1 /* 2 * Generic SSL/TLS messaging layer functions 3 * (record layer + retransmission state machine) 4 * 5 * Copyright The Mbed TLS Contributors 6 * SPDX-License-Identifier: Apache-2.0 7 * 8 * Licensed under the Apache License, Version 2.0 (the "License"); you may 9 * not use this file except in compliance with the License. 10 * You may obtain a copy of the License at 11 * 12 * http://www.apache.org/licenses/LICENSE-2.0 13 * 14 * Unless required by applicable law or agreed to in writing, software 15 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 16 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 17 * See the License for the specific language governing permissions and 18 * limitations under the License. 19 */ 20 /* 21 * The SSL 3.0 specification was drafted by Netscape in 1996, 22 * and became an IETF standard in 1999. 23 * 24 * http://wp.netscape.com/eng/ssl3/ 25 * http://www.ietf.org/rfc/rfc2246.txt 26 * http://www.ietf.org/rfc/rfc4346.txt 27 */ 28 29 #include "common.h" 30 31 #if defined(MBEDTLS_SSL_TLS_C) 32 33 #if defined(MBEDTLS_PLATFORM_C) 34 #include "mbedtls/platform.h" 35 #else 36 #include <stdlib.h> 37 #define mbedtls_calloc calloc 38 #define mbedtls_free free 39 #endif 40 41 #include "mbedtls/ssl.h" 42 #include "mbedtls/ssl_internal.h" 43 #include "mbedtls/debug.h" 44 #include "mbedtls/error.h" 45 #include "mbedtls/platform_util.h" 46 #include "mbedtls/version.h" 47 48 #include "ssl_invasive.h" 49 50 #include <string.h> 51 52 #if defined(MBEDTLS_USE_PSA_CRYPTO) 53 #include "mbedtls/psa_util.h" 54 #include "psa/crypto.h" 55 #endif 56 57 #if defined(MBEDTLS_X509_CRT_PARSE_C) 58 #include "mbedtls/oid.h" 59 #endif 60 61 static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ); 62 63 /* 64 * Start a timer. 65 * Passing millisecs = 0 cancels a running timer. 66 */ 67 void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs ) 68 { 69 if( ssl->f_set_timer == NULL ) 70 return; 71 72 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) ); 73 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs ); 74 } 75 76 /* 77 * Return -1 is timer is expired, 0 if it isn't. 78 */ 79 int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl ) 80 { 81 if( ssl->f_get_timer == NULL ) 82 return( 0 ); 83 84 if( ssl->f_get_timer( ssl->p_timer ) == 2 ) 85 { 86 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) ); 87 return( -1 ); 88 } 89 90 return( 0 ); 91 } 92 93 #if defined(MBEDTLS_SSL_RECORD_CHECKING) 94 static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, 95 unsigned char *buf, 96 size_t len, 97 mbedtls_record *rec ); 98 99 int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl, 100 unsigned char *buf, 101 size_t buflen ) 102 { 103 int ret = 0; 104 MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) ); 105 MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen ); 106 107 /* We don't support record checking in TLS because 108 * (a) there doesn't seem to be a usecase for it, and 109 * (b) In SSLv3 and TLS 1.0, CBC record decryption has state 110 * and we'd need to backup the transform here. 111 */ 112 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM ) 113 { 114 ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 115 goto exit; 116 } 117 #if defined(MBEDTLS_SSL_PROTO_DTLS) 118 else 119 { 120 mbedtls_record rec; 121 122 ret = ssl_parse_record_header( ssl, buf, buflen, &rec ); 123 if( ret != 0 ) 124 { 125 MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret ); 126 goto exit; 127 } 128 129 if( ssl->transform_in != NULL ) 130 { 131 ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec ); 132 if( ret != 0 ) 133 { 134 MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret ); 135 goto exit; 136 } 137 } 138 } 139 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 140 141 exit: 142 /* On success, we have decrypted the buffer in-place, so make 143 * sure we don't leak any plaintext data. */ 144 mbedtls_platform_zeroize( buf, buflen ); 145 146 /* For the purpose of this API, treat messages with unexpected CID 147 * as well as such from future epochs as unexpected. */ 148 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID || 149 ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) 150 { 151 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; 152 } 153 154 MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) ); 155 return( ret ); 156 } 157 #endif /* MBEDTLS_SSL_RECORD_CHECKING */ 158 159 #define SSL_DONT_FORCE_FLUSH 0 160 #define SSL_FORCE_FLUSH 1 161 162 #if defined(MBEDTLS_SSL_PROTO_DTLS) 163 164 /* Forward declarations for functions related to message buffering. */ 165 static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl, 166 uint8_t slot ); 167 static void ssl_free_buffered_record( mbedtls_ssl_context *ssl ); 168 static int ssl_load_buffered_message( mbedtls_ssl_context *ssl ); 169 static int ssl_load_buffered_record( mbedtls_ssl_context *ssl ); 170 static int ssl_buffer_message( mbedtls_ssl_context *ssl ); 171 static int ssl_buffer_future_record( mbedtls_ssl_context *ssl, 172 mbedtls_record const *rec ); 173 static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl ); 174 175 static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl ) 176 { 177 size_t mtu = mbedtls_ssl_get_current_mtu( ssl ); 178 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 179 size_t out_buf_len = ssl->out_buf_len; 180 #else 181 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 182 #endif 183 184 if( mtu != 0 && mtu < out_buf_len ) 185 return( mtu ); 186 187 return( out_buf_len ); 188 } 189 190 static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl ) 191 { 192 size_t const bytes_written = ssl->out_left; 193 size_t const mtu = ssl_get_maximum_datagram_size( ssl ); 194 195 /* Double-check that the write-index hasn't gone 196 * past what we can transmit in a single datagram. */ 197 if( bytes_written > mtu ) 198 { 199 /* Should never happen... */ 200 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 201 } 202 203 return( (int) ( mtu - bytes_written ) ); 204 } 205 206 static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl ) 207 { 208 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 209 size_t remaining, expansion; 210 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN; 211 212 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 213 const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl ); 214 215 if( max_len > mfl ) 216 max_len = mfl; 217 218 /* By the standard (RFC 6066 Sect. 4), the MFL extension 219 * only limits the maximum record payload size, so in theory 220 * we would be allowed to pack multiple records of payload size 221 * MFL into a single datagram. However, this would mean that there's 222 * no way to explicitly communicate MTU restrictions to the peer. 223 * 224 * The following reduction of max_len makes sure that we never 225 * write datagrams larger than MFL + Record Expansion Overhead. 226 */ 227 if( max_len <= ssl->out_left ) 228 return( 0 ); 229 230 max_len -= ssl->out_left; 231 #endif 232 233 ret = ssl_get_remaining_space_in_datagram( ssl ); 234 if( ret < 0 ) 235 return( ret ); 236 remaining = (size_t) ret; 237 238 ret = mbedtls_ssl_get_record_expansion( ssl ); 239 if( ret < 0 ) 240 return( ret ); 241 expansion = (size_t) ret; 242 243 if( remaining <= expansion ) 244 return( 0 ); 245 246 remaining -= expansion; 247 if( remaining >= max_len ) 248 remaining = max_len; 249 250 return( (int) remaining ); 251 } 252 253 /* 254 * Double the retransmit timeout value, within the allowed range, 255 * returning -1 if the maximum value has already been reached. 256 */ 257 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl ) 258 { 259 uint32_t new_timeout; 260 261 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max ) 262 return( -1 ); 263 264 /* Implement the final paragraph of RFC 6347 section 4.1.1.1 265 * in the following way: after the initial transmission and a first 266 * retransmission, back off to a temporary estimated MTU of 508 bytes. 267 * This value is guaranteed to be deliverable (if not guaranteed to be 268 * delivered) of any compliant IPv4 (and IPv6) network, and should work 269 * on most non-IP stacks too. */ 270 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min ) 271 { 272 ssl->handshake->mtu = 508; 273 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) ); 274 } 275 276 new_timeout = 2 * ssl->handshake->retransmit_timeout; 277 278 /* Avoid arithmetic overflow and range overflow */ 279 if( new_timeout < ssl->handshake->retransmit_timeout || 280 new_timeout > ssl->conf->hs_timeout_max ) 281 { 282 new_timeout = ssl->conf->hs_timeout_max; 283 } 284 285 ssl->handshake->retransmit_timeout = new_timeout; 286 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs", 287 (unsigned long) ssl->handshake->retransmit_timeout ) ); 288 289 return( 0 ); 290 } 291 292 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl ) 293 { 294 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min; 295 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs", 296 (unsigned long) ssl->handshake->retransmit_timeout ) ); 297 } 298 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 299 300 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 301 int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl, 302 const unsigned char *key_enc, const unsigned char *key_dec, 303 size_t keylen, 304 const unsigned char *iv_enc, const unsigned char *iv_dec, 305 size_t ivlen, 306 const unsigned char *mac_enc, const unsigned char *mac_dec, 307 size_t maclen ) = NULL; 308 int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL; 309 int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL; 310 int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL; 311 int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL; 312 int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL; 313 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 314 315 /* 316 * Encryption/decryption functions 317 */ 318 319 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) || \ 320 defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) 321 322 static size_t ssl_compute_padding_length( size_t len, 323 size_t granularity ) 324 { 325 return( ( granularity - ( len + 1 ) % granularity ) % granularity ); 326 } 327 328 /* This functions transforms a (D)TLS plaintext fragment and a record content 329 * type into an instance of the (D)TLSInnerPlaintext structure. This is used 330 * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect 331 * a record's content type. 332 * 333 * struct { 334 * opaque content[DTLSPlaintext.length]; 335 * ContentType real_type; 336 * uint8 zeros[length_of_padding]; 337 * } (D)TLSInnerPlaintext; 338 * 339 * Input: 340 * - `content`: The beginning of the buffer holding the 341 * plaintext to be wrapped. 342 * - `*content_size`: The length of the plaintext in Bytes. 343 * - `max_len`: The number of Bytes available starting from 344 * `content`. This must be `>= *content_size`. 345 * - `rec_type`: The desired record content type. 346 * 347 * Output: 348 * - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure. 349 * - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure. 350 * 351 * Returns: 352 * - `0` on success. 353 * - A negative error code if `max_len` didn't offer enough space 354 * for the expansion. 355 */ 356 static int ssl_build_inner_plaintext( unsigned char *content, 357 size_t *content_size, 358 size_t remaining, 359 uint8_t rec_type, 360 size_t pad ) 361 { 362 size_t len = *content_size; 363 364 /* Write real content type */ 365 if( remaining == 0 ) 366 return( -1 ); 367 content[ len ] = rec_type; 368 len++; 369 remaining--; 370 371 if( remaining < pad ) 372 return( -1 ); 373 memset( content + len, 0, pad ); 374 len += pad; 375 remaining -= pad; 376 377 *content_size = len; 378 return( 0 ); 379 } 380 381 /* This function parses a (D)TLSInnerPlaintext structure. 382 * See ssl_build_inner_plaintext() for details. */ 383 static int ssl_parse_inner_plaintext( unsigned char const *content, 384 size_t *content_size, 385 uint8_t *rec_type ) 386 { 387 size_t remaining = *content_size; 388 389 /* Determine length of padding by skipping zeroes from the back. */ 390 do 391 { 392 if( remaining == 0 ) 393 return( -1 ); 394 remaining--; 395 } while( content[ remaining ] == 0 ); 396 397 *content_size = remaining; 398 *rec_type = content[ remaining ]; 399 400 return( 0 ); 401 } 402 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID || 403 MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ 404 405 /* `add_data` must have size 13 Bytes if the CID extension is disabled, 406 * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */ 407 static void ssl_extract_add_data_from_record( unsigned char* add_data, 408 size_t *add_data_len, 409 mbedtls_record *rec, 410 unsigned minor_ver ) 411 { 412 /* Quoting RFC 5246 (TLS 1.2): 413 * 414 * additional_data = seq_num + TLSCompressed.type + 415 * TLSCompressed.version + TLSCompressed.length; 416 * 417 * For the CID extension, this is extended as follows 418 * (quoting draft-ietf-tls-dtls-connection-id-05, 419 * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05): 420 * 421 * additional_data = seq_num + DTLSPlaintext.type + 422 * DTLSPlaintext.version + 423 * cid + 424 * cid_length + 425 * length_of_DTLSInnerPlaintext; 426 * 427 * For TLS 1.3, the record sequence number is dropped from the AAD 428 * and encoded within the nonce of the AEAD operation instead. 429 */ 430 431 unsigned char *cur = add_data; 432 433 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) 434 if( minor_ver != MBEDTLS_SSL_MINOR_VERSION_4 ) 435 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ 436 { 437 ((void) minor_ver); 438 memcpy( cur, rec->ctr, sizeof( rec->ctr ) ); 439 cur += sizeof( rec->ctr ); 440 } 441 442 *cur = rec->type; 443 cur++; 444 445 memcpy( cur, rec->ver, sizeof( rec->ver ) ); 446 cur += sizeof( rec->ver ); 447 448 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 449 if( rec->cid_len != 0 ) 450 { 451 memcpy( cur, rec->cid, rec->cid_len ); 452 cur += rec->cid_len; 453 454 *cur = rec->cid_len; 455 cur++; 456 457 cur[0] = ( rec->data_len >> 8 ) & 0xFF; 458 cur[1] = ( rec->data_len >> 0 ) & 0xFF; 459 cur += 2; 460 } 461 else 462 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 463 { 464 cur[0] = ( rec->data_len >> 8 ) & 0xFF; 465 cur[1] = ( rec->data_len >> 0 ) & 0xFF; 466 cur += 2; 467 } 468 469 *add_data_len = cur - add_data; 470 } 471 472 #if defined(MBEDTLS_SSL_PROTO_SSL3) 473 474 #define SSL3_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */ 475 476 /* 477 * SSLv3.0 MAC functions 478 */ 479 static void ssl_mac( mbedtls_md_context_t *md_ctx, 480 const unsigned char *secret, 481 const unsigned char *buf, size_t len, 482 const unsigned char *ctr, int type, 483 unsigned char out[SSL3_MAC_MAX_BYTES] ) 484 { 485 unsigned char header[11]; 486 unsigned char padding[48]; 487 int padlen; 488 int md_size = mbedtls_md_get_size( md_ctx->md_info ); 489 int md_type = mbedtls_md_get_type( md_ctx->md_info ); 490 491 /* Only MD5 and SHA-1 supported */ 492 if( md_type == MBEDTLS_MD_MD5 ) 493 padlen = 48; 494 else 495 padlen = 40; 496 497 memcpy( header, ctr, 8 ); 498 header[ 8] = (unsigned char) type; 499 header[ 9] = (unsigned char)( len >> 8 ); 500 header[10] = (unsigned char)( len ); 501 502 memset( padding, 0x36, padlen ); 503 mbedtls_md_starts( md_ctx ); 504 mbedtls_md_update( md_ctx, secret, md_size ); 505 mbedtls_md_update( md_ctx, padding, padlen ); 506 mbedtls_md_update( md_ctx, header, 11 ); 507 mbedtls_md_update( md_ctx, buf, len ); 508 mbedtls_md_finish( md_ctx, out ); 509 510 memset( padding, 0x5C, padlen ); 511 mbedtls_md_starts( md_ctx ); 512 mbedtls_md_update( md_ctx, secret, md_size ); 513 mbedtls_md_update( md_ctx, padding, padlen ); 514 mbedtls_md_update( md_ctx, out, md_size ); 515 mbedtls_md_finish( md_ctx, out ); 516 } 517 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 518 519 #if defined(MBEDTLS_GCM_C) || \ 520 defined(MBEDTLS_CCM_C) || \ 521 defined(MBEDTLS_CHACHAPOLY_C) 522 static int ssl_transform_aead_dynamic_iv_is_explicit( 523 mbedtls_ssl_transform const *transform ) 524 { 525 return( transform->ivlen != transform->fixed_ivlen ); 526 } 527 528 /* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV ) 529 * 530 * Concretely, this occurs in two variants: 531 * 532 * a) Fixed and dynamic IV lengths add up to total IV length, giving 533 * IV = fixed_iv || dynamic_iv 534 * 535 * This variant is used in TLS 1.2 when used with GCM or CCM. 536 * 537 * b) Fixed IV lengths matches total IV length, giving 538 * IV = fixed_iv XOR ( 0 || dynamic_iv ) 539 * 540 * This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly. 541 * 542 * See also the documentation of mbedtls_ssl_transform. 543 * 544 * This function has the precondition that 545 * 546 * dst_iv_len >= max( fixed_iv_len, dynamic_iv_len ) 547 * 548 * which has to be ensured by the caller. If this precondition 549 * violated, the behavior of this function is undefined. 550 */ 551 static void ssl_build_record_nonce( unsigned char *dst_iv, 552 size_t dst_iv_len, 553 unsigned char const *fixed_iv, 554 size_t fixed_iv_len, 555 unsigned char const *dynamic_iv, 556 size_t dynamic_iv_len ) 557 { 558 size_t i; 559 560 /* Start with Fixed IV || 0 */ 561 memset( dst_iv, 0, dst_iv_len ); 562 memcpy( dst_iv, fixed_iv, fixed_iv_len ); 563 564 dst_iv += dst_iv_len - dynamic_iv_len; 565 for( i = 0; i < dynamic_iv_len; i++ ) 566 dst_iv[i] ^= dynamic_iv[i]; 567 } 568 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ 569 570 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl, 571 mbedtls_ssl_transform *transform, 572 mbedtls_record *rec, 573 int (*f_rng)(void *, unsigned char *, size_t), 574 void *p_rng ) 575 { 576 mbedtls_cipher_mode_t mode; 577 int auth_done = 0; 578 unsigned char * data; 579 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ]; 580 size_t add_data_len; 581 size_t post_avail; 582 583 /* The SSL context is only used for debugging purposes! */ 584 #if !defined(MBEDTLS_DEBUG_C) 585 ssl = NULL; /* make sure we don't use it except for debug */ 586 ((void) ssl); 587 #endif 588 589 /* The PRNG is used for dynamic IV generation that's used 590 * for CBC transformations in TLS 1.1 and TLS 1.2. */ 591 #if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ 592 ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) ) 593 ((void) f_rng); 594 ((void) p_rng); 595 #endif 596 597 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) ); 598 599 if( transform == NULL ) 600 { 601 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) ); 602 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 603 } 604 if( rec == NULL 605 || rec->buf == NULL 606 || rec->buf_len < rec->data_offset 607 || rec->buf_len - rec->data_offset < rec->data_len 608 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 609 || rec->cid_len != 0 610 #endif 611 ) 612 { 613 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) ); 614 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 615 } 616 617 data = rec->buf + rec->data_offset; 618 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset ); 619 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload", 620 data, rec->data_len ); 621 622 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ); 623 624 if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN ) 625 { 626 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %" MBEDTLS_PRINTF_SIZET 627 " too large, maximum %" MBEDTLS_PRINTF_SIZET, 628 rec->data_len, 629 (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) ); 630 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 631 } 632 633 /* The following two code paths implement the (D)TLSInnerPlaintext 634 * structure present in TLS 1.3 and DTLS 1.2 + CID. 635 * 636 * See ssl_build_inner_plaintext() for more information. 637 * 638 * Note that this changes `rec->data_len`, and hence 639 * `post_avail` needs to be recalculated afterwards. 640 * 641 * Note also that the two code paths cannot occur simultaneously 642 * since they apply to different versions of the protocol. There 643 * is hence no risk of double-addition of the inner plaintext. 644 */ 645 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) 646 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) 647 { 648 size_t padding = 649 ssl_compute_padding_length( rec->data_len, 650 MBEDTLS_SSL_TLS1_3_PADDING_GRANULARITY ); 651 if( ssl_build_inner_plaintext( data, 652 &rec->data_len, 653 post_avail, 654 rec->type, 655 padding ) != 0 ) 656 { 657 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 658 } 659 660 rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA; 661 } 662 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ 663 664 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 665 /* 666 * Add CID information 667 */ 668 rec->cid_len = transform->out_cid_len; 669 memcpy( rec->cid, transform->out_cid, transform->out_cid_len ); 670 MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len ); 671 672 if( rec->cid_len != 0 ) 673 { 674 size_t padding = 675 ssl_compute_padding_length( rec->data_len, 676 MBEDTLS_SSL_CID_PADDING_GRANULARITY ); 677 /* 678 * Wrap plaintext into DTLSInnerPlaintext structure. 679 * See ssl_build_inner_plaintext() for more information. 680 * 681 * Note that this changes `rec->data_len`, and hence 682 * `post_avail` needs to be recalculated afterwards. 683 */ 684 if( ssl_build_inner_plaintext( data, 685 &rec->data_len, 686 post_avail, 687 rec->type, 688 padding ) != 0 ) 689 { 690 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 691 } 692 693 rec->type = MBEDTLS_SSL_MSG_CID; 694 } 695 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 696 697 post_avail = rec->buf_len - ( rec->data_len + rec->data_offset ); 698 699 /* 700 * Add MAC before if needed 701 */ 702 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) 703 if( mode == MBEDTLS_MODE_STREAM || 704 ( mode == MBEDTLS_MODE_CBC 705 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 706 && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED 707 #endif 708 ) ) 709 { 710 if( post_avail < transform->maclen ) 711 { 712 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); 713 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 714 } 715 716 #if defined(MBEDTLS_SSL_PROTO_SSL3) 717 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 718 { 719 unsigned char mac[SSL3_MAC_MAX_BYTES]; 720 ssl_mac( &transform->md_ctx_enc, transform->mac_enc, 721 data, rec->data_len, rec->ctr, rec->type, mac ); 722 memcpy( data + rec->data_len, mac, transform->maclen ); 723 } 724 else 725 #endif 726 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 727 defined(MBEDTLS_SSL_PROTO_TLS1_2) 728 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 729 { 730 unsigned char mac[MBEDTLS_SSL_MAC_ADD]; 731 732 ssl_extract_add_data_from_record( add_data, &add_data_len, rec, 733 transform->minor_ver ); 734 735 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data, 736 add_data_len ); 737 mbedtls_md_hmac_update( &transform->md_ctx_enc, 738 data, rec->data_len ); 739 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac ); 740 mbedtls_md_hmac_reset( &transform->md_ctx_enc ); 741 742 memcpy( data + rec->data_len, mac, transform->maclen ); 743 } 744 else 745 #endif 746 { 747 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 748 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 749 } 750 751 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len, 752 transform->maclen ); 753 754 rec->data_len += transform->maclen; 755 post_avail -= transform->maclen; 756 auth_done++; 757 } 758 #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ 759 760 /* 761 * Encrypt 762 */ 763 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 764 if( mode == MBEDTLS_MODE_STREAM ) 765 { 766 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 767 size_t olen; 768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " 769 "including %d bytes of padding", 770 rec->data_len, 0 ) ); 771 772 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, 773 transform->iv_enc, transform->ivlen, 774 data, rec->data_len, 775 data, &olen ) ) != 0 ) 776 { 777 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 778 return( ret ); 779 } 780 781 if( rec->data_len != olen ) 782 { 783 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 784 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 785 } 786 } 787 else 788 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 789 790 #if defined(MBEDTLS_GCM_C) || \ 791 defined(MBEDTLS_CCM_C) || \ 792 defined(MBEDTLS_CHACHAPOLY_C) 793 if( mode == MBEDTLS_MODE_GCM || 794 mode == MBEDTLS_MODE_CCM || 795 mode == MBEDTLS_MODE_CHACHAPOLY ) 796 { 797 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 798 unsigned char iv[12]; 799 unsigned char *dynamic_iv; 800 size_t dynamic_iv_len; 801 int dynamic_iv_is_explicit = 802 ssl_transform_aead_dynamic_iv_is_explicit( transform ); 803 804 /* Check that there's space for the authentication tag. */ 805 if( post_avail < transform->taglen ) 806 { 807 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); 808 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 809 } 810 811 /* 812 * Build nonce for AEAD encryption. 