1 /* 2 * TLS shared functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 /* 8 * http://www.ietf.org/rfc/rfc2246.txt 9 * http://www.ietf.org/rfc/rfc4346.txt 10 */ 11 12 #include "common.h" 13 14 #if defined(MBEDTLS_SSL_TLS_C) 15 16 #include "mbedtls/platform.h" 17 18 #include "mbedtls/ssl.h" 19 #include "ssl_client.h" 20 #include "ssl_debug_helpers.h" 21 #include "ssl_misc.h" 22 23 #include "debug_internal.h" 24 #include "mbedtls/error.h" 25 #include "mbedtls/platform_util.h" 26 #include "mbedtls/version.h" 27 #include "mbedtls/constant_time.h" 28 29 #include <string.h> 30 31 #if defined(MBEDTLS_USE_PSA_CRYPTO) 32 #include "mbedtls/psa_util.h" 33 #include "md_psa.h" 34 #include "psa_util_internal.h" 35 #include "psa/crypto.h" 36 #endif 37 38 #if defined(MBEDTLS_X509_CRT_PARSE_C) 39 #include "mbedtls/oid.h" 40 #endif 41 42 #if defined(MBEDTLS_USE_PSA_CRYPTO) 43 /* Define local translating functions to save code size by not using too many 44 * arguments in each translating place. */ 45 static int local_err_translation(psa_status_t status) 46 { 47 return psa_status_to_mbedtls(status, psa_to_ssl_errors, 48 ARRAY_LENGTH(psa_to_ssl_errors), 49 psa_generic_status_to_mbedtls); 50 } 51 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) 52 #endif 53 54 #if defined(MBEDTLS_TEST_HOOKS) 55 static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args; 56 57 void mbedtls_ssl_set_chk_buf_ptr_fail_args( 58 const uint8_t *cur, const uint8_t *end, size_t need) 59 { 60 chk_buf_ptr_fail_args.cur = cur; 61 chk_buf_ptr_fail_args.end = end; 62 chk_buf_ptr_fail_args.need = need; 63 } 64 65 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void) 66 { 67 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args)); 68 } 69 70 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args) 71 { 72 return (chk_buf_ptr_fail_args.cur != args->cur) || 73 (chk_buf_ptr_fail_args.end != args->end) || 74 (chk_buf_ptr_fail_args.need != args->need); 75 } 76 #endif /* MBEDTLS_TEST_HOOKS */ 77 78 #if defined(MBEDTLS_SSL_PROTO_DTLS) 79 80 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 81 /* Top-level Connection ID API */ 82 83 int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, 84 size_t len, 85 int ignore_other_cid) 86 { 87 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) { 88 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 89 } 90 91 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL && 92 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) { 93 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 94 } 95 96 conf->ignore_unexpected_cid = ignore_other_cid; 97 conf->cid_len = len; 98 return 0; 99 } 100 101 int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl, 102 int enable, 103 unsigned char const *own_cid, 104 size_t own_cid_len) 105 { 106 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 107 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 108 } 109 110 ssl->negotiate_cid = enable; 111 if (enable == MBEDTLS_SSL_CID_DISABLED) { 112 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension.")); 113 return 0; 114 } 115 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension.")); 116 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len); 117 118 if (own_cid_len != ssl->conf->cid_len) { 119 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config", 120 (unsigned) own_cid_len, 121 (unsigned) ssl->conf->cid_len)); 122 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 123 } 124 125 memcpy(ssl->own_cid, own_cid, own_cid_len); 126 /* Truncation is not an issue here because 127 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */ 128 ssl->own_cid_len = (uint8_t) own_cid_len; 129 130 return 0; 131 } 132 133 int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl, 134 int *enabled, 135 unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX], 136 size_t *own_cid_len) 137 { 138 *enabled = MBEDTLS_SSL_CID_DISABLED; 139 140 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 141 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 142 } 143 144 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is 145 * zero as this is indistinguishable from not requesting to use 146 * the CID extension. */ 147 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { 148 return 0; 149 } 150 151 if (own_cid_len != NULL) { 152 *own_cid_len = ssl->own_cid_len; 153 if (own_cid != NULL) { 154 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len); 155 } 156 } 157 158 *enabled = MBEDTLS_SSL_CID_ENABLED; 159 160 return 0; 161 } 162 163 int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl, 164 int *enabled, 165 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX], 166 size_t *peer_cid_len) 167 { 168 *enabled = MBEDTLS_SSL_CID_DISABLED; 169 170 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 171 mbedtls_ssl_is_handshake_over(ssl) == 0) { 172 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 173 } 174 175 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions 176 * were used, but client and server requested the empty CID. 177 * This is indistinguishable from not using the CID extension 178 * in the first place. */ 179 if (ssl->transform_in->in_cid_len == 0 && 180 ssl->transform_in->out_cid_len == 0) { 181 return 0; 182 } 183 184 if (peer_cid_len != NULL) { 185 *peer_cid_len = ssl->transform_in->out_cid_len; 186 if (peer_cid != NULL) { 187 memcpy(peer_cid, ssl->transform_in->out_cid, 188 ssl->transform_in->out_cid_len); 189 } 190 } 191 192 *enabled = MBEDTLS_SSL_CID_ENABLED; 193 194 return 0; 195 } 196 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 197 198 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 199 200 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 201 /* 202 * Convert max_fragment_length codes to length. 203 * RFC 6066 says: 204 * enum{ 205 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) 206 * } MaxFragmentLength; 207 * and we add 0 -> extension unused 208 */ 209 static unsigned int ssl_mfl_code_to_length(int mfl) 210 { 211 switch (mfl) { 212 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE: 213 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN; 214 case MBEDTLS_SSL_MAX_FRAG_LEN_512: 215 return 512; 216 case MBEDTLS_SSL_MAX_FRAG_LEN_1024: 217 return 1024; 218 case MBEDTLS_SSL_MAX_FRAG_LEN_2048: 219 return 2048; 220 case MBEDTLS_SSL_MAX_FRAG_LEN_4096: 221 return 4096; 222 default: 223 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN; 224 } 225 } 226 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 227 228 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst, 229 const mbedtls_ssl_session *src) 230 { 231 mbedtls_ssl_session_free(dst); 232 memcpy(dst, src, sizeof(mbedtls_ssl_session)); 233 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 234 dst->ticket = NULL; 235 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 236 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 237 dst->hostname = NULL; 238 #endif 239 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 240 241 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \ 242 defined(MBEDTLS_SSL_EARLY_DATA) 243 dst->ticket_alpn = NULL; 244 #endif 245 246 #if defined(MBEDTLS_X509_CRT_PARSE_C) 247 248 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 249 if (src->peer_cert != NULL) { 250 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 251 252 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 253 if (dst->peer_cert == NULL) { 254 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 255 } 256 257 mbedtls_x509_crt_init(dst->peer_cert); 258 259 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p, 260 src->peer_cert->raw.len)) != 0) { 261 mbedtls_free(dst->peer_cert); 262 dst->peer_cert = NULL; 263 return ret; 264 } 265 } 266 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 267 if (src->peer_cert_digest != NULL) { 268 dst->peer_cert_digest = 269 mbedtls_calloc(1, src->peer_cert_digest_len); 270 if (dst->peer_cert_digest == NULL) { 271 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 272 } 273 274 memcpy(dst->peer_cert_digest, src->peer_cert_digest, 275 src->peer_cert_digest_len); 276 dst->peer_cert_digest_type = src->peer_cert_digest_type; 277 dst->peer_cert_digest_len = src->peer_cert_digest_len; 278 } 279 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 280 281 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 282 283 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \ 284 defined(MBEDTLS_SSL_EARLY_DATA) 285 { 286 int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn); 287 if (ret != 0) { 288 return ret; 289 } 290 } 291 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */ 292 293 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 294 if (src->ticket != NULL) { 295 dst->ticket = mbedtls_calloc(1, src->ticket_len); 296 if (dst->ticket == NULL) { 297 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 298 } 299 300 memcpy(dst->ticket, src->ticket, src->ticket_len); 301 } 302 303 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 304 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 305 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) { 306 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 307 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname); 308 if (ret != 0) { 309 return ret; 310 } 311 } 312 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && 313 MBEDTLS_SSL_SERVER_NAME_INDICATION */ 314 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 315 316 return 0; 317 } 318 319 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 320 MBEDTLS_CHECK_RETURN_CRITICAL 321 static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old) 322 { 323 unsigned char *resized_buffer = mbedtls_calloc(1, len_new); 324 if (resized_buffer == NULL) { 325 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 326 } 327 328 /* We want to copy len_new bytes when downsizing the buffer, and 329 * len_old bytes when upsizing, so we choose the smaller of two sizes, 330 * to fit one buffer into another. Size checks, ensuring that no data is 331 * lost, are done outside of this function. */ 332 memcpy(resized_buffer, *buffer, 333 (len_new < *len_old) ? len_new : *len_old); 334 mbedtls_zeroize_and_free(*buffer, *len_old); 335 336 *buffer = resized_buffer; 337 *len_old = len_new; 338 339 return 0; 340 } 341 342 static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing, 343 size_t in_buf_new_len, 344 size_t out_buf_new_len) 345 { 346 int modified = 0; 347 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0; 348 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0; 349 if (ssl->in_buf != NULL) { 350 written_in = ssl->in_msg - ssl->in_buf; 351 iv_offset_in = ssl->in_iv - ssl->in_buf; 352 len_offset_in = ssl->in_len - ssl->in_buf; 353 if (downsizing ? 354 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len : 355 ssl->in_buf_len < in_buf_new_len) { 356 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) { 357 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory")); 358 } else { 359 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET, 360 in_buf_new_len)); 361 modified = 1; 362 } 363 } 364 } 365 366 if (ssl->out_buf != NULL) { 367 written_out = ssl->out_msg - ssl->out_buf; 368 iv_offset_out = ssl->out_iv - ssl->out_buf; 369 len_offset_out = ssl->out_len - ssl->out_buf; 370 if (downsizing ? 371 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len : 372 ssl->out_buf_len < out_buf_new_len) { 373 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) { 374 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory")); 375 } else { 376 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET, 377 out_buf_new_len)); 378 modified = 1; 379 } 380 } 381 } 382 if (modified) { 383 /* Update pointers here to avoid doing it twice. */ 384 mbedtls_ssl_reset_in_out_pointers(ssl); 385 /* Fields below might not be properly updated with record 386 * splitting or with CID, so they are manually updated here. */ 387 ssl->out_msg = ssl->out_buf + written_out; 388 ssl->out_len = ssl->out_buf + len_offset_out; 389 ssl->out_iv = ssl->out_buf + iv_offset_out; 390 391 ssl->in_msg = ssl->in_buf + written_in; 392 ssl->in_len = ssl->in_buf + len_offset_in; 393 ssl->in_iv = ssl->in_buf + iv_offset_in; 394 } 395 } 396 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ 397 398 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 399 400 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 401 typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen, 402 const char *label, 403 const unsigned char *random, size_t rlen, 404 unsigned char *dstbuf, size_t dlen); 405 406 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id); 407 408 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 409 410 /* Type for the TLS PRF */ 411 typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *, 412 const unsigned char *, size_t, 413 unsigned char *, size_t); 414 415 MBEDTLS_CHECK_RETURN_CRITICAL 416 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, 417 int ciphersuite, 418 const unsigned char master[48], 419 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 420 int encrypt_then_mac, 421 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 422 ssl_tls_prf_t tls_prf, 423 const unsigned char randbytes[64], 424 mbedtls_ssl_protocol_version tls_version, 425 unsigned endpoint, 426 const mbedtls_ssl_context *ssl); 427 428 #if defined(MBEDTLS_MD_CAN_SHA256) 429 MBEDTLS_CHECK_RETURN_CRITICAL 430 static int tls_prf_sha256(const unsigned char *secret, size_t slen, 431 const char *label, 432 const unsigned char *random, size_t rlen, 433 unsigned char *dstbuf, size_t dlen); 434 static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *); 435 static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int); 436 437 #endif /* MBEDTLS_MD_CAN_SHA256*/ 438 439 #if defined(MBEDTLS_MD_CAN_SHA384) 440 MBEDTLS_CHECK_RETURN_CRITICAL 441 static int tls_prf_sha384(const unsigned char *secret, size_t slen, 442 const char *label, 443 const unsigned char *random, size_t rlen, 444 unsigned char *dstbuf, size_t dlen); 445 446 static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *); 447 static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int); 448 #endif /* MBEDTLS_MD_CAN_SHA384*/ 449 450 MBEDTLS_CHECK_RETURN_CRITICAL 451 static int ssl_tls12_session_load(mbedtls_ssl_session *session, 452 const unsigned char *buf, 453 size_t len); 454 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 455 456 static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t); 457 458 #if defined(MBEDTLS_MD_CAN_SHA256) 459 static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t); 460 #endif /* MBEDTLS_MD_CAN_SHA256*/ 461 462 #if defined(MBEDTLS_MD_CAN_SHA384) 463 static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t); 464 #endif /* MBEDTLS_MD_CAN_SHA384*/ 465 466 int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, 467 const unsigned char *secret, size_t slen, 468 const char *label, 469 const unsigned char *random, size_t rlen, 470 unsigned char *dstbuf, size_t dlen) 471 { 472 mbedtls_ssl_tls_prf_cb *tls_prf = NULL; 473 474 switch (prf) { 475 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 476 #if defined(MBEDTLS_MD_CAN_SHA384) 477 case MBEDTLS_SSL_TLS_PRF_SHA384: 478 tls_prf = tls_prf_sha384; 479 break; 480 #endif /* MBEDTLS_MD_CAN_SHA384*/ 481 #if defined(MBEDTLS_MD_CAN_SHA256) 482 case MBEDTLS_SSL_TLS_PRF_SHA256: 483 tls_prf = tls_prf_sha256; 484 break; 485 #endif /* MBEDTLS_MD_CAN_SHA256*/ 486 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 487 default: 488 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 489 } 490 491 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen); 492 } 493 494 #if defined(MBEDTLS_X509_CRT_PARSE_C) 495 static void ssl_clear_peer_cert(mbedtls_ssl_session *session) 496 { 497 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 498 if (session->peer_cert != NULL) { 499 mbedtls_x509_crt_free(session->peer_cert); 500 mbedtls_free(session->peer_cert); 501 session->peer_cert = NULL; 502 } 503 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 504 if (session->peer_cert_digest != NULL) { 505 /* Zeroization is not necessary. */ 506 mbedtls_free(session->peer_cert_digest); 507 session->peer_cert_digest = NULL; 508 session->peer_cert_digest_type = MBEDTLS_MD_NONE; 509 session->peer_cert_digest_len = 0; 510 } 511 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 512 } 513 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 514 515 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type) 516 { 517 switch (extension_type) { 518 case MBEDTLS_TLS_EXT_SERVERNAME: 519 return MBEDTLS_SSL_EXT_ID_SERVERNAME; 520 521 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 522 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH; 523 524 case MBEDTLS_TLS_EXT_STATUS_REQUEST: 525 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST; 526 527 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: 528 