1 /* 2 * TLS shared functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 6 * 7 * Licensed under the Apache License, Version 2.0 (the "License"); you may 8 * not use this file except in compliance with the License. 9 * You may obtain a copy of the License at 10 * 11 * http://www.apache.org/licenses/LICENSE-2.0 12 * 13 * Unless required by applicable law or agreed to in writing, software 14 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 15 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 * See the License for the specific language governing permissions and 17 * limitations under the License. 18 */ 19 /* 20 * http://www.ietf.org/rfc/rfc2246.txt 21 * http://www.ietf.org/rfc/rfc4346.txt 22 */ 23 24 #include "common.h" 25 26 #if defined(MBEDTLS_SSL_TLS_C) 27 28 #include "mbedtls/platform.h" 29 30 #include "mbedtls/ssl.h" 31 #include "ssl_client.h" 32 #include "ssl_debug_helpers.h" 33 #include "ssl_misc.h" 34 35 #include "mbedtls/debug.h" 36 #include "mbedtls/error.h" 37 #include "mbedtls/platform_util.h" 38 #include "mbedtls/version.h" 39 #include "mbedtls/constant_time.h" 40 41 #include <string.h> 42 43 #if defined(MBEDTLS_USE_PSA_CRYPTO) 44 #include "mbedtls/psa_util.h" 45 #include "psa/crypto.h" 46 #endif 47 #include "mbedtls/legacy_or_psa.h" 48 49 #if defined(MBEDTLS_X509_CRT_PARSE_C) 50 #include "mbedtls/oid.h" 51 #endif 52 53 #if defined(MBEDTLS_USE_PSA_CRYPTO) 54 #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ 55 psa_to_ssl_errors, \ 56 psa_generic_status_to_mbedtls) 57 #define PSA_TO_MD_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ 58 psa_to_md_errors, \ 59 psa_generic_status_to_mbedtls) 60 #endif 61 62 #if defined(MBEDTLS_TEST_HOOKS) 63 static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args; 64 65 void mbedtls_ssl_set_chk_buf_ptr_fail_args( 66 const uint8_t *cur, const uint8_t *end, size_t need) 67 { 68 chk_buf_ptr_fail_args.cur = cur; 69 chk_buf_ptr_fail_args.end = end; 70 chk_buf_ptr_fail_args.need = need; 71 } 72 73 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void) 74 { 75 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args)); 76 } 77 78 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args) 79 { 80 return (chk_buf_ptr_fail_args.cur != args->cur) || 81 (chk_buf_ptr_fail_args.end != args->end) || 82 (chk_buf_ptr_fail_args.need != args->need); 83 } 84 #endif /* MBEDTLS_TEST_HOOKS */ 85 86 #if defined(MBEDTLS_SSL_PROTO_DTLS) 87 88 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 89 /* Top-level Connection ID API */ 90 91 int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, 92 size_t len, 93 int ignore_other_cid) 94 { 95 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) { 96 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 97 } 98 99 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL && 100 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) { 101 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 102 } 103 104 conf->ignore_unexpected_cid = ignore_other_cid; 105 conf->cid_len = len; 106 return 0; 107 } 108 109 int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl, 110 int enable, 111 unsigned char const *own_cid, 112 size_t own_cid_len) 113 { 114 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 115 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 116 } 117 118 ssl->negotiate_cid = enable; 119 if (enable == MBEDTLS_SSL_CID_DISABLED) { 120 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension.")); 121 return 0; 122 } 123 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension.")); 124 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len); 125 126 if (own_cid_len != ssl->conf->cid_len) { 127 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config", 128 (unsigned) own_cid_len, 129 (unsigned) ssl->conf->cid_len)); 130 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 131 } 132 133 memcpy(ssl->own_cid, own_cid, own_cid_len); 134 /* Truncation is not an issue here because 135 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */ 136 ssl->own_cid_len = (uint8_t) own_cid_len; 137 138 return 0; 139 } 140 141 int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl, 142 int *enabled, 143 unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX], 144 size_t *own_cid_len) 145 { 146 *enabled = MBEDTLS_SSL_CID_DISABLED; 147 148 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 149 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 150 } 151 152 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is 153 * zero as this is indistinguishable from not requesting to use 154 * the CID extension. */ 155 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { 156 return 0; 157 } 158 159 if (own_cid_len != NULL) { 160 *own_cid_len = ssl->own_cid_len; 161 if (own_cid != NULL) { 162 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len); 163 } 164 } 165 166 *enabled = MBEDTLS_SSL_CID_ENABLED; 167 168 return 0; 169 } 170 171 int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl, 172 int *enabled, 173 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX], 174 size_t *peer_cid_len) 175 { 176 *enabled = MBEDTLS_SSL_CID_DISABLED; 177 178 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 179 mbedtls_ssl_is_handshake_over(ssl) == 0) { 180 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 181 } 182 183 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions 184 * were used, but client and server requested the empty CID. 185 * This is indistinguishable from not using the CID extension 186 * in the first place. */ 187 if (ssl->transform_in->in_cid_len == 0 && 188 ssl->transform_in->out_cid_len == 0) { 189 return 0; 190 } 191 192 if (peer_cid_len != NULL) { 193 *peer_cid_len = ssl->transform_in->out_cid_len; 194 if (peer_cid != NULL) { 195 memcpy(peer_cid, ssl->transform_in->out_cid, 196 ssl->transform_in->out_cid_len); 197 } 198 } 199 200 *enabled = MBEDTLS_SSL_CID_ENABLED; 201 202 return 0; 203 } 204 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 205 206 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 207 208 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 209 /* 210 * Convert max_fragment_length codes to length. 211 * RFC 6066 says: 212 * enum{ 213 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) 214 * } MaxFragmentLength; 215 * and we add 0 -> extension unused 216 */ 217 static unsigned int ssl_mfl_code_to_length(int mfl) 218 { 219 switch (mfl) { 220 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE: 221 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN; 222 case MBEDTLS_SSL_MAX_FRAG_LEN_512: 223 return 512; 224 case MBEDTLS_SSL_MAX_FRAG_LEN_1024: 225 return 1024; 226 case MBEDTLS_SSL_MAX_FRAG_LEN_2048: 227 return 2048; 228 case MBEDTLS_SSL_MAX_FRAG_LEN_4096: 229 return 4096; 230 default: 231 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN; 232 } 233 } 234 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 235 236 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst, 237 const mbedtls_ssl_session *src) 238 { 239 mbedtls_ssl_session_free(dst); 240 memcpy(dst, src, sizeof(mbedtls_ssl_session)); 241 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 242 dst->ticket = NULL; 243 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 244 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 245 dst->hostname = NULL; 246 #endif 247 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 248 249 #if defined(MBEDTLS_X509_CRT_PARSE_C) 250 251 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 252 if (src->peer_cert != NULL) { 253 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 254 255 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 256 if (dst->peer_cert == NULL) { 257 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 258 } 259 260 mbedtls_x509_crt_init(dst->peer_cert); 261 262 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p, 263 src->peer_cert->raw.len)) != 0) { 264 mbedtls_free(dst->peer_cert); 265 dst->peer_cert = NULL; 266 return ret; 267 } 268 } 269 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 270 if (src->peer_cert_digest != NULL) { 271 dst->peer_cert_digest = 272 mbedtls_calloc(1, src->peer_cert_digest_len); 273 if (dst->peer_cert_digest == NULL) { 274 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 275 } 276 277 memcpy(dst->peer_cert_digest, src->peer_cert_digest, 278 src->peer_cert_digest_len); 279 dst->peer_cert_digest_type = src->peer_cert_digest_type; 280 dst->peer_cert_digest_len = src->peer_cert_digest_len; 281 } 282 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 283 284 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 285 286 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 287 if (src->ticket != NULL) { 288 dst->ticket = mbedtls_calloc(1, src->ticket_len); 289 if (dst->ticket == NULL) { 290 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 291 } 292 293 memcpy(dst->ticket, src->ticket, src->ticket_len); 294 } 295 296 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 297 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 298 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) { 299 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 300 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname); 301 if (ret != 0) { 302 return ret; 303 } 304 } 305 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && 306 MBEDTLS_SSL_SERVER_NAME_INDICATION */ 307 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 308 309 return 0; 310 } 311 312 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 313 MBEDTLS_CHECK_RETURN_CRITICAL 314 static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old) 315 { 316 unsigned char *resized_buffer = mbedtls_calloc(1, len_new); 317 if (resized_buffer == NULL) { 318 return -1; 319 } 320 321 /* We want to copy len_new bytes when downsizing the buffer, and 322 * len_old bytes when upsizing, so we choose the smaller of two sizes, 323 * to fit one buffer into another. Size checks, ensuring that no data is 324 * lost, are done outside of this function. */ 325 memcpy(resized_buffer, *buffer, 326 (len_new < *len_old) ? len_new : *len_old); 327 mbedtls_platform_zeroize(*buffer, *len_old); 328 mbedtls_free(*buffer); 329 330 *buffer = resized_buffer; 331 *len_old = len_new; 332 333 return 0; 334 } 335 336 static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing, 337 size_t in_buf_new_len, 338 size_t out_buf_new_len) 339 { 340 int modified = 0; 341 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0; 342 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0; 343 if (ssl->in_buf != NULL) { 344 written_in = ssl->in_msg - ssl->in_buf; 345 iv_offset_in = ssl->in_iv - ssl->in_buf; 346 len_offset_in = ssl->in_len - ssl->in_buf; 347 if (downsizing ? 348 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len : 349 ssl->in_buf_len < in_buf_new_len) { 350 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) { 351 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory")); 352 } else { 353 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET, 354 in_buf_new_len)); 355 modified = 1; 356 } 357 } 358 } 359 360 if (ssl->out_buf != NULL) { 361 written_out = ssl->out_msg - ssl->out_buf; 362 iv_offset_out = ssl->out_iv - ssl->out_buf; 363 len_offset_out = ssl->out_len - ssl->out_buf; 364 if (downsizing ? 365 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len : 366 ssl->out_buf_len < out_buf_new_len) { 367 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) { 368 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory")); 369 } else { 370 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET, 371 out_buf_new_len)); 372 modified = 1; 373 } 374 } 375 } 376 if (modified) { 377 /* Update pointers here to avoid doing it twice. */ 378 mbedtls_ssl_reset_in_out_pointers(ssl); 379 /* Fields below might not be properly updated with record 380 * splitting or with CID, so they are manually updated here. */ 381 ssl->out_msg = ssl->out_buf + written_out; 382 ssl->out_len = ssl->out_buf + len_offset_out; 383 ssl->out_iv = ssl->out_buf + iv_offset_out; 384 385 ssl->in_msg = ssl->in_buf + written_in; 386 ssl->in_len = ssl->in_buf + len_offset_in; 387 ssl->in_iv = ssl->in_buf + iv_offset_in; 388 } 389 } 390 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ 391 392 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 393 394 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 395 typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen, 396 const char *label, 397 const unsigned char *random, size_t rlen, 398 unsigned char *dstbuf, size_t dlen); 399 400 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id); 401 402 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 403 404 /* Type for the TLS PRF */ 405 typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *, 406 const unsigned char *, size_t, 407 unsigned char *, size_t); 408 409 MBEDTLS_CHECK_RETURN_CRITICAL 410 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, 411 int ciphersuite, 412 const unsigned char master[48], 413 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 414 int encrypt_then_mac, 415 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 416 ssl_tls_prf_t tls_prf, 417 const unsigned char randbytes[64], 418 mbedtls_ssl_protocol_version tls_version, 419 unsigned endpoint, 420 const mbedtls_ssl_context *ssl); 421 422 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 423 MBEDTLS_CHECK_RETURN_CRITICAL 424 static int tls_prf_sha256(const unsigned char *secret, size_t slen, 425 const char *label, 426 const unsigned char *random, size_t rlen, 427 unsigned char *dstbuf, size_t dlen); 428 static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *); 429 static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int); 430 431 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 432 433 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 434 MBEDTLS_CHECK_RETURN_CRITICAL 435 static int tls_prf_sha384(const unsigned char *secret, size_t slen, 436 const char *label, 437 const unsigned char *random, size_t rlen, 438 unsigned char *dstbuf, size_t dlen); 439 440 static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *); 441 static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int); 442 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 443 444 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, 445 unsigned char *buf, 446 size_t buf_len); 447 448 MBEDTLS_CHECK_RETURN_CRITICAL 449 static int ssl_tls12_session_load(mbedtls_ssl_session *session, 450 const unsigned char *buf, 451 size_t len); 452 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 453 454 static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t); 455 456 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 457 static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t); 458 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 459 460 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 461 static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t); 462 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 463 464 int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, 465 const unsigned char *secret, size_t slen, 466 const char *label, 467 const unsigned char *random, size_t rlen, 468 unsigned char *dstbuf, size_t dlen) 469 { 470 mbedtls_ssl_tls_prf_cb *tls_prf = NULL; 471 472 switch (prf) { 473 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 474 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 475 case MBEDTLS_SSL_TLS_PRF_SHA384: 476 tls_prf = tls_prf_sha384; 477 break; 478 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 479 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 480 case MBEDTLS_SSL_TLS_PRF_SHA256: 481 tls_prf = tls_prf_sha256; 482 break; 483 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 484 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 485 default: 486 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 487 } 488 489 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen); 490 } 491 492 #if defined(MBEDTLS_X509_CRT_PARSE_C) 493 static void ssl_clear_peer_cert(mbedtls_ssl_session *session) 494 { 495 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 496 if (session->peer_cert != NULL) { 497 mbedtls_x509_crt_free(session->peer_cert); 498 mbedtls_free(session->peer_cert); 499 session->peer_cert = NULL; 500 } 501 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 502 if (session->peer_cert_digest != NULL) { 503 /* Zeroization is not necessary. */ 504 mbedtls_free(session->peer_cert_digest); 505 session->peer_cert_digest = NULL; 506 session->peer_cert_digest_type = MBEDTLS_MD_NONE; 507 session->peer_cert_digest_len = 0; 508 } 509 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 510 } 511 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 512 513 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type) 514 { 515 switch (extension_type) { 516 case MBEDTLS_TLS_EXT_SERVERNAME: 517 return MBEDTLS_SSL_EXT_ID_SERVERNAME; 518 519 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 520 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH; 521 522 case MBEDTLS_TLS_EXT_STATUS_REQUEST: 523 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST; 524 525 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: 526 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS; 527 528 case MBEDTLS_TLS_EXT_SIG_ALG: 529 return MBEDTLS_SSL_EXT_ID_SIG_ALG; 530 531 case MBEDTLS_TLS_EXT_USE_SRTP: 532 return MBEDTLS_SSL_EXT_ID_USE_SRTP; 533 534 case MBEDTLS_TLS_EXT_HEARTBEAT: 535 return MBEDTLS_SSL_EXT_ID_HEARTBEAT; 536 537 case MBEDTLS_TLS_EXT_ALPN: 538 return MBEDTLS_SSL_EXT_ID_ALPN; 539 540 case MBEDTLS_TLS_EXT_SCT: 541 return MBEDTLS_SSL_EXT_ID_SCT; 542 543 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: 544 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE; 545 546 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: 547 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE; 548 549 case MBEDTLS_TLS_EXT_PADDING: 550 return MBEDTLS_SSL_EXT_ID_PADDING; 551 552 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: 553 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY; 554 555 case MBEDTLS_TLS_EXT_EARLY_DATA: 556 return MBEDTLS_SSL_EXT_ID_EARLY_DATA; 557 558 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: 559 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS; 560 561 case MBEDTLS_TLS_EXT_COOKIE: 562 return MBEDTLS_SSL_EXT_ID_COOKIE; 563 564 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: 565 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES; 566 567 case MBEDTLS_TLS_EXT_CERT_AUTH: 568 return MBEDTLS_SSL_EXT_ID_CERT_AUTH; 569 570 case MBEDTLS_TLS_EXT_OID_FILTERS: 571 return MBEDTLS_SSL_EXT_ID_OID_FILTERS; 572 573 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: 574 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH; 575 576 case MBEDTLS_TLS_EXT_SIG_ALG_CERT: 577 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT; 578 579 case MBEDTLS_TLS_EXT_KEY_SHARE: 580 return MBEDTLS_SSL_EXT_ID_KEY_SHARE; 581 582 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 583 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC; 584 585 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 586 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS; 587 588 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 589 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC; 590 591 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 592 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET; 593 594 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT: 595 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT; 596 597 case MBEDTLS_TLS_EXT_SESSION_TICKET: 598 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET; 599 600 } 601 602 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED; 603 } 604 605 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type) 606 { 607 return 1 << mbedtls_ssl_get_extension_id(extension_type); 608 } 609 610 #if defined(MBEDTLS_DEBUG_C) 611 static const char *extension_name_table[] = { 612 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized", 613 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name", 614 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length", 615 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request", 616 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups", 617 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms", 618 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp", 619 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat", 620 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation", 621 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp", 622 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type", 623 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type", 624 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding", 625 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key", 626 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data", 627 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions", 628 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie", 629 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes", 630 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities", 631 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters", 632 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth", 633 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert", 634 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share", 635 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac", 636 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats", 637 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac", 638 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret", 639 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket", 640 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit" 641 }; 642 643 static unsigned int extension_type_table[] = { 644 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff, 645 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME, 646 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, 647 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST, 648 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, 649 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG, 650 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP, 651 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT, 652 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN, 653 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT, 654 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE, 655 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE, 656 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING, 657 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY, 658 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA, 659 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, 660 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE, 661 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, 662 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH, 663 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS, 664 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH, 665 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT, 666 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE, 667 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC, 668 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, 669 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, 670 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, 671 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET, 672 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT 673 }; 674 675 const char *mbedtls_ssl_get_extension_name(unsigned int extension_type) 676 { 677 return extension_name_table[ 678 mbedtls_ssl_get_extension_id(extension_type)]; 679 } 680 681 static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type) 682 { 683 switch (hs_msg_type) { 684 case MBEDTLS_SSL_HS_CLIENT_HELLO: 685 return "ClientHello"; 686 case MBEDTLS_SSL_HS_SERVER_HELLO: 687 return "ServerHello"; 688 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST: 689 return "HelloRetryRequest"; 690 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET: 691 return "NewSessionTicket"; 692 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: 693 return "EncryptedExtensions"; 694 case MBEDTLS_SSL_HS_CERTIFICATE: 695 return "Certificate"; 696 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST: 697 return "CertificateRequest"; 698 } 699 return "Unknown"; 700 } 701 702 void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl, 703 int level, const char *file, int line, 704 int hs_msg_type, unsigned int extension_type, 705 const char *extra_msg0, const char *extra_msg1) 706 { 707 const char *extra_msg; 708 if (extra_msg0 && extra_msg1) { 709 mbedtls_debug_print_msg( 710 ssl, level, file, line, 711 "%s: %s(%u) extension %s %s.", 712 ssl_tls13_get_hs_msg_name(hs_msg_type), 713 mbedtls_ssl_get_extension_name(extension_type), 714 extension_type, 715 extra_msg0, extra_msg1); 716 return; 717 } 718 719 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1; 720 if (extra_msg) { 721 mbedtls_debug_print_msg( 722 ssl, level, file, line, 723 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type), 724 mbedtls_ssl_get_extension_name(extension_type), extension_type, 725 extra_msg); 726 return; 727 } 728 729 mbedtls_debug_print_msg( 730 ssl, level, file, line, 731 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type), 732 mbedtls_ssl_get_extension_name(extension_type), extension_type); 733 } 734 735 void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl, 736 int level, const char *file, int line, 737 int hs_msg_type, uint32_t extensions_mask, 738 const char *extra) 739 { 740 741 for (unsigned i = 0; 742 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]); 743 i++) { 744 mbedtls_ssl_print_extension( 745 ssl, level, file, line, hs_msg_type, extension_type_table[i], 746 extensions_mask & (1 << i) ? "exists" : "does not exist", extra); 747 } 748 } 749 750 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 751 #define ARRAY_LENGTH(a) (sizeof(a) / sizeof(*(a))) 752 753 static const char *ticket_flag_name_table[] = 754 { 755 [0] = "ALLOW_PSK_RESUMPTION", 756 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION", 757 [3] = "ALLOW_EARLY_DATA", 758 }; 759 760 void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl, 761 int level, const char *file, int line, 762 unsigned int flags) 763 { 764 size_t i; 765 766 mbedtls_debug_print_msg(ssl, level, file, line, 767 "print ticket_flags (0x%02x)", flags); 768 769 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK; 770 771 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) { 772 if ((flags & (1 << i))) { 773 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.", 774 ticket_flag_name_table[i]); 775 } 776 } 777 } 778 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 779 780 #endif /* MBEDTLS_DEBUG_C */ 781 782 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, 783 const mbedtls_ssl_ciphersuite_t *ciphersuite_info) 784 { 785 ((void) ciphersuite_info); 786 787 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 788 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 789 ssl->handshake->update_checksum = ssl_update_checksum_sha384; 790 } else 791 #endif 792 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 793 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) { 794 ssl->handshake->update_checksum = ssl_update_checksum_sha256; 795 } else 796 #endif 797 { 798 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 799 return; 800 } 801 } 802 803 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, 804 unsigned hs_type, 805 size_t total_hs_len) 806 { 807 unsigned char hs_hdr[4]; 808 809 /* Build HS header for checksum update. */ 810 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type); 811 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len); 812 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len); 813 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len); 814 815 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr)); 816 } 817 818 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, 819 unsigned hs_type, 820 unsigned char const *msg, 821 size_t msg_len) 822 { 823 int ret; 824 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len); 825 if (ret != 0) { 826 return ret; 827 } 828 return ssl->handshake->update_checksum(ssl, msg, msg_len); 829 } 830 831 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) 832 { 833 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \ 834 defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 835 #if defined(MBEDTLS_USE_PSA_CRYPTO) 836 psa_status_t status; 837 #else 838 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 839 #endif 840 #else /* SHA-256 or SHA-384 */ 841 ((void) ssl); 842 #endif /* SHA-256 or SHA-384 */ 843 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 844 #if defined(MBEDTLS_USE_PSA_CRYPTO) 845 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa); 846 if (status != PSA_SUCCESS) { 847 return PSA_TO_MD_ERR(status); 848 } 849 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256); 850 if (status != PSA_SUCCESS) { 851 return PSA_TO_MD_ERR(status); 852 } 853 #else 854 mbedtls_md_free(&ssl->handshake->fin_sha256); 855 mbedtls_md_init(&ssl->handshake->fin_sha256); 856 ret = mbedtls_md_setup(&ssl->handshake->fin_sha256, 857 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 858 0); 859 if (ret != 0) { 860 return ret; 861 } 862 ret = mbedtls_md_starts(&ssl->handshake->fin_sha256); 863 if (ret != 0) { 864 return ret; 865 } 866 #endif 867 #endif 868 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 869 #if defined(MBEDTLS_USE_PSA_CRYPTO) 870 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa); 871 if (status != PSA_SUCCESS) { 872 return PSA_TO_MD_ERR(status); 873 } 874 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384); 875 if (status != PSA_SUCCESS) { 876 return PSA_TO_MD_ERR(status); 877 } 878 #else 879 mbedtls_md_free(&ssl->handshake->fin_sha384); 880 mbedtls_md_init(&ssl->handshake->fin_sha384); 881 ret = mbedtls_md_setup(&ssl->handshake->fin_sha384, 882 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); 883 if (ret != 0) { 884 return ret; 885 } 886 ret = mbedtls_md_starts(&ssl->handshake->fin_sha384); 887 if (ret != 0) { 888 return ret; 889 } 890 #endif 891 #endif 892 return 0; 893 } 894 895 static int ssl_update_checksum_start(mbedtls_ssl_context *ssl, 896 const unsigned char *buf, size_t len) 897 { 898 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \ 899 defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 900 #if defined(MBEDTLS_USE_PSA_CRYPTO) 901 psa_status_t status; 902 #else 903 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 904 #endif 905 #else /* SHA-256 or SHA-384 */ 906 ((void) ssl); 907 (void) buf; 908 (void) len; 909 #endif /* SHA-256 or SHA-384 */ 910 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 911 #if defined(MBEDTLS_USE_PSA_CRYPTO) 912 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len); 913 if (status != PSA_SUCCESS) { 914 return PSA_TO_MD_ERR(status); 915 } 916 #else 917 ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len); 918 if (ret != 0) { 919 return ret; 920 } 921 #endif 922 #endif 923 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 924 #if defined(MBEDTLS_USE_PSA_CRYPTO) 925 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len); 926 if (status != PSA_SUCCESS) { 927 return PSA_TO_MD_ERR(status); 928 } 929 #else 930 ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len); 931 if (ret != 0) { 932 return ret; 933 } 934 #endif 935 #endif 936 return 0; 937 } 938 939 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 940 static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl, 941 const unsigned char *buf, size_t len) 942 { 943 #if defined(MBEDTLS_USE_PSA_CRYPTO) 944 return PSA_TO_MD_ERR(psa_hash_update( 945 &ssl->handshake->fin_sha256_psa, buf, len)); 946 #else 947 return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len); 948 #endif 949 } 950 #endif 951 952 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 953 static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl, 954 const unsigned char *buf, size_t len) 955 { 956 #if defined(MBEDTLS_USE_PSA_CRYPTO) 957 return PSA_TO_MD_ERR(psa_hash_update( 958 &ssl->handshake->fin_sha384_psa, buf, len)); 959 #else 960 return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len); 961 #endif 962 } 963 #endif 964 965 static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake) 966 { 967 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params)); 968 969 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 970 #if defined(MBEDTLS_USE_PSA_CRYPTO) 971 handshake->fin_sha256_psa = psa_hash_operation_init(); 972 #else 973 mbedtls_md_init(&handshake->fin_sha256); 974 #endif 975 #endif 976 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 977 #if defined(MBEDTLS_USE_PSA_CRYPTO) 978 handshake->fin_sha384_psa = psa_hash_operation_init(); 979 #else 980 mbedtls_md_init(&handshake->fin_sha384); 981 #endif 982 #endif 983 984 handshake->update_checksum = ssl_update_checksum_start; 985 986 #if defined(MBEDTLS_DHM_C) 987 mbedtls_dhm_init(&handshake->dhm_ctx); 988 #endif 989 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C) 990 mbedtls_ecdh_init(&handshake->ecdh_ctx); 991 #endif 992 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 993 #if defined(MBEDTLS_USE_PSA_CRYPTO) 994 handshake->psa_pake_ctx = psa_pake_operation_init(); 995 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; 996 #else 997 mbedtls_ecjpake_init(&handshake->ecjpake_ctx); 998 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 999 #if defined(MBEDTLS_SSL_CLI_C) 1000 handshake->ecjpake_cache = NULL; 1001 handshake->ecjpake_cache_len = 0; 1002 #endif 1003 #endif 1004 1005 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 1006 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx); 1007 #endif 1008 1009 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1010 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; 1011 #endif 1012 1013 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 1014 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 1015 mbedtls_pk_init(&handshake->peer_pubkey); 1016 #endif 1017 } 1018 1019 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform) 1020 { 1021 memset(transform, 0, sizeof(mbedtls_ssl_transform)); 1022 1023 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1024 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT; 1025 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT; 1026 #else 1027 mbedtls_cipher_init(&transform->cipher_ctx_enc); 1028 mbedtls_cipher_init(&transform->cipher_ctx_dec); 1029 #endif 1030 1031 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1032 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1033 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT; 1034 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT; 1035 #else 1036 mbedtls_md_init(&transform->md_ctx_enc); 1037 mbedtls_md_init(&transform->md_ctx_dec); 1038 #endif 1039 #endif 1040 } 1041 1042 void mbedtls_ssl_session_init(mbedtls_ssl_session *session) 1043 { 1044 memset(session, 0, sizeof(mbedtls_ssl_session)); 1045 } 1046 1047 MBEDTLS_CHECK_RETURN_CRITICAL 1048 static int ssl_handshake_init(mbedtls_ssl_context *ssl) 1049 { 1050 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1051 1052 /* Clear old handshake information if present */ 1053 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1054 if (ssl->transform_negotiate) { 1055 mbedtls_ssl_transform_free(ssl->transform_negotiate); 1056 } 1057 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1058 if (ssl->session_negotiate) { 1059 mbedtls_ssl_session_free(ssl->session_negotiate); 1060 } 1061 if (ssl->handshake) { 1062 mbedtls_ssl_handshake_free(ssl); 1063 } 1064 1065 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1066 /* 1067 * Either the pointers are now NULL or cleared properly and can be freed. 1068 * Now allocate missing structures. 1069 */ 1070 if (ssl->transform_negotiate == NULL) { 1071 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform)); 1072 } 1073 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1074 1075 if (ssl->session_negotiate == NULL) { 1076 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session)); 1077 } 1078 1079 if (ssl->handshake == NULL) { 1080 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params)); 1081 } 1082 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1083 /* If the buffers are too small - reallocate */ 1084 1085 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN, 1086 MBEDTLS_SSL_OUT_BUFFER_LEN); 1087 #endif 1088 1089 /* All pointers should exist and can be directly freed without issue */ 1090 if (ssl->handshake == NULL || 1091 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1092 ssl->transform_negotiate == NULL || 1093 #endif 1094 ssl->session_negotiate == NULL) { 1095 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed")); 1096 1097 mbedtls_free(ssl->handshake); 1098 ssl->handshake = NULL; 1099 1100 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1101 mbedtls_free(ssl->transform_negotiate); 1102 ssl->transform_negotiate = NULL; 1103 #endif 1104 1105 mbedtls_free(ssl->session_negotiate); 1106 ssl->session_negotiate = NULL; 1107 1108 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1109 } 1110 1111 /* Initialize structures */ 1112 mbedtls_ssl_session_init(ssl->session_negotiate); 1113 ssl_handshake_params_init(ssl->handshake); 1114 1115 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1116 mbedtls_ssl_transform_init(ssl->transform_negotiate); 1117 #endif 1118 1119 /* Setup handshake checksums */ 1120 ret = mbedtls_ssl_reset_checksum(ssl); 1121 if (ret != 0) { 1122 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret); 1123 return ret; 1124 } 1125 1126 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 1127 defined(MBEDTLS_SSL_SRV_C) && \ 1128 defined(MBEDTLS_SSL_SESSION_TICKETS) 1129 ssl->handshake->new_session_tickets_count = 1130 ssl->conf->new_session_tickets_count; 1131 #endif 1132 1133 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1134 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1135 ssl->handshake->alt_transform_out = ssl->transform_out; 1136 1137 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 1138 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 1139 } else { 1140 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 1141 } 1142 1143 mbedtls_ssl_set_timer(ssl, 0); 1144 } 1145 #endif 1146 1147 /* 1148 * curve_list is translated to IANA TLS group identifiers here because 1149 * mbedtls_ssl_conf_curves returns void and so can't return 1150 * any error codes. 