813 * 814 * Note: In the case of CCM and GCM in TLS 1.2, the dynamic 815 * part of the IV is prepended to the ciphertext and 816 * can be chosen freely - in particular, it need not 817 * agree with the record sequence number. 818 * However, since ChaChaPoly as well as all AEAD modes 819 * in TLS 1.3 use the record sequence number as the 820 * dynamic part of the nonce, we uniformly use the 821 * record sequence number here in all cases. 822 */ 823 dynamic_iv = rec->ctr; 824 dynamic_iv_len = sizeof( rec->ctr ); 825 826 ssl_build_record_nonce( iv, sizeof( iv ), 827 transform->iv_enc, 828 transform->fixed_ivlen, 829 dynamic_iv, 830 dynamic_iv_len ); 831 832 /* 833 * Build additional data for AEAD encryption. 834 * This depends on the TLS version. 835 */ 836 ssl_extract_add_data_from_record( add_data, &add_data_len, rec, 837 transform->minor_ver ); 838 839 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)", 840 iv, transform->ivlen ); 841 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)", 842 dynamic_iv, 843 dynamic_iv_is_explicit ? dynamic_iv_len : 0 ); 844 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 845 add_data, add_data_len ); 846 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " 847 "including 0 bytes of padding", 848 rec->data_len ) ); 849 850 /* 851 * Encrypt and authenticate 852 */ 853 854 if( ( ret = mbedtls_cipher_auth_encrypt_ext( &transform->cipher_ctx_enc, 855 iv, transform->ivlen, 856 add_data, add_data_len, 857 data, rec->data_len, /* src */ 858 data, rec->buf_len - (data - rec->buf), /* dst */ 859 &rec->data_len, 860 transform->taglen ) ) != 0 ) 861 { 862 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret ); 863 return( ret ); 864 } 865 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", 866 data + rec->data_len - transform->taglen, 867 transform->taglen ); 868 /* Account for authentication tag. */ 869 post_avail -= transform->taglen; 870 871 /* 872 * Prefix record content with dynamic IV in case it is explicit. 873 */ 874 if( dynamic_iv_is_explicit != 0 ) 875 { 876 if( rec->data_offset < dynamic_iv_len ) 877 { 878 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); 879 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 880 } 881 882 memcpy( data - dynamic_iv_len, dynamic_iv, dynamic_iv_len ); 883 rec->data_offset -= dynamic_iv_len; 884 rec->data_len += dynamic_iv_len; 885 } 886 887 auth_done++; 888 } 889 else 890 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ 891 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) 892 if( mode == MBEDTLS_MODE_CBC ) 893 { 894 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 895 size_t padlen, i; 896 size_t olen; 897 898 /* Currently we're always using minimal padding 899 * (up to 255 bytes would be allowed). */ 900 padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen; 901 if( padlen == transform->ivlen ) 902 padlen = 0; 903 904 /* Check there's enough space in the buffer for the padding. */ 905 if( post_avail < padlen + 1 ) 906 { 907 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); 908 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 909 } 910 911 for( i = 0; i <= padlen; i++ ) 912 data[rec->data_len + i] = (unsigned char) padlen; 913 914 rec->data_len += padlen + 1; 915 post_avail -= padlen + 1; 916 917 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 918 /* 919 * Prepend per-record IV for block cipher in TLS v1.1 and up as per 920 * Method 1 (6.2.3.2. in RFC4346 and RFC5246) 921 */ 922 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 923 { 924 if( f_rng == NULL ) 925 { 926 MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) ); 927 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 928 } 929 930 if( rec->data_offset < transform->ivlen ) 931 { 932 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); 933 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 934 } 935 936 /* 937 * Generate IV 938 */ 939 ret = f_rng( p_rng, transform->iv_enc, transform->ivlen ); 940 if( ret != 0 ) 941 return( ret ); 942 943 memcpy( data - transform->ivlen, transform->iv_enc, 944 transform->ivlen ); 945 946 } 947 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 948 949 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", " 950 "including %" MBEDTLS_PRINTF_SIZET 951 " bytes of IV and %" MBEDTLS_PRINTF_SIZET " bytes of padding", 952 rec->data_len, transform->ivlen, 953 padlen + 1 ) ); 954 955 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc, 956 transform->iv_enc, 957 transform->ivlen, 958 data, rec->data_len, 959 data, &olen ) ) != 0 ) 960 { 961 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 962 return( ret ); 963 } 964 965 if( rec->data_len != olen ) 966 { 967 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 968 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 969 } 970 971 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 972 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 973 { 974 /* 975 * Save IV in SSL3 and TLS1 976 */ 977 memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv, 978 transform->ivlen ); 979 } 980 else 981 #endif 982 { 983 data -= transform->ivlen; 984 rec->data_offset -= transform->ivlen; 985 rec->data_len += transform->ivlen; 986 } 987 988 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 989 if( auth_done == 0 ) 990 { 991 unsigned char mac[MBEDTLS_SSL_MAC_ADD]; 992 993 /* 994 * MAC(MAC_write_key, seq_num + 995 * TLSCipherText.type + 996 * TLSCipherText.version + 997 * length_of( (IV +) ENC(...) ) + 998 * IV + // except for TLS 1.0 999 * ENC(content + padding + padding_length)); 1000 */ 1001 1002 if( post_avail < transform->maclen) 1003 { 1004 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) ); 1005 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 1006 } 1007 1008 ssl_extract_add_data_from_record( add_data, &add_data_len, 1009 rec, transform->minor_ver ); 1010 1011 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 1012 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data, 1013 add_data_len ); 1014 1015 mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data, 1016 add_data_len ); 1017 mbedtls_md_hmac_update( &transform->md_ctx_enc, 1018 data, rec->data_len ); 1019 mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac ); 1020 mbedtls_md_hmac_reset( &transform->md_ctx_enc ); 1021 1022 memcpy( data + rec->data_len, mac, transform->maclen ); 1023 1024 rec->data_len += transform->maclen; 1025 post_avail -= transform->maclen; 1026 auth_done++; 1027 } 1028 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 1029 } 1030 else 1031 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */ 1032 { 1033 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 1034 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 1035 } 1036 1037 /* Make extra sure authentication was performed, exactly once */ 1038 if( auth_done != 1 ) 1039 { 1040 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 1041 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 1042 } 1043 1044 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); 1045 1046 return( 0 ); 1047 } 1048 1049 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) 1050 /* 1051 * Turn a bit into a mask: 1052 * - if bit == 1, return the all-bits 1 mask, aka (size_t) -1 1053 * - if bit == 0, return the all-bits 0 mask, aka 0 1054 * 1055 * This function can be used to write constant-time code by replacing branches 1056 * with bit operations using masks. 1057 * 1058 * This function is implemented without using comparison operators, as those 1059 * might be translated to branches by some compilers on some platforms. 1060 */ 1061 static size_t mbedtls_ssl_cf_mask_from_bit( size_t bit ) 1062 { 1063 /* MSVC has a warning about unary minus on unsigned integer types, 1064 * but this is well-defined and precisely what we want to do here. */ 1065 #if defined(_MSC_VER) 1066 #pragma warning( push ) 1067 #pragma warning( disable : 4146 ) 1068 #endif 1069 return -bit; 1070 #if defined(_MSC_VER) 1071 #pragma warning( pop ) 1072 #endif 1073 } 1074 1075 /* 1076 * Constant-flow mask generation for "less than" comparison: 1077 * - if x < y, return all bits 1, that is (size_t) -1 1078 * - otherwise, return all bits 0, that is 0 1079 * 1080 * This function can be used to write constant-time code by replacing branches 1081 * with bit operations using masks. 1082 * 1083 * This function is implemented without using comparison operators, as those 1084 * might be translated to branches by some compilers on some platforms. 1085 */ 1086 static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y ) 1087 { 1088 /* This has the most significant bit set if and only if x < y */ 1089 const size_t sub = x - y; 1090 1091 /* sub1 = (x < y) ? 1 : 0 */ 1092 const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 ); 1093 1094 /* mask = (x < y) ? 0xff... : 0x00... */ 1095 const size_t mask = mbedtls_ssl_cf_mask_from_bit( sub1 ); 1096 1097 return( mask ); 1098 } 1099 1100 /* 1101 * Constant-flow mask generation for "greater or equal" comparison: 1102 * - if x >= y, return all bits 1, that is (size_t) -1 1103 * - otherwise, return all bits 0, that is 0 1104 * 1105 * This function can be used to write constant-time code by replacing branches 1106 * with bit operations using masks. 1107 * 1108 * This function is implemented without using comparison operators, as those 1109 * might be translated to branches by some compilers on some platforms. 1110 */ 1111 static size_t mbedtls_ssl_cf_mask_ge( size_t x, size_t y ) 1112 { 1113 return( ~mbedtls_ssl_cf_mask_lt( x, y ) ); 1114 } 1115 1116 /* 1117 * Constant-flow boolean "equal" comparison: 1118 * return x == y 1119 * 1120 * This function can be used to write constant-time code by replacing branches 1121 * with bit operations - it can be used in conjunction with 1122 * mbedtls_ssl_cf_mask_from_bit(). 1123 * 1124 * This function is implemented without using comparison operators, as those 1125 * might be translated to branches by some compilers on some platforms. 1126 */ 1127 static size_t mbedtls_ssl_cf_bool_eq( size_t x, size_t y ) 1128 { 1129 /* diff = 0 if x == y, non-zero otherwise */ 1130 const size_t diff = x ^ y; 1131 1132 /* MSVC has a warning about unary minus on unsigned integer types, 1133 * but this is well-defined and precisely what we want to do here. */ 1134 #if defined(_MSC_VER) 1135 #pragma warning( push ) 1136 #pragma warning( disable : 4146 ) 1137 #endif 1138 1139 /* diff_msb's most significant bit is equal to x != y */ 1140 const size_t diff_msb = ( diff | -diff ); 1141 1142 #if defined(_MSC_VER) 1143 #pragma warning( pop ) 1144 #endif 1145 1146 /* diff1 = (x != y) ? 1 : 0 */ 1147 const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 ); 1148 1149 return( 1 ^ diff1 ); 1150 } 1151 1152 /* 1153 * Constant-flow conditional memcpy: 1154 * - if c1 == c2, equivalent to memcpy(dst, src, len), 1155 * - otherwise, a no-op, 1156 * but with execution flow independent of the values of c1 and c2. 1157 * 1158 * This function is implemented without using comparison operators, as those 1159 * might be translated to branches by some compilers on some platforms. 1160 */ 1161 static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst, 1162 const unsigned char *src, 1163 size_t len, 1164 size_t c1, size_t c2 ) 1165 { 1166 /* mask = c1 == c2 ? 0xff : 0x00 */ 1167 const size_t equal = mbedtls_ssl_cf_bool_eq( c1, c2 ); 1168 const unsigned char mask = (unsigned char) mbedtls_ssl_cf_mask_from_bit( equal ); 1169 1170 /* dst[i] = c1 == c2 ? src[i] : dst[i] */ 1171 for( size_t i = 0; i < len; i++ ) 1172 dst[i] = ( src[i] & mask ) | ( dst[i] & ~mask ); 1173 } 1174 1175 /* 1176 * Compute HMAC of variable-length data with constant flow. 1177 * 1178 * Only works with MD-5, SHA-1, SHA-256 and SHA-384. 1179 * (Otherwise, computation of block_size needs to be adapted.) 1180 */ 1181 MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac( 1182 mbedtls_md_context_t *ctx, 1183 const unsigned char *add_data, size_t add_data_len, 1184 const unsigned char *data, size_t data_len_secret, 1185 size_t min_data_len, size_t max_data_len, 1186 unsigned char *output ) 1187 { 1188 /* 1189 * This function breaks the HMAC abstraction and uses the md_clone() 1190 * extension to the MD API in order to get constant-flow behaviour. 1191 * 1192 * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means 1193 * concatenation, and okey/ikey are the XOR of the key with some fixed bit 1194 * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx. 1195 * 1196 * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to 1197 * minlen, then cloning the context, and for each byte up to maxlen 1198 * finishing up the hash computation, keeping only the correct result. 1199 * 1200 * Then we only need to compute HASH(okey + inner_hash) and we're done. 1201 */ 1202 const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info ); 1203 /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5, 1204 * all of which have the same block size except SHA-384. */ 1205 const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64; 1206 const unsigned char * const ikey = ctx->hmac_ctx; 1207 const unsigned char * const okey = ikey + block_size; 1208 const size_t hash_size = mbedtls_md_get_size( ctx->md_info ); 1209 1210 unsigned char aux_out[MBEDTLS_MD_MAX_SIZE]; 1211 mbedtls_md_context_t aux; 1212 size_t offset; 1213 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1214 1215 mbedtls_md_init( &aux ); 1216 1217 #define MD_CHK( func_call ) \ 1218 do { \ 1219 ret = (func_call); \ 1220 if( ret != 0 ) \ 1221 goto cleanup; \ 1222 } while( 0 ) 1223 1224 MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) ); 1225 1226 /* After hmac_start() of hmac_reset(), ikey has already been hashed, 1227 * so we can start directly with the message */ 1228 MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) ); 1229 MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) ); 1230 1231 /* For each possible length, compute the hash up to that point */ 1232 for( offset = min_data_len; offset <= max_data_len; offset++ ) 1233 { 1234 MD_CHK( mbedtls_md_clone( &aux, ctx ) ); 1235 MD_CHK( mbedtls_md_finish( &aux, aux_out ) ); 1236 /* Keep only the correct inner_hash in the output buffer */ 1237 mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size, 1238 offset, data_len_secret ); 1239 1240 if( offset < max_data_len ) 1241 MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) ); 1242 } 1243 1244 /* The context needs to finish() before it starts() again */ 1245 MD_CHK( mbedtls_md_finish( ctx, aux_out ) ); 1246 1247 /* Now compute HASH(okey + inner_hash) */ 1248 MD_CHK( mbedtls_md_starts( ctx ) ); 1249 MD_CHK( mbedtls_md_update( ctx, okey, block_size ) ); 1250 MD_CHK( mbedtls_md_update( ctx, output, hash_size ) ); 1251 MD_CHK( mbedtls_md_finish( ctx, output ) ); 1252 1253 /* Done, get ready for next time */ 1254 MD_CHK( mbedtls_md_hmac_reset( ctx ) ); 1255 1256 #undef MD_CHK 1257 1258 cleanup: 1259 mbedtls_md_free( &aux ); 1260 return( ret ); 1261 } 1262 1263 /* 1264 * Constant-flow memcpy from variable position in buffer. 1265 * - functionally equivalent to memcpy(dst, src + offset_secret, len) 1266 * - but with execution flow independent from the value of offset_secret. 1267 */ 1268 MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset( 1269 unsigned char *dst, 1270 const unsigned char *src_base, 1271 size_t offset_secret, 1272 size_t offset_min, size_t offset_max, 1273 size_t len ) 1274 { 1275 size_t offset; 1276 1277 for( offset = offset_min; offset <= offset_max; offset++ ) 1278 { 1279 mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len, 1280 offset, offset_secret ); 1281 } 1282 } 1283 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ 1284 1285 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, 1286 mbedtls_ssl_transform *transform, 1287 mbedtls_record *rec ) 1288 { 1289 size_t olen; 1290 mbedtls_cipher_mode_t mode; 1291 int ret, auth_done = 0; 1292 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) 1293 size_t padlen = 0, correct = 1; 1294 #endif 1295 unsigned char* data; 1296 unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ]; 1297 size_t add_data_len; 1298 1299 #if !defined(MBEDTLS_DEBUG_C) 1300 ssl = NULL; /* make sure we don't use it except for debug */ 1301 ((void) ssl); 1302 #endif 1303 1304 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) ); 1305 if( rec == NULL || 1306 rec->buf == NULL || 1307 rec->buf_len < rec->data_offset || 1308 rec->buf_len - rec->data_offset < rec->data_len ) 1309 { 1310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) ); 1311 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 1312 } 1313 1314 data = rec->buf + rec->data_offset; 1315 mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec ); 1316 1317 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1318 /* 1319 * Match record's CID with incoming CID. 1320 */ 1321 if( rec->cid_len != transform->in_cid_len || 1322 memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 ) 1323 { 1324 return( MBEDTLS_ERR_SSL_UNEXPECTED_CID ); 1325 } 1326 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1327 1328 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) 1329 if( mode == MBEDTLS_MODE_STREAM ) 1330 { 1331 padlen = 0; 1332 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec, 1333 transform->iv_dec, 1334 transform->ivlen, 1335 data, rec->data_len, 1336 data, &olen ) ) != 0 ) 1337 { 1338 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 1339 return( ret ); 1340 } 1341 1342 if( rec->data_len != olen ) 1343 { 1344 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 1345 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 1346 } 1347 } 1348 else 1349 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */ 1350 #if defined(MBEDTLS_GCM_C) || \ 1351 defined(MBEDTLS_CCM_C) || \ 1352 defined(MBEDTLS_CHACHAPOLY_C) 1353 if( mode == MBEDTLS_MODE_GCM || 1354 mode == MBEDTLS_MODE_CCM || 1355 mode == MBEDTLS_MODE_CHACHAPOLY ) 1356 { 1357 unsigned char iv[12]; 1358 unsigned char *dynamic_iv; 1359 size_t dynamic_iv_len; 1360 1361 /* 1362 * Extract dynamic part of nonce for AEAD decryption. 1363 * 1364 * Note: In the case of CCM and GCM in TLS 1.2, the dynamic 1365 * part of the IV is prepended to the ciphertext and 1366 * can be chosen freely - in particular, it need not 1367 * agree with the record sequence number. 1368 */ 1369 dynamic_iv_len = sizeof( rec->ctr ); 1370 if( ssl_transform_aead_dynamic_iv_is_explicit( transform ) == 1 ) 1371 { 1372 if( rec->data_len < dynamic_iv_len ) 1373 { 1374 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET 1375 " ) < explicit_iv_len (%" MBEDTLS_PRINTF_SIZET ") ", 1376 rec->data_len, 1377 dynamic_iv_len ) ); 1378 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 1379 } 1380 dynamic_iv = data; 1381 1382 data += dynamic_iv_len; 1383 rec->data_offset += dynamic_iv_len; 1384 rec->data_len -= dynamic_iv_len; 1385 } 1386 else 1387 { 1388 dynamic_iv = rec->ctr; 1389 } 1390 1391 /* Check that there's space for the authentication tag. */ 1392 if( rec->data_len < transform->taglen ) 1393 { 1394 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET 1395 ") < taglen (%" MBEDTLS_PRINTF_SIZET ") ", 1396 rec->data_len, 1397 transform->taglen ) ); 1398 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 1399 } 1400 rec->data_len -= transform->taglen; 1401 1402 /* 1403 * Prepare nonce from dynamic and static parts. 1404 */ 1405 ssl_build_record_nonce( iv, sizeof( iv ), 1406 transform->iv_dec, 1407 transform->fixed_ivlen, 1408 dynamic_iv, 1409 dynamic_iv_len ); 1410 1411 /* 1412 * Build additional data for AEAD encryption. 1413 * This depends on the TLS version. 1414 */ 1415 ssl_extract_add_data_from_record( add_data, &add_data_len, rec, 1416 transform->minor_ver ); 1417 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD", 1418 add_data, add_data_len ); 1419 1420 /* Because of the check above, we know that there are 1421 * explicit_iv_len Bytes preceeding data, and taglen 1422 * bytes following data + data_len. This justifies 1423 * the debug message and the invocation of 1424 * mbedtls_cipher_auth_decrypt() below. */ 1425 1426 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen ); 1427 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len, 1428 transform->taglen ); 1429 1430 /* 1431 * Decrypt and authenticate 1432 */ 1433 if( ( ret = mbedtls_cipher_auth_decrypt_ext( &transform->cipher_ctx_dec, 1434 iv, transform->ivlen, 1435 add_data, add_data_len, 1436 data, rec->data_len + transform->taglen, /* src */ 1437 data, rec->buf_len - (data - rec->buf), &olen, /* dst */ 1438 transform->taglen ) ) != 0 ) 1439 { 1440 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret ); 1441 1442 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED ) 1443 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 1444 1445 return( ret ); 1446 } 1447 auth_done++; 1448 1449 /* Double-check that AEAD decryption doesn't change content length. */ 1450 if( olen != rec->data_len ) 1451 { 1452 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 1453 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 1454 } 1455 } 1456 else 1457 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */ 1458 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) 1459 if( mode == MBEDTLS_MODE_CBC ) 1460 { 1461 size_t minlen = 0; 1462 1463 /* 1464 * Check immediate ciphertext sanity 1465 */ 1466 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 1467 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 1468 { 1469 /* The ciphertext is prefixed with the CBC IV. */ 1470 minlen += transform->ivlen; 1471 } 1472 #endif 1473 1474 /* Size considerations: 1475 * 1476 * - The CBC cipher text must not be empty and hence 1477 * at least of size transform->ivlen. 1478 * 1479 * Together with the potential IV-prefix, this explains 1480 * the first of the two checks below. 1481 * 1482 * - The record must contain a MAC, either in plain or 1483 * encrypted, depending on whether Encrypt-then-MAC 1484 * is used or not. 1485 * - If it is, the message contains the IV-prefix, 1486 * the CBC ciphertext, and the MAC. 1487 * - If it is not, the padded plaintext, and hence 1488 * the CBC ciphertext, has at least length maclen + 1 1489 * because there is at least the padding length byte. 1490 * 1491 * As the CBC ciphertext is not empty, both cases give the 1492 * lower bound minlen + maclen + 1 on the record size, which 1493 * we test for in the second check below. 1494 */ 1495 if( rec->data_len < minlen + transform->ivlen || 1496 rec->data_len < minlen + transform->maclen + 1 ) 1497 { 1498 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET 1499 ") < max( ivlen(%" MBEDTLS_PRINTF_SIZET 1500 "), maclen (%" MBEDTLS_PRINTF_SIZET ") " 1501 "+ 1 ) ( + expl IV )", rec->data_len, 1502 transform->ivlen, 1503 transform->maclen ) ); 1504 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 1505 } 1506 1507 /* 1508 * Authenticate before decrypt if enabled 1509 */ 1510 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1511 if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED ) 1512 { 1513 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; 1514 1515 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) ); 1516 1517 /* Update data_len in tandem with add_data. 1518 * 1519 * The subtraction is safe because of the previous check 1520 * data_len >= minlen + maclen + 1. 