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS; 529 530 case MBEDTLS_TLS_EXT_SIG_ALG: 531 return MBEDTLS_SSL_EXT_ID_SIG_ALG; 532 533 case MBEDTLS_TLS_EXT_USE_SRTP: 534 return MBEDTLS_SSL_EXT_ID_USE_SRTP; 535 536 case MBEDTLS_TLS_EXT_HEARTBEAT: 537 return MBEDTLS_SSL_EXT_ID_HEARTBEAT; 538 539 case MBEDTLS_TLS_EXT_ALPN: 540 return MBEDTLS_SSL_EXT_ID_ALPN; 541 542 case MBEDTLS_TLS_EXT_SCT: 543 return MBEDTLS_SSL_EXT_ID_SCT; 544 545 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: 546 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE; 547 548 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: 549 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE; 550 551 case MBEDTLS_TLS_EXT_PADDING: 552 return MBEDTLS_SSL_EXT_ID_PADDING; 553 554 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: 555 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY; 556 557 case MBEDTLS_TLS_EXT_EARLY_DATA: 558 return MBEDTLS_SSL_EXT_ID_EARLY_DATA; 559 560 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: 561 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS; 562 563 case MBEDTLS_TLS_EXT_COOKIE: 564 return MBEDTLS_SSL_EXT_ID_COOKIE; 565 566 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: 567 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES; 568 569 case MBEDTLS_TLS_EXT_CERT_AUTH: 570 return MBEDTLS_SSL_EXT_ID_CERT_AUTH; 571 572 case MBEDTLS_TLS_EXT_OID_FILTERS: 573 return MBEDTLS_SSL_EXT_ID_OID_FILTERS; 574 575 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: 576 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH; 577 578 case MBEDTLS_TLS_EXT_SIG_ALG_CERT: 579 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT; 580 581 case MBEDTLS_TLS_EXT_KEY_SHARE: 582 return MBEDTLS_SSL_EXT_ID_KEY_SHARE; 583 584 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 585 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC; 586 587 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 588 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS; 589 590 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 591 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC; 592 593 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 594 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET; 595 596 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT: 597 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT; 598 599 case MBEDTLS_TLS_EXT_SESSION_TICKET: 600 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET; 601 602 } 603 604 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED; 605 } 606 607 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type) 608 { 609 return 1 << mbedtls_ssl_get_extension_id(extension_type); 610 } 611 612 #if defined(MBEDTLS_DEBUG_C) 613 static const char *extension_name_table[] = { 614 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized", 615 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name", 616 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length", 617 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request", 618 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups", 619 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms", 620 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp", 621 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat", 622 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation", 623 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp", 624 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type", 625 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type", 626 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding", 627 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key", 628 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data", 629 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions", 630 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie", 631 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes", 632 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities", 633 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters", 634 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth", 635 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert", 636 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share", 637 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac", 638 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats", 639 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac", 640 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret", 641 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket", 642 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit" 643 }; 644 645 static const unsigned int extension_type_table[] = { 646 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff, 647 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME, 648 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, 649 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST, 650 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, 651 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG, 652 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP, 653 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT, 654 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN, 655 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT, 656 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE, 657 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE, 658 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING, 659 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY, 660 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA, 661 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, 662 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE, 663 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, 664 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH, 665 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS, 666 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH, 667 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT, 668 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE, 669 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC, 670 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, 671 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, 672 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, 673 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET, 674 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT 675 }; 676 677 const char *mbedtls_ssl_get_extension_name(unsigned int extension_type) 678 { 679 return extension_name_table[ 680 mbedtls_ssl_get_extension_id(extension_type)]; 681 } 682 683 static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type) 684 { 685 switch (hs_msg_type) { 686 case MBEDTLS_SSL_HS_CLIENT_HELLO: 687 return "ClientHello"; 688 case MBEDTLS_SSL_HS_SERVER_HELLO: 689 return "ServerHello"; 690 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST: 691 return "HelloRetryRequest"; 692 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET: 693 return "NewSessionTicket"; 694 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: 695 return "EncryptedExtensions"; 696 case MBEDTLS_SSL_HS_CERTIFICATE: 697 return "Certificate"; 698 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST: 699 return "CertificateRequest"; 700 } 701 return "Unknown"; 702 } 703 704 void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl, 705 int level, const char *file, int line, 706 int hs_msg_type, unsigned int extension_type, 707 const char *extra_msg0, const char *extra_msg1) 708 { 709 const char *extra_msg; 710 if (extra_msg0 && extra_msg1) { 711 mbedtls_debug_print_msg( 712 ssl, level, file, line, 713 "%s: %s(%u) extension %s %s.", 714 ssl_tls13_get_hs_msg_name(hs_msg_type), 715 mbedtls_ssl_get_extension_name(extension_type), 716 extension_type, 717 extra_msg0, extra_msg1); 718 return; 719 } 720 721 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1; 722 if (extra_msg) { 723 mbedtls_debug_print_msg( 724 ssl, level, file, line, 725 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type), 726 mbedtls_ssl_get_extension_name(extension_type), extension_type, 727 extra_msg); 728 return; 729 } 730 731 mbedtls_debug_print_msg( 732 ssl, level, file, line, 733 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type), 734 mbedtls_ssl_get_extension_name(extension_type), extension_type); 735 } 736 737 void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl, 738 int level, const char *file, int line, 739 int hs_msg_type, uint32_t extensions_mask, 740 const char *extra) 741 { 742 743 for (unsigned i = 0; 744 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]); 745 i++) { 746 mbedtls_ssl_print_extension( 747 ssl, level, file, line, hs_msg_type, extension_type_table[i], 748 extensions_mask & (1 << i) ? "exists" : "does not exist", extra); 749 } 750 } 751 752 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 753 static const char *ticket_flag_name_table[] = 754 { 755 [0] = "ALLOW_PSK_RESUMPTION", 756 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION", 757 [3] = "ALLOW_EARLY_DATA", 758 }; 759 760 void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl, 761 int level, const char *file, int line, 762 unsigned int flags) 763 { 764 size_t i; 765 766 mbedtls_debug_print_msg(ssl, level, file, line, 767 "print ticket_flags (0x%02x)", flags); 768 769 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK; 770 771 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) { 772 if ((flags & (1 << i))) { 773 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.", 774 ticket_flag_name_table[i]); 775 } 776 } 777 } 778 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 779 780 #endif /* MBEDTLS_DEBUG_C */ 781 782 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, 783 const mbedtls_ssl_ciphersuite_t *ciphersuite_info) 784 { 785 ((void) ciphersuite_info); 786 787 #if defined(MBEDTLS_MD_CAN_SHA384) 788 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 789 ssl->handshake->update_checksum = ssl_update_checksum_sha384; 790 } else 791 #endif 792 #if defined(MBEDTLS_MD_CAN_SHA256) 793 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) { 794 ssl->handshake->update_checksum = ssl_update_checksum_sha256; 795 } else 796 #endif 797 { 798 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 799 return; 800 } 801 } 802 803 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, 804 unsigned hs_type, 805 size_t total_hs_len) 806 { 807 unsigned char hs_hdr[4]; 808 809 /* Build HS header for checksum update. */ 810 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type); 811 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len); 812 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len); 813 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len); 814 815 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr)); 816 } 817 818 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, 819 unsigned hs_type, 820 unsigned char const *msg, 821 size_t msg_len) 822 { 823 int ret; 824 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len); 825 if (ret != 0) { 826 return ret; 827 } 828 return ssl->handshake->update_checksum(ssl, msg, msg_len); 829 } 830 831 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) 832 { 833 #if defined(MBEDTLS_MD_CAN_SHA256) || \ 834 defined(MBEDTLS_MD_CAN_SHA384) 835 #if defined(MBEDTLS_USE_PSA_CRYPTO) 836 psa_status_t status; 837 #else 838 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 839 #endif 840 #else /* SHA-256 or SHA-384 */ 841 ((void) ssl); 842 #endif /* SHA-256 or SHA-384 */ 843 #if defined(MBEDTLS_MD_CAN_SHA256) 844 #if defined(MBEDTLS_USE_PSA_CRYPTO) 845 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa); 846 if (status != PSA_SUCCESS) { 847 return mbedtls_md_error_from_psa(status); 848 } 849 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256); 850 if (status != PSA_SUCCESS) { 851 return mbedtls_md_error_from_psa(status); 852 } 853 #else 854 mbedtls_md_free(&ssl->handshake->fin_sha256); 855 mbedtls_md_init(&ssl->handshake->fin_sha256); 856 ret = mbedtls_md_setup(&ssl->handshake->fin_sha256, 857 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 858 0); 859 if (ret != 0) { 860 return ret; 861 } 862 ret = mbedtls_md_starts(&ssl->handshake->fin_sha256); 863 if (ret != 0) { 864 return ret; 865 } 866 #endif 867 #endif 868 #if defined(MBEDTLS_MD_CAN_SHA384) 869 #if defined(MBEDTLS_USE_PSA_CRYPTO) 870 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa); 871 if (status != PSA_SUCCESS) { 872 return mbedtls_md_error_from_psa(status); 873 } 874 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384); 875 if (status != PSA_SUCCESS) { 876 return mbedtls_md_error_from_psa(status); 877 } 878 #else 879 mbedtls_md_free(&ssl->handshake->fin_sha384); 880 mbedtls_md_init(&ssl->handshake->fin_sha384); 881 ret = mbedtls_md_setup(&ssl->handshake->fin_sha384, 882 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); 883 if (ret != 0) { 884 return ret; 885 } 886 ret = mbedtls_md_starts(&ssl->handshake->fin_sha384); 887 if (ret != 0) { 888 return ret; 889 } 890 #endif 891 #endif 892 return 0; 893 } 894 895 static int ssl_update_checksum_start(mbedtls_ssl_context *ssl, 896 const unsigned char *buf, size_t len) 897 { 898 #if defined(MBEDTLS_MD_CAN_SHA256) || \ 899 defined(MBEDTLS_MD_CAN_SHA384) 900 #if defined(MBEDTLS_USE_PSA_CRYPTO) 901 psa_status_t status; 902 #else 903 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 904 #endif 905 #else /* SHA-256 or SHA-384 */ 906 ((void) ssl); 907 (void) buf; 908 (void) len; 909 #endif /* SHA-256 or SHA-384 */ 910 #if defined(MBEDTLS_MD_CAN_SHA256) 911 #if defined(MBEDTLS_USE_PSA_CRYPTO) 912 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len); 913 if (status != PSA_SUCCESS) { 914 return mbedtls_md_error_from_psa(status); 915 } 916 #else 917 ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len); 918 if (ret != 0) { 919 return ret; 920 } 921 #endif 922 #endif 923 #if defined(MBEDTLS_MD_CAN_SHA384) 924 #if defined(MBEDTLS_USE_PSA_CRYPTO) 925 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len); 926 if (status != PSA_SUCCESS) { 927 return mbedtls_md_error_from_psa(status); 928 } 929 #else 930 ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len); 931 if (ret != 0) { 932 return ret; 933 } 934 #endif 935 #endif 936 return 0; 937 } 938 939 #if defined(MBEDTLS_MD_CAN_SHA256) 940 static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl, 941 const unsigned char *buf, size_t len) 942 { 943 #if defined(MBEDTLS_USE_PSA_CRYPTO) 944 return mbedtls_md_error_from_psa(psa_hash_update( 945 &ssl->handshake->fin_sha256_psa, buf, len)); 946 #else 947 return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len); 948 #endif 949 } 950 #endif 951 952 #if defined(MBEDTLS_MD_CAN_SHA384) 953 static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl, 954 const unsigned char *buf, size_t len) 955 { 956 #if defined(MBEDTLS_USE_PSA_CRYPTO) 957 return mbedtls_md_error_from_psa(psa_hash_update( 958 &ssl->handshake->fin_sha384_psa, buf, len)); 959 #else 960 return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len); 961 #endif 962 } 963 #endif 964 965 static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake) 966 { 967 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params)); 968 969 #if defined(MBEDTLS_MD_CAN_SHA256) 970 #if defined(MBEDTLS_USE_PSA_CRYPTO) 971 handshake->fin_sha256_psa = psa_hash_operation_init(); 972 #else 973 mbedtls_md_init(&handshake->fin_sha256); 974 #endif 975 #endif 976 #if defined(MBEDTLS_MD_CAN_SHA384) 977 #if defined(MBEDTLS_USE_PSA_CRYPTO) 978 handshake->fin_sha384_psa = psa_hash_operation_init(); 979 #else 980 mbedtls_md_init(&handshake->fin_sha384); 981 #endif 982 #endif 983 984 handshake->update_checksum = ssl_update_checksum_start; 985 986 #if defined(MBEDTLS_DHM_C) 987 mbedtls_dhm_init(&handshake->dhm_ctx); 988 #endif 989 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 990 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) 991 mbedtls_ecdh_init(&handshake->ecdh_ctx); 992 #endif 993 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 994 #if defined(MBEDTLS_USE_PSA_CRYPTO) 995 handshake->psa_pake_ctx = psa_pake_operation_init(); 996 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; 997 #else 998 mbedtls_ecjpake_init(&handshake->ecjpake_ctx); 999 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1000 #if defined(MBEDTLS_SSL_CLI_C) 1001 handshake->ecjpake_cache = NULL; 1002 handshake->ecjpake_cache_len = 0; 1003 #endif 1004 #endif 1005 1006 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 1007 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx); 1008 #endif 1009 1010 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1011 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; 1012 #endif 1013 1014 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 1015 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 1016 mbedtls_pk_init(&handshake->peer_pubkey); 1017 #endif 1018 } 1019 1020 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform) 1021 { 1022 memset(transform, 0, sizeof(mbedtls_ssl_transform)); 1023 1024 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1025 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT; 1026 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT; 1027 #else 1028 mbedtls_cipher_init(&transform->cipher_ctx_enc); 1029 mbedtls_cipher_init(&transform->cipher_ctx_dec); 1030 #endif 1031 1032 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1033 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1034 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT; 1035 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT; 1036 #else 1037 mbedtls_md_init(&transform->md_ctx_enc); 1038 mbedtls_md_init(&transform->md_ctx_dec); 1039 #endif 1040 #endif 1041 } 1042 1043 void mbedtls_ssl_session_init(mbedtls_ssl_session *session) 1044 { 1045 memset(session, 0, sizeof(mbedtls_ssl_session)); 1046 } 1047 1048 MBEDTLS_CHECK_RETURN_CRITICAL 1049 static int ssl_handshake_init(mbedtls_ssl_context *ssl) 1050 { 1051 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1052 1053 /* Clear old handshake information if present */ 1054 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1055 if (ssl->transform_negotiate) { 1056 mbedtls_ssl_transform_free(ssl->transform_negotiate); 1057 } 1058 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1059 if (ssl->session_negotiate) { 1060 mbedtls_ssl_session_free(ssl->session_negotiate); 1061 } 1062 if (ssl->handshake) { 1063 mbedtls_ssl_handshake_free(ssl); 1064 } 1065 1066 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1067 /* 1068 * Either the pointers are now NULL or cleared properly and can be freed. 