3654 session->peer_cert = NULL;
3655 #else
3656 session->peer_cert_digest = NULL;
3657 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3658 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3659 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
3660 session->ticket = NULL;
3661 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
3662
3663 /*
3664 * Peer certificate
3665 */
3666 #if defined(MBEDTLS_X509_CRT_PARSE_C)
3667 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3668 /* Deserialize CRT from the end of the ticket. */
3669 if (3 > (size_t) (end - p)) {
3670 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3671 }
3672
3673 cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
3674 p += 3;
3675
3676 if (cert_len != 0) {
3677 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3678
3679 if (cert_len > (size_t) (end - p)) {
3680 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3681 }
3682
3683 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
3684
3685 if (session->peer_cert == NULL) {
3686 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3687 }
3688
3689 mbedtls_x509_crt_init(session->peer_cert);
3690
3691 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
3692 p, cert_len)) != 0) {
3693 mbedtls_x509_crt_free(session->peer_cert);
3694 mbedtls_free(session->peer_cert);
3695 session->peer_cert = NULL;
3696 return ret;
3697 }
3698
3699 p += cert_len;
3700 }
3701 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3702 /* Deserialize CRT digest from the end of the ticket. */
3703 if (2 > (size_t) (end - p)) {
3704 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3705 }
3706
3707 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
3708 session->peer_cert_digest_len = (size_t) *p++;
3709
3710 if (session->peer_cert_digest_len != 0) {
3711 const mbedtls_md_info_t *md_info =
3712 mbedtls_md_info_from_type(session->peer_cert_digest_type);
3713 if (md_info == NULL) {
3714 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3715 }
3716 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
3717 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3718 }
3719
3720 if (session->peer_cert_digest_len > (size_t) (end - p)) {
3721 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3722 }
3723
3724 session->peer_cert_digest =
3725 mbedtls_calloc(1, session->peer_cert_digest_len);
3726 if (session->peer_cert_digest == NULL) {
3727 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3728 }
3729
3730 memcpy(session->peer_cert_digest, p,
3731 session->peer_cert_digest_len);
3732 p += session->peer_cert_digest_len;
3733 }
3734 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3735 #endif /* MBEDTLS_X509_CRT_PARSE_C */
3736
3737 /*
3738 * Session ticket and associated data
3739 */
3740 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3741 #if defined(MBEDTLS_SSL_CLI_C)
3742 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3743 if (3 > (size_t) (end - p)) {
3744 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3745 }
3746
3747 session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
3748 p += 3;
3749
3750 if (session->ticket_len != 0) {
3751 if (session->ticket_len > (size_t) (end - p)) {
3752 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3753 }
3754
3755 session->ticket = mbedtls_calloc(1, session->ticket_len);
3756 if (session->ticket == NULL) {
3757 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3758 }
3759
3760 memcpy(session->ticket, p, session->ticket_len);
3761 p += session->ticket_len;
3762 }
3763
3764 if (4 > (size_t) (end - p)) {
3765 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3766 }
3767
3768 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
3769 p += 4;
3770 }
3771 #endif /* MBEDTLS_SSL_CLI_C */
3772 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3773 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3774 if (8 > (size_t) (end - p)) {
3775 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3776 }
3777 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3778 p += 8;
3779 }
3780 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3781 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
3782
3783 /*
3784 * Misc extension-related info
3785 */
3786 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3787 if (1 > (size_t) (end - p)) {
3788 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3789 }
3790
3791 session->mfl_code = *p++;
3792 #endif
3793
3794 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3795 if (1 > (size_t) (end - p)) {
3796 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3797 }
3798
3799 session->encrypt_then_mac = *p++;
3800 #endif
3801
3802 /* Done, should have consumed entire buffer */
3803 if (p != end) {
3804 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3805 }
3806
3807 return 0;
3808 }
3809
3810 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3811
3812 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3813 /* Serialization of TLS 1.3 sessions:
3814 *
3815 * For more detail, see the description of ssl_session_save().
3816 */
3817 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
3818 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)3819 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
3820 unsigned char *buf,
3821 size_t buf_len,
3822 size_t *olen)
3823 {
3824 unsigned char *p = buf;
3825 #if defined(MBEDTLS_SSL_CLI_C) && \
3826 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3827 size_t hostname_len = (session->hostname == NULL) ?
3828 0 : strlen(session->hostname) + 1;
3829 #endif
3830
3831 #if defined(MBEDTLS_SSL_SRV_C) && \
3832 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3833 const size_t alpn_len = (session->ticket_alpn == NULL) ?
3834 0 : strlen(session->ticket_alpn) + 1;
3835 #endif
3836 size_t needed = 4 /* ticket_age_add */
3837 + 1 /* ticket_flags */
3838 + 1; /* resumption_key length */
3839
3840 *olen = 0;
3841
3842 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
3843 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3844 }
3845 needed += session->resumption_key_len; /* resumption_key */
3846
3847 #if defined(MBEDTLS_SSL_EARLY_DATA)
3848 needed += 4; /* max_early_data_size */
3849 #endif
3850 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3851 needed += 2; /* record_size_limit */
3852 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3853
3854 #if defined(MBEDTLS_HAVE_TIME)
3855 needed += 8; /* ticket_creation_time or ticket_reception_time */
3856 #endif
3857
3858 #if defined(MBEDTLS_SSL_SRV_C)
3859 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3860 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3861 needed += 2 /* alpn_len */
3862 + alpn_len; /* alpn */
3863 #endif
3864 }
3865 #endif /* MBEDTLS_SSL_SRV_C */
3866
3867 #if defined(MBEDTLS_SSL_CLI_C)
3868 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3869 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3870 needed += 2 /* hostname_len */
3871 + hostname_len; /* hostname */
3872 #endif
3873
3874 needed += 4 /* ticket_lifetime */
3875 + 2; /* ticket_len */
3876
3877 /* Check size_t overflow */
3878 if (session->ticket_len > SIZE_MAX - needed) {
3879 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3880 }
3881
3882 needed += session->ticket_len; /* ticket */
3883 }
3884 #endif /* MBEDTLS_SSL_CLI_C */
3885
3886 *olen = needed;
3887 if (needed > buf_len) {
3888 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3889 }
3890
3891 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
3892 p[4] = session->ticket_flags;
3893
3894 /* save resumption_key */
3895 p[5] = session->resumption_key_len;
3896 p += 6;
3897 memcpy(p, session->resumption_key, session->resumption_key_len);
3898 p += session->resumption_key_len;
3899
3900 #if defined(MBEDTLS_SSL_EARLY_DATA)
3901 MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
3902 p += 4;
3903 #endif
3904 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3905 MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
3906 p += 2;
3907 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3908
3909 #if defined(MBEDTLS_SSL_SRV_C)
3910 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3911 #if defined(MBEDTLS_HAVE_TIME)
3912 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3913 p += 8;
3914 #endif /* MBEDTLS_HAVE_TIME */
3915
3916 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3917 MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
3918 p += 2;
3919
3920 if (alpn_len > 0) {
3921 /* save chosen alpn */
3922 memcpy(p, session->ticket_alpn, alpn_len);
3923 p += alpn_len;
3924 }
3925 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3926 }
3927 #endif /* MBEDTLS_SSL_SRV_C */
3928
3929 #if defined(MBEDTLS_SSL_CLI_C)
3930 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3931 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3932 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
3933 p += 2;
3934 if (hostname_len > 0) {
3935 /* save host name */
3936 memcpy(p, session->hostname, hostname_len);
3937 p += hostname_len;
3938 }
3939 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3940
3941 #if defined(MBEDTLS_HAVE_TIME)
3942 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
3943 p += 8;
3944 #endif
3945 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3946 p += 4;
3947
3948 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
3949 p += 2;
3950
3951 if (session->ticket != NULL && session->ticket_len > 0) {
3952 memcpy(p, session->ticket, session->ticket_len);
3953 p += session->ticket_len;
3954 }
3955 }
3956 #endif /* MBEDTLS_SSL_CLI_C */
3957 return 0;
3958 }
3959
3960 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)3961 static int ssl_tls13_session_load(mbedtls_ssl_session *session,
3962 const unsigned char *buf,
3963 size_t len)
3964 {
3965 const unsigned char *p = buf;
3966 const unsigned char *end = buf + len;
3967
3968 if (end - p < 6) {
3969 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3970 }
3971 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
3972 session->ticket_flags = p[4];
3973
3974 /* load resumption_key */
3975 session->resumption_key_len = p[5];
3976 p += 6;
3977
3978 if (end - p < session->resumption_key_len) {
3979 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3980 }
3981
3982 if (sizeof(session->resumption_key) < session->resumption_key_len) {
3983 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3984 }
3985 memcpy(session->resumption_key, p, session->resumption_key_len);
3986 p += session->resumption_key_len;
3987
3988 #if defined(MBEDTLS_SSL_EARLY_DATA)
3989 if (end - p < 4) {
3990 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3991 }
3992 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
3993 p += 4;
3994 #endif
3995 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3996 if (end - p < 2) {
3997 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3998 }
3999 session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
4000 p += 2;
4001 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
4002
4003 #if defined(MBEDTLS_SSL_SRV_C)
4004 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
4005 #if defined(MBEDTLS_HAVE_TIME)
4006 if (end - p < 8) {
4007 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4008 }
4009 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
4010 p += 8;
4011 #endif /* MBEDTLS_HAVE_TIME */
4012
4013 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
4014 size_t alpn_len;
4015
4016 if (end - p < 2) {
4017 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4018 }
4019
4020 alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
4021 p += 2;
4022
4023 if (end - p < (long int) alpn_len) {
4024 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4025 }
4026
4027 if (alpn_len > 0) {
4028 int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
4029 if (ret != 0) {
4030 return ret;
4031 }
4032 p += alpn_len;
4033 }
4034 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
4035 }
4036 #endif /* MBEDTLS_SSL_SRV_C */
4037
4038 #if defined(MBEDTLS_SSL_CLI_C)
4039 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
4040 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4041 size_t hostname_len;
4042 /* load host name */
4043 if (end - p < 2) {
4044 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4045 }
4046 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
4047 p += 2;
4048
4049 if (end - p < (long int) hostname_len) {
4050 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4051 }
4052 if (hostname_len > 0) {
4053 session->hostname = mbedtls_calloc(1, hostname_len);
4054 if (session->hostname == NULL) {
4055 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
4056 }
4057 memcpy(session->hostname, p, hostname_len);
4058 p += hostname_len;
4059 }
4060 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4061
4062 #if defined(MBEDTLS_HAVE_TIME)
4063 if (end - p < 8) {
4064 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4065 }
4066 session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0);
4067 p += 8;
4068 #endif
4069 if (end - p < 4) {
4070 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4071 }
4072 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
4073 p += 4;
4074
4075 if (end - p < 2) {
4076 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4077 }
4078 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
4079 p += 2;
4080
4081 if (end - p < (long int) session->ticket_len) {
4082 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4083 }
4084 if (session->ticket_len > 0) {
4085 session->ticket = mbedtls_calloc(1, session->ticket_len);
4086 if (session->ticket == NULL) {
4087 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
4088 }
4089 memcpy(session->ticket, p, session->ticket_len);
4090 p += session->ticket_len;
4091 }
4092 }
4093 #endif /* MBEDTLS_SSL_CLI_C */
4094
4095 return 0;
4096
4097 }
4098 #else /* MBEDTLS_SSL_SESSION_TICKETS */
4099 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls13_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)4100 static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
4101 unsigned char *buf,
4102 size_t buf_len,
4103 size_t *olen)
4104 {
4105 ((void) session);
4106 ((void) buf);
4107 ((void) buf_len);
4108 *olen = 0;
4109 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4110 }
4111
ssl_tls13_session_load(const mbedtls_ssl_session * session,const unsigned char * buf,size_t buf_len)4112 static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
4113 const unsigned char *buf,
4114 size_t buf_len)
4115 {
4116 ((void) session);
4117 ((void) buf);
4118 ((void) buf_len);
4119 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4120 }
4121 #endif /* !MBEDTLS_SSL_SESSION_TICKETS */
4122 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4123
4124 /*
4125 * Define ticket header determining Mbed TLS version
4126 * and structure of the ticket.
4127 */
4128
4129 /*
4130 * Define bitflag determining compile-time settings influencing
4131 * structure of serialized SSL sessions.
4132 */
4133
4134 #if defined(MBEDTLS_HAVE_TIME)
4135 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
4136 #else
4137 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
4138 #endif /* MBEDTLS_HAVE_TIME */
4139
4140 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4141 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
4142 #else
4143 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
4144 #endif /* MBEDTLS_X509_CRT_PARSE_C */
4145
4146 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4147 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
4148 #else
4149 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
4150 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4151
4152 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
4153 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
4154 #else
4155 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
4156 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
4157
4158 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4159 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
4160 #else
4161 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
4162 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4163
4164 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4165 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
4166 #else
4167 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
4168 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
4169
4170 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4171 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
4172 #else
4173 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
4174 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
4175
4176 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4177 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 1
4178 #else
4179 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 0
4180 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4181
4182 #if defined(MBEDTLS_SSL_EARLY_DATA)
4183 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1
4184 #else
4185 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0
4186 #endif /* MBEDTLS_SSL_EARLY_DATA */
4187
4188 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4189 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1
4190 #else
4191 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0
4192 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
4193
4194 #if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \
4195 defined(MBEDTLS_SSL_EARLY_DATA)
4196 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1
4197 #else
4198 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0
4199 #endif /* MBEDTLS_SSL_ALPN */
4200
4201 #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
4202 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
4203 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
4204 #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
4205 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
4206 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
4207 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6
4208 #define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7
4209 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8
4210 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9
4211 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10
4212
4213 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
4214 ((uint16_t) ( \
4215 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
4216 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
4217 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
4218 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
4219 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
4220 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
4221 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
4222 (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
4223 SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \
4224 (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \
4225 (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \
4226 SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \
4227 (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \
4228 SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \
4229 (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \
4230 SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT)))
4231
4232 static const unsigned char ssl_serialized_session_header[] = {
4233 MBEDTLS_VERSION_MAJOR,
4234 MBEDTLS_VERSION_MINOR,
4235 MBEDTLS_VERSION_PATCH,
4236 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4237 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4238 };
4239
4240 /*
4241 * Serialize a session in the following format:
4242 * (in the presentation language of TLS, RFC 8446 section 3)
4243 *
4244 * TLS 1.2 session:
4245 *
4246 * struct {
4247 * #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4248 * opaque ticket<0..2^24-1>; // length 0 means no ticket
4249 * uint32 ticket_lifetime;
4250 * #endif
4251 * } ClientOnlyData;
4252 *
4253 * struct {
4254 * #if defined(MBEDTLS_HAVE_TIME)
4255 * uint64 start_time;
4256 * #endif
4257 * uint8 session_id_len; // at most 32
4258 * opaque session_id[32];
4259 * opaque master[48]; // fixed length in the standard
4260 * uint32 verify_result;
4261 * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
4262 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
4263 * #else
4264 * uint8 peer_cert_digest_type;
4265 * opaque peer_cert_digest<0..2^8-1>
4266 * #endif
4267 * select (endpoint) {
4268 * case client: ClientOnlyData;
4269 * case server: uint64 ticket_creation_time;
4270 * };
4271 * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4272 * uint8 mfl_code; // up to 255 according to standard
4273 * #endif
4274 * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4275 * uint8 encrypt_then_mac; // 0 or 1
4276 * #endif
4277 * } serialized_session_tls12;
4278 *
4279 *
4280 * TLS 1.3 Session:
4281 *
4282 * struct {
4283 * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4284 * opaque hostname<0..2^16-1>;
4285 * #endif
4286 * #if defined(MBEDTLS_HAVE_TIME)
4287 * uint64 ticket_reception_time;
4288 * #endif
4289 * uint32 ticket_lifetime;
4290 * opaque ticket<1..2^16-1>;
4291 * } ClientOnlyData;
4292 *
4293 * struct {
4294 * uint32 ticket_age_add;
4295 * uint8 ticket_flags;
4296 * opaque resumption_key<0..255>;
4297 * #if defined(MBEDTLS_SSL_EARLY_DATA)
4298 * uint32 max_early_data_size;
4299 * #endif
4300 * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4301 * uint16 record_size_limit;
4302 * #endif
4303 * select ( endpoint ) {
4304 * case client: ClientOnlyData;
4305 * case server:
4306 * #if defined(MBEDTLS_HAVE_TIME)
4307 * uint64 ticket_creation_time;
4308 * #endif
4309 * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
4310 * opaque ticket_alpn<0..256>;
4311 * #endif
4312 * };
4313 * } serialized_session_tls13;
4314 *
4315 *
4316 * SSL session:
4317 *
4318 * struct {
4319 *
4320 * opaque mbedtls_version[3]; // library version: major, minor, patch
4321 * opaque session_format[2]; // library-version specific 16-bit field
4322 * // determining the format of the remaining
4323 * // serialized data.
4324 *
4325 * Note: When updating the format, remember to keep
4326 * these version+format bytes.
4327 *
4328 * // In this version, `session_format` determines
4329 * // the setting of those compile-time
4330 * // configuration options which influence
4331 * // the structure of mbedtls_ssl_session.
4332 *
4333 * uint8_t minor_ver; // Protocol minor version. Possible values:
4334 * // - TLS 1.2 (0x0303)
4335 * // - TLS 1.3 (0x0304)
4336 * uint8_t endpoint;
4337 * uint16_t ciphersuite;
4338 *
4339 * select (serialized_session.tls_version) {
4340 *
4341 * case MBEDTLS_SSL_VERSION_TLS1_2:
4342 * serialized_session_tls12 data;
4343 * case MBEDTLS_SSL_VERSION_TLS1_3:
4344 * serialized_session_tls13 data;
4345 *
4346 * };
4347 *
4348 * } serialized_session;
4349 *
4350 */
4351
4352 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_save(const mbedtls_ssl_session * session,unsigned char omit_header,unsigned char * buf,size_t buf_len,size_t * olen)4353 static int ssl_session_save(const mbedtls_ssl_session *session,
4354 unsigned char omit_header,
4355 unsigned char *buf,
4356 size_t buf_len,
4357 size_t *olen)
4358 {
4359 unsigned char *p = buf;
4360 size_t used = 0;
4361 size_t remaining_len;
4362 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4363 size_t out_len;
4364 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4365 #endif
4366 if (session == NULL) {
4367 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4368 }
4369
4370 if (!omit_header) {
4371 /*
4372 * Add Mbed TLS version identifier
4373 */
4374 used += sizeof(ssl_serialized_session_header);
4375
4376 if (used <= buf_len) {
4377 memcpy(p, ssl_serialized_session_header,
4378 sizeof(ssl_serialized_session_header));
4379 p += sizeof(ssl_serialized_session_header);
4380 }
4381 }
4382
4383 /*
4384 * TLS version identifier, endpoint, ciphersuite
4385 */
4386 used += 1 /* TLS version */
4387 + 1 /* endpoint */
4388 + 2; /* ciphersuite */
4389 if (used <= buf_len) {
4390 *p++ = MBEDTLS_BYTE_0(session->tls_version);
4391 *p++ = session->endpoint;
4392 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
4393 p += 2;
4394 }
4395
4396 /* Forward to version-specific serialization routine. */
4397 remaining_len = (buf_len >= used) ? buf_len - used : 0;
4398 switch (session->tls_version) {
4399 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4400 case MBEDTLS_SSL_VERSION_TLS1_2:
4401 used += ssl_tls12_session_save(session, p, remaining_len);
4402 break;
4403 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4404
4405 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4406 case MBEDTLS_SSL_VERSION_TLS1_3:
4407 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
4408 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
4409 return ret;
4410 }
4411 used += out_len;
4412 break;
4413 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4414
4415 default:
4416 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4417 }
4418
4419 *olen = used;
4420 if (used > buf_len) {
4421 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4422 }
4423
4424 return 0;
4425 }
4426
4427 /*
4428 * Public wrapper for ssl_session_save()
4429 */
mbedtls_ssl_session_save(const mbedtls_ssl_session * session,unsigned char * buf,size_t buf_len,size_t * olen)4430 int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
4431 unsigned char *buf,
4432 size_t buf_len,
4433 size_t *olen)
4434 {
4435 return ssl_session_save(session, 0, buf, buf_len, olen);
4436 }
4437
4438 /*
4439 * Deserialize session, see mbedtls_ssl_session_save() for format.
4440 *
4441 * This internal version is wrapped by a public function that cleans up in
4442 * case of error, and has an extra option omit_header.
4443 */
4444 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_session_load(mbedtls_ssl_session * session,unsigned char omit_header,const unsigned char * buf,size_t len)4445 static int ssl_session_load(mbedtls_ssl_session *session,
4446 unsigned char omit_header,
4447 const unsigned char *buf,
4448 size_t len)
4449 {
4450 const unsigned char *p = buf;
4451 const unsigned char * const end = buf + len;
4452 size_t remaining_len;
4453
4454
4455 if (session == NULL) {
4456 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4457 }
4458
4459 if (!omit_header) {
4460 /*
4461 * Check Mbed TLS version identifier
4462 */
4463
4464 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
4465 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4466 }
4467
4468 if (memcmp(p, ssl_serialized_session_header,
4469 sizeof(ssl_serialized_session_header)) != 0) {
4470 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
4471 }
4472 p += sizeof(ssl_serialized_session_header);
4473 }
4474
4475 /*
4476 * TLS version identifier, endpoint, ciphersuite
4477 */
4478 if (4 > (size_t) (end - p)) {
4479 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4480 }
4481 session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
4482 session->endpoint = *p++;
4483 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0);
4484 p += 2;
4485
4486 /* Dispatch according to TLS version. */
4487 remaining_len = (size_t) (end - p);
4488 switch (session->tls_version) {
4489 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4490 case MBEDTLS_SSL_VERSION_TLS1_2:
4491 return ssl_tls12_session_load(session, p, remaining_len);
4492 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4493
4494 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4495 case MBEDTLS_SSL_VERSION_TLS1_3:
4496 return ssl_tls13_session_load(session, p, remaining_len);
4497 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4498
4499 default:
4500 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4501 }
4502 }
4503
4504 /*
4505 * Deserialize session: public wrapper for error cleaning
4506 */
mbedtls_ssl_session_load(mbedtls_ssl_session * session,const unsigned char * buf,size_t len)4507 int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
4508 const unsigned char *buf,
4509 size_t len)
4510 {
4511 int ret = ssl_session_load(session, 0, buf, len);
4512
4513 if (ret != 0) {
4514 mbedtls_ssl_session_free(session);
4515 }
4516
4517 return ret;
4518 }
4519
4520 /*
4521 * Perform a single step of the SSL handshake
4522 */
4523 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_prepare_handshake_step(mbedtls_ssl_context * ssl)4524 static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
4525 {
4526 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4527
4528 /*
4529 * We may have not been able to send to the peer all the handshake data
4530 * that were written into the output buffer by the previous handshake step,
4531 * if the write to the network callback returned with the
4532 * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
4533 * We proceed to the next handshake step only when all data from the
4534 * previous one have been sent to the peer, thus we make sure that this is
4535 * the case here by calling `mbedtls_ssl_flush_output()`. The function may
4536 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
4537 * we have to wait before to go ahead.