1151 */ 1152 #if defined(MBEDTLS_ECP_C) 1153 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1154 /* Heap allocate and translate curve_list from internal to IANA group ids */ 1155 if (ssl->conf->curve_list != NULL) { 1156 size_t length; 1157 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list; 1158 1159 for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE) && 1160 (length < MBEDTLS_ECP_DP_MAX); length++) { 1161 } 1162 1163 /* Leave room for zero termination */ 1164 uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t)); 1165 if (group_list == NULL) { 1166 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1167 } 1168 1169 for (size_t i = 0; i < length; i++) { 1170 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( 1171 curve_list[i]); 1172 if (tls_id == 0) { 1173 mbedtls_free(group_list); 1174 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1175 } 1176 group_list[i] = tls_id; 1177 } 1178 1179 group_list[length] = 0; 1180 1181 ssl->handshake->group_list = group_list; 1182 ssl->handshake->group_list_heap_allocated = 1; 1183 } else { 1184 ssl->handshake->group_list = ssl->conf->group_list; 1185 ssl->handshake->group_list_heap_allocated = 0; 1186 } 1187 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 1188 #endif /* MBEDTLS_ECP_C */ 1189 1190 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 1191 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1192 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1193 /* Heap allocate and translate sig_hashes from internal hash identifiers to 1194 signature algorithms IANA identifiers. */ 1195 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) && 1196 ssl->conf->sig_hashes != NULL) { 1197 const int *md; 1198 const int *sig_hashes = ssl->conf->sig_hashes; 1199 size_t sig_algs_len = 0; 1200 uint16_t *p; 1201 1202 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 1203 <= (SIZE_MAX - (2 * sizeof(uint16_t))), 1204 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big"); 1205 1206 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) { 1207 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) { 1208 continue; 1209 } 1210 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 1211 sig_algs_len += sizeof(uint16_t); 1212 #endif 1213 1214 #if defined(MBEDTLS_RSA_C) 1215 sig_algs_len += sizeof(uint16_t); 1216 #endif 1217 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) { 1218 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1219 } 1220 } 1221 1222 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) { 1223 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1224 } 1225 1226 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len + 1227 sizeof(uint16_t)); 1228 if (ssl->handshake->sig_algs == NULL) { 1229 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1230 } 1231 1232 p = (uint16_t *) ssl->handshake->sig_algs; 1233 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) { 1234 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md); 1235 if (hash == MBEDTLS_SSL_HASH_NONE) { 1236 continue; 1237 } 1238 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 1239 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA); 1240 p++; 1241 #endif 1242 #if defined(MBEDTLS_RSA_C) 1243 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA); 1244 p++; 1245 #endif 1246 } 1247 *p = MBEDTLS_TLS_SIG_NONE; 1248 ssl->handshake->sig_algs_heap_allocated = 1; 1249 } else 1250 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1251 { 1252 ssl->handshake->sig_algs_heap_allocated = 0; 1253 } 1254 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 1255 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 1256 return 0; 1257 } 1258 1259 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 1260 /* Dummy cookie callbacks for defaults */ 1261 MBEDTLS_CHECK_RETURN_CRITICAL 1262 static int ssl_cookie_write_dummy(void *ctx, 1263 unsigned char **p, unsigned char *end, 1264 const unsigned char *cli_id, size_t cli_id_len) 1265 { 1266 ((void) ctx); 1267 ((void) p); 1268 ((void) end); 1269 ((void) cli_id); 1270 ((void) cli_id_len); 1271 1272 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1273 } 1274 1275 MBEDTLS_CHECK_RETURN_CRITICAL 1276 static int ssl_cookie_check_dummy(void *ctx, 1277 const unsigned char *cookie, size_t cookie_len, 1278 const unsigned char *cli_id, size_t cli_id_len) 1279 { 1280 ((void) ctx); 1281 ((void) cookie); 1282 ((void) cookie_len); 1283 ((void) cli_id); 1284 ((void) cli_id_len); 1285 1286 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1287 } 1288 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 1289 1290 /* 1291 * Initialize an SSL context 1292 */ 1293 void mbedtls_ssl_init(mbedtls_ssl_context *ssl) 1294 { 1295 memset(ssl, 0, sizeof(mbedtls_ssl_context)); 1296 } 1297 1298 MBEDTLS_CHECK_RETURN_CRITICAL 1299 static int ssl_conf_version_check(const mbedtls_ssl_context *ssl) 1300 { 1301 const mbedtls_ssl_config *conf = ssl->conf; 1302 1303 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1304 if (mbedtls_ssl_conf_is_tls13_only(conf)) { 1305 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1306 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported.")); 1307 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1308 } 1309 1310 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only.")); 1311 return 0; 1312 } 1313 #endif 1314 1315 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1316 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 1317 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only.")); 1318 return 0; 1319 } 1320 #endif 1321 1322 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 1323 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) { 1324 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1325 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2")); 1326 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1327 } 1328 1329 if (conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 1330 MBEDTLS_SSL_DEBUG_MSG(1, ("TLS 1.3 server is not supported yet.")); 1331 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1332 } 1333 1334 1335 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2.")); 1336 return 0; 1337 } 1338 #endif 1339 1340 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid.")); 1341 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1342 } 1343 1344 MBEDTLS_CHECK_RETURN_CRITICAL 1345 static int ssl_conf_check(const mbedtls_ssl_context *ssl) 1346 { 1347 int ret; 1348 ret = ssl_conf_version_check(ssl); 1349 if (ret != 0) { 1350 return ret; 1351 } 1352 1353 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1354 /* RFC 8446 section 4.4.3 1355 * 1356 * If the verification fails, the receiver MUST terminate the handshake with 1357 * a "decrypt_error" alert. 1358 * 1359 * If the client is configured as TLS 1.3 only with optional verify, return 1360 * bad config. 1361 * 1362 */ 1363 if (mbedtls_ssl_conf_tls13_ephemeral_enabled( 1364 (mbedtls_ssl_context *) ssl) && 1365 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 1366 ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && 1367 ssl->conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && 1368 ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) { 1369 MBEDTLS_SSL_DEBUG_MSG( 1370 1, ("Optional verify auth mode " 1371 "is not available for TLS 1.3 client")); 1372 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1373 } 1374 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1375 1376 /* Space for further checks */ 1377 1378 return 0; 1379 } 1380 1381 /* 1382 * Setup an SSL context 1383 */ 1384 1385 int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, 1386 const mbedtls_ssl_config *conf) 1387 { 1388 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1389 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 1390 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 1391 1392 ssl->conf = conf; 1393 1394 if ((ret = ssl_conf_check(ssl)) != 0) { 1395 return ret; 1396 } 1397 1398 /* 1399 * Prepare base structures 1400 */ 1401 1402 /* Set to NULL in case of an error condition */ 1403 ssl->out_buf = NULL; 1404 1405 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1406 ssl->in_buf_len = in_buf_len; 1407 #endif 1408 ssl->in_buf = mbedtls_calloc(1, in_buf_len); 1409 if (ssl->in_buf == NULL) { 1410 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len)); 1411 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 1412 goto error; 1413 } 1414 1415 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1416 ssl->out_buf_len = out_buf_len; 1417 #endif 1418 ssl->out_buf = mbedtls_calloc(1, out_buf_len); 1419 if (ssl->out_buf == NULL) { 1420 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len)); 1421 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 1422 goto error; 1423 } 1424 1425 mbedtls_ssl_reset_in_out_pointers(ssl); 1426 1427 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1428 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info)); 1429 #endif 1430 1431 if ((ret = ssl_handshake_init(ssl)) != 0) { 1432 goto error; 1433 } 1434 1435 return 0; 1436 1437 error: 1438 mbedtls_free(ssl->in_buf); 1439 mbedtls_free(ssl->out_buf); 1440 1441 ssl->conf = NULL; 1442 1443 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1444 ssl->in_buf_len = 0; 1445 ssl->out_buf_len = 0; 1446 #endif 1447 ssl->in_buf = NULL; 1448 ssl->out_buf = NULL; 1449 1450 ssl->in_hdr = NULL; 1451 ssl->in_ctr = NULL; 1452 ssl->in_len = NULL; 1453 ssl->in_iv = NULL; 1454 ssl->in_msg = NULL; 1455 1456 ssl->out_hdr = NULL; 1457 ssl->out_ctr = NULL; 1458 ssl->out_len = NULL; 1459 ssl->out_iv = NULL; 1460 ssl->out_msg = NULL; 1461 1462 return ret; 1463 } 1464 1465 /* 1466 * Reset an initialized and used SSL context for re-use while retaining 1467 * all application-set variables, function pointers and data. 1468 * 1469 * If partial is non-zero, keep data in the input buffer and client ID. 1470 * (Use when a DTLS client reconnects from the same port.) 1471 */ 1472 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, 1473 int partial) 1474 { 1475 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1476 size_t in_buf_len = ssl->in_buf_len; 1477 size_t out_buf_len = ssl->out_buf_len; 1478 #else 1479 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 1480 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 1481 #endif 1482 1483 #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C) 1484 partial = 0; 1485 #endif 1486 1487 /* Cancel any possibly running timer */ 1488 mbedtls_ssl_set_timer(ssl, 0); 1489 1490 mbedtls_ssl_reset_in_out_pointers(ssl); 1491 1492 /* Reset incoming message parsing */ 1493 ssl->in_offt = NULL; 1494 ssl->nb_zero = 0; 1495 ssl->in_msgtype = 0; 1496 ssl->in_msglen = 0; 1497 ssl->in_hslen = 0; 1498 ssl->keep_current_message = 0; 1499 ssl->transform_in = NULL; 1500 1501 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1502 ssl->next_record_offset = 0; 1503 ssl->in_epoch = 0; 1504 #endif 1505 1506 /* Keep current datagram if partial == 1 */ 1507 if (partial == 0) { 1508 ssl->in_left = 0; 1509 memset(ssl->in_buf, 0, in_buf_len); 1510 } 1511 1512 ssl->send_alert = 0; 1513 1514 /* Reset outgoing message writing */ 1515 ssl->out_msgtype = 0; 1516 ssl->out_msglen = 0; 1517 ssl->out_left = 0; 1518 memset(ssl->out_buf, 0, out_buf_len); 1519 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr)); 1520 ssl->transform_out = NULL; 1521 1522 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1523 mbedtls_ssl_dtls_replay_reset(ssl); 1524 #endif 1525 1526 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1527 if (ssl->transform) { 1528 mbedtls_ssl_transform_free(ssl->transform); 1529 mbedtls_free(ssl->transform); 1530 ssl->transform = NULL; 1531 } 1532 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1533 1534 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1535 mbedtls_ssl_transform_free(ssl->transform_application); 1536 mbedtls_free(ssl->transform_application); 1537 ssl->transform_application = NULL; 1538 1539 if (ssl->handshake != NULL) { 1540 #if defined(MBEDTLS_SSL_EARLY_DATA) 1541 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata); 1542 mbedtls_free(ssl->handshake->transform_earlydata); 1543 ssl->handshake->transform_earlydata = NULL; 1544 #endif 1545 1546 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake); 1547 mbedtls_free(ssl->handshake->transform_handshake); 1548 ssl->handshake->transform_handshake = NULL; 1549 } 1550 1551 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1552 } 1553 1554 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial) 1555 { 1556 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1557 1558 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 1559 1560 mbedtls_ssl_session_reset_msg_layer(ssl, partial); 1561 1562 /* Reset renegotiation state */ 1563 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1564 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE; 1565 ssl->renego_records_seen = 0; 1566 1567 ssl->verify_data_len = 0; 1568 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN); 1569 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN); 1570 #endif 1571 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION; 1572 1573 ssl->session_in = NULL; 1574 ssl->session_out = NULL; 1575 if (ssl->session) { 1576 mbedtls_ssl_session_free(ssl->session); 1577 mbedtls_free(ssl->session); 1578 ssl->session = NULL; 1579 } 1580 1581 #if defined(MBEDTLS_SSL_ALPN) 1582 ssl->alpn_chosen = NULL; 1583 #endif 1584 1585 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 1586 int free_cli_id = 1; 1587 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) 1588 free_cli_id = (partial == 0); 1589 #endif 1590 if (free_cli_id) { 1591 mbedtls_free(ssl->cli_id); 1592 ssl->cli_id = NULL; 1593 ssl->cli_id_len = 0; 1594 } 1595 #endif 1596 1597 if ((ret = ssl_handshake_init(ssl)) != 0) { 1598 return ret; 1599 } 1600 1601 return 0; 1602 } 1603 1604 /* 1605 * Reset an initialized and used SSL context for re-use while retaining 1606 * all application-set variables, function pointers and data. 1607 */ 1608 int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl) 1609 { 1610 return mbedtls_ssl_session_reset_int(ssl, 0); 1611 } 1612 1613 /* 1614 * SSL set accessors 1615 */ 1616 void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint) 1617 { 1618 conf->endpoint = endpoint; 1619 } 1620 1621 void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport) 1622 { 1623 conf->transport = transport; 1624 } 1625 1626 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1627 void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode) 1628 { 1629 conf->anti_replay = mode; 1630 } 1631 #endif 1632 1633 void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit) 1634 { 1635 conf->badmac_limit = limit; 1636 } 1637 1638 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1639 1640 void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl, 1641 unsigned allow_packing) 1642 { 1643 ssl->disable_datagram_packing = !allow_packing; 1644 } 1645 1646 void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf, 1647 uint32_t min, uint32_t max) 1648 { 1649 conf->hs_timeout_min = min; 1650 conf->hs_timeout_max = max; 1651 } 1652 #endif 1653 1654 void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode) 1655 { 1656 conf->authmode = authmode; 1657 } 1658 1659 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1660 void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf, 1661 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 1662 void *p_vrfy) 1663 { 1664 conf->f_vrfy = f_vrfy; 1665 conf->p_vrfy = p_vrfy; 1666 } 1667 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1668 1669 void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf, 1670 int (*f_rng)(void *, unsigned char *, size_t), 1671 void *p_rng) 1672 { 1673 conf->f_rng = f_rng; 1674 conf->p_rng = p_rng; 1675 } 1676 1677 void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf, 1678 void (*f_dbg)(void *, int, const char *, int, const char *), 1679 void *p_dbg) 1680 { 1681 conf->f_dbg = f_dbg; 1682 conf->p_dbg = p_dbg; 1683 } 1684 1685 void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl, 1686 void *p_bio, 1687 mbedtls_ssl_send_t *f_send, 1688 mbedtls_ssl_recv_t *f_recv, 1689 mbedtls_ssl_recv_timeout_t *f_recv_timeout) 1690 { 1691 ssl->p_bio = p_bio; 1692 ssl->f_send = f_send; 1693 ssl->f_recv = f_recv; 1694 ssl->f_recv_timeout = f_recv_timeout; 1695 } 1696 1697 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1698 void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu) 1699 { 1700 ssl->mtu = mtu; 1701 } 1702 #endif 1703 1704 void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout) 1705 { 1706 conf->read_timeout = timeout; 1707 } 1708 1709 void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl, 1710 void *p_timer, 1711 mbedtls_ssl_set_timer_t *f_set_timer, 1712 mbedtls_ssl_get_timer_t *f_get_timer) 1713 { 1714 ssl->p_timer = p_timer; 1715 ssl->f_set_timer = f_set_timer; 1716 ssl->f_get_timer = f_get_timer; 1717 1718 /* Make sure we start with no timer running */ 1719 mbedtls_ssl_set_timer(ssl, 0); 1720 } 1721 1722 #if defined(MBEDTLS_SSL_SRV_C) 1723 void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf, 1724 void *p_cache, 1725 mbedtls_ssl_cache_get_t *f_get_cache, 1726 mbedtls_ssl_cache_set_t *f_set_cache) 1727 { 1728 conf->p_cache = p_cache; 1729 conf->f_get_cache = f_get_cache; 1730 conf->f_set_cache = f_set_cache; 1731 } 1732 #endif /* MBEDTLS_SSL_SRV_C */ 1733 1734 #if defined(MBEDTLS_SSL_CLI_C) 1735 int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session) 1736 { 1737 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1738 1739 if (ssl == NULL || 1740 session == NULL || 1741 ssl->session_negotiate == NULL || 1742 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) { 1743 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 1744 } 1745 1746 if (ssl->handshake->resume == 1) { 1747 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1748 } 1749 1750 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1751 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 1752 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 1753 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite); 1754 1755 if (mbedtls_ssl_validate_ciphersuite( 1756 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3, 1757 MBEDTLS_SSL_VERSION_TLS1_3) != 0) { 1758 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.", 1759 session->ciphersuite)); 1760 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 1761 } 1762 } 1763 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1764 1765 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate, 1766 session)) != 0) { 1767 return ret; 1768 } 1769 1770 ssl->handshake->resume = 1; 1771 1772 return 0; 1773 } 1774 #endif /* MBEDTLS_SSL_CLI_C */ 1775 1776 void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf, 1777 const int *ciphersuites) 1778 { 1779 conf->ciphersuite_list = ciphersuites; 1780 } 1781 1782 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1783 void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf, 1784 const int kex_modes) 1785 { 1786 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; 1787 } 1788 1789 #if defined(MBEDTLS_SSL_EARLY_DATA) 1790 void mbedtls_ssl_tls13_conf_early_data(mbedtls_ssl_config *conf, 1791 int early_data_enabled) 1792 { 1793 conf->early_data_enabled = early_data_enabled; 1794 } 1795 1796 #if defined(MBEDTLS_SSL_SRV_C) 1797 void mbedtls_ssl_tls13_conf_max_early_data_size( 1798 mbedtls_ssl_config *conf, uint32_t max_early_data_size) 1799 { 1800 conf->max_early_data_size = max_early_data_size; 1801 } 1802 #endif /* MBEDTLS_SSL_SRV_C */ 1803 1804 #endif /* MBEDTLS_SSL_EARLY_DATA */ 1805 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1806 1807 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1808 void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf, 1809 const mbedtls_x509_crt_profile *profile) 1810 { 1811 conf->cert_profile = profile; 1812 } 1813 1814 static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert) 1815 { 1816 mbedtls_ssl_key_cert *cur = key_cert, *next; 1817 1818 while (cur != NULL) { 1819 next = cur->next; 1820 mbedtls_free(cur); 1821 cur = next; 1822 } 1823 } 1824 1825 /* Append a new keycert entry to a (possibly empty) list */ 1826 MBEDTLS_CHECK_RETURN_CRITICAL 1827 static int ssl_append_key_cert(mbedtls_ssl_key_cert **head, 1828 mbedtls_x509_crt *cert, 1829 mbedtls_pk_context *key) 1830 { 1831 mbedtls_ssl_key_cert *new_cert; 1832 1833 if (cert == NULL) { 1834 /* Free list if cert is null */ 1835 ssl_key_cert_free(*head); 1836 *head = NULL; 1837 return 0; 1838 } 1839 1840 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert)); 1841 if (new_cert == NULL) { 1842 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1843 } 1844 1845 new_cert->cert = cert; 1846 new_cert->key = key; 1847 new_cert->next = NULL; 1848 1849 /* Update head if the list was null, else add to the end */ 1850 if (*head == NULL) { 1851 *head = new_cert; 1852 } else { 1853 mbedtls_ssl_key_cert *cur = *head; 1854 while (cur->next != NULL) { 1855 cur = cur->next; 1856 } 1857 cur->next = new_cert; 1858 } 1859 1860 return 0; 1861 } 1862 1863 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, 1864 mbedtls_x509_crt *own_cert, 1865 mbedtls_pk_context *pk_key) 1866 { 1867 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key); 1868 } 1869 1870 void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf, 1871 mbedtls_x509_crt *ca_chain, 1872 mbedtls_x509_crl *ca_crl) 1873 { 1874 conf->ca_chain = ca_chain; 1875 conf->ca_crl = ca_crl; 1876 1877 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 1878 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb() 1879 * cannot be used together. */ 1880 conf->f_ca_cb = NULL; 1881 conf->p_ca_cb = NULL; 1882 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 1883 } 1884 1885 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 1886 void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf, 1887 mbedtls_x509_crt_ca_cb_t f_ca_cb, 1888 void *p_ca_cb) 1889 { 1890 conf->f_ca_cb = f_ca_cb; 1891 conf->p_ca_cb = p_ca_cb; 1892 1893 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb() 1894 * cannot be used together. */ 1895 conf->ca_chain = NULL; 1896 conf->ca_crl = NULL; 1897 } 1898 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 1899 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1900 1901 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1902 const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl, 1903 size_t *name_len) 1904 { 1905 *name_len = ssl->handshake->sni_name_len; 1906 return ssl->handshake->sni_name; 1907 } 1908 1909 int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl, 1910 mbedtls_x509_crt *own_cert, 1911 mbedtls_pk_context *pk_key) 1912 { 1913 return ssl_append_key_cert(&ssl->handshake->sni_key_cert, 1914 own_cert, pk_key); 1915 } 1916 1917 void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl, 1918 mbedtls_x509_crt *ca_chain, 1919 mbedtls_x509_crl *ca_crl) 1920 { 1921 ssl->handshake->sni_ca_chain = ca_chain; 1922 ssl->handshake->sni_ca_crl = ca_crl; 1923 } 1924 1925 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 1926 void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl, 1927 const mbedtls_x509_crt *crt) 1928 { 1929 ssl->handshake->dn_hints = crt; 1930 } 1931 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 1932 1933 void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl, 1934 int authmode) 1935 { 1936 ssl->handshake->sni_authmode = authmode; 1937 } 1938 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1939 1940 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1941 void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl, 1942 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 1943 void *p_vrfy) 1944 { 1945 ssl->f_vrfy = f_vrfy; 1946 ssl->p_vrfy = p_vrfy; 1947 } 1948 #endif 1949 1950 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1951 1952 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1953 static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' }; 1954 static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' }; 1955 1956 static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common( 1957 mbedtls_ssl_context *ssl, 1958 mbedtls_svc_key_id_t pwd) 1959 { 1960 psa_status_t status; 1961 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1962 const uint8_t *user = NULL; 1963 size_t user_len = 0; 1964 const uint8_t *peer = NULL; 1965 size_t peer_len = 0; 1966 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1967 psa_pake_cs_set_primitive(&cipher_suite, 1968 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, 1969 PSA_ECC_FAMILY_SECP_R1, 1970 256)); 1971 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1972 1973 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite); 1974 if (status != PSA_SUCCESS) { 1975 return status; 1976 } 1977 1978 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 1979 user = jpake_server_id; 1980 user_len = sizeof(jpake_server_id); 1981 peer = jpake_client_id; 1982 peer_len = sizeof(jpake_client_id); 1983 } else { 1984 user = jpake_client_id; 1985 user_len = sizeof(jpake_client_id); 1986 peer = jpake_server_id; 1987 peer_len = sizeof(jpake_server_id); 1988 } 1989 1990 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len); 1991 if (status != PSA_SUCCESS) { 1992 return status; 1993 } 1994 1995 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len); 1996 if (status != PSA_SUCCESS) { 1997 return status; 1998 } 1999 2000 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd); 2001 if (status != PSA_SUCCESS) { 2002 return status; 2003 } 2004 2005 ssl->handshake->psa_pake_ctx_is_ok = 1; 2006 2007 return PSA_SUCCESS; 2008 } 2009 2010 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl, 2011 const unsigned char *pw, 2012 size_t pw_len) 2013 { 2014 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2015 psa_status_t status; 2016 2017 if (ssl->handshake == NULL || ssl->conf == NULL) { 2018 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2019 } 2020 2021 /* Empty password is not valid */ 2022 if ((pw == NULL) || (pw_len == 0)) { 2023 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2024 } 2025 2026 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 2027 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); 2028 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 2029 2030 status = psa_import_key(&attributes, pw, pw_len, 2031 &ssl->handshake->psa_pake_password); 2032 if (status != PSA_SUCCESS) { 2033 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2034 } 2035 2036 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, 2037 ssl->handshake->psa_pake_password); 2038 if (status != PSA_SUCCESS) { 2039 psa_destroy_key(ssl->handshake->psa_pake_password); 2040 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 2041 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2042 } 2043 2044 return 0; 2045 } 2046 2047 int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl, 2048 mbedtls_svc_key_id_t pwd) 2049 { 2050 psa_status_t status; 2051 2052 if (ssl->handshake == NULL || ssl->conf == NULL) { 2053 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2054 } 2055 2056 if (mbedtls_svc_key_id_is_null(pwd)) { 2057 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2058 } 2059 2060 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd); 2061 if (status != PSA_SUCCESS) { 2062 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 2063 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2064 } 2065 2066 return 0; 2067 } 2068 #else /* MBEDTLS_USE_PSA_CRYPTO */ 2069 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl, 2070 const unsigned char *pw, 2071 size_t pw_len) 2072 { 2073 mbedtls_ecjpake_role role; 2074 2075 if (ssl->handshake == NULL || ssl->conf == NULL) { 2076 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2077 } 2078 2079 /* Empty password is not valid */ 2080 if ((pw == NULL) || (pw_len == 0)) { 2081 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2082 } 2083 2084 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 2085 role = MBEDTLS_ECJPAKE_SERVER; 2086 } else { 2087 role = MBEDTLS_ECJPAKE_CLIENT; 2088 } 2089 2090 return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx, 2091 role, 2092 MBEDTLS_MD_SHA256, 2093 MBEDTLS_ECP_DP_SECP256R1, 2094 pw, pw_len); 2095 } 2096 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2097 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2098 2099 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 2100 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf) 2101 { 2102 if (conf->psk_identity == NULL || 2103 conf->psk_identity_len == 0) { 2104 return 0; 2105 } 2106 2107 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2108 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 2109 return 1; 2110 } 2111 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2112 2113 if (conf->psk != NULL && conf->psk_len != 0) { 2114 return 1; 2115 } 2116 2117 return 0; 2118 } 2119 2120 static void ssl_conf_remove_psk(mbedtls_ssl_config *conf) 2121 { 2122 /* Remove reference to existing PSK, if any. */ 2123 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2124 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 2125 /* The maintenance of the PSK key slot is the 2126 * user's responsibility. */ 2127 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 2128 } 2129 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2130 if (conf->psk != NULL) { 2131 mbedtls_platform_zeroize(conf->psk, conf->psk_len); 2132 2133 mbedtls_free(conf->psk); 2134 conf->psk = NULL; 2135 conf->psk_len = 0; 2136 } 2137 2138 /* Remove reference to PSK identity, if any. */ 2139 if (conf->psk_identity != NULL) { 2140 mbedtls_free(conf->psk_identity); 2141 conf->psk_identity = NULL; 2142 conf->psk_identity_len = 0; 2143 } 2144 } 2145 2146 /* This function assumes that PSK identity in the SSL config is unset. 2147 * It checks that the provided identity is well-formed and attempts 2148 * to make a copy of it in the SSL config. 2149 * On failure, the PSK identity in the config remains unset. */ 2150 MBEDTLS_CHECK_RETURN_CRITICAL 2151 static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf, 2152 unsigned char const *psk_identity, 2153 size_t psk_identity_len) 2154 { 2155 /* Identity len will be encoded on two bytes */ 2156 if (psk_identity == NULL || 2157 psk_identity_len == 0 || 2158 (psk_identity_len >> 16) != 0 || 2159 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) { 2160 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2161 } 2162 2163 conf->psk_identity = mbedtls_calloc(1, psk_identity_len); 2164 if (conf->psk_identity == NULL) { 2165 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2166 } 2167 2168 conf->psk_identity_len = psk_identity_len; 2169 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len); 2170 2171 return 0; 2172 } 2173 2174 int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf, 2175 const unsigned char *psk, size_t psk_len, 2176 const unsigned char *psk_identity, size_t psk_identity_len) 2177 { 2178 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2179 2180 /* We currently only support one PSK, raw or opaque. */ 2181 if (mbedtls_ssl_conf_has_static_psk(conf)) { 2182 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2183 } 2184 2185 /* Check and set raw PSK */ 2186 if (psk == NULL) { 2187 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2188 } 2189 if (psk_len == 0) { 2190 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2191 } 2192 if (psk_len > MBEDTLS_PSK_MAX_LEN) { 2193 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2194 } 2195 2196 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) { 2197 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2198 } 2199 conf->psk_len = psk_len; 2200 memcpy(conf->psk, psk, conf->psk_len); 2201 2202 /* Check and set PSK Identity */ 2203 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len); 2204 if (ret != 0) { 2205 ssl_conf_remove_psk(conf); 2206 } 2207 2208 return ret; 2209 } 2210 2211 static void ssl_remove_psk(mbedtls_ssl_context *ssl) 2212 { 2213 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2214 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 2215 /* The maintenance of the external PSK key slot is the 2216 * user's responsibility. */ 2217 if (ssl->handshake->psk_opaque_is_internal) { 2218 psa_destroy_key(ssl->handshake->psk_opaque); 2219 ssl->handshake->psk_opaque_is_internal = 0; 2220 } 2221 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 2222 } 2223 #else 2224 if (ssl->handshake->psk != NULL) { 2225 mbedtls_platform_zeroize(ssl->handshake->psk, 2226 ssl->handshake->psk_len); 2227 mbedtls_free(ssl->handshake->psk); 2228 ssl->handshake->psk_len = 0; 2229 } 2230 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2231 } 2232 2233 int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl, 2234 const unsigned char *psk, size_t psk_len) 2235 { 2236 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2237 psa_key_attributes_t key_attributes = psa_key_attributes_init(); 2238 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2239 psa_algorithm_t alg = PSA_ALG_NONE; 2240 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2241 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2242 2243 if (psk == NULL || ssl->handshake == NULL) { 2244 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2245 } 2246 2247 if (psk_len > MBEDTLS_PSK_MAX_LEN) { 2248 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2249 } 2250 2251 ssl_remove_psk(ssl); 2252 2253 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2254 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2255 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2256 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 2257 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); 2258 } else { 2259 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); 2260 } 2261 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 2262 } 2263 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2264 2265 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2266 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2267 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH); 2268 psa_set_key_usage_flags(&key_attributes, 2269 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT); 2270 } 2271 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 2272 2273 psa_set_key_algorithm(&key_attributes, alg); 2274 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE); 2275 2276 status = psa_import_key(&key_attributes, psk, psk_len, &key); 2277 if (status != PSA_SUCCESS) { 2278 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2279 } 2280 2281 /* Allow calling psa_destroy_key() on psk remove */ 2282 ssl->handshake->psk_opaque_is_internal = 1; 2283 return mbedtls_ssl_set_hs_psk_opaque(ssl, key); 2284 #else 2285 if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) { 2286 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2287 } 2288 2289 ssl->handshake->psk_len = psk_len; 2290 memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len); 2291 2292 return 0; 2293 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2294 } 2295 2296 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2297 int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf, 2298 mbedtls_svc_key_id_t psk, 2299 const unsigned char *psk_identity, 2300 size_t psk_identity_len) 2301 { 2302 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2303 2304 /* We currently only support one PSK, raw or opaque. */ 2305 if (mbedtls_ssl_conf_has_static_psk(conf)) { 2306 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2307 } 2308 2309 /* Check and set opaque PSK */ 2310 if (mbedtls_svc_key_id_is_null(psk)) { 2311 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2312 } 2313 conf->psk_opaque = psk; 2314 2315 /* Check and set PSK Identity */ 2316 ret = ssl_conf_set_psk_identity(conf, psk_identity, 2317 psk_identity_len); 2318 if (ret != 0) { 2319 ssl_conf_remove_psk(conf); 2320 } 2321 2322 return ret; 2323 } 2324 2325 int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl, 2326 mbedtls_svc_key_id_t psk) 2327 { 2328 if ((mbedtls_svc_key_id_is_null(psk)) || 2329 (ssl->handshake == NULL)) { 2330 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2331 } 2332 2333 ssl_remove_psk(ssl); 2334 ssl->handshake->psk_opaque = psk; 2335 return 0; 2336 } 2337 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2338 2339 #if defined(MBEDTLS_SSL_SRV_C) 2340 void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf, 2341 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, 2342 size_t), 2343 void *p_psk) 2344 { 2345 conf->f_psk = f_psk; 2346 conf->p_psk = p_psk; 2347 } 2348 #endif /* MBEDTLS_SSL_SRV_C */ 2349 2350 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 2351 2352 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2353 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode( 2354 psa_algorithm_t alg) 2355 { 2356 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 2357 if (alg == PSA_ALG_CBC_NO_PADDING) { 2358 return MBEDTLS_SSL_MODE_CBC; 2359 } 2360 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 2361 if (PSA_ALG_IS_AEAD(alg)) { 2362 return MBEDTLS_SSL_MODE_AEAD; 2363 } 2364 return MBEDTLS_SSL_MODE_STREAM; 2365 } 2366 2367 #else /* MBEDTLS_USE_PSA_CRYPTO */ 2368 2369 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode( 2370 mbedtls_cipher_mode_t mode) 2371 { 2372 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 2373 if (mode == MBEDTLS_MODE_CBC) { 2374 return MBEDTLS_SSL_MODE_CBC; 2375 } 2376 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 2377 2378 #if defined(MBEDTLS_GCM_C) || \ 2379 defined(MBEDTLS_CCM_C) || \ 2380 defined(MBEDTLS_CHACHAPOLY_C) 2381 if (mode == MBEDTLS_MODE_GCM || 2382 mode == MBEDTLS_MODE_CCM || 2383 mode == MBEDTLS_MODE_CHACHAPOLY) { 2384 return MBEDTLS_SSL_MODE_AEAD; 2385 } 2386 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ 2387 2388 return MBEDTLS_SSL_MODE_STREAM; 2389 } 2390 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2391 2392 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode( 2393 mbedtls_ssl_mode_t base_mode, 2394 int encrypt_then_mac) 2395 { 2396 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2397 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && 2398 base_mode == MBEDTLS_SSL_MODE_CBC) { 2399 return MBEDTLS_SSL_MODE_CBC_ETM; 2400 } 2401 #else 2402 (void) encrypt_then_mac; 2403 #endif 2404 return base_mode; 2405 } 2406 2407 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform( 2408 const mbedtls_ssl_transform *transform) 2409 { 2410 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode( 2411 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2412 transform->psa_alg 2413 #else 2414 mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc) 2415 #endif 2416 ); 2417 2418 int encrypt_then_mac = 0; 2419 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2420 encrypt_then_mac = transform->encrypt_then_mac; 2421 #endif 2422 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac); 2423 } 2424 2425 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2426 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2427 int encrypt_then_mac, 2428 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 2429 const mbedtls_ssl_ciphersuite_t *suite) 2430 { 2431 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM; 2432 2433 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2434 psa_status_t status; 2435 psa_algorithm_t alg; 2436 psa_key_type_t type; 2437 size_t size; 2438 status = mbedtls_ssl_cipher_to_psa(suite->cipher, 0, &alg, &type, &size); 2439 if (status == PSA_SUCCESS) { 2440 base_mode = mbedtls_ssl_get_base_mode(alg); 2441 } 2442 #else 2443 const mbedtls_cipher_info_t *cipher = 2444 mbedtls_cipher_info_from_type(suite->cipher); 2445 if (cipher != NULL) { 2446 base_mode = 2447 mbedtls_ssl_get_base_mode( 2448 mbedtls_cipher_info_get_mode(cipher)); 2449 } 2450 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2451 2452 #if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2453 int encrypt_then_mac = 0; 2454 #endif 2455 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac); 2456 } 2457 2458 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 2459 2460 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2461 /* Serialization of TLS 1.3 sessions: 2462 * 2463 * struct { 2464 * opaque hostname<0..2^16-1>; 2465 * uint64 ticket_received; 2466 * uint32 ticket_lifetime; 2467 * opaque ticket<1..2^16-1>; 2468 * } ClientOnlyData; 2469 * 2470 * struct { 2471 * uint8 endpoint; 2472 * uint8 ciphersuite[2]; 2473 * uint32 ticket_age_add; 2474 * uint8 ticket_flags; 2475 * opaque resumption_key<0..255>; 2476 * select ( endpoint ) { 2477 * case client: ClientOnlyData; 2478 * case server: uint64 start_time; 2479 * }; 2480 * } serialized_session_tls13; 2481 * 2482 */ 2483 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 2484 MBEDTLS_CHECK_RETURN_CRITICAL 2485 static int ssl_tls13_session_save(const mbedtls_ssl_session *session, 2486 unsigned char *buf, 2487 size_t buf_len, 2488 size_t *olen) 2489 { 2490 unsigned char *p = buf; 2491 #if defined(MBEDTLS_SSL_CLI_C) && \ 2492 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2493 size_t hostname_len = (session->hostname == NULL) ? 