1069 * Now allocate missing structures. 1070 */ 1071 if (ssl->transform_negotiate == NULL) { 1072 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform)); 1073 } 1074 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1075 1076 if (ssl->session_negotiate == NULL) { 1077 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session)); 1078 } 1079 1080 if (ssl->handshake == NULL) { 1081 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params)); 1082 } 1083 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1084 /* If the buffers are too small - reallocate */ 1085 1086 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN, 1087 MBEDTLS_SSL_OUT_BUFFER_LEN); 1088 #endif 1089 1090 /* All pointers should exist and can be directly freed without issue */ 1091 if (ssl->handshake == NULL || 1092 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1093 ssl->transform_negotiate == NULL || 1094 #endif 1095 ssl->session_negotiate == NULL) { 1096 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed")); 1097 1098 mbedtls_free(ssl->handshake); 1099 ssl->handshake = NULL; 1100 1101 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1102 mbedtls_free(ssl->transform_negotiate); 1103 ssl->transform_negotiate = NULL; 1104 #endif 1105 1106 mbedtls_free(ssl->session_negotiate); 1107 ssl->session_negotiate = NULL; 1108 1109 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1110 } 1111 1112 #if defined(MBEDTLS_SSL_EARLY_DATA) 1113 #if defined(MBEDTLS_SSL_CLI_C) 1114 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE; 1115 #endif 1116 #if defined(MBEDTLS_SSL_SRV_C) 1117 ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; 1118 #endif 1119 ssl->total_early_data_size = 0; 1120 #endif /* MBEDTLS_SSL_EARLY_DATA */ 1121 1122 /* Initialize structures */ 1123 mbedtls_ssl_session_init(ssl->session_negotiate); 1124 ssl_handshake_params_init(ssl->handshake); 1125 1126 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1127 mbedtls_ssl_transform_init(ssl->transform_negotiate); 1128 #endif 1129 1130 /* Setup handshake checksums */ 1131 ret = mbedtls_ssl_reset_checksum(ssl); 1132 if (ret != 0) { 1133 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret); 1134 return ret; 1135 } 1136 1137 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 1138 defined(MBEDTLS_SSL_SRV_C) && \ 1139 defined(MBEDTLS_SSL_SESSION_TICKETS) 1140 ssl->handshake->new_session_tickets_count = 1141 ssl->conf->new_session_tickets_count; 1142 #endif 1143 1144 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1145 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1146 ssl->handshake->alt_transform_out = ssl->transform_out; 1147 1148 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 1149 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 1150 } else { 1151 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 1152 } 1153 1154 mbedtls_ssl_set_timer(ssl, 0); 1155 } 1156 #endif 1157 1158 /* 1159 * curve_list is translated to IANA TLS group identifiers here because 1160 * mbedtls_ssl_conf_curves returns void and so can't return 1161 * any error codes. 1162 */ 1163 #if defined(MBEDTLS_ECP_C) 1164 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1165 /* Heap allocate and translate curve_list from internal to IANA group ids */ 1166 if (ssl->conf->curve_list != NULL) { 1167 size_t length; 1168 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list; 1169 1170 for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) { 1171 } 1172 1173 /* Leave room for zero termination */ 1174 uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t)); 1175 if (group_list == NULL) { 1176 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1177 } 1178 1179 for (size_t i = 0; i < length; i++) { 1180 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( 1181 curve_list[i]); 1182 if (tls_id == 0) { 1183 mbedtls_free(group_list); 1184 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1185 } 1186 group_list[i] = tls_id; 1187 } 1188 1189 group_list[length] = 0; 1190 1191 ssl->handshake->group_list = group_list; 1192 ssl->handshake->group_list_heap_allocated = 1; 1193 } else { 1194 ssl->handshake->group_list = ssl->conf->group_list; 1195 ssl->handshake->group_list_heap_allocated = 0; 1196 } 1197 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 1198 #endif /* MBEDTLS_ECP_C */ 1199 1200 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 1201 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1202 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1203 /* Heap allocate and translate sig_hashes from internal hash identifiers to 1204 signature algorithms IANA identifiers. */ 1205 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) && 1206 ssl->conf->sig_hashes != NULL) { 1207 const int *md; 1208 const int *sig_hashes = ssl->conf->sig_hashes; 1209 size_t sig_algs_len = 0; 1210 uint16_t *p; 1211 1212 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 1213 <= (SIZE_MAX - (2 * sizeof(uint16_t))), 1214 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big"); 1215 1216 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) { 1217 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) { 1218 continue; 1219 } 1220 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 1221 sig_algs_len += sizeof(uint16_t); 1222 #endif 1223 1224 #if defined(MBEDTLS_RSA_C) 1225 sig_algs_len += sizeof(uint16_t); 1226 #endif 1227 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) { 1228 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1229 } 1230 } 1231 1232 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) { 1233 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1234 } 1235 1236 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len + 1237 sizeof(uint16_t)); 1238 if (ssl->handshake->sig_algs == NULL) { 1239 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1240 } 1241 1242 p = (uint16_t *) ssl->handshake->sig_algs; 1243 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) { 1244 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md); 1245 if (hash == MBEDTLS_SSL_HASH_NONE) { 1246 continue; 1247 } 1248 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 1249 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA); 1250 p++; 1251 #endif 1252 #if defined(MBEDTLS_RSA_C) 1253 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA); 1254 p++; 1255 #endif 1256 } 1257 *p = MBEDTLS_TLS_SIG_NONE; 1258 ssl->handshake->sig_algs_heap_allocated = 1; 1259 } else 1260 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1261 { 1262 ssl->handshake->sig_algs_heap_allocated = 0; 1263 } 1264 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 1265 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 1266 return 0; 1267 } 1268 1269 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 1270 /* Dummy cookie callbacks for defaults */ 1271 MBEDTLS_CHECK_RETURN_CRITICAL 1272 static int ssl_cookie_write_dummy(void *ctx, 1273 unsigned char **p, unsigned char *end, 1274 const unsigned char *cli_id, size_t cli_id_len) 1275 { 1276 ((void) ctx); 1277 ((void) p); 1278 ((void) end); 1279 ((void) cli_id); 1280 ((void) cli_id_len); 1281 1282 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1283 } 1284 1285 MBEDTLS_CHECK_RETURN_CRITICAL 1286 static int ssl_cookie_check_dummy(void *ctx, 1287 const unsigned char *cookie, size_t cookie_len, 1288 const unsigned char *cli_id, size_t cli_id_len) 1289 { 1290 ((void) ctx); 1291 ((void) cookie); 1292 ((void) cookie_len); 1293 ((void) cli_id); 1294 ((void) cli_id_len); 1295 1296 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1297 } 1298 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 1299 1300 /* 1301 * Initialize an SSL context 1302 */ 1303 void mbedtls_ssl_init(mbedtls_ssl_context *ssl) 1304 { 1305 memset(ssl, 0, sizeof(mbedtls_ssl_context)); 1306 } 1307 1308 MBEDTLS_CHECK_RETURN_CRITICAL 1309 static int ssl_conf_version_check(const mbedtls_ssl_context *ssl) 1310 { 1311 const mbedtls_ssl_config *conf = ssl->conf; 1312 1313 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1314 if (mbedtls_ssl_conf_is_tls13_only(conf)) { 1315 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1316 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported.")); 1317 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1318 } 1319 1320 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only.")); 1321 return 0; 1322 } 1323 #endif 1324 1325 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1326 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 1327 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only.")); 1328 return 0; 1329 } 1330 #endif 1331 1332 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 1333 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) { 1334 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1335 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2")); 1336 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1337 } 1338 1339 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2.")); 1340 return 0; 1341 } 1342 #endif 1343 1344 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid.")); 1345 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1346 } 1347 1348 MBEDTLS_CHECK_RETURN_CRITICAL 1349 static int ssl_conf_check(const mbedtls_ssl_context *ssl) 1350 { 1351 int ret; 1352 ret = ssl_conf_version_check(ssl); 1353 if (ret != 0) { 1354 return ret; 1355 } 1356 1357 if (ssl->conf->f_rng == NULL) { 1358 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); 1359 return MBEDTLS_ERR_SSL_NO_RNG; 1360 } 1361 1362 /* Space for further checks */ 1363 1364 return 0; 1365 } 1366 1367 /* 1368 * Setup an SSL context 1369 */ 1370 1371 int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, 1372 const mbedtls_ssl_config *conf) 1373 { 1374 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1375 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 1376 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 1377 1378 ssl->conf = conf; 1379 1380 if ((ret = ssl_conf_check(ssl)) != 0) { 1381 return ret; 1382 } 1383 ssl->tls_version = ssl->conf->max_tls_version; 1384 1385 /* 1386 * Prepare base structures 1387 */ 1388 1389 /* Set to NULL in case of an error condition */ 1390 ssl->out_buf = NULL; 1391 1392 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1393 ssl->in_buf_len = in_buf_len; 1394 #endif 1395 ssl->in_buf = mbedtls_calloc(1, in_buf_len); 1396 if (ssl->in_buf == NULL) { 1397 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len)); 1398 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 1399 goto error; 1400 } 1401 1402 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1403 ssl->out_buf_len = out_buf_len; 1404 #endif 1405 ssl->out_buf = mbedtls_calloc(1, out_buf_len); 1406 if (ssl->out_buf == NULL) { 1407 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len)); 1408 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 1409 goto error; 1410 } 1411 1412 mbedtls_ssl_reset_in_out_pointers(ssl); 1413 1414 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1415 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info)); 1416 #endif 1417 1418 if ((ret = ssl_handshake_init(ssl)) != 0) { 1419 goto error; 1420 } 1421 1422 return 0; 1423 1424 error: 1425 mbedtls_free(ssl->in_buf); 1426 mbedtls_free(ssl->out_buf); 1427 1428 ssl->conf = NULL; 1429 1430 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1431 ssl->in_buf_len = 0; 1432 ssl->out_buf_len = 0; 1433 #endif 1434 ssl->in_buf = NULL; 1435 ssl->out_buf = NULL; 1436 1437 ssl->in_hdr = NULL; 1438 ssl->in_ctr = NULL; 1439 ssl->in_len = NULL; 1440 ssl->in_iv = NULL; 1441 ssl->in_msg = NULL; 1442 1443 ssl->out_hdr = NULL; 1444 ssl->out_ctr = NULL; 1445 ssl->out_len = NULL; 1446 ssl->out_iv = NULL; 1447 ssl->out_msg = NULL; 1448 1449 return ret; 1450 } 1451 1452 /* 1453 * Reset an initialized and used SSL context for re-use while retaining 1454 * all application-set variables, function pointers and data. 1455 * 1456 * If partial is non-zero, keep data in the input buffer and client ID. 1457 * (Use when a DTLS client reconnects from the same port.) 1458 */ 1459 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, 1460 int partial) 1461 { 1462 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1463 size_t in_buf_len = ssl->in_buf_len; 1464 size_t out_buf_len = ssl->out_buf_len; 1465 #else 1466 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 1467 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 1468 #endif 1469 1470 #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C) 1471 partial = 0; 1472 #endif 1473 1474 /* Cancel any possibly running timer */ 1475 mbedtls_ssl_set_timer(ssl, 0); 1476 1477 mbedtls_ssl_reset_in_out_pointers(ssl); 1478 1479 /* Reset incoming message parsing */ 1480 ssl->in_offt = NULL; 1481 ssl->nb_zero = 0; 1482 ssl->in_msgtype = 0; 1483 ssl->in_msglen = 0; 1484 ssl->in_hslen = 0; 1485 ssl->keep_current_message = 0; 1486 ssl->transform_in = NULL; 1487 1488 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1489 ssl->next_record_offset = 0; 1490 ssl->in_epoch = 0; 1491 #endif 1492 1493 /* Keep current datagram if partial == 1 */ 1494 if (partial == 0) { 1495 ssl->in_left = 0; 1496 memset(ssl->in_buf, 0, in_buf_len); 1497 } 1498 1499 ssl->send_alert = 0; 1500 1501 /* Reset outgoing message writing */ 1502 ssl->out_msgtype = 0; 1503 ssl->out_msglen = 0; 1504 ssl->out_left = 0; 1505 memset(ssl->out_buf, 0, out_buf_len); 1506 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr)); 1507 ssl->transform_out = NULL; 1508 1509 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1510 mbedtls_ssl_dtls_replay_reset(ssl); 1511 #endif 1512 1513 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1514 if (ssl->transform) { 1515 mbedtls_ssl_transform_free(ssl->transform); 1516 mbedtls_free(ssl->transform); 1517 ssl->transform = NULL; 1518 } 1519 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1520 1521 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1522 mbedtls_ssl_transform_free(ssl->transform_application); 1523 mbedtls_free(ssl->transform_application); 1524 ssl->transform_application = NULL; 1525 1526 if (ssl->handshake != NULL) { 1527 #if defined(MBEDTLS_SSL_EARLY_DATA) 1528 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata); 1529 mbedtls_free(ssl->handshake->transform_earlydata); 1530 ssl->handshake->transform_earlydata = NULL; 1531 #endif 1532 1533 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake); 1534 mbedtls_free(ssl->handshake->transform_handshake); 1535 ssl->handshake->transform_handshake = NULL; 1536 } 1537 1538 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1539 } 1540 1541 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial) 1542 { 1543 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1544 1545 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 1546 ssl->tls_version = ssl->conf->max_tls_version; 1547 1548 mbedtls_ssl_session_reset_msg_layer(ssl, partial); 1549 1550 /* Reset renegotiation state */ 1551 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1552 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE; 1553 ssl->renego_records_seen = 0; 1554 1555 ssl->verify_data_len = 0; 1556 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN); 1557 