4538 * In the case of TLS 1.3, handshake step handlers do not send data to the
4539 * peer. Data are only sent here and through
4540 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
4541 * alert occurred.
4542 */
4543 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
4544 return ret;
4545 }
4546
4547 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4548 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4549 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4550 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
4551 return ret;
4552 }
4553 }
4554 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4555
4556 return ret;
4557 }
4558
mbedtls_ssl_handshake_step(mbedtls_ssl_context * ssl)4559 int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
4560 {
4561 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4562
4563 if (ssl == NULL ||
4564 ssl->conf == NULL ||
4565 ssl->handshake == NULL ||
4566 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
4567 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4568 }
4569
4570 ret = ssl_prepare_handshake_step(ssl);
4571 if (ret != 0) {
4572 return ret;
4573 }
4574
4575 ret = mbedtls_ssl_handle_pending_alert(ssl);
4576 if (ret != 0) {
4577 goto cleanup;
4578 }
4579
4580 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
4581 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
4582 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4583
4584 #if defined(MBEDTLS_SSL_CLI_C)
4585 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
4586 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
4587 mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state)));
4588
4589 switch (ssl->state) {
4590 case MBEDTLS_SSL_HELLO_REQUEST:
4591 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
4592 ret = 0;
4593 break;
4594
4595 case MBEDTLS_SSL_CLIENT_HELLO:
4596 ret = mbedtls_ssl_write_client_hello(ssl);
4597 break;
4598
4599 default:
4600 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4601 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4602 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4603 } else {
4604 ret = mbedtls_ssl_handshake_client_step(ssl);
4605 }
4606 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4607 ret = mbedtls_ssl_handshake_client_step(ssl);
4608 #else
4609 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4610 #endif
4611 }
4612 }
4613 #endif /* MBEDTLS_SSL_CLI_C */
4614
4615 #if defined(MBEDTLS_SSL_SRV_C)
4616 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4617 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4618 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4619 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
4620 } else {
4621 ret = mbedtls_ssl_handshake_server_step(ssl);
4622 }
4623 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4624 ret = mbedtls_ssl_handshake_server_step(ssl);
4625 #else
4626 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
4627 #endif
4628 }
4629 #endif /* MBEDTLS_SSL_SRV_C */
4630
4631 if (ret != 0) {
4632 /* handshake_step return error. And it is same
4633 * with alert_reason.
4634 */
4635 if (ssl->send_alert) {
4636 ret = mbedtls_ssl_handle_pending_alert(ssl);
4637 goto cleanup;
4638 }
4639 }
4640
4641 cleanup:
4642 return ret;
4643 }
4644
4645 /*
4646 * Perform the SSL handshake
4647 */
mbedtls_ssl_handshake(mbedtls_ssl_context * ssl)4648 int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
4649 {
4650 int ret = 0;
4651
4652 /* Sanity checks */
4653
4654 if (ssl == NULL || ssl->conf == NULL) {
4655 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4656 }
4657
4658 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4659 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4660 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
4661 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
4662 "mbedtls_ssl_set_timer_cb() for DTLS"));
4663 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4664 }
4665 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4666
4667 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
4668
4669 /* Main handshake loop */
4670 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
4671 ret = mbedtls_ssl_handshake_step(ssl);
4672
4673 if (ret != 0) {
4674 break;
4675 }
4676 }
4677
4678 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
4679
4680 return ret;
4681 }
4682
4683 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4684 #if defined(MBEDTLS_SSL_SRV_C)
4685 /*
4686 * Write HelloRequest to request renegotiation on server
4687 */
4688 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_write_hello_request(mbedtls_ssl_context * ssl)4689 static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
4690 {
4691 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4692
4693 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
4694
4695 ssl->out_msglen = 4;
4696 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4697 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
4698
4699 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4700 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4701 return ret;
4702 }
4703
4704 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
4705
4706 return 0;
4707 }
4708 #endif /* MBEDTLS_SSL_SRV_C */
4709
4710 /*
4711 * Actually renegotiate current connection, triggered by either:
4712 * - any side: calling mbedtls_ssl_renegotiate(),
4713 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
4714 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
4715 * the initial handshake is completed.
4716 * If the handshake doesn't complete due to waiting for I/O, it will continue
4717 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
4718 */
mbedtls_ssl_start_renegotiation(mbedtls_ssl_context * ssl)4719 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl)
4720 {
4721 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4722
4723 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
4724
4725 if ((ret = ssl_handshake_init(ssl)) != 0) {
4726 return ret;
4727 }
4728
4729 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
4730 * the ServerHello will have message_seq = 1" */
4731 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4732 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4733 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
4734 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4735 ssl->handshake->out_msg_seq = 1;
4736 } else {
4737 ssl->handshake->in_msg_seq = 1;
4738 }
4739 }
4740 #endif
4741
4742 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
4743 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
4744
4745 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4746 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4747 return ret;
4748 }
4749
4750 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
4751
4752 return 0;
4753 }
4754
4755 /*
4756 * Renegotiate current connection on client,
4757 * or request renegotiation on server
4758 */
mbedtls_ssl_renegotiate(mbedtls_ssl_context * ssl)4759 int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
4760 {
4761 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4762
4763 if (ssl == NULL || ssl->conf == NULL) {
4764 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4765 }
4766
4767 #if defined(MBEDTLS_SSL_SRV_C)
4768 /* On server, just send the request */
4769 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4770 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4771 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4772 }
4773
4774 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
4775
4776 /* Did we already try/start sending HelloRequest? */
4777 if (ssl->out_left != 0) {
4778 return mbedtls_ssl_flush_output(ssl);
4779 }
4780
4781 return ssl_write_hello_request(ssl);
4782 }
4783 #endif /* MBEDTLS_SSL_SRV_C */
4784
4785 #if defined(MBEDTLS_SSL_CLI_C)
4786 /*
4787 * On client, either start the renegotiation process or,
4788 * if already in progress, continue the handshake
4789 */
4790 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
4791 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4792 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4793 }
4794
4795 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
4796 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
4797 return ret;
4798 }
4799 } else {
4800 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4801 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4802 return ret;
4803 }
4804 }
4805 #endif /* MBEDTLS_SSL_CLI_C */
4806
4807 return ret;
4808 }
4809 #endif /* MBEDTLS_SSL_RENEGOTIATION */
4810
mbedtls_ssl_handshake_free(mbedtls_ssl_context * ssl)4811 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
4812 {
4813 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
4814
4815 if (handshake == NULL) {
4816 return;
4817 }
4818
4819 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
4820 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4821 if (ssl->handshake->group_list_heap_allocated) {
4822 mbedtls_free((void *) handshake->group_list);
4823 }
4824 handshake->group_list = NULL;
4825 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4826 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
4827
4828 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
4829 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
4830 if (ssl->handshake->sig_algs_heap_allocated) {
4831 mbedtls_free((void *) handshake->sig_algs);
4832 }
4833 handshake->sig_algs = NULL;
4834 #endif /* MBEDTLS_DEPRECATED_REMOVED */
4835 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4836 if (ssl->handshake->certificate_request_context) {
4837 mbedtls_free((void *) handshake->certificate_request_context);
4838 }
4839 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4840 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
4841
4842 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4843 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
4844 ssl->conf->f_async_cancel(ssl);
4845 handshake->async_in_progress = 0;
4846 }
4847 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4848
4849 #if defined(MBEDTLS_MD_CAN_SHA256)
4850 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4851 psa_hash_abort(&handshake->fin_sha256_psa);
4852 #else
4853 mbedtls_md_free(&handshake->fin_sha256);
4854 #endif
4855 #endif
4856 #if defined(MBEDTLS_MD_CAN_SHA384)
4857 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4858 psa_hash_abort(&handshake->fin_sha384_psa);
4859 #else
4860 mbedtls_md_free(&handshake->fin_sha384);
4861 #endif
4862 #endif
4863
4864 #if defined(MBEDTLS_DHM_C)
4865 mbedtls_dhm_free(&handshake->dhm_ctx);
4866 #endif
4867 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
4868 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
4869 mbedtls_ecdh_free(&handshake->ecdh_ctx);
4870 #endif
4871
4872 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4873 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4874 psa_pake_abort(&handshake->psa_pake_ctx);
4875 /*
4876 * Opaque keys are not stored in the handshake's data and it's the user
4877 * responsibility to destroy them. Clear ones, instead, are created by
4878 * the TLS library and should be destroyed at the same level
4879 */
4880 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
4881 psa_destroy_key(handshake->psa_pake_password);
4882 }
4883 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
4884 #else
4885 mbedtls_ecjpake_free(&handshake->ecjpake_ctx);
4886 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4887 #if defined(MBEDTLS_SSL_CLI_C)
4888 mbedtls_free(handshake->ecjpake_cache);
4889 handshake->ecjpake_cache = NULL;
4890 handshake->ecjpake_cache_len = 0;
4891 #endif
4892 #endif
4893
4894 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
4895 defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
4896 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4897 /* explicit void pointer cast for buggy MS compiler */
4898 mbedtls_free((void *) handshake->curves_tls_id);
4899 #endif
4900
4901 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
4902 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4903 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
4904 /* The maintenance of the external PSK key slot is the
4905 * user's responsibility. */
4906 if (ssl->handshake->psk_opaque_is_internal) {
4907 psa_destroy_key(ssl->handshake->psk_opaque);
4908 ssl->handshake->psk_opaque_is_internal = 0;
4909 }
4910 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
4911 }
4912 #else
4913 if (handshake->psk != NULL) {
4914 mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len);
4915 }
4916 #endif /* MBEDTLS_USE_PSA_CRYPTO */
4917 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
4918
4919 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4920 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4921 /*
4922 * Free only the linked list wrapper, not the keys themselves
4923 * since the belong to the SNI callback
4924 */
4925 ssl_key_cert_free(handshake->sni_key_cert);
4926 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
4927
4928 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4929 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
4930 if (handshake->ecrs_peer_cert != NULL) {
4931 mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
4932 mbedtls_free(handshake->ecrs_peer_cert);
4933 }
4934 #endif
4935
4936 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4937 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4938 mbedtls_pk_free(&handshake->peer_pubkey);
4939 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4940
4941 #if defined(MBEDTLS_SSL_CLI_C) && \
4942 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
4943 mbedtls_free(handshake->cookie);
4944 #endif /* MBEDTLS_SSL_CLI_C &&
4945 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
4946
4947 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4948 mbedtls_ssl_flight_free(handshake->flight);
4949 mbedtls_ssl_buffering_free(ssl);
4950 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4951
4952 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
4953 if (handshake->xxdh_psa_privkey_is_external == 0) {
4954 psa_destroy_key(handshake->xxdh_psa_privkey);
4955 }
4956 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
4957
4958 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4959 mbedtls_ssl_transform_free(handshake->transform_handshake);
4960 mbedtls_free(handshake->transform_handshake);
4961 #if defined(MBEDTLS_SSL_EARLY_DATA)
4962 mbedtls_ssl_transform_free(handshake->transform_earlydata);
4963 mbedtls_free(handshake->transform_earlydata);
4964 #endif
4965 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4966
4967
4968 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4969 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
4970 * processes datagrams and the fact that a datagram is allowed to have
4971 * several records in it, it is possible that the I/O buffers are not
4972 * empty at this stage */
4973 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
4974 mbedtls_ssl_get_output_buflen(ssl));
4975 #endif
4976
4977 /* mbedtls_platform_zeroize MUST be last one in this function */
4978 mbedtls_platform_zeroize(handshake,
4979 sizeof(mbedtls_ssl_handshake_params));
4980 }
4981
mbedtls_ssl_session_free(mbedtls_ssl_session * session)4982 void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
4983 {
4984 if (session == NULL) {
4985 return;
4986 }
4987
4988 #if defined(MBEDTLS_X509_CRT_PARSE_C)
4989 ssl_clear_peer_cert(session);
4990 #endif
4991
4992 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4993 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
4994 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4995 mbedtls_free(session->hostname);
4996 #endif
4997 mbedtls_free(session->ticket);
4998 #endif
4999
5000 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \
5001 defined(MBEDTLS_SSL_SRV_C)
5002 mbedtls_free(session->ticket_alpn);
5003 #endif
5004
5005 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
5006 }
5007
5008 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
5009
5010 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5011 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
5012 #else
5013 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
5014 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5015
5016 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
5017
5018 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5019 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
5020 #else
5021 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
5022 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5023
5024 #if defined(MBEDTLS_SSL_ALPN)
5025 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
5026 #else
5027 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
5028 #endif /* MBEDTLS_SSL_ALPN */
5029
5030 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
5031 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
5032 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
5033 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
5034
5035 #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
5036 ((uint32_t) ( \
5037 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
5038 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
5039 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
5040 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
5041 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
5042 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
5043 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
5044 0u))
5045
5046 static const unsigned char ssl_serialized_context_header[] = {
5047 MBEDTLS_VERSION_MAJOR,
5048 MBEDTLS_VERSION_MINOR,
5049 MBEDTLS_VERSION_PATCH,
5050 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
5051 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
5052 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
5053 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
5054 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
5055 };
5056
5057 /*
5058 * Serialize a full SSL context
5059 *
5060 * The format of the serialized data is:
5061 * (in the presentation language of TLS, RFC 8446 section 3)
5062 *
5063 * // header
5064 * opaque mbedtls_version[3]; // major, minor, patch
5065 * opaque context_format[5]; // version-specific field determining
5066 * // the format of the remaining
5067 * // serialized data.
5068 * Note: When updating the format, remember to keep these
5069 * version+format bytes. (We may make their size part of the API.)
5070 *
5071 * // session sub-structure
5072 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
5073 * // transform sub-structure
5074 * uint8 random[64]; // ServerHello.random+ClientHello.random
5075 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
5076 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
5077 * // fields from ssl_context
5078 * uint32 badmac_seen_or_in_hsfraglen; // DTLS: number of records with failing MAC
5079 * uint64 in_window_top; // DTLS: last validated record seq_num
5080 * uint64 in_window; // DTLS: bitmask for replay protection
5081 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
5082 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
5083 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
5084 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
5085 *
5086 * Note that many fields of the ssl_context or sub-structures are not
5087 * serialized, as they fall in one of the following categories:
5088 *
5089 * 1. forced value (eg in_left must be 0)
5090 * 2. pointer to dynamically-allocated memory (eg session, transform)
5091 * 3. value can be re-derived from other data (eg session keys from MS)
5092 * 4. value was temporary (eg content of input buffer)
5093 * 5. value will be provided by the user again (eg I/O callbacks and context)
5094 */
mbedtls_ssl_context_save(mbedtls_ssl_context * ssl,unsigned char * buf,size_t buf_len,size_t * olen)5095 int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
5096 unsigned char *buf,
5097 size_t buf_len,
5098 size_t *olen)
5099 {
5100 unsigned char *p = buf;
5101 size_t used = 0;
5102 size_t session_len;
5103 int ret = 0;
5104
5105 /*
5106 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
5107 * this function's documentation.
5108 *
5109 * These are due to assumptions/limitations in the implementation. Some of
5110 * them are likely to stay (no handshake in progress) some might go away
5111 * (only DTLS) but are currently used to simplify the implementation.
5112 */
5113 /* The initial handshake must be over */
5114 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
5115 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
5116 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5117 }
5118 if (ssl->handshake != NULL) {
5119 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
5120 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5121 }
5122 /* Double-check that sub-structures are indeed ready */
5123 if (ssl->transform == NULL || ssl->session == NULL) {
5124 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
5125 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5126 }
5127 /* There must be no pending incoming or outgoing data */
5128 if (mbedtls_ssl_check_pending(ssl) != 0) {
5129 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
5130 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5131 }
5132 if (ssl->out_left != 0) {
5133 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
5134 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5135 }
5136 /* Protocol must be DTLS, not TLS */
5137 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5138 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
5139 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5140 }
5141 /* Version must be 1.2 */
5142 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
5143 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
5144 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5145 }
5146 /* We must be using an AEAD ciphersuite */
5147 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
5148 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
5149 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5150 }
5151 /* Renegotiation must not be enabled */
5152 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5153 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
5154 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
5155 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5156 }
5157 #endif
5158
5159 /*
5160 * Version and format identifier
5161 */
5162 used += sizeof(ssl_serialized_context_header);
5163
5164 if (used <= buf_len) {
5165 memcpy(p, ssl_serialized_context_header,
5166 sizeof(ssl_serialized_context_header));
5167 p += sizeof(ssl_serialized_context_header);
5168 }
5169
5170 /*
5171 * Session (length + data)
5172 */
5173 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
5174 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
5175 return ret;
5176 }
5177
5178 used += 4 + session_len;
5179 if (used <= buf_len) {
5180 MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
5181 p += 4;
5182
5183 ret = ssl_session_save(ssl->session, 1,
5184 p, session_len, &session_len);
5185 if (ret != 0) {
5186 return ret;
5187 }
5188
5189 p += session_len;
5190 }
5191
5192 /*
5193 * Transform
5194 */
5195 used += sizeof(ssl->transform->randbytes);
5196 if (used <= buf_len) {
5197 memcpy(p, ssl->transform->randbytes,
5198 sizeof(ssl->transform->randbytes));
5199 p += sizeof(ssl->transform->randbytes);
5200 }
5201
5202 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5203 used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
5204 if (used <= buf_len) {
5205 *p++ = ssl->transform->in_cid_len;
5206 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
5207 p += ssl->transform->in_cid_len;
5208
5209 *p++ = ssl->transform->out_cid_len;
5210 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
5211 p += ssl->transform->out_cid_len;
5212 }
5213 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5214
5215 /*
5216 * Saved fields from top-level ssl_context structure
5217 */
5218 used += 4;
5219 if (used <= buf_len) {
5220 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen_or_in_hsfraglen, p, 0);
5221 p += 4;
5222 }
5223
5224 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5225 used += 16;
5226 if (used <= buf_len) {
5227 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
5228 p += 8;
5229
5230 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
5231 p += 8;
5232 }
5233 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5234
5235 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5236 used += 1;
5237 if (used <= buf_len) {
5238 *p++ = ssl->disable_datagram_packing;
5239 }
5240 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5241
5242 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5243 if (used <= buf_len) {
5244 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
5245 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5246 }
5247
5248 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5249 used += 2;
5250 if (used <= buf_len) {
5251 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
5252 p += 2;
5253 }
5254 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5255
5256 #if defined(MBEDTLS_SSL_ALPN)
5257 {
5258 const uint8_t alpn_len = ssl->alpn_chosen
5259 ? (uint8_t) strlen(ssl->alpn_chosen)
5260 : 0;
5261
5262 used += 1 + alpn_len;
5263 if (used <= buf_len) {
5264 *p++ = alpn_len;
5265
5266 if (ssl->alpn_chosen != NULL) {
5267 memcpy(p, ssl->alpn_chosen, alpn_len);
5268 p += alpn_len;
5269 }
5270 }
5271 }
5272 #endif /* MBEDTLS_SSL_ALPN */
5273
5274 /*
5275 * Done
5276 */
5277 *olen = used;
5278
5279 if (used > buf_len) {
5280 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
5281 }
5282
5283 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
5284
5285 return mbedtls_ssl_session_reset_int(ssl, 0);
5286 }
5287
5288 /*
5289 * Deserialize context, see mbedtls_ssl_context_save() for format.
5290 *
5291 * This internal version is wrapped by a public function that cleans up in
5292 * case of error.
5293 */
5294 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_context_load(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)5295 static int ssl_context_load(mbedtls_ssl_context *ssl,
5296 const unsigned char *buf,
5297 size_t len)
5298 {
5299 const unsigned char *p = buf;
5300 const unsigned char * const end = buf + len;
5301 size_t session_len;
5302 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5303 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5304 tls_prf_fn prf_func = NULL;
5305 #endif
5306
5307 /*
5308 * The context should have been freshly setup or reset.
5309 * Give the user an error in case of obvious misuse.
5310 * (Checking session is useful because it won't be NULL if we're
5311 * renegotiating, or if the user mistakenly loaded a session first.)
5312 */
5313 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
5314 ssl->session != NULL) {
5315 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5316 }
5317
5318 /*
5319 * We can't check that the config matches the initial one, but we can at
5320 * least check it matches the requirements for serializing.