1521 * 1522 * Afterwards, we know that data + data_len is followed by at 1523 * least maclen Bytes, which justifies the call to 1524 * mbedtls_ssl_safer_memcmp() below. 1525 * 1526 * Further, we still know that data_len > minlen */ 1527 rec->data_len -= transform->maclen; 1528 ssl_extract_add_data_from_record( add_data, &add_data_len, rec, 1529 transform->minor_ver ); 1530 1531 /* Calculate expected MAC. */ 1532 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data, 1533 add_data_len ); 1534 mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data, 1535 add_data_len ); 1536 mbedtls_md_hmac_update( &transform->md_ctx_dec, 1537 data, rec->data_len ); 1538 mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect ); 1539 mbedtls_md_hmac_reset( &transform->md_ctx_dec ); 1540 1541 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, 1542 transform->maclen ); 1543 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, 1544 transform->maclen ); 1545 1546 /* Compare expected MAC with MAC at the end of the record. */ 1547 if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect, 1548 transform->maclen ) != 0 ) 1549 { 1550 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 1551 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 1552 } 1553 auth_done++; 1554 } 1555 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 1556 1557 /* 1558 * Check length sanity 1559 */ 1560 1561 /* We know from above that data_len > minlen >= 0, 1562 * so the following check in particular implies that 1563 * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */ 1564 if( rec->data_len % transform->ivlen != 0 ) 1565 { 1566 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET 1567 ") %% ivlen (%" MBEDTLS_PRINTF_SIZET ") != 0", 1568 rec->data_len, transform->ivlen ) ); 1569 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 1570 } 1571 1572 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 1573 /* 1574 * Initialize for prepended IV for block cipher in TLS v1.1 and up 1575 */ 1576 if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 1577 { 1578 /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */ 1579 memcpy( transform->iv_dec, data, transform->ivlen ); 1580 1581 data += transform->ivlen; 1582 rec->data_offset += transform->ivlen; 1583 rec->data_len -= transform->ivlen; 1584 } 1585 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 1586 1587 /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */ 1588 1589 if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec, 1590 transform->iv_dec, transform->ivlen, 1591 data, rec->data_len, data, &olen ) ) != 0 ) 1592 { 1593 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret ); 1594 return( ret ); 1595 } 1596 1597 /* Double-check that length hasn't changed during decryption. */ 1598 if( rec->data_len != olen ) 1599 { 1600 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 1601 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 1602 } 1603 1604 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) 1605 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 1606 { 1607 /* 1608 * Save IV in SSL3 and TLS1, where CBC decryption of consecutive 1609 * records is equivalent to CBC decryption of the concatenation 1610 * of the records; in other words, IVs are maintained across 1611 * record decryptions. 1612 */ 1613 memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv, 1614 transform->ivlen ); 1615 } 1616 #endif 1617 1618 /* Safe since data_len >= minlen + maclen + 1, so after having 1619 * subtracted at most minlen and maclen up to this point, 1620 * data_len > 0 (because of data_len % ivlen == 0, it's actually 1621 * >= ivlen ). */ 1622 padlen = data[rec->data_len - 1]; 1623 1624 if( auth_done == 1 ) 1625 { 1626 const size_t mask = mbedtls_ssl_cf_mask_ge( 1627 rec->data_len, 1628 padlen + 1 ); 1629 correct &= mask; 1630 padlen &= mask; 1631 } 1632 else 1633 { 1634 #if defined(MBEDTLS_SSL_DEBUG_ALL) 1635 if( rec->data_len < transform->maclen + padlen + 1 ) 1636 { 1637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET 1638 ") < maclen (%" MBEDTLS_PRINTF_SIZET 1639 ") + padlen (%" MBEDTLS_PRINTF_SIZET ")", 1640 rec->data_len, 1641 transform->maclen, 1642 padlen + 1 ) ); 1643 } 1644 #endif 1645 1646 const size_t mask = mbedtls_ssl_cf_mask_ge( 1647 rec->data_len, 1648 transform->maclen + padlen + 1 ); 1649 correct &= mask; 1650 padlen &= mask; 1651 } 1652 1653 padlen++; 1654 1655 /* Regardless of the validity of the padding, 1656 * we have data_len >= padlen here. */ 1657 1658 #if defined(MBEDTLS_SSL_PROTO_SSL3) 1659 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 1660 { 1661 /* This is the SSL 3.0 path, we don't have to worry about Lucky 1662 * 13, because there's a strictly worse padding attack built in 1663 * the protocol (known as part of POODLE), so we don't care if the 1664 * code is not constant-time, in particular branches are OK. */ 1665 if( padlen > transform->ivlen ) 1666 { 1667 #if defined(MBEDTLS_SSL_DEBUG_ALL) 1668 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %" MBEDTLS_PRINTF_SIZET ", " 1669 "should be no more than %" MBEDTLS_PRINTF_SIZET, 1670 padlen, transform->ivlen ) ); 1671 #endif 1672 correct = 0; 1673 } 1674 } 1675 else 1676 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 1677 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 1678 defined(MBEDTLS_SSL_PROTO_TLS1_2) 1679 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 1680 { 1681 /* The padding check involves a series of up to 256 1682 * consecutive memory reads at the end of the record 1683 * plaintext buffer. In order to hide the length and 1684 * validity of the padding, always perform exactly 1685 * `min(256,plaintext_len)` reads (but take into account 1686 * only the last `padlen` bytes for the padding check). */ 1687 size_t pad_count = 0; 1688 volatile unsigned char* const check = data; 1689 1690 /* Index of first padding byte; it has been ensured above 1691 * that the subtraction is safe. */ 1692 size_t const padding_idx = rec->data_len - padlen; 1693 size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256; 1694 size_t const start_idx = rec->data_len - num_checks; 1695 size_t idx; 1696 1697 for( idx = start_idx; idx < rec->data_len; idx++ ) 1698 { 1699 /* pad_count += (idx >= padding_idx) && 1700 * (check[idx] == padlen - 1); 1701 */ 1702 const size_t mask = mbedtls_ssl_cf_mask_ge( idx, padding_idx ); 1703 const size_t equal = mbedtls_ssl_cf_bool_eq( check[idx], 1704 padlen - 1 ); 1705 pad_count += mask & equal; 1706 } 1707 correct &= mbedtls_ssl_cf_bool_eq( pad_count, padlen ); 1708 1709 #if defined(MBEDTLS_SSL_DEBUG_ALL) 1710 if( padlen > 0 && correct == 0 ) 1711 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) ); 1712 #endif 1713 padlen &= mbedtls_ssl_cf_mask_from_bit( correct ); 1714 } 1715 else 1716 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 1717 MBEDTLS_SSL_PROTO_TLS1_2 */ 1718 { 1719 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 1720 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 1721 } 1722 1723 /* If the padding was found to be invalid, padlen == 0 1724 * and the subtraction is safe. If the padding was found valid, 1725 * padlen hasn't been changed and the previous assertion 1726 * data_len >= padlen still holds. */ 1727 rec->data_len -= padlen; 1728 } 1729 else 1730 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */ 1731 { 1732 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 1733 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 1734 } 1735 1736 #if defined(MBEDTLS_SSL_DEBUG_ALL) 1737 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption", 1738 data, rec->data_len ); 1739 #endif 1740 1741 /* 1742 * Authenticate if not done yet. 1743 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME). 1744 */ 1745 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) 1746 if( auth_done == 0 ) 1747 { 1748 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD]; 1749 unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD]; 1750 1751 /* If the initial value of padlen was such that 1752 * data_len < maclen + padlen + 1, then padlen 1753 * got reset to 1, and the initial check 1754 * data_len >= minlen + maclen + 1 1755 * guarantees that at this point we still 1756 * have at least data_len >= maclen. 1757 * 1758 * If the initial value of padlen was such that 1759 * data_len >= maclen + padlen + 1, then we have 1760 * subtracted either padlen + 1 (if the padding was correct) 1761 * or 0 (if the padding was incorrect) since then, 1762 * hence data_len >= maclen in any case. 1763 */ 1764 rec->data_len -= transform->maclen; 1765 ssl_extract_add_data_from_record( add_data, &add_data_len, rec, 1766 transform->minor_ver ); 1767 1768 #if defined(MBEDTLS_SSL_PROTO_SSL3) 1769 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 1770 { 1771 ssl_mac( &transform->md_ctx_dec, 1772 transform->mac_dec, 1773 data, rec->data_len, 1774 rec->ctr, rec->type, 1775 mac_expect ); 1776 memcpy( mac_peer, data + rec->data_len, transform->maclen ); 1777 } 1778 else 1779 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 1780 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 1781 defined(MBEDTLS_SSL_PROTO_TLS1_2) 1782 if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 ) 1783 { 1784 /* 1785 * The next two sizes are the minimum and maximum values of 1786 * data_len over all padlen values. 1787 * 1788 * They're independent of padlen, since we previously did 1789 * data_len -= padlen. 1790 * 1791 * Note that max_len + maclen is never more than the buffer 1792 * length, as we previously did in_msglen -= maclen too. 1793 */ 1794 const size_t max_len = rec->data_len + padlen; 1795 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0; 1796 1797 ret = mbedtls_ssl_cf_hmac( &transform->md_ctx_dec, 1798 add_data, add_data_len, 1799 data, rec->data_len, min_len, max_len, 1800 mac_expect ); 1801 if( ret != 0 ) 1802 { 1803 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret ); 1804 return( ret ); 1805 } 1806 1807 mbedtls_ssl_cf_memcpy_offset( mac_peer, data, 1808 rec->data_len, 1809 min_len, max_len, 1810 transform->maclen ); 1811 } 1812 else 1813 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \ 1814 MBEDTLS_SSL_PROTO_TLS1_2 */ 1815 { 1816 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 1817 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 1818 } 1819 1820 #if defined(MBEDTLS_SSL_DEBUG_ALL) 1821 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen ); 1822 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, transform->maclen ); 1823 #endif 1824 1825 if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect, 1826 transform->maclen ) != 0 ) 1827 { 1828 #if defined(MBEDTLS_SSL_DEBUG_ALL) 1829 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) ); 1830 #endif 1831 correct = 0; 1832 } 1833 auth_done++; 1834 } 1835 1836 /* 1837 * Finally check the correct flag 1838 */ 1839 if( correct == 0 ) 1840 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 1841 #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */ 1842 1843 /* Make extra sure authentication was performed, exactly once */ 1844 if( auth_done != 1 ) 1845 { 1846 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 1847 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 1848 } 1849 1850 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) 1851 if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) 1852 { 1853 /* Remove inner padding and infer true content type. */ 1854 ret = ssl_parse_inner_plaintext( data, &rec->data_len, 1855 &rec->type ); 1856 1857 if( ret != 0 ) 1858 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 1859 } 1860 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ 1861 1862 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1863 if( rec->cid_len != 0 ) 1864 { 1865 ret = ssl_parse_inner_plaintext( data, &rec->data_len, 1866 &rec->type ); 1867 if( ret != 0 ) 1868 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 1869 } 1870 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1871 1872 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); 1873 1874 return( 0 ); 1875 } 1876 1877 #undef MAC_NONE 1878 #undef MAC_PLAINTEXT 1879 #undef MAC_CIPHERTEXT 1880 1881 #if defined(MBEDTLS_ZLIB_SUPPORT) 1882 /* 1883 * Compression/decompression functions 1884 */ 1885 static int ssl_compress_buf( mbedtls_ssl_context *ssl ) 1886 { 1887 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1888 unsigned char *msg_post = ssl->out_msg; 1889 ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf; 1890 size_t len_pre = ssl->out_msglen; 1891 unsigned char *msg_pre = ssl->compress_buf; 1892 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1893 size_t out_buf_len = ssl->out_buf_len; 1894 #else 1895 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 1896 #endif 1897 1898 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) ); 1899 1900 if( len_pre == 0 ) 1901 return( 0 ); 1902 1903 memcpy( msg_pre, ssl->out_msg, len_pre ); 1904 1905 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %" MBEDTLS_PRINTF_SIZET ", ", 1906 ssl->out_msglen ) ); 1907 1908 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload", 1909 ssl->out_msg, ssl->out_msglen ); 1910 1911 ssl->transform_out->ctx_deflate.next_in = msg_pre; 1912 ssl->transform_out->ctx_deflate.avail_in = len_pre; 1913 ssl->transform_out->ctx_deflate.next_out = msg_post; 1914 ssl->transform_out->ctx_deflate.avail_out = out_buf_len - bytes_written; 1915 1916 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH ); 1917 if( ret != Z_OK ) 1918 { 1919 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) ); 1920 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 1921 } 1922 1923 ssl->out_msglen = out_buf_len - 1924 ssl->transform_out->ctx_deflate.avail_out - bytes_written; 1925 1926 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %" MBEDTLS_PRINTF_SIZET ", ", 1927 ssl->out_msglen ) ); 1928 1929 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload", 1930 ssl->out_msg, ssl->out_msglen ); 1931 1932 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) ); 1933 1934 return( 0 ); 1935 } 1936 1937 static int ssl_decompress_buf( mbedtls_ssl_context *ssl ) 1938 { 1939 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1940 unsigned char *msg_post = ssl->in_msg; 1941 ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf; 1942 size_t len_pre = ssl->in_msglen; 1943 unsigned char *msg_pre = ssl->compress_buf; 1944 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1945 size_t in_buf_len = ssl->in_buf_len; 1946 #else 1947 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 1948 #endif 1949 1950 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) ); 1951 1952 if( len_pre == 0 ) 1953 return( 0 ); 1954 1955 memcpy( msg_pre, ssl->in_msg, len_pre ); 1956 1957 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %" MBEDTLS_PRINTF_SIZET ", ", 1958 ssl->in_msglen ) ); 1959 1960 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload", 1961 ssl->in_msg, ssl->in_msglen ); 1962 1963 ssl->transform_in->ctx_inflate.next_in = msg_pre; 1964 ssl->transform_in->ctx_inflate.avail_in = len_pre; 1965 ssl->transform_in->ctx_inflate.next_out = msg_post; 1966 ssl->transform_in->ctx_inflate.avail_out = in_buf_len - header_bytes; 1967 1968 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH ); 1969 if( ret != Z_OK ) 1970 { 1971 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) ); 1972 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED ); 1973 } 1974 1975 ssl->in_msglen = in_buf_len - 1976 ssl->transform_in->ctx_inflate.avail_out - header_bytes; 1977 1978 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %" MBEDTLS_PRINTF_SIZET ", ", 1979 ssl->in_msglen ) ); 1980 1981 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload", 1982 ssl->in_msg, ssl->in_msglen ); 1983 1984 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) ); 1985 1986 return( 0 ); 1987 } 1988 #endif /* MBEDTLS_ZLIB_SUPPORT */ 1989 1990 /* 1991 * Fill the input message buffer by appending data to it. 1992 * The amount of data already fetched is in ssl->in_left. 1993 * 1994 * If we return 0, is it guaranteed that (at least) nb_want bytes are 1995 * available (from this read and/or a previous one). Otherwise, an error code 1996 * is returned (possibly EOF or WANT_READ). 1997 * 1998 * With stream transport (TLS) on success ssl->in_left == nb_want, but 1999 * with datagram transport (DTLS) on success ssl->in_left >= nb_want, 2000 * since we always read a whole datagram at once. 2001 * 2002 * For DTLS, it is up to the caller to set ssl->next_record_offset when 2003 * they're done reading a record. 2004 */ 2005 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) 2006 { 2007 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2008 size_t len; 2009 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 2010 size_t in_buf_len = ssl->in_buf_len; 2011 #else 2012 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 2013 #endif 2014 2015 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) ); 2016 2017 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) 2018 { 2019 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 2020 "or mbedtls_ssl_set_bio()" ) ); 2021 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 2022 } 2023 2024 if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) ) 2025 { 2026 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) ); 2027 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 2028 } 2029 2030 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2031 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 2032 { 2033 uint32_t timeout; 2034 2035 /* 2036 * The point is, we need to always read a full datagram at once, so we 2037 * sometimes read more then requested, and handle the additional data. 2038 * It could be the rest of the current record (while fetching the 2039 * header) and/or some other records in the same datagram. 2040 */ 2041 2042 /* 2043 * Move to the next record in the already read datagram if applicable 2044 */ 2045 if( ssl->next_record_offset != 0 ) 2046 { 2047 if( ssl->in_left < ssl->next_record_offset ) 2048 { 2049 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2050 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2051 } 2052 2053 ssl->in_left -= ssl->next_record_offset; 2054 2055 if( ssl->in_left != 0 ) 2056 { 2057 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %" 2058 MBEDTLS_PRINTF_SIZET, 2059 ssl->next_record_offset ) ); 2060 memmove( ssl->in_hdr, 2061 ssl->in_hdr + ssl->next_record_offset, 2062 ssl->in_left ); 2063 } 2064 2065 ssl->next_record_offset = 0; 2066 } 2067 2068 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET 2069 ", nb_want: %" MBEDTLS_PRINTF_SIZET, 2070 ssl->in_left, nb_want ) ); 2071 2072 /* 2073 * Done if we already have enough data. 2074 */ 2075 if( nb_want <= ssl->in_left) 2076 { 2077 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 2078 return( 0 ); 2079 } 2080 2081 /* 2082 * A record can't be split across datagrams. If we need to read but 2083 * are not at the beginning of a new record, the caller did something 2084 * wrong. 2085 */ 2086 if( ssl->in_left != 0 ) 2087 { 2088 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2089 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2090 } 2091 2092 /* 2093 * Don't even try to read if time's out already. 2094 * This avoids by-passing the timer when repeatedly receiving messages 2095 * that will end up being dropped. 2096 */ 2097 if( mbedtls_ssl_check_timer( ssl ) != 0 ) 2098 { 2099 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) ); 2100 ret = MBEDTLS_ERR_SSL_TIMEOUT; 2101 } 2102 else 2103 { 2104 len = in_buf_len - ( ssl->in_hdr - ssl->in_buf ); 2105 2106 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 2107 timeout = ssl->handshake->retransmit_timeout; 2108 else 2109 timeout = ssl->conf->read_timeout; 2110 2111 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %lu ms", (unsigned long) timeout ) ); 2112 2113 if( ssl->f_recv_timeout != NULL ) 2114 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len, 2115 timeout ); 2116 else 2117 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len ); 2118 2119 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 2120 2121 if( ret == 0 ) 2122 return( MBEDTLS_ERR_SSL_CONN_EOF ); 2123 } 2124 2125 if( ret == MBEDTLS_ERR_SSL_TIMEOUT ) 2126 { 2127 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) ); 2128 mbedtls_ssl_set_timer( ssl, 0 ); 2129 2130 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 2131 { 2132 if( ssl_double_retransmit_timeout( ssl ) != 0 ) 2133 { 2134 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) ); 2135 return( MBEDTLS_ERR_SSL_TIMEOUT ); 2136 } 2137 2138 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 2139 { 2140 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 2141 return( ret ); 2142 } 2143 2144 return( MBEDTLS_ERR_SSL_WANT_READ ); 2145 } 2146 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 2147 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 2148 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 2149 { 2150 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 ) 2151 { 2152 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request", 2153 ret ); 2154 return( ret ); 2155 } 2156 2157 return( MBEDTLS_ERR_SSL_WANT_READ ); 2158 } 2159 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 2160 } 2161 2162 if( ret < 0 ) 2163 return( ret ); 2164 2165 ssl->in_left = ret; 2166 } 2167 else 2168 #endif 2169 { 2170 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET 2171 ", nb_want: %" MBEDTLS_PRINTF_SIZET, 2172 ssl->in_left, nb_want ) ); 2173 2174 while( ssl->in_left < nb_want ) 2175 { 2176 len = nb_want - ssl->in_left; 2177 2178 if( mbedtls_ssl_check_timer( ssl ) != 0 ) 2179 ret = MBEDTLS_ERR_SSL_TIMEOUT; 2180 else 2181 { 2182 if( ssl->f_recv_timeout != NULL ) 2183 { 2184 ret = ssl->f_recv_timeout( ssl->p_bio, 2185 ssl->in_hdr + ssl->in_left, len, 2186 ssl->conf->read_timeout ); 2187 } 2188 else 2189 { 2190 ret = ssl->f_recv( ssl->p_bio, 2191 ssl->in_hdr + ssl->in_left, len ); 2192 } 2193 } 2194 2195 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET 2196 ", nb_want: %" MBEDTLS_PRINTF_SIZET, 2197 ssl->in_left, nb_want ) ); 2198 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret ); 2199 2200 if( ret == 0 ) 2201 return( MBEDTLS_ERR_SSL_CONN_EOF ); 2202 2203 if( ret < 0 ) 2204 return( ret ); 2205 2206 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) ) 2207 { 2208 MBEDTLS_SSL_DEBUG_MSG( 1, 2209 ( "f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " were requested", 2210 ret, len ) ); 2211 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2212 } 2213 2214 ssl->in_left += ret; 2215 } 2216 } 2217 2218 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) ); 2219 2220 return( 0 ); 2221 } 2222 2223 /* 2224 * Flush any data not yet written 2225 */ 2226 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) 2227 { 2228 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2229 unsigned char *buf; 2230 2231 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) ); 2232 2233 if( ssl->f_send == NULL ) 2234 { 2235 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " 2236 "or mbedtls_ssl_set_bio()" ) ); 2237 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 2238 } 2239 2240 /* Avoid incrementing counter if data is flushed */ 2241 if( ssl->out_left == 0 ) 2242 { 2243 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 2244 return( 0 ); 2245 } 2246 2247 while( ssl->out_left > 0 ) 2248 { 2249 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %" MBEDTLS_PRINTF_SIZET 2250 ", out_left: %" MBEDTLS_PRINTF_SIZET, 2251 mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) ); 2252 2253 buf = ssl->out_hdr - ssl->out_left; 2254 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left ); 2255 2256 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret ); 2257 2258 if( ret <= 0 ) 2259 return( ret ); 2260 2261 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) ) 2262 { 2263 MBEDTLS_SSL_DEBUG_MSG( 1, 2264 ( "f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " bytes were sent", 2265 ret, ssl->out_left ) ); 2266 