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN); 1558 #endif 1559 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION; 1560 1561 ssl->session_in = NULL; 1562 ssl->session_out = NULL; 1563 if (ssl->session) { 1564 mbedtls_ssl_session_free(ssl->session); 1565 mbedtls_free(ssl->session); 1566 ssl->session = NULL; 1567 } 1568 1569 #if defined(MBEDTLS_SSL_ALPN) 1570 ssl->alpn_chosen = NULL; 1571 #endif 1572 1573 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 1574 int free_cli_id = 1; 1575 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) 1576 free_cli_id = (partial == 0); 1577 #endif 1578 if (free_cli_id) { 1579 mbedtls_free(ssl->cli_id); 1580 ssl->cli_id = NULL; 1581 ssl->cli_id_len = 0; 1582 } 1583 #endif 1584 1585 if ((ret = ssl_handshake_init(ssl)) != 0) { 1586 return ret; 1587 } 1588 1589 return 0; 1590 } 1591 1592 /* 1593 * Reset an initialized and used SSL context for re-use while retaining 1594 * all application-set variables, function pointers and data. 1595 */ 1596 int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl) 1597 { 1598 return mbedtls_ssl_session_reset_int(ssl, 0); 1599 } 1600 1601 /* 1602 * SSL set accessors 1603 */ 1604 void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint) 1605 { 1606 conf->endpoint = endpoint; 1607 } 1608 1609 void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport) 1610 { 1611 conf->transport = transport; 1612 } 1613 1614 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1615 void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode) 1616 { 1617 conf->anti_replay = mode; 1618 } 1619 #endif 1620 1621 void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit) 1622 { 1623 conf->badmac_limit = limit; 1624 } 1625 1626 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1627 1628 void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl, 1629 unsigned allow_packing) 1630 { 1631 ssl->disable_datagram_packing = !allow_packing; 1632 } 1633 1634 void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf, 1635 uint32_t min, uint32_t max) 1636 { 1637 conf->hs_timeout_min = min; 1638 conf->hs_timeout_max = max; 1639 } 1640 #endif 1641 1642 void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode) 1643 { 1644 conf->authmode = authmode; 1645 } 1646 1647 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1648 void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf, 1649 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 1650 void *p_vrfy) 1651 { 1652 conf->f_vrfy = f_vrfy; 1653 conf->p_vrfy = p_vrfy; 1654 } 1655 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1656 1657 void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf, 1658 int (*f_rng)(void *, unsigned char *, size_t), 1659 void *p_rng) 1660 { 1661 conf->f_rng = f_rng; 1662 conf->p_rng = p_rng; 1663 } 1664 1665 void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf, 1666 void (*f_dbg)(void *, int, const char *, int, const char *), 1667 void *p_dbg) 1668 { 1669 conf->f_dbg = f_dbg; 1670 conf->p_dbg = p_dbg; 1671 } 1672 1673 void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl, 1674 void *p_bio, 1675 mbedtls_ssl_send_t *f_send, 1676 mbedtls_ssl_recv_t *f_recv, 1677 mbedtls_ssl_recv_timeout_t *f_recv_timeout) 1678 { 1679 ssl->p_bio = p_bio; 1680 ssl->f_send = f_send; 1681 ssl->f_recv = f_recv; 1682 ssl->f_recv_timeout = f_recv_timeout; 1683 } 1684 1685 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1686 void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu) 1687 { 1688 ssl->mtu = mtu; 1689 } 1690 #endif 1691 1692 void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout) 1693 { 1694 conf->read_timeout = timeout; 1695 } 1696 1697 void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl, 1698 void *p_timer, 1699 mbedtls_ssl_set_timer_t *f_set_timer, 1700 mbedtls_ssl_get_timer_t *f_get_timer) 1701 { 1702 ssl->p_timer = p_timer; 1703 ssl->f_set_timer = f_set_timer; 1704 ssl->f_get_timer = f_get_timer; 1705 1706 /* Make sure we start with no timer running */ 1707 mbedtls_ssl_set_timer(ssl, 0); 1708 } 1709 1710 #if defined(MBEDTLS_SSL_SRV_C) 1711 void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf, 1712 void *p_cache, 1713 mbedtls_ssl_cache_get_t *f_get_cache, 1714 mbedtls_ssl_cache_set_t *f_set_cache) 1715 { 1716 conf->p_cache = p_cache; 1717 conf->f_get_cache = f_get_cache; 1718 conf->f_set_cache = f_set_cache; 1719 } 1720 #endif /* MBEDTLS_SSL_SRV_C */ 1721 1722 #if defined(MBEDTLS_SSL_CLI_C) 1723 int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session) 1724 { 1725 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1726 1727 if (ssl == NULL || 1728 session == NULL || 1729 ssl->session_negotiate == NULL || 1730 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) { 1731 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 1732 } 1733 1734 if (ssl->handshake->resume == 1) { 1735 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1736 } 1737 1738 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1739 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 1740 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1741 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 1742 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite); 1743 1744 if (mbedtls_ssl_validate_ciphersuite( 1745 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3, 1746 MBEDTLS_SSL_VERSION_TLS1_3) != 0) { 1747 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.", 1748 session->ciphersuite)); 1749 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 1750 } 1751 #else 1752 /* 1753 * If session tickets are not enabled, it is not possible to resume a 1754 * TLS 1.3 session, thus do not make any change to the SSL context in 1755 * the first place. 1756 */ 1757 return 0; 1758 #endif 1759 } 1760 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1761 1762 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate, 1763 session)) != 0) { 1764 return ret; 1765 } 1766 1767 ssl->handshake->resume = 1; 1768 1769 return 0; 1770 } 1771 #endif /* MBEDTLS_SSL_CLI_C */ 1772 1773 void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf, 1774 const int *ciphersuites) 1775 { 1776 conf->ciphersuite_list = ciphersuites; 1777 } 1778 1779 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1780 void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf, 1781 const int kex_modes) 1782 { 1783 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; 1784 } 1785 1786 #if defined(MBEDTLS_SSL_EARLY_DATA) 1787 void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf, 1788 int early_data_enabled) 1789 { 1790 conf->early_data_enabled = early_data_enabled; 1791 } 1792 1793 #if defined(MBEDTLS_SSL_SRV_C) 1794 void mbedtls_ssl_conf_max_early_data_size( 1795 mbedtls_ssl_config *conf, uint32_t max_early_data_size) 1796 { 1797 conf->max_early_data_size = max_early_data_size; 1798 } 1799 #endif /* MBEDTLS_SSL_SRV_C */ 1800 1801 #endif /* MBEDTLS_SSL_EARLY_DATA */ 1802 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1803 1804 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1805 void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf, 1806 const mbedtls_x509_crt_profile *profile) 1807 { 1808 conf->cert_profile = profile; 1809 } 1810 1811 static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert) 1812 { 1813 mbedtls_ssl_key_cert *cur = key_cert, *next; 1814 1815 while (cur != NULL) { 1816 next = cur->next; 1817 mbedtls_free(cur); 1818 cur = next; 1819 } 1820 } 1821 1822 /* Append a new keycert entry to a (possibly empty) list */ 1823 MBEDTLS_CHECK_RETURN_CRITICAL 1824 static int ssl_append_key_cert(mbedtls_ssl_key_cert **head, 1825 mbedtls_x509_crt *cert, 1826 mbedtls_pk_context *key) 1827 { 1828 mbedtls_ssl_key_cert *new_cert; 1829 1830 if (cert == NULL) { 1831 /* Free list if cert is null */ 1832 ssl_key_cert_free(*head); 1833 *head = NULL; 1834 return 0; 1835 } 1836 1837 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert)); 1838 if (new_cert == NULL) { 1839 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1840 } 1841 1842 new_cert->cert = cert; 1843 new_cert->key = key; 1844 new_cert->next = NULL; 1845 1846 /* Update head if the list was null, else add to the end */ 1847 if (*head == NULL) { 1848 *head = new_cert; 1849 } else { 1850 mbedtls_ssl_key_cert *cur = *head; 1851 while (cur->next != NULL) { 1852 cur = cur->next; 1853 } 1854 cur->next = new_cert; 1855 } 1856 1857 return 0; 1858 } 1859 1860 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, 1861 mbedtls_x509_crt *own_cert, 1862 mbedtls_pk_context *pk_key) 1863 { 1864 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key); 1865 } 1866 1867 void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf, 1868 mbedtls_x509_crt *ca_chain, 1869 mbedtls_x509_crl *ca_crl) 1870 { 1871 conf->ca_chain = ca_chain; 1872 conf->ca_crl = ca_crl; 1873 1874 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 1875 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb() 1876 * cannot be used together. */ 1877 conf->f_ca_cb = NULL; 1878 conf->p_ca_cb = NULL; 1879 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 1880 } 1881 1882 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 1883 void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf, 1884 mbedtls_x509_crt_ca_cb_t f_ca_cb, 1885 void *p_ca_cb) 1886 { 1887 conf->f_ca_cb = f_ca_cb; 1888 conf->p_ca_cb = p_ca_cb; 1889 1890 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb() 1891 * cannot be used together. */ 1892 conf->ca_chain = NULL; 1893 conf->ca_crl = NULL; 1894 } 1895 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 1896 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1897 1898 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1899 const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl, 1900 size_t *name_len) 1901 { 1902 *name_len = ssl->handshake->sni_name_len; 1903 return ssl->handshake->sni_name; 1904 } 1905 1906 int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl, 1907 mbedtls_x509_crt *own_cert, 1908 mbedtls_pk_context *pk_key) 1909 { 1910 return ssl_append_key_cert(&ssl->handshake->sni_key_cert, 1911 own_cert, pk_key); 1912 } 1913 1914 void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl, 1915 mbedtls_x509_crt *ca_chain, 1916 mbedtls_x509_crl *ca_crl) 1917 { 1918 ssl->handshake->sni_ca_chain = ca_chain; 1919 ssl->handshake->sni_ca_crl = ca_crl; 1920 } 1921 1922 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 1923 void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl, 1924 const mbedtls_x509_crt *crt) 1925 { 1926 ssl->handshake->dn_hints = crt; 1927 } 1928 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 1929 1930 void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl, 1931 int authmode) 1932 { 1933 ssl->handshake->sni_authmode = authmode; 1934 } 1935 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1936 1937 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1938 void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl, 1939 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 1940 void *p_vrfy) 1941 { 1942 ssl->f_vrfy = f_vrfy; 1943 ssl->p_vrfy = p_vrfy; 1944 } 1945 #endif 1946 1947 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1948 1949 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1950 static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' }; 1951 static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' }; 1952 1953 static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common( 1954 mbedtls_ssl_context *ssl, 1955 mbedtls_svc_key_id_t pwd) 1956 { 1957 psa_status_t status; 1958 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1959 const uint8_t *user = NULL; 1960 size_t user_len = 0; 1961 const uint8_t *peer = NULL; 1962 size_t peer_len = 0; 1963 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1964 psa_pake_cs_set_primitive(&cipher_suite, 1965 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, 1966 PSA_ECC_FAMILY_SECP_R1, 1967 256)); 1968 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1969 1970 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite); 1971 if (status != PSA_SUCCESS) { 1972 return status; 1973 } 1974 1975 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 1976 user = jpake_server_id; 1977 user_len = sizeof(jpake_server_id); 1978 peer = jpake_client_id; 1979 peer_len = sizeof(jpake_client_id); 1980 } else { 1981 user = jpake_client_id; 1982 user_len = sizeof(jpake_client_id); 1983 peer = jpake_server_id; 1984 peer_len = sizeof(jpake_server_id); 1985 } 1986 1987 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len); 1988 if (status != PSA_SUCCESS) { 1989 return status; 1990 } 1991 1992 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len); 1993 if (status != PSA_SUCCESS) { 1994 return status; 1995 } 1996 1997 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd); 1998 if (status != PSA_SUCCESS) { 1999 return status; 2000 } 2001 2002 ssl->handshake->psa_pake_ctx_is_ok = 1; 2003 2004 return PSA_SUCCESS; 2005 } 2006 2007 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl, 2008 const unsigned char *pw, 2009 size_t pw_len) 2010 { 2011 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2012 psa_status_t status; 2013 2014 if (ssl->handshake == NULL || ssl->conf == NULL) { 2015 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2016 } 2017 2018 /* Empty password is not valid */ 2019 if ((pw == NULL) || (pw_len == 0)) { 2020 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2021 } 2022 2023 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 2024 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); 2025 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 2026 2027 status = psa_import_key(&attributes, pw, pw_len, 2028 &ssl->handshake->psa_pake_password); 2029 if (status != PSA_SUCCESS) { 2030 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2031 } 2032 2033 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, 2034 ssl->handshake->psa_pake_password); 2035 if (status != PSA_SUCCESS) { 2036 psa_destroy_key(ssl->handshake->psa_pake_password); 2037 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 2038 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2039 } 2040 2041 return 0; 2042 } 2043 2044 int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl, 2045 mbedtls_svc_key_id_t pwd) 2046 { 2047 psa_status_t status; 2048 2049 if (ssl->handshake == NULL || ssl->conf == NULL) { 2050 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2051 } 2052 2053 if (mbedtls_svc_key_id_is_null(pwd)) { 2054 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2055 } 2056 2057 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd); 2058 if (status != PSA_SUCCESS) { 2059 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 2060 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2061 } 2062 2063 return 0; 2064 } 2065 #else /* MBEDTLS_USE_PSA_CRYPTO */ 2066 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl, 2067 const unsigned char *pw, 2068 size_t pw_len) 2069 { 2070 mbedtls_ecjpake_role role; 2071 2072 if (ssl->handshake == NULL || ssl->conf == NULL) { 2073 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2074 } 2075 2076 /* Empty password is not valid */ 2077 if ((pw == NULL) || (pw_len == 0)) { 2078 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2079 } 2080 2081 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 2082 role = MBEDTLS_ECJPAKE_SERVER; 2083 } else { 2084 role = MBEDTLS_ECJPAKE_CLIENT; 2085 } 2086 2087 return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx, 2088 role, 2089 MBEDTLS_MD_SHA256, 2090 MBEDTLS_ECP_DP_SECP256R1, 2091 pw, pw_len); 2092 } 2093 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2094 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2095 2096 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 2097 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf) 2098 { 2099 if (conf->psk_identity == NULL || 2100 conf->psk_identity_len == 0) { 2101 return 0; 2102 } 2103 2104 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2105 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 2106 return 1; 2107 } 2108 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2109 2110 if (conf->psk != NULL && conf->psk_len != 0) { 2111 return 1; 2112 } 2113 2114 return 0; 2115 } 2116 2117 static void ssl_conf_remove_psk(mbedtls_ssl_config *conf) 2118 { 2119 /* Remove reference to existing PSK, if any. */ 2120 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2121 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 2122 /* The maintenance of the PSK key slot is the 2123 * user's responsibility. */ 2124 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 2125 } 2126 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2127 if (conf->psk != NULL) { 2128 mbedtls_zeroize_and_free(conf->psk, conf->psk_len); 2129 conf->psk = NULL; 2130 conf->psk_len = 0; 2131 } 2132 2133 /* Remove reference to PSK identity, if any. */ 2134 if (conf->psk_identity != NULL) { 2135 mbedtls_free(conf->psk_identity); 2136 conf->psk_identity = NULL; 2137 conf->psk_identity_len = 0; 2138 } 2139 } 2140 2141 /* This function assumes that PSK identity in the SSL config is unset. 