5321 */
5322 if (
5323 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5324 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5325 #endif
5326 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
5327 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
5328 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2
5329 ) {
5330 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5331 }
5332
5333 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
5334
5335 /*
5336 * Check version identifier
5337 */
5338 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
5339 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5340 }
5341
5342 if (memcmp(p, ssl_serialized_context_header,
5343 sizeof(ssl_serialized_context_header)) != 0) {
5344 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
5345 }
5346 p += sizeof(ssl_serialized_context_header);
5347
5348 /*
5349 * Session
5350 */
5351 if ((size_t) (end - p) < 4) {
5352 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5353 }
5354
5355 session_len = MBEDTLS_GET_UINT32_BE(p, 0);
5356 p += 4;
5357
5358 /* This has been allocated by ssl_handshake_init(), called by
5359 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5360 ssl->session = ssl->session_negotiate;
5361 ssl->session_in = ssl->session;
5362 ssl->session_out = ssl->session;
5363 ssl->session_negotiate = NULL;
5364
5365 if ((size_t) (end - p) < session_len) {
5366 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5367 }
5368
5369 ret = ssl_session_load(ssl->session, 1, p, session_len);
5370 if (ret != 0) {
5371 mbedtls_ssl_session_free(ssl->session);
5372 return ret;
5373 }
5374
5375 p += session_len;
5376
5377 /*
5378 * Transform
5379 */
5380
5381 /* This has been allocated by ssl_handshake_init(), called by
5382 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5383 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5384 ssl->transform = ssl->transform_negotiate;
5385 ssl->transform_in = ssl->transform;
5386 ssl->transform_out = ssl->transform;
5387 ssl->transform_negotiate = NULL;
5388 #endif
5389
5390 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5391 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
5392 if (prf_func == NULL) {
5393 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5394 }
5395
5396 /* Read random bytes and populate structure */
5397 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
5398 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5399 }
5400
5401 ret = ssl_tls12_populate_transform(ssl->transform,
5402 ssl->session->ciphersuite,
5403 ssl->session->master,
5404 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
5405 ssl->session->encrypt_then_mac,
5406 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
5407 prf_func,
5408 p, /* currently pointing to randbytes */
5409 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
5410 ssl->conf->endpoint,
5411 ssl);
5412 if (ret != 0) {
5413 return ret;
5414 }
5415 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5416 p += sizeof(ssl->transform->randbytes);
5417
5418 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5419 /* Read connection IDs and store them */
5420 if ((size_t) (end - p) < 1) {
5421 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5422 }
5423
5424 ssl->transform->in_cid_len = *p++;
5425
5426 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
5427 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5428 }
5429
5430 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
5431 p += ssl->transform->in_cid_len;
5432
5433 ssl->transform->out_cid_len = *p++;
5434
5435 if ((size_t) (end - p) < ssl->transform->out_cid_len) {
5436 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5437 }
5438
5439 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
5440 p += ssl->transform->out_cid_len;
5441 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5442
5443 /*
5444 * Saved fields from top-level ssl_context structure
5445 */
5446 if ((size_t) (end - p) < 4) {
5447 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5448 }
5449
5450 ssl->badmac_seen_or_in_hsfraglen = MBEDTLS_GET_UINT32_BE(p, 0);
5451 p += 4;
5452
5453 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5454 if ((size_t) (end - p) < 16) {
5455 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5456 }
5457
5458 ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
5459 p += 8;
5460
5461 ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
5462 p += 8;
5463 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5464
5465 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5466 if ((size_t) (end - p) < 1) {
5467 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5468 }
5469
5470 ssl->disable_datagram_packing = *p++;
5471 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5472
5473 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
5474 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5475 }
5476 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
5477 p += sizeof(ssl->cur_out_ctr);
5478
5479 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5480 if ((size_t) (end - p) < 2) {
5481 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5482 }
5483
5484 ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0);
5485 p += 2;
5486 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5487
5488 #if defined(MBEDTLS_SSL_ALPN)
5489 {
5490 uint8_t alpn_len;
5491 const char **cur;
5492
5493 if ((size_t) (end - p) < 1) {
5494 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5495 }
5496
5497 alpn_len = *p++;
5498
5499 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
5500 /* alpn_chosen should point to an item in the configured list */
5501 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
5502 if (strlen(*cur) == alpn_len &&
5503 memcmp(p, *cur, alpn_len) == 0) {
5504 ssl->alpn_chosen = *cur;
5505 break;
5506 }
5507 }
5508 }
5509
5510 /* can only happen on conf mismatch */
5511 if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
5512 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5513 }
5514
5515 p += alpn_len;
5516 }
5517 #endif /* MBEDTLS_SSL_ALPN */
5518
5519 /*
5520 * Forced fields from top-level ssl_context structure
5521 *
5522 * Most of them already set to the correct value by mbedtls_ssl_init() and
5523 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
5524 */
5525 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
5526 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5527
5528 /* Adjust pointers for header fields of outgoing records to
5529 * the given transform, accounting for explicit IV and CID. */
5530 mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
5531
5532 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5533 ssl->in_epoch = 1;
5534 #endif
5535
5536 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
5537 * which we don't want - otherwise we'd end up freeing the wrong transform
5538 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
5539 * inappropriately. */
5540 if (ssl->handshake != NULL) {
5541 mbedtls_ssl_handshake_free(ssl);
5542 mbedtls_free(ssl->handshake);
5543 ssl->handshake = NULL;
5544 }
5545
5546 /*
5547 * Done - should have consumed entire buffer
5548 */
5549 if (p != end) {
5550 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5551 }
5552
5553 return 0;
5554 }
5555
5556 /*
5557 * Deserialize context: public wrapper for error cleaning
5558 */
mbedtls_ssl_context_load(mbedtls_ssl_context * context,const unsigned char * buf,size_t len)5559 int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
5560 const unsigned char *buf,
5561 size_t len)
5562 {
5563 int ret = ssl_context_load(context, buf, len);
5564
5565 if (ret != 0) {
5566 mbedtls_ssl_free(context);
5567 }
5568
5569 return ret;
5570 }
5571 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
5572
5573 /*
5574 * Free an SSL context
5575 */
mbedtls_ssl_free(mbedtls_ssl_context * ssl)5576 void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
5577 {
5578 if (ssl == NULL) {
5579 return;
5580 }
5581
5582 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
5583
5584 if (ssl->out_buf != NULL) {
5585 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5586 size_t out_buf_len = ssl->out_buf_len;
5587 #else
5588 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
5589 #endif
5590
5591 mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len);
5592 ssl->out_buf = NULL;
5593 }
5594
5595 if (ssl->in_buf != NULL) {
5596 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5597 size_t in_buf_len = ssl->in_buf_len;
5598 #else
5599 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
5600 #endif
5601
5602 mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len);
5603 ssl->in_buf = NULL;
5604 }
5605
5606 if (ssl->transform) {
5607 mbedtls_ssl_transform_free(ssl->transform);
5608 mbedtls_free(ssl->transform);
5609 }
5610
5611 if (ssl->handshake) {
5612 mbedtls_ssl_handshake_free(ssl);
5613 mbedtls_free(ssl->handshake);
5614
5615 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5616 mbedtls_ssl_transform_free(ssl->transform_negotiate);
5617 mbedtls_free(ssl->transform_negotiate);
5618 #endif
5619
5620 mbedtls_ssl_session_free(ssl->session_negotiate);
5621 mbedtls_free(ssl->session_negotiate);
5622 }
5623
5624 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5625 mbedtls_ssl_transform_free(ssl->transform_application);
5626 mbedtls_free(ssl->transform_application);
5627 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5628
5629 if (ssl->session) {
5630 mbedtls_ssl_session_free(ssl->session);
5631 mbedtls_free(ssl->session);
5632 }
5633
5634 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5635 mbedtls_ssl_free_hostname(ssl);
5636 #endif
5637
5638 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5639 mbedtls_free(ssl->cli_id);
5640 #endif
5641
5642 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
5643
5644 /* Actually clear after last debug message */
5645 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
5646 }
5647
5648 /*
5649 * Initialize mbedtls_ssl_config
5650 */
mbedtls_ssl_config_init(mbedtls_ssl_config * conf)5651 void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
5652 {
5653 memset(conf, 0, sizeof(mbedtls_ssl_config));
5654 }
5655
5656 /* The selection should be the same as mbedtls_x509_crt_profile_default in
5657 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
5658 * curves with a lower resource usage come first.
5659 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
5660 * about this list.
5661 */
5662 static const uint16_t ssl_preset_default_groups[] = {
5663 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
5664 MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
5665 #endif
5666 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5667 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5668 #endif
5669 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5670 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5671 #endif
5672 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
5673 MBEDTLS_SSL_IANA_TLS_GROUP_X448,
5674 #endif
5675 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
5676 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
5677 #endif
5678 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
5679 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
5680 #endif
5681 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
5682 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
5683 #endif
5684 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
5685 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
5686 #endif
5687 #if defined(PSA_WANT_ALG_FFDH)
5688 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
5689 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
5690 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
5691 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144,
5692 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192,
5693 #endif
5694 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5695 };
5696
5697 static const int ssl_preset_suiteb_ciphersuites[] = {
5698 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
5699 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
5700 0
5701 };
5702
5703 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5704
5705 /* NOTICE:
5706 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
5707 * rules SHOULD be upheld.
5708 * - No duplicate entries.
5709 * - But if there is a good reason, do not change the order of the algorithms.
5710 * - ssl_tls12_preset* is for TLS 1.2 use only.
5711 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
5712 */
5713 static const uint16_t ssl_preset_default_sig_algs[] = {
5714
5715 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5716 defined(MBEDTLS_MD_CAN_SHA256) && \
5717 defined(PSA_WANT_ECC_SECP_R1_256)
5718 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5719 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5720 #endif
5721
5722 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5723 defined(MBEDTLS_MD_CAN_SHA384) && \
5724 defined(PSA_WANT_ECC_SECP_R1_384)
5725 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5726 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5727 #endif
5728
5729 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5730 defined(MBEDTLS_MD_CAN_SHA512) && \
5731 defined(PSA_WANT_ECC_SECP_R1_521)
5732 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
5733 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
5734 #endif
5735
5736 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
5737 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5738 #endif
5739
5740 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384)
5741 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5742 #endif
5743
5744 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
5745 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5746 #endif
5747
5748 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
5749 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
5750 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
5751
5752 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
5753 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
5754 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
5755
5756 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
5757 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
5758 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
5759
5760 MBEDTLS_TLS_SIG_NONE
5761 };
5762
5763 /* NOTICE: see above */
5764 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5765 static const uint16_t ssl_tls12_preset_default_sig_algs[] = {
5766
5767 #if defined(MBEDTLS_MD_CAN_SHA512)
5768 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5769 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
5770 #endif
5771 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5772 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5773 #endif
5774 #if defined(MBEDTLS_RSA_C)
5775 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
5776 #endif
5777 #endif /* MBEDTLS_MD_CAN_SHA512 */
5778
5779 #if defined(MBEDTLS_MD_CAN_SHA384)
5780 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5781 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5782 #endif
5783 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5784 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5785 #endif
5786 #if defined(MBEDTLS_RSA_C)
5787 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
5788 #endif
5789 #endif /* MBEDTLS_MD_CAN_SHA384 */
5790
5791 #if defined(MBEDTLS_MD_CAN_SHA256)
5792 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5793 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5794 #endif
5795 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5796 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5797 #endif
5798 #if defined(MBEDTLS_RSA_C)
5799 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
5800 #endif
5801 #endif /* MBEDTLS_MD_CAN_SHA256 */
5802
5803 MBEDTLS_TLS_SIG_NONE
5804 };
5805 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5806
5807 /* NOTICE: see above */
5808 static const uint16_t ssl_preset_suiteb_sig_algs[] = {
5809
5810 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5811 defined(MBEDTLS_MD_CAN_SHA256) && \
5812 defined(MBEDTLS_ECP_HAVE_SECP256R1)
5813 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5814 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5815 #endif
5816
5817 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5818 defined(MBEDTLS_MD_CAN_SHA384) && \
5819 defined(MBEDTLS_ECP_HAVE_SECP384R1)
5820 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5821 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5822 #endif
5823
5824 MBEDTLS_TLS_SIG_NONE
5825 };
5826
5827 /* NOTICE: see above */
5828 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5829 static const uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
5830
5831 #if defined(MBEDTLS_MD_CAN_SHA256)
5832 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5833 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5834 #endif
5835 #endif /* MBEDTLS_MD_CAN_SHA256 */
5836
5837 #if defined(MBEDTLS_MD_CAN_SHA384)
5838 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5839 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5840 #endif
5841 #endif /* MBEDTLS_MD_CAN_SHA384 */
5842
5843 MBEDTLS_TLS_SIG_NONE
5844 };
5845 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5846
5847 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5848
5849 static const uint16_t ssl_preset_suiteb_groups[] = {
5850 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5851 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5852 #endif
5853 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5854 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5855 #endif
5856 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5857 };
5858
5859 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5860 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
5861 * to make sure there are no duplicated signature algorithm entries. */
5862 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_no_sig_alg_duplication(const uint16_t * sig_algs)5863 static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
5864 {
5865 size_t i, j;
5866 int ret = 0;
5867
5868 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
5869 for (j = 0; j < i; j++) {
5870 if (sig_algs[i] != sig_algs[j]) {
5871 continue;
5872 }
5873 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
5874 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
5875 sig_algs[i], j, i);
5876 ret = -1;
5877 }
5878 }
5879 return ret;
5880 }
5881
5882 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5883
5884 /*
5885 * Load default in mbedtls_ssl_config
5886 */
mbedtls_ssl_config_defaults(mbedtls_ssl_config * conf,int endpoint,int transport,int preset)5887 int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
5888 int endpoint, int transport, int preset)
5889 {
5890 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5891 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5892 #endif
5893
5894 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5895 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
5896 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
5897 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5898 }
5899
5900 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
5901 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
5902 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5903 }
5904
5905 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5906 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
5907 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
5908 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5909 }
5910
5911 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
5912 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
5913 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5914 }
5915 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5916 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5917
5918 /* Use the functions here so that they are covered in tests,
5919 * but otherwise access member directly for efficiency */
5920 mbedtls_ssl_conf_endpoint(conf, endpoint);
5921 mbedtls_ssl_conf_transport(conf, transport);
5922
5923 /*
5924 * Things that are common to all presets
5925 */
5926 #if defined(MBEDTLS_SSL_CLI_C)
5927 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
5928 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
5929 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
5930 mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
5931 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5932 /* Contrary to TLS 1.2 tickets, TLS 1.3 NewSessionTicket message
5933 * handling is disabled by default in Mbed TLS 3.6.x for backward
5934 * compatibility with client applications developed using Mbed TLS 3.5
5935 * or earlier with the default configuration.
5936 *
5937 * Up to Mbed TLS 3.5, in the default configuration TLS 1.3 was
5938 * disabled, and a Mbed TLS client with the default configuration would
5939 * establish a TLS 1.2 connection with a TLS 1.2 and TLS 1.3 capable
5940 * server.
5941 *
5942 * Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled by default, and thus
5943 * an Mbed TLS client with the default configuration establishes a
5944 * TLS 1.3 connection with a TLS 1.2 and TLS 1.3 capable server. If
5945 * following the handshake the TLS 1.3 server sends NewSessionTicket
5946 * messages and the Mbed TLS client processes them, this results in
5947 * Mbed TLS high level APIs (mbedtls_ssl_read(),
5948 * mbedtls_ssl_handshake(), ...) to eventually return an
5949 * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET non fatal error code
5950 * (see the documentation of mbedtls_ssl_read() for more information on
5951 * that error code). Applications unaware of that TLS 1.3 specific non
5952 * fatal error code are then failing.
5953 */
5954 mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
5955 conf, MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED);
5956 #endif
5957 #endif
5958 }
5959 #endif
5960
5961 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5962 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
5963 #endif
5964
5965 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
5966 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
5967 #endif
5968
5969 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5970 conf->f_cookie_write = ssl_cookie_write_dummy;
5971 conf->f_cookie_check = ssl_cookie_check_dummy;
5972 #endif
5973
5974 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5975 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
5976 #endif
5977
5978 #if defined(MBEDTLS_SSL_SRV_C)
5979 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
5980 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
5981 #endif
5982
5983 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5984 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
5985 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
5986 #endif
5987
5988 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5989 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
5990 memset(conf->renego_period, 0x00, 2);
5991 memset(conf->renego_period + 2, 0xFF, 6);
5992 #endif
5993
5994 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5995 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
5996 const unsigned char dhm_p[] =
5997 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
5998 const unsigned char dhm_g[] =
5999 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
6000
6001 if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
6002 dhm_p, sizeof(dhm_p),
6003 dhm_g, sizeof(dhm_g))) != 0) {
6004 return ret;
6005 }
6006 }
6007 #endif
6008
6009 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
6010
6011 #if defined(MBEDTLS_SSL_EARLY_DATA)
6012 mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
6013 #if defined(MBEDTLS_SSL_SRV_C)
6014 mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
6015 #endif
6016 #endif /* MBEDTLS_SSL_EARLY_DATA */
6017
6018 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
6019 mbedtls_ssl_conf_new_session_tickets(
6020 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS);
6021 #endif
6022 /*
6023 * Allow all TLS 1.3 key exchange modes by default.
6024 */
6025 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
6026 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
6027
6028 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
6029 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6030 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
6031 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
6032 #else
6033 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
6034 #endif
6035 } else {
6036 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
6037 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
6038 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
6039 #elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
6040 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
6041 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
6042 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
6043 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
6044 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
6045 #else
6046 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
6047 #endif
6048 }
6049
6050 /*
6051 * Preset-specific defaults
6052 */
6053 switch (preset) {
6054 /*
6055 * NSA Suite B
6056 */
6057 case MBEDTLS_SSL_PRESET_SUITEB:
6058
6059 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
6060
6061 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6062 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
6063 #endif
6064
6065 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6066 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6067 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
6068 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
6069 } else
6070 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6071 conf->sig_algs = ssl_preset_suiteb_sig_algs;
6072 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6073
6074 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6075 conf->curve_list = NULL;
6076 #endif
6077 conf->group_list = ssl_preset_suiteb_groups;
6078 break;
6079
6080 /*
6081 * Default
6082 */
6083 default:
6084
6085 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
6086
6087 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6088 conf->cert_profile = &mbedtls_x509_crt_profile_default;
6089 #endif
6090
6091 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6092 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6093 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
6094 conf->sig_algs = ssl_tls12_preset_default_sig_algs;
6095 } else
6096 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6097 conf->sig_algs = ssl_preset_default_sig_algs;
6098 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6099
6100 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6101 conf->curve_list = NULL;
6102 #endif
6103 conf->group_list = ssl_preset_default_groups;
6104
6105 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
6106 conf->dhm_min_bitlen = 1024;
6107 #endif
6108 }
6109
6110 return 0;
6111 }
6112
6113 /*
6114 * Free mbedtls_ssl_config
6115 */
mbedtls_ssl_config_free(mbedtls_ssl_config * conf)6116 void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
6117 {
6118 if (conf == NULL) {
6119 return;
6120 }
6121
6122 #if defined(MBEDTLS_DHM_C)
6123 mbedtls_mpi_free(&conf->dhm_P);
6124 mbedtls_mpi_free(&conf->dhm_G);
6125 #endif
6126
6127 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
6128 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6129 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
6130 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
6131 }
6132 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6133 if (conf->psk != NULL) {
6134 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
6135 conf->psk = NULL;
6136 conf->psk_len = 0;
6137 }
6138
6139 if (conf->psk_identity != NULL) {
6140 mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len);
6141 conf->psk_identity = NULL;
6142 conf->psk_identity_len = 0;
6143 }
6144 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
6145
6146 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6147 ssl_key_cert_free(conf->key_cert);
6148 #endif
6149
6150 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
6151 }
6152
6153 #if defined(MBEDTLS_PK_C) && \
6154 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
6155 /*
6156 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
6157 */
mbedtls_ssl_sig_from_pk(mbedtls_pk_context * pk)6158 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
6159 {
6160 #if defined(MBEDTLS_RSA_C)
6161 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
6162 return MBEDTLS_SSL_SIG_RSA;
6163 }
6164 #endif
6165 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6166 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
6167 return MBEDTLS_SSL_SIG_ECDSA;
6168 }
6169 #endif
6170 return MBEDTLS_SSL_SIG_ANON;
6171 }
6172
mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)6173 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
6174 {
6175 switch (type) {
6176 case MBEDTLS_PK_RSA:
6177 return MBEDTLS_SSL_SIG_RSA;
6178 case MBEDTLS_PK_ECDSA:
6179 case MBEDTLS_PK_ECKEY:
6180 return MBEDTLS_SSL_SIG_ECDSA;
6181 default:
6182 return MBEDTLS_SSL_SIG_ANON;
6183 }
6184 }
6185
mbedtls_ssl_pk_alg_from_sig(unsigned char sig)6186 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
6187 {
6188 switch (sig) {
6189 #if defined(MBEDTLS_RSA_C)
6190 case MBEDTLS_SSL_SIG_RSA:
6191 return MBEDTLS_PK_RSA;
6192 #endif
6193 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6194 case MBEDTLS_SSL_SIG_ECDSA:
6195 return MBEDTLS_PK_ECDSA;
6196 #endif
6197 default:
6198 return MBEDTLS_PK_NONE;
6199 }
6200 }
6201 #endif /* MBEDTLS_PK_C &&
6202 ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
6203
6204 /*
6205 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
6206 */
mbedtls_ssl_md_alg_from_hash(unsigned char hash)6207 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
6208 {
6209 switch (hash) {
6210 #if defined(MBEDTLS_MD_CAN_MD5)
6211 case MBEDTLS_SSL_HASH_MD5:
6212 return MBEDTLS_MD_MD5;
6213 #endif
6214 #if defined(MBEDTLS_MD_CAN_SHA1)
6215 case MBEDTLS_SSL_HASH_SHA1:
6216 return MBEDTLS_MD_SHA1;
6217 #endif
6218 #if defined(MBEDTLS_MD_CAN_SHA224)
6219 case MBEDTLS_SSL_HASH_SHA224:
6220 return MBEDTLS_MD_SHA224;
6221 #endif
6222 #if defined(MBEDTLS_MD_CAN_SHA256)
6223 case MBEDTLS_SSL_HASH_SHA256:
6224 return MBEDTLS_MD_SHA256;
6225 #endif
6226 #if defined(MBEDTLS_MD_CAN_SHA384)
6227 case MBEDTLS_SSL_HASH_SHA384:
6228 return MBEDTLS_MD_SHA384;
6229 #endif
6230 #if defined(MBEDTLS_MD_CAN_SHA512)
6231 case MBEDTLS_SSL_HASH_SHA512:
6232 return MBEDTLS_MD_SHA512;
6233 #endif
6234 default:
6235 return MBEDTLS_MD_NONE;
6236 }
6237 }
6238
6239 /*
6240 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
6241 */
mbedtls_ssl_hash_from_md_alg(int md)6242 unsigned char mbedtls_ssl_hash_from_md_alg(int md)
6243 {
6244 switch (md) {
6245 #if defined(MBEDTLS_MD_CAN_MD5)
6246 case MBEDTLS_MD_MD5:
6247 return MBEDTLS_SSL_HASH_MD5;
6248 #endif
6249 #if defined(MBEDTLS_MD_CAN_SHA1)
6250 case MBEDTLS_MD_SHA1:
6251 return MBEDTLS_SSL_HASH_SHA1;
6252 #endif
6253 #if defined(MBEDTLS_MD_CAN_SHA224)
6254 case MBEDTLS_MD_SHA224:
6255 return MBEDTLS_SSL_HASH_SHA224;
6256 #endif
6257 #if defined(MBEDTLS_MD_CAN_SHA256)
6258 case MBEDTLS_MD_SHA256:
6259 return MBEDTLS_SSL_HASH_SHA256;
6260 #endif
6261 #if defined(MBEDTLS_MD_CAN_SHA384)
6262 case MBEDTLS_MD_SHA384:
6263 return MBEDTLS_SSL_HASH_SHA384;
6264 #endif
6265 #if defined(MBEDTLS_MD_CAN_SHA512)
6266 case MBEDTLS_MD_SHA512:
6267 return MBEDTLS_SSL_HASH_SHA512;
6268 #endif
6269 default:
6270 return MBEDTLS_SSL_HASH_NONE;
6271 }
6272 }
6273
6274 /*
6275 * Check if a curve proposed by the peer is in our list.