2494 0 : strlen(session->hostname) + 1; 2495 #endif 2496 size_t needed = 1 /* endpoint */ 2497 + 2 /* ciphersuite */ 2498 + 4 /* ticket_age_add */ 2499 + 1 /* ticket_flags */ 2500 + 1; /* resumption_key length */ 2501 *olen = 0; 2502 2503 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) { 2504 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2505 } 2506 needed += session->resumption_key_len; /* resumption_key */ 2507 2508 #if defined(MBEDTLS_HAVE_TIME) 2509 needed += 8; /* start_time or ticket_received */ 2510 #endif 2511 2512 #if defined(MBEDTLS_SSL_CLI_C) 2513 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 2514 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2515 needed += 2 /* hostname_len */ 2516 + hostname_len; /* hostname */ 2517 #endif 2518 2519 needed += 4 /* ticket_lifetime */ 2520 + 2; /* ticket_len */ 2521 2522 /* Check size_t overflow */ 2523 if (session->ticket_len > SIZE_MAX - needed) { 2524 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2525 } 2526 2527 needed += session->ticket_len; /* ticket */ 2528 } 2529 #endif /* MBEDTLS_SSL_CLI_C */ 2530 2531 *olen = needed; 2532 if (needed > buf_len) { 2533 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 2534 } 2535 2536 p[0] = session->endpoint; 2537 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 1); 2538 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 3); 2539 p[7] = session->ticket_flags; 2540 2541 /* save resumption_key */ 2542 p[8] = session->resumption_key_len; 2543 p += 9; 2544 memcpy(p, session->resumption_key, session->resumption_key_len); 2545 p += session->resumption_key_len; 2546 2547 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) 2548 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 2549 MBEDTLS_PUT_UINT64_BE((uint64_t) session->start, p, 0); 2550 p += 8; 2551 } 2552 #endif /* MBEDTLS_HAVE_TIME */ 2553 2554 #if defined(MBEDTLS_SSL_CLI_C) 2555 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 2556 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2557 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0); 2558 p += 2; 2559 if (hostname_len > 0) { 2560 /* save host name */ 2561 memcpy(p, session->hostname, hostname_len); 2562 p += hostname_len; 2563 } 2564 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 2565 2566 #if defined(MBEDTLS_HAVE_TIME) 2567 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_received, p, 0); 2568 p += 8; 2569 #endif 2570 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); 2571 p += 4; 2572 2573 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0); 2574 p += 2; 2575 2576 if (session->ticket != NULL && session->ticket_len > 0) { 2577 memcpy(p, session->ticket, session->ticket_len); 2578 p += session->ticket_len; 2579 } 2580 } 2581 #endif /* MBEDTLS_SSL_CLI_C */ 2582 return 0; 2583 } 2584 2585 MBEDTLS_CHECK_RETURN_CRITICAL 2586 static int ssl_tls13_session_load(mbedtls_ssl_session *session, 2587 const unsigned char *buf, 2588 size_t len) 2589 { 2590 const unsigned char *p = buf; 2591 const unsigned char *end = buf + len; 2592 2593 if (end - p < 9) { 2594 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2595 } 2596 session->endpoint = p[0]; 2597 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 1); 2598 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 3); 2599 session->ticket_flags = p[7]; 2600 2601 /* load resumption_key */ 2602 session->resumption_key_len = p[8]; 2603 p += 9; 2604 2605 if (end - p < session->resumption_key_len) { 2606 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2607 } 2608 2609 if (sizeof(session->resumption_key) < session->resumption_key_len) { 2610 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2611 } 2612 memcpy(session->resumption_key, p, session->resumption_key_len); 2613 p += session->resumption_key_len; 2614 2615 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) 2616 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 2617 if (end - p < 8) { 2618 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2619 } 2620 session->start = MBEDTLS_GET_UINT64_BE(p, 0); 2621 p += 8; 2622 } 2623 #endif /* MBEDTLS_HAVE_TIME */ 2624 2625 #if defined(MBEDTLS_SSL_CLI_C) 2626 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 2627 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ 2628 defined(MBEDTLS_SSL_SESSION_TICKETS) 2629 size_t hostname_len; 2630 /* load host name */ 2631 if (end - p < 2) { 2632 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2633 } 2634 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0); 2635 p += 2; 2636 2637 if (end - p < (long int) hostname_len) { 2638 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2639 } 2640 if (hostname_len > 0) { 2641 session->hostname = mbedtls_calloc(1, hostname_len); 2642 if (session->hostname == NULL) { 2643 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2644 } 2645 memcpy(session->hostname, p, hostname_len); 2646 p += hostname_len; 2647 } 2648 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && 2649 MBEDTLS_SSL_SESSION_TICKETS */ 2650 2651 #if defined(MBEDTLS_HAVE_TIME) 2652 if (end - p < 8) { 2653 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2654 } 2655 session->ticket_received = MBEDTLS_GET_UINT64_BE(p, 0); 2656 p += 8; 2657 #endif 2658 if (end - p < 4) { 2659 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2660 } 2661 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); 2662 p += 4; 2663 2664 if (end - p < 2) { 2665 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2666 } 2667 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0); 2668 p += 2; 2669 2670 if (end - p < (long int) session->ticket_len) { 2671 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2672 } 2673 if (session->ticket_len > 0) { 2674 session->ticket = mbedtls_calloc(1, session->ticket_len); 2675 if (session->ticket == NULL) { 2676 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2677 } 2678 memcpy(session->ticket, p, session->ticket_len); 2679 p += session->ticket_len; 2680 } 2681 } 2682 #endif /* MBEDTLS_SSL_CLI_C */ 2683 2684 return 0; 2685 2686 } 2687 #else /* MBEDTLS_SSL_SESSION_TICKETS */ 2688 MBEDTLS_CHECK_RETURN_CRITICAL 2689 static int ssl_tls13_session_save(const mbedtls_ssl_session *session, 2690 unsigned char *buf, 2691 size_t buf_len, 2692 size_t *olen) 2693 { 2694 ((void) session); 2695 ((void) buf); 2696 ((void) buf_len); 2697 *olen = 0; 2698 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2699 } 2700 2701 static int ssl_tls13_session_load(const mbedtls_ssl_session *session, 2702 unsigned char *buf, 2703 size_t buf_len) 2704 { 2705 ((void) session); 2706 ((void) buf); 2707 ((void) buf_len); 2708 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2709 } 2710 #endif /* !MBEDTLS_SSL_SESSION_TICKETS */ 2711 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 2712 2713 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type, 2714 size_t taglen, 2715 psa_algorithm_t *alg, 2716 psa_key_type_t *key_type, 2717 size_t *key_size) 2718 { 2719 switch (mbedtls_cipher_type) { 2720 case MBEDTLS_CIPHER_AES_128_CBC: 2721 *alg = PSA_ALG_CBC_NO_PADDING; 2722 *key_type = PSA_KEY_TYPE_AES; 2723 *key_size = 128; 2724 break; 2725 case MBEDTLS_CIPHER_AES_128_CCM: 2726 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2727 *key_type = PSA_KEY_TYPE_AES; 2728 *key_size = 128; 2729 break; 2730 case MBEDTLS_CIPHER_AES_128_GCM: 2731 *alg = PSA_ALG_GCM; 2732 *key_type = PSA_KEY_TYPE_AES; 2733 *key_size = 128; 2734 break; 2735 case MBEDTLS_CIPHER_AES_192_CCM: 2736 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2737 *key_type = PSA_KEY_TYPE_AES; 2738 *key_size = 192; 2739 break; 2740 case MBEDTLS_CIPHER_AES_192_GCM: 2741 *alg = PSA_ALG_GCM; 2742 *key_type = PSA_KEY_TYPE_AES; 2743 *key_size = 192; 2744 break; 2745 case MBEDTLS_CIPHER_AES_256_CBC: 2746 *alg = PSA_ALG_CBC_NO_PADDING; 2747 *key_type = PSA_KEY_TYPE_AES; 2748 *key_size = 256; 2749 break; 2750 case MBEDTLS_CIPHER_AES_256_CCM: 2751 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2752 *key_type = PSA_KEY_TYPE_AES; 2753 *key_size = 256; 2754 break; 2755 case MBEDTLS_CIPHER_AES_256_GCM: 2756 *alg = PSA_ALG_GCM; 2757 *key_type = PSA_KEY_TYPE_AES; 2758 *key_size = 256; 2759 break; 2760 case MBEDTLS_CIPHER_ARIA_128_CBC: 2761 *alg = PSA_ALG_CBC_NO_PADDING; 2762 *key_type = PSA_KEY_TYPE_ARIA; 2763 *key_size = 128; 2764 break; 2765 case MBEDTLS_CIPHER_ARIA_128_CCM: 2766 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2767 *key_type = PSA_KEY_TYPE_ARIA; 2768 *key_size = 128; 2769 break; 2770 case MBEDTLS_CIPHER_ARIA_128_GCM: 2771 *alg = PSA_ALG_GCM; 2772 *key_type = PSA_KEY_TYPE_ARIA; 2773 *key_size = 128; 2774 break; 2775 case MBEDTLS_CIPHER_ARIA_192_CCM: 2776 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2777 *key_type = PSA_KEY_TYPE_ARIA; 2778 *key_size = 192; 2779 break; 2780 case MBEDTLS_CIPHER_ARIA_192_GCM: 2781 *alg = PSA_ALG_GCM; 2782 *key_type = PSA_KEY_TYPE_ARIA; 2783 *key_size = 192; 2784 break; 2785 case MBEDTLS_CIPHER_ARIA_256_CBC: 2786 *alg = PSA_ALG_CBC_NO_PADDING; 2787 *key_type = PSA_KEY_TYPE_ARIA; 2788 *key_size = 256; 2789 break; 2790 case MBEDTLS_CIPHER_ARIA_256_CCM: 2791 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2792 *key_type = PSA_KEY_TYPE_ARIA; 2793 *key_size = 256; 2794 break; 2795 case MBEDTLS_CIPHER_ARIA_256_GCM: 2796 *alg = PSA_ALG_GCM; 2797 *key_type = PSA_KEY_TYPE_ARIA; 2798 *key_size = 256; 2799 break; 2800 case MBEDTLS_CIPHER_CAMELLIA_128_CBC: 2801 *alg = PSA_ALG_CBC_NO_PADDING; 2802 *key_type = PSA_KEY_TYPE_CAMELLIA; 2803 *key_size = 128; 2804 break; 2805 case MBEDTLS_CIPHER_CAMELLIA_128_CCM: 2806 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2807 *key_type = PSA_KEY_TYPE_CAMELLIA; 2808 *key_size = 128; 2809 break; 2810 case MBEDTLS_CIPHER_CAMELLIA_128_GCM: 2811 *alg = PSA_ALG_GCM; 2812 *key_type = PSA_KEY_TYPE_CAMELLIA; 2813 *key_size = 128; 2814 break; 2815 case MBEDTLS_CIPHER_CAMELLIA_192_CCM: 2816 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2817 *key_type = PSA_KEY_TYPE_CAMELLIA; 2818 *key_size = 192; 2819 break; 2820 case MBEDTLS_CIPHER_CAMELLIA_192_GCM: 2821 *alg = PSA_ALG_GCM; 2822 *key_type = PSA_KEY_TYPE_CAMELLIA; 2823 *key_size = 192; 2824 break; 2825 case MBEDTLS_CIPHER_CAMELLIA_256_CBC: 2826 *alg = PSA_ALG_CBC_NO_PADDING; 2827 *key_type = PSA_KEY_TYPE_CAMELLIA; 2828 *key_size = 256; 2829 break; 2830 case MBEDTLS_CIPHER_CAMELLIA_256_CCM: 2831 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2832 *key_type = PSA_KEY_TYPE_CAMELLIA; 2833 *key_size = 256; 2834 break; 2835 case MBEDTLS_CIPHER_CAMELLIA_256_GCM: 2836 *alg = PSA_ALG_GCM; 2837 *key_type = PSA_KEY_TYPE_CAMELLIA; 2838 *key_size = 256; 2839 break; 2840 case MBEDTLS_CIPHER_CHACHA20_POLY1305: 2841 *alg = PSA_ALG_CHACHA20_POLY1305; 2842 *key_type = PSA_KEY_TYPE_CHACHA20; 2843 *key_size = 256; 2844 break; 2845 case MBEDTLS_CIPHER_NULL: 2846 *alg = MBEDTLS_SSL_NULL_CIPHER; 2847 *key_type = 0; 2848 *key_size = 0; 2849 break; 2850 default: 2851 return PSA_ERROR_NOT_SUPPORTED; 2852 } 2853 2854 return PSA_SUCCESS; 2855 } 2856 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ 2857 2858 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 2859 int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf, 2860 const unsigned char *dhm_P, size_t P_len, 2861 const unsigned char *dhm_G, size_t G_len) 2862 { 2863 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2864 2865 mbedtls_mpi_free(&conf->dhm_P); 2866 mbedtls_mpi_free(&conf->dhm_G); 2867 2868 if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 || 2869 (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) { 2870 mbedtls_mpi_free(&conf->dhm_P); 2871 mbedtls_mpi_free(&conf->dhm_G); 2872 return ret; 2873 } 2874 2875 return 0; 2876 } 2877 2878 int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx) 2879 { 2880 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2881 2882 mbedtls_mpi_free(&conf->dhm_P); 2883 mbedtls_mpi_free(&conf->dhm_G); 2884 2885 if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P, 2886 &conf->dhm_P)) != 0 || 2887 (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G, 2888 &conf->dhm_G)) != 0) { 2889 mbedtls_mpi_free(&conf->dhm_P); 2890 mbedtls_mpi_free(&conf->dhm_G); 2891 return ret; 2892 } 2893 2894 return 0; 2895 } 2896 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */ 2897 2898 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 2899 /* 2900 * Set the minimum length for Diffie-Hellman parameters 2901 */ 2902 void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf, 2903 unsigned int bitlen) 2904 { 2905 conf->dhm_min_bitlen = bitlen; 2906 } 2907 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ 2908 2909 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2910 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2) 2911 /* 2912 * Set allowed/preferred hashes for handshake signatures 2913 */ 2914 void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf, 2915 const int *hashes) 2916 { 2917 conf->sig_hashes = hashes; 2918 } 2919 #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */ 2920 2921 /* Configure allowed signature algorithms for handshake */ 2922 void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, 2923 const uint16_t *sig_algs) 2924 { 2925 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2926 conf->sig_hashes = NULL; 2927 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 2928 conf->sig_algs = sig_algs; 2929 } 2930 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2931 2932 #if defined(MBEDTLS_ECP_C) 2933 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2934 /* 2935 * Set the allowed elliptic curves 2936 * 2937 * mbedtls_ssl_setup() takes the provided list 2938 * and translates it to a list of IANA TLS group identifiers, 2939 * stored in ssl->handshake->group_list. 2940 * 2941 */ 2942 void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf, 2943 const mbedtls_ecp_group_id *curve_list) 2944 { 2945 conf->curve_list = curve_list; 2946 conf->group_list = NULL; 2947 } 2948 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 2949 #endif /* MBEDTLS_ECP_C */ 2950 2951 /* 2952 * Set the allowed groups 2953 */ 2954 void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, 2955 const uint16_t *group_list) 2956 { 2957 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 2958 conf->curve_list = NULL; 2959 #endif 2960 conf->group_list = group_list; 2961 } 2962 2963 #if defined(MBEDTLS_X509_CRT_PARSE_C) 2964 int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname) 2965 { 2966 /* Initialize to suppress unnecessary compiler warning */ 2967 size_t hostname_len = 0; 2968 2969 /* Check if new hostname is valid before 2970 * making any change to current one */ 2971 if (hostname != NULL) { 2972 hostname_len = strlen(hostname); 2973 2974 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) { 2975 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2976 } 2977 } 2978 2979 /* Now it's clear that we will overwrite the old hostname, 2980 * so we can free it safely */ 2981 2982 if (ssl->hostname != NULL) { 2983 mbedtls_platform_zeroize(ssl->hostname, strlen(ssl->hostname)); 2984 mbedtls_free(ssl->hostname); 2985 } 2986 2987 /* Passing NULL as hostname shall clear the old one */ 2988 2989 if (hostname == NULL) { 2990 ssl->hostname = NULL; 2991 } else { 2992 ssl->hostname = mbedtls_calloc(1, hostname_len + 1); 2993 if (ssl->hostname == NULL) { 2994 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2995 } 2996 2997 memcpy(ssl->hostname, hostname, hostname_len); 2998 2999 ssl->hostname[hostname_len] = '\0'; 3000 } 3001 3002 return 0; 3003 } 3004 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3005 3006 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3007 void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf, 3008 int (*f_sni)(void *, mbedtls_ssl_context *, 3009 const unsigned char *, size_t), 3010 void *p_sni) 3011 { 3012 conf->f_sni = f_sni; 3013 conf->p_sni = p_sni; 3014 } 3015 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 3016 3017 #if defined(MBEDTLS_SSL_ALPN) 3018 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos) 3019 { 3020 size_t cur_len, tot_len; 3021 const char **p; 3022 3023 /* 3024 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings 3025 * MUST NOT be truncated." 3026 * We check lengths now rather than later. 3027 */ 3028 tot_len = 0; 3029 for (p = protos; *p != NULL; p++) { 3030 cur_len = strlen(*p); 3031 tot_len += cur_len; 3032 3033 if ((cur_len == 0) || 3034 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) || 3035 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) { 3036 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3037 } 3038 } 3039 3040 conf->alpn_list = protos; 3041 3042 return 0; 3043 } 3044 3045 const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl) 3046 { 3047 return ssl->alpn_chosen; 3048 } 3049 #endif /* MBEDTLS_SSL_ALPN */ 3050 3051 #if defined(MBEDTLS_SSL_DTLS_SRTP) 3052 void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf, 3053 int support_mki_value) 3054 { 3055 conf->dtls_srtp_mki_support = support_mki_value; 3056 } 3057 3058 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl, 3059 unsigned char *mki_value, 3060 uint16_t mki_len) 3061 { 3062 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) { 3063 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3064 } 3065 3066 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) { 3067 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3068 } 3069 3070 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len); 3071 ssl->dtls_srtp_info.mki_len = mki_len; 3072 return 0; 3073 } 3074 3075 int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf, 3076 const mbedtls_ssl_srtp_profile *profiles) 3077 { 3078 const mbedtls_ssl_srtp_profile *p; 3079 size_t list_size = 0; 3080 3081 /* check the profiles list: all entry must be valid, 3082 * its size cannot be more than the total number of supported profiles, currently 4 */ 3083 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET && 3084 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH; 3085 p++) { 3086 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) { 3087 list_size++; 3088 } else { 3089 /* unsupported value, stop parsing and set the size to an error value */ 3090 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1; 3091 } 3092 } 3093 3094 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) { 3095 conf->dtls_srtp_profile_list = NULL; 3096 conf->dtls_srtp_profile_list_len = 0; 3097 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3098 } 3099 3100 conf->dtls_srtp_profile_list = profiles; 3101 conf->dtls_srtp_profile_list_len = list_size; 3102 3103 return 0; 3104 } 3105 3106 void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl, 3107 mbedtls_dtls_srtp_info *dtls_srtp_info) 3108 { 3109 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile; 3110 /* do not copy the mki value if there is no chosen profile */ 3111 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) { 3112 dtls_srtp_info->mki_len = 0; 3113 } else { 3114 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len; 3115 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value, 3116 ssl->dtls_srtp_info.mki_len); 3117 } 3118 } 3119 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 3120 3121 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 3122 void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor) 3123 { 3124 conf->max_tls_version = (major << 8) | minor; 3125 } 3126 3127 void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor) 3128 { 3129 conf->min_tls_version = (major << 8) | minor; 3130 } 3131 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 3132 3133 #if defined(MBEDTLS_SSL_SRV_C) 3134 void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, 3135 char cert_req_ca_list) 3136 { 3137 conf->cert_req_ca_list = cert_req_ca_list; 3138 } 3139 #endif 3140 3141 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 3142 void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm) 3143 { 3144 conf->encrypt_then_mac = etm; 3145 } 3146 #endif 3147 3148 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 3149 void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems) 3150 { 3151 conf->extended_ms = ems; 3152 } 3153 #endif 3154 3155 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3156 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code) 3157 { 3158 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || 3159 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) { 3160 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3161 } 3162 3163 conf->mfl_code = mfl_code; 3164 3165 return 0; 3166 } 3167 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 3168 3169 void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy) 3170 { 3171 conf->allow_legacy_renegotiation = allow_legacy; 3172 } 3173 3174 #if defined(MBEDTLS_SSL_RENEGOTIATION) 3175 void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation) 3176 { 3177 conf->disable_renegotiation = renegotiation; 3178 } 3179 3180 void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records) 3181 { 3182 conf->renego_max_records = max_records; 3183 } 3184 3185 void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf, 3186 const unsigned char period[8]) 3187 { 3188 memcpy(conf->renego_period, period, 8); 3189 } 3190 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 3191 3192 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3193 #if defined(MBEDTLS_SSL_CLI_C) 3194 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets) 3195 { 3196 conf->session_tickets = use_tickets; 3197 } 3198 #endif 3199 3200 #if defined(MBEDTLS_SSL_SRV_C) 3201 3202 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 3203 void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf, 3204 uint16_t num_tickets) 3205 { 3206 conf->new_session_tickets_count = num_tickets; 3207 } 3208 #endif 3209 3210 void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf, 3211 mbedtls_ssl_ticket_write_t *f_ticket_write, 3212 mbedtls_ssl_ticket_parse_t *f_ticket_parse, 3213 void *p_ticket) 3214 { 3215 conf->f_ticket_write = f_ticket_write; 3216 conf->f_ticket_parse = f_ticket_parse; 3217 conf->p_ticket = p_ticket; 3218 } 3219 #endif 3220 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3221 3222 void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl, 3223 mbedtls_ssl_export_keys_t *f_export_keys, 3224 void *p_export_keys) 3225 { 3226 ssl->f_export_keys = f_export_keys; 3227 ssl->p_export_keys = p_export_keys; 3228 } 3229 3230 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3231 void mbedtls_ssl_conf_async_private_cb( 3232 mbedtls_ssl_config *conf, 3233 mbedtls_ssl_async_sign_t *f_async_sign, 3234 mbedtls_ssl_async_decrypt_t *f_async_decrypt, 3235 mbedtls_ssl_async_resume_t *f_async_resume, 3236 mbedtls_ssl_async_cancel_t *f_async_cancel, 3237 void *async_config_data) 3238 { 3239 conf->f_async_sign_start = f_async_sign; 3240 conf->f_async_decrypt_start = f_async_decrypt; 3241 conf->f_async_resume = f_async_resume; 3242 conf->f_async_cancel = f_async_cancel; 3243 conf->p_async_config_data = async_config_data; 3244 } 3245 3246 void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf) 3247 { 3248 return conf->p_async_config_data; 3249 } 3250 3251 void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl) 3252 { 3253 if (ssl->handshake == NULL) { 3254 return NULL; 3255 } else { 3256 return ssl->handshake->user_async_ctx; 3257 } 3258 } 3259 3260 void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl, 3261 void *ctx) 3262 { 3263 if (ssl->handshake != NULL) { 3264 ssl->handshake->user_async_ctx = ctx; 3265 } 3266 } 3267 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3268 3269 /* 3270 * SSL get accessors 3271 */ 3272 uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl) 3273 { 3274 if (ssl->session != NULL) { 3275 return ssl->session->verify_result; 3276 } 3277 3278 if (ssl->session_negotiate != NULL) { 3279 return ssl->session_negotiate->verify_result; 3280 } 3281 3282 return 0xFFFFFFFF; 3283 } 3284 3285 int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl) 3286 { 3287 if (ssl == NULL || ssl->session == NULL) { 3288 return 0; 3289 } 3290 3291 return ssl->session->ciphersuite; 3292 } 3293 3294 const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl) 3295 { 3296 if (ssl == NULL || ssl->session == NULL) { 3297 return NULL; 3298 } 3299 3300 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite); 3301 } 3302 3303 const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl) 3304 { 3305 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3306 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 3307 switch (ssl->tls_version) { 3308 case MBEDTLS_SSL_VERSION_TLS1_2: 3309 return "DTLSv1.2"; 3310 default: 3311 return "unknown (DTLS)"; 3312 } 3313 } 3314 #endif 3315 3316 switch (ssl->tls_version) { 3317 case MBEDTLS_SSL_VERSION_TLS1_2: 3318 return "TLSv1.2"; 3319 case MBEDTLS_SSL_VERSION_TLS1_3: 3320 return "TLSv1.3"; 3321 default: 3322 return "unknown"; 3323 } 3324 } 3325 3326 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3327 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl) 3328 { 3329 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN; 3330 size_t read_mfl; 3331 3332 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3333 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */ 3334 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 3335 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) { 3336 return ssl_mfl_code_to_length(ssl->conf->mfl_code); 3337 } 3338 #endif 3339 3340 /* Check if a smaller max length was negotiated */ 3341 if (ssl->session_out != NULL) { 3342 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code); 3343 if (read_mfl < max_len) { 3344 max_len = read_mfl; 3345 } 3346 } 3347 3348 /* During a handshake, use the value being negotiated */ 3349 if (ssl->session_negotiate != NULL) { 3350 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code); 3351 if (read_mfl < max_len) { 3352 max_len = read_mfl; 3353 } 3354 } 3355 3356 return max_len; 3357 } 3358 3359 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl) 3360 { 3361 size_t max_len; 3362 3363 /* 3364 * Assume mfl_code is correct since it was checked when set 3365 */ 3366 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code); 3367 3368 /* Check if a smaller max length was negotiated */ 3369 if (ssl->session_out != NULL && 3370 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) { 3371 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code); 3372 } 3373 3374 /* During a handshake, use the value being negotiated */ 3375 if (ssl->session_negotiate != NULL && 3376 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) { 3377 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code); 3378 } 3379 3380 return max_len; 3381 } 3382 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 3383 3384 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3385 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl) 3386 { 3387 /* Return unlimited mtu for client hello messages to avoid fragmentation. */ 3388 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 3389 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO || 3390 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) { 3391 return 0; 3392 } 3393 3394 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) { 3395 return ssl->mtu; 3396 } 3397 3398 if (ssl->mtu == 0) { 3399 return ssl->handshake->mtu; 3400 } 3401 3402 return ssl->mtu < ssl->handshake->mtu ? 3403 ssl->mtu : ssl->handshake->mtu; 3404 } 3405 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3406 3407 int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl) 3408 { 3409 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN; 3410 3411 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \ 3412 !defined(MBEDTLS_SSL_PROTO_DTLS) 3413 (void) ssl; 3414 #endif 3415 3416 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3417 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl); 3418 3419 if (max_len > mfl) { 3420 max_len = mfl; 3421 } 3422 #endif 3423 3424 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3425 if (mbedtls_ssl_get_current_mtu(ssl) != 0) { 3426 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl); 3427 const int ret = mbedtls_ssl_get_record_expansion(ssl); 3428 const size_t overhead = (size_t) ret; 3429 3430 if (ret < 0) { 3431 return ret; 3432 } 3433 3434 if (mtu <= overhead) { 3435 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion")); 3436 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3437 } 3438 3439 if (max_len > mtu - overhead) { 3440 max_len = mtu - overhead; 3441 } 3442 } 3443 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3444 3445 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \ 3446 !defined(MBEDTLS_SSL_PROTO_DTLS) 3447 ((void) ssl); 3448 #endif 3449 3450 return (int) max_len; 3451 } 3452 3453 int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl) 3454 { 3455 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN; 3456 3457 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3458 (void) ssl; 3459 #endif 3460 3461 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3462 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl); 3463 3464 if (max_len > mfl) { 3465 max_len = mfl; 3466 } 3467 #endif 3468 3469 return (int) max_len; 3470 } 3471 3472 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3473 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl) 3474 { 3475 if (ssl == NULL || ssl->session == NULL) { 3476 return NULL; 3477 } 3478 3479 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3480 return ssl->session->peer_cert; 3481 #else 3482 return NULL; 3483 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3484 } 3485 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3486 3487 #if defined(MBEDTLS_SSL_CLI_C) 3488 int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, 3489 mbedtls_ssl_session *dst) 3490 { 3491 int ret; 3492 3493 if (ssl == NULL || 3494 dst == NULL || 3495 ssl->session == NULL || 3496 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) { 3497 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3498 } 3499 3500 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer 3501 * idempotent: Each session can only be exported once. 3502 * 3503 * (This is in preparation for TLS 1.3 support where we will 3504 * need the ability to export multiple sessions (aka tickets), 3505 * which will be achieved by calling mbedtls_ssl_get_session() 3506 * multiple times until it fails.) 3507 * 3508 * Check whether we have already exported the current session, 3509 * and fail if so. 3510 */ 3511 if (ssl->session->exported == 1) { 3512 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3513 } 3514 3515 ret = mbedtls_ssl_session_copy(dst, ssl->session); 3516 if (ret != 0) { 3517 return ret; 3518 } 3519 3520 /* Remember that we've exported the session. */ 3521 ssl->session->exported = 1; 3522 return 0; 3523 } 3524 #endif /* MBEDTLS_SSL_CLI_C */ 3525 3526 /* 3527 * Define ticket header determining Mbed TLS version 3528 * and structure of the ticket. 3529 */ 3530 3531 /* 3532 * Define bitflag determining compile-time settings influencing 3533 * structure of serialized SSL sessions. 3534 */ 3535 3536 #if defined(MBEDTLS_HAVE_TIME) 3537 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1 3538 #else 3539 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0 3540 #endif /* MBEDTLS_HAVE_TIME */ 3541 3542 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3543 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1 3544 #else 3545 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0 3546 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3547 3548 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) 3549 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1 3550 #else 3551 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0 3552 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */ 3553 3554 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3555 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1 3556 #else 3557 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0 3558 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 3559 3560 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 3561 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1 3562 #else 3563 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0 3564 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 3565 3566 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3567 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1 3568 #else 3569 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0 3570 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3571 3572 #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0 3573 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1 3574 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2 3575 #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3 3576 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4 3577 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5 3578 3579 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ 3580 ((uint16_t) ( \ 3581 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \ 3582 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \ 3583 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \ 3584 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \ 3585 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \ 3586 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ 3587 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT))) 3588 3589 static unsigned char ssl_serialized_session_header[] = { 3590 MBEDTLS_VERSION_MAJOR, 3591 MBEDTLS_VERSION_MINOR, 3592 MBEDTLS_VERSION_PATCH, 3593 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 3594 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 3595 }; 3596 3597 /* 3598 * Serialize a session in the following format: 3599 * (in the presentation language of TLS, RFC 8446 section 3) 3600 * 3601 * struct { 3602 * 3603 * opaque mbedtls_version[3]; // library version: major, minor, patch 3604 * opaque session_format[2]; // library-version specific 16-bit field 3605 * // determining the format of the remaining 3606 * // serialized data. 3607 * 3608 * Note: When updating the format, remember to keep 3609 * these version+format bytes. 3610 * 3611 * // In this version, `session_format` determines 3612 * // the setting of those compile-time 3613 * // configuration options which influence 3614 * // the structure of mbedtls_ssl_session. 3615 * 3616 * uint8_t minor_ver; // Protocol minor version. Possible values: 3617 * // - TLS 1.2 (0x0303) 3618 * // - TLS 1.3 (0x0304) 3619 * 3620 * select (serialized_session.tls_version) { 3621 * 3622 * case MBEDTLS_SSL_VERSION_TLS1_2: 3623 * serialized_session_tls12 data; 3624 * case MBEDTLS_SSL_VERSION_TLS1_3: 3625 * serialized_session_tls13 data; 3626 * 3627 * }; 3628 * 3629 * } serialized_session; 3630 * 3631 */ 3632 3633 MBEDTLS_CHECK_RETURN_CRITICAL 3634 static int ssl_session_save(const mbedtls_ssl_session *session, 3635 unsigned char omit_header, 3636 unsigned char *buf, 3637 size_t buf_len, 3638 size_t *olen) 3639 { 3640 unsigned char *p = buf; 3641 size_t used = 0; 3642 size_t remaining_len; 3643 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3644 size_t out_len; 3645 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3646 #endif 3647 if (session == NULL) { 3648 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3649 } 3650 3651 if (!omit_header) { 3652 /* 3653 * Add Mbed TLS version identifier 3654 */ 3655 used += sizeof(ssl_serialized_session_header); 3656 3657 if (used <= buf_len) { 3658 memcpy(p, ssl_serialized_session_header, 3659 sizeof(ssl_serialized_session_header)); 3660 p += sizeof(ssl_serialized_session_header); 3661 } 3662 } 3663 3664 /* 3665 * TLS version identifier 3666 */ 3667 used += 1; 3668 if (used <= buf_len) { 3669 *p++ = MBEDTLS_BYTE_0(session->tls_version); 3670 } 3671 3672 /* Forward to version-specific serialization routine. */ 3673 remaining_len = (buf_len >= used) ? buf_len - used : 0; 3674 switch (session->tls_version) { 3675 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3676 case MBEDTLS_SSL_VERSION_TLS1_2: 3677 used += ssl_tls12_session_save(session, p, remaining_len); 3678 break; 3679 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3680 3681 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3682 case MBEDTLS_SSL_VERSION_TLS1_3: 3683 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len); 3684 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { 3685 return ret; 3686 } 3687 used += out_len; 3688 break; 3689 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 3690 3691 default: 3692 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3693 } 3694 3695 *olen = used; 3696 if (used > buf_len) { 3697 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 3698 } 3699 3700 return 0; 3701 } 3702 3703 /* 3704 * Public wrapper for ssl_session_save() 3705 */ 3706 int mbedtls_ssl_session_save(const mbedtls_ssl_session *session, 3707 unsigned char *buf, 3708 size_t buf_len, 3709 size_t *olen) 3710 { 3711 return ssl_session_save(session, 0, buf, buf_len, olen); 3712 } 3713 3714 /* 3715 * Deserialize session, see mbedtls_ssl_session_save() for format. 