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2267 } 2268 2269 ssl->out_left -= ret; 2270 } 2271 2272 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2273 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 2274 { 2275 ssl->out_hdr = ssl->out_buf; 2276 } 2277 else 2278 #endif 2279 { 2280 ssl->out_hdr = ssl->out_buf + 8; 2281 } 2282 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out ); 2283 2284 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) ); 2285 2286 return( 0 ); 2287 } 2288 2289 /* 2290 * Functions to handle the DTLS retransmission state machine 2291 */ 2292 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2293 /* 2294 * Append current handshake message to current outgoing flight 2295 */ 2296 static int ssl_flight_append( mbedtls_ssl_context *ssl ) 2297 { 2298 mbedtls_ssl_flight_item *msg; 2299 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) ); 2300 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight", 2301 ssl->out_msg, ssl->out_msglen ); 2302 2303 /* Allocate space for current message */ 2304 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL ) 2305 { 2306 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed", 2307 sizeof( mbedtls_ssl_flight_item ) ) ); 2308 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 2309 } 2310 2311 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL ) 2312 { 2313 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed", 2314 ssl->out_msglen ) ); 2315 mbedtls_free( msg ); 2316 return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); 2317 } 2318 2319 /* Copy current handshake message with headers */ 2320 memcpy( msg->p, ssl->out_msg, ssl->out_msglen ); 2321 msg->len = ssl->out_msglen; 2322 msg->type = ssl->out_msgtype; 2323 msg->next = NULL; 2324 2325 /* Append to the current flight */ 2326 if( ssl->handshake->flight == NULL ) 2327 ssl->handshake->flight = msg; 2328 else 2329 { 2330 mbedtls_ssl_flight_item *cur = ssl->handshake->flight; 2331 while( cur->next != NULL ) 2332 cur = cur->next; 2333 cur->next = msg; 2334 } 2335 2336 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) ); 2337 return( 0 ); 2338 } 2339 2340 /* 2341 * Free the current flight of handshake messages 2342 */ 2343 void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight ) 2344 { 2345 mbedtls_ssl_flight_item *cur = flight; 2346 mbedtls_ssl_flight_item *next; 2347 2348 while( cur != NULL ) 2349 { 2350 next = cur->next; 2351 2352 mbedtls_free( cur->p ); 2353 mbedtls_free( cur ); 2354 2355 cur = next; 2356 } 2357 } 2358 2359 /* 2360 * Swap transform_out and out_ctr with the alternative ones 2361 */ 2362 static int ssl_swap_epochs( mbedtls_ssl_context *ssl ) 2363 { 2364 mbedtls_ssl_transform *tmp_transform; 2365 unsigned char tmp_out_ctr[8]; 2366 2367 if( ssl->transform_out == ssl->handshake->alt_transform_out ) 2368 { 2369 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) ); 2370 return( 0 ); 2371 } 2372 2373 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) ); 2374 2375 /* Swap transforms */ 2376 tmp_transform = ssl->transform_out; 2377 ssl->transform_out = ssl->handshake->alt_transform_out; 2378 ssl->handshake->alt_transform_out = tmp_transform; 2379 2380 /* Swap epoch + sequence_number */ 2381 memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 ); 2382 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 ); 2383 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 ); 2384 2385 /* Adjust to the newly activated transform */ 2386 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out ); 2387 2388 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 2389 if( mbedtls_ssl_hw_record_activate != NULL ) 2390 { 2391 int ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ); 2392 if( ret != 0 ) 2393 { 2394 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 2395 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 2396 } 2397 } 2398 #endif 2399 2400 return( 0 ); 2401 } 2402 2403 /* 2404 * Retransmit the current flight of messages. 2405 */ 2406 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl ) 2407 { 2408 int ret = 0; 2409 2410 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) ); 2411 2412 ret = mbedtls_ssl_flight_transmit( ssl ); 2413 2414 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) ); 2415 2416 return( ret ); 2417 } 2418 2419 /* 2420 * Transmit or retransmit the current flight of messages. 2421 * 2422 * Need to remember the current message in case flush_output returns 2423 * WANT_WRITE, causing us to exit this function and come back later. 2424 * This function must be called until state is no longer SENDING. 2425 */ 2426 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl ) 2427 { 2428 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2429 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) ); 2430 2431 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING ) 2432 { 2433 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) ); 2434 2435 ssl->handshake->cur_msg = ssl->handshake->flight; 2436 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12; 2437 ret = ssl_swap_epochs( ssl ); 2438 if( ret != 0 ) 2439 return( ret ); 2440 2441 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING; 2442 } 2443 2444 while( ssl->handshake->cur_msg != NULL ) 2445 { 2446 size_t max_frag_len; 2447 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg; 2448 2449 int const is_finished = 2450 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE && 2451 cur->p[0] == MBEDTLS_SSL_HS_FINISHED ); 2452 2453 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ? 2454 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH; 2455 2456 /* Swap epochs before sending Finished: we can't do it after 2457 * sending ChangeCipherSpec, in case write returns WANT_READ. 2458 * Must be done before copying, may change out_msg pointer */ 2459 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) ) 2460 { 2461 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) ); 2462 ret = ssl_swap_epochs( ssl ); 2463 if( ret != 0 ) 2464 return( ret ); 2465 } 2466 2467 ret = ssl_get_remaining_payload_in_datagram( ssl ); 2468 if( ret < 0 ) 2469 return( ret ); 2470 max_frag_len = (size_t) ret; 2471 2472 /* CCS is copied as is, while HS messages may need fragmentation */ 2473 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) 2474 { 2475 if( max_frag_len == 0 ) 2476 { 2477 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 2478 return( ret ); 2479 2480 continue; 2481 } 2482 2483 memcpy( ssl->out_msg, cur->p, cur->len ); 2484 ssl->out_msglen = cur->len; 2485 ssl->out_msgtype = cur->type; 2486 2487 /* Update position inside current message */ 2488 ssl->handshake->cur_msg_p += cur->len; 2489 } 2490 else 2491 { 2492 const unsigned char * const p = ssl->handshake->cur_msg_p; 2493 const size_t hs_len = cur->len - 12; 2494 const size_t frag_off = p - ( cur->p + 12 ); 2495 const size_t rem_len = hs_len - frag_off; 2496 size_t cur_hs_frag_len, max_hs_frag_len; 2497 2498 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) ) 2499 { 2500 if( is_finished ) 2501 { 2502 ret = ssl_swap_epochs( ssl ); 2503 if( ret != 0 ) 2504 return( ret ); 2505 } 2506 2507 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 2508 return( ret ); 2509 2510 continue; 2511 } 2512 max_hs_frag_len = max_frag_len - 12; 2513 2514 cur_hs_frag_len = rem_len > max_hs_frag_len ? 2515 max_hs_frag_len : rem_len; 2516 2517 if( frag_off == 0 && cur_hs_frag_len != hs_len ) 2518 { 2519 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)", 2520 (unsigned) cur_hs_frag_len, 2521 (unsigned) max_hs_frag_len ) ); 2522 } 2523 2524 /* Messages are stored with handshake headers as if not fragmented, 2525 * copy beginning of headers then fill fragmentation fields. 2526 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */ 2527 memcpy( ssl->out_msg, cur->p, 6 ); 2528 2529 ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff ); 2530 ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff ); 2531 ssl->out_msg[8] = ( ( frag_off ) & 0xff ); 2532 2533 ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff ); 2534 ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff ); 2535 ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff ); 2536 2537 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 ); 2538 2539 /* Copy the handshake message content and set records fields */ 2540 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len ); 2541 ssl->out_msglen = cur_hs_frag_len + 12; 2542 ssl->out_msgtype = cur->type; 2543 2544 /* Update position inside current message */ 2545 ssl->handshake->cur_msg_p += cur_hs_frag_len; 2546 } 2547 2548 /* If done with the current message move to the next one if any */ 2549 if( ssl->handshake->cur_msg_p >= cur->p + cur->len ) 2550 { 2551 if( cur->next != NULL ) 2552 { 2553 ssl->handshake->cur_msg = cur->next; 2554 ssl->handshake->cur_msg_p = cur->next->p + 12; 2555 } 2556 else 2557 { 2558 ssl->handshake->cur_msg = NULL; 2559 ssl->handshake->cur_msg_p = NULL; 2560 } 2561 } 2562 2563 /* Actually send the message out */ 2564 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 ) 2565 { 2566 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 2567 return( ret ); 2568 } 2569 } 2570 2571 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 2572 return( ret ); 2573 2574 /* Update state and set timer */ 2575 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 2576 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 2577 else 2578 { 2579 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 2580 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 2581 } 2582 2583 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) ); 2584 2585 return( 0 ); 2586 } 2587 2588 /* 2589 * To be called when the last message of an incoming flight is received. 2590 */ 2591 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl ) 2592 { 2593 /* We won't need to resend that one any more */ 2594 mbedtls_ssl_flight_free( ssl->handshake->flight ); 2595 ssl->handshake->flight = NULL; 2596 ssl->handshake->cur_msg = NULL; 2597 2598 /* The next incoming flight will start with this msg_seq */ 2599 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq; 2600 2601 /* We don't want to remember CCS's across flight boundaries. */ 2602 ssl->handshake->buffering.seen_ccs = 0; 2603 2604 /* Clear future message buffering structure. */ 2605 mbedtls_ssl_buffering_free( ssl ); 2606 2607 /* Cancel timer */ 2608 mbedtls_ssl_set_timer( ssl, 0 ); 2609 2610 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 2611 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 2612 { 2613 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 2614 } 2615 else 2616 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 2617 } 2618 2619 /* 2620 * To be called when the last message of an outgoing flight is send. 2621 */ 2622 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl ) 2623 { 2624 ssl_reset_retransmit_timeout( ssl ); 2625 mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout ); 2626 2627 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 2628 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED ) 2629 { 2630 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED; 2631 } 2632 else 2633 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 2634 } 2635 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 2636 2637 /* 2638 * Handshake layer functions 2639 */ 2640 2641 /* 2642 * Write (DTLS: or queue) current handshake (including CCS) message. 2643 * 2644 * - fill in handshake headers 2645 * - update handshake checksum 2646 * - DTLS: save message for resending 2647 * - then pass to the record layer 2648 * 2649 * DTLS: except for HelloRequest, messages are only queued, and will only be 2650 * actually sent when calling flight_transmit() or resend(). 2651 * 2652 * Inputs: 2653 * - ssl->out_msglen: 4 + actual handshake message len 2654 * (4 is the size of handshake headers for TLS) 2655 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc) 2656 * - ssl->out_msg + 4: the handshake message body 2657 * 2658 * Outputs, ie state before passing to flight_append() or write_record(): 2659 * - ssl->out_msglen: the length of the record contents 2660 * (including handshake headers but excluding record headers) 2661 * - ssl->out_msg: the record contents (handshake headers + content) 2662 */ 2663 int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl ) 2664 { 2665 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2666 const size_t hs_len = ssl->out_msglen - 4; 2667 const unsigned char hs_type = ssl->out_msg[0]; 2668 2669 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) ); 2670 2671 /* 2672 * Sanity checks 2673 */ 2674 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE && 2675 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) 2676 { 2677 /* In SSLv3, the client might send a NoCertificate alert. */ 2678 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C) 2679 if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 2680 ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT && 2681 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) ) 2682 #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */ 2683 { 2684 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2685 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2686 } 2687 } 2688 2689 /* Whenever we send anything different from a 2690 * HelloRequest we should be in a handshake - double check. */ 2691 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 2692 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) && 2693 ssl->handshake == NULL ) 2694 { 2695 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2696 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2697 } 2698 2699 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2700 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 2701 ssl->handshake != NULL && 2702 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 2703 { 2704 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2705 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2706 } 2707 #endif 2708 2709 /* Double-check that we did not exceed the bounds 2710 * of the outgoing record buffer. 2711 * This should never fail as the various message 2712 * writing functions must obey the bounds of the 2713 * outgoing record buffer, but better be safe. 2714 * 2715 * Note: We deliberately do not check for the MTU or MFL here. 2716 */ 2717 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN ) 2718 { 2719 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: " 2720 "size %" MBEDTLS_PRINTF_SIZET 2721 ", maximum %" MBEDTLS_PRINTF_SIZET, 2722 ssl->out_msglen, 2723 (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) ); 2724 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2725 } 2726 2727 /* 2728 * Fill handshake headers 2729 */ 2730 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 2731 { 2732 ssl->out_msg[1] = (unsigned char)( hs_len >> 16 ); 2733 ssl->out_msg[2] = (unsigned char)( hs_len >> 8 ); 2734 ssl->out_msg[3] = (unsigned char)( hs_len ); 2735 2736 /* 2737 * DTLS has additional fields in the Handshake layer, 2738 * between the length field and the actual payload: 2739 * uint16 message_seq; 2740 * uint24 fragment_offset; 2741 * uint24 fragment_length; 2742 */ 2743 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2744 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 2745 { 2746 /* Make room for the additional DTLS fields */ 2747 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 ) 2748 { 2749 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: " 2750 "size %" MBEDTLS_PRINTF_SIZET ", maximum %" MBEDTLS_PRINTF_SIZET, 2751 hs_len, 2752 (size_t) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) ); 2753 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 2754 } 2755 2756 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len ); 2757 ssl->out_msglen += 8; 2758 2759 /* Write message_seq and update it, except for HelloRequest */ 2760 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 2761 { 2762 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF; 2763 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF; 2764 ++( ssl->handshake->out_msg_seq ); 2765 } 2766 else 2767 { 2768 ssl->out_msg[4] = 0; 2769 ssl->out_msg[5] = 0; 2770 } 2771 2772 /* Handshake hashes are computed without fragmentation, 2773 * so set frag_offset = 0 and frag_len = hs_len for now */ 2774 memset( ssl->out_msg + 6, 0x00, 3 ); 2775 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 ); 2776 } 2777 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 2778 2779 /* Update running hashes of handshake messages seen */ 2780 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST ) 2781 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen ); 2782 } 2783 2784 /* Either send now, or just save to be sent (and resent) later */ 2785 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2786 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 2787 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 2788 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) ) 2789 { 2790 if( ( ret = ssl_flight_append( ssl ) ) != 0 ) 2791 { 2792 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret ); 2793 return( ret ); 2794 } 2795 } 2796 else 2797 #endif 2798 { 2799 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 ) 2800 { 2801 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret ); 2802 return( ret ); 2803 } 2804 } 2805 2806 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) ); 2807 2808 return( 0 ); 2809 } 2810 2811 /* 2812 * Record layer functions 2813 */ 2814 2815 /* 2816 * Write current record. 2817 * 2818 * Uses: 2819 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS) 2820 * - ssl->out_msglen: length of the record content (excl headers) 2821 * - ssl->out_msg: record content 2822 */ 2823 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush ) 2824 { 2825 int ret, done = 0; 2826 size_t len = ssl->out_msglen; 2827 uint8_t flush = force_flush; 2828 2829 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) ); 2830 2831 #if defined(MBEDTLS_ZLIB_SUPPORT) 2832 if( ssl->transform_out != NULL && 2833 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 2834 { 2835 if( ( ret = ssl_compress_buf( ssl ) ) != 0 ) 2836 { 2837 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret ); 2838 return( ret ); 2839 } 2840 2841 len = ssl->out_msglen; 2842 } 2843 #endif /*MBEDTLS_ZLIB_SUPPORT */ 2844 2845 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 2846 if( mbedtls_ssl_hw_record_write != NULL ) 2847 { 2848 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) ); 2849 2850 ret = mbedtls_ssl_hw_record_write( ssl ); 2851 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 2852 { 2853 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret ); 2854 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 2855 } 2856 2857 if( ret == 0 ) 2858 done = 1; 2859 } 2860 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 2861 if( !done ) 2862 { 2863 unsigned i; 2864 size_t protected_record_size; 2865 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 2866 size_t out_buf_len = ssl->out_buf_len; 2867 #else 2868 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 2869 #endif 2870 /* Skip writing the record content type to after the encryption, 2871 * as it may change when using the CID extension. */ 2872 2873 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 2874 ssl->conf->transport, ssl->out_hdr + 1 ); 2875 2876 memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 ); 2877 ssl->out_len[0] = (unsigned char)( len >> 8 ); 2878 ssl->out_len[1] = (unsigned char)( len ); 2879 2880 if( ssl->transform_out != NULL ) 2881 { 2882 mbedtls_record rec; 2883 2884 rec.buf = ssl->out_iv; 2885 rec.buf_len = out_buf_len - ( ssl->out_iv - ssl->out_buf ); 2886 rec.data_len = ssl->out_msglen; 2887 rec.data_offset = ssl->out_msg - rec.buf; 2888 2889 memcpy( &rec.ctr[0], ssl->out_ctr, 8 ); 2890 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver, 2891 ssl->conf->transport, rec.ver ); 2892 rec.type = ssl->out_msgtype; 2893 2894 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 2895 /* The CID is set by mbedtls_ssl_encrypt_buf(). */ 2896 rec.cid_len = 0; 2897 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 2898 2899 if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec, 2900 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 ) 2901 { 2902 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret ); 2903 return( ret ); 2904 } 2905 2906 if( rec.data_offset != 0 ) 2907 { 2908 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 2909 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2910 } 2911 2912 /* Update the record content type and CID. */ 2913 ssl->out_msgtype = rec.type; 2914 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID ) 2915 memcpy( ssl->out_cid, rec.cid, rec.cid_len ); 2916 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 2917 ssl->out_msglen = len = rec.data_len; 2918 ssl->out_len[0] = (unsigned char)( rec.data_len >> 8 ); 2919 ssl->out_len[1] = (unsigned char)( rec.data_len ); 2920 } 2921 2922 protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl ); 2923 2924 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2925 /* In case of DTLS, double-check that we don't exceed 2926 * the remaining space in the datagram. */ 2927 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 2928 { 2929 ret = ssl_get_remaining_space_in_datagram( ssl ); 2930 if( ret < 0 ) 2931 return( ret ); 2932 2933 if( protected_record_size > (size_t) ret ) 2934 { 2935 /* Should never happen */ 2936 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 2937 } 2938 } 2939 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 2940 2941 /* Now write the potentially updated record content type. */ 2942 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype; 2943 2944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %u, " 2945 "version = [%u:%u], msglen = %" MBEDTLS_PRINTF_SIZET, 2946 ssl->out_hdr[0], ssl->out_hdr[1], 2947 ssl->out_hdr[2], len ) ); 2948 2949 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", 2950 ssl->out_hdr, protected_record_size ); 2951 2952 ssl->out_left += protected_record_size; 2953 ssl->out_hdr += protected_record_size; 2954 mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out ); 2955 2956 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- ) 2957 if( ++ssl->cur_out_ctr[i - 1] != 0 ) 2958 break; 2959 2960 /* The loop goes to its end iff the counter is wrapping */ 2961 if( i == mbedtls_ssl_ep_len( ssl ) ) 2962 { 2963 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) ); 2964 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 2965 } 2966 } 2967 2968 #if defined(MBEDTLS_SSL_PROTO_DTLS) 2969 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 2970 flush == SSL_DONT_FORCE_FLUSH ) 2971 { 2972 size_t remaining; 2973 ret = ssl_get_remaining_payload_in_datagram( ssl ); 2974 if( ret < 0 ) 2975 { 2976 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram", 2977 ret ); 2978 return( ret ); 2979 } 2980 2981 remaining = (size_t) ret; 2982 if( remaining == 0 ) 2983 { 2984 flush = SSL_FORCE_FLUSH; 2985 } 2986 else 2987 { 2988 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) ); 2989 } 2990 } 2991 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 2992 2993 if( ( flush == SSL_FORCE_FLUSH ) && 2994 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 2995 { 2996 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 2997 return( ret ); 2998 } 2999 3000 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) ); 3001 3002 return( 0 ); 3003 } 3004 3005 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3006 3007 static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl ) 3008 { 3009 if( ssl->in_msglen < ssl->in_hslen || 3010 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 || 3011 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 ) 3012 { 3013 return( 1 ); 3014 } 3015 return( 0 ); 3016 } 3017 3018 static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl ) 3019 { 3020 return( ( ssl->in_msg[9] << 16 ) | 3021 ( ssl->in_msg[10] << 8 ) | 3022 ssl->in_msg[11] ); 3023 } 3024 3025 static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl ) 3026 { 