6276 * Return 0 if we're willing to use it, -1 otherwise.
6277 */
mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context * ssl,uint16_t tls_id)6278 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id)
6279 {
6280 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
6281
6282 if (group_list == NULL) {
6283 return -1;
6284 }
6285
6286 for (; *group_list != 0; group_list++) {
6287 if (*group_list == tls_id) {
6288 return 0;
6289 }
6290 }
6291
6292 return -1;
6293 }
6294
6295 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
6296 /*
6297 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
6298 */
mbedtls_ssl_check_curve(const mbedtls_ssl_context * ssl,mbedtls_ecp_group_id grp_id)6299 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
6300 {
6301 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
6302
6303 if (tls_id == 0) {
6304 return -1;
6305 }
6306
6307 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
6308 }
6309 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
6310
6311 static const struct {
6312 uint16_t tls_id;
6313 mbedtls_ecp_group_id ecp_group_id;
6314 psa_ecc_family_t psa_family;
6315 uint16_t bits;
6316 } tls_id_match_table[] =
6317 {
6318 #if defined(MBEDTLS_ECP_HAVE_SECP521R1)
6319 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
6320 #endif
6321 #if defined(MBEDTLS_ECP_HAVE_BP512R1)
6322 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
6323 #endif
6324 #if defined(MBEDTLS_ECP_HAVE_SECP384R1)
6325 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
6326 #endif
6327 #if defined(MBEDTLS_ECP_HAVE_BP384R1)
6328 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
6329 #endif
6330 #if defined(MBEDTLS_ECP_HAVE_SECP256R1)
6331 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
6332 #endif
6333 #if defined(MBEDTLS_ECP_HAVE_SECP256K1)
6334 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
6335 #endif
6336 #if defined(MBEDTLS_ECP_HAVE_BP256R1)
6337 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
6338 #endif
6339 #if defined(MBEDTLS_ECP_HAVE_SECP224R1)
6340 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
6341 #endif
6342 #if defined(MBEDTLS_ECP_HAVE_SECP224K1)
6343 { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
6344 #endif
6345 #if defined(MBEDTLS_ECP_HAVE_SECP192R1)
6346 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
6347 #endif
6348 #if defined(MBEDTLS_ECP_HAVE_SECP192K1)
6349 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
6350 #endif
6351 #if defined(MBEDTLS_ECP_HAVE_CURVE25519)
6352 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
6353 #endif
6354 #if defined(MBEDTLS_ECP_HAVE_CURVE448)
6355 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
6356 #endif
6357 { 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
6358 };
6359
mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,psa_key_type_t * type,size_t * bits)6360 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
6361 psa_key_type_t *type,
6362 size_t *bits)
6363 {
6364 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
6365 if (tls_id_match_table[i].tls_id == tls_id) {
6366 if (type != NULL) {
6367 *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
6368 }
6369 if (bits != NULL) {
6370 *bits = tls_id_match_table[i].bits;
6371 }
6372 return PSA_SUCCESS;
6373 }
6374 }
6375
6376 return PSA_ERROR_NOT_SUPPORTED;
6377 }
6378
mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)6379 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
6380 {
6381 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
6382 if (tls_id_match_table[i].tls_id == tls_id) {
6383 return tls_id_match_table[i].ecp_group_id;
6384 }
6385 }
6386
6387 return MBEDTLS_ECP_DP_NONE;
6388 }
6389
mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)6390 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
6391 {
6392 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
6393 i++) {
6394 if (tls_id_match_table[i].ecp_group_id == grp_id) {
6395 return tls_id_match_table[i].tls_id;
6396 }
6397 }
6398
6399 return 0;
6400 }
6401
6402 #if defined(MBEDTLS_DEBUG_C)
6403 static const struct {
6404 uint16_t tls_id;
6405 const char *name;
6406 } tls_id_curve_name_table[] =
6407 {
6408 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },
6409 { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },
6410 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },
6411 { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },
6412 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
6413 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
6414 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
6415 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
6416 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
6417 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
6418 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
6419 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
6420 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
6421 { 0, NULL },
6422 };
6423
mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)6424 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
6425 {
6426 for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) {
6427 if (tls_id_curve_name_table[i].tls_id == tls_id) {
6428 return tls_id_curve_name_table[i].name;
6429 }
6430 }
6431
6432 return NULL;
6433 }
6434 #endif
6435
6436 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)6437 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
6438 const mbedtls_md_type_t md,
6439 unsigned char *dst,
6440 size_t dst_len,
6441 size_t *olen)
6442 {
6443 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6444 psa_hash_operation_t *hash_operation_to_clone;
6445 psa_hash_operation_t hash_operation = psa_hash_operation_init();
6446
6447 *olen = 0;
6448
6449 switch (md) {
6450 #if defined(MBEDTLS_MD_CAN_SHA384)
6451 case MBEDTLS_MD_SHA384:
6452 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
6453 break;
6454 #endif
6455
6456 #if defined(MBEDTLS_MD_CAN_SHA256)
6457 case MBEDTLS_MD_SHA256:
6458 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
6459 break;
6460 #endif
6461
6462 default:
6463 goto exit;
6464 }
6465
6466 status = psa_hash_clone(hash_operation_to_clone, &hash_operation);
6467 if (status != PSA_SUCCESS) {
6468 goto exit;
6469 }
6470
6471 status = psa_hash_finish(&hash_operation, dst, dst_len, olen);
6472 if (status != PSA_SUCCESS) {
6473 goto exit;
6474 }
6475
6476 exit:
6477 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
6478 !defined(MBEDTLS_MD_CAN_SHA256)
6479 (void) ssl;
6480 #endif
6481 return PSA_TO_MBEDTLS_ERR(status);
6482 }
6483 #else /* MBEDTLS_USE_PSA_CRYPTO */
6484
6485 #if defined(MBEDTLS_MD_CAN_SHA384)
6486 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha384(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)6487 static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl,
6488 unsigned char *dst,
6489 size_t dst_len,
6490 size_t *olen)
6491 {
6492 int ret;
6493 mbedtls_md_context_t sha384;
6494
6495 if (dst_len < 48) {
6496 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6497 }
6498
6499 mbedtls_md_init(&sha384);
6500 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
6501 if (ret != 0) {
6502 goto exit;
6503 }
6504 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
6505 if (ret != 0) {
6506 goto exit;
6507 }
6508
6509 if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) {
6510 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
6511 goto exit;
6512 }
6513
6514 *olen = 48;
6515
6516 exit:
6517
6518 mbedtls_md_free(&sha384);
6519 return ret;
6520 }
6521 #endif /* MBEDTLS_MD_CAN_SHA384 */
6522
6523 #if defined(MBEDTLS_MD_CAN_SHA256)
6524 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_get_handshake_transcript_sha256(mbedtls_ssl_context * ssl,unsigned char * dst,size_t dst_len,size_t * olen)6525 static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl,
6526 unsigned char *dst,
6527 size_t dst_len,
6528 size_t *olen)
6529 {
6530 int ret;
6531 mbedtls_md_context_t sha256;
6532
6533 if (dst_len < 32) {
6534 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6535 }
6536
6537 mbedtls_md_init(&sha256);
6538 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
6539 if (ret != 0) {
6540 goto exit;
6541 }
6542 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
6543 if (ret != 0) {
6544 goto exit;
6545 }
6546
6547 if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) {
6548 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
6549 goto exit;
6550 }
6551
6552 *olen = 32;
6553
6554 exit:
6555
6556 mbedtls_md_free(&sha256);
6557 return ret;
6558 }
6559 #endif /* MBEDTLS_MD_CAN_SHA256 */
6560
mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context * ssl,const mbedtls_md_type_t md,unsigned char * dst,size_t dst_len,size_t * olen)6561 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
6562 const mbedtls_md_type_t md,
6563 unsigned char *dst,
6564 size_t dst_len,
6565 size_t *olen)
6566 {
6567 switch (md) {
6568
6569 #if defined(MBEDTLS_MD_CAN_SHA384)
6570 case MBEDTLS_MD_SHA384:
6571 return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen);
6572 #endif /* MBEDTLS_MD_CAN_SHA384*/
6573
6574 #if defined(MBEDTLS_MD_CAN_SHA256)
6575 case MBEDTLS_MD_SHA256:
6576 return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen);
6577 #endif /* MBEDTLS_MD_CAN_SHA256*/
6578
6579 default:
6580 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
6581 !defined(MBEDTLS_MD_CAN_SHA256)
6582 (void) ssl;
6583 (void) dst;
6584 (void) dst_len;
6585 (void) olen;
6586 #endif
6587 break;
6588 }
6589 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6590 }
6591
6592 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
6593
6594 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6595 /* mbedtls_ssl_parse_sig_alg_ext()
6596 *
6597 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
6598 * value (TLS 1.3 RFC8446):
6599 * enum {
6600 * ....
6601 * ecdsa_secp256r1_sha256( 0x0403 ),
6602 * ecdsa_secp384r1_sha384( 0x0503 ),
6603 * ecdsa_secp521r1_sha512( 0x0603 ),
6604 * ....
6605 * } SignatureScheme;
6606 *
6607 * struct {
6608 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
6609 * } SignatureSchemeList;
6610 *
6611 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
6612 * value (TLS 1.2 RFC5246):
6613 * enum {
6614 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
6615 * sha512(6), (255)
6616 * } HashAlgorithm;
6617 *
6618 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
6619 * SignatureAlgorithm;
6620 *
6621 * struct {
6622 * HashAlgorithm hash;
6623 * SignatureAlgorithm signature;
6624 * } SignatureAndHashAlgorithm;
6625 *
6626 * SignatureAndHashAlgorithm
6627 * supported_signature_algorithms<2..2^16-2>;
6628 *
6629 * The TLS 1.3 signature algorithm extension was defined to be a compatible
6630 * generalization of the TLS 1.2 signature algorithm extension.
6631 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
6632 * `SignatureScheme` field of TLS 1.3
6633 *
6634 */
mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)6635 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
6636 const unsigned char *buf,
6637 const unsigned char *end)
6638 {
6639 const unsigned char *p = buf;
6640 size_t supported_sig_algs_len = 0;
6641 const unsigned char *supported_sig_algs_end;
6642 uint16_t sig_alg;
6643 uint32_t common_idx = 0;
6644
6645 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
6646 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0);
6647 p += 2;
6648
6649 memset(ssl->handshake->received_sig_algs, 0,
6650 sizeof(ssl->handshake->received_sig_algs));
6651
6652 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len);
6653 supported_sig_algs_end = p + supported_sig_algs_len;
6654 while (p < supported_sig_algs_end) {
6655 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2);
6656 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
6657 p += 2;
6658 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s",
6659 sig_alg,
6660 mbedtls_ssl_sig_alg_to_str(sig_alg)));
6661 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6662 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
6663 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) &&
6664 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) {
6665 continue;
6666 }
6667 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6668
6669 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s",
6670 mbedtls_ssl_sig_alg_to_str(sig_alg)));
6671
6672 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) {
6673 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
6674 common_idx += 1;
6675 }
6676 }
6677 /* Check that we consumed all the message. */
6678 if (p != end) {
6679 MBEDTLS_SSL_DEBUG_MSG(1,
6680 ("Signature algorithms extension length misaligned"));
6681 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
6682 MBEDTLS_ERR_SSL_DECODE_ERROR);
6683 return MBEDTLS_ERR_SSL_DECODE_ERROR;
6684 }
6685
6686 if (common_idx == 0) {
6687 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common"));
6688 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
6689 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
6690 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
6691 }
6692
6693 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
6694 return 0;
6695 }
6696
6697 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6698
6699 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6700
6701 #if defined(MBEDTLS_USE_PSA_CRYPTO)
6702
setup_psa_key_derivation(psa_key_derivation_operation_t * derivation,mbedtls_svc_key_id_t key,psa_algorithm_t alg,const unsigned char * raw_psk,size_t raw_psk_length,const unsigned char * seed,size_t seed_length,const unsigned char * label,size_t label_length,const unsigned char * other_secret,size_t other_secret_length,size_t capacity)6703 static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
6704 mbedtls_svc_key_id_t key,
6705 psa_algorithm_t alg,
6706 const unsigned char *raw_psk, size_t raw_psk_length,
6707 const unsigned char *seed, size_t seed_length,
6708 const unsigned char *label, size_t label_length,
6709 const unsigned char *other_secret,
6710 size_t other_secret_length,
6711 size_t capacity)
6712 {
6713 psa_status_t status;
6714
6715 status = psa_key_derivation_setup(derivation, alg);
6716 if (status != PSA_SUCCESS) {
6717 return status;
6718 }
6719
6720 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
6721 status = psa_key_derivation_input_bytes(derivation,
6722 PSA_KEY_DERIVATION_INPUT_SEED,
6723 seed, seed_length);
6724 if (status != PSA_SUCCESS) {
6725 return status;
6726 }
6727
6728 if (other_secret != NULL) {
6729 status = psa_key_derivation_input_bytes(derivation,
6730 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
6731 other_secret, other_secret_length);
6732 if (status != PSA_SUCCESS) {
6733 return status;
6734 }
6735 }
6736
6737 if (mbedtls_svc_key_id_is_null(key)) {
6738 status = psa_key_derivation_input_bytes(
6739 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
6740 raw_psk, raw_psk_length);
6741 } else {
6742 status = psa_key_derivation_input_key(
6743 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
6744 }
6745 if (status != PSA_SUCCESS) {
6746 return status;
6747 }
6748
6749 status = psa_key_derivation_input_bytes(derivation,
6750 PSA_KEY_DERIVATION_INPUT_LABEL,
6751 label, label_length);
6752 if (status != PSA_SUCCESS) {
6753 return status;
6754 }
6755 } else {
6756 return PSA_ERROR_NOT_SUPPORTED;
6757 }
6758
6759 status = psa_key_derivation_set_capacity(derivation, capacity);
6760 if (status != PSA_SUCCESS) {
6761 return status;
6762 }
6763
6764 return PSA_SUCCESS;
6765 }
6766
6767 #if defined(PSA_WANT_ALG_SHA_384) || \
6768 defined(PSA_WANT_ALG_SHA_256)
6769 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,size_t label_len,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6770 static int tls_prf_generic(mbedtls_md_type_t md_type,
6771 const unsigned char *secret, size_t slen,
6772 const char *label, size_t label_len,
6773 const unsigned char *random, size_t rlen,
6774 unsigned char *dstbuf, size_t dlen)
6775 {
6776 psa_status_t status;
6777 psa_algorithm_t alg;
6778 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
6779 psa_key_derivation_operation_t derivation =
6780 PSA_KEY_DERIVATION_OPERATION_INIT;
6781
6782 if (md_type == MBEDTLS_MD_SHA384) {
6783 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
6784 } else {
6785 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
6786 }
6787
6788 /* Normally a "secret" should be long enough to be impossible to
6789 * find by brute force, and in particular should not be empty. But
6790 * this PRF is also used to derive an IV, in particular in EAP-TLS,
6791 * and for this use case it makes sense to have a 0-length "secret".
6792 * Since the key API doesn't allow importing a key of length 0,
6793 * keep master_key=0, which setup_psa_key_derivation() understands
6794 * to mean a 0-length "secret" input. */
6795 if (slen != 0) {
6796 psa_key_attributes_t key_attributes = psa_key_attributes_init();
6797 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
6798 psa_set_key_algorithm(&key_attributes, alg);
6799 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
6800
6801 status = psa_import_key(&key_attributes, secret, slen, &master_key);
6802 if (status != PSA_SUCCESS) {
6803 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6804 }
6805 }
6806
6807 status = setup_psa_key_derivation(&derivation,
6808 master_key, alg,
6809 NULL, 0,
6810 random, rlen,
6811 (unsigned char const *) label,
6812 label_len,
6813 NULL, 0,
6814 dlen);
6815 if (status != PSA_SUCCESS) {
6816 psa_key_derivation_abort(&derivation);
6817 psa_destroy_key(master_key);
6818 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6819 }
6820
6821 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
6822 if (status != PSA_SUCCESS) {
6823 psa_key_derivation_abort(&derivation);
6824 psa_destroy_key(master_key);
6825 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6826 }
6827
6828 status = psa_key_derivation_abort(&derivation);
6829 if (status != PSA_SUCCESS) {
6830 psa_destroy_key(master_key);
6831 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6832 }
6833
6834 if (!mbedtls_svc_key_id_is_null(master_key)) {
6835 status = psa_destroy_key(master_key);
6836 }
6837 if (status != PSA_SUCCESS) {
6838 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6839 }
6840
6841 return 0;
6842 }
6843 #endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
6844 #else /* MBEDTLS_USE_PSA_CRYPTO */
6845
6846 #if defined(MBEDTLS_MD_C) && \
6847 (defined(MBEDTLS_MD_CAN_SHA256) || \
6848 defined(MBEDTLS_MD_CAN_SHA384))
6849 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_generic(mbedtls_md_type_t md_type,const unsigned char * secret,size_t slen,const char * label,size_t label_len,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6850 static int tls_prf_generic(mbedtls_md_type_t md_type,
6851 const unsigned char *secret, size_t slen,
6852 const char *label, size_t label_len,
6853 const unsigned char *random, size_t rlen,
6854 unsigned char *dstbuf, size_t dlen)
6855 {
6856 size_t nb;
6857 size_t i, j, k, md_len;
6858 unsigned char *tmp;
6859 size_t tmp_len = 0;
6860 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
6861 const mbedtls_md_info_t *md_info;
6862 mbedtls_md_context_t md_ctx;
6863 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6864
6865 mbedtls_md_init(&md_ctx);
6866
6867 if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) {
6868 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6869 }
6870
6871 md_len = mbedtls_md_get_size(md_info);
6872
6873 tmp_len = md_len + label_len + rlen;
6874 tmp = mbedtls_calloc(1, tmp_len);
6875 if (tmp == NULL) {
6876 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
6877 goto exit;
6878 }
6879
6880 nb = label_len;
6881 memcpy(tmp + md_len, label, nb);
6882 memcpy(tmp + md_len + nb, random, rlen);
6883 nb += rlen;
6884
6885 /*
6886 * Compute P_<hash>(secret, label + random)[0..dlen]
6887 */
6888 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
6889 goto exit;
6890 }
6891
6892 ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen);
6893 if (ret != 0) {
6894 goto exit;
6895 }
6896 ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb);
6897 if (ret != 0) {
6898 goto exit;
6899 }
6900 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6901 if (ret != 0) {
6902 goto exit;
6903 }
6904
6905 for (i = 0; i < dlen; i += md_len) {
6906 ret = mbedtls_md_hmac_reset(&md_ctx);
6907 if (ret != 0) {
6908 goto exit;
6909 }
6910 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb);
6911 if (ret != 0) {
6912 goto exit;
6913 }
6914 ret = mbedtls_md_hmac_finish(&md_ctx, h_i);
6915 if (ret != 0) {
6916 goto exit;
6917 }
6918
6919 ret = mbedtls_md_hmac_reset(&md_ctx);
6920 if (ret != 0) {
6921 goto exit;
6922 }
6923 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len);
6924 if (ret != 0) {
6925 goto exit;
6926 }
6927 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6928 if (ret != 0) {
6929 goto exit;
6930 }
6931
6932 k = (i + md_len > dlen) ? dlen % md_len : md_len;
6933
6934 for (j = 0; j < k; j++) {
6935 dstbuf[i + j] = h_i[j];
6936 }
6937 }
6938
6939 exit:
6940 mbedtls_md_free(&md_ctx);
6941
6942 if (tmp != NULL) {
6943 mbedtls_platform_zeroize(tmp, tmp_len);
6944 }
6945
6946 mbedtls_platform_zeroize(h_i, sizeof(h_i));
6947
6948 mbedtls_free(tmp);
6949
6950 return ret;
6951 }
6952 #endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */
6953 #endif /* MBEDTLS_USE_PSA_CRYPTO */
6954
6955 #if defined(MBEDTLS_MD_CAN_SHA256)
6956 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha256(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6957 static int tls_prf_sha256(const unsigned char *secret, size_t slen,
6958 const char *label,
6959 const unsigned char *random, size_t rlen,
6960 unsigned char *dstbuf, size_t dlen)
6961 {
6962 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
6963 label, strlen(label), random, rlen, dstbuf, dlen);
6964 }
6965 #endif /* MBEDTLS_MD_CAN_SHA256*/
6966
6967 #if defined(MBEDTLS_MD_CAN_SHA384)
6968 MBEDTLS_CHECK_RETURN_CRITICAL
tls_prf_sha384(const unsigned char * secret,size_t slen,const char * label,const unsigned char * random,size_t rlen,unsigned char * dstbuf,size_t dlen)6969 static int tls_prf_sha384(const unsigned char *secret, size_t slen,
6970 const char *label,
6971 const unsigned char *random, size_t rlen,
6972 unsigned char *dstbuf, size_t dlen)
6973 {
6974 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
6975 label, strlen(label), random, rlen, dstbuf, dlen);
6976 }
6977 #endif /* MBEDTLS_MD_CAN_SHA384*/
6978
6979 /*
6980 * Set appropriate PRF function and other SSL / TLS1.2 functions
6981 *
6982 * Inputs:
6983 * - hash associated with the ciphersuite (only used by TLS 1.2)
6984 *
6985 * Outputs:
6986 * - the tls_prf, calc_verify and calc_finished members of handshake structure
6987 */
6988 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_set_handshake_prfs(mbedtls_ssl_handshake_params * handshake,mbedtls_md_type_t hash)6989 static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
6990 mbedtls_md_type_t hash)
6991 {
6992 #if defined(MBEDTLS_MD_CAN_SHA384)
6993 if (hash == MBEDTLS_MD_SHA384) {
6994 handshake->tls_prf = tls_prf_sha384;
6995 handshake->calc_verify = ssl_calc_verify_tls_sha384;
6996 handshake->calc_finished = ssl_calc_finished_tls_sha384;
6997 } else
6998 #endif
6999 #if defined(MBEDTLS_MD_CAN_SHA256)
7000 {
7001 (void) hash;
7002 handshake->tls_prf = tls_prf_sha256;
7003 handshake->calc_verify = ssl_calc_verify_tls_sha256;
7004 handshake->calc_finished = ssl_calc_finished_tls_sha256;
7005 }
7006 #else
7007 {
7008 (void) handshake;
7009 (void) hash;
7010 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7011 }
7012 #endif
7013
7014 return 0;
7015 }
7016
7017 /*
7018 * Compute master secret if needed
7019 *
7020 * Parameters:
7021 * [in/out] handshake
7022 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
7023 * (PSA-PSK) ciphersuite_info, psk_opaque
7024 * [out] premaster (cleared)
7025 * [out] master
7026 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
7027 * debug: conf->f_dbg, conf->p_dbg
7028 * EMS: passed to calc_verify (debug + session_negotiate)
7029 * PSA-PSA: conf
7030 */
7031 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_compute_master(mbedtls_ssl_handshake_params * handshake,unsigned char * master,const mbedtls_ssl_context * ssl)7032 static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
7033 unsigned char *master,
7034 const mbedtls_ssl_context *ssl)
7035 {
7036 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7037
7038 /* cf. RFC 5246, Section 8.1:
7039 * "The master secret is always exactly 48 bytes in length." */
7040 size_t const master_secret_len = 48;
7041
7042 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
7043 unsigned char session_hash[48];
7044 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
7045
7046 /* The label for the KDF used for key expansion.