2142 * It checks that the provided identity is well-formed and attempts 2143 * to make a copy of it in the SSL config. 2144 * On failure, the PSK identity in the config remains unset. */ 2145 MBEDTLS_CHECK_RETURN_CRITICAL 2146 static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf, 2147 unsigned char const *psk_identity, 2148 size_t psk_identity_len) 2149 { 2150 /* Identity len will be encoded on two bytes */ 2151 if (psk_identity == NULL || 2152 psk_identity_len == 0 || 2153 (psk_identity_len >> 16) != 0 || 2154 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) { 2155 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2156 } 2157 2158 conf->psk_identity = mbedtls_calloc(1, psk_identity_len); 2159 if (conf->psk_identity == NULL) { 2160 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2161 } 2162 2163 conf->psk_identity_len = psk_identity_len; 2164 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len); 2165 2166 return 0; 2167 } 2168 2169 int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf, 2170 const unsigned char *psk, size_t psk_len, 2171 const unsigned char *psk_identity, size_t psk_identity_len) 2172 { 2173 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2174 2175 /* We currently only support one PSK, raw or opaque. */ 2176 if (mbedtls_ssl_conf_has_static_psk(conf)) { 2177 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2178 } 2179 2180 /* Check and set raw PSK */ 2181 if (psk == NULL) { 2182 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2183 } 2184 if (psk_len == 0) { 2185 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2186 } 2187 if (psk_len > MBEDTLS_PSK_MAX_LEN) { 2188 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2189 } 2190 2191 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) { 2192 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2193 } 2194 conf->psk_len = psk_len; 2195 memcpy(conf->psk, psk, conf->psk_len); 2196 2197 /* Check and set PSK Identity */ 2198 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len); 2199 if (ret != 0) { 2200 ssl_conf_remove_psk(conf); 2201 } 2202 2203 return ret; 2204 } 2205 2206 static void ssl_remove_psk(mbedtls_ssl_context *ssl) 2207 { 2208 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2209 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 2210 /* The maintenance of the external PSK key slot is the 2211 * user's responsibility. */ 2212 if (ssl->handshake->psk_opaque_is_internal) { 2213 psa_destroy_key(ssl->handshake->psk_opaque); 2214 ssl->handshake->psk_opaque_is_internal = 0; 2215 } 2216 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 2217 } 2218 #else 2219 if (ssl->handshake->psk != NULL) { 2220 mbedtls_zeroize_and_free(ssl->handshake->psk, 2221 ssl->handshake->psk_len); 2222 ssl->handshake->psk_len = 0; 2223 ssl->handshake->psk = NULL; 2224 } 2225 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2226 } 2227 2228 int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl, 2229 const unsigned char *psk, size_t psk_len) 2230 { 2231 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2232 psa_key_attributes_t key_attributes = psa_key_attributes_init(); 2233 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2234 psa_algorithm_t alg = PSA_ALG_NONE; 2235 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2236 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2237 2238 if (psk == NULL || ssl->handshake == NULL) { 2239 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2240 } 2241 2242 if (psk_len > MBEDTLS_PSK_MAX_LEN) { 2243 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2244 } 2245 2246 ssl_remove_psk(ssl); 2247 2248 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2249 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2250 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2251 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 2252 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); 2253 } else { 2254 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); 2255 } 2256 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 2257 } 2258 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2259 2260 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2261 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2262 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH); 2263 psa_set_key_usage_flags(&key_attributes, 2264 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT); 2265 } 2266 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 2267 2268 psa_set_key_algorithm(&key_attributes, alg); 2269 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE); 2270 2271 status = psa_import_key(&key_attributes, psk, psk_len, &key); 2272 if (status != PSA_SUCCESS) { 2273 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2274 } 2275 2276 /* Allow calling psa_destroy_key() on psk remove */ 2277 ssl->handshake->psk_opaque_is_internal = 1; 2278 return mbedtls_ssl_set_hs_psk_opaque(ssl, key); 2279 #else 2280 if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) { 2281 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2282 } 2283 2284 ssl->handshake->psk_len = psk_len; 2285 memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len); 2286 2287 return 0; 2288 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2289 } 2290 2291 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2292 int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf, 2293 mbedtls_svc_key_id_t psk, 2294 const unsigned char *psk_identity, 2295 size_t psk_identity_len) 2296 { 2297 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2298 2299 /* We currently only support one PSK, raw or opaque. */ 2300 if (mbedtls_ssl_conf_has_static_psk(conf)) { 2301 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2302 } 2303 2304 /* Check and set opaque PSK */ 2305 if (mbedtls_svc_key_id_is_null(psk)) { 2306 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2307 } 2308 conf->psk_opaque = psk; 2309 2310 /* Check and set PSK Identity */ 2311 ret = ssl_conf_set_psk_identity(conf, psk_identity, 2312 psk_identity_len); 2313 if (ret != 0) { 2314 ssl_conf_remove_psk(conf); 2315 } 2316 2317 return ret; 2318 } 2319 2320 int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl, 2321 mbedtls_svc_key_id_t psk) 2322 { 2323 if ((mbedtls_svc_key_id_is_null(psk)) || 2324 (ssl->handshake == NULL)) { 2325 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2326 } 2327 2328 ssl_remove_psk(ssl); 2329 ssl->handshake->psk_opaque = psk; 2330 return 0; 2331 } 2332 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2333 2334 #if defined(MBEDTLS_SSL_SRV_C) 2335 void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf, 2336 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, 2337 size_t), 2338 void *p_psk) 2339 { 2340 conf->f_psk = f_psk; 2341 conf->p_psk = p_psk; 2342 } 2343 #endif /* MBEDTLS_SSL_SRV_C */ 2344 2345 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 2346 2347 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2348 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode( 2349 psa_algorithm_t alg) 2350 { 2351 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 2352 if (alg == PSA_ALG_CBC_NO_PADDING) { 2353 return MBEDTLS_SSL_MODE_CBC; 2354 } 2355 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 2356 if (PSA_ALG_IS_AEAD(alg)) { 2357 return MBEDTLS_SSL_MODE_AEAD; 2358 } 2359 return MBEDTLS_SSL_MODE_STREAM; 2360 } 2361 2362 #else /* MBEDTLS_USE_PSA_CRYPTO */ 2363 2364 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode( 2365 mbedtls_cipher_mode_t mode) 2366 { 2367 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 2368 if (mode == MBEDTLS_MODE_CBC) { 2369 return MBEDTLS_SSL_MODE_CBC; 2370 } 2371 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 2372 2373 #if defined(MBEDTLS_GCM_C) || \ 2374 defined(MBEDTLS_CCM_C) || \ 2375 defined(MBEDTLS_CHACHAPOLY_C) 2376 if (mode == MBEDTLS_MODE_GCM || 2377 mode == MBEDTLS_MODE_CCM || 2378 mode == MBEDTLS_MODE_CHACHAPOLY) { 2379 return MBEDTLS_SSL_MODE_AEAD; 2380 } 2381 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ 2382 2383 return MBEDTLS_SSL_MODE_STREAM; 2384 } 2385 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2386 2387 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode( 2388 mbedtls_ssl_mode_t base_mode, 2389 int encrypt_then_mac) 2390 { 2391 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2392 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && 2393 base_mode == MBEDTLS_SSL_MODE_CBC) { 2394 return MBEDTLS_SSL_MODE_CBC_ETM; 2395 } 2396 #else 2397 (void) encrypt_then_mac; 2398 #endif 2399 return base_mode; 2400 } 2401 2402 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform( 2403 const mbedtls_ssl_transform *transform) 2404 { 2405 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode( 2406 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2407 transform->psa_alg 2408 #else 2409 mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc) 2410 #endif 2411 ); 2412 2413 int encrypt_then_mac = 0; 2414 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2415 encrypt_then_mac = transform->encrypt_then_mac; 2416 #endif 2417 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac); 2418 } 2419 2420 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2421 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2422 int encrypt_then_mac, 2423 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 2424 const mbedtls_ssl_ciphersuite_t *suite) 2425 { 2426 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM; 2427 2428 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2429 psa_status_t status; 2430 psa_algorithm_t alg; 2431 psa_key_type_t type; 2432 size_t size; 2433 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher, 2434 0, &alg, &type, &size); 2435 if (status == PSA_SUCCESS) { 2436 base_mode = mbedtls_ssl_get_base_mode(alg); 2437 } 2438 #else 2439 const mbedtls_cipher_info_t *cipher = 2440 mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher); 2441 if (cipher != NULL) { 2442 base_mode = 2443 mbedtls_ssl_get_base_mode( 2444 mbedtls_cipher_info_get_mode(cipher)); 2445 } 2446 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2447 2448 #if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2449 int encrypt_then_mac = 0; 2450 #endif 2451 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac); 2452 } 2453 2454 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 2455 2456 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type, 2457 size_t taglen, 2458 psa_algorithm_t *alg, 2459 psa_key_type_t *key_type, 2460 size_t *key_size) 2461 { 2462 #if !defined(MBEDTLS_SSL_HAVE_CCM) 2463 (void) taglen; 2464 #endif 2465 switch (mbedtls_cipher_type) { 2466 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC) 2467 case MBEDTLS_CIPHER_AES_128_CBC: 2468 *alg = PSA_ALG_CBC_NO_PADDING; 2469 *key_type = PSA_KEY_TYPE_AES; 2470 *key_size = 128; 2471 break; 2472 #endif 2473 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) 2474 case MBEDTLS_CIPHER_AES_128_CCM: 2475 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2476 *key_type = PSA_KEY_TYPE_AES; 2477 *key_size = 128; 2478 break; 2479 #endif 2480 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) 2481 case MBEDTLS_CIPHER_AES_128_GCM: 2482 *alg = PSA_ALG_GCM; 2483 *key_type = PSA_KEY_TYPE_AES; 2484 *key_size = 128; 2485 break; 2486 #endif 2487 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) 2488 case MBEDTLS_CIPHER_AES_192_CCM: 2489 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2490 *key_type = PSA_KEY_TYPE_AES; 2491 *key_size = 192; 2492 break; 2493 #endif 2494 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) 2495 case MBEDTLS_CIPHER_AES_192_GCM: 2496 *alg = PSA_ALG_GCM; 2497 *key_type = PSA_KEY_TYPE_AES; 2498 *key_size = 192; 2499 break; 2500 #endif 2501 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC) 2502 case MBEDTLS_CIPHER_AES_256_CBC: 2503 *alg = PSA_ALG_CBC_NO_PADDING; 2504 *key_type = PSA_KEY_TYPE_AES; 2505 *key_size = 256; 2506 break; 2507 #endif 2508 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) 2509 case MBEDTLS_CIPHER_AES_256_CCM: 2510 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2511 *key_type = PSA_KEY_TYPE_AES; 2512 *key_size = 256; 2513 break; 2514 #endif 2515 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) 2516 case MBEDTLS_CIPHER_AES_256_GCM: 2517 *alg = PSA_ALG_GCM; 2518 *key_type = PSA_KEY_TYPE_AES; 2519 *key_size = 256; 2520 break; 2521 #endif 2522 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2523 case MBEDTLS_CIPHER_ARIA_128_CBC: 2524 *alg = PSA_ALG_CBC_NO_PADDING; 2525 *key_type = PSA_KEY_TYPE_ARIA; 2526 *key_size = 128; 2527 break; 2528 #endif 2529 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2530 case MBEDTLS_CIPHER_ARIA_128_CCM: 2531 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2532 *key_type = PSA_KEY_TYPE_ARIA; 2533 *key_size = 128; 2534 break; 2535 #endif 2536 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2537 case MBEDTLS_CIPHER_ARIA_128_GCM: 2538 *alg = PSA_ALG_GCM; 2539 *key_type = PSA_KEY_TYPE_ARIA; 2540 *key_size = 128; 2541 break; 2542 #endif 2543 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2544 case MBEDTLS_CIPHER_ARIA_192_CCM: 2545 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2546 *key_type = PSA_KEY_TYPE_ARIA; 2547 *key_size = 192; 2548 break; 2549 #endif 2550 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2551 case MBEDTLS_CIPHER_ARIA_192_GCM: 2552 *alg = PSA_ALG_GCM; 2553 *key_type = PSA_KEY_TYPE_ARIA; 2554 *key_size = 192; 2555 break; 2556 #endif 2557 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2558 case MBEDTLS_CIPHER_ARIA_256_CBC: 2559 *alg = PSA_ALG_CBC_NO_PADDING; 2560 *key_type = PSA_KEY_TYPE_ARIA; 2561 *key_size = 256; 2562 break; 2563 #endif 2564 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2565 case MBEDTLS_CIPHER_ARIA_256_CCM: 2566 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2567 *key_type = PSA_KEY_TYPE_ARIA; 2568 *key_size = 256; 2569 break; 2570 #endif 2571 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2572 case MBEDTLS_CIPHER_ARIA_256_GCM: 2573 *alg = PSA_ALG_GCM; 2574 *key_type = PSA_KEY_TYPE_ARIA; 2575 *key_size = 256; 2576 break; 2577 #endif 2578 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2579 case MBEDTLS_CIPHER_CAMELLIA_128_CBC: 2580 *alg = PSA_ALG_CBC_NO_PADDING; 2581 *key_type = PSA_KEY_TYPE_CAMELLIA; 2582 *key_size = 128; 2583 break; 2584 #endif 2585 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2586 case MBEDTLS_CIPHER_CAMELLIA_128_CCM: 2587 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2588 *key_type = PSA_KEY_TYPE_CAMELLIA; 2589 *key_size = 128; 2590 break; 2591 #endif 2592 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2593 case MBEDTLS_CIPHER_CAMELLIA_128_GCM: 2594 *alg = PSA_ALG_GCM; 2595 *key_type = PSA_KEY_TYPE_CAMELLIA; 2596 *key_size = 128; 2597 break; 2598 #endif 2599 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2600 case MBEDTLS_CIPHER_CAMELLIA_192_CCM: 2601 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2602 *key_type = PSA_KEY_TYPE_CAMELLIA; 2603 *key_size = 192; 2604 break; 2605 #endif 2606 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2607 case MBEDTLS_CIPHER_CAMELLIA_192_GCM: 2608 *alg = PSA_ALG_GCM; 2609 *key_type = PSA_KEY_TYPE_CAMELLIA; 2610 *key_size = 192; 2611 break; 2612 #endif 2613 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2614 case MBEDTLS_CIPHER_CAMELLIA_256_CBC: 2615 *alg = PSA_ALG_CBC_NO_PADDING; 2616 *key_type = PSA_KEY_TYPE_CAMELLIA; 2617 *key_size = 256; 2618 break; 2619 #endif 2620 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2621 case MBEDTLS_CIPHER_CAMELLIA_256_CCM: 2622 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2623 *key_type = PSA_KEY_TYPE_CAMELLIA; 2624 *key_size = 256; 2625 break; 2626 #endif 2627 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2628 case MBEDTLS_CIPHER_CAMELLIA_256_GCM: 2629 *alg = PSA_ALG_GCM; 2630 *key_type = PSA_KEY_TYPE_CAMELLIA; 2631 *key_size = 256; 2632 break; 2633 #endif 2634 #if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) 2635 case MBEDTLS_CIPHER_CHACHA20_POLY1305: 2636 *alg = PSA_ALG_CHACHA20_POLY1305; 2637 *key_type = PSA_KEY_TYPE_CHACHA20; 2638 *key_size = 256; 2639 break; 2640 #endif 2641 case MBEDTLS_CIPHER_NULL: 2642 *alg = MBEDTLS_SSL_NULL_CIPHER; 2643 *key_type = 0; 2644 *key_size = 0; 2645 break; 2646 default: 2647 return PSA_ERROR_NOT_SUPPORTED; 2648 } 2649 2650 return PSA_SUCCESS; 2651 } 2652 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ 2653 2654 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 2655 int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf, 2656 const unsigned char *dhm_P, size_t P_len, 2657 const unsigned char *dhm_G, size_t G_len) 2658 { 2659 