3716 * 3717 * This internal version is wrapped by a public function that cleans up in 3718 * case of error, and has an extra option omit_header. 3719 */ 3720 MBEDTLS_CHECK_RETURN_CRITICAL 3721 static int ssl_session_load(mbedtls_ssl_session *session, 3722 unsigned char omit_header, 3723 const unsigned char *buf, 3724 size_t len) 3725 { 3726 const unsigned char *p = buf; 3727 const unsigned char * const end = buf + len; 3728 size_t remaining_len; 3729 3730 3731 if (session == NULL) { 3732 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 3733 } 3734 3735 if (!omit_header) { 3736 /* 3737 * Check Mbed TLS version identifier 3738 */ 3739 3740 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) { 3741 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3742 } 3743 3744 if (memcmp(p, ssl_serialized_session_header, 3745 sizeof(ssl_serialized_session_header)) != 0) { 3746 return MBEDTLS_ERR_SSL_VERSION_MISMATCH; 3747 } 3748 p += sizeof(ssl_serialized_session_header); 3749 } 3750 3751 /* 3752 * TLS version identifier 3753 */ 3754 if (1 > (size_t) (end - p)) { 3755 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3756 } 3757 session->tls_version = 0x0300 | *p++; 3758 3759 /* Dispatch according to TLS version. */ 3760 remaining_len = (end - p); 3761 switch (session->tls_version) { 3762 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3763 case MBEDTLS_SSL_VERSION_TLS1_2: 3764 return ssl_tls12_session_load(session, p, remaining_len); 3765 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3766 3767 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3768 case MBEDTLS_SSL_VERSION_TLS1_3: 3769 return ssl_tls13_session_load(session, p, remaining_len); 3770 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 3771 3772 default: 3773 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3774 } 3775 } 3776 3777 /* 3778 * Deserialize session: public wrapper for error cleaning 3779 */ 3780 int mbedtls_ssl_session_load(mbedtls_ssl_session *session, 3781 const unsigned char *buf, 3782 size_t len) 3783 { 3784 int ret = ssl_session_load(session, 0, buf, len); 3785 3786 if (ret != 0) { 3787 mbedtls_ssl_session_free(session); 3788 } 3789 3790 return ret; 3791 } 3792 3793 /* 3794 * Perform a single step of the SSL handshake 3795 */ 3796 MBEDTLS_CHECK_RETURN_CRITICAL 3797 static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl) 3798 { 3799 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3800 3801 /* 3802 * We may have not been able to send to the peer all the handshake data 3803 * that were written into the output buffer by the previous handshake step, 3804 * if the write to the network callback returned with the 3805 * #MBEDTLS_ERR_SSL_WANT_WRITE error code. 3806 * We proceed to the next handshake step only when all data from the 3807 * previous one have been sent to the peer, thus we make sure that this is 3808 * the case here by calling `mbedtls_ssl_flush_output()`. The function may 3809 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case 3810 * we have to wait before to go ahead. 3811 * In the case of TLS 1.3, handshake step handlers do not send data to the 3812 * peer. Data are only sent here and through 3813 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an 3814 * alert occurred. 3815 */ 3816 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) { 3817 return ret; 3818 } 3819 3820 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3821 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 3822 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) { 3823 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 3824 return ret; 3825 } 3826 } 3827 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3828 3829 return ret; 3830 } 3831 3832 int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl) 3833 { 3834 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3835 3836 if (ssl == NULL || 3837 ssl->conf == NULL || 3838 ssl->handshake == NULL || 3839 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) { 3840 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3841 } 3842 3843 ret = ssl_prepare_handshake_step(ssl); 3844 if (ret != 0) { 3845 return ret; 3846 } 3847 3848 ret = mbedtls_ssl_handle_pending_alert(ssl); 3849 if (ret != 0) { 3850 goto cleanup; 3851 } 3852 3853 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or 3854 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */ 3855 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3856 3857 #if defined(MBEDTLS_SSL_CLI_C) 3858 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3859 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s", 3860 mbedtls_ssl_states_str(ssl->state))); 3861 3862 switch (ssl->state) { 3863 case MBEDTLS_SSL_HELLO_REQUEST: 3864 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 3865 ret = 0; 3866 break; 3867 3868 case MBEDTLS_SSL_CLIENT_HELLO: 3869 ret = mbedtls_ssl_write_client_hello(ssl); 3870 break; 3871 3872 default: 3873 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 3874 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 3875 ret = mbedtls_ssl_tls13_handshake_client_step(ssl); 3876 } else { 3877 ret = mbedtls_ssl_handshake_client_step(ssl); 3878 } 3879 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2) 3880 ret = mbedtls_ssl_handshake_client_step(ssl); 3881 #else 3882 ret = mbedtls_ssl_tls13_handshake_client_step(ssl); 3883 #endif 3884 } 3885 } 3886 #endif 3887 #if defined(MBEDTLS_SSL_SRV_C) 3888 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 3889 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3890 if (mbedtls_ssl_conf_is_tls13_only(ssl->conf)) { 3891 ret = mbedtls_ssl_tls13_handshake_server_step(ssl); 3892 } 3893 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 3894 3895 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3896 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf)) { 3897 ret = mbedtls_ssl_handshake_server_step(ssl); 3898 } 3899 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3900 } 3901 #endif 3902 3903 if (ret != 0) { 3904 /* handshake_step return error. And it is same 3905 * with alert_reason. 3906 */ 3907 if (ssl->send_alert) { 3908 ret = mbedtls_ssl_handle_pending_alert(ssl); 3909 goto cleanup; 3910 } 3911 } 3912 3913 cleanup: 3914 return ret; 3915 } 3916 3917 /* 3918 * Perform the SSL handshake 3919 */ 3920 int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl) 3921 { 3922 int ret = 0; 3923 3924 /* Sanity checks */ 3925 3926 if (ssl == NULL || ssl->conf == NULL) { 3927 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3928 } 3929 3930 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3931 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 3932 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) { 3933 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use " 3934 "mbedtls_ssl_set_timer_cb() for DTLS")); 3935 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3936 } 3937 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3938 3939 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake")); 3940 3941 /* Main handshake loop */ 3942 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) { 3943 ret = mbedtls_ssl_handshake_step(ssl); 3944 3945 if (ret != 0) { 3946 break; 3947 } 3948 } 3949 3950 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake")); 3951 3952 return ret; 3953 } 3954 3955 #if defined(MBEDTLS_SSL_RENEGOTIATION) 3956 #if defined(MBEDTLS_SSL_SRV_C) 3957 /* 3958 * Write HelloRequest to request renegotiation on server 3959 */ 3960 MBEDTLS_CHECK_RETURN_CRITICAL 3961 static int ssl_write_hello_request(mbedtls_ssl_context *ssl) 3962 { 3963 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3964 3965 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request")); 3966 3967 ssl->out_msglen = 4; 3968 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 3969 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; 3970 3971 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 3972 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 3973 return ret; 3974 } 3975 3976 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request")); 3977 3978 return 0; 3979 } 3980 #endif /* MBEDTLS_SSL_SRV_C */ 3981 3982 /* 3983 * Actually renegotiate current connection, triggered by either: 3984 * - any side: calling mbedtls_ssl_renegotiate(), 3985 * - client: receiving a HelloRequest during mbedtls_ssl_read(), 3986 * - server: receiving any handshake message on server during mbedtls_ssl_read() after 3987 * the initial handshake is completed. 3988 * If the handshake doesn't complete due to waiting for I/O, it will continue 3989 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. 3990 */ 3991 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl) 3992 { 3993 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3994 3995 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate")); 3996 3997 if ((ret = ssl_handshake_init(ssl)) != 0) { 3998 return ret; 3999 } 4000 4001 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and 4002 * the ServerHello will have message_seq = 1" */ 4003 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4004 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4005 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) { 4006 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 4007 ssl->handshake->out_msg_seq = 1; 4008 } else { 4009 ssl->handshake->in_msg_seq = 1; 4010 } 4011 } 4012 #endif 4013 4014 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 4015 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; 4016 4017 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { 4018 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); 4019 return ret; 4020 } 4021 4022 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate")); 4023 4024 return 0; 4025 } 4026 4027 /* 4028 * Renegotiate current connection on client, 4029 * or request renegotiation on server 4030 */ 4031 int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl) 4032 { 4033 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4034 4035 if (ssl == NULL || ssl->conf == NULL) { 4036 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4037 } 4038 4039 #if defined(MBEDTLS_SSL_SRV_C) 4040 /* On server, just send the request */ 4041 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 4042 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 4043 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4044 } 4045 4046 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 4047 4048 /* Did we already try/start sending HelloRequest? */ 4049 if (ssl->out_left != 0) { 4050 return mbedtls_ssl_flush_output(ssl); 4051 } 4052 4053 return ssl_write_hello_request(ssl); 4054 } 4055 #endif /* MBEDTLS_SSL_SRV_C */ 4056 4057 #if defined(MBEDTLS_SSL_CLI_C) 4058 /* 4059 * On client, either start the renegotiation process or, 4060 * if already in progress, continue the handshake 4061 */ 4062 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 4063 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 4064 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4065 } 4066 4067 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) { 4068 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret); 4069 return ret; 4070 } 4071 } else { 4072 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { 4073 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); 4074 return ret; 4075 } 4076 } 4077 #endif /* MBEDTLS_SSL_CLI_C */ 4078 4079 return ret; 4080 } 4081 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 4082 4083 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl) 4084 { 4085 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 4086 4087 if (handshake == NULL) { 4088 return; 4089 } 4090 4091 #if defined(MBEDTLS_ECP_C) 4092 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 4093 if (ssl->handshake->group_list_heap_allocated) { 4094 mbedtls_free((void *) handshake->group_list); 4095 } 4096 handshake->group_list = NULL; 4097 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 4098 #endif /* MBEDTLS_ECP_C */ 4099 4100 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 4101 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 4102 if (ssl->handshake->sig_algs_heap_allocated) { 4103 mbedtls_free((void *) handshake->sig_algs); 4104 } 4105 handshake->sig_algs = NULL; 4106 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 4107 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4108 if (ssl->handshake->certificate_request_context) { 4109 mbedtls_free((void *) handshake->certificate_request_context); 4110 } 4111 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4112 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 4113 4114 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 4115 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) { 4116 ssl->conf->f_async_cancel(ssl); 4117 handshake->async_in_progress = 0; 4118 } 4119 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 4120 4121 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 4122 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4123 psa_hash_abort(&handshake->fin_sha256_psa); 4124 #else 4125 mbedtls_md_free(&handshake->fin_sha256); 4126 #endif 4127 #endif 4128 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 4129 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4130 psa_hash_abort(&handshake->fin_sha384_psa); 4131 #else 4132 mbedtls_md_free(&handshake->fin_sha384); 4133 #endif 4134 #endif 4135 4136 #if defined(MBEDTLS_DHM_C) 4137 mbedtls_dhm_free(&handshake->dhm_ctx); 4138 #endif 4139 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C) 4140 mbedtls_ecdh_free(&handshake->ecdh_ctx); 4141 #endif 4142 4143 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 4144 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4145 psa_pake_abort(&handshake->psa_pake_ctx); 4146 /* 4147 * Opaque keys are not stored in the handshake's data and it's the user 4148 * responsibility to destroy them. Clear ones, instead, are created by 4149 * the TLS library and should be destroyed at the same level 4150 */ 4151 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) { 4152 psa_destroy_key(handshake->psa_pake_password); 4153 } 4154 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; 4155 #else 4156 mbedtls_ecjpake_free(&handshake->ecjpake_ctx); 4157 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 4158 #if defined(MBEDTLS_SSL_CLI_C) 4159 mbedtls_free(handshake->ecjpake_cache); 4160 handshake->ecjpake_cache = NULL; 4161 handshake->ecjpake_cache_len = 0; 4162 #endif 4163 #endif 4164 4165 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 4166 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 4167 /* explicit void pointer cast for buggy MS compiler */ 4168 mbedtls_free((void *) handshake->curves_tls_id); 4169 #endif 4170 4171 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 4172 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4173 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 4174 /* The maintenance of the external PSK key slot is the 4175 * user's responsibility. */ 4176 if (ssl->handshake->psk_opaque_is_internal) { 4177 psa_destroy_key(ssl->handshake->psk_opaque); 4178 ssl->handshake->psk_opaque_is_internal = 0; 4179 } 4180 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 4181 } 4182 #else 4183 if (handshake->psk != NULL) { 4184 mbedtls_platform_zeroize(handshake->psk, handshake->psk_len); 4185 mbedtls_free(handshake->psk); 4186 } 4187 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 4188 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 4189 4190 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 4191 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4192 /* 4193 * Free only the linked list wrapper, not the keys themselves 4194 * since the belong to the SNI callback 4195 */ 4196 ssl_key_cert_free(handshake->sni_key_cert); 4197 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ 4198 4199 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 4200 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx); 4201 if (handshake->ecrs_peer_cert != NULL) { 4202 mbedtls_x509_crt_free(handshake->ecrs_peer_cert); 4203 mbedtls_free(handshake->ecrs_peer_cert); 4204 } 4205 #endif 4206 4207 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 4208 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 4209 mbedtls_pk_free(&handshake->peer_pubkey); 4210 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4211 4212 #if defined(MBEDTLS_SSL_CLI_C) && \ 4213 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) 4214 mbedtls_free(handshake->cookie); 4215 #endif /* MBEDTLS_SSL_CLI_C && 4216 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */ 4217 4218 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4219 mbedtls_ssl_flight_free(handshake->flight); 4220 mbedtls_ssl_buffering_free(ssl); 4221 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4222 4223 #if defined(MBEDTLS_ECDH_C) && \ 4224 (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) 4225 if (handshake->ecdh_psa_privkey_is_external == 0) { 4226 psa_destroy_key(handshake->ecdh_psa_privkey); 4227 } 4228 #endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */ 4229 4230 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4231 mbedtls_ssl_transform_free(handshake->transform_handshake); 4232 mbedtls_free(handshake->transform_handshake); 4233 #if defined(MBEDTLS_SSL_EARLY_DATA) 4234 mbedtls_ssl_transform_free(handshake->transform_earlydata); 4235 mbedtls_free(handshake->transform_earlydata); 4236 #endif 4237 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4238 4239 4240 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 4241 /* If the buffers are too big - reallocate. Because of the way Mbed TLS 4242 * processes datagrams and the fact that a datagram is allowed to have 4243 * several records in it, it is possible that the I/O buffers are not 4244 * empty at this stage */ 4245 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl), 4246 mbedtls_ssl_get_output_buflen(ssl)); 4247 #endif 4248 4249 /* mbedtls_platform_zeroize MUST be last one in this function */ 4250 mbedtls_platform_zeroize(handshake, 4251 sizeof(mbedtls_ssl_handshake_params)); 4252 } 4253 4254 void mbedtls_ssl_session_free(mbedtls_ssl_session *session) 4255 { 4256 if (session == NULL) { 4257 return; 4258 } 4259 4260 #if defined(MBEDTLS_X509_CRT_PARSE_C) 4261 ssl_clear_peer_cert(session); 4262 #endif 4263 4264 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 4265 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 4266 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4267 mbedtls_free(session->hostname); 4268 #endif 4269 mbedtls_free(session->ticket); 4270 #endif 4271 4272 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session)); 4273 } 4274 4275 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 4276 4277 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 4278 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u 4279 #else 4280 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u 4281 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 4282 4283 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u 4284 4285 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 4286 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u 4287 #else 4288 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u 4289 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 4290 4291 #if defined(MBEDTLS_SSL_ALPN) 4292 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u 4293 #else 4294 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u 4295 #endif /* MBEDTLS_SSL_ALPN */ 4296 4297 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0 4298 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1 4299 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2 4300 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3 4301 4302 #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \ 4303 ((uint32_t) ( \ 4304 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \ 4305 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \ 4306 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \ 4307 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \ 4308 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \ 4309 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \ 4310 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \ 4311 0u)) 4312 4313 static unsigned char ssl_serialized_context_header[] = { 4314 MBEDTLS_VERSION_MAJOR, 4315 MBEDTLS_VERSION_MINOR, 4316 MBEDTLS_VERSION_PATCH, 4317 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4318 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4319 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 4320 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 4321 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 4322 }; 4323 4324 /* 4325 * Serialize a full SSL context 4326 * 4327 * The format of the serialized data is: 4328 * (in the presentation language of TLS, RFC 8446 section 3) 4329 * 4330 * // header 4331 * opaque mbedtls_version[3]; // major, minor, patch 4332 * opaque context_format[5]; // version-specific field determining 4333 * // the format of the remaining 4334 * // serialized data. 4335 * Note: When updating the format, remember to keep these 4336 * version+format bytes. (We may make their size part of the API.) 4337 * 4338 * // session sub-structure 4339 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save() 4340 * // transform sub-structure 4341 * uint8 random[64]; // ServerHello.random+ClientHello.random 4342 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value 4343 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use 4344 * // fields from ssl_context 4345 * uint32 badmac_seen; // DTLS: number of records with failing MAC 4346 * uint64 in_window_top; // DTLS: last validated record seq_num 4347 * uint64 in_window; // DTLS: bitmask for replay protection 4348 * uint8 disable_datagram_packing; // DTLS: only one record per datagram 4349 * uint64 cur_out_ctr; // Record layer: outgoing sequence number 4350 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size) 4351 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol 4352 * 4353 * Note that many fields of the ssl_context or sub-structures are not 4354 * serialized, as they fall in one of the following categories: 4355 * 4356 * 1. forced value (eg in_left must be 0) 4357 * 2. pointer to dynamically-allocated memory (eg session, transform) 4358 * 3. value can be re-derived from other data (eg session keys from MS) 4359 * 4. value was temporary (eg content of input buffer) 4360 * 5. value will be provided by the user again (eg I/O callbacks and context) 4361 */ 4362 int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl, 4363 unsigned char *buf, 4364 size_t buf_len, 4365 size_t *olen) 4366 { 4367 unsigned char *p = buf; 4368 size_t used = 0; 4369 size_t session_len; 4370 int ret = 0; 4371 4372 /* 4373 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in 4374 * this function's documentation. 4375 * 4376 * These are due to assumptions/limitations in the implementation. Some of 4377 * them are likely to stay (no handshake in progress) some might go away 4378 * (only DTLS) but are currently used to simplify the implementation. 4379 */ 4380 /* The initial handshake must be over */ 4381 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 4382 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over")); 4383 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4384 } 4385 if (ssl->handshake != NULL) { 4386 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed")); 4387 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4388 } 4389 /* Double-check that sub-structures are indeed ready */ 4390 if (ssl->transform == NULL || ssl->session == NULL) { 4391 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready")); 4392 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4393 } 4394 /* There must be no pending incoming or outgoing data */ 4395 if (mbedtls_ssl_check_pending(ssl) != 0) { 4396 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data")); 4397 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4398 } 4399 if (ssl->out_left != 0) { 4400 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data")); 4401 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4402 } 4403 /* Protocol must be DTLS, not TLS */ 4404 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 4405 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported")); 4406 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4407 } 4408 /* Version must be 1.2 */ 4409 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { 4410 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported")); 4411 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4412 } 4413 /* We must be using an AEAD ciphersuite */ 4414 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) { 4415 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported")); 4416 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4417 } 4418 /* Renegotiation must not be enabled */ 4419 #if defined(MBEDTLS_SSL_RENEGOTIATION) 4420 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) { 4421 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled")); 4422 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4423 } 4424 #endif 4425 4426 /* 4427 * Version and format identifier 4428 */ 4429 used += sizeof(ssl_serialized_context_header); 4430 4431 if (used <= buf_len) { 4432 memcpy(p, ssl_serialized_context_header, 4433 sizeof(ssl_serialized_context_header)); 4434 p += sizeof(ssl_serialized_context_header); 4435 } 4436 4437 /* 4438 * Session (length + data) 4439 */ 4440 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len); 4441 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { 4442 return ret; 4443 } 4444 4445 used += 4 + session_len; 4446 if (used <= buf_len) { 4447 MBEDTLS_PUT_UINT32_BE(session_len, p, 0); 4448 p += 4; 4449 4450 ret = ssl_session_save(ssl->session, 1, 4451 p, session_len, &session_len); 4452 if (ret != 0) { 4453 return ret; 4454 } 4455 4456 p += session_len; 4457 } 4458 4459 /* 4460 * Transform 4461 */ 4462 used += sizeof(ssl->transform->randbytes); 4463 if (used <= buf_len) { 4464 memcpy(p, ssl->transform->randbytes, 4465 sizeof(ssl->transform->randbytes)); 4466 p += sizeof(ssl->transform->randbytes); 4467 } 4468 4469 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 4470 used += 2 + ssl->transform->in_cid_len + ssl->transform->out_cid_len; 4471 if (used <= buf_len) { 4472 *p++ = ssl->transform->in_cid_len; 4473 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len); 4474 p += ssl->transform->in_cid_len; 4475 4476 *p++ = ssl->transform->out_cid_len; 4477 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len); 4478 p += ssl->transform->out_cid_len; 4479 } 4480 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 4481 4482 /* 4483 * Saved fields from top-level ssl_context structure 4484 */ 4485 used += 4; 4486 if (used <= buf_len) { 4487 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0); 4488 p += 4; 4489 } 4490 4491 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 4492 used += 16; 4493 if (used <= buf_len) { 4494 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0); 4495 p += 8; 4496 4497 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0); 4498 p += 8; 4499 } 4500 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 4501 4502 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4503 used += 1; 4504 if (used <= buf_len) { 4505 *p++ = ssl->disable_datagram_packing; 4506 } 4507 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4508 4509 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; 4510 if (used <= buf_len) { 4511 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN); 4512 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; 4513 } 4514 4515 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4516 used += 2; 4517 if (used <= buf_len) { 4518 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0); 4519 p += 2; 4520 } 4521 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4522 4523 #if defined(MBEDTLS_SSL_ALPN) 4524 { 4525 const uint8_t alpn_len = ssl->alpn_chosen 4526 ? (uint8_t) strlen(ssl->alpn_chosen) 4527 : 0; 4528 4529 used += 1 + alpn_len; 4530 if (used <= buf_len) { 4531 *p++ = alpn_len; 4532 4533 if (ssl->alpn_chosen != NULL) { 4534 memcpy(p, ssl->alpn_chosen, alpn_len); 4535 p += alpn_len; 4536 } 4537 } 4538 } 4539 #endif /* MBEDTLS_SSL_ALPN */ 4540 4541 /* 4542 * Done 4543 */ 4544 *olen = used; 4545 4546 if (used > buf_len) { 4547 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 4548 } 4549 4550 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used); 4551 4552 return mbedtls_ssl_session_reset_int(ssl, 0); 4553 } 4554 4555 /* 4556 * Deserialize context, see mbedtls_ssl_context_save() for format. 4557 * 4558 * This internal version is wrapped by a public function that cleans up in 4559 * case of error. 4560 */ 4561 MBEDTLS_CHECK_RETURN_CRITICAL 4562 static int ssl_context_load(mbedtls_ssl_context *ssl, 4563 const unsigned char *buf, 4564 size_t len) 4565 { 4566 const unsigned char *p = buf; 4567 const unsigned char * const end = buf + len; 4568 size_t session_len; 4569 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4570 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 4571 tls_prf_fn prf_func = NULL; 4572 #endif 4573 4574 /* 4575 * The context should have been freshly setup or reset. 4576 * Give the user an error in case of obvious misuse. 4577 * (Checking session is useful because it won't be NULL if we're 4578 * renegotiating, or if the user mistakenly loaded a session first.) 4579 */ 4580 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST || 4581 ssl->session != NULL) { 4582 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4583 } 4584 4585 /* 4586 * We can't check that the config matches the initial one, but we can at 4587 * least check it matches the requirements for serializing. 4588 */ 4589 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 4590 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 || 4591 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 || 4592 #if defined(MBEDTLS_SSL_RENEGOTIATION) 4593 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED || 4594 #endif 4595 0) { 4596 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4597 } 4598 4599 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len); 4600 4601 /* 4602 * Check version identifier 4603 */ 4604 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) { 4605 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4606 } 4607 4608 if (memcmp(p, ssl_serialized_context_header, 4609 sizeof(ssl_serialized_context_header)) != 0) { 4610 return MBEDTLS_ERR_SSL_VERSION_MISMATCH; 4611 } 4612 p += sizeof(ssl_serialized_context_header); 4613 4614 /* 4615 * Session 4616 */ 4617 if ((size_t) (end - p) < 4) { 4618 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4619 } 4620 4621 session_len = ((size_t) p[0] << 24) | 4622 ((size_t) p[1] << 16) | 4623 ((size_t) p[2] << 8) | 4624 ((size_t) p[3]); 4625 p += 4; 4626 4627 /* This has been allocated by ssl_handshake_init(), called by 4628 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ 4629 ssl->session = ssl->session_negotiate; 4630 ssl->session_in = ssl->session; 4631 ssl->session_out = ssl->session; 4632 ssl->session_negotiate = NULL; 4633 4634 if ((size_t) (end - p) < session_len) { 4635 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4636 } 4637 4638 ret = ssl_session_load(ssl->session, 1, p, session_len); 4639 if (ret != 0) { 4640 mbedtls_ssl_session_free(ssl->session); 4641 return ret; 4642 } 4643 4644 p += session_len; 4645 4646 /* 4647 * Transform 4648 */ 4649 4650 /* This has been allocated by ssl_handshake_init(), called by 4651 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ 4652 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 4653 ssl->transform = ssl->transform_negotiate; 4654 ssl->transform_in = ssl->transform; 4655 ssl->transform_out = ssl->transform; 4656 ssl->transform_negotiate = NULL; 4657 #endif 4658 4659 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 4660 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite); 4661 if (prf_func == NULL) { 4662 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4663 } 4664 4665 /* Read random bytes and populate structure */ 4666 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) { 4667 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4668 } 4669 4670 ret = ssl_tls12_populate_transform(ssl->transform, 4671 ssl->session->ciphersuite, 4672 ssl->session->master, 4673 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 4674 ssl->session->encrypt_then_mac, 4675 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 4676 prf_func, 4677 p, /* currently pointing to randbytes */ 4678 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */ 4679 ssl->conf->endpoint, 4680 ssl); 4681 if (ret != 0) { 4682 return ret; 4683 } 4684 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 4685 p += sizeof(ssl->transform->randbytes); 4686 4687 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 4688 /* Read connection IDs and store them */ 4689 if ((size_t) (end - p) < 1) { 4690 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4691 } 4692 4693 ssl->transform->in_cid_len = *p++; 4694 4695 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) { 4696 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4697 } 4698 4699 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len); 4700 p += ssl->transform->in_cid_len; 4701 4702 ssl->transform->out_cid_len = *p++; 4703 4704 if ((size_t) (end - p) < ssl->transform->out_cid_len) { 4705 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4706 } 4707 4708 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len); 4709 p += ssl->transform->out_cid_len; 4710 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 4711 4712 /* 4713 * Saved fields from top-level ssl_context structure 4714 */ 4715 if ((size_t) (end - p) < 4) { 4716 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4717 } 4718 4719 ssl->badmac_seen = ((uint32_t) p[0] << 24) | 4720 ((uint32_t) p[1] << 16) | 4721 ((uint32_t) p[2] << 8) | 4722 ((uint32_t) p[3]); 4723 p += 4; 4724 4725 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 4726 if ((size_t) (end - p) < 16) { 4727 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4728 } 4729 4730 ssl->in_window_top = ((uint64_t) p[0] << 56) | 4731 ((uint64_t) p[1] << 48) | 4732 ((uint64_t) p[2] << 40) | 4733 ((uint64_t) p[3] << 32) | 4734 ((uint64_t) p[4] << 24) | 4735 ((uint64_t) p[5] << 16) | 4736 ((uint64_t) p[6] << 8) | 4737 ((uint64_t) p[7]); 4738 p += 8; 4739 4740 ssl->in_window = ((uint64_t) p[0] << 56) | 4741 ((uint64_t) p[1] << 48) | 4742 ((uint64_t) p[2] << 40) | 4743 ((uint64_t) p[3] << 32) | 4744 ((uint64_t) p[4] << 24) | 4745 ((uint64_t) p[5] << 16) | 4746 ((uint64_t) p[6] << 8) | 4747 ((uint64_t) p[7]); 4748 p += 8; 4749 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 4750 4751 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4752 if ((size_t) (end - p) < 1) { 4753 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4754 } 4755 4756 ssl->disable_datagram_packing = *p++; 4757 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4758 4759 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) { 4760 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4761 } 4762 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr)); 4763 p += sizeof(ssl->cur_out_ctr); 4764 4765 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4766 if ((size_t) (end - p) < 2) { 4767 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4768 } 4769 4770 ssl->mtu = (p[0] << 8) | p[1]; 4771 p += 2; 4772 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4773 4774 #if defined(MBEDTLS_SSL_ALPN) 4775 { 4776 uint8_t alpn_len; 4777 const char **cur; 4778 4779 if ((size_t) (end - p) < 1) { 4780 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4781 } 4782 4783 alpn_len = *p++; 4784 4785 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) { 4786 /* alpn_chosen should point to an item in the configured list */ 4787 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) { 4788 if (strlen(*cur) == alpn_len && 4789 memcmp(p, cur, alpn_len) == 0) { 4790 ssl->alpn_chosen = *cur; 4791 break; 4792 } 4793 } 4794 } 4795 4796 /* can only happen on conf mismatch */ 4797 if (alpn_len != 0 && ssl->alpn_chosen == NULL) { 4798 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4799 } 4800 4801 p += alpn_len; 4802 } 4803 #endif /* MBEDTLS_SSL_ALPN */ 4804 4805 /* 4806 * Forced fields from top-level ssl_context structure 4807 * 4808 * Most of them already set to the correct value by mbedtls_ssl_init() and 4809 * mbedtls_ssl_reset(), so we only need to set the remaining ones. 4810 */ 4811 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; 4812 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 4813 4814 /* Adjust pointers for header fields of outgoing records to 4815 * the given transform, accounting for explicit IV and CID. */ 4816 mbedtls_ssl_update_out_pointers(ssl, ssl->transform); 4817 4818 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4819 ssl->in_epoch = 1; 4820 #endif 4821 4822 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated, 4823 * which we don't want - otherwise we'd end up freeing the wrong transform 4824 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform() 4825 * inappropriately. */ 4826 if (ssl->handshake != NULL) { 4827 mbedtls_ssl_handshake_free(ssl); 4828 mbedtls_free(ssl->handshake); 4829 ssl->handshake = NULL; 4830 } 4831 4832 /* 4833 * Done - should have consumed entire buffer 4834 */ 4835 if (p != end) { 4836 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4837 } 4838 4839 return 0; 4840 } 4841 4842 /* 4843 * Deserialize context: public wrapper for error cleaning 4844 */ 4845 int mbedtls_ssl_context_load(mbedtls_ssl_context *context, 4846 const unsigned char *buf, 4847 size_t len) 4848 { 4849 int ret = ssl_context_load(context, buf, len); 4850 4851 if (ret != 0) { 4852 mbedtls_ssl_free(context); 4853 } 4854 4855 return ret; 4856 } 4857 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 4858 4859 /* 4860 * Free an SSL context 4861 */ 4862 void mbedtls_ssl_free(mbedtls_ssl_context *ssl) 4863 { 4864 if (ssl == NULL) { 4865 return; 4866 } 4867 4868 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free")); 4869 4870 if (ssl->out_buf != NULL) { 4871 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 4872 size_t out_buf_len = ssl->out_buf_len; 4873 #else 4874 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 4875 #endif 4876 4877 mbedtls_platform_zeroize(ssl->out_buf, out_buf_len); 4878 mbedtls_free(ssl->out_buf); 4879 ssl->out_buf = NULL; 4880 } 4881 4882 if (ssl->in_buf != NULL) { 4883 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 4884 size_t in_buf_len = ssl->in_buf_len; 4885 #else 4886 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 4887 #endif 4888 4889 mbedtls_platform_zeroize(ssl->in_buf, in_buf_len); 4890 mbedtls_free(ssl->in_buf); 4891 ssl->in_buf = NULL; 4892 } 4893 4894 if (ssl->transform) { 4895 mbedtls_ssl_transform_free(ssl->transform); 4896 mbedtls_free(ssl->transform); 4897 } 4898 4899 if (ssl->handshake) { 4900 mbedtls_ssl_handshake_free(ssl); 4901 mbedtls_free(ssl->handshake); 4902 4903 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 4904 mbedtls_ssl_transform_free(ssl->transform_negotiate); 4905 mbedtls_free(ssl->transform_negotiate); 4906 #endif 4907 4908 mbedtls_ssl_session_free(ssl->session_negotiate); 4909 mbedtls_free(ssl->session_negotiate); 4910 } 4911 4912 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4913 mbedtls_ssl_transform_free(ssl->transform_application); 4914 mbedtls_free(ssl->transform_application); 4915 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4916 4917 if (ssl->session) { 4918 mbedtls_ssl_session_free(ssl->session); 4919 mbedtls_free(ssl->session); 4920 } 4921 4922 #if defined(MBEDTLS_X509_CRT_PARSE_C) 4923 if (ssl->hostname != NULL) { 4924 mbedtls_platform_zeroize(ssl->hostname, strlen(ssl->hostname)); 4925 mbedtls_free(ssl->hostname); 4926 } 4927 #endif 4928 4929 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 4930 mbedtls_free(ssl->cli_id); 4931 #endif 4932 4933 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free")); 4934 4935 /* Actually clear after last debug message */ 4936 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context)); 4937 } 4938 4939 /* 4940 * Initialize mbedtls_ssl_config 4941 */ 4942 void mbedtls_ssl_config_init(mbedtls_ssl_config *conf) 4943 { 4944 memset(conf, 0, sizeof(mbedtls_ssl_config)); 4945 } 4946 4947 /* The selection should be the same as mbedtls_x509_crt_profile_default in 4948 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters: 4949 * curves with a lower resource usage come first. 