7047 * This is either "master secret" or "extended master secret"
7048 * depending on whether the Extended Master Secret extension
7049 * is used. */
7050 char const *lbl = "master secret";
7051
7052 /* The seed for the KDF used for key expansion.
7053 * - If the Extended Master Secret extension is not used,
7054 * this is ClientHello.Random + ServerHello.Random
7055 * (see Sect. 8.1 in RFC 5246).
7056 * - If the Extended Master Secret extension is used,
7057 * this is the transcript of the handshake so far.
7058 * (see Sect. 4 in RFC 7627). */
7059 unsigned char const *seed = handshake->randbytes;
7060 size_t seed_len = 64;
7061
7062 #if !defined(MBEDTLS_DEBUG_C) && \
7063 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
7064 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
7065 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
7066 ssl = NULL; /* make sure we don't use it except for those cases */
7067 (void) ssl;
7068 #endif
7069
7070 if (handshake->resume != 0) {
7071 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
7072 return 0;
7073 }
7074
7075 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
7076 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
7077 lbl = "extended master secret";
7078 seed = session_hash;
7079 ret = handshake->calc_verify(ssl, session_hash, &seed_len);
7080 if (ret != 0) {
7081 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
7082 }
7083
7084 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
7085 session_hash, seed_len);
7086 }
7087 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
7088
7089 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
7090 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
7091 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) {
7092 /* Perform PSK-to-MS expansion in a single step. */
7093 psa_status_t status;
7094 psa_algorithm_t alg;
7095 mbedtls_svc_key_id_t psk;
7096 psa_key_derivation_operation_t derivation =
7097 PSA_KEY_DERIVATION_OPERATION_INIT;
7098 mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
7099
7100 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
7101
7102 psk = mbedtls_ssl_get_opaque_psk(ssl);
7103
7104 if (hash_alg == MBEDTLS_MD_SHA384) {
7105 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
7106 } else {
7107 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
7108 }
7109
7110 size_t other_secret_len = 0;
7111 unsigned char *other_secret = NULL;
7112
7113 switch (handshake->ciphersuite_info->key_exchange) {
7114 /* Provide other secret.
7115 * Other secret is stored in premaster, where first 2 bytes hold the
7116 * length of the other key.
7117 */
7118 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
7119 /* For RSA-PSK other key length is always 48 bytes. */
7120 other_secret_len = 48;
7121 other_secret = handshake->premaster + 2;
7122 break;
7123 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
7124 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
7125 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
7126 other_secret = handshake->premaster + 2;
7127 break;
7128 default:
7129 break;
7130 }
7131
7132 status = setup_psa_key_derivation(&derivation, psk, alg,
7133 ssl->conf->psk, ssl->conf->psk_len,
7134 seed, seed_len,
7135 (unsigned char const *) lbl,
7136 (size_t) strlen(lbl),
7137 other_secret, other_secret_len,
7138 master_secret_len);
7139 if (status != PSA_SUCCESS) {
7140 psa_key_derivation_abort(&derivation);
7141 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7142 }
7143
7144 status = psa_key_derivation_output_bytes(&derivation,
7145 master,
7146 master_secret_len);
7147 if (status != PSA_SUCCESS) {
7148 psa_key_derivation_abort(&derivation);
7149 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7150 }
7151
7152 status = psa_key_derivation_abort(&derivation);
7153 if (status != PSA_SUCCESS) {
7154 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7155 }
7156 } else
7157 #endif
7158 {
7159 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
7160 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
7161 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
7162 psa_status_t status;
7163 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
7164 psa_key_derivation_operation_t derivation =
7165 PSA_KEY_DERIVATION_OPERATION_INIT;
7166
7167 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE"));
7168
7169 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
7170
7171 status = psa_key_derivation_setup(&derivation, alg);
7172 if (status != PSA_SUCCESS) {
7173 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7174 }
7175
7176 status = psa_key_derivation_set_capacity(&derivation,
7177 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
7178 if (status != PSA_SUCCESS) {
7179 psa_key_derivation_abort(&derivation);
7180 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7181 }
7182
7183 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx,
7184 &derivation);
7185 if (status != PSA_SUCCESS) {
7186 psa_key_derivation_abort(&derivation);
7187 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7188 }
7189
7190 status = psa_key_derivation_output_bytes(&derivation,
7191 handshake->premaster,
7192 handshake->pmslen);
7193 if (status != PSA_SUCCESS) {
7194 psa_key_derivation_abort(&derivation);
7195 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7196 }
7197
7198 status = psa_key_derivation_abort(&derivation);
7199 if (status != PSA_SUCCESS) {
7200 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7201 }
7202 }
7203 #endif
7204 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
7205 lbl, seed, seed_len,
7206 master,
7207 master_secret_len);
7208 if (ret != 0) {
7209 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
7210 return ret;
7211 }
7212
7213 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
7214 handshake->premaster,
7215 handshake->pmslen);
7216
7217 mbedtls_platform_zeroize(handshake->premaster,
7218 sizeof(handshake->premaster));
7219 }
7220
7221 return 0;
7222 }
7223
mbedtls_ssl_derive_keys(mbedtls_ssl_context * ssl)7224 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
7225 {
7226 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7227 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
7228 ssl->handshake->ciphersuite_info;
7229
7230 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
7231
7232 /* Set PRF, calc_verify and calc_finished function pointers */
7233 ret = ssl_set_handshake_prfs(ssl->handshake,
7234 (mbedtls_md_type_t) ciphersuite_info->mac);
7235 if (ret != 0) {
7236 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
7237 return ret;
7238 }
7239
7240 /* Compute master secret if needed */
7241 ret = ssl_compute_master(ssl->handshake,
7242 ssl->session_negotiate->master,
7243 ssl);
7244 if (ret != 0) {
7245 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
7246 return ret;
7247 }
7248
7249 /* Swap the client and server random values:
7250 * - MS derivation wanted client+server (RFC 5246 8.1)
7251 * - key derivation wants server+client (RFC 5246 6.3) */
7252 {
7253 unsigned char tmp[64];
7254 memcpy(tmp, ssl->handshake->randbytes, 64);
7255 memcpy(ssl->handshake->randbytes, tmp + 32, 32);
7256 memcpy(ssl->handshake->randbytes + 32, tmp, 32);
7257 mbedtls_platform_zeroize(tmp, sizeof(tmp));
7258 }
7259
7260 /* Populate transform structure */
7261 ret = ssl_tls12_populate_transform(ssl->transform_negotiate,
7262 ssl->session_negotiate->ciphersuite,
7263 ssl->session_negotiate->master,
7264 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
7265 ssl->session_negotiate->encrypt_then_mac,
7266 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
7267 ssl->handshake->tls_prf,
7268 ssl->handshake->randbytes,
7269 ssl->tls_version,
7270 ssl->conf->endpoint,
7271 ssl);
7272 if (ret != 0) {
7273 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret);
7274 return ret;
7275 }
7276
7277 /* We no longer need Server/ClientHello.random values */
7278 mbedtls_platform_zeroize(ssl->handshake->randbytes,
7279 sizeof(ssl->handshake->randbytes));
7280
7281 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
7282
7283 return 0;
7284 }
7285
mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context * ssl,int md)7286 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
7287 {
7288 switch (md) {
7289 #if defined(MBEDTLS_MD_CAN_SHA384)
7290 case MBEDTLS_SSL_HASH_SHA384:
7291 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
7292 break;
7293 #endif
7294 #if defined(MBEDTLS_MD_CAN_SHA256)
7295 case MBEDTLS_SSL_HASH_SHA256:
7296 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
7297 break;
7298 #endif
7299 default:
7300 return -1;
7301 }
7302 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
7303 !defined(MBEDTLS_MD_CAN_SHA256)
7304 (void) ssl;
7305 #endif
7306 return 0;
7307 }
7308
7309 #if defined(MBEDTLS_USE_PSA_CRYPTO)
ssl_calc_verify_tls_psa(const mbedtls_ssl_context * ssl,const psa_hash_operation_t * hs_op,size_t buffer_size,unsigned char * hash,size_t * hlen)7310 static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
7311 const psa_hash_operation_t *hs_op,
7312 size_t buffer_size,
7313 unsigned char *hash,
7314 size_t *hlen)
7315 {
7316 psa_status_t status;
7317 psa_hash_operation_t cloned_op = psa_hash_operation_init();
7318
7319 #if !defined(MBEDTLS_DEBUG_C)
7320 (void) ssl;
7321 #endif
7322 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
7323 status = psa_hash_clone(hs_op, &cloned_op);
7324 if (status != PSA_SUCCESS) {
7325 goto exit;
7326 }
7327
7328 status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
7329 if (status != PSA_SUCCESS) {
7330 goto exit;
7331 }
7332
7333 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
7334 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
7335
7336 exit:
7337 psa_hash_abort(&cloned_op);
7338 return mbedtls_md_error_from_psa(status);
7339 }
7340 #else
ssl_calc_verify_tls_legacy(const mbedtls_ssl_context * ssl,const mbedtls_md_context_t * hs_ctx,unsigned char * hash,size_t * hlen)7341 static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl,
7342 const mbedtls_md_context_t *hs_ctx,
7343 unsigned char *hash,
7344 size_t *hlen)
7345 {
7346 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7347 mbedtls_md_context_t cloned_ctx;
7348
7349 mbedtls_md_init(&cloned_ctx);
7350
7351 #if !defined(MBEDTLS_DEBUG_C)
7352 (void) ssl;
7353 #endif
7354 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify"));
7355
7356 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
7357 if (ret != 0) {
7358 goto exit;
7359 }
7360 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
7361 if (ret != 0) {
7362 goto exit;
7363 }
7364
7365 ret = mbedtls_md_finish(&cloned_ctx, hash);
7366 if (ret != 0) {
7367 goto exit;
7368 }
7369
7370 *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx));
7371
7372 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
7373 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
7374
7375 exit:
7376 mbedtls_md_free(&cloned_ctx);
7377 return ret;
7378 }
7379 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7380
7381 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_calc_verify_tls_sha256(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)7382 int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
7383 unsigned char *hash,
7384 size_t *hlen)
7385 {
7386 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7387 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
7388 hash, hlen);
7389 #else
7390 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256,
7391 hash, hlen);
7392 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7393 }
7394 #endif /* MBEDTLS_MD_CAN_SHA256 */
7395
7396 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_calc_verify_tls_sha384(const mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hlen)7397 int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
7398 unsigned char *hash,
7399 size_t *hlen)
7400 {
7401 #if defined(MBEDTLS_USE_PSA_CRYPTO)
7402 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
7403 hash, hlen);
7404 #else
7405 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384,
7406 hash, hlen);
7407 #endif /* MBEDTLS_USE_PSA_CRYPTO */
7408 }
7409 #endif /* MBEDTLS_MD_CAN_SHA384 */
7410
7411 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
7412 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context * ssl,mbedtls_key_exchange_type_t key_ex)7413 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex)
7414 {
7415 unsigned char *p = ssl->handshake->premaster;
7416 unsigned char *end = p + sizeof(ssl->handshake->premaster);
7417 const unsigned char *psk = NULL;
7418 size_t psk_len = 0;
7419 int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len);
7420
7421 if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) {
7422 /*
7423 * This should never happen because the existence of a PSK is always
7424 * checked before calling this function.
7425 *
7426 * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with
7427 * the shared secret without PSK.
7428 */
7429 if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
7430 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7431 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7432 }
7433 }
7434
7435 /*
7436 * PMS = struct {
7437 * opaque other_secret<0..2^16-1>;
7438 * opaque psk<0..2^16-1>;
7439 * };
7440 * with "other_secret" depending on the particular key exchange
7441 */
7442 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
7443 if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) {
7444 if (end - p < 2) {
7445 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7446 }
7447
7448 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
7449 p += 2;
7450
7451 if (end < p || (size_t) (end - p) < psk_len) {
7452 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7453 }
7454
7455 memset(p, 0, psk_len);
7456 p += psk_len;
7457 } else
7458 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
7459 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
7460 if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7461 /*
7462 * other_secret already set by the ClientKeyExchange message,
7463 * and is 48 bytes long
7464 */
7465 if (end - p < 2) {
7466 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7467 }
7468
7469 *p++ = 0;
7470 *p++ = 48;
7471 p += 48;
7472 } else
7473 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
7474 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
7475 if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
7476 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7477 size_t len;
7478
7479 /* Write length only when we know the actual value */
7480 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
7481 p + 2, (size_t) (end - (p + 2)), &len,
7482 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
7483 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
7484 return ret;
7485 }
7486 MBEDTLS_PUT_UINT16_BE(len, p, 0);
7487 p += 2 + len;
7488
7489 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
7490 } else
7491 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
7492 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
7493 if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
7494 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7495 size_t zlen;
7496
7497 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen,
7498 p + 2, (size_t) (end - (p + 2)),
7499 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
7500 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
7501 return ret;
7502 }
7503
7504 MBEDTLS_PUT_UINT16_BE(zlen, p, 0);
7505 p += 2 + zlen;
7506
7507 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
7508 MBEDTLS_DEBUG_ECDH_Z);
7509 } else
7510 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
7511 {
7512 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7513 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7514 }
7515
7516 /* opaque psk<0..2^16-1>; */
7517 if (end - p < 2) {
7518 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7519 }
7520
7521 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
7522 p += 2;
7523
7524 if (end < p || (size_t) (end - p) < psk_len) {
7525 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7526 }
7527
7528 memcpy(p, psk, psk_len);
7529 p += psk_len;
7530
7531 ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster);
7532
7533 return 0;
7534 }
7535 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
7536
7537 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
7538 MBEDTLS_CHECK_RETURN_CRITICAL
7539 static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
7540
7541 #if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_resend_hello_request(mbedtls_ssl_context * ssl)7542 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl)
7543 {
7544 /* If renegotiation is not enforced, retransmit until we would reach max
7545 * timeout if we were using the usual handshake doubling scheme */
7546 if (ssl->conf->renego_max_records < 0) {
7547 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
7548 unsigned char doublings = 1;
7549
7550 while (ratio != 0) {
7551 ++doublings;
7552 ratio >>= 1;
7553 }
7554
7555 if (++ssl->renego_records_seen > doublings) {
7556 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
7557 return 0;
7558 }
7559 }
7560
7561 return ssl_write_hello_request(ssl);
7562 }
7563 #endif
7564 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
7565
7566 /*
7567 * Handshake functions
7568 */
7569 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
7570 /* No certificate support -> dummy functions */
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)7571 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
7572 {
7573 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7574 ssl->handshake->ciphersuite_info;
7575
7576 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
7577
7578 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7579 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7580 mbedtls_ssl_handshake_increment_state(ssl);
7581 return 0;
7582 }
7583
7584 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7585 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7586 }
7587
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)7588 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
7589 {
7590 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7591 ssl->handshake->ciphersuite_info;
7592
7593 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
7594
7595 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7596 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
7597 mbedtls_ssl_handshake_increment_state(ssl);
7598 return 0;
7599 }
7600
7601 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7602 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7603 }
7604
7605 #else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
7606 /* Some certificate support -> implement write and parse */
7607
mbedtls_ssl_write_certificate(mbedtls_ssl_context * ssl)7608 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
7609 {
7610 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
7611 size_t i, n;
7612 const mbedtls_x509_crt *crt;
7613 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7614 ssl->handshake->ciphersuite_info;
7615
7616 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
7617
7618 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7619 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7620 mbedtls_ssl_handshake_increment_state(ssl);
7621 return 0;
7622 }
7623
7624 #if defined(MBEDTLS_SSL_CLI_C)
7625 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7626 if (ssl->handshake->client_auth == 0) {
7627 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7628 mbedtls_ssl_handshake_increment_state(ssl);
7629 return 0;
7630 }
7631 }
7632 #endif /* MBEDTLS_SSL_CLI_C */
7633 #if defined(MBEDTLS_SSL_SRV_C)
7634 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7635 if (mbedtls_ssl_own_cert(ssl) == NULL) {
7636 /* Should never happen because we shouldn't have picked the
7637 * ciphersuite if we don't have a certificate. */
7638 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7639 }
7640 }
7641 #endif
7642
7643 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
7644
7645 /*
7646 * 0 . 0 handshake type
7647 * 1 . 3 handshake length
7648 * 4 . 6 length of all certs
7649 * 7 . 9 length of cert. 1
7650 * 10 . n-1 peer certificate
7651 * n . n+2 length of cert. 2
7652 * n+3 . ... upper level cert, etc.