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2660 2661 mbedtls_mpi_free(&conf->dhm_P); 2662 mbedtls_mpi_free(&conf->dhm_G); 2663 2664 if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 || 2665 (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) { 2666 mbedtls_mpi_free(&conf->dhm_P); 2667 mbedtls_mpi_free(&conf->dhm_G); 2668 return ret; 2669 } 2670 2671 return 0; 2672 } 2673 2674 int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx) 2675 { 2676 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2677 2678 mbedtls_mpi_free(&conf->dhm_P); 2679 mbedtls_mpi_free(&conf->dhm_G); 2680 2681 if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P, 2682 &conf->dhm_P)) != 0 || 2683 (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G, 2684 &conf->dhm_G)) != 0) { 2685 mbedtls_mpi_free(&conf->dhm_P); 2686 mbedtls_mpi_free(&conf->dhm_G); 2687 return ret; 2688 } 2689 2690 return 0; 2691 } 2692 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */ 2693 2694 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 2695 /* 2696 * Set the minimum length for Diffie-Hellman parameters 2697 */ 2698 void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf, 2699 unsigned int bitlen) 2700 { 2701 conf->dhm_min_bitlen = bitlen; 2702 } 2703 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ 2704 2705 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2706 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2) 2707 /* 2708 * Set allowed/preferred hashes for handshake signatures 2709 */ 2710 void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf, 2711 const int *hashes) 2712 { 2713 conf->sig_hashes = hashes; 2714 } 2715 #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */ 2716 2717 /* Configure allowed signature algorithms for handshake */ 2718 void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, 2719 const uint16_t *sig_algs) 2720 { 2721 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2722 conf->sig_hashes = NULL; 2723 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 2724 conf->sig_algs = sig_algs; 2725 } 2726 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2727 2728 #if defined(MBEDTLS_ECP_C) 2729 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2730 /* 2731 * Set the allowed elliptic curves 2732 * 2733 * mbedtls_ssl_setup() takes the provided list 2734 * and translates it to a list of IANA TLS group identifiers, 2735 * stored in ssl->handshake->group_list. 2736 * 2737 */ 2738 void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf, 2739 const mbedtls_ecp_group_id *curve_list) 2740 { 2741 conf->curve_list = curve_list; 2742 conf->group_list = NULL; 2743 } 2744 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 2745 #endif /* MBEDTLS_ECP_C */ 2746 2747 /* 2748 * Set the allowed groups 2749 */ 2750 void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, 2751 const uint16_t *group_list) 2752 { 2753 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 2754 conf->curve_list = NULL; 2755 #endif 2756 conf->group_list = group_list; 2757 } 2758 2759 #if defined(MBEDTLS_X509_CRT_PARSE_C) 2760 int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname) 2761 { 2762 /* Initialize to suppress unnecessary compiler warning */ 2763 size_t hostname_len = 0; 2764 2765 /* Check if new hostname is valid before 2766 * making any change to current one */ 2767 if (hostname != NULL) { 2768 hostname_len = strlen(hostname); 2769 2770 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) { 2771 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2772 } 2773 } 2774 2775 /* Now it's clear that we will overwrite the old hostname, 2776 * so we can free it safely */ 2777 2778 if (ssl->hostname != NULL) { 2779 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname)); 2780 } 2781 2782 /* Passing NULL as hostname shall clear the old one */ 2783 2784 if (hostname == NULL) { 2785 ssl->hostname = NULL; 2786 } else { 2787 ssl->hostname = mbedtls_calloc(1, hostname_len + 1); 2788 if (ssl->hostname == NULL) { 2789 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2790 } 2791 2792 memcpy(ssl->hostname, hostname, hostname_len); 2793 2794 ssl->hostname[hostname_len] = '\0'; 2795 } 2796 2797 return 0; 2798 } 2799 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 2800 2801 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2802 void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf, 2803 int (*f_sni)(void *, mbedtls_ssl_context *, 2804 const unsigned char *, size_t), 2805 void *p_sni) 2806 { 2807 conf->f_sni = f_sni; 2808 conf->p_sni = p_sni; 2809 } 2810 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 2811 2812 #if defined(MBEDTLS_SSL_ALPN) 2813 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos) 2814 { 2815 size_t cur_len, tot_len; 2816 const char **p; 2817 2818 /* 2819 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings 2820 * MUST NOT be truncated." 2821 * We check lengths now rather than later. 2822 */ 2823 tot_len = 0; 2824 for (p = protos; *p != NULL; p++) { 2825 cur_len = strlen(*p); 2826 tot_len += cur_len; 2827 2828 if ((cur_len == 0) || 2829 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) || 2830 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) { 2831 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2832 } 2833 } 2834 2835 conf->alpn_list = protos; 2836 2837 return 0; 2838 } 2839 2840 const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl) 2841 { 2842 return ssl->alpn_chosen; 2843 } 2844 #endif /* MBEDTLS_SSL_ALPN */ 2845 2846 #if defined(MBEDTLS_SSL_DTLS_SRTP) 2847 void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf, 2848 int support_mki_value) 2849 { 2850 conf->dtls_srtp_mki_support = support_mki_value; 2851 } 2852 2853 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl, 2854 unsigned char *mki_value, 2855 uint16_t mki_len) 2856 { 2857 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) { 2858 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2859 } 2860 2861 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) { 2862 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2863 } 2864 2865 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len); 2866 ssl->dtls_srtp_info.mki_len = mki_len; 2867 return 0; 2868 } 2869 2870 int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf, 2871 const mbedtls_ssl_srtp_profile *profiles) 2872 { 2873 const mbedtls_ssl_srtp_profile *p; 2874 size_t list_size = 0; 2875 2876 /* check the profiles list: all entry must be valid, 2877 * its size cannot be more than the total number of supported profiles, currently 4 */ 2878 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET && 2879 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH; 2880 p++) { 2881 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) { 2882 list_size++; 2883 } else { 2884 /* unsupported value, stop parsing and set the size to an error value */ 2885 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1; 2886 } 2887 } 2888 2889 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) { 2890 conf->dtls_srtp_profile_list = NULL; 2891 conf->dtls_srtp_profile_list_len = 0; 2892 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2893 } 2894 2895 conf->dtls_srtp_profile_list = profiles; 2896 conf->dtls_srtp_profile_list_len = list_size; 2897 2898 return 0; 2899 } 2900 2901 void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl, 2902 mbedtls_dtls_srtp_info *dtls_srtp_info) 2903 { 2904 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile; 2905 /* do not copy the mki value if there is no chosen profile */ 2906 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) { 2907 dtls_srtp_info->mki_len = 0; 2908 } else { 2909 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len; 2910 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value, 2911 ssl->dtls_srtp_info.mki_len); 2912 } 2913 } 2914 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 2915 2916 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2917 void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor) 2918 { 2919 conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor); 2920 } 2921 2922 void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor) 2923 { 2924 conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor); 2925 } 2926 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 2927 2928 #if defined(MBEDTLS_SSL_SRV_C) 2929 void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, 2930 char cert_req_ca_list) 2931 { 2932 conf->cert_req_ca_list = cert_req_ca_list; 2933 } 2934 #endif 2935 2936 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 2937 void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm) 2938 { 2939 conf->encrypt_then_mac = etm; 2940 } 2941 #endif 2942 2943 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 2944 void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems) 2945 { 2946 conf->extended_ms = ems; 2947 } 2948 #endif 2949 2950 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 2951 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code) 2952 { 2953 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || 2954 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) { 2955 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2956 } 2957 2958 conf->mfl_code = mfl_code; 2959 2960 return 0; 2961 } 2962 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 2963 2964 void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy) 2965 { 2966 conf->allow_legacy_renegotiation = allow_legacy; 2967 } 2968 2969 #if defined(MBEDTLS_SSL_RENEGOTIATION) 2970 void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation) 2971 { 2972 conf->disable_renegotiation = renegotiation; 2973 } 2974 2975 void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records) 2976 { 2977 conf->renego_max_records = max_records; 2978 } 2979 2980 void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf, 2981 const unsigned char period[8]) 2982 { 2983 memcpy(conf->renego_period, period, 8); 2984 } 2985 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 2986 2987 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 2988 #if defined(MBEDTLS_SSL_CLI_C) 2989 2990 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets) 2991 { 2992 conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK; 2993 conf->session_tickets |= (use_tickets != 0) << 2994 MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT; 2995 } 2996 2997 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2998 void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( 2999 mbedtls_ssl_config *conf, int signal_new_session_tickets) 3000 { 3001 conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK; 3002 conf->session_tickets |= (signal_new_session_tickets != 0) << 3003 MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT; 3004 } 3005 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 3006 #endif /* MBEDTLS_SSL_CLI_C */ 3007 3008 #if defined(MBEDTLS_SSL_SRV_C) 3009 3010 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 3011 void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf, 3012 uint16_t num_tickets) 3013 { 3014 conf->new_session_tickets_count = num_tickets; 3015 } 3016 #endif 3017 3018 void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf, 3019 mbedtls_ssl_ticket_write_t *f_ticket_write, 3020 mbedtls_ssl_ticket_parse_t *f_ticket_parse, 3021 void *p_ticket) 3022 { 3023 conf->f_ticket_write = f_ticket_write; 3024 conf->f_ticket_parse = f_ticket_parse; 3025 conf->p_ticket = p_ticket; 3026 } 3027 #endif 3028 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3029 3030 void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl, 3031 mbedtls_ssl_export_keys_t *f_export_keys, 3032 void *p_export_keys) 3033 { 3034 ssl->f_export_keys = f_export_keys; 3035 ssl->p_export_keys = p_export_keys; 3036 } 3037 3038 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3039 void mbedtls_ssl_conf_async_private_cb( 3040 mbedtls_ssl_config *conf, 3041 mbedtls_ssl_async_sign_t *f_async_sign, 3042 mbedtls_ssl_async_decrypt_t *f_async_decrypt, 3043 mbedtls_ssl_async_resume_t *f_async_resume, 3044 mbedtls_ssl_async_cancel_t *f_async_cancel, 3045 void *async_config_data) 3046 { 3047 conf->f_async_sign_start = f_async_sign; 3048 conf->f_async_decrypt_start = f_async_decrypt; 3049 conf->f_async_resume = f_async_resume; 3050 conf->f_async_cancel = f_async_cancel; 3051 conf->p_async_config_data = async_config_data; 3052 } 3053 3054 void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf) 3055 { 3056 return conf->p_async_config_data; 3057 } 3058 3059 void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl) 3060 { 3061 if (ssl->handshake == NULL) { 3062 return NULL; 3063 } else { 3064 return ssl->handshake->user_async_ctx; 3065 } 3066 } 3067 3068 void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl, 3069 void *ctx) 3070 { 3071 if (ssl->handshake != NULL) { 3072 ssl->handshake->user_async_ctx = ctx; 3073 } 3074 } 3075 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3076 3077 /* 3078 * SSL get accessors 3079 */ 3080 uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl) 3081 { 3082 if (ssl->session != NULL) { 3083 return ssl->session->verify_result; 3084 } 3085 3086 if (ssl->session_negotiate != NULL) { 3087 return ssl->session_negotiate->verify_result; 3088 } 3089 3090 return 0xFFFFFFFF; 3091 } 3092 3093 int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl) 3094 { 3095 if (ssl == NULL || ssl->session == NULL) { 3096 return 0; 3097 } 3098 3099 return ssl->session->ciphersuite; 3100 } 3101 3102 const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl) 3103 { 3104 if (ssl == NULL || ssl->session == NULL) { 3105 return NULL; 3106 } 3107 3108 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite); 3109 } 3110 3111 const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl) 3112 { 3113 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3114 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 3115 switch (ssl->tls_version) { 3116 case MBEDTLS_SSL_VERSION_TLS1_2: 3117 return "DTLSv1.2"; 3118 default: 3119 return "unknown (DTLS)"; 3120 } 3121 } 3122 #endif 3123 3124 switch (ssl->tls_version) { 3125 case MBEDTLS_SSL_VERSION_TLS1_2: 3126 return "TLSv1.2"; 3127 case MBEDTLS_SSL_VERSION_TLS1_3: 3128 return "TLSv1.3"; 3129 default: 3130 return "unknown"; 3131 } 3132 } 3133 3134 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3135 3136 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl) 3137 { 3138 const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN; 3139 size_t record_size_limit = max_len; 3140 3141 if (ssl->session != NULL && 3142 ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN && 3143 ssl->session->record_size_limit < max_len) { 3144 record_size_limit = ssl->session->record_size_limit; 3145 } 3146 3147 // TODO: this is currently untested 3148 /* During a handshake, use the value being negotiated */ 3149 if (ssl->session_negotiate != NULL && 3150 ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN && 3151 ssl->session_negotiate->record_size_limit < max_len) { 3152 record_size_limit = ssl->session_negotiate->record_size_limit; 3153 } 3154 3155 return record_size_limit; 3156 } 3157 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 3158 3159 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3160 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl) 3161 { 3162 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN; 3163 size_t read_mfl; 3164 3165 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3166 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */ 3167 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 3168 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) { 3169 return ssl_mfl_code_to_length(ssl->conf->mfl_code); 3170 } 3171 #endif 3172 3173 /* Check if a smaller max length was negotiated */ 3174 if (ssl->session_out != NULL) { 3175 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code); 3176 if (read_mfl < max_len) { 3177 max_len = read_mfl; 3178 } 3179 } 3180 3181 /* During a handshake, use the value being negotiated */ 3182 if (ssl->session_negotiate != NULL) { 3183 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code); 3184 if (read_mfl < max_len) { 3185 max_len = read_mfl; 3186 } 3187 } 3188 3189 return max_len; 3190 } 3191 3192 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl) 3193 { 3194 size_t max_len; 3195 3196 /* 3197 * Assume mfl_code is correct since it was checked when set 3198 */ 3199 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code); 3200 3201 /* Check if a smaller max length was negotiated */ 3202 if (ssl->session_out != NULL && 3203 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) { 3204 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code); 3205 } 3206 3207 /* During a handshake, use the value being negotiated */ 3208 if (ssl->session_negotiate != NULL && 3209 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) { 3210 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code); 3211 } 3212 3213 return max_len; 3214 } 3215 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 3216 3217 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3218 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl) 3219 { 3220 /* Return unlimited mtu for client hello messages to avoid fragmentation. */ 3221 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 3222 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO || 3223 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) { 3224 return 0; 3225 } 3226 3227 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) { 3228 return ssl->mtu; 3229 } 3230 3231 if (ssl->mtu == 0) { 3232 return ssl->handshake->mtu; 3233 } 3234 3235 return ssl->mtu < ssl->handshake->mtu ? 