4950 * See the documentation of mbedtls_ssl_conf_curves() for what we promise 4951 * about this list. 4952 */ 4953 static uint16_t ssl_preset_default_groups[] = { 4954 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) 4955 MBEDTLS_SSL_IANA_TLS_GROUP_X25519, 4956 #endif 4957 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 4958 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 4959 #endif 4960 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 4961 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 4962 #endif 4963 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) 4964 MBEDTLS_SSL_IANA_TLS_GROUP_X448, 4965 #endif 4966 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 4967 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, 4968 #endif 4969 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) 4970 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, 4971 #endif 4972 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) 4973 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, 4974 #endif 4975 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) 4976 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, 4977 #endif 4978 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 4979 }; 4980 4981 static int ssl_preset_suiteb_ciphersuites[] = { 4982 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 4983 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 4984 0 4985 }; 4986 4987 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 4988 4989 /* NOTICE: 4990 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following 4991 * rules SHOULD be upheld. 4992 * - No duplicate entries. 4993 * - But if there is a good reason, do not change the order of the algorithms. 4994 * - ssl_tls12_preset* is for TLS 1.2 use only. 4995 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes. 4996 */ 4997 static uint16_t ssl_preset_default_sig_algs[] = { 4998 4999 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && \ 5000 defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ 5001 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 5002 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, 5003 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA && 5004 MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 5005 5006 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && \ 5007 defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ 5008 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 5009 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, 5010 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA&& 5011 MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 5012 5013 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && \ 5014 defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ 5015 defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 5016 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512, 5017 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA&& 5018 MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 5019 5020 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \ 5021 defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5022 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, 5023 #endif \ 5024 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 5025 5026 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \ 5027 defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5028 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, 5029 #endif \ 5030 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 5031 5032 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \ 5033 defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5034 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, 5035 #endif \ 5036 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 5037 5038 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5039 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512, 5040 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA512_C */ 5041 5042 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5043 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384, 5044 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA384_C */ 5045 5046 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5047 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, 5048 #endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */ 5049 5050 MBEDTLS_TLS_SIG_NONE 5051 }; 5052 5053 /* NOTICE: see above */ 5054 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5055 static uint16_t ssl_tls12_preset_default_sig_algs[] = { 5056 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5057 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 5058 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512), 5059 #endif 5060 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5061 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, 5062 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ 5063 #if defined(MBEDTLS_RSA_C) 5064 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512), 5065 #endif 5066 #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 5067 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5068 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 5069 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), 5070 #endif 5071 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5072 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, 5073 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ 5074 #if defined(MBEDTLS_RSA_C) 5075 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384), 5076 #endif 5077 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 5078 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5079 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 5080 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), 5081 #endif 5082 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5083 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, 5084 #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ 5085 #if defined(MBEDTLS_RSA_C) 5086 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256), 5087 #endif 5088 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 5089 MBEDTLS_TLS_SIG_NONE 5090 }; 5091 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5092 /* NOTICE: see above */ 5093 static uint16_t ssl_preset_suiteb_sig_algs[] = { 5094 5095 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ 5096 defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 5097 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, 5098 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA&& 5099 MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 5100 5101 #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ 5102 defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 5103 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, 5104 #endif /* MBEDTLS_ECDSA_C && MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA&& 5105 MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 5106 5107 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \ 5108 defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5109 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, 5110 #endif \ 5111 /* MBEDTLS_X509_RSASSA_PSS_SUPPORT && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 5112 5113 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5114 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, 5115 #endif /* MBEDTLS_RSA_C && MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 5116 5117 MBEDTLS_TLS_SIG_NONE 5118 }; 5119 5120 /* NOTICE: see above */ 5121 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5122 static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { 5123 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5124 #if defined(MBEDTLS_ECDSA_C) 5125 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), 5126 #endif 5127 #if defined(MBEDTLS_RSA_C) 5128 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256), 5129 #endif 5130 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 5131 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5132 #if defined(MBEDTLS_ECDSA_C) 5133 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), 5134 #endif 5135 #if defined(MBEDTLS_RSA_C) 5136 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384), 5137 #endif 5138 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 5139 MBEDTLS_TLS_SIG_NONE 5140 }; 5141 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5142 5143 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5144 5145 static uint16_t ssl_preset_suiteb_groups[] = { 5146 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 5147 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 5148 #endif 5149 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 5150 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 5151 #endif 5152 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 5153 }; 5154 5155 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5156 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs` 5157 * to make sure there are no duplicated signature algorithm entries. */ 5158 MBEDTLS_CHECK_RETURN_CRITICAL 5159 static int ssl_check_no_sig_alg_duplication(uint16_t *sig_algs) 5160 { 5161 size_t i, j; 5162 int ret = 0; 5163 5164 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { 5165 for (j = 0; j < i; j++) { 5166 if (sig_algs[i] != sig_algs[j]) { 5167 continue; 5168 } 5169 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET 5170 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n", 5171 sig_algs[i], j, i); 5172 ret = -1; 5173 } 5174 } 5175 return ret; 5176 } 5177 5178 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5179 5180 /* 5181 * Load default in mbedtls_ssl_config 5182 */ 5183 int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, 5184 int endpoint, int transport, int preset) 5185 { 5186 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 5187 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5188 #endif 5189 5190 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5191 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) { 5192 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n"); 5193 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5194 } 5195 5196 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) { 5197 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n"); 5198 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5199 } 5200 5201 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5202 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) { 5203 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n"); 5204 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5205 } 5206 5207 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) { 5208 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n"); 5209 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5210 } 5211 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5212 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5213 5214 /* Use the functions here so that they are covered in tests, 5215 * but otherwise access member directly for efficiency */ 5216 mbedtls_ssl_conf_endpoint(conf, endpoint); 5217 mbedtls_ssl_conf_transport(conf, transport); 5218 5219 /* 5220 * Things that are common to all presets 5221 */ 5222 #if defined(MBEDTLS_SSL_CLI_C) 5223 if (endpoint == MBEDTLS_SSL_IS_CLIENT) { 5224 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; 5225 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 5226 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; 5227 #endif 5228 } 5229 #endif 5230 5231 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 5232 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 5233 #endif 5234 5235 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 5236 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 5237 #endif 5238 5239 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 5240 conf->f_cookie_write = ssl_cookie_write_dummy; 5241 conf->f_cookie_check = ssl_cookie_check_dummy; 5242 #endif 5243 5244 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5245 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; 5246 #endif 5247 5248 #if defined(MBEDTLS_SSL_SRV_C) 5249 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED; 5250 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER; 5251 #endif 5252 5253 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5254 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; 5255 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; 5256 #endif 5257 5258 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5259 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; 5260 memset(conf->renego_period, 0x00, 2); 5261 memset(conf->renego_period + 2, 0xFF, 6); 5262 #endif 5263 5264 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 5265 if (endpoint == MBEDTLS_SSL_IS_SERVER) { 5266 const unsigned char dhm_p[] = 5267 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; 5268 const unsigned char dhm_g[] = 5269 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; 5270 5271 if ((ret = mbedtls_ssl_conf_dh_param_bin(conf, 5272 dhm_p, sizeof(dhm_p), 5273 dhm_g, sizeof(dhm_g))) != 0) { 5274 return ret; 5275 } 5276 } 5277 #endif 5278 5279 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 5280 5281 #if defined(MBEDTLS_SSL_EARLY_DATA) 5282 mbedtls_ssl_tls13_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED); 5283 #if defined(MBEDTLS_SSL_SRV_C) 5284 mbedtls_ssl_tls13_conf_max_early_data_size( 5285 conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE); 5286 #endif 5287 #endif /* MBEDTLS_SSL_EARLY_DATA */ 5288 5289 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) 5290 mbedtls_ssl_conf_new_session_tickets( 5291 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS); 5292 #endif 5293 /* 5294 * Allow all TLS 1.3 key exchange modes by default. 5295 */ 5296 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; 5297 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 5298 5299 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 5300 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5301 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5302 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5303 #else 5304 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 5305 #endif 5306 } else { 5307 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 5308 if (endpoint == MBEDTLS_SSL_IS_CLIENT) { 5309 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5310 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 5311 } else { 5312 /* Hybrid TLS 1.2 / 1.3 is not supported on server side yet */ 5313 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5314 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5315 } 5316 #elif defined(MBEDTLS_SSL_PROTO_TLS1_3) 5317 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 5318 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 5319 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2) 5320 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5321 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5322 #else 5323 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 5324 #endif 5325 } 5326 5327 /* 5328 * Preset-specific defaults 5329 */ 5330 switch (preset) { 5331 /* 5332 * NSA Suite B 5333 */ 5334 case MBEDTLS_SSL_PRESET_SUITEB: 5335 5336 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites; 5337 5338 #if defined(MBEDTLS_X509_CRT_PARSE_C) 5339 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; 5340 #endif 5341 5342 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5343 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5344 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 5345 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs; 5346 } else 5347 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5348 conf->sig_algs = ssl_preset_suiteb_sig_algs; 5349 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5350 5351 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 5352 conf->curve_list = NULL; 5353 #endif 5354 conf->group_list = ssl_preset_suiteb_groups; 5355 break; 5356 5357 /* 5358 * Default 5359 */ 5360 default: 5361 5362 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites(); 5363 5364 #if defined(MBEDTLS_X509_CRT_PARSE_C) 5365 conf->cert_profile = &mbedtls_x509_crt_profile_default; 5366 #endif 5367 5368 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5369 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5370 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 5371 conf->sig_algs = ssl_tls12_preset_default_sig_algs; 5372 } else 5373 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5374 conf->sig_algs = ssl_preset_default_sig_algs; 5375 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5376 5377 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 5378 conf->curve_list = NULL; 5379 #endif 5380 conf->group_list = ssl_preset_default_groups; 5381 5382 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 5383 conf->dhm_min_bitlen = 1024; 5384 #endif 5385 } 5386 5387 return 0; 5388 } 5389 5390 /* 5391 * Free mbedtls_ssl_config 5392 */ 5393 void mbedtls_ssl_config_free(mbedtls_ssl_config *conf) 5394 { 5395 #if defined(MBEDTLS_DHM_C) 5396 mbedtls_mpi_free(&conf->dhm_P); 5397 mbedtls_mpi_free(&conf->dhm_G); 5398 #endif 5399 5400 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 5401 #if defined(MBEDTLS_USE_PSA_CRYPTO) 5402 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 5403 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 5404 } 5405 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 5406 if (conf->psk != NULL) { 5407 mbedtls_platform_zeroize(conf->psk, conf->psk_len); 5408 mbedtls_free(conf->psk); 5409 conf->psk = NULL; 5410 conf->psk_len = 0; 5411 } 5412 5413 if (conf->psk_identity != NULL) { 5414 mbedtls_platform_zeroize(conf->psk_identity, conf->psk_identity_len); 5415 mbedtls_free(conf->psk_identity); 5416 conf->psk_identity = NULL; 5417 conf->psk_identity_len = 0; 5418 } 5419 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 5420 5421 #if defined(MBEDTLS_X509_CRT_PARSE_C) 5422 ssl_key_cert_free(conf->key_cert); 5423 #endif 5424 5425 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config)); 5426 } 5427 5428 #if defined(MBEDTLS_PK_C) && \ 5429 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_CAN_ECDSA_SOME)) 5430 /* 5431 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX 5432 */ 5433 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk) 5434 { 5435 #if defined(MBEDTLS_RSA_C) 5436 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) { 5437 return MBEDTLS_SSL_SIG_RSA; 5438 } 5439 #endif 5440 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 5441 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) { 5442 return MBEDTLS_SSL_SIG_ECDSA; 5443 } 5444 #endif 5445 return MBEDTLS_SSL_SIG_ANON; 5446 } 5447 5448 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type) 5449 { 5450 switch (type) { 5451 case MBEDTLS_PK_RSA: 5452 return MBEDTLS_SSL_SIG_RSA; 5453 case MBEDTLS_PK_ECDSA: 5454 case MBEDTLS_PK_ECKEY: 5455 return MBEDTLS_SSL_SIG_ECDSA; 5456 default: 5457 return MBEDTLS_SSL_SIG_ANON; 5458 } 5459 } 5460 5461 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) 5462 { 5463 switch (sig) { 5464 #if defined(MBEDTLS_RSA_C) 5465 case MBEDTLS_SSL_SIG_RSA: 5466 return MBEDTLS_PK_RSA; 5467 #endif 5468 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 5469 case MBEDTLS_SSL_SIG_ECDSA: 5470 return MBEDTLS_PK_ECDSA; 5471 #endif 5472 default: 5473 return MBEDTLS_PK_NONE; 5474 } 5475 } 5476 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_PK_CAN_ECDSA_SOME ) */ 5477 5478 /* 5479 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX 5480 */ 5481 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash) 5482 { 5483 switch (hash) { 5484 #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5485 case MBEDTLS_SSL_HASH_MD5: 5486 return MBEDTLS_MD_MD5; 5487 #endif 5488 #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5489 case MBEDTLS_SSL_HASH_SHA1: 5490 return MBEDTLS_MD_SHA1; 5491 #endif 5492 #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5493 case MBEDTLS_SSL_HASH_SHA224: 5494 return MBEDTLS_MD_SHA224; 5495 #endif 5496 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5497 case MBEDTLS_SSL_HASH_SHA256: 5498 return MBEDTLS_MD_SHA256; 5499 #endif 5500 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5501 case MBEDTLS_SSL_HASH_SHA384: 5502 return MBEDTLS_MD_SHA384; 5503 #endif 5504 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5505 case MBEDTLS_SSL_HASH_SHA512: 5506 return MBEDTLS_MD_SHA512; 5507 #endif 5508 default: 5509 return MBEDTLS_MD_NONE; 5510 } 5511 } 5512 5513 /* 5514 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX 5515 */ 5516 unsigned char mbedtls_ssl_hash_from_md_alg(int md) 5517 { 5518 switch (md) { 5519 #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5520 case MBEDTLS_MD_MD5: 5521 return MBEDTLS_SSL_HASH_MD5; 5522 #endif 5523 #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5524 case MBEDTLS_MD_SHA1: 5525 return MBEDTLS_SSL_HASH_SHA1; 5526 #endif 5527 #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5528 case MBEDTLS_MD_SHA224: 5529 return MBEDTLS_SSL_HASH_SHA224; 5530 #endif 5531 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5532 case MBEDTLS_MD_SHA256: 5533 return MBEDTLS_SSL_HASH_SHA256; 5534 #endif 5535 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5536 case MBEDTLS_MD_SHA384: 5537 return MBEDTLS_SSL_HASH_SHA384; 5538 #endif 5539 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5540 case MBEDTLS_MD_SHA512: 5541 return MBEDTLS_SSL_HASH_SHA512; 5542 #endif 5543 default: 5544 return MBEDTLS_SSL_HASH_NONE; 5545 } 5546 } 5547 5548 /* 5549 * Check if a curve proposed by the peer is in our list. 5550 * Return 0 if we're willing to use it, -1 otherwise. 5551 */ 5552 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id) 5553 { 5554 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); 5555 5556 if (group_list == NULL) { 5557 return -1; 5558 } 5559 5560 for (; *group_list != 0; group_list++) { 5561 if (*group_list == tls_id) { 5562 return 0; 5563 } 5564 } 5565 5566 return -1; 5567 } 5568 5569 #if defined(MBEDTLS_ECP_C) 5570 /* 5571 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id. 5572 */ 5573 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id) 5574 { 5575 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); 5576 5577 if (tls_id == 0) { 5578 return -1; 5579 } 5580 5581 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id); 5582 } 5583 #endif /* MBEDTLS_ECP_C */ 5584 5585 #if defined(MBEDTLS_DEBUG_C) 5586 #define EC_NAME(_name_) _name_ 5587 #else 5588 #define EC_NAME(_name_) NULL 5589 #endif 5590 5591 static const struct { 5592 uint16_t tls_id; 5593 mbedtls_ecp_group_id ecp_group_id; 5594 psa_ecc_family_t psa_family; 5595 uint16_t bits; 5596 const char *name; 5597 } tls_id_match_table[] = 5598 { 5599 #if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521) 5600 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521, EC_NAME("secp521r1") }, 5601 #endif 5602 #if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) 5603 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512, EC_NAME("brainpoolP512r1") }, 5604 #endif 5605 #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_384) 5606 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384, EC_NAME("secp384r1") }, 5607 #endif 5608 #if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) 5609 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384, EC_NAME("brainpoolP384r1") }, 5610 #endif 5611 #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_256) 5612 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256, EC_NAME("secp256r1") }, 5613 #endif 5614 #if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_256) 5615 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256, EC_NAME("secp256k1") }, 5616 #endif 5617 #if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED) || defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) 5618 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256, EC_NAME("brainpoolP256r1") }, 5619 #endif 5620 #if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224) 5621 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224, EC_NAME("secp224r1") }, 5622 #endif 5623 #if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_224) 5624 { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224, EC_NAME("secp224k1") }, 5625 #endif 5626 #if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192) 5627 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192, EC_NAME("secp192r1") }, 5628 #endif 5629 #if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192) 5630 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192, EC_NAME("secp192k1") }, 5631 #endif 5632 #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255) 5633 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255, EC_NAME("x25519") }, 5634 #endif 5635 #if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_448) 5636 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448, EC_NAME("x448") }, 5637 #endif 5638 { 0, MBEDTLS_ECP_DP_NONE, 0, 0, NULL }, 5639 }; 5640 5641 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id, 5642 psa_ecc_family_t *family, 5643 size_t *bits) 5644 { 5645 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { 5646 if (tls_id_match_table[i].tls_id == tls_id) { 5647 if (family != NULL) { 5648 *family = tls_id_match_table[i].psa_family; 5649 } 5650 if (bits != NULL) { 5651 *bits = tls_id_match_table[i].bits; 5652 } 5653 return PSA_SUCCESS; 5654 } 5655 } 5656 5657 return PSA_ERROR_NOT_SUPPORTED; 5658 } 5659 5660 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id) 5661 { 5662 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { 5663 if (tls_id_match_table[i].tls_id == tls_id) { 5664 return tls_id_match_table[i].ecp_group_id; 5665 } 5666 } 5667 5668 return MBEDTLS_ECP_DP_NONE; 5669 } 5670 5671 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id) 5672 { 5673 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE; 5674 i++) { 5675 if (tls_id_match_table[i].ecp_group_id == grp_id) { 5676 return tls_id_match_table[i].tls_id; 5677 } 5678 } 5679 5680 return 0; 5681 } 5682 5683 #if defined(MBEDTLS_DEBUG_C) 5684 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id) 5685 { 5686 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { 5687 if (tls_id_match_table[i].tls_id == tls_id) { 5688 return tls_id_match_table[i].name; 5689 } 5690 } 5691 5692 return NULL; 5693 } 5694 #endif 5695 5696 #if defined(MBEDTLS_X509_CRT_PARSE_C) 5697 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, 5698 const mbedtls_ssl_ciphersuite_t *ciphersuite, 5699 int cert_endpoint, 5700 uint32_t *flags) 5701 { 5702 int ret = 0; 5703 int usage = 0; 5704 const char *ext_oid; 5705 size_t ext_len; 5706 5707 if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { 5708 /* Server part of the key exchange */ 5709 switch (ciphersuite->key_exchange) { 5710 case MBEDTLS_KEY_EXCHANGE_RSA: 5711 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 5712 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 5713 break; 5714 5715 case MBEDTLS_KEY_EXCHANGE_DHE_RSA: 5716 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: 5717 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: 5718 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 5719 break; 5720 5721 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: 5722 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: 5723 usage = MBEDTLS_X509_KU_KEY_AGREEMENT; 5724 break; 5725 5726 /* Don't use default: we want warnings when adding new values */ 5727 case MBEDTLS_KEY_EXCHANGE_NONE: 5728 case MBEDTLS_KEY_EXCHANGE_PSK: 5729 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 5730 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 5731 case MBEDTLS_KEY_EXCHANGE_ECJPAKE: 5732 usage = 0; 5733 } 5734 } else { 5735 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */ 5736 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 5737 } 5738 5739 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) { 5740 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; 5741 ret = -1; 5742 } 5743 5744 if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { 5745 ext_oid = MBEDTLS_OID_SERVER_AUTH; 5746 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); 5747 } else { 5748 ext_oid = MBEDTLS_OID_CLIENT_AUTH; 5749 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); 5750 } 5751 5752 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) { 5753 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; 5754 ret = -1; 5755 } 5756 5757 return ret; 5758 } 5759 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 5760 5761 #if defined(MBEDTLS_USE_PSA_CRYPTO) 5762 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 5763 const mbedtls_md_type_t md, 5764 unsigned char *dst, 5765 size_t dst_len, 5766 size_t *olen) 5767 { 5768 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 5769 psa_hash_operation_t *hash_operation_to_clone; 5770 psa_hash_operation_t hash_operation = psa_hash_operation_init(); 5771 5772 *olen = 0; 5773 5774 switch (md) { 5775 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5776 case MBEDTLS_MD_SHA384: 5777 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa; 5778 break; 5779 #endif 5780 5781 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5782 case MBEDTLS_MD_SHA256: 5783 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa; 5784 break; 5785 #endif 5786 5787 default: 5788 goto exit; 5789 } 5790 5791 status = psa_hash_clone(hash_operation_to_clone, &hash_operation); 5792 if (status != PSA_SUCCESS) { 5793 goto exit; 5794 } 5795 5796 status = psa_hash_finish(&hash_operation, dst, dst_len, olen); 5797 if (status != PSA_SUCCESS) { 5798 goto exit; 5799 } 5800 5801 exit: 5802 #if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ 5803 !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5804 (void) ssl; 5805 #endif 5806 return PSA_TO_MBEDTLS_ERR(status); 5807 } 5808 #else /* MBEDTLS_USE_PSA_CRYPTO */ 5809 5810 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5811 MBEDTLS_CHECK_RETURN_CRITICAL 5812 static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl, 5813 unsigned char *dst, 5814 size_t dst_len, 5815 size_t *olen) 5816 { 5817 int ret; 5818 mbedtls_md_context_t sha384; 5819 5820 if (dst_len < 48) { 5821 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 5822 } 5823 5824 mbedtls_md_init(&sha384); 5825 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); 5826 if (ret != 0) { 5827 goto exit; 5828 } 5829 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384); 5830 if (ret != 0) { 5831 goto exit; 5832 } 5833 5834 if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) { 5835 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 5836 goto exit; 5837 } 5838 5839 *olen = 48; 5840 5841 exit: 5842 5843 mbedtls_md_free(&sha384); 5844 return ret; 5845 } 5846 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 5847 5848 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5849 MBEDTLS_CHECK_RETURN_CRITICAL 5850 static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl, 5851 unsigned char *dst, 5852 size_t dst_len, 5853 size_t *olen) 5854 { 5855 int ret; 5856 mbedtls_md_context_t sha256; 5857 5858 if (dst_len < 32) { 5859 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 5860 } 5861 5862 mbedtls_md_init(&sha256); 5863 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0); 5864 if (ret != 0) { 5865 goto exit; 5866 } 5867 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256); 5868 if (ret != 0) { 5869 goto exit; 5870 } 5871 5872 if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) { 5873 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 5874 goto exit; 5875 } 5876 5877 *olen = 32; 5878 5879 exit: 5880 5881 mbedtls_md_free(&sha256); 5882 return ret; 5883 } 5884 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 5885 5886 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 5887 const mbedtls_md_type_t md, 5888 unsigned char *dst, 5889 size_t dst_len, 5890 size_t *olen) 5891 { 5892 switch (md) { 5893 5894 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5895 case MBEDTLS_MD_SHA384: 5896 return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen); 5897 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 5898 5899 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5900 case MBEDTLS_MD_SHA256: 5901 return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen); 5902 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 5903 5904 default: 5905 #if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ 5906 !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 5907 (void) ssl; 5908 (void) dst; 5909 (void) dst_len; 5910 (void) olen; 5911 #endif 5912 break; 5913 } 5914 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 5915 } 5916 5917 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 5918 5919 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5920 /* mbedtls_ssl_parse_sig_alg_ext() 5921 * 5922 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList` 5923 * value (TLS 1.3 RFC8446): 5924 * enum { 5925 * .... 5926 * ecdsa_secp256r1_sha256( 0x0403 ), 5927 * ecdsa_secp384r1_sha384( 0x0503 ), 5928 * ecdsa_secp521r1_sha512( 0x0603 ), 5929 * .... 5930 * } SignatureScheme; 5931 * 5932 * struct { 5933 * SignatureScheme supported_signature_algorithms<2..2^16-2>; 5934 * } SignatureSchemeList; 5935 * 5936 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm` 5937 * value (TLS 1.2 RFC5246): 5938 * enum { 5939 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 5940 * sha512(6), (255) 5941 * } HashAlgorithm; 5942 * 5943 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 5944 * SignatureAlgorithm; 5945 * 5946 * struct { 5947 * HashAlgorithm hash; 5948 * SignatureAlgorithm signature; 5949 * } SignatureAndHashAlgorithm; 5950 * 5951 * SignatureAndHashAlgorithm 5952 * supported_signature_algorithms<2..2^16-2>; 5953 * 5954 * The TLS 1.3 signature algorithm extension was defined to be a compatible 5955 * generalization of the TLS 1.2 signature algorithm extension. 5956 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by 5957 * `SignatureScheme` field of TLS 1.3 5958 * 5959 */ 5960 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl, 5961 const unsigned char *buf, 5962 const unsigned char *end) 5963 { 5964 const unsigned char *p = buf; 5965 size_t supported_sig_algs_len = 0; 5966 const unsigned char *supported_sig_algs_end; 5967 uint16_t sig_alg; 5968 uint32_t common_idx = 0; 5969 5970 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 5971 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0); 5972 p += 2; 5973 5974 memset(ssl->handshake->received_sig_algs, 0, 5975 sizeof(ssl->handshake->received_sig_algs)); 5976 5977 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len); 5978 supported_sig_algs_end = p + supported_sig_algs_len; 5979 while (p < supported_sig_algs_end) { 5980 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2); 5981 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0); 5982 p += 2; 5983 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s", 5984 sig_alg, 5985 mbedtls_ssl_sig_alg_to_str(sig_alg))); 5986 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5987 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 5988 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) && 5989 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) { 5990 continue; 5991 } 5992 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5993 5994 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s", 5995 mbedtls_ssl_sig_alg_to_str(sig_alg))); 5996 5997 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) { 5998 ssl->handshake->received_sig_algs[common_idx] = sig_alg; 5999 common_idx += 1; 6000 } 6001 } 6002 /* Check that we consumed all the message. */ 6003 if (p != end) { 6004 MBEDTLS_SSL_DEBUG_MSG(1, 6005 ("Signature algorithms extension length misaligned")); 6006 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, 6007 MBEDTLS_ERR_SSL_DECODE_ERROR); 6008 return MBEDTLS_ERR_SSL_DECODE_ERROR; 6009 } 6010 6011 if (common_idx == 0) { 6012 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common")); 6013 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, 6014 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 6015 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 6016 } 6017 6018 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE; 6019 return 0; 6020 } 6021 6022 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 6023 6024 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6025 6026 #if defined(MBEDTLS_USE_PSA_CRYPTO) 6027 6028 static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation, 6029 mbedtls_svc_key_id_t key, 6030 psa_algorithm_t alg, 6031 const unsigned char *raw_psk, size_t raw_psk_length, 6032 const unsigned char *seed, size_t seed_length, 6033 const unsigned char *label, size_t label_length, 6034 const unsigned char *other_secret, 6035 size_t other_secret_length, 6036 size_t capacity) 6037 { 6038 psa_status_t status; 6039 6040 status = psa_key_derivation_setup(derivation, alg); 6041 if (status != PSA_SUCCESS) { 6042 return status; 6043 } 6044 6045 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) { 6046 status = psa_key_derivation_input_bytes(derivation, 6047 PSA_KEY_DERIVATION_INPUT_SEED, 6048 seed, seed_length); 6049 if (status != PSA_SUCCESS) { 6050 return status; 6051 } 6052 6053 if (other_secret != NULL) { 6054 status = psa_key_derivation_input_bytes(derivation, 6055 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET, 6056 other_secret, other_secret_length); 6057 if (status != PSA_SUCCESS) { 6058 return status; 6059 } 6060 } 6061 6062 if (mbedtls_svc_key_id_is_null(key)) { 6063 status = psa_key_derivation_input_bytes( 6064 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, 6065 raw_psk, raw_psk_length); 6066 } else { 6067 status = psa_key_derivation_input_key( 6068 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key); 6069 } 6070 if (status != PSA_SUCCESS) { 6071 return status; 6072 } 6073 6074 status = psa_key_derivation_input_bytes(derivation, 6075 PSA_KEY_DERIVATION_INPUT_LABEL, 6076 label, label_length); 6077 if (status != PSA_SUCCESS) { 6078 return status; 6079 } 6080 } else { 6081 return PSA_ERROR_NOT_SUPPORTED; 6082 } 6083 6084 status = psa_key_derivation_set_capacity(derivation, capacity); 6085 if (status != PSA_SUCCESS) { 6086 return status; 6087 } 6088 6089 return PSA_SUCCESS; 6090 } 6091 6092 #if defined(PSA_WANT_ALG_SHA_384) || \ 6093 defined(PSA_WANT_ALG_SHA_256) 6094 MBEDTLS_CHECK_RETURN_CRITICAL 6095 static int tls_prf_generic(mbedtls_md_type_t md_type, 6096 const unsigned char *secret, size_t slen, 6097 const char *label, 6098 const unsigned char *random, size_t rlen, 6099 unsigned char *dstbuf, size_t dlen) 6100 { 6101 psa_status_t status; 6102 psa_algorithm_t alg; 6103 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT; 6104 psa_key_derivation_operation_t derivation = 6105 PSA_KEY_DERIVATION_OPERATION_INIT; 6106 6107 if (md_type == MBEDTLS_MD_SHA384) { 6108 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384); 6109 } else { 6110 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); 6111 } 6112 6113 /* Normally a "secret" should be long enough to be impossible to 6114 * find by brute force, and in particular should not be empty. But 6115 * this PRF is also used to derive an IV, in particular in EAP-TLS, 6116 * and for this use case it makes sense to have a 0-length "secret". 