7653 */
7654 i = 7;
7655 crt = mbedtls_ssl_own_cert(ssl);
7656
7657 while (crt != NULL) {
7658 n = crt->raw.len;
7659 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
7660 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
7661 " > %" MBEDTLS_PRINTF_SIZET,
7662 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
7663 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
7664 }
7665
7666 ssl->out_msg[i] = MBEDTLS_BYTE_2(n);
7667 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n);
7668 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n);
7669
7670 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n);
7671 i += n; crt = crt->next;
7672 }
7673
7674 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7);
7675 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7);
7676 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7);
7677
7678 ssl->out_msglen = i;
7679 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7680 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
7681
7682 mbedtls_ssl_handshake_increment_state(ssl);
7683
7684 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
7685 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
7686 return ret;
7687 }
7688
7689 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
7690
7691 return ret;
7692 }
7693
7694 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7695
7696 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7697 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)7698 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7699 unsigned char *crt_buf,
7700 size_t crt_buf_len)
7701 {
7702 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
7703
7704 if (peer_crt == NULL) {
7705 return -1;
7706 }
7707
7708 if (peer_crt->raw.len != crt_buf_len) {
7709 return -1;
7710 }
7711
7712 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len);
7713 }
7714 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7715 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_check_peer_crt_unchanged(mbedtls_ssl_context * ssl,unsigned char * crt_buf,size_t crt_buf_len)7716 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7717 unsigned char *crt_buf,
7718 size_t crt_buf_len)
7719 {
7720 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7721 unsigned char const * const peer_cert_digest =
7722 ssl->session->peer_cert_digest;
7723 mbedtls_md_type_t const peer_cert_digest_type =
7724 ssl->session->peer_cert_digest_type;
7725 mbedtls_md_info_t const * const digest_info =
7726 mbedtls_md_info_from_type(peer_cert_digest_type);
7727 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
7728 size_t digest_len;
7729
7730 if (peer_cert_digest == NULL || digest_info == NULL) {
7731 return -1;
7732 }
7733
7734 digest_len = mbedtls_md_get_size(digest_info);
7735 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) {
7736 return -1;
7737 }
7738
7739 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
7740 if (ret != 0) {
7741 return -1;
7742 }
7743
7744 return memcmp(tmp_digest, peer_cert_digest, digest_len);
7745 }
7746 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7747 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7748
7749 /*
7750 * Once the certificate message is read, parse it into a cert chain and
7751 * perform basic checks, but leave actual verification to the caller
7752 */
7753 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_chain(mbedtls_ssl_context * ssl,mbedtls_x509_crt * chain)7754 static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
7755 mbedtls_x509_crt *chain)
7756 {
7757 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7758 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7759 int crt_cnt = 0;
7760 #endif
7761 size_t i, n;
7762 uint8_t alert;
7763
7764 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
7765 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7766 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7767 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7768 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7769 }
7770
7771 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) {
7772 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7773 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7774 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7775 }
7776
7777 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
7778 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7779 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7780 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7781 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7782 }
7783
7784 i = mbedtls_ssl_hs_hdr_len(ssl);
7785
7786 /*
7787 * Same message structure as in mbedtls_ssl_write_certificate()
7788 */
7789 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
7790
7791 if (ssl->in_msg[i] != 0 ||
7792 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
7793 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7794 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7795 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7796 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7797 }
7798
7799 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
7800 i += 3;
7801
7802 /* Iterate through and parse the CRTs in the provided chain. */
7803 while (i < ssl->in_hslen) {
7804 /* Check that there's room for the next CRT's length fields. */
7805 if (i + 3 > ssl->in_hslen) {
7806 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7807 mbedtls_ssl_send_alert_message(ssl,
7808 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7809 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7810 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7811 }
7812 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
7813 * anything beyond 2**16 ~ 64K. */
7814 if (ssl->in_msg[i] != 0) {
7815 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7816 mbedtls_ssl_send_alert_message(ssl,
7817 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7818 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
7819 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7820 }
7821
7822 /* Read length of the next CRT in the chain. */
7823 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
7824 i += 3;
7825
7826 if (n < 128 || i + n > ssl->in_hslen) {
7827 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7828 mbedtls_ssl_send_alert_message(ssl,
7829 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7830 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7831 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7832 }
7833
7834 /* Check if we're handling the first CRT in the chain. */
7835 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7836 if (crt_cnt++ == 0 &&
7837 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
7838 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
7839 /* During client-side renegotiation, check that the server's
7840 * end-CRTs hasn't changed compared to the initial handshake,
7841 * mitigating the triple handshake attack. On success, reuse
7842 * the original end-CRT instead of parsing it again. */
7843 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
7844 if (ssl_check_peer_crt_unchanged(ssl,
7845 &ssl->in_msg[i],
7846 n) != 0) {
7847 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
7848 mbedtls_ssl_send_alert_message(ssl,
7849 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7850 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
7851 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7852 }
7853
7854 /* Now we can safely free the original chain. */
7855 ssl_clear_peer_cert(ssl->session);
7856 }
7857 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7858
7859 /* Parse the next certificate in the chain. */
7860 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7861 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
7862 #else
7863 /* If we don't need to store the CRT chain permanently, parse
7864 * it in-place from the input buffer instead of making a copy. */
7865 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
7866 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7867 switch (ret) {
7868 case 0: /*ok*/
7869 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
7870 /* Ignore certificate with an unknown algorithm: maybe a
7871 prior certificate was already trusted. */
7872 break;
7873
7874 case MBEDTLS_ERR_X509_ALLOC_FAILED:
7875 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
7876 goto crt_parse_der_failed;
7877
7878 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
7879 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7880 goto crt_parse_der_failed;
7881
7882 default:
7883 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
7884 crt_parse_der_failed:
7885 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
7886 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
7887 return ret;
7888 }
7889
7890 i += n;
7891 }
7892
7893 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
7894 return 0;
7895 }
7896
7897 #if defined(MBEDTLS_SSL_SRV_C)
7898 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context * ssl)7899 static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl)
7900 {
7901 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7902 return -1;
7903 }
7904
7905 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
7906 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
7907 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
7908 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
7909 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
7910 return 0;
7911 }
7912 return -1;
7913 }
7914 #endif /* MBEDTLS_SSL_SRV_C */
7915
7916 /* Check if a certificate message is expected.
7917 * Return either
7918 * - SSL_CERTIFICATE_EXPECTED, or
7919 * - SSL_CERTIFICATE_SKIP
7920 * indicating whether a Certificate message is expected or not.
7921 */
7922 #define SSL_CERTIFICATE_EXPECTED 0
7923 #define SSL_CERTIFICATE_SKIP 1
7924 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_parse_certificate_coordinate(mbedtls_ssl_context * ssl,int authmode)7925 static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
7926 int authmode)
7927 {
7928 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7929 ssl->handshake->ciphersuite_info;
7930
7931 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7932 return SSL_CERTIFICATE_SKIP;
7933 }
7934
7935 #if defined(MBEDTLS_SSL_SRV_C)
7936 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7937 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7938 return SSL_CERTIFICATE_SKIP;
7939 }
7940
7941 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
7942 ssl->session_negotiate->verify_result =
7943 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
7944 return SSL_CERTIFICATE_SKIP;
7945 }
7946 }
7947 #else
7948 ((void) authmode);
7949 #endif /* MBEDTLS_SSL_SRV_C */
7950
7951 return SSL_CERTIFICATE_EXPECTED;
7952 }
7953
7954 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7955 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_crt_digest(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7956 static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
7957 unsigned char *start, size_t len)
7958 {
7959 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7960 /* Remember digest of the peer's end-CRT. */
7961 ssl->session_negotiate->peer_cert_digest =
7962 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
7963 if (ssl->session_negotiate->peer_cert_digest == NULL) {
7964 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
7965 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
7966 mbedtls_ssl_send_alert_message(ssl,
7967 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7968 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
7969
7970 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
7971 }
7972
7973 ret = mbedtls_md(mbedtls_md_info_from_type(
7974 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
7975 start, len,
7976 ssl->session_negotiate->peer_cert_digest);
7977
7978 ssl->session_negotiate->peer_cert_digest_type =
7979 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
7980 ssl->session_negotiate->peer_cert_digest_len =
7981 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
7982
7983 return ret;
7984 }
7985
7986 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_remember_peer_pubkey(mbedtls_ssl_context * ssl,unsigned char * start,size_t len)7987 static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
7988 unsigned char *start, size_t len)
7989 {
7990 unsigned char *end = start + len;
7991 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7992
7993 /* Make a copy of the peer's raw public key. */
7994 mbedtls_pk_init(&ssl->handshake->peer_pubkey);
7995 ret = mbedtls_pk_parse_subpubkey(&start, end,
7996 &ssl->handshake->peer_pubkey);
7997 if (ret != 0) {
7998 /* We should have parsed the public key before. */
7999 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8000 }
8001
8002 return 0;
8003 }
8004 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8005
mbedtls_ssl_parse_certificate(mbedtls_ssl_context * ssl)8006 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
8007 {
8008 int ret = 0;
8009 int crt_expected;
8010 /* Authmode: precedence order is SNI if used else configuration */
8011 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
8012 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
8013 ? ssl->handshake->sni_authmode
8014 : ssl->conf->authmode;
8015 #else
8016 const int authmode = ssl->conf->authmode;
8017 #endif
8018 void *rs_ctx = NULL;
8019 mbedtls_x509_crt *chain = NULL;
8020
8021 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
8022
8023 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
8024 if (crt_expected == SSL_CERTIFICATE_SKIP) {
8025 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
8026 goto exit;
8027 }
8028
8029 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8030 if (ssl->handshake->ecrs_enabled &&
8031 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
8032 chain = ssl->handshake->ecrs_peer_cert;
8033 ssl->handshake->ecrs_peer_cert = NULL;
8034 goto crt_verify;
8035 }
8036 #endif
8037
8038 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
8039 /* mbedtls_ssl_read_record may have sent an alert already. We
8040 let it decide whether to alert. */
8041 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
8042 goto exit;
8043 }
8044
8045 #if defined(MBEDTLS_SSL_SRV_C)
8046 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
8047 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
8048
8049 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) {
8050 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
8051 }
8052
8053 goto exit;
8054 }
8055 #endif /* MBEDTLS_SSL_SRV_C */
8056
8057 /* Clear existing peer CRT structure in case we tried to
8058 * reuse a session but it failed, and allocate a new one. */
8059 ssl_clear_peer_cert(ssl->session_negotiate);
8060
8061 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
8062 if (chain == NULL) {
8063 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
8064 sizeof(mbedtls_x509_crt)));
8065 mbedtls_ssl_send_alert_message(ssl,
8066 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8067 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
8068
8069 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
8070 goto exit;
8071 }
8072 mbedtls_x509_crt_init(chain);
8073
8074 ret = ssl_parse_certificate_chain(ssl, chain);
8075 if (ret != 0) {
8076 goto exit;
8077 }
8078
8079 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8080 if (ssl->handshake->ecrs_enabled) {
8081 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
8082 }
8083
8084 crt_verify:
8085 if (ssl->handshake->ecrs_enabled) {
8086 rs_ctx = &ssl->handshake->ecrs_ctx;
8087 }
8088 #endif
8089
8090 ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain,
8091 ssl->handshake->ciphersuite_info,
8092 rs_ctx);
8093 if (ret != 0) {
8094 goto exit;
8095 }
8096
8097 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
8098 {
8099 unsigned char *crt_start, *pk_start;
8100 size_t crt_len, pk_len;
8101
8102 /* We parse the CRT chain without copying, so
8103 * these pointers point into the input buffer,
8104 * and are hence still valid after freeing the
8105 * CRT chain. */
8106
8107 crt_start = chain->raw.p;
8108 crt_len = chain->raw.len;
8109
8110 pk_start = chain->pk_raw.p;
8111 pk_len = chain->pk_raw.len;
8112
8113 /* Free the CRT structures before computing
8114 * digest and copying the peer's public key. */
8115 mbedtls_x509_crt_free(chain);
8116 mbedtls_free(chain);
8117 chain = NULL;
8118
8119 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
8120 if (ret != 0) {
8121 goto exit;
8122 }
8123
8124 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
8125 if (ret != 0) {
8126 goto exit;
8127 }
8128 }
8129 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8130 /* Pass ownership to session structure. */
8131 ssl->session_negotiate->peer_cert = chain;
8132 chain = NULL;
8133 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8134
8135 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
8136
8137 exit:
8138
8139 if (ret == 0) {
8140 mbedtls_ssl_handshake_increment_state(ssl);
8141 }
8142
8143 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8144 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
8145 ssl->handshake->ecrs_peer_cert = chain;
8146 chain = NULL;
8147 }
8148 #endif
8149
8150 if (chain != NULL) {
8151 mbedtls_x509_crt_free(chain);
8152 mbedtls_free(chain);
8153 }
8154
8155 return ret;
8156 }
8157 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
8158
ssl_calc_finished_tls_generic(mbedtls_ssl_context * ssl,void * ctx,unsigned char * padbuf,size_t hlen,unsigned char * buf,int from)8159 static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
8160 unsigned char *padbuf, size_t hlen,
8161 unsigned char *buf, int from)
8162 {
8163 unsigned int len = 12;
8164 const char *sender;
8165 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8166 psa_status_t status;
8167 psa_hash_operation_t *hs_op = ctx;
8168 psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
8169 size_t hash_size;
8170 #else
8171 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8172 mbedtls_md_context_t *hs_ctx = ctx;
8173 mbedtls_md_context_t cloned_ctx;
8174 mbedtls_md_init(&cloned_ctx);
8175 #endif
8176
8177 mbedtls_ssl_session *session = ssl->session_negotiate;
8178 if (!session) {
8179 session = ssl->session;
8180 }
8181
8182 sender = (from == MBEDTLS_SSL_IS_CLIENT)
8183 ? "client finished"
8184 : "server finished";
8185
8186 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8187 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
8188
8189 status = psa_hash_clone(hs_op, &cloned_op);
8190 if (status != PSA_SUCCESS) {
8191 goto exit;
8192 }
8193
8194 status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
8195 if (status != PSA_SUCCESS) {
8196 goto exit;
8197 }
8198 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
8199 #else
8200 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls"));
8201
8202 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
8203 if (ret != 0) {
8204 goto exit;
8205 }
8206 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
8207 if (ret != 0) {
8208 goto exit;
8209 }
8210
8211 ret = mbedtls_md_finish(&cloned_ctx, padbuf);
8212 if (ret != 0) {
8213 goto exit;
8214 }
8215 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8216
8217 MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
8218
8219 /*
8220 * TLSv1.2:
8221 * hash = PRF( master, finished_label,
8222 * Hash( handshake ) )[0.11]
8223 */
8224 ssl->handshake->tls_prf(session->master, 48, sender,
8225 padbuf, hlen, buf, len);
8226
8227 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
8228
8229 mbedtls_platform_zeroize(padbuf, hlen);
8230
8231 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
8232
8233 exit:
8234 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8235 psa_hash_abort(&cloned_op);
8236 return mbedtls_md_error_from_psa(status);
8237 #else
8238 mbedtls_md_free(&cloned_ctx);
8239 return ret;
8240 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8241 }
8242
8243 #if defined(MBEDTLS_MD_CAN_SHA256)
ssl_calc_finished_tls_sha256(mbedtls_ssl_context * ssl,unsigned char * buf,int from)8244 static int ssl_calc_finished_tls_sha256(
8245 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
8246 {
8247 unsigned char padbuf[32];
8248 return ssl_calc_finished_tls_generic(ssl,
8249 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8250 &ssl->handshake->fin_sha256_psa,
8251 #else
8252 &ssl->handshake->fin_sha256,
8253 #endif
8254 padbuf, sizeof(padbuf),
8255 buf, from);
8256 }
8257 #endif /* MBEDTLS_MD_CAN_SHA256*/
8258
8259
8260 #if defined(MBEDTLS_MD_CAN_SHA384)
ssl_calc_finished_tls_sha384(mbedtls_ssl_context * ssl,unsigned char * buf,int from)8261 static int ssl_calc_finished_tls_sha384(
8262 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
8263 {
8264 unsigned char padbuf[48];
8265 return ssl_calc_finished_tls_generic(ssl,
8266 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8267 &ssl->handshake->fin_sha384_psa,
8268 #else
8269 &ssl->handshake->fin_sha384,
8270 #endif
8271 padbuf, sizeof(padbuf),
8272 buf, from);
8273 }
8274 #endif /* MBEDTLS_MD_CAN_SHA384*/
8275
mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context * ssl)8276 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
8277 {
8278 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
8279
8280 /*
8281 * Free our handshake params
8282 */
8283 mbedtls_ssl_handshake_free(ssl);
8284 mbedtls_free(ssl->handshake);
8285 ssl->handshake = NULL;
8286
8287 /*
8288 * Free the previous transform and switch in the current one
8289 */
8290 if (ssl->transform) {
8291 mbedtls_ssl_transform_free(ssl->transform);
8292 mbedtls_free(ssl->transform);
8293 }
8294 ssl->transform = ssl->transform_negotiate;
8295 ssl->transform_negotiate = NULL;
8296
8297 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
8298 }
8299
mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context * ssl)8300 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
8301 {
8302 int resume = ssl->handshake->resume;
8303
8304 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
8305
8306 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8307 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
8308 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
8309 ssl->renego_records_seen = 0;
8310 }
8311 #endif
8312
8313 /*
8314 * Free the previous session and switch in the current one
8315 */
8316 if (ssl->session) {
8317 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8318 /* RFC 7366 3.1: keep the EtM state */
8319 ssl->session_negotiate->encrypt_then_mac =
8320 ssl->session->encrypt_then_mac;
8321 #endif
8322
8323 mbedtls_ssl_session_free(ssl->session);
8324 mbedtls_free(ssl->session);
8325 }
8326 ssl->session = ssl->session_negotiate;
8327 ssl->session_negotiate = NULL;
8328
8329 /*
8330 * Add cache entry
8331 */
8332 if (ssl->conf->f_set_cache != NULL &&
8333 ssl->session->id_len != 0 &&
8334 resume == 0) {
8335 if (ssl->conf->f_set_cache(ssl->conf->p_cache,
8336 ssl->session->id,
8337 ssl->session->id_len,
8338 ssl->session) != 0) {
8339 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
8340 }
8341 }
8342
8343 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8344 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8345 ssl->handshake->flight != NULL) {
8346 /* Cancel handshake timer */
8347 mbedtls_ssl_set_timer(ssl, 0);
8348
8349 /* Keep last flight around in case we need to resend it:
8350 * we need the handshake and transform structures for that */
8351 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
8352 } else
8353 #endif
8354 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
8355
8356 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
8357
8358 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
8359 }
8360
mbedtls_ssl_write_finished(mbedtls_ssl_context * ssl)8361 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
8362 {
8363 int ret;
8364 unsigned int hash_len;
8365
8366 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
8367
8368 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
8369
8370 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
8371 if (ret != 0) {
8372 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
8373 return ret;
8374 }
8375
8376 /*
8377 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
8378 * may define some other value. Currently (early 2016), no defined
8379 * ciphersuite does this (and this is unlikely to change as activity has
8380 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
8381 */
8382 hash_len = 12;
8383
8384 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8385 ssl->verify_data_len = hash_len;
8386 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
8387 #endif
8388
8389 ssl->out_msglen = 4 + hash_len;
8390 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
8391 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
8392
8393 /*
8394 * In case of session resuming, invert the client and server
8395 * ChangeCipherSpec messages order.
8396 */
8397 if (ssl->handshake->resume != 0) {
8398 #if defined(MBEDTLS_SSL_CLI_C)
8399 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8400 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
8401 }
8402 #endif
8403 #if defined(MBEDTLS_SSL_SRV_C)
8404 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8405 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
8406 }
8407 #endif
8408 } else {
8409 mbedtls_ssl_handshake_increment_state(ssl);
8410 }
8411
8412 /*
8413 * Switch to our negotiated transform and session parameters for outbound
8414 * data.
8415 */
8416 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
8417
8418 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8419 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8420 unsigned char i;
8421
8422 /* Remember current epoch settings for resending */
8423 ssl->handshake->alt_transform_out = ssl->transform_out;
8424 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
8425 sizeof(ssl->handshake->alt_out_ctr));
8426
8427 /* Set sequence_number to zero */
8428 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2);
8429
8430
8431 /* Increment epoch */
8432 for (i = 2; i > 0; i--) {
8433 if (++ssl->cur_out_ctr[i - 1] != 0) {
8434 break;
8435 }
8436 }
8437
8438 /* The loop goes to its end iff the counter is wrapping */
8439 if (i == 0) {
8440 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
8441 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
8442 }
8443 } else
8444 #endif /* MBEDTLS_SSL_PROTO_DTLS */
8445 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
8446
8447 ssl->transform_out = ssl->transform_negotiate;
8448 ssl->session_out = ssl->session_negotiate;
8449
8450 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8451 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8452 mbedtls_ssl_send_flight_completed(ssl);
8453 }
8454 #endif
8455
8456 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
8457 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
8458 return ret;
8459 }
8460
8461 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8462 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8463 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
8464 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
8465 return ret;
8466 }
8467 #endif
8468
8469 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
8470
8471 return 0;
8472 }
8473
8474 #define SSL_MAX_HASH_LEN 12
8475
mbedtls_ssl_parse_finished(mbedtls_ssl_context * ssl)8476 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
8477 {
8478 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8479 unsigned int hash_len = 12;
8480 unsigned char buf[SSL_MAX_HASH_LEN];
8481
8482 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
8483
8484 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
8485 if (ret != 0) {
8486 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
8487 return ret;
8488 }
8489
8490 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
8491 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
8492 goto exit;
8493 }
8494
8495 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
8496 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8497 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8498 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8499 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8500 goto exit;
8501 }
8502
8503 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) {
8504 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8505 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8506 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8507 goto exit;
8508 }
8509
8510 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
8511 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8512 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8513 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
8514 ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
8515 goto exit;
8516 }
8517
8518 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
8519 buf, hash_len) != 0) {
8520 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8521 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8522 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
8523 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8524 goto exit;
8525 }
8526
8527 #if defined(MBEDTLS_SSL_RENEGOTIATION)
8528 ssl->verify_data_len = hash_len;
8529 memcpy(ssl->peer_verify_data, buf, hash_len);
8530 #endif
8531
8532 if (ssl->handshake->resume != 0) {
8533 #if defined(MBEDTLS_SSL_CLI_C)
8534 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8535 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
8536 }
8537 #endif
8538 #if defined(MBEDTLS_SSL_SRV_C)
8539 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8540 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
8541 }
8542 #endif
8543 } else {
8544 mbedtls_ssl_handshake_increment_state(ssl);
8545 }
8546
8547 #if defined(MBEDTLS_SSL_PROTO_DTLS)
8548 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8549 mbedtls_ssl_recv_flight_completed(ssl);
8550 }
8551 #endif
8552
8553 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
8554
8555 exit:
8556 mbedtls_platform_zeroize(buf, hash_len);
8557 return ret;
8558 }
8559
8560 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8561 /*
8562 * Helper to get TLS 1.2 PRF from ciphersuite
8563 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
8564 */
ssl_tls12prf_from_cs(int ciphersuite_id)8565 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
8566 {
8567 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
8568 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
8569 #if defined(MBEDTLS_MD_CAN_SHA384)
8570 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
8571 return tls_prf_sha384;
8572 } else
8573 #endif
8574 #if defined(MBEDTLS_MD_CAN_SHA256)
8575 {
8576 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
8577 return tls_prf_sha256;
8578 }
8579 }
8580 #endif
8581 #if !defined(MBEDTLS_MD_CAN_SHA384) && \
8582 !defined(MBEDTLS_MD_CAN_SHA256)
8583 (void) ciphersuite_info;
8584 #endif
8585
8586 return NULL;
8587 }
8588 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
8589
tls_prf_get_type(mbedtls_ssl_tls_prf_cb * tls_prf)8590 static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
8591 {
8592 ((void) tls_prf);
8593 #if defined(MBEDTLS_MD_CAN_SHA384)
8594 if (tls_prf == tls_prf_sha384) {
8595 return MBEDTLS_SSL_TLS_PRF_SHA384;
8596 } else
8597 #endif
8598 #if defined(MBEDTLS_MD_CAN_SHA256)
8599 if (tls_prf == tls_prf_sha256) {
8600 return MBEDTLS_SSL_TLS_PRF_SHA256;
8601 } else
8602 #endif
8603 return MBEDTLS_SSL_TLS_PRF_NONE;
8604 }
8605
8606 /*
8607 * Populate a transform structure with session keys and all the other
8608 * necessary information.