3236 ssl->mtu : ssl->handshake->mtu; 3237 } 3238 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3239 3240 int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl) 3241 { 3242 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN; 3243 3244 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \ 3245 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \ 3246 !defined(MBEDTLS_SSL_PROTO_DTLS) 3247 (void) ssl; 3248 #endif 3249 3250 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3251 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl); 3252 3253 if (max_len > mfl) { 3254 max_len = mfl; 3255 } 3256 #endif 3257 3258 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3259 const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl); 3260 3261 if (max_len > record_size_limit) { 3262 max_len = record_size_limit; 3263 } 3264 #endif 3265 3266 if (ssl->transform_out != NULL && 3267 ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 3268 /* 3269 * In TLS 1.3 case, when records are protected, `max_len` as computed 3270 * above is the maximum length of the TLSInnerPlaintext structure that 3271 * along the plaintext payload contains the inner content type (one byte) 3272 * and some zero padding. Given the algorithm used for padding 3273 * in mbedtls_ssl_encrypt_buf(), compute the maximum length for 3274 * the plaintext payload. Round down to a multiple of 3275 * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and 3276 * subtract 1. 3277 */ 3278 max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) * 3279 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1; 3280 } 3281 3282 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3283 if (mbedtls_ssl_get_current_mtu(ssl) != 0) { 3284 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl); 3285 const int ret = mbedtls_ssl_get_record_expansion(ssl); 3286 const size_t overhead = (size_t) ret; 3287 3288 if (ret < 0) { 3289 return ret; 3290 } 3291 3292 if (mtu <= overhead) { 3293 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion")); 3294 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3295 } 3296 3297 if (max_len > mtu - overhead) { 3298 max_len = mtu - overhead; 3299 } 3300 } 3301 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3302 3303 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \ 3304 !defined(MBEDTLS_SSL_PROTO_DTLS) && \ 3305 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3306 ((void) ssl); 3307 #endif 3308 3309 return (int) max_len; 3310 } 3311 3312 int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl) 3313 { 3314 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN; 3315 3316 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3317 (void) ssl; 3318 #endif 3319 3320 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3321 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl); 3322 3323 if (max_len > mfl) { 3324 max_len = mfl; 3325 } 3326 #endif 3327 3328 return (int) max_len; 3329 } 3330 3331 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3332 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl) 3333 { 3334 if (ssl == NULL || ssl->session == NULL) { 3335 return NULL; 3336 } 3337 3338 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3339 return ssl->session->peer_cert; 3340 #else 3341 return NULL; 3342 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3343 } 3344 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3345 3346 #if defined(MBEDTLS_SSL_CLI_C) 3347 int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, 3348 mbedtls_ssl_session *dst) 3349 { 3350 int ret; 3351 3352 if (ssl == NULL || 3353 dst == NULL || 3354 ssl->session == NULL || 3355 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) { 3356 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3357 } 3358 3359 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer 3360 * idempotent: Each session can only be exported once. 3361 * 3362 * (This is in preparation for TLS 1.3 support where we will 3363 * need the ability to export multiple sessions (aka tickets), 3364 * which will be achieved by calling mbedtls_ssl_get_session() 3365 * multiple times until it fails.) 3366 * 3367 * Check whether we have already exported the current session, 3368 * and fail if so. 3369 */ 3370 if (ssl->session->exported == 1) { 3371 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3372 } 3373 3374 ret = mbedtls_ssl_session_copy(dst, ssl->session); 3375 if (ret != 0) { 3376 return ret; 3377 } 3378 3379 /* Remember that we've exported the session. */ 3380 ssl->session->exported = 1; 3381 return 0; 3382 } 3383 #endif /* MBEDTLS_SSL_CLI_C */ 3384 3385 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3386 3387 /* Serialization of TLS 1.2 sessions 3388 * 3389 * For more detail, see the description of ssl_session_save(). 3390 */ 3391 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, 3392 unsigned char *buf, 3393 size_t buf_len) 3394 { 3395 unsigned char *p = buf; 3396 size_t used = 0; 3397 3398 #if defined(MBEDTLS_HAVE_TIME) 3399 uint64_t start; 3400 #endif 3401 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3402 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3403 size_t cert_len; 3404 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3405 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3406 3407 /* 3408 * Time 3409 */ 3410 #if defined(MBEDTLS_HAVE_TIME) 3411 used += 8; 3412 3413 if (used <= buf_len) { 3414 start = (uint64_t) session->start; 3415 3416 MBEDTLS_PUT_UINT64_BE(start, p, 0); 3417 p += 8; 3418 } 3419 #endif /* MBEDTLS_HAVE_TIME */ 3420 3421 /* 3422 * Basic mandatory fields 3423 */ 3424 used += 1 /* id_len */ 3425 + sizeof(session->id) 3426 + sizeof(session->master) 3427 + 4; /* verify_result */ 3428 3429 if (used <= buf_len) { 3430 *p++ = MBEDTLS_BYTE_0(session->id_len); 3431 memcpy(p, session->id, 32); 3432 p += 32; 3433 3434 memcpy(p, session->master, 48); 3435 p += 48; 3436 3437 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0); 3438 p += 4; 3439 } 3440 3441 /* 3442 * Peer's end-entity certificate 3443 */ 3444 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3445 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3446 if (session->peer_cert == NULL) { 3447 cert_len = 0; 3448 } else { 3449 cert_len = session->peer_cert->raw.len; 3450 } 3451 3452 used += 3 + cert_len; 3453 3454 if (used <= buf_len) { 3455 *p++ = MBEDTLS_BYTE_2(cert_len); 3456 *p++ = MBEDTLS_BYTE_1(cert_len); 3457 *p++ = MBEDTLS_BYTE_0(cert_len); 3458 3459 if (session->peer_cert != NULL) { 3460 memcpy(p, session->peer_cert->raw.p, cert_len); 3461 p += cert_len; 3462 } 3463 } 3464 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3465 if (session->peer_cert_digest != NULL) { 3466 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len; 3467 if (used <= buf_len) { 3468 *p++ = (unsigned char) session->peer_cert_digest_type; 3469 *p++ = (unsigned char) session->peer_cert_digest_len; 3470 memcpy(p, session->peer_cert_digest, 3471 session->peer_cert_digest_len); 3472 p += session->peer_cert_digest_len; 3473 } 3474 } else { 3475 used += 2; 3476 if (used <= buf_len) { 3477 *p++ = (unsigned char) MBEDTLS_MD_NONE; 3478 *p++ = 0; 3479 } 3480 } 3481 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3482 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3483 3484 /* 3485 * Session ticket if any, plus associated data 3486 */ 3487 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3488 #if defined(MBEDTLS_SSL_CLI_C) 3489 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3490 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */ 3491 3492 if (used <= buf_len) { 3493 *p++ = MBEDTLS_BYTE_2(session->ticket_len); 3494 *p++ = MBEDTLS_BYTE_1(session->ticket_len); 3495 *p++ = MBEDTLS_BYTE_0(session->ticket_len); 3496 3497 if (session->ticket != NULL) { 3498 memcpy(p, session->ticket, session->ticket_len); 3499 p += session->ticket_len; 3500 } 3501 3502 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); 3503 p += 4; 3504 } 3505 } 3506 #endif /* MBEDTLS_SSL_CLI_C */ 3507 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) 3508 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3509 used += 8; 3510 3511 if (used <= buf_len) { 3512 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); 3513 p += 8; 3514 } 3515 } 3516 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ 3517 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3518 3519 /* 3520 * Misc extension-related info 3521 */ 3522 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3523 used += 1; 3524 3525 if (used <= buf_len) { 3526 *p++ = session->mfl_code; 3527 } 3528 #endif 3529 3530 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 3531 used += 1; 3532 3533 if (used <= buf_len) { 3534 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac); 3535 } 3536 #endif 3537 3538 return used; 3539 } 3540 3541 MBEDTLS_CHECK_RETURN_CRITICAL 3542 static int ssl_tls12_session_load(mbedtls_ssl_session *session, 3543 const unsigned char *buf, 3544 size_t len) 3545 { 3546 #if defined(MBEDTLS_HAVE_TIME) 3547 uint64_t start; 3548 #endif 3549 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3550 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3551 size_t cert_len; 3552 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3553 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3554 3555 const unsigned char *p = buf; 3556 const unsigned char * const end = buf + len; 3557 3558 /* 3559 * Time 3560 */ 3561 #if defined(MBEDTLS_HAVE_TIME) 3562 if (8 > (size_t) (end - p)) { 3563 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3564 } 3565 3566 start = MBEDTLS_GET_UINT64_BE(p, 0); 3567 p += 8; 3568 3569 session->start = (time_t) start; 3570 #endif /* MBEDTLS_HAVE_TIME */ 3571 3572 /* 3573 * Basic mandatory fields 3574 */ 3575 if (1 + 32 + 48 + 4 > (size_t) (end - p)) { 3576 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3577 } 3578 3579 session->id_len = *p++; 3580 memcpy(session->id, p, 32); 3581 p += 32; 3582 3583 memcpy(session->master, p, 48); 3584 p += 48; 3585 3586 session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0); 3587 p += 4; 3588 3589 /* Immediately clear invalid pointer values that have been read, in case 3590 * we exit early before we replaced them with valid ones. */ 3591 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3592 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3593 session->peer_cert = NULL; 3594 #else 3595 session->peer_cert_digest = NULL; 3596 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3597 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3598 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 3599 session->ticket = NULL; 3600 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 3601 3602 /* 3603 * Peer certificate 3604 */ 3605 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3606 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3607 /* Deserialize CRT from the end of the ticket. */ 3608 if (3 > (size_t) (end - p)) { 3609 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3610 } 3611 3612 cert_len = MBEDTLS_GET_UINT24_BE(p, 0); 3613 p += 3; 3614 3615 if (cert_len != 0) { 3616 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3617 3618 if (cert_len > (size_t) (end - p)) { 3619 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3620 } 3621 3622 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 3623 3624 if (session->peer_cert == NULL) { 3625 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3626 } 3627 3628 mbedtls_x509_crt_init(session->peer_cert); 3629 3630 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert, 3631 p, cert_len)) != 0) { 3632 mbedtls_x509_crt_free(session->peer_cert); 3633 mbedtls_free(session->peer_cert); 3634 session->peer_cert = NULL; 3635 return ret; 3636 } 3637 3638 p += cert_len; 3639 } 3640 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3641 /* Deserialize CRT digest from the end of the ticket. */ 3642 if (2 > (size_t) (end - p)) { 3643 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3644 } 3645 3646 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++; 3647 session->peer_cert_digest_len = (size_t) *p++; 3648 3649 if (session->peer_cert_digest_len != 0) { 3650 const mbedtls_md_info_t *md_info = 3651 mbedtls_md_info_from_type(session->peer_cert_digest_type); 3652 if (md_info == NULL) { 3653 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3654 } 3655 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) { 3656 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3657 } 3658 3659 if (session->peer_cert_digest_len > (size_t) (end - p)) { 3660 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3661 } 3662 3663 session->peer_cert_digest = 3664 mbedtls_calloc(1, session->peer_cert_digest_len); 3665 if (session->peer_cert_digest == NULL) { 3666 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3667 } 3668 3669 memcpy(session->peer_cert_digest, p, 3670 session->peer_cert_digest_len); 3671 p += session->peer_cert_digest_len; 3672 } 3673 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3674 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3675 3676 /* 3677 * Session ticket and associated data 3678 */ 3679 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3680 #if defined(MBEDTLS_SSL_CLI_C) 3681 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3682 if (3 > (size_t) (end - p)) { 3683 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3684 } 3685 3686 session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0); 3687 p += 3; 3688 3689 if (session->ticket_len != 0) { 3690 if (session->ticket_len > (size_t) (end - p)) { 3691 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3692 } 3693 3694 session->ticket = mbedtls_calloc(1, session->ticket_len); 3695 if (session->ticket == NULL) { 3696 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3697 } 3698 3699 memcpy(session->ticket, p, session->ticket_len); 3700 p += session->ticket_len; 3701 } 3702 3703 if (4 > (size_t) (end - p)) { 3704 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3705 } 3706 3707 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); 3708 p += 4; 3709 } 3710 #endif /* MBEDTLS_SSL_CLI_C */ 3711 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) 3712 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3713 if (8 > (size_t) (end - p)) { 3714 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3715 } 3716 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); 3717 p += 8; 3718 } 3719 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ 3720 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3721 3722 /* 3723 * Misc extension-related info 3724 */ 3725 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3726 if (1 > (size_t) (end - p)) { 3727 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3728 } 3729 3730 session->mfl_code = *p++; 3731 #endif 3732 3733 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 3734 if (1 > (size_t) (end - p)) { 3735 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3736 } 3737 3738 session->encrypt_then_mac = *p++; 3739 #endif 3740 3741 /* Done, should have consumed entire buffer */ 3742 if (p != end) { 3743 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3744 } 3745 3746 return 0; 3747 } 3748 3749 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3750 3751 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3752 /* Serialization of TLS 1.3 sessions: 3753 * 3754 * For more detail, see the description of ssl_session_save(). 3755 */ 3756 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3757 MBEDTLS_CHECK_RETURN_CRITICAL 3758 static int ssl_tls13_session_save(const mbedtls_ssl_session *session, 3759 unsigned char *buf, 3760 size_t buf_len, 3761 size_t *olen) 3762 { 3763 unsigned char *p = buf; 3764 #if defined(MBEDTLS_SSL_CLI_C) && \ 3765 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3766 size_t hostname_len = (session->hostname == NULL) ? 3767 0 : strlen(session->hostname) + 1; 3768 #endif 3769 3770 #if defined(MBEDTLS_SSL_SRV_C) && \ 3771 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 3772 const size_t alpn_len = (session->ticket_alpn == NULL) ? 