6117 * Since the key API doesn't allow importing a key of length 0, 6118 * keep master_key=0, which setup_psa_key_derivation() understands 6119 * to mean a 0-length "secret" input. */ 6120 if (slen != 0) { 6121 psa_key_attributes_t key_attributes = psa_key_attributes_init(); 6122 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 6123 psa_set_key_algorithm(&key_attributes, alg); 6124 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE); 6125 6126 status = psa_import_key(&key_attributes, secret, slen, &master_key); 6127 if (status != PSA_SUCCESS) { 6128 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6129 } 6130 } 6131 6132 status = setup_psa_key_derivation(&derivation, 6133 master_key, alg, 6134 NULL, 0, 6135 random, rlen, 6136 (unsigned char const *) label, 6137 (size_t) strlen(label), 6138 NULL, 0, 6139 dlen); 6140 if (status != PSA_SUCCESS) { 6141 psa_key_derivation_abort(&derivation); 6142 psa_destroy_key(master_key); 6143 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6144 } 6145 6146 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen); 6147 if (status != PSA_SUCCESS) { 6148 psa_key_derivation_abort(&derivation); 6149 psa_destroy_key(master_key); 6150 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6151 } 6152 6153 status = psa_key_derivation_abort(&derivation); 6154 if (status != PSA_SUCCESS) { 6155 psa_destroy_key(master_key); 6156 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6157 } 6158 6159 if (!mbedtls_svc_key_id_is_null(master_key)) { 6160 status = psa_destroy_key(master_key); 6161 } 6162 if (status != PSA_SUCCESS) { 6163 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6164 } 6165 6166 return 0; 6167 } 6168 #endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */ 6169 #else /* MBEDTLS_USE_PSA_CRYPTO */ 6170 6171 #if defined(MBEDTLS_MD_C) && \ 6172 (defined(MBEDTLS_SHA256_C) || \ 6173 defined(MBEDTLS_SHA384_C)) 6174 MBEDTLS_CHECK_RETURN_CRITICAL 6175 static int tls_prf_generic(mbedtls_md_type_t md_type, 6176 const unsigned char *secret, size_t slen, 6177 const char *label, 6178 const unsigned char *random, size_t rlen, 6179 unsigned char *dstbuf, size_t dlen) 6180 { 6181 size_t nb; 6182 size_t i, j, k, md_len; 6183 unsigned char *tmp; 6184 size_t tmp_len = 0; 6185 unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; 6186 const mbedtls_md_info_t *md_info; 6187 mbedtls_md_context_t md_ctx; 6188 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6189 6190 mbedtls_md_init(&md_ctx); 6191 6192 if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) { 6193 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6194 } 6195 6196 md_len = mbedtls_md_get_size(md_info); 6197 6198 tmp_len = md_len + strlen(label) + rlen; 6199 tmp = mbedtls_calloc(1, tmp_len); 6200 if (tmp == NULL) { 6201 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 6202 goto exit; 6203 } 6204 6205 nb = strlen(label); 6206 memcpy(tmp + md_len, label, nb); 6207 memcpy(tmp + md_len + nb, random, rlen); 6208 nb += rlen; 6209 6210 /* 6211 * Compute P_<hash>(secret, label + random)[0..dlen] 6212 */ 6213 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) { 6214 goto exit; 6215 } 6216 6217 ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen); 6218 if (ret != 0) { 6219 goto exit; 6220 } 6221 ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb); 6222 if (ret != 0) { 6223 goto exit; 6224 } 6225 ret = mbedtls_md_hmac_finish(&md_ctx, tmp); 6226 if (ret != 0) { 6227 goto exit; 6228 } 6229 6230 for (i = 0; i < dlen; i += md_len) { 6231 ret = mbedtls_md_hmac_reset(&md_ctx); 6232 if (ret != 0) { 6233 goto exit; 6234 } 6235 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb); 6236 if (ret != 0) { 6237 goto exit; 6238 } 6239 ret = mbedtls_md_hmac_finish(&md_ctx, h_i); 6240 if (ret != 0) { 6241 goto exit; 6242 } 6243 6244 ret = mbedtls_md_hmac_reset(&md_ctx); 6245 if (ret != 0) { 6246 goto exit; 6247 } 6248 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len); 6249 if (ret != 0) { 6250 goto exit; 6251 } 6252 ret = mbedtls_md_hmac_finish(&md_ctx, tmp); 6253 if (ret != 0) { 6254 goto exit; 6255 } 6256 6257 k = (i + md_len > dlen) ? dlen % md_len : md_len; 6258 6259 for (j = 0; j < k; j++) { 6260 dstbuf[i + j] = h_i[j]; 6261 } 6262 } 6263 6264 exit: 6265 mbedtls_md_free(&md_ctx); 6266 6267 if (tmp != NULL) { 6268 mbedtls_platform_zeroize(tmp, tmp_len); 6269 } 6270 6271 mbedtls_platform_zeroize(h_i, sizeof(h_i)); 6272 6273 mbedtls_free(tmp); 6274 6275 return ret; 6276 } 6277 #endif /* MBEDTLS_MD_C && ( MBEDTLS_SHA256_C || MBEDTLS_SHA384_C ) */ 6278 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 6279 6280 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 6281 MBEDTLS_CHECK_RETURN_CRITICAL 6282 static int tls_prf_sha256(const unsigned char *secret, size_t slen, 6283 const char *label, 6284 const unsigned char *random, size_t rlen, 6285 unsigned char *dstbuf, size_t dlen) 6286 { 6287 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen, 6288 label, random, rlen, dstbuf, dlen); 6289 } 6290 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 6291 6292 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 6293 MBEDTLS_CHECK_RETURN_CRITICAL 6294 static int tls_prf_sha384(const unsigned char *secret, size_t slen, 6295 const char *label, 6296 const unsigned char *random, size_t rlen, 6297 unsigned char *dstbuf, size_t dlen) 6298 { 6299 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen, 6300 label, random, rlen, dstbuf, dlen); 6301 } 6302 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 6303 6304 /* 6305 * Set appropriate PRF function and other SSL / TLS1.2 functions 6306 * 6307 * Inputs: 6308 * - hash associated with the ciphersuite (only used by TLS 1.2) 6309 * 6310 * Outputs: 6311 * - the tls_prf, calc_verify and calc_finished members of handshake structure 6312 */ 6313 MBEDTLS_CHECK_RETURN_CRITICAL 6314 static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake, 6315 mbedtls_md_type_t hash) 6316 { 6317 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 6318 if (hash == MBEDTLS_MD_SHA384) { 6319 handshake->tls_prf = tls_prf_sha384; 6320 handshake->calc_verify = ssl_calc_verify_tls_sha384; 6321 handshake->calc_finished = ssl_calc_finished_tls_sha384; 6322 } else 6323 #endif 6324 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 6325 { 6326 (void) hash; 6327 handshake->tls_prf = tls_prf_sha256; 6328 handshake->calc_verify = ssl_calc_verify_tls_sha256; 6329 handshake->calc_finished = ssl_calc_finished_tls_sha256; 6330 } 6331 #else 6332 { 6333 (void) handshake; 6334 (void) hash; 6335 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6336 } 6337 #endif 6338 6339 return 0; 6340 } 6341 6342 /* 6343 * Compute master secret if needed 6344 * 6345 * Parameters: 6346 * [in/out] handshake 6347 * [in] resume, premaster, extended_ms, calc_verify, tls_prf 6348 * (PSA-PSK) ciphersuite_info, psk_opaque 6349 * [out] premaster (cleared) 6350 * [out] master 6351 * [in] ssl: optionally used for debugging, EMS and PSA-PSK 6352 * debug: conf->f_dbg, conf->p_dbg 6353 * EMS: passed to calc_verify (debug + session_negotiate) 6354 * PSA-PSA: conf 6355 */ 6356 MBEDTLS_CHECK_RETURN_CRITICAL 6357 static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, 6358 unsigned char *master, 6359 const mbedtls_ssl_context *ssl) 6360 { 6361 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6362 6363 /* cf. RFC 5246, Section 8.1: 6364 * "The master secret is always exactly 48 bytes in length." */ 6365 size_t const master_secret_len = 48; 6366 6367 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 6368 unsigned char session_hash[48]; 6369 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 6370 6371 /* The label for the KDF used for key expansion. 6372 * This is either "master secret" or "extended master secret" 6373 * depending on whether the Extended Master Secret extension 6374 * is used. */ 6375 char const *lbl = "master secret"; 6376 6377 /* The seed for the KDF used for key expansion. 6378 * - If the Extended Master Secret extension is not used, 6379 * this is ClientHello.Random + ServerHello.Random 6380 * (see Sect. 8.1 in RFC 5246). 6381 * - If the Extended Master Secret extension is used, 6382 * this is the transcript of the handshake so far. 6383 * (see Sect. 4 in RFC 7627). */ 6384 unsigned char const *seed = handshake->randbytes; 6385 size_t seed_len = 64; 6386 6387 #if !defined(MBEDTLS_DEBUG_C) && \ 6388 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \ 6389 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \ 6390 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)) 6391 ssl = NULL; /* make sure we don't use it except for those cases */ 6392 (void) ssl; 6393 #endif 6394 6395 if (handshake->resume != 0) { 6396 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)")); 6397 return 0; 6398 } 6399 6400 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 6401 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { 6402 lbl = "extended master secret"; 6403 seed = session_hash; 6404 ret = handshake->calc_verify(ssl, session_hash, &seed_len); 6405 if (ret != 0) { 6406 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret); 6407 } 6408 6409 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret", 6410 session_hash, seed_len); 6411 } 6412 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 6413 6414 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 6415 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 6416 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) { 6417 /* Perform PSK-to-MS expansion in a single step. */ 6418 psa_status_t status; 6419 psa_algorithm_t alg; 6420 mbedtls_svc_key_id_t psk; 6421 psa_key_derivation_operation_t derivation = 6422 PSA_KEY_DERIVATION_OPERATION_INIT; 6423 mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac; 6424 6425 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion")); 6426 6427 psk = mbedtls_ssl_get_opaque_psk(ssl); 6428 6429 if (hash_alg == MBEDTLS_MD_SHA384) { 6430 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); 6431 } else { 6432 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); 6433 } 6434 6435 size_t other_secret_len = 0; 6436 unsigned char *other_secret = NULL; 6437 6438 switch (handshake->ciphersuite_info->key_exchange) { 6439 /* Provide other secret. 6440 * Other secret is stored in premaster, where first 2 bytes hold the 6441 * length of the other key. 6442 */ 6443 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 6444 /* For RSA-PSK other key length is always 48 bytes. */ 6445 other_secret_len = 48; 6446 other_secret = handshake->premaster + 2; 6447 break; 6448 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 6449 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 6450 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0); 6451 other_secret = handshake->premaster + 2; 6452 break; 6453 default: 6454 break; 6455 } 6456 6457 status = setup_psa_key_derivation(&derivation, psk, alg, 6458 ssl->conf->psk, ssl->conf->psk_len, 6459 seed, seed_len, 6460 (unsigned char const *) lbl, 6461 (size_t) strlen(lbl), 6462 other_secret, other_secret_len, 6463 master_secret_len); 6464 if (status != PSA_SUCCESS) { 6465 psa_key_derivation_abort(&derivation); 6466 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6467 } 6468 6469 status = psa_key_derivation_output_bytes(&derivation, 6470 master, 6471 master_secret_len); 6472 if (status != PSA_SUCCESS) { 6473 psa_key_derivation_abort(&derivation); 6474 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6475 } 6476 6477 status = psa_key_derivation_abort(&derivation); 6478 if (status != PSA_SUCCESS) { 6479 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6480 } 6481 } else 6482 #endif 6483 { 6484 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 6485 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 6486 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 6487 psa_status_t status; 6488 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; 6489 psa_key_derivation_operation_t derivation = 6490 PSA_KEY_DERIVATION_OPERATION_INIT; 6491 6492 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE")); 6493 6494 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE; 6495 6496 status = psa_key_derivation_setup(&derivation, alg); 6497 if (status != PSA_SUCCESS) { 6498 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6499 } 6500 6501 status = psa_key_derivation_set_capacity(&derivation, 6502 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE); 6503 if (status != PSA_SUCCESS) { 6504 psa_key_derivation_abort(&derivation); 6505 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6506 } 6507 6508 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx, 6509 &derivation); 6510 if (status != PSA_SUCCESS) { 6511 psa_key_derivation_abort(&derivation); 6512 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6513 } 6514 6515 status = psa_key_derivation_output_bytes(&derivation, 6516 handshake->premaster, 6517 handshake->pmslen); 6518 if (status != PSA_SUCCESS) { 6519 psa_key_derivation_abort(&derivation); 6520 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6521 } 6522 6523 status = psa_key_derivation_abort(&derivation); 6524 if (status != PSA_SUCCESS) { 6525 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6526 } 6527 } 6528 #endif 6529 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen, 6530 lbl, seed, seed_len, 6531 master, 6532 master_secret_len); 6533 if (ret != 0) { 6534 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); 6535 return ret; 6536 } 6537 6538 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret", 6539 handshake->premaster, 6540 handshake->pmslen); 6541 6542 mbedtls_platform_zeroize(handshake->premaster, 6543 sizeof(handshake->premaster)); 6544 } 6545 6546 return 0; 6547 } 6548 6549 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl) 6550 { 6551 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6552 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = 6553 ssl->handshake->ciphersuite_info; 6554 6555 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys")); 6556 6557 /* Set PRF, calc_verify and calc_finished function pointers */ 6558 ret = ssl_set_handshake_prfs(ssl->handshake, 6559 ciphersuite_info->mac); 6560 if (ret != 0) { 6561 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret); 6562 return ret; 6563 } 6564 6565 /* Compute master secret if needed */ 6566 ret = ssl_compute_master(ssl->handshake, 6567 ssl->session_negotiate->master, 6568 ssl); 6569 if (ret != 0) { 6570 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret); 6571 return ret; 6572 } 6573 6574 /* Swap the client and server random values: 6575 * - MS derivation wanted client+server (RFC 5246 8.1) 6576 * - key derivation wants server+client (RFC 5246 6.3) */ 6577 { 6578 unsigned char tmp[64]; 6579 memcpy(tmp, ssl->handshake->randbytes, 64); 6580 memcpy(ssl->handshake->randbytes, tmp + 32, 32); 6581 memcpy(ssl->handshake->randbytes + 32, tmp, 32); 6582 mbedtls_platform_zeroize(tmp, sizeof(tmp)); 6583 } 6584 6585 /* Populate transform structure */ 6586 ret = ssl_tls12_populate_transform(ssl->transform_negotiate, 6587 ssl->session_negotiate->ciphersuite, 6588 ssl->session_negotiate->master, 6589 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 6590 ssl->session_negotiate->encrypt_then_mac, 6591 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 6592 ssl->handshake->tls_prf, 6593 ssl->handshake->randbytes, 6594 ssl->tls_version, 6595 ssl->conf->endpoint, 6596 ssl); 6597 if (ret != 0) { 6598 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret); 6599 return ret; 6600 } 6601 6602 /* We no longer need Server/ClientHello.random values */ 6603 mbedtls_platform_zeroize(ssl->handshake->randbytes, 6604 sizeof(ssl->handshake->randbytes)); 6605 6606 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys")); 6607 6608 return 0; 6609 } 6610 6611 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md) 6612 { 6613 switch (md) { 6614 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 6615 case MBEDTLS_SSL_HASH_SHA384: 6616 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; 6617 break; 6618 #endif 6619 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 6620 case MBEDTLS_SSL_HASH_SHA256: 6621 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256; 6622 break; 6623 #endif 6624 default: 6625 return -1; 6626 } 6627 #if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ 6628 !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 6629 (void) ssl; 6630 #endif 6631 return 0; 6632 } 6633 6634 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 6635 int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, 6636 unsigned char *hash, 6637 size_t *hlen) 6638 { 6639 #if defined(MBEDTLS_USE_PSA_CRYPTO) 6640 size_t hash_size; 6641 psa_status_t status; 6642 psa_hash_operation_t sha256_psa = psa_hash_operation_init(); 6643 6644 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha256")); 6645 status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa); 6646 if (status != PSA_SUCCESS) { 6647 goto exit; 6648 } 6649 6650 status = psa_hash_finish(&sha256_psa, hash, 32, &hash_size); 6651 if (status != PSA_SUCCESS) { 6652 goto exit; 6653 } 6654 6655 *hlen = 32; 6656 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); 6657 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); 6658 6659 exit: 6660 psa_hash_abort(&sha256_psa); 6661 return PSA_TO_MD_ERR(status); 6662 #else 6663 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6664 mbedtls_md_context_t sha256; 6665 6666 mbedtls_md_init(&sha256); 6667 6668 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha256")); 6669 6670 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0); 6671 if (ret != 0) { 6672 goto exit; 6673 } 6674 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256); 6675 if (ret != 0) { 6676 goto exit; 6677 } 6678 6679 ret = mbedtls_md_finish(&sha256, hash); 6680 if (ret != 0) { 6681 goto exit; 6682 } 6683 6684 *hlen = 32; 6685 6686 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); 6687 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); 6688 6689 exit: 6690 mbedtls_md_free(&sha256); 6691 return ret; 6692 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 6693 } 6694 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 6695 6696 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 6697 int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, 6698 unsigned char *hash, 6699 size_t *hlen) 6700 { 6701 #if defined(MBEDTLS_USE_PSA_CRYPTO) 6702 size_t hash_size; 6703 psa_status_t status; 6704 psa_hash_operation_t sha384_psa = psa_hash_operation_init(); 6705 6706 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha384")); 6707 status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa); 6708 if (status != PSA_SUCCESS) { 6709 goto exit; 6710 } 6711 6712 status = psa_hash_finish(&sha384_psa, hash, 48, &hash_size); 6713 if (status != PSA_SUCCESS) { 6714 goto exit; 6715 } 6716 6717 *hlen = 48; 6718 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); 6719 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); 6720 6721 exit: 6722 psa_hash_abort(&sha384_psa); 6723 return PSA_TO_MD_ERR(status); 6724 #else 6725 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6726 mbedtls_md_context_t sha384; 6727 6728 mbedtls_md_init(&sha384); 6729 6730 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha384")); 6731 6732 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); 6733 if (ret != 0) { 6734 goto exit; 6735 } 6736 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384); 6737 if (ret != 0) { 6738 goto exit; 6739 } 6740 6741 ret = mbedtls_md_finish(&sha384, hash); 6742 if (ret != 0) { 6743 goto exit; 6744 } 6745 6746 *hlen = 48; 6747 6748 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); 6749 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); 6750 6751 exit: 6752 mbedtls_md_free(&sha384); 6753 return ret; 6754 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 6755 } 6756 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 6757 6758 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 6759 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 6760 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex) 6761 { 6762 unsigned char *p = ssl->handshake->premaster; 6763 unsigned char *end = p + sizeof(ssl->handshake->premaster); 6764 const unsigned char *psk = NULL; 6765 size_t psk_len = 0; 6766 int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len); 6767 6768 if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) { 6769 /* 6770 * This should never happen because the existence of a PSK is always 6771 * checked before calling this function. 6772 * 6773 * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with 6774 * the shared secret without PSK. 6775 */ 6776 if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 6777 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 6778 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6779 } 6780 } 6781 6782 /* 6783 * PMS = struct { 6784 * opaque other_secret<0..2^16-1>; 6785 * opaque psk<0..2^16-1>; 6786 * }; 6787 * with "other_secret" depending on the particular key exchange 6788 */ 6789 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 6790 if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) { 6791 if (end - p < 2) { 6792 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 6793 } 6794 6795 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); 6796 p += 2; 6797 6798 if (end < p || (size_t) (end - p) < psk_len) { 6799 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 6800 } 6801 6802 memset(p, 0, psk_len); 6803 p += psk_len; 6804 } else 6805 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 6806 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 6807 if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 6808 /* 6809 * other_secret already set by the ClientKeyExchange message, 6810 * and is 48 bytes long 6811 */ 6812 if (end - p < 2) { 6813 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 6814 } 6815 6816 *p++ = 0; 6817 *p++ = 48; 6818 p += 48; 6819 } else 6820 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 6821 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 6822 if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 6823 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6824 size_t len; 6825 6826 /* Write length only when we know the actual value */ 6827 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, 6828 p + 2, end - (p + 2), &len, 6829 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 6830 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); 6831 return ret; 6832 } 6833 MBEDTLS_PUT_UINT16_BE(len, p, 0); 6834 p += 2 + len; 6835 6836 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); 6837 } else 6838 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 6839 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 6840 if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { 6841 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6842 size_t zlen; 6843 6844 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen, 6845 p + 2, end - (p + 2), 6846 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 6847 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); 6848 return ret; 6849 } 6850 6851 MBEDTLS_PUT_UINT16_BE(zlen, p, 0); 6852 p += 2 + zlen; 6853 6854 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 6855 MBEDTLS_DEBUG_ECDH_Z); 6856 } else 6857 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 6858 { 6859 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 6860 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6861 } 6862 6863 /* opaque psk<0..2^16-1>; */ 6864 if (end - p < 2) { 6865 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 6866 } 6867 6868 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); 6869 p += 2; 6870 6871 if (end < p || (size_t) (end - p) < psk_len) { 6872 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 6873 } 6874 6875 memcpy(p, psk, psk_len); 6876 p += psk_len; 6877 6878 ssl->handshake->pmslen = p - ssl->handshake->premaster; 6879 6880 return 0; 6881 } 6882 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 6883 6884 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 6885 MBEDTLS_CHECK_RETURN_CRITICAL 6886 static int ssl_write_hello_request(mbedtls_ssl_context *ssl); 6887 6888 #if defined(MBEDTLS_SSL_PROTO_DTLS) 6889 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl) 6890 { 6891 /* If renegotiation is not enforced, retransmit until we would reach max 6892 * timeout if we were using the usual handshake doubling scheme */ 6893 if (ssl->conf->renego_max_records < 0) { 6894 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; 6895 unsigned char doublings = 1; 6896 6897 while (ratio != 0) { 6898 ++doublings; 6899 ratio >>= 1; 6900 } 6901 6902 if (++ssl->renego_records_seen > doublings) { 6903 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request")); 6904 return 0; 6905 } 6906 } 6907 6908 return ssl_write_hello_request(ssl); 6909 } 6910 #endif 6911 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 6912 6913 /* 6914 * Handshake functions 6915 */ 6916 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 6917 /* No certificate support -> dummy functions */ 6918 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) 6919 { 6920 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 6921 ssl->handshake->ciphersuite_info; 6922 6923 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); 6924 6925 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 6926 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 6927 ssl->state++; 6928 return 0; 6929 } 6930 6931 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 6932 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6933 } 6934 6935 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) 6936 { 6937 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 6938 ssl->handshake->ciphersuite_info; 6939 6940 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); 6941 6942 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 6943 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); 6944 ssl->state++; 6945 return 0; 6946 } 6947 6948 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 6949 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6950 } 6951 6952 #else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 6953 /* Some certificate support -> implement write and parse */ 6954 6955 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) 6956 { 6957 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 6958 size_t i, n; 6959 const mbedtls_x509_crt *crt; 6960 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 6961 ssl->handshake->ciphersuite_info; 6962 6963 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); 6964 6965 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 6966 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 6967 ssl->state++; 6968 return 0; 6969 } 6970 6971 #if defined(MBEDTLS_SSL_CLI_C) 6972 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 6973 if (ssl->handshake->client_auth == 0) { 6974 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 6975 ssl->state++; 6976 return 0; 6977 } 6978 } 6979 #endif /* MBEDTLS_SSL_CLI_C */ 6980 #if defined(MBEDTLS_SSL_SRV_C) 6981 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 6982 if (mbedtls_ssl_own_cert(ssl) == NULL) { 6983 /* Should never happen because we shouldn't have picked the 6984 * ciphersuite if we don't have a certificate. */ 6985 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6986 } 6987 } 6988 #endif 6989 6990 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl)); 6991 6992 /* 6993 * 0 . 0 handshake type 6994 * 1 . 3 handshake length 6995 * 4 . 6 length of all certs 6996 * 7 . 9 length of cert. 1 6997 * 10 . n-1 peer certificate 6998 * n . n+2 length of cert. 2 6999 * n+3 . ... upper level cert, etc. 7000 */ 7001 i = 7; 7002 crt = mbedtls_ssl_own_cert(ssl); 7003 7004 while (crt != NULL) { 7005 n = crt->raw.len; 7006 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) { 7007 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET 7008 " > %" MBEDTLS_PRINTF_SIZET, 7009 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN)); 7010 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 7011 } 7012 7013 ssl->out_msg[i] = MBEDTLS_BYTE_2(n); 7014 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n); 7015 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n); 7016 7017 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n); 7018 i += n; crt = crt->next; 7019 } 7020 7021 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7); 7022 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7); 7023 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7); 7024 7025 ssl->out_msglen = i; 7026 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 7027 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; 7028 7029 ssl->state++; 7030 7031 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 7032 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 7033 return ret; 7034 } 7035 7036 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate")); 7037 7038 return ret; 7039 } 7040 7041 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7042 7043 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7044 MBEDTLS_CHECK_RETURN_CRITICAL 7045 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, 7046 unsigned char *crt_buf, 7047 size_t crt_buf_len) 7048 { 7049 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert; 7050 7051 if (peer_crt == NULL) { 7052 return -1; 7053 } 7054 7055 if (peer_crt->raw.len != crt_buf_len) { 7056 return -1; 7057 } 7058 7059 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len); 7060 } 7061 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7062 MBEDTLS_CHECK_RETURN_CRITICAL 7063 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, 7064 unsigned char *crt_buf, 7065 size_t crt_buf_len) 7066 { 7067 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7068 unsigned char const * const peer_cert_digest = 7069 ssl->session->peer_cert_digest; 7070 mbedtls_md_type_t const peer_cert_digest_type = 7071 ssl->session->peer_cert_digest_type; 7072 mbedtls_md_info_t const * const digest_info = 7073 mbedtls_md_info_from_type(peer_cert_digest_type); 7074 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN]; 7075 size_t digest_len; 7076 7077 if (peer_cert_digest == NULL || digest_info == NULL) { 7078 return -1; 7079 } 7080 7081 digest_len = mbedtls_md_get_size(digest_info); 7082 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) { 7083 return -1; 7084 } 7085 7086 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest); 7087 if (ret != 0) { 7088 return -1; 7089 } 7090 7091 return memcmp(tmp_digest, peer_cert_digest, digest_len); 7092 } 7093 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7094 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 7095 7096 /* 7097 * Once the certificate message is read, parse it into a cert chain and 7098 * perform basic checks, but leave actual verification to the caller 7099 */ 7100 MBEDTLS_CHECK_RETURN_CRITICAL 7101 static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl, 7102 mbedtls_x509_crt *chain) 7103 { 7104 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7105 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7106 int crt_cnt = 0; 7107 #endif 7108 size_t i, n; 7109 uint8_t alert; 7110 7111 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 7112 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7113 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7114 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 7115 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 7116 } 7117 7118 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) { 7119 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7120 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 7121 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 7122 } 7123 7124 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) { 7125 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7126 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7127 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7128 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7129 } 7130 7131 i = mbedtls_ssl_hs_hdr_len(ssl); 7132 7133 /* 7134 * Same message structure as in mbedtls_ssl_write_certificate() 7135 */ 7136 n = (ssl->in_msg[i+1] << 8) | ssl->in_msg[i+2]; 7137 7138 if (ssl->in_msg[i] != 0 || 7139 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) { 7140 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7141 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7142 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7143 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7144 } 7145 7146 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */ 7147 i += 3; 7148 7149 /* Iterate through and parse the CRTs in the provided chain. */ 7150 while (i < ssl->in_hslen) { 7151 /* Check that there's room for the next CRT's length fields. */ 7152 if (i + 3 > ssl->in_hslen) { 7153 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7154 mbedtls_ssl_send_alert_message(ssl, 7155 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7156 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7157 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7158 } 7159 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support 7160 * anything beyond 2**16 ~ 64K. */ 7161 if (ssl->in_msg[i] != 0) { 7162 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7163 mbedtls_ssl_send_alert_message(ssl, 7164 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7165 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); 7166 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 7167 } 7168 7169 /* Read length of the next CRT in the chain. */ 7170 n = ((unsigned int) ssl->in_msg[i + 1] << 8) 7171 | (unsigned int) ssl->in_msg[i + 2]; 7172 i += 3; 7173 7174 if (n < 128 || i + n > ssl->in_hslen) { 7175 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7176 mbedtls_ssl_send_alert_message(ssl, 7177 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7178 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7179 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7180 } 7181 7182 /* Check if we're handling the first CRT in the chain. */ 7183 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7184 if (crt_cnt++ == 0 && 7185 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 7186 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 7187 /* During client-side renegotiation, check that the server's 7188 * end-CRTs hasn't changed compared to the initial handshake, 7189 * mitigating the triple handshake attack. On success, reuse 7190 * the original end-CRT instead of parsing it again. */ 7191 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation")); 7192 if (ssl_check_peer_crt_unchanged(ssl, 7193 &ssl->in_msg[i], 7194 n) != 0) { 7195 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation")); 7196 mbedtls_ssl_send_alert_message(ssl, 7197 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7198 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED); 7199 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 7200 } 7201 7202 /* Now we can safely free the original chain. */ 7203 ssl_clear_peer_cert(ssl->session); 7204 } 7205 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 7206 7207 /* Parse the next certificate in the chain. */ 7208 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7209 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n); 7210 #else 7211 /* If we don't need to store the CRT chain permanently, parse 7212 * it in-place from the input buffer instead of making a copy. */ 7213 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n); 7214 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7215 switch (ret) { 7216 case 0: /*ok*/ 7217 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: 7218 /* Ignore certificate with an unknown algorithm: maybe a 7219 prior certificate was already trusted. */ 7220 break; 7221 7222 case MBEDTLS_ERR_X509_ALLOC_FAILED: 7223 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR; 7224 goto crt_parse_der_failed; 7225 7226 case MBEDTLS_ERR_X509_UNKNOWN_VERSION: 7227 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 7228 goto crt_parse_der_failed; 7229 7230 default: 7231 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 7232 crt_parse_der_failed: 7233 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert); 7234 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); 7235 return ret; 7236 } 7237 7238 i += n; 7239 } 7240 7241 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain); 7242 return 0; 7243 } 7244 7245 #if defined(MBEDTLS_SSL_SRV_C) 7246 MBEDTLS_CHECK_RETURN_CRITICAL 7247 static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl) 7248 { 7249 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 7250 return -1; 7251 } 7252 7253 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) && 7254 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 7255 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && 7256 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) { 7257 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate")); 7258 return 0; 7259 } 7260 return -1; 7261 } 7262 #endif /* MBEDTLS_SSL_SRV_C */ 7263 7264 /* Check if a certificate message is expected. 