8609 *
8610 * Parameters:
8611 * - [in/out]: transform: structure to populate
8612 * [in] must be just initialised with mbedtls_ssl_transform_init()
8613 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
8614 * - [in] ciphersuite
8615 * - [in] master
8616 * - [in] encrypt_then_mac
8617 * - [in] tls_prf: pointer to PRF to use for key derivation
8618 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
8619 * - [in] tls_version: TLS version
8620 * - [in] endpoint: client or server
8621 * - [in] ssl: used for:
8622 * - ssl->conf->{f,p}_export_keys
8623 * [in] optionally used for:
8624 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
8625 */
8626 MBEDTLS_CHECK_RETURN_CRITICAL
ssl_tls12_populate_transform(mbedtls_ssl_transform * transform,int ciphersuite,const unsigned char master[48],int encrypt_then_mac,ssl_tls_prf_t tls_prf,const unsigned char randbytes[64],mbedtls_ssl_protocol_version tls_version,unsigned endpoint,const mbedtls_ssl_context * ssl)8627 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
8628 int ciphersuite,
8629 const unsigned char master[48],
8630 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8631 int encrypt_then_mac,
8632 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8633 ssl_tls_prf_t tls_prf,
8634 const unsigned char randbytes[64],
8635 mbedtls_ssl_protocol_version tls_version,
8636 unsigned endpoint,
8637 const mbedtls_ssl_context *ssl)
8638 {
8639 int ret = 0;
8640 unsigned char keyblk[256];
8641 unsigned char *key1;
8642 unsigned char *key2;
8643 unsigned char *mac_enc;
8644 unsigned char *mac_dec;
8645 size_t mac_key_len = 0;
8646 size_t iv_copy_len;
8647 size_t keylen;
8648 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
8649 mbedtls_ssl_mode_t ssl_mode;
8650 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
8651 const mbedtls_cipher_info_t *cipher_info;
8652 const mbedtls_md_info_t *md_info;
8653 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
8654
8655 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8656 psa_key_type_t key_type;
8657 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8658 psa_algorithm_t alg;
8659 psa_algorithm_t mac_alg = 0;
8660 size_t key_bits;
8661 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8662 #endif
8663
8664 /*
8665 * Some data just needs copying into the structure
8666 */
8667 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8668 transform->encrypt_then_mac = encrypt_then_mac;
8669 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8670 transform->tls_version = tls_version;
8671
8672 #if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
8673 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
8674 #endif
8675
8676 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
8677 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
8678 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
8679 * generation separate. This should never happen. */
8680 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8681 }
8682 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
8683
8684 /*
8685 * Get various info structures
8686 */
8687 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
8688 if (ciphersuite_info == NULL) {
8689 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
8690 ciphersuite));
8691 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8692 }
8693
8694 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
8695 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8696 encrypt_then_mac,
8697 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8698 ciphersuite_info);
8699
8700 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8701 transform->taglen =
8702 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
8703 }
8704
8705 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8706 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher,
8707 transform->taglen,
8708 &alg,
8709 &key_type,
8710 &key_bits)) != PSA_SUCCESS) {
8711 ret = PSA_TO_MBEDTLS_ERR(status);
8712 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
8713 goto end;
8714 }
8715 #else
8716 cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher);
8717 if (cipher_info == NULL) {
8718 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
8719 ciphersuite_info->cipher));
8720 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8721 }
8722 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8723
8724 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8725 mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
8726 if (mac_alg == 0) {
8727 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
8728 (unsigned) ciphersuite_info->mac));
8729 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8730 }
8731 #else
8732 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
8733 if (md_info == NULL) {
8734 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found",
8735 (unsigned) ciphersuite_info->mac));
8736 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8737 }
8738 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8739
8740 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
8741 /* Copy own and peer's CID if the use of the CID
8742 * extension has been negotiated. */
8743 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
8744 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
8745
8746 transform->in_cid_len = ssl->own_cid_len;
8747 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
8748 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
8749 transform->in_cid_len);
8750
8751 transform->out_cid_len = ssl->handshake->peer_cid_len;
8752 memcpy(transform->out_cid, ssl->handshake->peer_cid,
8753 ssl->handshake->peer_cid_len);
8754 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
8755 transform->out_cid_len);
8756 }
8757 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
8758
8759 /*
8760 * Compute key block using the PRF
8761 */
8762 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
8763 if (ret != 0) {
8764 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
8765 return ret;
8766 }
8767
8768 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
8769 mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
8770 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
8771 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
8772 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
8773
8774 /*
8775 * Determine the appropriate key, IV and MAC length.
8776 */
8777
8778 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8779 keylen = PSA_BITS_TO_BYTES(key_bits);
8780 #else
8781 keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
8782 #endif
8783
8784 #if defined(MBEDTLS_SSL_HAVE_AEAD)
8785 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8786 size_t explicit_ivlen;
8787
8788 transform->maclen = 0;
8789 mac_key_len = 0;
8790
8791 /* All modes haves 96-bit IVs, but the length of the static parts vary
8792 * with mode and version:
8793 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
8794 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
8795 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
8796 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
8797 * sequence number).
8798 */
8799 transform->ivlen = 12;
8800
8801 int is_chachapoly = 0;
8802 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8803 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20);
8804 #else
8805 is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info)
8806 == MBEDTLS_MODE_CHACHAPOLY);
8807 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8808
8809 if (is_chachapoly) {
8810 transform->fixed_ivlen = 12;
8811 } else {
8812 transform->fixed_ivlen = 4;
8813 }
8814
8815 /* Minimum length of encrypted record */
8816 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
8817 transform->minlen = explicit_ivlen + transform->taglen;
8818 } else
8819 #endif /* MBEDTLS_SSL_HAVE_AEAD */
8820 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8821 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
8822 ssl_mode == MBEDTLS_SSL_MODE_CBC ||
8823 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8824 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8825 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
8826 #else
8827 size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info);
8828 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8829
8830 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8831 /* Get MAC length */
8832 mac_key_len = PSA_HASH_LENGTH(mac_alg);
8833 #else
8834 /* Initialize HMAC contexts */
8835 if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 ||
8836 (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) {
8837 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
8838 goto end;
8839 }
8840
8841 /* Get MAC length */
8842 mac_key_len = mbedtls_md_get_size(md_info);
8843 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8844 transform->maclen = mac_key_len;
8845
8846 /* IV length */
8847 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8848 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
8849 #else
8850 transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info);
8851 #endif /* MBEDTLS_USE_PSA_CRYPTO */
8852
8853 /* Minimum length */
8854 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
8855 transform->minlen = transform->maclen;
8856 } else {
8857 /*
8858 * GenericBlockCipher:
8859 * 1. if EtM is in use: one block plus MAC
8860 * otherwise: * first multiple of blocklen greater than maclen
8861 * 2. IV
8862 */
8863 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8864 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8865 transform->minlen = transform->maclen
8866 + block_size;
8867 } else
8868 #endif
8869 {
8870 transform->minlen = transform->maclen
8871 + block_size
8872 - transform->maclen % block_size;
8873 }
8874
8875 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
8876 transform->minlen += transform->ivlen;
8877 } else {
8878 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8879 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8880 goto end;
8881 }
8882 }
8883 } else
8884 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
8885 {
8886 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8887 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8888 }
8889
8890 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
8891 (unsigned) keylen,
8892 (unsigned) transform->minlen,
8893 (unsigned) transform->ivlen,
8894 (unsigned) transform->maclen));
8895
8896 /*
8897 * Finally setup the cipher contexts, IVs and MAC secrets.
8898 */
8899 #if defined(MBEDTLS_SSL_CLI_C)
8900 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
8901 key1 = keyblk + mac_key_len * 2;
8902 key2 = keyblk + mac_key_len * 2 + keylen;
8903
8904 mac_enc = keyblk;
8905 mac_dec = keyblk + mac_key_len;
8906
8907 iv_copy_len = (transform->fixed_ivlen) ?
8908 transform->fixed_ivlen : transform->ivlen;
8909 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len);
8910 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
8911 iv_copy_len);
8912 } else
8913 #endif /* MBEDTLS_SSL_CLI_C */
8914 #if defined(MBEDTLS_SSL_SRV_C)
8915 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
8916 key1 = keyblk + mac_key_len * 2 + keylen;
8917 key2 = keyblk + mac_key_len * 2;
8918
8919 mac_enc = keyblk + mac_key_len;
8920 mac_dec = keyblk;
8921
8922 iv_copy_len = (transform->fixed_ivlen) ?
8923 transform->fixed_ivlen : transform->ivlen;
8924 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len);
8925 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
8926 iv_copy_len);
8927 } else
8928 #endif /* MBEDTLS_SSL_SRV_C */
8929 {
8930 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8931 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8932 goto end;
8933 }
8934
8935 if (ssl->f_export_keys != NULL) {
8936 ssl->f_export_keys(ssl->p_export_keys,
8937 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
8938 master, 48,
8939 randbytes + 32,
8940 randbytes,
8941 tls_prf_get_type(tls_prf));
8942 }
8943
8944 #if defined(MBEDTLS_USE_PSA_CRYPTO)
8945 transform->psa_alg = alg;
8946
8947 if (alg != MBEDTLS_SSL_NULL_CIPHER) {
8948 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
8949 psa_set_key_algorithm(&attributes, alg);
8950 psa_set_key_type(&attributes, key_type);
8951
8952 if ((status = psa_import_key(&attributes,
8953 key1,
8954 PSA_BITS_TO_BYTES(key_bits),
8955 &transform->psa_key_enc)) != PSA_SUCCESS) {
8956 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
8957 ret = PSA_TO_MBEDTLS_ERR(status);
8958 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8959 goto end;
8960 }
8961
8962 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8963
8964 if ((status = psa_import_key(&attributes,
8965 key2,
8966 PSA_BITS_TO_BYTES(key_bits),
8967 &transform->psa_key_dec)) != PSA_SUCCESS) {
8968 ret = PSA_TO_MBEDTLS_ERR(status);
8969 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8970 goto end;
8971 }
8972 }
8973 #else
8974 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
8975 cipher_info)) != 0) {
8976 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8977 goto end;
8978 }
8979
8980 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
8981 cipher_info)) != 0) {
8982 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8983 goto end;
8984 }
8985
8986 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1,
8987 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8988 MBEDTLS_ENCRYPT)) != 0) {
8989 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8990 goto end;
8991 }
8992
8993 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2,
8994 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8995 MBEDTLS_DECRYPT)) != 0) {
8996 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8997 goto end;
8998 }
8999
9000 #if defined(MBEDTLS_CIPHER_MODE_CBC)
9001 if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) {
9002 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc,
9003 MBEDTLS_PADDING_NONE)) != 0) {
9004 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
9005 goto end;
9006 }
9007
9008 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec,
9009 MBEDTLS_PADDING_NONE)) != 0) {
9010 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
9011 goto end;
9012 }
9013 }
9014 #endif /* MBEDTLS_CIPHER_MODE_CBC */
9015 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9016
9017 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
9018 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
9019 For AEAD-based ciphersuites, there is nothing to do here. */
9020 if (mac_key_len != 0) {
9021 #if defined(MBEDTLS_USE_PSA_CRYPTO)
9022 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg);
9023
9024 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
9025 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg));
9026 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
9027
9028 if ((status = psa_import_key(&attributes,
9029 mac_enc, mac_key_len,
9030 &transform->psa_mac_enc)) != PSA_SUCCESS) {
9031 ret = PSA_TO_MBEDTLS_ERR(status);
9032 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
9033 goto end;
9034 }
9035
9036 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) ||
9037 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING)
9038 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
9039 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED)
9040 #endif
9041 )) {
9042 /* mbedtls_ct_hmac() requires the key to be exportable */
9043 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
9044 PSA_KEY_USAGE_VERIFY_HASH);
9045 } else {
9046 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
9047 }
9048
9049 if ((status = psa_import_key(&attributes,
9050 mac_dec, mac_key_len,
9051 &transform->psa_mac_dec)) != PSA_SUCCESS) {
9052 ret = PSA_TO_MBEDTLS_ERR(status);
9053 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
9054 goto end;
9055 }
9056 #else
9057 ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len);
9058 if (ret != 0) {
9059 goto end;
9060 }
9061 ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len);
9062 if (ret != 0) {
9063 goto end;
9064 }
9065 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9066 }
9067 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
9068
9069 ((void) mac_dec);
9070 ((void) mac_enc);
9071
9072 end:
9073 mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
9074 return ret;
9075 }
9076
9077 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
9078 defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_ecjpake_read_round(psa_pake_operation_t * pake_ctx,const unsigned char * buf,size_t len,mbedtls_ecjpake_rounds_t round)9079 int mbedtls_psa_ecjpake_read_round(
9080 psa_pake_operation_t *pake_ctx,
9081 const unsigned char *buf,
9082 size_t len, mbedtls_ecjpake_rounds_t round)
9083 {
9084 psa_status_t status;
9085 size_t input_offset = 0;
9086 /*
9087 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
9088 * At round two perform a single cycle
9089 */
9090 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
9091
9092 for (; remaining_steps > 0; remaining_steps--) {
9093 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
9094 step <= PSA_PAKE_STEP_ZK_PROOF;
9095 ++step) {
9096 /* Length is stored at the first byte */
9097 size_t length = buf[input_offset];
9098 input_offset += 1;
9099
9100 if (input_offset + length > len) {
9101 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
9102 }
9103
9104 status = psa_pake_input(pake_ctx, step,
9105 buf + input_offset, length);
9106 if (status != PSA_SUCCESS) {
9107 return PSA_TO_MBEDTLS_ERR(status);
9108 }
9109
9110 input_offset += length;
9111 }
9112 }
9113
9114 if (input_offset != len) {
9115 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
9116 }
9117
9118 return 0;
9119 }
9120
mbedtls_psa_ecjpake_write_round(psa_pake_operation_t * pake_ctx,unsigned char * buf,size_t len,size_t * olen,mbedtls_ecjpake_rounds_t round)9121 int mbedtls_psa_ecjpake_write_round(
9122 psa_pake_operation_t *pake_ctx,
9123 unsigned char *buf,
9124 size_t len, size_t *olen,
9125 mbedtls_ecjpake_rounds_t round)
9126 {
9127 psa_status_t status;
9128 size_t output_offset = 0;
9129 size_t output_len;
9130 /*
9131 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
9132 * At round two perform a single cycle
9133 */
9134 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
9135
9136 for (; remaining_steps > 0; remaining_steps--) {
9137 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
9138 step <= PSA_PAKE_STEP_ZK_PROOF;
9139 ++step) {
9140 /*
9141 * For each step, prepend 1 byte with the length of the data as
9142 * given by psa_pake_output().
9143 */
9144 status = psa_pake_output(pake_ctx, step,
9145 buf + output_offset + 1,
9146 len - output_offset - 1,
9147 &output_len);
9148 if (status != PSA_SUCCESS) {
9149 return PSA_TO_MBEDTLS_ERR(status);
9150 }
9151
9152 *(buf + output_offset) = (uint8_t) output_len;
9153
9154 output_offset += output_len + 1;
9155 }
9156 }
9157
9158 *olen = output_offset;
9159
9160 return 0;
9161 }
9162 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
9163
9164 #if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)9165 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
9166 unsigned char *hash, size_t *hashlen,
9167 unsigned char *data, size_t data_len,
9168 mbedtls_md_type_t md_alg)
9169 {
9170 psa_status_t status;
9171 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
9172 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
9173
9174 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
9175
9176 if ((status = psa_hash_setup(&hash_operation,
9177 hash_alg)) != PSA_SUCCESS) {
9178 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
9179 goto exit;
9180 }
9181
9182 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
9183 64)) != PSA_SUCCESS) {
9184 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
9185 goto exit;
9186 }
9187
9188 if ((status = psa_hash_update(&hash_operation,
9189 data, data_len)) != PSA_SUCCESS) {
9190 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
9191 goto exit;
9192 }
9193
9194 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE,
9195 hashlen)) != PSA_SUCCESS) {
9196 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
9197 goto exit;
9198 }
9199
9200 exit:
9201 if (status != PSA_SUCCESS) {
9202 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9203 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
9204 switch (status) {
9205 case PSA_ERROR_NOT_SUPPORTED:
9206 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
9207 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
9208 case PSA_ERROR_BUFFER_TOO_SMALL:
9209 return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
9210 case PSA_ERROR_INSUFFICIENT_MEMORY:
9211 return MBEDTLS_ERR_MD_ALLOC_FAILED;
9212 default:
9213 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
9214 }
9215 }
9216 return 0;
9217 }
9218
9219 #else
9220
mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context * ssl,unsigned char * hash,size_t * hashlen,unsigned char * data,size_t data_len,mbedtls_md_type_t md_alg)9221 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
9222 unsigned char *hash, size_t *hashlen,
9223 unsigned char *data, size_t data_len,
9224 mbedtls_md_type_t md_alg)
9225 {
9226 int ret = 0;
9227 mbedtls_md_context_t ctx;
9228 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
9229 *hashlen = mbedtls_md_get_size(md_info);
9230
9231 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange"));
9232
9233 mbedtls_md_init(&ctx);
9234
9235 /*
9236 * digitally-signed struct {
9237 * opaque client_random[32];
9238 * opaque server_random[32];
9239 * ServerDHParams params;
9240 * };
9241 */
9242 if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
9243 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
9244 goto exit;
9245 }
9246 if ((ret = mbedtls_md_starts(&ctx)) != 0) {
9247 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret);
9248 goto exit;
9249 }
9250 if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) {
9251 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
9252 goto exit;
9253 }
9254 if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) {
9255 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
9256 goto exit;
9257 }
9258 if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) {
9259 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
9260 goto exit;
9261 }
9262
9263 exit:
9264 mbedtls_md_free(&ctx);
9265
9266 if (ret != 0) {
9267 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9268 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
9269 }
9270
9271 return ret;
9272 }
9273 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9274
9275 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
9276
9277 /* Find the preferred hash for a given signature algorithm. */
mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(mbedtls_ssl_context * ssl,unsigned int sig_alg)9278 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
9279 mbedtls_ssl_context *ssl,
9280 unsigned int sig_alg)
9281 {
9282 unsigned int i;
9283 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
9284
9285 if (sig_alg == MBEDTLS_SSL_SIG_ANON) {
9286 return MBEDTLS_SSL_HASH_NONE;
9287 }
9288
9289 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
9290 unsigned int hash_alg_received =
9291 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
9292 received_sig_algs[i]);
9293 unsigned int sig_alg_received =
9294 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
9295 received_sig_algs[i]);
9296
9297 mbedtls_md_type_t md_alg =
9298 mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received);
9299 if (md_alg == MBEDTLS_MD_NONE) {
9300 continue;
9301 }
9302
9303 if (sig_alg == sig_alg_received) {
9304 #if defined(MBEDTLS_USE_PSA_CRYPTO)
9305 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
9306 psa_algorithm_t psa_hash_alg =
9307 mbedtls_md_psa_alg_from_type(md_alg);
9308
9309 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
9310 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
9311 PSA_ALG_ECDSA(psa_hash_alg),
9312 PSA_KEY_USAGE_SIGN_HASH)) {
9313 continue;
9314 }
9315
9316 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
9317 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
9318 PSA_ALG_RSA_PKCS1V15_SIGN(
9319 psa_hash_alg),
9320 PSA_KEY_USAGE_SIGN_HASH)) {
9321 continue;
9322 }
9323 }
9324 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9325
9326 return hash_alg_received;
9327 }
9328 }
9329
9330 return MBEDTLS_SSL_HASH_NONE;
9331 }
9332
9333 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
9334
9335 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9336
mbedtls_ssl_validate_ciphersuite(const mbedtls_ssl_context * ssl,const mbedtls_ssl_ciphersuite_t * suite_info,mbedtls_ssl_protocol_version min_tls_version,mbedtls_ssl_protocol_version max_tls_version)9337 int mbedtls_ssl_validate_ciphersuite(
9338 const mbedtls_ssl_context *ssl,
9339 const mbedtls_ssl_ciphersuite_t *suite_info,
9340 mbedtls_ssl_protocol_version min_tls_version,
9341 mbedtls_ssl_protocol_version max_tls_version)
9342 {
9343 (void) ssl;
9344
9345 if (suite_info == NULL) {
9346 return -1;
9347 }
9348
9349 if ((suite_info->min_tls_version > max_tls_version) ||
9350 (suite_info->max_tls_version < min_tls_version)) {
9351 return -1;
9352 }
9353
9354 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
9355 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
9356 #if defined(MBEDTLS_USE_PSA_CRYPTO)
9357 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9358 ssl->handshake->psa_pake_ctx_is_ok != 1)
9359 #else
9360 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9361 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
9362 #endif /* MBEDTLS_USE_PSA_CRYPTO */
9363 {
9364 return -1;
9365 }
9366 #endif
9367
9368 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
9369 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
9370 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
9371 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
9372 return -1;
9373 }
9374 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
9375 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9376
9377 return 0;
9378 }
9379
9380 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
9381 /*
9382 * Function for writing a signature algorithm extension.
9383 *
9384 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
9385 * value (TLS 1.3 RFC8446):
9386 * enum {
9387 * ....
9388 * ecdsa_secp256r1_sha256( 0x0403 ),
9389 * ecdsa_secp384r1_sha384( 0x0503 ),
9390 * ecdsa_secp521r1_sha512( 0x0603 ),
9391 * ....
9392 * } SignatureScheme;
9393 *
9394 * struct {
9395 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
9396 * } SignatureSchemeList;
9397 *
9398 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
9399 * value (TLS 1.2 RFC5246):
9400 * enum {
9401 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
9402 * sha512(6), (255)
9403 * } HashAlgorithm;
9404 *
9405 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
9406 * SignatureAlgorithm;
9407 *
9408 * struct {
9409 * HashAlgorithm hash;
9410 * SignatureAlgorithm signature;
9411 * } SignatureAndHashAlgorithm;
9412 *
9413 * SignatureAndHashAlgorithm
9414 * supported_signature_algorithms<2..2^16-2>;
9415 *
9416 * The TLS 1.3 signature algorithm extension was defined to be a compatible
9417 * generalization of the TLS 1.2 signature algorithm extension.