3027 return( ( ssl->in_msg[6] << 16 ) | 3028 ( ssl->in_msg[7] << 8 ) | 3029 ssl->in_msg[8] ); 3030 } 3031 3032 static int ssl_check_hs_header( mbedtls_ssl_context const *ssl ) 3033 { 3034 uint32_t msg_len, frag_off, frag_len; 3035 3036 msg_len = ssl_get_hs_total_len( ssl ); 3037 frag_off = ssl_get_hs_frag_off( ssl ); 3038 frag_len = ssl_get_hs_frag_len( ssl ); 3039 3040 if( frag_off > msg_len ) 3041 return( -1 ); 3042 3043 if( frag_len > msg_len - frag_off ) 3044 return( -1 ); 3045 3046 if( frag_len + 12 > ssl->in_msglen ) 3047 return( -1 ); 3048 3049 return( 0 ); 3050 } 3051 3052 /* 3053 * Mark bits in bitmask (used for DTLS HS reassembly) 3054 */ 3055 static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len ) 3056 { 3057 unsigned int start_bits, end_bits; 3058 3059 start_bits = 8 - ( offset % 8 ); 3060 if( start_bits != 8 ) 3061 { 3062 size_t first_byte_idx = offset / 8; 3063 3064 /* Special case */ 3065 if( len <= start_bits ) 3066 { 3067 for( ; len != 0; len-- ) 3068 mask[first_byte_idx] |= 1 << ( start_bits - len ); 3069 3070 /* Avoid potential issues with offset or len becoming invalid */ 3071 return; 3072 } 3073 3074 offset += start_bits; /* Now offset % 8 == 0 */ 3075 len -= start_bits; 3076 3077 for( ; start_bits != 0; start_bits-- ) 3078 mask[first_byte_idx] |= 1 << ( start_bits - 1 ); 3079 } 3080 3081 end_bits = len % 8; 3082 if( end_bits != 0 ) 3083 { 3084 size_t last_byte_idx = ( offset + len ) / 8; 3085 3086 len -= end_bits; /* Now len % 8 == 0 */ 3087 3088 for( ; end_bits != 0; end_bits-- ) 3089 mask[last_byte_idx] |= 1 << ( 8 - end_bits ); 3090 } 3091 3092 memset( mask + offset / 8, 0xFF, len / 8 ); 3093 } 3094 3095 /* 3096 * Check that bitmask is full 3097 */ 3098 static int ssl_bitmask_check( unsigned char *mask, size_t len ) 3099 { 3100 size_t i; 3101 3102 for( i = 0; i < len / 8; i++ ) 3103 if( mask[i] != 0xFF ) 3104 return( -1 ); 3105 3106 for( i = 0; i < len % 8; i++ ) 3107 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 ) 3108 return( -1 ); 3109 3110 return( 0 ); 3111 } 3112 3113 /* msg_len does not include the handshake header */ 3114 static size_t ssl_get_reassembly_buffer_size( size_t msg_len, 3115 unsigned add_bitmap ) 3116 { 3117 size_t alloc_len; 3118 3119 alloc_len = 12; /* Handshake header */ 3120 alloc_len += msg_len; /* Content buffer */ 3121 3122 if( add_bitmap ) 3123 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */ 3124 3125 return( alloc_len ); 3126 } 3127 3128 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3129 3130 static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl ) 3131 { 3132 return( ( ssl->in_msg[1] << 16 ) | 3133 ( ssl->in_msg[2] << 8 ) | 3134 ssl->in_msg[3] ); 3135 } 3136 3137 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl ) 3138 { 3139 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) ) 3140 { 3141 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %" MBEDTLS_PRINTF_SIZET, 3142 ssl->in_msglen ) ); 3143 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3144 } 3145 3146 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl ); 3147 3148 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen =" 3149 " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" MBEDTLS_PRINTF_SIZET, 3150 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) ); 3151 3152 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3153 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 3154 { 3155 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3156 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 3157 3158 if( ssl_check_hs_header( ssl ) != 0 ) 3159 { 3160 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) ); 3161 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3162 } 3163 3164 if( ssl->handshake != NULL && 3165 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && 3166 recv_msg_seq != ssl->handshake->in_msg_seq ) || 3167 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && 3168 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) ) 3169 { 3170 if( recv_msg_seq > ssl->handshake->in_msg_seq ) 3171 { 3172 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)", 3173 recv_msg_seq, 3174 ssl->handshake->in_msg_seq ) ); 3175 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); 3176 } 3177 3178 /* Retransmit only on last message from previous flight, to avoid 3179 * too many retransmissions. 3180 * Besides, No sane server ever retransmits HelloVerifyRequest */ 3181 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 && 3182 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST ) 3183 { 3184 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, " 3185 "message_seq = %u, start_of_flight = %u", 3186 recv_msg_seq, 3187 ssl->handshake->in_flight_start_seq ) ); 3188 3189 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 ) 3190 { 3191 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret ); 3192 return( ret ); 3193 } 3194 } 3195 else 3196 { 3197 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: " 3198 "message_seq = %u, expected = %u", 3199 recv_msg_seq, 3200 ssl->handshake->in_msg_seq ) ); 3201 } 3202 3203 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); 3204 } 3205 /* Wait until message completion to increment in_msg_seq */ 3206 3207 /* Message reassembly is handled alongside buffering of future 3208 * messages; the commonality is that both handshake fragments and 3209 * future messages cannot be forwarded immediately to the 3210 * handshake logic layer. */ 3211 if( ssl_hs_is_proper_fragment( ssl ) == 1 ) 3212 { 3213 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) ); 3214 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); 3215 } 3216 } 3217 else 3218 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3219 /* With TLS we don't handle fragmentation (for now) */ 3220 if( ssl->in_msglen < ssl->in_hslen ) 3221 { 3222 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) ); 3223 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 3224 } 3225 3226 return( 0 ); 3227 } 3228 3229 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl ) 3230 { 3231 mbedtls_ssl_handshake_params * const hs = ssl->handshake; 3232 3233 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL ) 3234 { 3235 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen ); 3236 } 3237 3238 /* Handshake message is complete, increment counter */ 3239 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3240 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 3241 ssl->handshake != NULL ) 3242 { 3243 unsigned offset; 3244 mbedtls_ssl_hs_buffer *hs_buf; 3245 3246 /* Increment handshake sequence number */ 3247 hs->in_msg_seq++; 3248 3249 /* 3250 * Clear up handshake buffering and reassembly structure. 3251 */ 3252 3253 /* Free first entry */ 3254 ssl_buffering_free_slot( ssl, 0 ); 3255 3256 /* Shift all other entries */ 3257 for( offset = 0, hs_buf = &hs->buffering.hs[0]; 3258 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS; 3259 offset++, hs_buf++ ) 3260 { 3261 *hs_buf = *(hs_buf + 1); 3262 } 3263 3264 /* Create a fresh last entry */ 3265 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) ); 3266 } 3267 #endif 3268 } 3269 3270 /* 3271 * DTLS anti-replay: RFC 6347 4.1.2.6 3272 * 3273 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb). 3274 * Bit n is set iff record number in_window_top - n has been seen. 3275 * 3276 * Usually, in_window_top is the last record number seen and the lsb of 3277 * in_window is set. The only exception is the initial state (record number 0 3278 * not seen yet). 3279 */ 3280 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 3281 void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl ) 3282 { 3283 ssl->in_window_top = 0; 3284 ssl->in_window = 0; 3285 } 3286 3287 static inline uint64_t ssl_load_six_bytes( unsigned char *buf ) 3288 { 3289 return( ( (uint64_t) buf[0] << 40 ) | 3290 ( (uint64_t) buf[1] << 32 ) | 3291 ( (uint64_t) buf[2] << 24 ) | 3292 ( (uint64_t) buf[3] << 16 ) | 3293 ( (uint64_t) buf[4] << 8 ) | 3294 ( (uint64_t) buf[5] ) ); 3295 } 3296 3297 static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr ) 3298 { 3299 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3300 unsigned char *original_in_ctr; 3301 3302 // save original in_ctr 3303 original_in_ctr = ssl->in_ctr; 3304 3305 // use counter from record 3306 ssl->in_ctr = record_in_ctr; 3307 3308 ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl ); 3309 3310 // restore the counter 3311 ssl->in_ctr = original_in_ctr; 3312 3313 return ret; 3314 } 3315 3316 /* 3317 * Return 0 if sequence number is acceptable, -1 otherwise 3318 */ 3319 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl ) 3320 { 3321 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 3322 uint64_t bit; 3323 3324 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 3325 return( 0 ); 3326 3327 if( rec_seqnum > ssl->in_window_top ) 3328 return( 0 ); 3329 3330 bit = ssl->in_window_top - rec_seqnum; 3331 3332 if( bit >= 64 ) 3333 return( -1 ); 3334 3335 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 ) 3336 return( -1 ); 3337 3338 return( 0 ); 3339 } 3340 3341 /* 3342 * Update replay window on new validated record 3343 */ 3344 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl ) 3345 { 3346 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 ); 3347 3348 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED ) 3349 return; 3350 3351 if( rec_seqnum > ssl->in_window_top ) 3352 { 3353 /* Update window_top and the contents of the window */ 3354 uint64_t shift = rec_seqnum - ssl->in_window_top; 3355 3356 if( shift >= 64 ) 3357 ssl->in_window = 1; 3358 else 3359 { 3360 ssl->in_window <<= shift; 3361 ssl->in_window |= 1; 3362 } 3363 3364 ssl->in_window_top = rec_seqnum; 3365 } 3366 else 3367 { 3368 /* Mark that number as seen in the current window */ 3369 uint64_t bit = ssl->in_window_top - rec_seqnum; 3370 3371 if( bit < 64 ) /* Always true, but be extra sure */ 3372 ssl->in_window |= (uint64_t) 1 << bit; 3373 } 3374 } 3375 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 3376 3377 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 3378 /* 3379 * Without any SSL context, check if a datagram looks like a ClientHello with 3380 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message. 3381 * Both input and output include full DTLS headers. 3382 * 3383 * - if cookie is valid, return 0 3384 * - if ClientHello looks superficially valid but cookie is not, 3385 * fill obuf and set olen, then 3386 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED 3387 * - otherwise return a specific error code 3388 */ 3389 static int ssl_check_dtls_clihlo_cookie( 3390 mbedtls_ssl_cookie_write_t *f_cookie_write, 3391 mbedtls_ssl_cookie_check_t *f_cookie_check, 3392 void *p_cookie, 3393 const unsigned char *cli_id, size_t cli_id_len, 3394 const unsigned char *in, size_t in_len, 3395 unsigned char *obuf, size_t buf_len, size_t *olen ) 3396 { 3397 size_t sid_len, cookie_len; 3398 unsigned char *p; 3399 3400 /* 3401 * Structure of ClientHello with record and handshake headers, 3402 * and expected values. We don't need to check a lot, more checks will be 3403 * done when actually parsing the ClientHello - skipping those checks 3404 * avoids code duplication and does not make cookie forging any easier. 3405 * 3406 * 0-0 ContentType type; copied, must be handshake 3407 * 1-2 ProtocolVersion version; copied 3408 * 3-4 uint16 epoch; copied, must be 0 3409 * 5-10 uint48 sequence_number; copied 3410 * 11-12 uint16 length; (ignored) 3411 * 3412 * 13-13 HandshakeType msg_type; (ignored) 3413 * 14-16 uint24 length; (ignored) 3414 * 17-18 uint16 message_seq; copied 3415 * 19-21 uint24 fragment_offset; copied, must be 0 3416 * 22-24 uint24 fragment_length; (ignored) 3417 * 3418 * 25-26 ProtocolVersion client_version; (ignored) 3419 * 27-58 Random random; (ignored) 3420 * 59-xx SessionID session_id; 1 byte len + sid_len content 3421 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content 3422 * ... 3423 * 3424 * Minimum length is 61 bytes. 3425 */ 3426 if( in_len < 61 || 3427 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE || 3428 in[3] != 0 || in[4] != 0 || 3429 in[19] != 0 || in[20] != 0 || in[21] != 0 ) 3430 { 3431 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 3432 } 3433 3434 sid_len = in[59]; 3435 if( sid_len > in_len - 61 ) 3436 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 3437 3438 cookie_len = in[60 + sid_len]; 3439 if( cookie_len > in_len - 60 ) 3440 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO ); 3441 3442 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len, 3443 cli_id, cli_id_len ) == 0 ) 3444 { 3445 /* Valid cookie */ 3446 return( 0 ); 3447 } 3448 3449 /* 3450 * If we get here, we've got an invalid cookie, let's prepare HVR. 3451 * 3452 * 0-0 ContentType type; copied 3453 * 1-2 ProtocolVersion version; copied 3454 * 3-4 uint16 epoch; copied 3455 * 5-10 uint48 sequence_number; copied 3456 * 11-12 uint16 length; olen - 13 3457 * 3458 * 13-13 HandshakeType msg_type; hello_verify_request 3459 * 14-16 uint24 length; olen - 25 3460 * 17-18 uint16 message_seq; copied 3461 * 19-21 uint24 fragment_offset; copied 3462 * 22-24 uint24 fragment_length; olen - 25 3463 * 3464 * 25-26 ProtocolVersion server_version; 0xfe 0xff 3465 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie 3466 * 3467 * Minimum length is 28. 3468 */ 3469 if( buf_len < 28 ) 3470 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); 3471 3472 /* Copy most fields and adapt others */ 3473 memcpy( obuf, in, 25 ); 3474 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST; 3475 obuf[25] = 0xfe; 3476 obuf[26] = 0xff; 3477 3478 /* Generate and write actual cookie */ 3479 p = obuf + 28; 3480 if( f_cookie_write( p_cookie, 3481 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 ) 3482 { 3483 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 3484 } 3485 3486 *olen = p - obuf; 3487 3488 /* Go back and fill length fields */ 3489 obuf[27] = (unsigned char)( *olen - 28 ); 3490 3491 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 ); 3492 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 ); 3493 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) ); 3494 3495 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 ); 3496 obuf[12] = (unsigned char)( ( *olen - 13 ) ); 3497 3498 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ); 3499 } 3500 3501 /* 3502 * Handle possible client reconnect with the same UDP quadruplet 3503 * (RFC 6347 Section 4.2.8). 3504 * 3505 * Called by ssl_parse_record_header() in case we receive an epoch 0 record 3506 * that looks like a ClientHello. 3507 * 3508 * - if the input looks like a ClientHello without cookies, 3509 * send back HelloVerifyRequest, then return 0 3510 * - if the input looks like a ClientHello with a valid cookie, 3511 * reset the session of the current context, and 3512 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT 3513 * - if anything goes wrong, return a specific error code 3514 * 3515 * This function is called (through ssl_check_client_reconnect()) when an 3516 * unexpected record is found in ssl_get_next_record(), which will discard the 3517 * record if we return 0, and bubble up the return value otherwise (this 3518 * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected 3519 * errors, and is the right thing to do in both cases). 3520 */ 3521 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl ) 3522 { 3523 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3524 size_t len; 3525 3526 if( ssl->conf->f_cookie_write == NULL || 3527 ssl->conf->f_cookie_check == NULL ) 3528 { 3529 /* If we can't use cookies to verify reachability of the peer, 3530 * drop the record. */ 3531 MBEDTLS_SSL_DEBUG_MSG( 1, ( "no cookie callbacks, " 3532 "can't check reconnect validity" ) ); 3533 return( 0 ); 3534 } 3535 3536 ret = ssl_check_dtls_clihlo_cookie( 3537 ssl->conf->f_cookie_write, 3538 ssl->conf->f_cookie_check, 3539 ssl->conf->p_cookie, 3540 ssl->cli_id, ssl->cli_id_len, 3541 ssl->in_buf, ssl->in_left, 3542 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len ); 3543 3544 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret ); 3545 3546 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED ) 3547 { 3548 int send_ret; 3549 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) ); 3550 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network", 3551 ssl->out_buf, len ); 3552 /* Don't check write errors as we can't do anything here. 3553 * If the error is permanent we'll catch it later, 3554 * if it's not, then hopefully it'll work next time. */ 3555 send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len ); 3556 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret ); 3557 (void) send_ret; 3558 3559 return( 0 ); 3560 } 3561 3562 if( ret == 0 ) 3563 { 3564 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) ); 3565 if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 ) 3566 { 3567 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret ); 3568 return( ret ); 3569 } 3570 3571 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT ); 3572 } 3573 3574 return( ret ); 3575 } 3576 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 3577 3578 static int ssl_check_record_type( uint8_t record_type ) 3579 { 3580 if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE && 3581 record_type != MBEDTLS_SSL_MSG_ALERT && 3582 record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC && 3583 record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 3584 { 3585 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3586 } 3587 3588 return( 0 ); 3589 } 3590 3591 /* 3592 * ContentType type; 3593 * ProtocolVersion version; 3594 * uint16 epoch; // DTLS only 3595 * uint48 sequence_number; // DTLS only 3596 * uint16 length; 3597 * 3598 * Return 0 if header looks sane (and, for DTLS, the record is expected) 3599 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad, 3600 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected. 3601 * 3602 * With DTLS, mbedtls_ssl_read_record() will: 3603 * 1. proceed with the record if this function returns 0 3604 * 2. drop only the current record if this function returns UNEXPECTED_RECORD 3605 * 3. return CLIENT_RECONNECT if this function return that value 3606 * 4. drop the whole datagram if this function returns anything else. 3607 * Point 2 is needed when the peer is resending, and we have already received 3608 * the first record from a datagram but are still waiting for the others. 3609 */ 3610 static int ssl_parse_record_header( mbedtls_ssl_context const *ssl, 3611 unsigned char *buf, 3612 size_t len, 3613 mbedtls_record *rec ) 3614 { 3615 int major_ver, minor_ver; 3616 3617 size_t const rec_hdr_type_offset = 0; 3618 size_t const rec_hdr_type_len = 1; 3619 3620 size_t const rec_hdr_version_offset = rec_hdr_type_offset + 3621 rec_hdr_type_len; 3622 size_t const rec_hdr_version_len = 2; 3623 3624 size_t const rec_hdr_ctr_len = 8; 3625 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3626 uint32_t rec_epoch; 3627 size_t const rec_hdr_ctr_offset = rec_hdr_version_offset + 3628 rec_hdr_version_len; 3629 3630 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 3631 size_t const rec_hdr_cid_offset = rec_hdr_ctr_offset + 3632 rec_hdr_ctr_len; 3633 size_t rec_hdr_cid_len = 0; 3634 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 3635 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3636 3637 size_t rec_hdr_len_offset; /* To be determined */ 3638 size_t const rec_hdr_len_len = 2; 3639 3640 /* 3641 * Check minimum lengths for record header. 3642 */ 3643 3644 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3645 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 3646 { 3647 rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len; 3648 } 3649 else 3650 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3651 { 3652 rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len; 3653 } 3654 3655 if( len < rec_hdr_len_offset + rec_hdr_len_len ) 3656 { 3657 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header of length %u", 3658 (unsigned) len, 3659 (unsigned)( rec_hdr_len_len + rec_hdr_len_len ) ) ); 3660 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3661 } 3662 3663 /* 3664 * Parse and validate record content type 3665 */ 3666 3667 rec->type = buf[ rec_hdr_type_offset ]; 3668 3669 /* Check record content type */ 3670 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 3671 rec->cid_len = 0; 3672 3673 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 3674 ssl->conf->cid_len != 0 && 3675 rec->type == MBEDTLS_SSL_MSG_CID ) 3676 { 3677 /* Shift pointers to account for record header including CID 3678 * struct { 3679 * ContentType special_type = tls12_cid; 3680 * ProtocolVersion version; 3681 * uint16 epoch; 3682 * uint48 sequence_number; 3683 * opaque cid[cid_length]; // Additional field compared to 3684 * // default DTLS record format 3685 * uint16 length; 3686 * opaque enc_content[DTLSCiphertext.length]; 3687 * } DTLSCiphertext; 3688 */ 3689 3690 /* So far, we only support static CID lengths 3691 * fixed in the configuration. */ 3692 rec_hdr_cid_len = ssl->conf->cid_len; 3693 rec_hdr_len_offset += rec_hdr_cid_len; 3694 3695 if( len < rec_hdr_len_offset + rec_hdr_len_len ) 3696 { 3697 MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header including CID, length %u", 3698 (unsigned) len, 3699 (unsigned)( rec_hdr_len_offset + rec_hdr_len_len ) ) ); 3700 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3701 } 3702 3703 /* configured CID len is guaranteed at most 255, see 3704 * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */ 3705 rec->cid_len = (uint8_t) rec_hdr_cid_len; 3706 memcpy( rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len ); 3707 } 3708 else 3709 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 3710 { 3711 if( ssl_check_record_type( rec->type ) ) 3712 { 3713 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type %u", 3714 (unsigned) rec->type ) ); 3715 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3716 } 3717 } 3718 3719 /* 3720 * Parse and validate record version 3721 */ 3722 3723 rec->ver[0] = buf[ rec_hdr_version_offset + 0 ]; 3724 rec->ver[1] = buf[ rec_hdr_version_offset + 1 ]; 3725 mbedtls_ssl_read_version( &major_ver, &minor_ver, 3726 ssl->conf->transport, 3727 &rec->ver[0] ); 3728 3729 if( major_ver != ssl->major_ver ) 3730 { 3731 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) ); 3732 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3733 } 3734 3735 if( minor_ver > ssl->conf->max_minor_ver ) 3736 { 3737 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) ); 3738 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3739 } 3740 3741 /* 3742 * Parse/Copy record sequence number. 3743 */ 3744 3745 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3746 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 3747 { 3748 /* Copy explicit record sequence number from input buffer. */ 3749 memcpy( &rec->ctr[0], buf + rec_hdr_ctr_offset, 3750 rec_hdr_ctr_len ); 3751 } 3752 else 3753 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3754 { 3755 /* Copy implicit record sequence number from SSL context structure. */ 3756 memcpy( &rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len ); 3757 } 3758 3759 /* 3760 * Parse record length. 3761 */ 3762 3763 rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len; 3764 rec->data_len = ( (size_t) buf[ rec_hdr_len_offset + 0 ] << 8 ) | 3765 ( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 ); 3766 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset ); 3767 3768 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %u, " 3769 "version = [%d:%d], msglen = %" MBEDTLS_PRINTF_SIZET, 3770 rec->type, 3771 major_ver, minor_ver, rec->data_len ) ); 3772 3773 rec->buf = buf; 3774 rec->buf_len = rec->data_offset + rec->data_len; 3775 3776 if( rec->data_len == 0 ) 3777 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3778 3779 /* 3780 * DTLS-related tests. 3781 * Check epoch before checking length constraint because 3782 * the latter varies with the epoch. E.g., if a ChangeCipherSpec 3783 * message gets duplicated before the corresponding Finished message, 3784 * the second ChangeCipherSpec should be discarded because it belongs 3785 * to an old epoch, but not because its length is shorter than 3786 * the minimum record length for packets using the new record transform. 