7265 * Return either 7266 * - SSL_CERTIFICATE_EXPECTED, or 7267 * - SSL_CERTIFICATE_SKIP 7268 * indicating whether a Certificate message is expected or not. 7269 */ 7270 #define SSL_CERTIFICATE_EXPECTED 0 7271 #define SSL_CERTIFICATE_SKIP 1 7272 MBEDTLS_CHECK_RETURN_CRITICAL 7273 static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl, 7274 int authmode) 7275 { 7276 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7277 ssl->handshake->ciphersuite_info; 7278 7279 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7280 return SSL_CERTIFICATE_SKIP; 7281 } 7282 7283 #if defined(MBEDTLS_SSL_SRV_C) 7284 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 7285 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 7286 return SSL_CERTIFICATE_SKIP; 7287 } 7288 7289 if (authmode == MBEDTLS_SSL_VERIFY_NONE) { 7290 ssl->session_negotiate->verify_result = 7291 MBEDTLS_X509_BADCERT_SKIP_VERIFY; 7292 return SSL_CERTIFICATE_SKIP; 7293 } 7294 } 7295 #else 7296 ((void) authmode); 7297 #endif /* MBEDTLS_SSL_SRV_C */ 7298 7299 return SSL_CERTIFICATE_EXPECTED; 7300 } 7301 7302 MBEDTLS_CHECK_RETURN_CRITICAL 7303 static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl, 7304 int authmode, 7305 mbedtls_x509_crt *chain, 7306 void *rs_ctx) 7307 { 7308 int ret = 0; 7309 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7310 ssl->handshake->ciphersuite_info; 7311 int have_ca_chain = 0; 7312 7313 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); 7314 void *p_vrfy; 7315 7316 if (authmode == MBEDTLS_SSL_VERIFY_NONE) { 7317 return 0; 7318 } 7319 7320 if (ssl->f_vrfy != NULL) { 7321 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback")); 7322 f_vrfy = ssl->f_vrfy; 7323 p_vrfy = ssl->p_vrfy; 7324 } else { 7325 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback")); 7326 f_vrfy = ssl->conf->f_vrfy; 7327 p_vrfy = ssl->conf->p_vrfy; 7328 } 7329 7330 /* 7331 * Main check: verify certificate 7332 */ 7333 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 7334 if (ssl->conf->f_ca_cb != NULL) { 7335 ((void) rs_ctx); 7336 have_ca_chain = 1; 7337 7338 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification")); 7339 ret = mbedtls_x509_crt_verify_with_ca_cb( 7340 chain, 7341 ssl->conf->f_ca_cb, 7342 ssl->conf->p_ca_cb, 7343 ssl->conf->cert_profile, 7344 ssl->hostname, 7345 &ssl->session_negotiate->verify_result, 7346 f_vrfy, p_vrfy); 7347 } else 7348 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 7349 { 7350 mbedtls_x509_crt *ca_chain; 7351 mbedtls_x509_crl *ca_crl; 7352 7353 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 7354 if (ssl->handshake->sni_ca_chain != NULL) { 7355 ca_chain = ssl->handshake->sni_ca_chain; 7356 ca_crl = ssl->handshake->sni_ca_crl; 7357 } else 7358 #endif 7359 { 7360 ca_chain = ssl->conf->ca_chain; 7361 ca_crl = ssl->conf->ca_crl; 7362 } 7363 7364 if (ca_chain != NULL) { 7365 have_ca_chain = 1; 7366 } 7367 7368 ret = mbedtls_x509_crt_verify_restartable( 7369 chain, 7370 ca_chain, ca_crl, 7371 ssl->conf->cert_profile, 7372 ssl->hostname, 7373 &ssl->session_negotiate->verify_result, 7374 f_vrfy, p_vrfy, rs_ctx); 7375 } 7376 7377 if (ret != 0) { 7378 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); 7379 } 7380 7381 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 7382 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 7383 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 7384 } 7385 #endif 7386 7387 /* 7388 * Secondary checks: always done, but change 'ret' only if it was 0 7389 */ 7390 7391 #if defined(MBEDTLS_ECP_C) 7392 { 7393 const mbedtls_pk_context *pk = &chain->pk; 7394 7395 /* If certificate uses an EC key, make sure the curve is OK. 7396 * This is a public key, so it can't be opaque, so can_do() is a good 7397 * enough check to ensure pk_ec() is safe to use here. */ 7398 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { 7399 /* and in the unlikely case the above assumption no longer holds 7400 * we are making sure that pk_ec() here does not return a NULL 7401 */ 7402 const mbedtls_ecp_keypair *ec = mbedtls_pk_ec(*pk); 7403 if (ec == NULL) { 7404 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_pk_ec() returned NULL")); 7405 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7406 } 7407 7408 if (mbedtls_ssl_check_curve(ssl, ec->grp.id) != 0) { 7409 ssl->session_negotiate->verify_result |= 7410 MBEDTLS_X509_BADCERT_BAD_KEY; 7411 7412 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)")); 7413 if (ret == 0) { 7414 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 7415 } 7416 } 7417 } 7418 } 7419 #endif /* MBEDTLS_ECP_C */ 7420 7421 if (mbedtls_ssl_check_cert_usage(chain, 7422 ciphersuite_info, 7423 !ssl->conf->endpoint, 7424 &ssl->session_negotiate->verify_result) != 0) { 7425 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); 7426 if (ret == 0) { 7427 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 7428 } 7429 } 7430 7431 /* mbedtls_x509_crt_verify_with_profile is supposed to report a 7432 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, 7433 * with details encoded in the verification flags. All other kinds 7434 * of error codes, including those from the user provided f_vrfy 7435 * functions, are treated as fatal and lead to a failure of 7436 * ssl_parse_certificate even if verification was optional. */ 7437 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && 7438 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || 7439 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) { 7440 ret = 0; 7441 } 7442 7443 if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { 7444 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); 7445 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; 7446 } 7447 7448 if (ret != 0) { 7449 uint8_t alert; 7450 7451 /* The certificate may have been rejected for several reasons. 7452 Pick one and send the corresponding alert. Which alert to send 7453 may be a subject of debate in some cases. */ 7454 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) { 7455 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; 7456 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) { 7457 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 7458 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) { 7459 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 7460 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) { 7461 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 7462 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE) { 7463 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 7464 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) { 7465 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 7466 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) { 7467 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 7468 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) { 7469 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; 7470 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) { 7471 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; 7472 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) { 7473 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; 7474 } else { 7475 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; 7476 } 7477 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7478 alert); 7479 } 7480 7481 #if defined(MBEDTLS_DEBUG_C) 7482 if (ssl->session_negotiate->verify_result != 0) { 7483 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x", 7484 (unsigned int) ssl->session_negotiate->verify_result)); 7485 } else { 7486 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear")); 7487 } 7488 #endif /* MBEDTLS_DEBUG_C */ 7489 7490 return ret; 7491 } 7492 7493 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7494 MBEDTLS_CHECK_RETURN_CRITICAL 7495 static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl, 7496 unsigned char *start, size_t len) 7497 { 7498 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7499 /* Remember digest of the peer's end-CRT. */ 7500 ssl->session_negotiate->peer_cert_digest = 7501 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN); 7502 if (ssl->session_negotiate->peer_cert_digest == NULL) { 7503 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed", 7504 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN)); 7505 mbedtls_ssl_send_alert_message(ssl, 7506 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7507 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 7508 7509 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 7510 } 7511 7512 ret = mbedtls_md(mbedtls_md_info_from_type( 7513 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE), 7514 start, len, 7515 ssl->session_negotiate->peer_cert_digest); 7516 7517 ssl->session_negotiate->peer_cert_digest_type = 7518 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE; 7519 ssl->session_negotiate->peer_cert_digest_len = 7520 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN; 7521 7522 return ret; 7523 } 7524 7525 MBEDTLS_CHECK_RETURN_CRITICAL 7526 static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl, 7527 unsigned char *start, size_t len) 7528 { 7529 unsigned char *end = start + len; 7530 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7531 7532 /* Make a copy of the peer's raw public key. */ 7533 mbedtls_pk_init(&ssl->handshake->peer_pubkey); 7534 ret = mbedtls_pk_parse_subpubkey(&start, end, 7535 &ssl->handshake->peer_pubkey); 7536 if (ret != 0) { 7537 /* We should have parsed the public key before. */ 7538 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7539 } 7540 7541 return 0; 7542 } 7543 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7544 7545 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) 7546 { 7547 int ret = 0; 7548 int crt_expected; 7549 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 7550 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET 7551 ? ssl->handshake->sni_authmode 7552 : ssl->conf->authmode; 7553 #else 7554 const int authmode = ssl->conf->authmode; 7555 #endif 7556 void *rs_ctx = NULL; 7557 mbedtls_x509_crt *chain = NULL; 7558 7559 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); 7560 7561 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode); 7562 if (crt_expected == SSL_CERTIFICATE_SKIP) { 7563 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); 7564 goto exit; 7565 } 7566 7567 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 7568 if (ssl->handshake->ecrs_enabled && 7569 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) { 7570 chain = ssl->handshake->ecrs_peer_cert; 7571 ssl->handshake->ecrs_peer_cert = NULL; 7572 goto crt_verify; 7573 } 7574 #endif 7575 7576 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 7577 /* mbedtls_ssl_read_record may have sent an alert already. We 7578 let it decide whether to alert. */ 7579 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 7580 goto exit; 7581 } 7582 7583 #if defined(MBEDTLS_SSL_SRV_C) 7584 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) { 7585 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 7586 7587 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) { 7588 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; 7589 } 7590 7591 goto exit; 7592 } 7593 #endif /* MBEDTLS_SSL_SRV_C */ 7594 7595 /* Clear existing peer CRT structure in case we tried to 7596 * reuse a session but it failed, and allocate a new one. */ 7597 ssl_clear_peer_cert(ssl->session_negotiate); 7598 7599 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 7600 if (chain == NULL) { 7601 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", 7602 sizeof(mbedtls_x509_crt))); 7603 mbedtls_ssl_send_alert_message(ssl, 7604 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7605 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 7606 7607 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 7608 goto exit; 7609 } 7610 mbedtls_x509_crt_init(chain); 7611 7612 ret = ssl_parse_certificate_chain(ssl, chain); 7613 if (ret != 0) { 7614 goto exit; 7615 } 7616 7617 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 7618 if (ssl->handshake->ecrs_enabled) { 7619 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify; 7620 } 7621 7622 crt_verify: 7623 if (ssl->handshake->ecrs_enabled) { 7624 rs_ctx = &ssl->handshake->ecrs_ctx; 7625 } 7626 #endif 7627 7628 ret = ssl_parse_certificate_verify(ssl, authmode, 7629 chain, rs_ctx); 7630 if (ret != 0) { 7631 goto exit; 7632 } 7633 7634 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7635 { 7636 unsigned char *crt_start, *pk_start; 7637 size_t crt_len, pk_len; 7638 7639 /* We parse the CRT chain without copying, so 7640 * these pointers point into the input buffer, 7641 * and are hence still valid after freeing the 7642 * CRT chain. */ 7643 7644 crt_start = chain->raw.p; 7645 crt_len = chain->raw.len; 7646 7647 pk_start = chain->pk_raw.p; 7648 pk_len = chain->pk_raw.len; 7649 7650 /* Free the CRT structures before computing 7651 * digest and copying the peer's public key. */ 7652 mbedtls_x509_crt_free(chain); 7653 mbedtls_free(chain); 7654 chain = NULL; 7655 7656 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len); 7657 if (ret != 0) { 7658 goto exit; 7659 } 7660 7661 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len); 7662 if (ret != 0) { 7663 goto exit; 7664 } 7665 } 7666 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7667 /* Pass ownership to session structure. */ 7668 ssl->session_negotiate->peer_cert = chain; 7669 chain = NULL; 7670 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7671 7672 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate")); 7673 7674 exit: 7675 7676 if (ret == 0) { 7677 ssl->state++; 7678 } 7679 7680 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 7681 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) { 7682 ssl->handshake->ecrs_peer_cert = chain; 7683 chain = NULL; 7684 } 7685 #endif 7686 7687 if (chain != NULL) { 7688 mbedtls_x509_crt_free(chain); 7689 mbedtls_free(chain); 7690 } 7691 7692 return ret; 7693 } 7694 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 7695 7696 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 7697 static int ssl_calc_finished_tls_sha256( 7698 mbedtls_ssl_context *ssl, unsigned char *buf, int from) 7699 { 7700 int len = 12; 7701 const char *sender; 7702 unsigned char padbuf[32]; 7703 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7704 size_t hash_size; 7705 psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT; 7706 psa_status_t status; 7707 #else 7708 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7709 mbedtls_md_context_t sha256; 7710 #endif 7711 7712 mbedtls_ssl_session *session = ssl->session_negotiate; 7713 if (!session) { 7714 session = ssl->session; 7715 } 7716 7717 sender = (from == MBEDTLS_SSL_IS_CLIENT) 7718 ? "client finished" 7719 : "server finished"; 7720 7721 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7722 sha256_psa = psa_hash_operation_init(); 7723 7724 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha256")); 7725 7726 status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa); 7727 if (status != PSA_SUCCESS) { 7728 goto exit; 7729 } 7730 7731 status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size); 7732 if (status != PSA_SUCCESS) { 7733 goto exit; 7734 } 7735 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32); 7736 #else 7737 7738 mbedtls_md_init(&sha256); 7739 7740 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha256")); 7741 7742 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0); 7743 if (ret != 0) { 7744 goto exit; 7745 } 7746 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256); 7747 if (ret != 0) { 7748 goto exit; 7749 } 7750 7751 /* 7752 * TLSv1.2: 7753 * hash = PRF( master, finished_label, 7754 * Hash( handshake ) )[0.11] 7755 */ 7756 7757 ret = mbedtls_md_finish(&sha256, padbuf); 7758 if (ret != 0) { 7759 goto exit; 7760 } 7761 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 7762 7763 MBEDTLS_SSL_DEBUG_BUF(4, "finished sha256 output", padbuf, 32); 7764 7765 ssl->handshake->tls_prf(session->master, 48, sender, 7766 padbuf, 32, buf, len); 7767 7768 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len); 7769 7770 mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); 7771 7772 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); 7773 7774 exit: 7775 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7776 psa_hash_abort(&sha256_psa); 7777 return PSA_TO_MD_ERR(status); 7778 #else 7779 mbedtls_md_free(&sha256); 7780 return ret; 7781 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 7782 } 7783 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 7784 7785 7786 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 7787 static int ssl_calc_finished_tls_sha384( 7788 mbedtls_ssl_context *ssl, unsigned char *buf, int from) 7789 { 7790 int len = 12; 7791 const char *sender; 7792 unsigned char padbuf[48]; 7793 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7794 size_t hash_size; 7795 psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT; 7796 psa_status_t status; 7797 #else 7798 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7799 mbedtls_md_context_t sha384; 7800 #endif 7801 7802 mbedtls_ssl_session *session = ssl->session_negotiate; 7803 if (!session) { 7804 session = ssl->session; 7805 } 7806 7807 sender = (from == MBEDTLS_SSL_IS_CLIENT) 7808 ? "client finished" 7809 : "server finished"; 7810 7811 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7812 sha384_psa = psa_hash_operation_init(); 7813 7814 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls sha384")); 7815 7816 status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa); 7817 if (status != PSA_SUCCESS) { 7818 goto exit; 7819 } 7820 7821 status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size); 7822 if (status != PSA_SUCCESS) { 7823 goto exit; 7824 } 7825 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48); 7826 #else 7827 mbedtls_md_init(&sha384); 7828 7829 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls sha384")); 7830 7831 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); 7832 if (ret != 0) { 7833 goto exit; 7834 } 7835 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384); 7836 if (ret != 0) { 7837 goto exit; 7838 } 7839 7840 /* 7841 * TLSv1.2: 7842 * hash = PRF( master, finished_label, 7843 * Hash( handshake ) )[0.11] 7844 */ 7845 7846 ret = mbedtls_md_finish(&sha384, padbuf); 7847 if (ret != 0) { 7848 goto exit; 7849 } 7850 #endif 7851 7852 MBEDTLS_SSL_DEBUG_BUF(4, "finished sha384 output", padbuf, 48); 7853 7854 ssl->handshake->tls_prf(session->master, 48, sender, 7855 padbuf, 48, buf, len); 7856 7857 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len); 7858 7859 mbedtls_platform_zeroize(padbuf, sizeof(padbuf)); 7860 7861 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); 7862 7863 exit: 7864 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7865 psa_hash_abort(&sha384_psa); 7866 return PSA_TO_MD_ERR(status); 7867 #else 7868 mbedtls_md_free(&sha384); 7869 return ret; 7870 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 7871 } 7872 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/ 7873 7874 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl) 7875 { 7876 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free")); 7877 7878 /* 7879 * Free our handshake params 7880 */ 7881 mbedtls_ssl_handshake_free(ssl); 7882 mbedtls_free(ssl->handshake); 7883 ssl->handshake = NULL; 7884 7885 /* 7886 * Free the previous transform and switch in the current one 7887 */ 7888 if (ssl->transform) { 7889 mbedtls_ssl_transform_free(ssl->transform); 7890 mbedtls_free(ssl->transform); 7891 } 7892 ssl->transform = ssl->transform_negotiate; 7893 ssl->transform_negotiate = NULL; 7894 7895 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free")); 7896 } 7897 7898 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl) 7899 { 7900 int resume = ssl->handshake->resume; 7901 7902 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup")); 7903 7904 #if defined(MBEDTLS_SSL_RENEGOTIATION) 7905 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 7906 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; 7907 ssl->renego_records_seen = 0; 7908 } 7909 #endif 7910 7911 /* 7912 * Free the previous session and switch in the current one 7913 */ 7914 if (ssl->session) { 7915 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 7916 /* RFC 7366 3.1: keep the EtM state */ 7917 ssl->session_negotiate->encrypt_then_mac = 7918 ssl->session->encrypt_then_mac; 7919 #endif 7920 7921 mbedtls_ssl_session_free(ssl->session); 7922 mbedtls_free(ssl->session); 7923 } 7924 ssl->session = ssl->session_negotiate; 7925 ssl->session_negotiate = NULL; 7926 7927 /* 7928 * Add cache entry 7929 */ 7930 if (ssl->conf->f_set_cache != NULL && 7931 ssl->session->id_len != 0 && 7932 resume == 0) { 7933 if (ssl->conf->f_set_cache(ssl->conf->p_cache, 7934 ssl->session->id, 7935 ssl->session->id_len, 7936 ssl->session) != 0) { 7937 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session")); 7938 } 7939 } 7940 7941 #if defined(MBEDTLS_SSL_PROTO_DTLS) 7942 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 7943 ssl->handshake->flight != NULL) { 7944 /* Cancel handshake timer */ 7945 mbedtls_ssl_set_timer(ssl, 0); 7946 7947 /* Keep last flight around in case we need to resend it: 7948 * we need the handshake and transform structures for that */ 7949 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform")); 7950 } else 7951 #endif 7952 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl); 7953 7954 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; 7955 7956 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup")); 7957 } 7958 7959 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl) 7960 { 7961 int ret, hash_len; 7962 7963 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished")); 7964 7965 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate); 7966 7967 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint); 7968 if (ret != 0) { 7969 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); 7970 } 7971 7972 /* 7973 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites 7974 * may define some other value. Currently (early 2016), no defined 7975 * ciphersuite does this (and this is unlikely to change as activity has 7976 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here. 7977 */ 7978 hash_len = 12; 7979 7980 #if defined(MBEDTLS_SSL_RENEGOTIATION) 7981 ssl->verify_data_len = hash_len; 7982 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len); 7983 #endif 7984 7985 ssl->out_msglen = 4 + hash_len; 7986 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 7987 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; 7988 7989 /* 7990 * In case of session resuming, invert the client and server 7991 * ChangeCipherSpec messages order. 7992 */ 7993 if (ssl->handshake->resume != 0) { 7994 #if defined(MBEDTLS_SSL_CLI_C) 7995 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 7996 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 7997 } 7998 #endif 7999 #if defined(MBEDTLS_SSL_SRV_C) 8000 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 8001 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 8002 } 8003 #endif 8004 } else { 8005 ssl->state++; 8006 } 8007 8008 /* 8009 * Switch to our negotiated transform and session parameters for outbound 8010 * data. 8011 */ 8012 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data")); 8013 8014 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8015 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8016 unsigned char i; 8017 8018 /* Remember current epoch settings for resending */ 8019 ssl->handshake->alt_transform_out = ssl->transform_out; 8020 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8021 sizeof(ssl->handshake->alt_out_ctr)); 8022 8023 /* Set sequence_number to zero */ 8024 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2); 8025 8026 8027 /* Increment epoch */ 8028 for (i = 2; i > 0; i--) { 8029 if (++ssl->cur_out_ctr[i - 1] != 0) { 8030 break; 8031 } 8032 } 8033 8034 /* The loop goes to its end iff the counter is wrapping */ 8035 if (i == 0) { 8036 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap")); 8037 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING; 8038 } 8039 } else 8040 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 8041 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr)); 8042 8043 ssl->transform_out = ssl->transform_negotiate; 8044 ssl->session_out = ssl->session_negotiate; 8045 8046 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8047 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8048 mbedtls_ssl_send_flight_completed(ssl); 8049 } 8050 #endif 8051 8052 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 8053 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 8054 return ret; 8055 } 8056 8057 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8058 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 8059 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 8060 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); 8061 return ret; 8062 } 8063 #endif 8064 8065 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished")); 8066 8067 return 0; 8068 } 8069 8070 #define SSL_MAX_HASH_LEN 12 8071 8072 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl) 8073 { 8074 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 8075 unsigned int hash_len = 12; 8076 unsigned char buf[SSL_MAX_HASH_LEN]; 8077 8078 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished")); 8079 8080 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1); 8081 if (ret != 0) { 8082 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); 8083 } 8084 8085 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 8086 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 8087 goto exit; 8088 } 8089 8090 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 8091 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8092 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8093 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 8094 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 8095 goto exit; 8096 } 8097 8098 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) { 8099 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8100 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 8101 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 8102 goto exit; 8103 } 8104 8105 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) { 8106 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8107 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8108 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 8109 ret = MBEDTLS_ERR_SSL_DECODE_ERROR; 8110 goto exit; 8111 } 8112 8113 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), 8114 buf, hash_len) != 0) { 8115 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8116 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8117 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); 8118 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 8119 goto exit; 8120 } 8121 8122 #if defined(MBEDTLS_SSL_RENEGOTIATION) 8123 ssl->verify_data_len = hash_len; 8124 memcpy(ssl->peer_verify_data, buf, hash_len); 8125 #endif 8126 8127 if (ssl->handshake->resume != 0) { 8128 #if defined(MBEDTLS_SSL_CLI_C) 8129 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 8130 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 8131 } 8132 #endif 8133 #if defined(MBEDTLS_SSL_SRV_C) 8134 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 8135 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 8136 } 8137 #endif 8138 } else { 8139 ssl->state++; 8140 } 8141 8142 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8143 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8144 mbedtls_ssl_recv_flight_completed(ssl); 8145 } 8146 #endif 8147 8148 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished")); 8149 8150 exit: 8151 mbedtls_platform_zeroize(buf, hash_len); 8152 return ret; 8153 } 8154 8155 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 8156 /* 8157 * Helper to get TLS 1.2 PRF from ciphersuite 8158 * (Duplicates bits of logic from ssl_set_handshake_prfs().) 8159 */ 8160 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id) 8161 { 8162 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = 8163 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id); 8164 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 8165 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 8166 return tls_prf_sha384; 8167 } else 8168 #endif 8169 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 8170 { 8171 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) { 8172 return tls_prf_sha256; 8173 } 8174 } 8175 #endif 8176 #if !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \ 8177 !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 8178 (void) ciphersuite_info; 8179 #endif 8180 8181 return NULL; 8182 } 8183 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 8184 8185 static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf) 8186 { 8187 ((void) tls_prf); 8188 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 8189 if (tls_prf == tls_prf_sha384) { 8190 return MBEDTLS_SSL_TLS_PRF_SHA384; 8191 } else 8192 #endif 8193 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 8194 if (tls_prf == tls_prf_sha256) { 8195 return MBEDTLS_SSL_TLS_PRF_SHA256; 8196 } else 8197 #endif 8198 return MBEDTLS_SSL_TLS_PRF_NONE; 8199 } 8200 8201 /* 8202 * Populate a transform structure with session keys and all the other 8203 * necessary information. 8204 * 8205 * Parameters: 8206 * - [in/out]: transform: structure to populate 8207 * [in] must be just initialised with mbedtls_ssl_transform_init() 8208 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf() 8209 * - [in] ciphersuite 8210 * - [in] master 8211 * - [in] encrypt_then_mac 8212 * - [in] tls_prf: pointer to PRF to use for key derivation 8213 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random 8214 * - [in] tls_version: TLS version 8215 * - [in] endpoint: client or server 8216 * - [in] ssl: used for: 8217 * - ssl->conf->{f,p}_export_keys 8218 * [in] optionally used for: 8219 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg 8220 */ 8221 MBEDTLS_CHECK_RETURN_CRITICAL 8222 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, 8223 int ciphersuite, 8224 const unsigned char master[48], 8225 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8226 int encrypt_then_mac, 8227 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8228 ssl_tls_prf_t tls_prf, 8229 const unsigned char randbytes[64], 8230 mbedtls_ssl_protocol_version tls_version, 8231 unsigned endpoint, 8232 const mbedtls_ssl_context *ssl) 8233 { 8234 int ret = 0; 8235 unsigned char keyblk[256]; 8236 unsigned char *key1; 8237 unsigned char *key2; 8238 unsigned char *mac_enc; 8239 unsigned char *mac_dec; 8240 size_t mac_key_len = 0; 8241 size_t iv_copy_len; 8242 size_t keylen; 8243 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 8244 mbedtls_ssl_mode_t ssl_mode; 8245 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 8246 const mbedtls_cipher_info_t *cipher_info; 8247 const mbedtls_md_info_t *md_info; 8248 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 8249 8250 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8251 psa_key_type_t key_type; 8252 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8253 psa_algorithm_t alg; 8254 psa_algorithm_t mac_alg = 0; 8255 size_t key_bits; 8256 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8257 #endif 8258 8259 #if !defined(MBEDTLS_DEBUG_C) && \ 8260 !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 8261 if (ssl->f_export_keys == NULL) { 8262 ssl = NULL; /* make sure we don't use it except for these cases */ 8263 (void) ssl; 8264 } 8265 #endif 8266 8267 /* 8268 * Some data just needs copying into the structure 8269 */ 8270 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8271 transform->encrypt_then_mac = encrypt_then_mac; 8272 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8273 transform->tls_version = tls_version; 8274 8275 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 8276 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes)); 8277 #endif 8278 8279 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 8280 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 8281 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform 8282 * generation separate. This should never happen. */ 8283 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8284 } 8285 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 8286 8287 /* 8288 * Get various info structures 8289 */ 8290 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite); 8291 if (ciphersuite_info == NULL) { 8292 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found", 8293 ciphersuite)); 8294 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8295 } 8296 8297 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite( 8298 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8299 encrypt_then_mac, 8300 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8301 ciphersuite_info); 8302 8303 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { 8304 transform->taglen = 8305 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 8306 } 8307 8308 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8309 if ((status = mbedtls_ssl_cipher_to_psa(ciphersuite_info->cipher, 8310 transform->taglen, 8311 &alg, 8312 &key_type, 8313 &key_bits)) != PSA_SUCCESS) { 8314 ret = PSA_TO_MBEDTLS_ERR(status); 8315 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret); 8316 goto end; 8317 } 8318 #else 8319 cipher_info = mbedtls_cipher_info_from_type(ciphersuite_info->cipher); 8320 if (cipher_info == NULL) { 8321 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found", 8322 ciphersuite_info->cipher)); 8323 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8324 } 8325 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8326 8327 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8328 mac_alg = mbedtls_hash_info_psa_from_md(ciphersuite_info->mac); 8329 if (mac_alg == 0) { 8330 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_hash_info_psa_from_md for %u not found", 8331 (unsigned) ciphersuite_info->mac)); 8332 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8333 } 8334 #else 8335 md_info = mbedtls_md_info_from_type(ciphersuite_info->mac); 8336 if (md_info == NULL) { 8337 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found", 8338 (unsigned) ciphersuite_info->mac)); 8339 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8340 } 8341 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8342 8343 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 8344 /* Copy own and peer's CID if the use of the CID 8345 * extension has been negotiated. */ 8346 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) { 8347 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform")); 8348 8349 transform->in_cid_len = ssl->own_cid_len; 8350 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len); 8351 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid, 8352 transform->in_cid_len); 8353 8354 transform->out_cid_len = ssl->handshake->peer_cid_len; 8355 memcpy(transform->out_cid, ssl->handshake->peer_cid, 8356 ssl->handshake->peer_cid_len); 8357 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid, 8358 transform->out_cid_len); 8359 } 8360 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 8361 8362 /* 8363 * Compute key block using the PRF 8364 */ 8365 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256); 8366 if (ret != 0) { 8367 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); 8368 return ret; 8369 } 8370 8371 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s", 8372 mbedtls_ssl_get_ciphersuite_name(ciphersuite))); 8373 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48); 8374 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64); 8375 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256); 8376 8377 /* 8378 * Determine the appropriate key, IV and MAC length. 8379 */ 8380 8381 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8382 keylen = PSA_BITS_TO_BYTES(key_bits); 8383 #else 8384 keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8; 8385 #endif 8386 8387 #if defined(MBEDTLS_GCM_C) || \ 8388 defined(MBEDTLS_CCM_C) || \ 8389 defined(MBEDTLS_CHACHAPOLY_C) 8390 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { 8391 size_t explicit_ivlen; 8392 8393 transform->maclen = 0; 8394 mac_key_len = 0; 8395 8396 /* All modes haves 96-bit IVs, but the length of the static parts vary 8397 * with mode and version: 8398 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes 8399 * (to be concatenated with a dynamically chosen IV of 8 Bytes) 8400 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's 8401 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record 8402 * sequence number). 