9418 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
9419 * `SignatureScheme` field of TLS 1.3
9420 *
9421 */
mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context * ssl,unsigned char * buf,const unsigned char * end,size_t * out_len)9422 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
9423 const unsigned char *end, size_t *out_len)
9424 {
9425 unsigned char *p = buf;
9426 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
9427 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
9428
9429 *out_len = 0;
9430
9431 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension"));
9432
9433 /* Check if we have space for header and length field:
9434 * - extension_type (2 bytes)
9435 * - extension_data_length (2 bytes)
9436 * - supported_signature_algorithms_length (2 bytes)
9437 */
9438 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
9439 p += 6;
9440
9441 /*
9442 * Write supported_signature_algorithms
9443 */
9444 supported_sig_alg = p;
9445 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
9446 if (sig_alg == NULL) {
9447 return MBEDTLS_ERR_SSL_BAD_CONFIG;
9448 }
9449
9450 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
9451 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s",
9452 *sig_alg,
9453 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9454 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
9455 continue;
9456 }
9457 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
9458 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
9459 p += 2;
9460 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s",
9461 *sig_alg,
9462 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9463 }
9464
9465 /* Length of supported_signature_algorithms */
9466 supported_sig_alg_len = (size_t) (p - supported_sig_alg);
9467 if (supported_sig_alg_len == 0) {
9468 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
9469 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
9470 }
9471
9472 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0);
9473 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
9474 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
9475
9476 *out_len = (size_t) (p - buf);
9477
9478 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9479 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
9480 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
9481
9482 return 0;
9483 }
9484 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
9485
9486 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9487 /*
9488 * mbedtls_ssl_parse_server_name_ext
9489 *
9490 * Structure of server_name extension:
9491 *
9492 * enum {
9493 * host_name(0), (255)
9494 * } NameType;
9495 * opaque HostName<1..2^16-1>;
9496 *
9497 * struct {
9498 * NameType name_type;
9499 * select (name_type) {
9500 * case host_name: HostName;
9501 * } name;
9502 * } ServerName;
9503 * struct {
9504 * ServerName server_name_list<1..2^16-1>
9505 * } ServerNameList;
9506 */
9507 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9508 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
9509 const unsigned char *buf,
9510 const unsigned char *end)
9511 {
9512 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
9513 const unsigned char *p = buf;
9514 size_t server_name_list_len, hostname_len;
9515 const unsigned char *server_name_list_end;
9516
9517 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
9518
9519 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
9520 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9521 p += 2;
9522
9523 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len);
9524 server_name_list_end = p + server_name_list_len;
9525 while (p < server_name_list_end) {
9526 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3);
9527 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1);
9528 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end,
9529 hostname_len + 3);
9530
9531 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
9532 /* sni_name is intended to be used only during the parsing of the
9533 * ClientHello message (it is reset to NULL before the end of
9534 * the message parsing). Thus it is ok to just point to the
9535 * reception buffer and not make a copy of it.
9536 */
9537 ssl->handshake->sni_name = p + 3;
9538 ssl->handshake->sni_name_len = hostname_len;
9539 if (ssl->conf->f_sni == NULL) {
9540 return 0;
9541 }
9542 ret = ssl->conf->f_sni(ssl->conf->p_sni,
9543 ssl, p + 3, hostname_len);
9544 if (ret != 0) {
9545 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
9546 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
9547 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME);
9548 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME;
9549 }
9550 return 0;
9551 }
9552
9553 p += hostname_len + 3;
9554 }
9555
9556 return 0;
9557 }
9558 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
9559
9560 #if defined(MBEDTLS_SSL_ALPN)
9561 MBEDTLS_CHECK_RETURN_CRITICAL
mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context * ssl,const unsigned char * buf,const unsigned char * end)9562 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
9563 const unsigned char *buf,
9564 const unsigned char *end)
9565 {
9566 const unsigned char *p = buf;
9567 size_t protocol_name_list_len;
9568 const unsigned char *protocol_name_list;
9569 const unsigned char *protocol_name_list_end;
9570 size_t protocol_name_len;
9571
9572 /* If ALPN not configured, just ignore the extension */
9573 if (ssl->conf->alpn_list == NULL) {
9574 return 0;
9575 }
9576
9577 /*
9578 * RFC7301, section 3.1
9579 * opaque ProtocolName<1..2^8-1>;
9580 *
9581 * struct {
9582 * ProtocolName protocol_name_list<2..2^16-1>
9583 * } ProtocolNameList;
9584 */
9585
9586 /*
9587 * protocol_name_list_len 2 bytes
9588 * protocol_name_len 1 bytes
9589 * protocol_name >=1 byte
9590 */
9591 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
9592
9593 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9594 p += 2;
9595 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
9596 protocol_name_list = p;
9597 protocol_name_list_end = p + protocol_name_list_len;
9598
9599 /* Validate peer's list (lengths) */
9600 while (p < protocol_name_list_end) {
9601 protocol_name_len = *p++;
9602 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end,
9603 protocol_name_len);
9604 if (protocol_name_len == 0) {
9605 MBEDTLS_SSL_PEND_FATAL_ALERT(
9606 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
9607 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
9608 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
9609 }
9610
9611 p += protocol_name_len;
9612 }
9613
9614 /* Use our order of preference */
9615 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
9616 size_t const alpn_len = strlen(*alpn);
9617 p = protocol_name_list;
9618 while (p < protocol_name_list_end) {
9619 protocol_name_len = *p++;
9620 if (protocol_name_len == alpn_len &&
9621 memcmp(p, *alpn, alpn_len) == 0) {
9622 ssl->alpn_chosen = *alpn;
9623 return 0;
9624 }
9625
9626 p += protocol_name_len;
9627 }
9628 }
9629
9630 /* If we get here, no match was found */
9631 MBEDTLS_SSL_PEND_FATAL_ALERT(
9632 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
9633 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL);
9634 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL;
9635 }
9636
mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context * ssl,unsigned char * buf,unsigned char * end,size_t * out_len)9637 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
9638 unsigned char *buf,
9639 unsigned char *end,
9640 size_t *out_len)
9641 {
9642 unsigned char *p = buf;
9643 size_t protocol_name_len;
9644 *out_len = 0;
9645
9646 if (ssl->alpn_chosen == NULL) {
9647 return 0;
9648 }
9649
9650 protocol_name_len = strlen(ssl->alpn_chosen);
9651 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len);
9652
9653 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension"));
9654 /*
9655 * 0 . 1 ext identifier
9656 * 2 . 3 ext length
9657 * 4 . 5 protocol list length
9658 * 6 . 6 protocol name length
9659 * 7 . 7+n protocol name
9660 */
9661 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
9662
9663 *out_len = 7 + protocol_name_len;
9664
9665 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2);
9666 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4);
9667 /* Note: the length of the chosen protocol has been checked to be less
9668 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
9669 */
9670 p[6] = MBEDTLS_BYTE_0(protocol_name_len);
9671
9672 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len);
9673
9674 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9675 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
9676 #endif
9677
9678 return 0;
9679 }
9680 #endif /* MBEDTLS_SSL_ALPN */
9681
9682 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
9683 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
9684 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
9685 defined(MBEDTLS_SSL_CLI_C)
mbedtls_ssl_session_set_hostname(mbedtls_ssl_session * session,const char * hostname)9686 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
9687 const char *hostname)
9688 {
9689 /* Initialize to suppress unnecessary compiler warning */
9690 size_t hostname_len = 0;
9691
9692 /* Check if new hostname is valid before
9693 * making any change to current one */
9694 if (hostname != NULL) {
9695 hostname_len = strlen(hostname);
9696
9697 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
9698 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9699 }
9700 }
9701
9702 /* Now it's clear that we will overwrite the old hostname,
9703 * so we can free it safely */
9704 if (session->hostname != NULL) {
9705 mbedtls_zeroize_and_free(session->hostname,
9706 strlen(session->hostname));
9707 }
9708
9709 /* Passing NULL as hostname shall clear the old one */
9710 if (hostname == NULL) {
9711 session->hostname = NULL;
9712 } else {
9713 session->hostname = mbedtls_calloc(1, hostname_len + 1);
9714 if (session->hostname == NULL) {
9715 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9716 }
9717
9718 memcpy(session->hostname, hostname, hostname_len);
9719 }
9720
9721 return 0;
9722 }
9723 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
9724 MBEDTLS_SSL_SESSION_TICKETS &&
9725 MBEDTLS_SSL_SERVER_NAME_INDICATION &&
9726 MBEDTLS_SSL_CLI_C */
9727
9728 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
9729 defined(MBEDTLS_SSL_ALPN)
mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session * session,const char * alpn)9730 int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
9731 const char *alpn)
9732 {
9733 size_t alpn_len = 0;
9734
9735 if (alpn != NULL) {
9736 alpn_len = strlen(alpn);
9737
9738 if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) {
9739 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9740 }
9741 }
9742
9743 if (session->ticket_alpn != NULL) {
9744 mbedtls_zeroize_and_free(session->ticket_alpn,
9745 strlen(session->ticket_alpn));
9746 session->ticket_alpn = NULL;
9747 }
9748
9749 if (alpn != NULL) {
9750 session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1);
9751 if (session->ticket_alpn == NULL) {
9752 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9753 }
9754 memcpy(session->ticket_alpn, alpn, alpn_len);
9755 }
9756
9757 return 0;
9758 }
9759 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
9760
9761 /*
9762 * The following functions are used by 1.2 and 1.3, client and server.
9763 */
9764 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt * cert,const mbedtls_ssl_ciphersuite_t * ciphersuite,int recv_endpoint,mbedtls_ssl_protocol_version tls_version,uint32_t * flags)9765 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
9766 const mbedtls_ssl_ciphersuite_t *ciphersuite,
9767 int recv_endpoint,
9768 mbedtls_ssl_protocol_version tls_version,
9769 uint32_t *flags)
9770 {
9771 int ret = 0;
9772 unsigned int usage = 0;
9773 const char *ext_oid;
9774 size_t ext_len;
9775
9776 /*
9777 * keyUsage
9778 */
9779
9780 /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants
9781 * to check what a compliant client will think while choosing which cert
9782 * to send to the client. */
9783 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
9784 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
9785 recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
9786 /* TLS 1.2 server part of the key exchange */
9787 switch (ciphersuite->key_exchange) {
9788 case MBEDTLS_KEY_EXCHANGE_RSA:
9789 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
9790 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
9791 break;
9792
9793 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
9794 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
9795 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
9796 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9797 break;
9798
9799 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
9800 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
9801 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
9802 break;
9803
9804 /* Don't use default: we want warnings when adding new values */
9805 case MBEDTLS_KEY_EXCHANGE_NONE:
9806 case MBEDTLS_KEY_EXCHANGE_PSK:
9807 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
9808 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
9809 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
9810 usage = 0;
9811 }
9812 } else
9813 #endif
9814 {
9815 /* This is either TLS 1.3 authentication, which always uses signatures,
9816 * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only
9817 * options we implement, both using signatures. */
9818 (void) tls_version;
9819 (void) ciphersuite;
9820 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9821 }
9822
9823 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
9824 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
9825 ret = -1;
9826 }
9827
9828 /*
9829 * extKeyUsage
9830 */
9831
9832 if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
9833 ext_oid = MBEDTLS_OID_SERVER_AUTH;
9834 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
9835 } else {
9836 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
9837 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
9838 }
9839
9840 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
9841 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
9842 ret = -1;
9843 }
9844
9845 return ret;
9846 }
9847
get_hostname_for_verification(mbedtls_ssl_context * ssl,const char ** hostname)9848 static int get_hostname_for_verification(mbedtls_ssl_context *ssl,
9849 const char **hostname)
9850 {
9851 if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) {
9852 MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname"));
9853 #if !defined(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME)
9854 if (mbedtls_ssl_conf_get_endpoint(ssl->conf) == MBEDTLS_SSL_IS_CLIENT &&
9855 ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
9856 return MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME;
9857 }
9858 #endif
9859 }
9860
9861 *hostname = mbedtls_ssl_get_hostname_pointer(ssl);
9862 if (*hostname == NULL) {
9863 MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification"));
9864 }
9865
9866 return 0;
9867 }
9868
mbedtls_ssl_verify_certificate(mbedtls_ssl_context * ssl,int authmode,mbedtls_x509_crt * chain,const mbedtls_ssl_ciphersuite_t * ciphersuite_info,void * rs_ctx)9869 int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
9870 int authmode,
9871 mbedtls_x509_crt *chain,
9872 const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
9873 void *rs_ctx)
9874 {
9875 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
9876 return 0;
9877 }
9878
9879 /*
9880 * Primary check: use the appropriate X.509 verification function
9881 */
9882 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
9883 void *p_vrfy;
9884 if (ssl->f_vrfy != NULL) {
9885 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
9886 f_vrfy = ssl->f_vrfy;
9887 p_vrfy = ssl->p_vrfy;
9888 } else {
9889 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
9890 f_vrfy = ssl->conf->f_vrfy;
9891 p_vrfy = ssl->conf->p_vrfy;
9892 }
9893
9894 const char *hostname = "";
9895 int ret = get_hostname_for_verification(ssl, &hostname);
9896 if (ret != 0) {
9897 MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret);
9898 return ret;
9899 }
9900
9901 int have_ca_chain_or_callback = 0;
9902 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
9903 if (ssl->conf->f_ca_cb != NULL) {
9904 ((void) rs_ctx);
9905 have_ca_chain_or_callback = 1;
9906
9907 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
9908 ret = mbedtls_x509_crt_verify_with_ca_cb(
9909 chain,
9910 ssl->conf->f_ca_cb,
9911 ssl->conf->p_ca_cb,
9912 ssl->conf->cert_profile,
9913 hostname,
9914 &ssl->session_negotiate->verify_result,
9915 f_vrfy, p_vrfy);
9916 } else
9917 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
9918 {
9919 mbedtls_x509_crt *ca_chain;
9920 mbedtls_x509_crl *ca_crl;
9921 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9922 if (ssl->handshake->sni_ca_chain != NULL) {
9923 ca_chain = ssl->handshake->sni_ca_chain;
9924 ca_crl = ssl->handshake->sni_ca_crl;
9925 } else
9926 #endif
9927 {
9928 ca_chain = ssl->conf->ca_chain;
9929 ca_crl = ssl->conf->ca_crl;
9930 }
9931
9932 if (ca_chain != NULL) {
9933 have_ca_chain_or_callback = 1;
9934 }
9935
9936 ret = mbedtls_x509_crt_verify_restartable(
9937 chain,
9938 ca_chain, ca_crl,
9939 ssl->conf->cert_profile,
9940 hostname,
9941 &ssl->session_negotiate->verify_result,
9942 f_vrfy, p_vrfy, rs_ctx);
9943 }
9944
9945 if (ret != 0) {
9946 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
9947 }
9948
9949 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
9950 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
9951 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
9952 }
9953 #endif
9954
9955 /*
9956 * Secondary checks: always done, but change 'ret' only if it was 0
9957 */
9958
9959 /* With TLS 1.2 and ECC certs, check that the curve used by the
9960 * certificate is on our list of acceptable curves.
9961 *
9962 * With TLS 1.3 this is not needed because the curve is part of the
9963 * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when
9964 * we validate the signature made with the key associated to this cert.
9965 */
9966 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
9967 defined(MBEDTLS_PK_HAVE_ECC_KEYS)
9968 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
9969 mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) {
9970 if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) {
9971 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
9972 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
9973 if (ret == 0) {
9974 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
9975 }
9976 }
9977 }
9978 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_PK_HAVE_ECC_KEYS */
9979
9980 /* Check X.509 usage extensions (keyUsage, extKeyUsage) */
9981 if (mbedtls_ssl_check_cert_usage(chain,
9982 ciphersuite_info,
9983 ssl->conf->endpoint,
9984 ssl->tls_version,
9985 &ssl->session_negotiate->verify_result) != 0) {
9986 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
9987 if (ret == 0) {
9988 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
9989 }
9990 }
9991
9992 /* With authmode optional, we want to keep going if the certificate was
9993 * unacceptable, but still fail on other errors (out of memory etc),
9994 * including fatal errors from the f_vrfy callback.
9995 *
9996 * The only acceptable errors are:
9997 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check;
9998 * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks.
9999 * Anything else is a fatal error. */
10000 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
10001 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
10002 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
10003 ret = 0;
10004 }
10005
10006 /* Return a specific error as this is a user error: inconsistent
10007 * configuration - can't verify without trust anchors. */
10008 if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
10009 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
10010 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
10011 }
10012
10013 if (ret != 0) {
10014 uint8_t alert;
10015
10016 /* The certificate may have been rejected for several reasons.
10017 Pick one and send the corresponding alert. Which alert to send
10018 may be a subject of debate in some cases. */
10019 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
10020 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
10021 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
10022 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
10023 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
10024 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
10025 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
10026 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
10027 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
10028 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
10029 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
10030 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
10031 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
10032 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
10033 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
10034 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
10035 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
10036 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
10037 } else {
10038 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
10039 }
10040 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
10041 alert);
10042 }
10043
10044 #if defined(MBEDTLS_DEBUG_C)
10045 if (ssl->session_negotiate->verify_result != 0) {
10046 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
10047 (unsigned int) ssl->session_negotiate->verify_result));
10048 } else {
10049 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
10050 }
10051 #endif /* MBEDTLS_DEBUG_C */
10052
10053 return ret;
10054 }
10055 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
10056
10057 #if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
10058
10059 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context * ssl,const mbedtls_md_type_t hash_alg,uint8_t * out,const size_t key_len,const char * label,const size_t label_len,const unsigned char * context,const size_t context_len,const int use_context)10060 static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl,
10061 const mbedtls_md_type_t hash_alg,
10062 uint8_t *out,
10063 const size_t key_len,
10064 const char *label,
10065 const size_t label_len,
10066 const unsigned char *context,
10067 const size_t context_len,
10068 const int use_context)
10069 {
10070 int ret = 0;
10071 unsigned char *prf_input = NULL;
10072
10073 /* The input to the PRF is client_random, then server_random.
10074 * If a context is provided, this is then followed by the context length
10075 * as a 16-bit big-endian integer, and then the context itself. */
10076 const size_t randbytes_len = MBEDTLS_CLIENT_HELLO_RANDOM_LEN + MBEDTLS_SERVER_HELLO_RANDOM_LEN;
10077 size_t prf_input_len = randbytes_len;
10078 if (use_context) {
10079 if (context_len > UINT16_MAX) {
10080 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
10081 }
10082
10083 /* This does not overflow a 32-bit size_t because the current value of
10084 * prf_input_len is 64 (length of client_random + server_random) and
10085 * context_len fits into two bytes (checked above). */
10086 prf_input_len += sizeof(uint16_t) + context_len;
10087 }
10088
10089 prf_input = mbedtls_calloc(prf_input_len, sizeof(unsigned char));
10090 if (prf_input == NULL) {
10091 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
10092 }
10093
10094 memcpy(prf_input,
10095 ssl->transform->randbytes + MBEDTLS_SERVER_HELLO_RANDOM_LEN,
10096 MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
10097 memcpy(prf_input + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
10098 ssl->transform->randbytes,
10099 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
10100 if (use_context) {
10101 MBEDTLS_PUT_UINT16_BE(context_len, prf_input, randbytes_len);
10102 memcpy(prf_input + randbytes_len + sizeof(uint16_t), context, context_len);
10103 }
10104 ret = tls_prf_generic(hash_alg, ssl->session->master, sizeof(ssl->session->master),
10105 label, label_len,
10106 prf_input, prf_input_len,
10107 out, key_len);
10108 mbedtls_free(prf_input);
10109 return ret;
10110 }
10111 #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
10112
10113 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context * ssl,const mbedtls_md_type_t hash_alg,uint8_t * out,const size_t key_len,const char * label,const size_t label_len,const unsigned char * context,const size_t context_len)10114 static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl,
10115 const mbedtls_md_type_t hash_alg,
10116 uint8_t *out,
10117 const size_t key_len,
10118 const char *label,
10119 const size_t label_len,
10120 const unsigned char *context,
10121 const size_t context_len)
10122 {
10123 const psa_algorithm_t psa_hash_alg = mbedtls_md_psa_alg_from_type(hash_alg);
10124 const size_t hash_len = PSA_HASH_LENGTH(hash_alg);
10125 const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret;
10126
10127 /* The length of the label must be at most 249 bytes to fit into the HkdfLabel
10128 * struct as defined in RFC 8446, Section 7.1.
10129 *
10130 * The length of the context is unlimited even though the context field in the
10131 * struct can only hold up to 255 bytes. This is because we place a *hash* of
10132 * the context in the field. */
10133 if (label_len > 249) {
10134 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
10135 }
10136
10137 return mbedtls_ssl_tls13_exporter(psa_hash_alg, secret, hash_len,
10138 (const unsigned char *) label, label_len,
10139 context, context_len, out, key_len);
10140 }
10141 #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) */
10142
mbedtls_ssl_export_keying_material(mbedtls_ssl_context * ssl,uint8_t * out,const size_t key_len,const char * label,const size_t label_len,const unsigned char * context,const size_t context_len,const int use_context)10143 int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
10144 uint8_t *out, const size_t key_len,
10145 const char *label, const size_t label_len,
10146 const unsigned char *context, const size_t context_len,
10147 const int use_context)
10148 {
10149 if (!mbedtls_ssl_is_handshake_over(ssl)) {
10150 /* TODO: Change this to a more appropriate error code when one is available. */
10151 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
10152 }
10153
10154 if (key_len > MBEDTLS_SSL_EXPORT_MAX_KEY_LEN) {
10155 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
10156 }
10157
10158 int ciphersuite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(ssl);
10159 const mbedtls_ssl_ciphersuite_t *ciphersuite = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
10160 const mbedtls_md_type_t hash_alg = ciphersuite->mac;
10161
10162 switch (mbedtls_ssl_get_version_number(ssl)) {
10163 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
10164 case MBEDTLS_SSL_VERSION_TLS1_2:
10165 return mbedtls_ssl_tls12_export_keying_material(ssl, hash_alg, out, key_len,
10166 label, label_len,
10167 context, context_len, use_context);
10168 #endif
10169 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
10170 case MBEDTLS_SSL_VERSION_TLS1_3:
10171 return mbedtls_ssl_tls13_export_keying_material(ssl,
10172 hash_alg,
10173 out,
10174 key_len,
10175 label,
10176 label_len,
10177 use_context ? context : NULL,
10178 use_context ? context_len : 0);
10179 #endif
10180 default:
10181 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
10182 }
10183 }
10184
10185 #endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
10186
10187 #endif /* MBEDTLS_SSL_TLS_C */
10188