3787 * Note that these two kinds of failures are handled differently, 3788 * as an unexpected record is silently skipped but an invalid 3789 * record leads to the entire datagram being dropped. 3790 */ 3791 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3792 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 3793 { 3794 rec_epoch = ( rec->ctr[0] << 8 ) | rec->ctr[1]; 3795 3796 /* Check that the datagram is large enough to contain a record 3797 * of the advertised length. */ 3798 if( len < rec->data_offset + rec->data_len ) 3799 { 3800 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram of length %u too small to contain record of advertised length %u.", 3801 (unsigned) len, 3802 (unsigned)( rec->data_offset + rec->data_len ) ) ); 3803 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3804 } 3805 3806 /* Records from other, non-matching epochs are silently discarded. 3807 * (The case of same-port Client reconnects must be considered in 3808 * the caller). */ 3809 if( rec_epoch != ssl->in_epoch ) 3810 { 3811 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: " 3812 "expected %u, received %lu", 3813 ssl->in_epoch, (unsigned long) rec_epoch ) ); 3814 3815 /* Records from the next epoch are considered for buffering 3816 * (concretely: early Finished messages). */ 3817 if( rec_epoch == (unsigned) ssl->in_epoch + 1 ) 3818 { 3819 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) ); 3820 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); 3821 } 3822 3823 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 3824 } 3825 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 3826 /* For records from the correct epoch, check whether their 3827 * sequence number has been seen before. */ 3828 else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl, 3829 &rec->ctr[0] ) != 0 ) 3830 { 3831 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) ); 3832 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 3833 } 3834 #endif 3835 } 3836 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3837 3838 return( 0 ); 3839 } 3840 3841 3842 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 3843 static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl ) 3844 { 3845 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1]; 3846 3847 /* 3848 * Check for an epoch 0 ClientHello. We can't use in_msg here to 3849 * access the first byte of record content (handshake type), as we 3850 * have an active transform (possibly iv_len != 0), so use the 3851 * fact that the record header len is 13 instead. 3852 */ 3853 if( rec_epoch == 0 && 3854 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 3855 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER && 3856 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 3857 ssl->in_left > 13 && 3858 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO ) 3859 { 3860 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect " 3861 "from the same port" ) ); 3862 return( ssl_handle_possible_reconnect( ssl ) ); 3863 } 3864 3865 return( 0 ); 3866 } 3867 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */ 3868 3869 /* 3870 * If applicable, decrypt record content 3871 */ 3872 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl, 3873 mbedtls_record *rec ) 3874 { 3875 int ret, done = 0; 3876 3877 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network", 3878 rec->buf, rec->buf_len ); 3879 3880 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 3881 if( mbedtls_ssl_hw_record_read != NULL ) 3882 { 3883 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) ); 3884 3885 ret = mbedtls_ssl_hw_record_read( ssl ); 3886 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH ) 3887 { 3888 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret ); 3889 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 3890 } 3891 3892 if( ret == 0 ) 3893 done = 1; 3894 } 3895 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */ 3896 if( !done && ssl->transform_in != NULL ) 3897 { 3898 unsigned char const old_msg_type = rec->type; 3899 3900 if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, 3901 rec ) ) != 0 ) 3902 { 3903 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret ); 3904 3905 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 3906 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID && 3907 ssl->conf->ignore_unexpected_cid 3908 == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE ) 3909 { 3910 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) ); 3911 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; 3912 } 3913 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 3914 3915 return( ret ); 3916 } 3917 3918 if( old_msg_type != rec->type ) 3919 { 3920 MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d", 3921 old_msg_type, rec->type ) ); 3922 } 3923 3924 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt", 3925 rec->buf + rec->data_offset, rec->data_len ); 3926 3927 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 3928 /* We have already checked the record content type 3929 * in ssl_parse_record_header(), failing or silently 3930 * dropping the record in the case of an unknown type. 3931 * 3932 * Since with the use of CIDs, the record content type 3933 * might change during decryption, re-check the record 3934 * content type, but treat a failure as fatal this time. */ 3935 if( ssl_check_record_type( rec->type ) ) 3936 { 3937 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) ); 3938 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3939 } 3940 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 3941 3942 if( rec->data_len == 0 ) 3943 { 3944 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3945 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 3946 && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 3947 { 3948 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */ 3949 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) ); 3950 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 3951 } 3952 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3953 3954 ssl->nb_zero++; 3955 3956 /* 3957 * Three or more empty messages may be a DoS attack 3958 * (excessive CPU consumption). 3959 */ 3960 if( ssl->nb_zero > 3 ) 3961 { 3962 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty " 3963 "messages, possible DoS attack" ) ); 3964 /* Treat the records as if they were not properly authenticated, 3965 * thereby failing the connection if we see more than allowed 3966 * by the configured bad MAC threshold. */ 3967 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 3968 } 3969 } 3970 else 3971 ssl->nb_zero = 0; 3972 3973 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3974 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 3975 { 3976 ; /* in_ctr read from peer, not maintained internally */ 3977 } 3978 else 3979 #endif 3980 { 3981 unsigned i; 3982 for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- ) 3983 if( ++ssl->in_ctr[i - 1] != 0 ) 3984 break; 3985 3986 /* The loop goes to its end iff the counter is wrapping */ 3987 if( i == mbedtls_ssl_ep_len( ssl ) ) 3988 { 3989 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) ); 3990 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 3991 } 3992 } 3993 3994 } 3995 3996 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 3997 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 3998 { 3999 mbedtls_ssl_dtls_replay_update( ssl ); 4000 } 4001 #endif 4002 4003 /* Check actual (decrypted) record content length against 4004 * configured maximum. */ 4005 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN ) 4006 { 4007 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 4008 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 4009 } 4010 4011 return( 0 ); 4012 } 4013 4014 /* 4015 * Read a record. 4016 * 4017 * Silently ignore non-fatal alert (and for DTLS, invalid records as well, 4018 * RFC 6347 4.1.2.7) and continue reading until a valid record is found. 4019 * 4020 */ 4021 4022 /* Helper functions for mbedtls_ssl_read_record(). */ 4023 static int ssl_consume_current_message( mbedtls_ssl_context *ssl ); 4024 static int ssl_get_next_record( mbedtls_ssl_context *ssl ); 4025 static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl ); 4026 4027 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl, 4028 unsigned update_hs_digest ) 4029 { 4030 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4031 4032 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) ); 4033 4034 if( ssl->keep_current_message == 0 ) 4035 { 4036 do { 4037 4038 ret = ssl_consume_current_message( ssl ); 4039 if( ret != 0 ) 4040 return( ret ); 4041 4042 if( ssl_record_is_in_progress( ssl ) == 0 ) 4043 { 4044 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4045 int have_buffered = 0; 4046 4047 /* We only check for buffered messages if the 4048 * current datagram is fully consumed. */ 4049 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4050 ssl_next_record_is_in_datagram( ssl ) == 0 ) 4051 { 4052 if( ssl_load_buffered_message( ssl ) == 0 ) 4053 have_buffered = 1; 4054 } 4055 4056 if( have_buffered == 0 ) 4057 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4058 { 4059 ret = ssl_get_next_record( ssl ); 4060 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ) 4061 continue; 4062 4063 if( ret != 0 ) 4064 { 4065 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret ); 4066 return( ret ); 4067 } 4068 } 4069 } 4070 4071 ret = mbedtls_ssl_handle_message_type( ssl ); 4072 4073 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4074 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) 4075 { 4076 /* Buffer future message */ 4077 ret = ssl_buffer_message( ssl ); 4078 if( ret != 0 ) 4079 return( ret ); 4080 4081 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; 4082 } 4083 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4084 4085 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret || 4086 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret ); 4087 4088 if( 0 != ret ) 4089 { 4090 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret ); 4091 return( ret ); 4092 } 4093 4094 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 4095 update_hs_digest == 1 ) 4096 { 4097 mbedtls_ssl_update_handshake_status( ssl ); 4098 } 4099 } 4100 else 4101 { 4102 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) ); 4103 ssl->keep_current_message = 0; 4104 } 4105 4106 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) ); 4107 4108 return( 0 ); 4109 } 4110 4111 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4112 static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl ) 4113 { 4114 if( ssl->in_left > ssl->next_record_offset ) 4115 return( 1 ); 4116 4117 return( 0 ); 4118 } 4119 4120 static int ssl_load_buffered_message( mbedtls_ssl_context *ssl ) 4121 { 4122 mbedtls_ssl_handshake_params * const hs = ssl->handshake; 4123 mbedtls_ssl_hs_buffer * hs_buf; 4124 int ret = 0; 4125 4126 if( hs == NULL ) 4127 return( -1 ); 4128 4129 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) ); 4130 4131 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC || 4132 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) 4133 { 4134 /* Check if we have seen a ChangeCipherSpec before. 4135 * If yes, synthesize a CCS record. */ 4136 if( !hs->buffering.seen_ccs ) 4137 { 4138 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) ); 4139 ret = -1; 4140 goto exit; 4141 } 4142 4143 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) ); 4144 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; 4145 ssl->in_msglen = 1; 4146 ssl->in_msg[0] = 1; 4147 4148 /* As long as they are equal, the exact value doesn't matter. */ 4149 ssl->in_left = 0; 4150 ssl->next_record_offset = 0; 4151 4152 hs->buffering.seen_ccs = 0; 4153 goto exit; 4154 } 4155 4156 #if defined(MBEDTLS_DEBUG_C) 4157 /* Debug only */ 4158 { 4159 unsigned offset; 4160 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ ) 4161 { 4162 hs_buf = &hs->buffering.hs[offset]; 4163 if( hs_buf->is_valid == 1 ) 4164 { 4165 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.", 4166 hs->in_msg_seq + offset, 4167 hs_buf->is_complete ? "fully" : "partially" ) ); 4168 } 4169 } 4170 } 4171 #endif /* MBEDTLS_DEBUG_C */ 4172 4173 /* Check if we have buffered and/or fully reassembled the 4174 * next handshake message. */ 4175 hs_buf = &hs->buffering.hs[0]; 4176 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) ) 4177 { 4178 /* Synthesize a record containing the buffered HS message. */ 4179 size_t msg_len = ( hs_buf->data[1] << 16 ) | 4180 ( hs_buf->data[2] << 8 ) | 4181 hs_buf->data[3]; 4182 4183 /* Double-check that we haven't accidentally buffered 4184 * a message that doesn't fit into the input buffer. */ 4185 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN ) 4186 { 4187 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 4188 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 4189 } 4190 4191 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) ); 4192 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)", 4193 hs_buf->data, msg_len + 12 ); 4194 4195 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 4196 ssl->in_hslen = msg_len + 12; 4197 ssl->in_msglen = msg_len + 12; 4198 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen ); 4199 4200 ret = 0; 4201 goto exit; 4202 } 4203 else 4204 { 4205 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered", 4206 hs->in_msg_seq ) ); 4207 } 4208 4209 ret = -1; 4210 4211 exit: 4212 4213 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) ); 4214 return( ret ); 4215 } 4216 4217 static int ssl_buffer_make_space( mbedtls_ssl_context *ssl, 4218 size_t desired ) 4219 { 4220 int offset; 4221 mbedtls_ssl_handshake_params * const hs = ssl->handshake; 4222 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available", 4223 (unsigned) desired ) ); 4224 4225 /* Get rid of future records epoch first, if such exist. */ 4226 ssl_free_buffered_record( ssl ); 4227 4228 /* Check if we have enough space available now. */ 4229 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - 4230 hs->buffering.total_bytes_buffered ) ) 4231 { 4232 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) ); 4233 return( 0 ); 4234 } 4235 4236 /* We don't have enough space to buffer the next expected handshake 4237 * message. Remove buffers used for future messages to gain space, 4238 * starting with the most distant one. */ 4239 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1; 4240 offset >= 0; offset-- ) 4241 { 4242 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message", 4243 offset ) ); 4244 4245 ssl_buffering_free_slot( ssl, (uint8_t) offset ); 4246 4247 /* Check if we have enough space available now. */ 4248 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - 4249 hs->buffering.total_bytes_buffered ) ) 4250 { 4251 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) ); 4252 return( 0 ); 4253 } 4254 } 4255 4256 return( -1 ); 4257 } 4258 4259 static int ssl_buffer_message( mbedtls_ssl_context *ssl ) 4260 { 4261 int ret = 0; 4262 mbedtls_ssl_handshake_params * const hs = ssl->handshake; 4263 4264 if( hs == NULL ) 4265 return( 0 ); 4266 4267 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) ); 4268 4269 switch( ssl->in_msgtype ) 4270 { 4271 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC: 4272 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) ); 4273 4274 hs->buffering.seen_ccs = 1; 4275 break; 4276 4277 case MBEDTLS_SSL_MSG_HANDSHAKE: 4278 { 4279 unsigned recv_msg_seq_offset; 4280 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5]; 4281 mbedtls_ssl_hs_buffer *hs_buf; 4282 size_t msg_len = ssl->in_hslen - 12; 4283 4284 /* We should never receive an old handshake 4285 * message - double-check nonetheless. */ 4286 if( recv_msg_seq < ssl->handshake->in_msg_seq ) 4287 { 4288 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 4289 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 4290 } 4291 4292 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq; 4293 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS ) 4294 { 4295 /* Silently ignore -- message too far in the future */ 4296 MBEDTLS_SSL_DEBUG_MSG( 2, 4297 ( "Ignore future HS message with sequence number %u, " 4298 "buffering window %u - %u", 4299 recv_msg_seq, ssl->handshake->in_msg_seq, 4300 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) ); 4301 4302 goto exit; 4303 } 4304 4305 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ", 4306 recv_msg_seq, recv_msg_seq_offset ) ); 4307 4308 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ]; 4309 4310 /* Check if the buffering for this seq nr has already commenced. */ 4311 if( !hs_buf->is_valid ) 4312 { 4313 size_t reassembly_buf_sz; 4314 4315 hs_buf->is_fragmented = 4316 ( ssl_hs_is_proper_fragment( ssl ) == 1 ); 4317 4318 /* We copy the message back into the input buffer 4319 * after reassembly, so check that it's not too large. 4320 * This is an implementation-specific limitation 4321 * and not one from the standard, hence it is not 4322 * checked in ssl_check_hs_header(). */ 4323 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN ) 4324 { 4325 /* Ignore message */ 4326 goto exit; 4327 } 4328 4329 /* Check if we have enough space to buffer the message. */ 4330 if( hs->buffering.total_bytes_buffered > 4331 MBEDTLS_SSL_DTLS_MAX_BUFFERING ) 4332 { 4333 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 4334 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 4335 } 4336 4337 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len, 4338 hs_buf->is_fragmented ); 4339 4340 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - 4341 hs->buffering.total_bytes_buffered ) ) 4342 { 4343 if( recv_msg_seq_offset > 0 ) 4344 { 4345 /* If we can't buffer a future message because 4346 * of space limitations -- ignore. */ 4347 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET 4348 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET 4349 " (already %" MBEDTLS_PRINTF_SIZET 4350 " bytes buffered) -- ignore\n", 4351 msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, 4352 hs->buffering.total_bytes_buffered ) ); 4353 goto exit; 4354 } 4355 else 4356 { 4357 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET 4358 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET 4359 " (already %" MBEDTLS_PRINTF_SIZET 4360 " bytes buffered) -- attempt to make space by freeing buffered future messages\n", 4361 msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, 4362 hs->buffering.total_bytes_buffered ) ); 4363 } 4364 4365 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 ) 4366 { 4367 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %" MBEDTLS_PRINTF_SIZET 4368 " (%" MBEDTLS_PRINTF_SIZET " with bitmap) would exceed" 4369 " the compile-time limit %" MBEDTLS_PRINTF_SIZET 4370 " (already %" MBEDTLS_PRINTF_SIZET 4371 " bytes buffered) -- fail\n", 4372 msg_len, 4373 reassembly_buf_sz, 4374 (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, 4375 hs->buffering.total_bytes_buffered ) ); 4376 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 4377 goto exit; 4378 } 4379 } 4380 4381 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %" MBEDTLS_PRINTF_SIZET, 4382 msg_len ) ); 4383 4384 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz ); 4385 if( hs_buf->data == NULL ) 4386 { 4387 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 4388 goto exit; 4389 } 4390 hs_buf->data_len = reassembly_buf_sz; 4391 4392 /* Prepare final header: copy msg_type, length and message_seq, 4393 * then add standardised fragment_offset and fragment_length */ 4394 memcpy( hs_buf->data, ssl->in_msg, 6 ); 4395 memset( hs_buf->data + 6, 0, 3 ); 4396 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 ); 4397 4398 hs_buf->is_valid = 1; 4399 4400 hs->buffering.total_bytes_buffered += reassembly_buf_sz; 4401 } 4402 else 4403 { 4404 /* Make sure msg_type and length are consistent */ 4405 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 ) 4406 { 4407 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) ); 4408 /* Ignore */ 4409 goto exit; 4410 } 4411 } 4412 4413 if( !hs_buf->is_complete ) 4414 { 4415 size_t frag_len, frag_off; 4416 unsigned char * const msg = hs_buf->data + 12; 4417 4418 /* 4419 * Check and copy current fragment 4420 */ 4421 4422 /* Validation of header fields already done in 4423 * mbedtls_ssl_prepare_handshake_record(). */ 4424 frag_off = ssl_get_hs_frag_off( ssl ); 4425 frag_len = ssl_get_hs_frag_len( ssl ); 4426 4427 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %" MBEDTLS_PRINTF_SIZET 4428 ", length = %" MBEDTLS_PRINTF_SIZET, 4429 frag_off, frag_len ) ); 4430 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len ); 4431 4432 if( hs_buf->is_fragmented ) 4433 { 4434 unsigned char * const bitmask = msg + msg_len; 4435 ssl_bitmask_set( bitmask, frag_off, frag_len ); 4436 hs_buf->is_complete = ( ssl_bitmask_check( bitmask, 4437 msg_len ) == 0 ); 4438 } 4439 else 4440 { 4441 hs_buf->is_complete = 1; 4442 } 4443 4444 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete", 4445 hs_buf->is_complete ? "" : "not yet " ) ); 4446 } 4447 4448 break; 4449 } 4450 4451 default: 4452 /* We don't buffer other types of messages. */ 4453 break; 4454 } 4455 4456 exit: 4457 4458 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) ); 4459 return( ret ); 4460 } 4461 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4462 4463 static int ssl_consume_current_message( mbedtls_ssl_context *ssl ) 4464 { 4465 /* 4466 * Consume last content-layer message and potentially 4467 * update in_msglen which keeps track of the contents' 4468 * consumption state. 4469 * 4470 * (1) Handshake messages: 4471 * Remove last handshake message, move content 4472 * and adapt in_msglen. 4473 * 4474 * (2) Alert messages: 4475 * Consume whole record content, in_msglen = 0. 4476 * 4477 * (3) Change cipher spec: 4478 * Consume whole record content, in_msglen = 0. 4479 * 4480 * (4) Application data: 4481 * Don't do anything - the record layer provides 4482 * the application data as a stream transport 4483 * and consumes through mbedtls_ssl_read only. 4484 * 4485 */ 4486 4487 /* Case (1): Handshake messages */ 4488 if( ssl->in_hslen != 0 ) 4489 { 4490 /* Hard assertion to be sure that no application data 4491 * is in flight, as corrupting ssl->in_msglen during 4492 * ssl->in_offt != NULL is fatal. */ 4493 if( ssl->in_offt != NULL ) 4494 { 4495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 4496 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 4497 } 4498 4499 /* 4500 * Get next Handshake message in the current record 4501 */ 4502 4503 /* Notes: 4504 * (1) in_hslen is not necessarily the size of the 4505 * current handshake content: If DTLS handshake 4506 * fragmentation is used, that's the fragment 4507 * size instead. Using the total handshake message 4508 * size here is faulty and should be changed at 4509 * some point. 4510 * (2) While it doesn't seem to cause problems, one 4511 * has to be very careful not to assume that in_hslen 4512 * is always <= in_msglen in a sensible communication. 4513 * Again, it's wrong for DTLS handshake fragmentation. 4514 * The following check is therefore mandatory, and 4515 * should not be treated as a silently corrected assertion. 4516 * Additionally, ssl->in_hslen might be arbitrarily out of 4517 * bounds after handling a DTLS message with an unexpected 4518 * sequence number, see mbedtls_ssl_prepare_handshake_record. 