8403 */ 8404 transform->ivlen = 12; 8405 8406 int is_chachapoly = 0; 8407 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8408 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20); 8409 #else 8410 is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info) 8411 == MBEDTLS_MODE_CHACHAPOLY); 8412 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8413 8414 if (is_chachapoly) { 8415 transform->fixed_ivlen = 12; 8416 } else { 8417 transform->fixed_ivlen = 4; 8418 } 8419 8420 /* Minimum length of encrypted record */ 8421 explicit_ivlen = transform->ivlen - transform->fixed_ivlen; 8422 transform->minlen = explicit_ivlen + transform->taglen; 8423 } else 8424 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ 8425 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 8426 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM || 8427 ssl_mode == MBEDTLS_SSL_MODE_CBC || 8428 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { 8429 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8430 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type); 8431 #else 8432 size_t block_size = cipher_info->block_size; 8433 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8434 8435 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8436 /* Get MAC length */ 8437 mac_key_len = PSA_HASH_LENGTH(mac_alg); 8438 #else 8439 /* Initialize HMAC contexts */ 8440 if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 || 8441 (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) { 8442 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); 8443 goto end; 8444 } 8445 8446 /* Get MAC length */ 8447 mac_key_len = mbedtls_md_get_size(md_info); 8448 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8449 transform->maclen = mac_key_len; 8450 8451 /* IV length */ 8452 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8453 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg); 8454 #else 8455 transform->ivlen = cipher_info->iv_size; 8456 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8457 8458 /* Minimum length */ 8459 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) { 8460 transform->minlen = transform->maclen; 8461 } else { 8462 /* 8463 * GenericBlockCipher: 8464 * 1. if EtM is in use: one block plus MAC 8465 * otherwise: * first multiple of blocklen greater than maclen 8466 * 2. IV 8467 */ 8468 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 8469 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { 8470 transform->minlen = transform->maclen 8471 + block_size; 8472 } else 8473 #endif 8474 { 8475 transform->minlen = transform->maclen 8476 + block_size 8477 - transform->maclen % block_size; 8478 } 8479 8480 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 8481 transform->minlen += transform->ivlen; 8482 } else { 8483 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 8484 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8485 goto end; 8486 } 8487 } 8488 } else 8489 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 8490 { 8491 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 8492 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8493 } 8494 8495 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u", 8496 (unsigned) keylen, 8497 (unsigned) transform->minlen, 8498 (unsigned) transform->ivlen, 8499 (unsigned) transform->maclen)); 8500 8501 /* 8502 * Finally setup the cipher contexts, IVs and MAC secrets. 8503 */ 8504 #if defined(MBEDTLS_SSL_CLI_C) 8505 if (endpoint == MBEDTLS_SSL_IS_CLIENT) { 8506 key1 = keyblk + mac_key_len * 2; 8507 key2 = keyblk + mac_key_len * 2 + keylen; 8508 8509 mac_enc = keyblk; 8510 mac_dec = keyblk + mac_key_len; 8511 8512 iv_copy_len = (transform->fixed_ivlen) ? 8513 transform->fixed_ivlen : transform->ivlen; 8514 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len); 8515 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len, 8516 iv_copy_len); 8517 } else 8518 #endif /* MBEDTLS_SSL_CLI_C */ 8519 #if defined(MBEDTLS_SSL_SRV_C) 8520 if (endpoint == MBEDTLS_SSL_IS_SERVER) { 8521 key1 = keyblk + mac_key_len * 2 + keylen; 8522 key2 = keyblk + mac_key_len * 2; 8523 8524 mac_enc = keyblk + mac_key_len; 8525 mac_dec = keyblk; 8526 8527 iv_copy_len = (transform->fixed_ivlen) ? 8528 transform->fixed_ivlen : transform->ivlen; 8529 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len); 8530 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len, 8531 iv_copy_len); 8532 } else 8533 #endif /* MBEDTLS_SSL_SRV_C */ 8534 { 8535 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 8536 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8537 goto end; 8538 } 8539 8540 if (ssl != NULL && ssl->f_export_keys != NULL) { 8541 ssl->f_export_keys(ssl->p_export_keys, 8542 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET, 8543 master, 48, 8544 randbytes + 32, 8545 randbytes, 8546 tls_prf_get_type(tls_prf)); 8547 } 8548 8549 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8550 transform->psa_alg = alg; 8551 8552 if (alg != MBEDTLS_SSL_NULL_CIPHER) { 8553 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 8554 psa_set_key_algorithm(&attributes, alg); 8555 psa_set_key_type(&attributes, key_type); 8556 8557 if ((status = psa_import_key(&attributes, 8558 key1, 8559 PSA_BITS_TO_BYTES(key_bits), 8560 &transform->psa_key_enc)) != PSA_SUCCESS) { 8561 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status); 8562 ret = PSA_TO_MBEDTLS_ERR(status); 8563 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); 8564 goto end; 8565 } 8566 8567 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 8568 8569 if ((status = psa_import_key(&attributes, 8570 key2, 8571 PSA_BITS_TO_BYTES(key_bits), 8572 &transform->psa_key_dec)) != PSA_SUCCESS) { 8573 ret = PSA_TO_MBEDTLS_ERR(status); 8574 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); 8575 goto end; 8576 } 8577 } 8578 #else 8579 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc, 8580 cipher_info)) != 0) { 8581 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); 8582 goto end; 8583 } 8584 8585 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec, 8586 cipher_info)) != 0) { 8587 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); 8588 goto end; 8589 } 8590 8591 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1, 8592 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), 8593 MBEDTLS_ENCRYPT)) != 0) { 8594 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); 8595 goto end; 8596 } 8597 8598 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2, 8599 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), 8600 MBEDTLS_DECRYPT)) != 0) { 8601 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); 8602 goto end; 8603 } 8604 8605 #if defined(MBEDTLS_CIPHER_MODE_CBC) 8606 if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) { 8607 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc, 8608 MBEDTLS_PADDING_NONE)) != 0) { 8609 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); 8610 goto end; 8611 } 8612 8613 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec, 8614 MBEDTLS_PADDING_NONE)) != 0) { 8615 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); 8616 goto end; 8617 } 8618 } 8619 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 8620 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8621 8622 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 8623 /* For HMAC-based ciphersuites, initialize the HMAC transforms. 8624 For AEAD-based ciphersuites, there is nothing to do here. */ 8625 if (mac_key_len != 0) { 8626 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8627 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg); 8628 8629 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); 8630 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg)); 8631 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); 8632 8633 if ((status = psa_import_key(&attributes, 8634 mac_enc, mac_key_len, 8635 &transform->psa_mac_enc)) != PSA_SUCCESS) { 8636 ret = PSA_TO_MBEDTLS_ERR(status); 8637 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); 8638 goto end; 8639 } 8640 8641 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) || 8642 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING) 8643 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8644 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) 8645 #endif 8646 )) { 8647 /* mbedtls_ct_hmac() requires the key to be exportable */ 8648 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT | 8649 PSA_KEY_USAGE_VERIFY_HASH); 8650 } else { 8651 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 8652 } 8653 8654 if ((status = psa_import_key(&attributes, 8655 mac_dec, mac_key_len, 8656 &transform->psa_mac_dec)) != PSA_SUCCESS) { 8657 ret = PSA_TO_MBEDTLS_ERR(status); 8658 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); 8659 goto end; 8660 } 8661 #else 8662 ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len); 8663 if (ret != 0) { 8664 goto end; 8665 } 8666 ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len); 8667 if (ret != 0) { 8668 goto end; 8669 } 8670 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8671 } 8672 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 8673 8674 ((void) mac_dec); 8675 ((void) mac_enc); 8676 8677 end: 8678 mbedtls_platform_zeroize(keyblk, sizeof(keyblk)); 8679 return ret; 8680 } 8681 8682 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 8683 defined(MBEDTLS_USE_PSA_CRYPTO) 8684 int mbedtls_psa_ecjpake_read_round( 8685 psa_pake_operation_t *pake_ctx, 8686 const unsigned char *buf, 8687 size_t len, mbedtls_ecjpake_rounds_t round) 8688 { 8689 psa_status_t status; 8690 size_t input_offset = 0; 8691 /* 8692 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice 8693 * At round two perform a single cycle 8694 */ 8695 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; 8696 8697 for (; remaining_steps > 0; remaining_steps--) { 8698 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; 8699 step <= PSA_PAKE_STEP_ZK_PROOF; 8700 ++step) { 8701 /* Length is stored at the first byte */ 8702 size_t length = buf[input_offset]; 8703 input_offset += 1; 8704 8705 if (input_offset + length > len) { 8706 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 8707 } 8708 8709 status = psa_pake_input(pake_ctx, step, 8710 buf + input_offset, length); 8711 if (status != PSA_SUCCESS) { 8712 return PSA_TO_MBEDTLS_ERR(status); 8713 } 8714 8715 input_offset += length; 8716 } 8717 } 8718 8719 if (input_offset != len) { 8720 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 8721 } 8722 8723 return 0; 8724 } 8725 8726 int mbedtls_psa_ecjpake_write_round( 8727 psa_pake_operation_t *pake_ctx, 8728 unsigned char *buf, 8729 size_t len, size_t *olen, 8730 mbedtls_ecjpake_rounds_t round) 8731 { 8732 psa_status_t status; 8733 size_t output_offset = 0; 8734 size_t output_len; 8735 /* 8736 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice 8737 * At round two perform a single cycle 8738 */ 8739 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; 8740 8741 for (; remaining_steps > 0; remaining_steps--) { 8742 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; 8743 step <= PSA_PAKE_STEP_ZK_PROOF; 8744 ++step) { 8745 /* 8746 * For each step, prepend 1 byte with the length of the data as 8747 * given by psa_pake_output(). 8748 */ 8749 status = psa_pake_output(pake_ctx, step, 8750 buf + output_offset + 1, 8751 len - output_offset - 1, 8752 &output_len); 8753 if (status != PSA_SUCCESS) { 8754 return PSA_TO_MBEDTLS_ERR(status); 8755 } 8756 8757 *(buf + output_offset) = (uint8_t) output_len; 8758 8759 output_offset += output_len + 1; 8760 } 8761 } 8762 8763 *olen = output_offset; 8764 8765 return 0; 8766 } 8767 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO 8768 8769 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8770 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 8771 unsigned char *hash, size_t *hashlen, 8772 unsigned char *data, size_t data_len, 8773 mbedtls_md_type_t md_alg) 8774 { 8775 psa_status_t status; 8776 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT; 8777 psa_algorithm_t hash_alg = mbedtls_hash_info_psa_from_md(md_alg); 8778 8779 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange")); 8780 8781 if ((status = psa_hash_setup(&hash_operation, 8782 hash_alg)) != PSA_SUCCESS) { 8783 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status); 8784 goto exit; 8785 } 8786 8787 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes, 8788 64)) != PSA_SUCCESS) { 8789 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); 8790 goto exit; 8791 } 8792 8793 if ((status = psa_hash_update(&hash_operation, 8794 data, data_len)) != PSA_SUCCESS) { 8795 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); 8796 goto exit; 8797 } 8798 8799 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE, 8800 hashlen)) != PSA_SUCCESS) { 8801 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status); 8802 goto exit; 8803 } 8804 8805 exit: 8806 if (status != PSA_SUCCESS) { 8807 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8808 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 8809 switch (status) { 8810 case PSA_ERROR_NOT_SUPPORTED: 8811 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE; 8812 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */ 8813 case PSA_ERROR_BUFFER_TOO_SMALL: 8814 return MBEDTLS_ERR_MD_BAD_INPUT_DATA; 8815 case PSA_ERROR_INSUFFICIENT_MEMORY: 8816 return MBEDTLS_ERR_MD_ALLOC_FAILED; 8817 default: 8818 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 8819 } 8820 } 8821 return 0; 8822 } 8823 8824 #else 8825 8826 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 8827 unsigned char *hash, size_t *hashlen, 8828 unsigned char *data, size_t data_len, 8829 mbedtls_md_type_t md_alg) 8830 { 8831 int ret = 0; 8832 mbedtls_md_context_t ctx; 8833 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg); 8834 *hashlen = mbedtls_md_get_size(md_info); 8835 8836 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange")); 8837 8838 mbedtls_md_init(&ctx); 8839 8840 /* 8841 * digitally-signed struct { 8842 * opaque client_random[32]; 8843 * opaque server_random[32]; 8844 * ServerDHParams params; 8845 * }; 8846 */ 8847 if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) { 8848 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); 8849 goto exit; 8850 } 8851 if ((ret = mbedtls_md_starts(&ctx)) != 0) { 8852 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret); 8853 goto exit; 8854 } 8855 if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) { 8856 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); 8857 goto exit; 8858 } 8859 if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) { 8860 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); 8861 goto exit; 8862 } 8863 if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) { 8864 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 8865 goto exit; 8866 } 8867 8868 exit: 8869 mbedtls_md_free(&ctx); 8870 8871 if (ret != 0) { 8872 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8873 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 8874 } 8875 8876 return ret; 8877 } 8878 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8879 8880 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 8881 8882 /* Find the preferred hash for a given signature algorithm. */ 8883 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 8884 mbedtls_ssl_context *ssl, 8885 unsigned int sig_alg) 8886 { 8887 unsigned int i; 8888 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; 8889 8890 if (sig_alg == MBEDTLS_SSL_SIG_ANON) { 8891 return MBEDTLS_SSL_HASH_NONE; 8892 } 8893 8894 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { 8895 unsigned int hash_alg_received = 8896 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG( 8897 received_sig_algs[i]); 8898 unsigned int sig_alg_received = 8899 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG( 8900 received_sig_algs[i]); 8901 8902 if (sig_alg == sig_alg_received) { 8903 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8904 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) { 8905 psa_algorithm_t psa_hash_alg = 8906 mbedtls_hash_info_psa_from_md(hash_alg_received); 8907 8908 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA && 8909 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, 8910 PSA_ALG_ECDSA(psa_hash_alg), 8911 PSA_KEY_USAGE_SIGN_HASH)) { 8912 continue; 8913 } 8914 8915 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA && 8916 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, 8917 PSA_ALG_RSA_PKCS1V15_SIGN( 8918 psa_hash_alg), 8919 PSA_KEY_USAGE_SIGN_HASH)) { 8920 continue; 8921 } 8922 } 8923 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8924 8925 return hash_alg_received; 8926 } 8927 } 8928 8929 return MBEDTLS_SSL_HASH_NONE; 8930 } 8931 8932 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 8933 8934 /* Serialization of TLS 1.2 sessions: 8935 * 8936 * struct { 8937 * uint64 start_time; 8938 * uint8 ciphersuite[2]; // defined by the standard 8939 * uint8 session_id_len; // at most 32 8940 * opaque session_id[32]; 8941 * opaque master[48]; // fixed length in the standard 8942 * uint32 verify_result; 8943 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert 8944 * opaque ticket<0..2^24-1>; // length 0 means no ticket 8945 * uint32 ticket_lifetime; 8946 * uint8 mfl_code; // up to 255 according to standard 8947 * uint8 encrypt_then_mac; // 0 or 1 8948 * } serialized_session_tls12; 8949 * 8950 */ 8951 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, 8952 unsigned char *buf, 8953 size_t buf_len) 8954 { 8955 unsigned char *p = buf; 8956 size_t used = 0; 8957 8958 #if defined(MBEDTLS_HAVE_TIME) 8959 uint64_t start; 8960 #endif 8961 #if defined(MBEDTLS_X509_CRT_PARSE_C) 8962 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 8963 size_t cert_len; 8964 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 8965 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 8966 8967 /* 8968 * Time 8969 */ 8970 #if defined(MBEDTLS_HAVE_TIME) 8971 used += 8; 8972 8973 if (used <= buf_len) { 8974 start = (uint64_t) session->start; 8975 8976 MBEDTLS_PUT_UINT64_BE(start, p, 0); 8977 p += 8; 8978 } 8979 #endif /* MBEDTLS_HAVE_TIME */ 8980 8981 /* 8982 * Basic mandatory fields 8983 */ 8984 used += 2 /* ciphersuite */ 8985 + 1 /* id_len */ 8986 + sizeof(session->id) 8987 + sizeof(session->master) 8988 + 4; /* verify_result */ 8989 8990 if (used <= buf_len) { 8991 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0); 8992 p += 2; 8993 8994 *p++ = MBEDTLS_BYTE_0(session->id_len); 8995 memcpy(p, session->id, 32); 8996 p += 32; 8997 8998 memcpy(p, session->master, 48); 8999 p += 48; 9000 9001 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0); 9002 p += 4; 9003 } 9004 9005 /* 9006 * Peer's end-entity certificate 9007 */ 9008 #if defined(MBEDTLS_X509_CRT_PARSE_C) 9009 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 9010 if (session->peer_cert == NULL) { 9011 cert_len = 0; 9012 } else { 9013 cert_len = session->peer_cert->raw.len; 9014 } 9015 9016 used += 3 + cert_len; 9017 9018 if (used <= buf_len) { 9019 *p++ = MBEDTLS_BYTE_2(cert_len); 9020 *p++ = MBEDTLS_BYTE_1(cert_len); 9021 *p++ = MBEDTLS_BYTE_0(cert_len); 9022 9023 if (session->peer_cert != NULL) { 9024 memcpy(p, session->peer_cert->raw.p, cert_len); 9025 p += cert_len; 9026 } 9027 } 9028 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 9029 if (session->peer_cert_digest != NULL) { 9030 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len; 9031 if (used <= buf_len) { 9032 *p++ = (unsigned char) session->peer_cert_digest_type; 9033 *p++ = (unsigned char) session->peer_cert_digest_len; 9034 memcpy(p, session->peer_cert_digest, 9035 session->peer_cert_digest_len); 9036 p += session->peer_cert_digest_len; 9037 } 9038 } else { 9039 used += 2; 9040 if (used <= buf_len) { 9041 *p++ = (unsigned char) MBEDTLS_MD_NONE; 9042 *p++ = 0; 9043 } 9044 } 9045 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 9046 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 9047 9048 /* 9049 * Session ticket if any, plus associated data 9050 */ 9051 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 9052 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */ 9053 9054 if (used <= buf_len) { 9055 *p++ = MBEDTLS_BYTE_2(session->ticket_len); 9056 *p++ = MBEDTLS_BYTE_1(session->ticket_len); 9057 *p++ = MBEDTLS_BYTE_0(session->ticket_len); 9058 9059 if (session->ticket != NULL) { 9060 memcpy(p, session->ticket, session->ticket_len); 9061 p += session->ticket_len; 9062 } 9063 9064 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); 9065 p += 4; 9066 } 9067 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 9068 9069 /* 9070 * Misc extension-related info 9071 */ 9072 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 9073 used += 1; 9074 9075 if (used <= buf_len) { 9076 *p++ = session->mfl_code; 9077 } 9078 #endif 9079 9080 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 9081 used += 1; 9082 9083 if (used <= buf_len) { 9084 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac); 9085 } 9086 #endif 9087 9088 return used; 9089 } 9090 9091 MBEDTLS_CHECK_RETURN_CRITICAL 9092 static int ssl_tls12_session_load(mbedtls_ssl_session *session, 9093 const unsigned char *buf, 9094 size_t len) 9095 { 9096 #if defined(MBEDTLS_HAVE_TIME) 9097 uint64_t start; 9098 #endif 9099 #if defined(MBEDTLS_X509_CRT_PARSE_C) 9100 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 9101 size_t cert_len; 9102 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 9103 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 9104 9105 const unsigned char *p = buf; 9106 const unsigned char * const end = buf + len; 9107 9108 /* 9109 * Time 9110 */ 9111 #if defined(MBEDTLS_HAVE_TIME) 9112 if (8 > (size_t) (end - p)) { 9113 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9114 } 9115 9116 start = ((uint64_t) p[0] << 56) | 9117 ((uint64_t) p[1] << 48) | 9118 ((uint64_t) p[2] << 40) | 9119 ((uint64_t) p[3] << 32) | 9120 ((uint64_t) p[4] << 24) | 9121 ((uint64_t) p[5] << 16) | 9122 ((uint64_t) p[6] << 8) | 9123 ((uint64_t) p[7]); 9124 p += 8; 9125 9126 session->start = (time_t) start; 9127 #endif /* MBEDTLS_HAVE_TIME */ 9128 9129 /* 9130 * Basic mandatory fields 9131 */ 9132 if (2 + 1 + 32 + 48 + 4 > (size_t) (end - p)) { 9133 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9134 } 9135 9136 session->ciphersuite = (p[0] << 8) | p[1]; 9137 p += 2; 9138 9139 session->id_len = *p++; 9140 memcpy(session->id, p, 32); 9141 p += 32; 9142 9143 memcpy(session->master, p, 48); 9144 p += 48; 9145 9146 session->verify_result = ((uint32_t) p[0] << 24) | 9147 ((uint32_t) p[1] << 16) | 9148 ((uint32_t) p[2] << 8) | 9149 ((uint32_t) p[3]); 9150 p += 4; 9151 9152 /* Immediately clear invalid pointer values that have been read, in case 9153 * we exit early before we replaced them with valid ones. */ 9154 #if defined(MBEDTLS_X509_CRT_PARSE_C) 9155 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 9156 session->peer_cert = NULL; 9157 #else 9158 session->peer_cert_digest = NULL; 9159 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 9160 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 9161 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 9162 session->ticket = NULL; 9163 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 9164 9165 /* 9166 * Peer certificate 9167 */ 9168 #if defined(MBEDTLS_X509_CRT_PARSE_C) 9169 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 9170 /* Deserialize CRT from the end of the ticket. */ 9171 if (3 > (size_t) (end - p)) { 9172 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9173 } 9174 9175 cert_len = (p[0] << 16) | (p[1] << 8) | p[2]; 9176 p += 3; 9177 9178 if (cert_len != 0) { 9179 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 9180 9181 if (cert_len > (size_t) (end - p)) { 9182 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9183 } 9184 9185 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 9186 9187 if (session->peer_cert == NULL) { 9188 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 9189 } 9190 9191 mbedtls_x509_crt_init(session->peer_cert); 9192 9193 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert, 9194 p, cert_len)) != 0) { 9195 mbedtls_x509_crt_free(session->peer_cert); 9196 mbedtls_free(session->peer_cert); 9197 session->peer_cert = NULL; 9198 return ret; 9199 } 9200 9201 p += cert_len; 9202 } 9203 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 9204 /* Deserialize CRT digest from the end of the ticket. */ 9205 if (2 > (size_t) (end - p)) { 9206 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9207 } 9208 9209 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++; 9210 session->peer_cert_digest_len = (size_t) *p++; 9211 9212 if (session->peer_cert_digest_len != 0) { 9213 const mbedtls_md_info_t *md_info = 9214 mbedtls_md_info_from_type(session->peer_cert_digest_type); 9215 if (md_info == NULL) { 9216 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9217 } 9218 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) { 9219 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9220 } 9221 9222 if (session->peer_cert_digest_len > (size_t) (end - p)) { 9223 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9224 } 9225 9226 session->peer_cert_digest = 9227 mbedtls_calloc(1, session->peer_cert_digest_len); 9228 if (session->peer_cert_digest == NULL) { 9229 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 9230 } 9231 9232 memcpy(session->peer_cert_digest, p, 9233 session->peer_cert_digest_len); 9234 p += session->peer_cert_digest_len; 9235 } 9236 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 9237 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 9238 9239 /* 9240 * Session ticket and associated data 9241 */ 9242 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 9243 if (3 > (size_t) (end - p)) { 9244 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9245 } 9246 9247 session->ticket_len = (p[0] << 16) | (p[1] << 8) | p[2]; 9248 p += 3; 9249 9250 if (session->ticket_len != 0) { 9251 if (session->ticket_len > (size_t) (end - p)) { 9252 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9253 } 9254 9255 session->ticket = mbedtls_calloc(1, session->ticket_len); 9256 if (session->ticket == NULL) { 9257 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 9258 } 9259 9260 memcpy(session->ticket, p, session->ticket_len); 9261 p += session->ticket_len; 9262 } 9263 9264 if (4 > (size_t) (end - p)) { 9265 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9266 } 9267 9268 session->ticket_lifetime = ((uint32_t) p[0] << 24) | 9269 ((uint32_t) p[1] << 16) | 9270 ((uint32_t) p[2] << 8) | 9271 ((uint32_t) p[3]); 9272 p += 4; 9273 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 9274 9275 /* 9276 * Misc extension-related info 9277 */ 9278 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 9279 if (1 > (size_t) (end - p)) { 9280 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9281 } 9282 9283 session->mfl_code = *p++; 9284 #endif 9285 9286 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 9287 if (1 > (size_t) (end - p)) { 9288 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9289 } 9290 9291 session->encrypt_then_mac = *p++; 9292 #endif 9293 9294 /* Done, should have consumed entire buffer */ 9295 if (p != end) { 9296 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9297 } 9298 9299 return 0; 9300 } 9301 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 9302 9303 int mbedtls_ssl_validate_ciphersuite( 9304 const mbedtls_ssl_context *ssl, 9305 const mbedtls_ssl_ciphersuite_t *suite_info, 9306 mbedtls_ssl_protocol_version min_tls_version, 9307 mbedtls_ssl_protocol_version max_tls_version) 9308 { 9309 (void) ssl; 9310 9311 if (suite_info == NULL) { 9312 return -1; 9313 } 9314 9315 if ((suite_info->min_tls_version > max_tls_version) || 9316 (suite_info->max_tls_version < min_tls_version)) { 9317 return -1; 9318 } 9319 9320 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C) 9321 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 9322 #if defined(MBEDTLS_USE_PSA_CRYPTO) 9323 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 9324 ssl->handshake->psa_pake_ctx_is_ok != 1) 9325 #else 9326 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 9327 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) 9328 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 9329 { 9330 return -1; 9331 } 9332 #endif 9333 9334 /* Don't suggest PSK-based ciphersuite if no PSK is available. */ 9335 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 9336 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) && 9337 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) { 9338 return -1; 9339 } 9340 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 9341 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 9342 9343 return 0; 9344 } 9345 9346 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 9347 /* 9348 * Function for writing a signature algorithm extension. 9349 * 9350 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList` 9351 * value (TLS 1.3 RFC8446): 9352 * enum { 9353 * .... 9354 * ecdsa_secp256r1_sha256( 0x0403 ), 9355 * ecdsa_secp384r1_sha384( 0x0503 ), 9356 * ecdsa_secp521r1_sha512( 0x0603 ), 9357 * .... 9358 * } SignatureScheme; 9359 * 9360 * struct { 9361 * SignatureScheme supported_signature_algorithms<2..2^16-2>; 9362 * } SignatureSchemeList; 9363 * 9364 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm` 9365 * value (TLS 1.2 RFC5246): 9366 * enum { 9367 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 9368 * sha512(6), (255) 9369 * } HashAlgorithm; 9370 * 9371 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 9372 * SignatureAlgorithm; 9373 * 9374 * struct { 9375 * HashAlgorithm hash; 9376 * SignatureAlgorithm signature; 9377 * } SignatureAndHashAlgorithm; 9378 * 9379 * SignatureAndHashAlgorithm 9380 * supported_signature_algorithms<2..2^16-2>; 9381 * 9382 * The TLS 1.3 signature algorithm extension was defined to be a compatible 9383 * generalization of the TLS 1.2 signature algorithm extension. 9384 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by 9385 * `SignatureScheme` field of TLS 1.3 9386 * 9387 */ 9388 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf, 9389 const unsigned char *end, size_t *out_len) 9390 { 9391 unsigned char *p = buf; 9392 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */ 9393 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */ 9394 9395 *out_len = 0; 9396 9397 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension")); 9398 9399 /* Check if we have space for header and length field: 9400 * - extension_type (2 bytes) 9401 * - extension_data_length (2 bytes) 9402 * - supported_signature_algorithms_length (2 bytes) 9403 */ 9404 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); 9405 p += 6; 9406 9407 /* 9408 * Write supported_signature_algorithms 9409 */ 9410 supported_sig_alg = p; 9411 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); 9412 if (sig_alg == NULL) { 9413 return MBEDTLS_ERR_SSL_BAD_CONFIG; 9414 } 9415 9416 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) { 9417 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s", 9418 *sig_alg, 9419 mbedtls_ssl_sig_alg_to_str(*sig_alg))); 9420 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) { 9421 continue; 9422 } 9423 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 9424 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0); 9425 p += 2; 9426 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s", 9427 *sig_alg, 9428 mbedtls_ssl_sig_alg_to_str(*sig_alg))); 9429 } 9430 9431 /* Length of supported_signature_algorithms */ 9432 supported_sig_alg_len = p - supported_sig_alg; 9433 if (supported_sig_alg_len == 0) { 9434 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined.")); 9435 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 9436 } 9437 9438 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0); 9439 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2); 9440 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4); 9441 9442 *out_len = p - buf; 9443 9444 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 9445 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG); 9446 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 9447 9448 return 0; 9449 } 9450 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 9451 9452 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 9453 /* 9454 * mbedtls_ssl_parse_server_name_ext 9455 * 9456 * Structure of server_name extension: 9457 * 9458 * enum { 9459 * host_name(0), (255) 9460 * } NameType; 9461 * opaque HostName<1..2^16-1>; 9462 * 9463 * struct { 9464 * NameType name_type; 9465 * select (name_type) { 9466 * case host_name: HostName; 9467 * } name; 9468 * } ServerName; 9469 * struct { 9470 * ServerName server_name_list<1..2^16-1> 9471 * } ServerNameList; 9472 */ 9473 MBEDTLS_CHECK_RETURN_CRITICAL 9474 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl, 9475 const unsigned char *buf, 9476 const unsigned char *end) 9477 { 9478 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 9479 const unsigned char *p = buf; 9480 size_t server_name_list_len, hostname_len; 9481 const unsigned char *server_name_list_end; 9482 9483 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension")); 9484 9485 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 9486 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0); 9487 p += 2; 9488 9489 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len); 9490 server_name_list_end = p + server_name_list_len; 9491 while (p < server_name_list_end) { 9492 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3); 9493 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1); 9494 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 9495 hostname_len + 3); 9496 9497 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) { 9498 /* sni_name is intended to be used only during the parsing of the 9499 * ClientHello message (it is reset to NULL before the end of 9500 * the message parsing). Thus it is ok to just point to the 9501 * reception buffer and not make a copy of it. 9502 */ 9503 ssl->handshake->sni_name = p + 3; 9504 ssl->handshake->sni_name_len = hostname_len; 9505 if (ssl->conf->f_sni == NULL) { 9506 return 0; 9507 } 9508 ret = ssl->conf->f_sni(ssl->conf->p_sni, 9509 ssl, p + 3, hostname_len); 9510 if (ret != 0) { 9511 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret); 9512 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME, 9513 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME); 9514 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME; 9515 } 9516 return 0; 9517 } 9518 9519 p += hostname_len + 3; 9520 } 9521 9522 return 0; 9523 } 9524 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 9525 9526 #if defined(MBEDTLS_SSL_ALPN) 9527 MBEDTLS_CHECK_RETURN_CRITICAL 9528 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, 9529 const unsigned char *buf, 9530 const unsigned char *end) 9531 { 9532 const unsigned char *p = buf; 9533 size_t protocol_name_list_len; 9534 const unsigned char *protocol_name_list; 9535 const unsigned char *protocol_name_list_end; 9536 size_t protocol_name_len; 9537 9538 /* If ALPN not configured, just ignore the extension */ 9539 if (ssl->conf->alpn_list == NULL) { 9540 return 0; 9541 } 9542 9543 /* 9544 * RFC7301, section 3.1 9545 * opaque ProtocolName<1..2^8-1>; 9546 * 9547 * struct { 9548 * ProtocolName protocol_name_list<2..2^16-1> 9549 * } ProtocolNameList; 9550 */ 9551 9552 /* 9553 * protocol_name_list_len 2 bytes 9554 * protocol_name_len 1 bytes 9555 * protocol_name >=1 byte 9556 */ 9557 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4); 9558 9559 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0); 9560 p += 2; 9561 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len); 9562 protocol_name_list = p; 9563 protocol_name_list_end = p + protocol_name_list_len; 9564 9565 /* Validate peer's list (lengths) */ 9566 while (p < protocol_name_list_end) { 9567 protocol_name_len = *p++; 9568 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 9569 protocol_name_len); 9570 if (protocol_name_len == 0) { 9571 MBEDTLS_SSL_PEND_FATAL_ALERT( 9572 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 9573 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 9574 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 9575 } 9576 9577 p += protocol_name_len; 9578 } 9579 9580 /* Use our order of preference */ 9581 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) { 9582 size_t const alpn_len = strlen(*alpn); 9583 p = protocol_name_list; 9584 while (p < protocol_name_list_end) { 9585 protocol_name_len = *p++; 9586 if (protocol_name_len == alpn_len && 9587 memcmp(p, *alpn, alpn_len) == 0) { 9588 ssl->alpn_chosen = *alpn; 9589 return 0; 9590 } 9591 9592 p += protocol_name_len; 9593 } 9594 } 9595 9596 /* If we get here, no match was found */ 9597 MBEDTLS_SSL_PEND_FATAL_ALERT( 9598 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL, 9599 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL); 9600 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL; 9601 } 9602 9603 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl, 9604 unsigned char *buf, 9605 unsigned char *end, 9606 size_t *out_len) 9607 { 9608 unsigned char *p = buf; 9609 size_t protocol_name_len; 9610 *out_len = 0; 9611 9612 if (ssl->alpn_chosen == NULL) { 9613 return 0; 9614 } 9615 9616 protocol_name_len = strlen(ssl->alpn_chosen); 9617 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len); 9618 9619 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension")); 9620 /* 9621 * 0 . 1 ext identifier 9622 * 2 . 3 ext length 9623 * 4 . 5 protocol list length 9624 * 6 . 6 protocol name length 9625 * 7 . 7+n protocol name 9626 */ 9627 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0); 9628 9629 *out_len = 7 + protocol_name_len; 9630 9631 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2); 9632 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4); 9633 /* Note: the length of the chosen protocol has been checked to be less 9634 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`. 9635 */ 9636 p[6] = MBEDTLS_BYTE_0(protocol_name_len); 9637 9638 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len); 9639 9640 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 9641 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN); 9642 #endif 9643 9644 return 0; 9645 } 9646 #endif /* MBEDTLS_SSL_ALPN */ 9647 9648 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 9649 defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 9650 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ 9651 defined(MBEDTLS_SSL_CLI_C) 9652 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, 9653 const char *hostname) 9654 { 9655 /* Initialize to suppress unnecessary compiler warning */ 9656 size_t hostname_len = 0; 9657 9658 /* Check if new hostname is valid before 9659 * making any change to current one */ 9660 if (hostname != NULL) { 9661 hostname_len = strlen(hostname); 9662 9663 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) { 9664 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9665 } 9666 } 9667 9668 /* Now it's clear that we will overwrite the old hostname, 9669 * so we can free it safely */ 9670 if (session->hostname != NULL) { 9671 mbedtls_platform_zeroize(session->hostname, 9672 strlen(session->hostname)); 9673 mbedtls_free(session->hostname); 9674 } 9675 9676 /* Passing NULL as hostname shall clear the old one */ 9677 if (hostname == NULL) { 9678 session->hostname = NULL; 9679 } else { 9680 session->hostname = mbedtls_calloc(1, hostname_len + 1); 9681 if (session->hostname == NULL) { 9682 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 9683 } 9684 9685 memcpy(session->hostname, hostname, hostname_len); 9686 } 9687 9688 return 0; 9689 } 9690 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && 9691 MBEDTLS_SSL_SESSION_TICKETS && 9692 MBEDTLS_SSL_SERVER_NAME_INDICATION && 9693 MBEDTLS_SSL_CLI_C */ 9694 9695 #endif /* MBEDTLS_SSL_TLS_C */ 9696