4519 */ 4520 if( ssl->in_hslen < ssl->in_msglen ) 4521 { 4522 ssl->in_msglen -= ssl->in_hslen; 4523 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen, 4524 ssl->in_msglen ); 4525 4526 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record", 4527 ssl->in_msg, ssl->in_msglen ); 4528 } 4529 else 4530 { 4531 ssl->in_msglen = 0; 4532 } 4533 4534 ssl->in_hslen = 0; 4535 } 4536 /* Case (4): Application data */ 4537 else if( ssl->in_offt != NULL ) 4538 { 4539 return( 0 ); 4540 } 4541 /* Everything else (CCS & Alerts) */ 4542 else 4543 { 4544 ssl->in_msglen = 0; 4545 } 4546 4547 return( 0 ); 4548 } 4549 4550 static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl ) 4551 { 4552 if( ssl->in_msglen > 0 ) 4553 return( 1 ); 4554 4555 return( 0 ); 4556 } 4557 4558 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4559 4560 static void ssl_free_buffered_record( mbedtls_ssl_context *ssl ) 4561 { 4562 mbedtls_ssl_handshake_params * const hs = ssl->handshake; 4563 if( hs == NULL ) 4564 return; 4565 4566 if( hs->buffering.future_record.data != NULL ) 4567 { 4568 hs->buffering.total_bytes_buffered -= 4569 hs->buffering.future_record.len; 4570 4571 mbedtls_free( hs->buffering.future_record.data ); 4572 hs->buffering.future_record.data = NULL; 4573 } 4574 } 4575 4576 static int ssl_load_buffered_record( mbedtls_ssl_context *ssl ) 4577 { 4578 mbedtls_ssl_handshake_params * const hs = ssl->handshake; 4579 unsigned char * rec; 4580 size_t rec_len; 4581 unsigned rec_epoch; 4582 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 4583 size_t in_buf_len = ssl->in_buf_len; 4584 #else 4585 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 4586 #endif 4587 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 4588 return( 0 ); 4589 4590 if( hs == NULL ) 4591 return( 0 ); 4592 4593 rec = hs->buffering.future_record.data; 4594 rec_len = hs->buffering.future_record.len; 4595 rec_epoch = hs->buffering.future_record.epoch; 4596 4597 if( rec == NULL ) 4598 return( 0 ); 4599 4600 /* Only consider loading future records if the 4601 * input buffer is empty. */ 4602 if( ssl_next_record_is_in_datagram( ssl ) == 1 ) 4603 return( 0 ); 4604 4605 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) ); 4606 4607 if( rec_epoch != ssl->in_epoch ) 4608 { 4609 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) ); 4610 goto exit; 4611 } 4612 4613 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) ); 4614 4615 /* Double-check that the record is not too large */ 4616 if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) ) 4617 { 4618 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 4619 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 4620 } 4621 4622 memcpy( ssl->in_hdr, rec, rec_len ); 4623 ssl->in_left = rec_len; 4624 ssl->next_record_offset = 0; 4625 4626 ssl_free_buffered_record( ssl ); 4627 4628 exit: 4629 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) ); 4630 return( 0 ); 4631 } 4632 4633 static int ssl_buffer_future_record( mbedtls_ssl_context *ssl, 4634 mbedtls_record const *rec ) 4635 { 4636 mbedtls_ssl_handshake_params * const hs = ssl->handshake; 4637 4638 /* Don't buffer future records outside handshakes. */ 4639 if( hs == NULL ) 4640 return( 0 ); 4641 4642 /* Only buffer handshake records (we are only interested 4643 * in Finished messages). */ 4644 if( rec->type != MBEDTLS_SSL_MSG_HANDSHAKE ) 4645 return( 0 ); 4646 4647 /* Don't buffer more than one future epoch record. */ 4648 if( hs->buffering.future_record.data != NULL ) 4649 return( 0 ); 4650 4651 /* Don't buffer record if there's not enough buffering space remaining. */ 4652 if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING - 4653 hs->buffering.total_bytes_buffered ) ) 4654 { 4655 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %" MBEDTLS_PRINTF_SIZET 4656 " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET 4657 " (already %" MBEDTLS_PRINTF_SIZET 4658 " bytes buffered) -- ignore\n", 4659 rec->buf_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING, 4660 hs->buffering.total_bytes_buffered ) ); 4661 return( 0 ); 4662 } 4663 4664 /* Buffer record */ 4665 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u", 4666 ssl->in_epoch + 1U ) ); 4667 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len ); 4668 4669 /* ssl_parse_record_header() only considers records 4670 * of the next epoch as candidates for buffering. */ 4671 hs->buffering.future_record.epoch = ssl->in_epoch + 1; 4672 hs->buffering.future_record.len = rec->buf_len; 4673 4674 hs->buffering.future_record.data = 4675 mbedtls_calloc( 1, hs->buffering.future_record.len ); 4676 if( hs->buffering.future_record.data == NULL ) 4677 { 4678 /* If we run out of RAM trying to buffer a 4679 * record from the next epoch, just ignore. */ 4680 return( 0 ); 4681 } 4682 4683 memcpy( hs->buffering.future_record.data, rec->buf, rec->buf_len ); 4684 4685 hs->buffering.total_bytes_buffered += rec->buf_len; 4686 return( 0 ); 4687 } 4688 4689 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4690 4691 static int ssl_get_next_record( mbedtls_ssl_context *ssl ) 4692 { 4693 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4694 mbedtls_record rec; 4695 4696 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4697 /* We might have buffered a future record; if so, 4698 * and if the epoch matches now, load it. 4699 * On success, this call will set ssl->in_left to 4700 * the length of the buffered record, so that 4701 * the calls to ssl_fetch_input() below will 4702 * essentially be no-ops. */ 4703 ret = ssl_load_buffered_record( ssl ); 4704 if( ret != 0 ) 4705 return( ret ); 4706 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4707 4708 /* Ensure that we have enough space available for the default form 4709 * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS, 4710 * with no space for CIDs counted in). */ 4711 ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) ); 4712 if( ret != 0 ) 4713 { 4714 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 4715 return( ret ); 4716 } 4717 4718 ret = ssl_parse_record_header( ssl, ssl->in_hdr, ssl->in_left, &rec ); 4719 if( ret != 0 ) 4720 { 4721 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4722 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 4723 { 4724 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE ) 4725 { 4726 ret = ssl_buffer_future_record( ssl, &rec ); 4727 if( ret != 0 ) 4728 return( ret ); 4729 4730 /* Fall through to handling of unexpected records */ 4731 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD; 4732 } 4733 4734 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ) 4735 { 4736 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C) 4737 /* Reset in pointers to default state for TLS/DTLS records, 4738 * assuming no CID and no offset between record content and 4739 * record plaintext. */ 4740 mbedtls_ssl_update_in_pointers( ssl ); 4741 4742 /* Setup internal message pointers from record structure. */ 4743 ssl->in_msgtype = rec.type; 4744 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 4745 ssl->in_len = ssl->in_cid + rec.cid_len; 4746 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 4747 ssl->in_iv = ssl->in_msg = ssl->in_len + 2; 4748 ssl->in_msglen = rec.data_len; 4749 4750 ret = ssl_check_client_reconnect( ssl ); 4751 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_client_reconnect", ret ); 4752 if( ret != 0 ) 4753 return( ret ); 4754 #endif 4755 4756 /* Skip unexpected record (but not whole datagram) */ 4757 ssl->next_record_offset = rec.buf_len; 4758 4759 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record " 4760 "(header)" ) ); 4761 } 4762 else 4763 { 4764 /* Skip invalid record and the rest of the datagram */ 4765 ssl->next_record_offset = 0; 4766 ssl->in_left = 0; 4767 4768 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record " 4769 "(header)" ) ); 4770 } 4771 4772 /* Get next record */ 4773 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); 4774 } 4775 else 4776 #endif 4777 { 4778 return( ret ); 4779 } 4780 } 4781 4782 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4783 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 4784 { 4785 /* Remember offset of next record within datagram. */ 4786 ssl->next_record_offset = rec.buf_len; 4787 if( ssl->next_record_offset < ssl->in_left ) 4788 { 4789 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) ); 4790 } 4791 } 4792 else 4793 #endif 4794 { 4795 /* 4796 * Fetch record contents from underlying transport. 4797 */ 4798 ret = mbedtls_ssl_fetch_input( ssl, rec.buf_len ); 4799 if( ret != 0 ) 4800 { 4801 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret ); 4802 return( ret ); 4803 } 4804 4805 ssl->in_left = 0; 4806 } 4807 4808 /* 4809 * Decrypt record contents. 4810 */ 4811 4812 if( ( ret = ssl_prepare_record_content( ssl, &rec ) ) != 0 ) 4813 { 4814 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4815 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 4816 { 4817 /* Silently discard invalid records */ 4818 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 4819 { 4820 /* Except when waiting for Finished as a bad mac here 4821 * probably means something went wrong in the handshake 4822 * (eg wrong psk used, mitm downgrade attempt, etc.) */ 4823 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED || 4824 ssl->state == MBEDTLS_SSL_SERVER_FINISHED ) 4825 { 4826 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 4827 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 4828 { 4829 mbedtls_ssl_send_alert_message( ssl, 4830 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 4831 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 4832 } 4833 #endif 4834 return( ret ); 4835 } 4836 4837 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT) 4838 if( ssl->conf->badmac_limit != 0 && 4839 ++ssl->badmac_seen >= ssl->conf->badmac_limit ) 4840 { 4841 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) ); 4842 return( MBEDTLS_ERR_SSL_INVALID_MAC ); 4843 } 4844 #endif 4845 4846 /* As above, invalid records cause 4847 * dismissal of the whole datagram. */ 4848 4849 ssl->next_record_offset = 0; 4850 ssl->in_left = 0; 4851 4852 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) ); 4853 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING ); 4854 } 4855 4856 return( ret ); 4857 } 4858 else 4859 #endif 4860 { 4861 /* Error out (and send alert) on invalid records */ 4862 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES) 4863 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC ) 4864 { 4865 mbedtls_ssl_send_alert_message( ssl, 4866 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 4867 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC ); 4868 } 4869 #endif 4870 return( ret ); 4871 } 4872 } 4873 4874 4875 /* Reset in pointers to default state for TLS/DTLS records, 4876 * assuming no CID and no offset between record content and 4877 * record plaintext. */ 4878 mbedtls_ssl_update_in_pointers( ssl ); 4879 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 4880 ssl->in_len = ssl->in_cid + rec.cid_len; 4881 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 4882 ssl->in_iv = ssl->in_len + 2; 4883 4884 /* The record content type may change during decryption, 4885 * so re-read it. */ 4886 ssl->in_msgtype = rec.type; 4887 /* Also update the input buffer, because unfortunately 4888 * the server-side ssl_parse_client_hello() reparses the 4889 * record header when receiving a ClientHello initiating 4890 * a renegotiation. */ 4891 ssl->in_hdr[0] = rec.type; 4892 ssl->in_msg = rec.buf + rec.data_offset; 4893 ssl->in_msglen = rec.data_len; 4894 ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 ); 4895 ssl->in_len[1] = (unsigned char)( rec.data_len ); 4896 4897 #if defined(MBEDTLS_ZLIB_SUPPORT) 4898 if( ssl->transform_in != NULL && 4899 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE ) 4900 { 4901 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 ) 4902 { 4903 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret ); 4904 return( ret ); 4905 } 4906 4907 /* Check actual (decompress) record content length against 4908 * configured maximum. */ 4909 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN ) 4910 { 4911 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) ); 4912 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 4913 } 4914 } 4915 #endif /* MBEDTLS_ZLIB_SUPPORT */ 4916 4917 return( 0 ); 4918 } 4919 4920 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl ) 4921 { 4922 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4923 4924 /* 4925 * Handle particular types of records 4926 */ 4927 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 4928 { 4929 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 ) 4930 { 4931 return( ret ); 4932 } 4933 } 4934 4935 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) 4936 { 4937 if( ssl->in_msglen != 1 ) 4938 { 4939 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %" MBEDTLS_PRINTF_SIZET, 4940 ssl->in_msglen ) ); 4941 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 4942 } 4943 4944 if( ssl->in_msg[0] != 1 ) 4945 { 4946 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x", 4947 ssl->in_msg[0] ) ); 4948 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 4949 } 4950 4951 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4952 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4953 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC && 4954 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC ) 4955 { 4956 if( ssl->handshake == NULL ) 4957 { 4958 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) ); 4959 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD ); 4960 } 4961 4962 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) ); 4963 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE ); 4964 } 4965 #endif 4966 } 4967 4968 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 4969 { 4970 if( ssl->in_msglen != 2 ) 4971 { 4972 /* Note: Standard allows for more than one 2 byte alert 4973 to be packed in a single message, but Mbed TLS doesn't 4974 currently support this. */ 4975 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %" MBEDTLS_PRINTF_SIZET, 4976 ssl->in_msglen ) ); 4977 return( MBEDTLS_ERR_SSL_INVALID_RECORD ); 4978 } 4979 4980 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%u:%u]", 4981 ssl->in_msg[0], ssl->in_msg[1] ) ); 4982 4983 /* 4984 * Ignore non-fatal alerts, except close_notify and no_renegotiation 4985 */ 4986 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL ) 4987 { 4988 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)", 4989 ssl->in_msg[1] ) ); 4990 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); 4991 } 4992 4993 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 4994 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) 4995 { 4996 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) ); 4997 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY ); 4998 } 4999 5000 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED) 5001 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 5002 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) 5003 { 5004 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) ); 5005 /* Will be handled when trying to parse ServerHello */ 5006 return( 0 ); 5007 } 5008 #endif 5009 5010 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C) 5011 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 && 5012 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 5013 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING && 5014 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT ) 5015 { 5016 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) ); 5017 /* Will be handled in mbedtls_ssl_parse_certificate() */ 5018 return( 0 ); 5019 } 5020 #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */ 5021 5022 /* Silently ignore: fetch new message */ 5023 return MBEDTLS_ERR_SSL_NON_FATAL; 5024 } 5025 5026 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5027 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 5028 { 5029 /* Drop unexpected ApplicationData records, 5030 * except at the beginning of renegotiations */ 5031 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA && 5032 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER 5033 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5034 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS && 5035 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) 5036 #endif 5037 ) 5038 { 5039 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) ); 5040 return( MBEDTLS_ERR_SSL_NON_FATAL ); 5041 } 5042 5043 if( ssl->handshake != NULL && 5044 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 5045 { 5046 mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl ); 5047 } 5048 } 5049 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5050 5051 return( 0 ); 5052 } 5053 5054 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl ) 5055 { 5056 return( mbedtls_ssl_send_alert_message( ssl, 5057 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 5058 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ); 5059 } 5060 5061 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl, 5062 unsigned char level, 5063 unsigned char message ) 5064 { 5065 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5066 5067 if( ssl == NULL || ssl->conf == NULL ) 5068 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 5069 5070 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) ); 5071 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message )); 5072 5073 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT; 5074 ssl->out_msglen = 2; 5075 ssl->out_msg[0] = level; 5076 ssl->out_msg[1] = message; 5077 5078 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 ) 5079 { 5080 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 5081 return( ret ); 5082 } 5083 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) ); 5084 5085 return( 0 ); 5086 } 5087 5088 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl ) 5089 { 5090 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5091 5092 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) ); 5093 5094 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; 5095 ssl->out_msglen = 1; 5096 ssl->out_msg[0] = 1; 5097 5098 ssl->state++; 5099 5100 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 ) 5101 { 5102 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret ); 5103 return( ret ); 5104 } 5105 5106 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) ); 5107 5108 return( 0 ); 5109 } 5110 5111 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) 5112 { 5113 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5114 5115 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) ); 5116 5117 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 5118 { 5119 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 5120 return( ret ); 5121 } 5122 5123 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC ) 5124 { 5125 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) ); 5126 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 5127 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 5128 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 5129 } 5130 5131 /* CCS records are only accepted if they have length 1 and content '1', 5132 * so we don't need to check this here. */ 5133 5134 /* 5135 * Switch to our negotiated transform and session parameters for inbound 5136 * data. 5137 */ 5138 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); 5139 ssl->transform_in = ssl->transform_negotiate; 5140 ssl->session_in = ssl->session_negotiate; 5141 5142 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5143 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 5144 { 5145 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5146 mbedtls_ssl_dtls_replay_reset( ssl ); 5147 #endif 5148 5149 /* Increment epoch */ 5150 if( ++ssl->in_epoch == 0 ) 5151 { 5152 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) ); 5153 /* This is highly unlikely to happen for legitimate reasons, so 5154 treat it as an attack and don't send an alert. */ 5155 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING ); 5156 } 5157 } 5158 else 5159 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5160 memset( ssl->in_ctr, 0, 8 ); 5161 5162 mbedtls_ssl_update_in_pointers( ssl ); 5163 5164 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL) 5165 if( mbedtls_ssl_hw_record_activate != NULL ) 5166 { 5167 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 ) 5168 { 5169 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret ); 5170 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 5171 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR ); 5172 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); 5173 } 5174 } 5175 #endif 5176 5177 ssl->state++; 5178 5179 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) ); 5180 5181 return( 0 ); 5182 } 5183 5184 /* Once ssl->out_hdr as the address of the beginning of the 5185 * next outgoing record is set, deduce the other pointers. 5186 * 5187 * Note: For TLS, we save the implicit record sequence number 5188 * (entering MAC computation) in the 8 bytes before ssl->out_hdr, 5189 * and the caller has to make sure there's space for this. 5190 */ 5191 5192 static size_t ssl_transform_get_explicit_iv_len( 5193 mbedtls_ssl_transform const *transform ) 5194 { 5195 if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ) 5196 return( 0 ); 5197 5198 return( transform->ivlen - transform->fixed_ivlen ); 5199 } 5200 5201 void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl, 5202 mbedtls_ssl_transform *transform ) 5203 { 5204 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5205 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 5206 { 5207 ssl->out_ctr = ssl->out_hdr + 3; 5208 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5209 ssl->out_cid = ssl->out_ctr + 8; 5210 ssl->out_len = ssl->out_cid; 5211 if( transform != NULL ) 5212 ssl->out_len += transform->out_cid_len; 5213 #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5214 ssl->out_len = ssl->out_ctr + 8; 5215 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5216 ssl->out_iv = ssl->out_len + 2; 5217 } 5218 else 5219 #endif 5220 { 5221 ssl->out_ctr = ssl->out_hdr - 8; 5222 ssl->out_len = ssl->out_hdr + 3; 5223 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5224 ssl->out_cid = ssl->out_len; 5225 #endif 5226 ssl->out_iv = ssl->out_hdr + 5; 5227 } 5228 5229 ssl->out_msg = ssl->out_iv; 5230 /* Adjust out_msg to make space for explicit IV, if used. */ 5231 if( transform != NULL ) 5232 ssl->out_msg += ssl_transform_get_explicit_iv_len( transform ); 5233 } 5234 5235 /* Once ssl->in_hdr as the address of the beginning of the 5236 * next incoming record is set, deduce the other pointers. 5237 * 5238 * Note: For TLS, we save the implicit record sequence number 5239 * (entering MAC computation) in the 8 bytes before ssl->in_hdr, 5240 * and the caller has to make sure there's space for this. 5241 */ 5242 5243 void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ) 5244 { 5245 /* This function sets the pointers to match the case 5246 * of unprotected TLS/DTLS records, with both ssl->in_iv 5247 * and ssl->in_msg pointing to the beginning of the record 5248 * content. 5249 * 5250 * When decrypting a protected record, ssl->in_msg 5251 * will be shifted to point to the beginning of the 5252 * record plaintext. 5253 */ 5254 5255 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5256 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 5257 { 5258 /* This sets the header pointers to match records 5259 * without CID. When we receive a record containing 5260 * a CID, the fields are shifted accordingly in 5261 * ssl_parse_record_header(). */ 5262 ssl->in_ctr = ssl->in_hdr + 3; 5263 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5264 ssl->in_cid = ssl->in_ctr + 8; 5265 ssl->in_len = ssl->in_cid; /* Default: no CID */ 5266 #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5267 ssl->in_len = ssl->in_ctr + 8; 5268 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5269 ssl->in_iv = ssl->in_len + 2; 5270 } 5271 else 5272 #endif 5273 { 5274 ssl->in_ctr = ssl->in_hdr - 8; 5275 ssl->in_len = ssl->in_hdr + 3; 5276 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5277 ssl->in_cid = ssl->in_len; 5278 #endif 5279 ssl->in_iv = ssl->in_hdr + 5; 5280 } 5281 5282 /* This will be adjusted at record decryption time. */ 5283 ssl->in_msg = ssl->in_iv; 5284 } 5285 5286 /* 5287 * Setup an SSL context 5288 */ 5289 5290 void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl ) 5291 { 5292 /* Set the incoming and outgoing record pointers. */ 5293 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5294 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 5295 { 5296 ssl->out_hdr = ssl->out_buf; 5297 ssl->in_hdr = ssl->in_buf; 5298 } 5299 else 5300 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5301 { 5302 ssl->out_hdr = ssl->out_buf + 8; 5303 ssl->in_hdr = ssl->in_buf + 8; 5304 } 5305 5306 /* Derive other internal pointers. */ 5307 mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ ); 5308 mbedtls_ssl_update_in_pointers ( ssl ); 5309 } 5310 5311 /* 5312 * SSL get accessors 5313 */ 5314 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ) 5315 { 5316 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); 5317 } 5318 5319 int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl ) 5320 { 5321 /* 5322 * Case A: We're currently holding back 5323 * a message for further processing. 5324 */ 5325 5326 if( ssl->keep_current_message == 1 ) 5327 { 5328 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) ); 5329 return( 1 ); 5330 } 5331 5332 /* 5333 * Case B: Further records are pending in the current datagram. 5334 */ 5335 5336 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5337 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 5338 ssl->in_left > ssl->next_record_offset ) 5339 { 5340 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) ); 5341 return( 1 ); 5342 } 5343 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5344 5345 /* 5346 * Case C: A handshake message is being processed. 5347 */ 5348 5349 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen ) 5350 { 5351 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) ); 5352 return( 1 ); 5353 } 5354 5355 /* 5356 * Case D: An application data message is being processed 5357 */ 5358 if( ssl->in_offt != NULL ) 5359 { 5360 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) ); 5361 return( 1 ); 5362 } 5363 5364 /* 5365 * In all other cases, the rest of the message can be dropped. 5366 * As in ssl_get_next_record, this needs to be adapted if 5367 * we implement support for multiple alerts in single records. 5368 */ 5369 5370 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) ); 5371 return( 0 ); 5372 } 5373 5374 5375 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl ) 5376 { 5377 size_t transform_expansion = 0; 5378 const mbedtls_ssl_transform *transform = ssl->transform_out; 5379 unsigned block_size; 5380 5381 size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl ); 5382 5383 if( transform == NULL ) 5384 return( (int) out_hdr_len ); 5385 5386 #if defined(MBEDTLS_ZLIB_SUPPORT) 5387 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL ) 5388 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); 5389 #endif 5390 5391 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) ) 5392 { 5393 case MBEDTLS_MODE_GCM: 5394 case MBEDTLS_MODE_CCM: 5395 case MBEDTLS_MODE_CHACHAPOLY: 5396 case MBEDTLS_MODE_STREAM: 5397 transform_expansion = transform->minlen; 5398 break; 5399 5400 case MBEDTLS_MODE_CBC: 5401 5402 block_size = mbedtls_cipher_get_block_size( 5403 &transform->cipher_ctx_enc ); 5404 5405 /* Expansion due to the addition of the MAC. */ 5406 transform_expansion += transform->maclen; 5407 5408 /* Expansion due to the addition of CBC padding; 5409 * Theoretically up to 256 bytes, but we never use 5410 * more than the block size of the underlying cipher. */ 5411 transform_expansion += block_size; 5412 5413 /* For TLS 1.1 or higher, an explicit IV is added 5414 * after the record header. */ 5415 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) 5416 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 ) 5417 transform_expansion += block_size; 5418 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */ 5419 5420 break; 5421 5422 default: 5423 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 5424 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 5425 } 5426 5427 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5428 if( transform->out_cid_len != 0 ) 5429 transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION; 5430 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5431 5432 return( (int)( out_hdr_len + transform_expansion ) ); 5433 } 5434 5435 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5436 /* 5437 * Check record counters and renegotiate if they're above the limit. 5438 */ 5439 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl ) 5440 { 5441 size_t ep_len = mbedtls_ssl_ep_len( ssl ); 5442 int in_ctr_cmp; 5443 int out_ctr_cmp; 5444 5445 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER || 5446 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING || 5447 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ) 5448 { 5449 return( 0 ); 5450 } 5451 5452 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len, 5453 ssl->conf->renego_period + ep_len, 8 - ep_len ); 5454 out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len, 5455 ssl->conf->renego_period + ep_len, 8 - ep_len ); 5456 5457 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 ) 5458 { 5459 return( 0 ); 5460 } 5461 5462 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) ); 5463 return( mbedtls_ssl_renegotiate( ssl ) ); 5464 } 5465 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 5466 5467 /* 5468 * Receive application data decrypted from the SSL layer 5469 */ 5470 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len ) 5471 { 5472 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5473 size_t n; 5474 5475 if( ssl == NULL || ssl->conf == NULL ) 5476 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 5477 5478 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) ); 5479 5480 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5481 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 5482 { 5483 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 5484 return( ret ); 5485 5486 if( ssl->handshake != NULL && 5487 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING ) 5488 { 5489 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 ) 5490 return( ret ); 5491 } 5492 } 5493 #endif 5494 5495 /* 5496 * Check if renegotiation is necessary and/or handshake is 5497 * in process. If yes, perform/continue, and fall through 5498 * if an unexpected packet is received while the client 5499 * is waiting for the ServerHello. 5500 * 5501 * (There is no equivalent to the last condition on 5502 * the server-side as it is not treated as within 5503 * a handshake while waiting for the ClientHello 5504 * after a renegotiation request.) 5505 */ 5506 5507 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5508 ret = ssl_check_ctr_renegotiate( ssl ); 5509 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 5510 ret != 0 ) 5511 { 5512 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 5513 return( ret ); 5514 } 5515 #endif 5516 5517 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 5518 { 5519 ret = mbedtls_ssl_handshake( ssl ); 5520 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 5521 ret != 0 ) 5522 { 5523 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 5524 return( ret ); 5525 } 5526 } 5527 5528 /* Loop as long as no application data record is available */ 5529 while( ssl->in_offt == NULL ) 5530 { 5531 /* Start timer if not already running */ 5532 if( ssl->f_get_timer != NULL && 5533 ssl->f_get_timer( ssl->p_timer ) == -1 ) 5534 { 5535 mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout ); 5536 } 5537 5538 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 5539 { 5540 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 5541 return( 0 ); 5542 5543 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 5544 return( ret ); 5545 } 5546 5547 if( ssl->in_msglen == 0 && 5548 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA ) 5549 { 5550 /* 5551 * OpenSSL sends empty messages to randomize the IV 5552 */ 5553 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 ) 5554 { 5555 if( ret == MBEDTLS_ERR_SSL_CONN_EOF ) 5556 return( 0 ); 5557 5558 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret ); 5559 return( ret ); 5560 } 5561 } 5562 5563 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE ) 5564 { 5565 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) ); 5566 5567 /* 5568 * - For client-side, expect SERVER_HELLO_REQUEST. 5569 * - For server-side, expect CLIENT_HELLO. 5570 * - Fail (TLS) or silently drop record (DTLS) in other cases. 5571 */ 5572 5573 #if defined(MBEDTLS_SSL_CLI_C) 5574 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 5575 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST || 5576 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) ) 5577 { 5578 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) ); 5579 5580 /* With DTLS, drop the packet (probably from last handshake) */ 5581 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5582 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 5583 { 5584 continue; 5585 } 5586 #endif 5587 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 5588 } 5589 #endif /* MBEDTLS_SSL_CLI_C */ 5590 5591 #if defined(MBEDTLS_SSL_SRV_C) 5592 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 5593 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) 5594 { 5595 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) ); 5596 5597 /* With DTLS, drop the packet (probably from last handshake) */ 5598 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5599 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 5600 { 5601 continue; 5602 } 5603 #endif 5604 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 5605 } 5606 #endif /* MBEDTLS_SSL_SRV_C */ 5607 5608 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5609 /* Determine whether renegotiation attempt should be accepted */ 5610 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED || 5611 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION && 5612 ssl->conf->allow_legacy_renegotiation == 5613 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) ) 5614 { 5615 /* 5616 * Accept renegotiation request 5617 */ 5618 5619 /* DTLS clients need to know renego is server-initiated */ 5620 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5621 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 5622 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) 5623 { 5624 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 5625 } 5626 #endif 5627 ret = mbedtls_ssl_start_renegotiation( ssl ); 5628 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO && 5629 ret != 0 ) 5630 { 5631 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation", 5632 ret ); 5633 return( ret ); 5634 } 5635 } 5636 else 5637 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 5638 { 5639 /* 5640 * Refuse renegotiation 5641 */ 5642 5643 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) ); 5644 5645 #if defined(MBEDTLS_SSL_PROTO_SSL3) 5646 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) 5647 { 5648 /* SSLv3 does not have a "no_renegotiation" warning, so 5649 we send a fatal alert and abort the connection. */ 5650 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 5651 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE ); 5652 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 5653 } 5654 else 5655 #endif /* MBEDTLS_SSL_PROTO_SSL3 */ 5656 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \ 5657 defined(MBEDTLS_SSL_PROTO_TLS1_2) 5658 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 ) 5659 { 5660 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 5661 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 5662 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 ) 5663 { 5664 return( ret ); 5665 } 5666 } 5667 else 5668 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || 5669 MBEDTLS_SSL_PROTO_TLS1_2 */ 5670 { 5671 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); 5672 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); 5673 } 5674 } 5675 5676 /* At this point, we don't know whether the renegotiation has been 5677 * completed or not. The cases to consider are the following: 5678 * 1) The renegotiation is complete. In this case, no new record 5679 * has been read yet. 5680 * 2) The renegotiation is incomplete because the client received 5681 * an application data record while awaiting the ServerHello. 5682 * 3) The renegotiation is incomplete because the client received 5683 * a non-handshake, non-application data message while awaiting 5684 * the ServerHello. 5685 * In each of these case, looping will be the proper action: 5686 * - For 1), the next iteration will read a new record and check 5687 * if it's application data. 5688 * - For 2), the loop condition isn't satisfied as application data 5689 * is present, hence continue is the same as break 5690 * - For 3), the loop condition is satisfied and read_record 5691 * will re-deliver the message that was held back by the client 5692 * when expecting the ServerHello. 5693 */ 5694 continue; 5695 } 5696 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5697 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 5698 { 5699 if( ssl->conf->renego_max_records >= 0 ) 5700 { 5701 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records ) 5702 { 5703 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, " 5704 "but not honored by client" ) ); 5705 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 5706 } 5707 } 5708 } 5709 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 5710 5711 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */ 5712 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT ) 5713 { 5714 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) ); 5715 return( MBEDTLS_ERR_SSL_WANT_READ ); 5716 } 5717 5718 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA ) 5719 { 5720 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) ); 5721 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE ); 5722 } 5723 5724 ssl->in_offt = ssl->in_msg; 5725 5726 /* We're going to return something now, cancel timer, 5727 * except if handshake (renegotiation) is in progress */ 5728 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 5729 mbedtls_ssl_set_timer( ssl, 0 ); 5730 5731 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5732 /* If we requested renego but received AppData, resend HelloRequest. 5733 * Do it now, after setting in_offt, to avoid taking this branch 5734 * again if ssl_write_hello_request() returns WANT_WRITE */ 5735 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 5736 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && 5737 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ) 5738 { 5739 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 ) 5740 { 5741 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request", 5742 ret ); 5743 return( ret ); 5744 } 5745 } 5746 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 5747 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5748 } 5749 5750 n = ( len < ssl->in_msglen ) 5751 ? len : ssl->in_msglen; 5752 5753 memcpy( buf, ssl->in_offt, n ); 5754 ssl->in_msglen -= n; 5755 5756 /* Zeroising the plaintext buffer to erase unused application data 5757 from the memory. */ 5758 mbedtls_platform_zeroize( ssl->in_offt, n ); 5759 5760 if( ssl->in_msglen == 0 ) 5761 { 5762 /* all bytes consumed */ 5763 ssl->in_offt = NULL; 5764 ssl->keep_current_message = 0; 5765 } 5766 else 5767 { 5768 /* more data available */ 5769 ssl->in_offt += n; 5770 } 5771 5772 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) ); 5773 5774 return( (int) n ); 5775 } 5776 5777 /* 5778 * Send application data to be encrypted by the SSL layer, taking care of max 5779 * fragment length and buffer size. 5780 * 5781 * According to RFC 5246 Section 6.2.1: 5782 * 5783 * Zero-length fragments of Application data MAY be sent as they are 5784 * potentially useful as a traffic analysis countermeasure. 5785 * 5786 * Therefore, it is possible that the input message length is 0 and the 5787 * corresponding return code is 0 on success. 5788 */ 5789 static int ssl_write_real( mbedtls_ssl_context *ssl, 5790 const unsigned char *buf, size_t len ) 5791 { 5792 int ret = mbedtls_ssl_get_max_out_record_payload( ssl ); 5793 const size_t max_len = (size_t) ret; 5794 5795 if( ret < 0 ) 5796 { 5797 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret ); 5798 return( ret ); 5799 } 5800 5801 if( len > max_len ) 5802 { 5803 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5804 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 5805 { 5806 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) " 5807 "maximum fragment length: %" MBEDTLS_PRINTF_SIZET 5808 " > %" MBEDTLS_PRINTF_SIZET, 5809 len, max_len ) ); 5810 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 5811 } 5812 else 5813 #endif 5814 len = max_len; 5815 } 5816 5817 if( ssl->out_left != 0 ) 5818 { 5819 /* 5820 * The user has previously tried to send the data and 5821 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially 5822 * written. In this case, we expect the high-level write function 5823 * (e.g. mbedtls_ssl_write()) to be called with the same parameters 5824 */ 5825 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 ) 5826 { 5827 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret ); 5828 return( ret ); 5829 } 5830 } 5831 else 5832 { 5833 /* 5834 * The user is trying to send a message the first time, so we need to 5835 * copy the data into the internal buffers and setup the data structure 5836 * to keep track of partial writes 5837 */ 5838 ssl->out_msglen = len; 5839 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA; 5840 memcpy( ssl->out_msg, buf, len ); 5841 5842 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 ) 5843 { 5844 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret ); 5845 return( ret ); 5846 } 5847 } 5848 5849 return( (int) len ); 5850 } 5851 5852 /* 5853 * Write application data, doing 1/n-1 splitting if necessary. 5854 * 5855 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE, 5856 * then the caller will call us again with the same arguments, so 5857 * remember whether we already did the split or not. 5858 */ 5859 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 5860 static int ssl_write_split( mbedtls_ssl_context *ssl, 5861 const unsigned char *buf, size_t len ) 5862 { 5863 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5864 5865 if( ssl->conf->cbc_record_splitting == 5866 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED || 5867 len <= 1 || 5868 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 || 5869 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc ) 5870 != MBEDTLS_MODE_CBC ) 5871 { 5872 return( ssl_write_real( ssl, buf, len ) ); 5873 } 5874 5875 if( ssl->split_done == 0 ) 5876 { 5877 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 ) 5878 return( ret ); 5879 ssl->split_done = 1; 5880 } 5881 5882 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 ) 5883 return( ret ); 5884 ssl->split_done = 0; 5885 5886 return( ret + 1 ); 5887 } 5888 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */ 5889 5890 /* 5891 * Write application data (public-facing wrapper) 5892 */ 5893 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len ) 5894 { 5895 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5896 5897 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) ); 5898 5899 if( ssl == NULL || ssl->conf == NULL ) 5900 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 5901 5902 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5903 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 ) 5904 { 5905 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret ); 5906 return( ret ); 5907 } 5908 #endif 5909 5910 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ) 5911 { 5912 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 ) 5913 { 5914 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret ); 5915 return( ret ); 5916 } 5917 } 5918 5919 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) 5920 ret = ssl_write_split( ssl, buf, len ); 5921 #else 5922 ret = ssl_write_real( ssl, buf, len ); 5923 #endif 5924 5925 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) ); 5926 5927 return( ret ); 5928 } 5929 5930 /* 5931 * Notify the peer that the connection is being closed 5932 */ 5933 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl ) 5934 { 5935 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5936 5937 if( ssl == NULL || ssl->conf == NULL ) 5938 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); 5939 5940 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) ); 5941 5942 if( ssl->out_left != 0 ) 5943 return( mbedtls_ssl_flush_output( ssl ) ); 5944 5945 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER ) 5946 { 5947 if( ( ret = mbedtls_ssl_send_alert_message( ssl, 5948 MBEDTLS_SSL_ALERT_LEVEL_WARNING, 5949 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 ) 5950 { 5951 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret ); 5952 return( ret ); 5953 } 5954 } 5955 5956 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) ); 5957 5958 return( 0 ); 5959 } 5960 5961 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform ) 5962 { 5963 if( transform == NULL ) 5964 return; 5965 5966 #if defined(MBEDTLS_ZLIB_SUPPORT) 5967 deflateEnd( &transform->ctx_deflate ); 5968 inflateEnd( &transform->ctx_inflate ); 5969 #endif 5970 5971 mbedtls_cipher_free( &transform->cipher_ctx_enc ); 5972 mbedtls_cipher_free( &transform->cipher_ctx_dec ); 5973 5974 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) 5975 mbedtls_md_free( &transform->md_ctx_enc ); 5976 mbedtls_md_free( &transform->md_ctx_dec ); 5977 #endif 5978 5979 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) ); 5980 } 5981 5982 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5983 5984 void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl ) 5985 { 5986 unsigned offset; 5987 mbedtls_ssl_handshake_params * const hs = ssl->handshake; 5988 5989 if( hs == NULL ) 5990 return; 5991 5992 ssl_free_buffered_record( ssl ); 5993 5994 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ ) 5995 ssl_buffering_free_slot( ssl, offset ); 5996 } 5997 5998 static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl, 5999 uint8_t slot ) 6000 { 6001 mbedtls_ssl_handshake_params * const hs = ssl->handshake; 6002 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot]; 6003 6004 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS ) 6005 return; 6006 6007 if( hs_buf->is_valid == 1 ) 6008 { 6009 hs->buffering.total_bytes_buffered -= hs_buf->data_len; 6010 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len ); 6011 mbedtls_free( hs_buf->data ); 6012 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) ); 6013 } 6014 } 6015 6016 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 6017 6018 /* 6019 * Convert version numbers to/from wire format 6020 * and, for DTLS, to/from TLS equivalent. 6021 * 6022 * For TLS this is the identity. 6023 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows: 6024 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1) 6025 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2) 6026 */ 6027 void mbedtls_ssl_write_version( int major, int minor, int transport, 6028 unsigned char ver[2] ) 6029 { 6030 #if defined(MBEDTLS_SSL_PROTO_DTLS) 6031 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 6032 { 6033 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 ) 6034 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 6035 6036 ver[0] = (unsigned char)( 255 - ( major - 2 ) ); 6037 ver[1] = (unsigned char)( 255 - ( minor - 1 ) ); 6038 } 6039 else 6040 #else 6041 ((void) transport); 6042 #endif 6043 { 6044 ver[0] = (unsigned char) major; 6045 ver[1] = (unsigned char) minor; 6046 } 6047 } 6048 6049 void mbedtls_ssl_read_version( int *major, int *minor, int transport, 6050 const unsigned char ver[2] ) 6051 { 6052 #if defined(MBEDTLS_SSL_PROTO_DTLS) 6053 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) 6054 { 6055 *major = 255 - ver[0] + 2; 6056 *minor = 255 - ver[1] + 1; 6057 6058 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 ) 6059 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */ 6060 } 6061 else 6062 #else 6063 ((void) transport); 6064 #endif 6065 { 6066 *major = ver[0]; 6067 *minor = ver[1]; 6068 } 6069 } 6070 6071 #endif /* MBEDTLS_SSL_TLS_C */ 6072