3773 0 : strlen(session->ticket_alpn) + 1; 3774 #endif 3775 size_t needed = 4 /* ticket_age_add */ 3776 + 1 /* ticket_flags */ 3777 + 1; /* resumption_key length */ 3778 3779 *olen = 0; 3780 3781 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) { 3782 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3783 } 3784 needed += session->resumption_key_len; /* resumption_key */ 3785 3786 #if defined(MBEDTLS_SSL_EARLY_DATA) 3787 needed += 4; /* max_early_data_size */ 3788 #endif 3789 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3790 needed += 2; /* record_size_limit */ 3791 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 3792 3793 #if defined(MBEDTLS_HAVE_TIME) 3794 needed += 8; /* ticket_creation_time or ticket_reception_time */ 3795 #endif 3796 3797 #if defined(MBEDTLS_SSL_SRV_C) 3798 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3799 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 3800 needed += 2 /* alpn_len */ 3801 + alpn_len; /* alpn */ 3802 #endif 3803 } 3804 #endif /* MBEDTLS_SSL_SRV_C */ 3805 3806 #if defined(MBEDTLS_SSL_CLI_C) 3807 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3808 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3809 needed += 2 /* hostname_len */ 3810 + hostname_len; /* hostname */ 3811 #endif 3812 3813 needed += 4 /* ticket_lifetime */ 3814 + 2; /* ticket_len */ 3815 3816 /* Check size_t overflow */ 3817 if (session->ticket_len > SIZE_MAX - needed) { 3818 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3819 } 3820 3821 needed += session->ticket_len; /* ticket */ 3822 } 3823 #endif /* MBEDTLS_SSL_CLI_C */ 3824 3825 *olen = needed; 3826 if (needed > buf_len) { 3827 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 3828 } 3829 3830 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0); 3831 p[4] = session->ticket_flags; 3832 3833 /* save resumption_key */ 3834 p[5] = session->resumption_key_len; 3835 p += 6; 3836 memcpy(p, session->resumption_key, session->resumption_key_len); 3837 p += session->resumption_key_len; 3838 3839 #if defined(MBEDTLS_SSL_EARLY_DATA) 3840 MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0); 3841 p += 4; 3842 #endif 3843 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3844 MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0); 3845 p += 2; 3846 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 3847 3848 #if defined(MBEDTLS_SSL_SRV_C) 3849 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3850 #if defined(MBEDTLS_HAVE_TIME) 3851 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); 3852 p += 8; 3853 #endif /* MBEDTLS_HAVE_TIME */ 3854 3855 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 3856 MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0); 3857 p += 2; 3858 3859 if (alpn_len > 0) { 3860 /* save chosen alpn */ 3861 memcpy(p, session->ticket_alpn, alpn_len); 3862 p += alpn_len; 3863 } 3864 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */ 3865 } 3866 #endif /* MBEDTLS_SSL_SRV_C */ 3867 3868 #if defined(MBEDTLS_SSL_CLI_C) 3869 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3870 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3871 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0); 3872 p += 2; 3873 if (hostname_len > 0) { 3874 /* save host name */ 3875 memcpy(p, session->hostname, hostname_len); 3876 p += hostname_len; 3877 } 3878 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 3879 3880 #if defined(MBEDTLS_HAVE_TIME) 3881 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0); 3882 p += 8; 3883 #endif 3884 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); 3885 p += 4; 3886 3887 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0); 3888 p += 2; 3889 3890 if (session->ticket != NULL && session->ticket_len > 0) { 3891 memcpy(p, session->ticket, session->ticket_len); 3892 p += session->ticket_len; 3893 } 3894 } 3895 #endif /* MBEDTLS_SSL_CLI_C */ 3896 return 0; 3897 } 3898 3899 MBEDTLS_CHECK_RETURN_CRITICAL 3900 static int ssl_tls13_session_load(mbedtls_ssl_session *session, 3901 const unsigned char *buf, 3902 size_t len) 3903 { 3904 const unsigned char *p = buf; 3905 const unsigned char *end = buf + len; 3906 3907 if (end - p < 6) { 3908 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3909 } 3910 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0); 3911 session->ticket_flags = p[4]; 3912 3913 /* load resumption_key */ 3914 session->resumption_key_len = p[5]; 3915 p += 6; 3916 3917 if (end - p < session->resumption_key_len) { 3918 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3919 } 3920 3921 if (sizeof(session->resumption_key) < session->resumption_key_len) { 3922 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3923 } 3924 memcpy(session->resumption_key, p, session->resumption_key_len); 3925 p += session->resumption_key_len; 3926 3927 #if defined(MBEDTLS_SSL_EARLY_DATA) 3928 if (end - p < 4) { 3929 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3930 } 3931 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0); 3932 p += 4; 3933 #endif 3934 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3935 if (end - p < 2) { 3936 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3937 } 3938 session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0); 3939 p += 2; 3940 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 3941 3942 #if defined(MBEDTLS_SSL_SRV_C) 3943 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3944 #if defined(MBEDTLS_HAVE_TIME) 3945 if (end - p < 8) { 3946 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3947 } 3948 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); 3949 p += 8; 3950 #endif /* MBEDTLS_HAVE_TIME */ 3951 3952 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 3953 size_t alpn_len; 3954 3955 if (end - p < 2) { 3956 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3957 } 3958 3959 alpn_len = MBEDTLS_GET_UINT16_BE(p, 0); 3960 p += 2; 3961 3962 if (end - p < (long int) alpn_len) { 3963 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3964 } 3965 3966 if (alpn_len > 0) { 3967 int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p); 3968 if (ret != 0) { 3969 return ret; 3970 } 3971 p += alpn_len; 3972 } 3973 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */ 3974 } 3975 #endif /* MBEDTLS_SSL_SRV_C */ 3976 3977 #if defined(MBEDTLS_SSL_CLI_C) 3978 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3979 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3980 size_t hostname_len; 3981 /* load host name */ 3982 if (end - p < 2) { 3983 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3984 } 3985 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0); 3986 p += 2; 3987 3988 if (end - p < (long int) hostname_len) { 3989 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3990 } 3991 if (hostname_len > 0) { 3992 session->hostname = mbedtls_calloc(1, hostname_len); 3993 if (session->hostname == NULL) { 3994 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3995 } 3996 memcpy(session->hostname, p, hostname_len); 3997 p += hostname_len; 3998 } 3999 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 4000 4001 #if defined(MBEDTLS_HAVE_TIME) 4002 if (end - p < 8) { 4003 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4004 } 4005 session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0); 4006 p += 8; 4007 #endif 4008 if (end - p < 4) { 4009 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4010 } 4011 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); 4012 p += 4; 4013 4014 if (end - p < 2) { 4015 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4016 } 4017 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0); 4018 p += 2; 4019 4020 if (end - p < (long int) session->ticket_len) { 4021 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4022 } 4023 if (session->ticket_len > 0) { 4024 session->ticket = mbedtls_calloc(1, session->ticket_len); 4025 if (session->ticket == NULL) { 4026 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 4027 } 4028 memcpy(session->ticket, p, session->ticket_len); 4029 p += session->ticket_len; 4030 } 4031 } 4032 #endif /* MBEDTLS_SSL_CLI_C */ 4033 4034 return 0; 4035 4036 } 4037 #else /* MBEDTLS_SSL_SESSION_TICKETS */ 4038 MBEDTLS_CHECK_RETURN_CRITICAL 4039 static int ssl_tls13_session_save(const mbedtls_ssl_session *session, 4040 unsigned char *buf, 4041 size_t buf_len, 4042 size_t *olen) 4043 { 4044 ((void) session); 4045 ((void) buf); 4046 ((void) buf_len); 4047 *olen = 0; 4048 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4049 } 4050 4051 static int ssl_tls13_session_load(const mbedtls_ssl_session *session, 4052 const unsigned char *buf, 4053 size_t buf_len) 4054 { 4055 ((void) session); 4056 ((void) buf); 4057 ((void) buf_len); 4058 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4059 } 4060 #endif /* !MBEDTLS_SSL_SESSION_TICKETS */ 4061 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4062 4063 /* 4064 * Define ticket header determining Mbed TLS version 4065 * and structure of the ticket. 4066 */ 4067 4068 /* 4069 * Define bitflag determining compile-time settings influencing 4070 * structure of serialized SSL sessions. 4071 */ 4072 4073 #if defined(MBEDTLS_HAVE_TIME) 4074 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1 4075 #else 4076 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0 4077 #endif /* MBEDTLS_HAVE_TIME */ 4078 4079 #if defined(MBEDTLS_X509_CRT_PARSE_C) 4080 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1 4081 #else 4082 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0 4083 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 4084 4085 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 4086 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1 4087 #else 4088 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0 4089 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 4090 4091 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) 4092 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1 4093 #else 4094 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0 4095 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */ 4096 4097 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 4098 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1 4099 #else 4100 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0 4101 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 4102 4103 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 4104 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1 4105 #else 4106 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0 4107 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 4108 4109 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 4110 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1 4111 #else 4112 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0 4113 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 4114 4115 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4116 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 1 4117 #else 4118 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 0 4119 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 4120 4121 #if defined(MBEDTLS_SSL_EARLY_DATA) 4122 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1 4123 #else 4124 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0 4125 #endif /* MBEDTLS_SSL_EARLY_DATA */ 4126 4127 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 4128 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1 4129 #else 4130 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0 4131 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 4132 4133 #if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \ 4134 defined(MBEDTLS_SSL_EARLY_DATA) 4135 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1 4136 #else 4137 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0 4138 #endif /* MBEDTLS_SSL_ALPN */ 4139 4140 #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0 4141 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1 4142 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2 4143 #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3 4144 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4 4145 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5 4146 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6 4147 #define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7 4148 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8 4149 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9 4150 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10 4151 4152 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ 4153 ((uint16_t) ( \ 4154 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \ 4155 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \ 4156 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \ 4157 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \ 4158 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \ 4159 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ 4160 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \ 4161 (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \ 4162 SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \ 4163 (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \ 4164 (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \ 4165 SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \ 4166 (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \ 4167 SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \ 4168 (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \ 4169 SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT))) 4170 4171 static const unsigned char ssl_serialized_session_header[] = { 4172 MBEDTLS_VERSION_MAJOR, 4173 MBEDTLS_VERSION_MINOR, 4174 MBEDTLS_VERSION_PATCH, 4175 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4176 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4177 }; 4178 4179 /* 4180 * Serialize a session in the following format: 4181 * (in the presentation language of TLS, RFC 8446 section 3) 4182 * 4183 * TLS 1.2 session: 4184 * 4185 * struct { 4186 * #if defined(MBEDTLS_SSL_SESSION_TICKETS) 4187 * opaque ticket<0..2^24-1>; // length 0 means no ticket 4188 * uint32 ticket_lifetime; 4189 * #endif 4190 * } ClientOnlyData; 4191 * 4192 * struct { 4193 * #if defined(MBEDTLS_HAVE_TIME) 4194 * uint64 start_time; 4195 * #endif 4196 * uint8 session_id_len; // at most 32 4197 * opaque session_id[32]; 4198 * opaque master[48]; // fixed length in the standard 4199 * uint32 verify_result; 4200 * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 4201 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert 4202 * #else 4203 * uint8 peer_cert_digest_type; 4204 * opaque peer_cert_digest<0..2^8-1> 4205 * #endif 4206 * select (endpoint) { 4207 * case client: ClientOnlyData; 4208 * case server: uint64 ticket_creation_time; 4209 * }; 4210 * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 4211 * uint8 mfl_code; // up to 255 according to standard 4212 * #endif 4213 * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 4214 * uint8 encrypt_then_mac; // 0 or 1 4215 * #endif 4216 * } serialized_session_tls12; 4217 * 4218 * 4219 * TLS 1.3 Session: 4220 * 4221 * struct { 4222 * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4223 * opaque hostname<0..2^16-1>; 4224 * #endif 4225 * #if defined(MBEDTLS_HAVE_TIME) 4226 * uint64 ticket_reception_time; 4227 * #endif 4228 * uint32 ticket_lifetime; 4229 * opaque ticket<1..2^16-1>; 4230 * } ClientOnlyData; 4231 * 4232 * struct { 4233 * uint32 ticket_age_add; 4234 * uint8 ticket_flags; 4235 * opaque resumption_key<0..255>; 4236 * #if defined(MBEDTLS_SSL_EARLY_DATA) 4237 * uint32 max_early_data_size; 4238 * #endif 4239 * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 4240 * uint16 record_size_limit; 4241 * #endif 4242 * select ( endpoint ) { 4243 * case client: ClientOnlyData; 4244 * case server: 4245 * #if defined(MBEDTLS_HAVE_TIME) 4246 * uint64 ticket_creation_time; 4247 * #endif 4248 * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 4249 * opaque ticket_alpn<0..256>; 4250 * #endif 4251 * }; 4252 * } serialized_session_tls13; 4253 * 4254 * 4255 * SSL session: 4256 * 4257 * struct { 4258 * 4259 * opaque mbedtls_version[3]; // library version: major, minor, patch 4260 * opaque session_format[2]; // library-version specific 16-bit field 4261 * // determining the format of the remaining 4262 * // serialized data. 4263 * 4264 * Note: When updating the format, remember to keep 4265 * these version+format bytes. 4266 * 4267 * // In this version, `session_format` determines 4268 * // the setting of those compile-time 4269 * // configuration options which influence 4270 * // the structure of mbedtls_ssl_session. 4271 * 4272 * uint8_t minor_ver; // Protocol minor version. Possible values: 4273 * // - TLS 1.2 (0x0303) 4274 * // - TLS 1.3 (0x0304) 4275 * uint8_t endpoint; 4276 * uint16_t ciphersuite; 4277 * 4278 * select (serialized_session.tls_version) { 4279 * 4280 * case MBEDTLS_SSL_VERSION_TLS1_2: 4281 * serialized_session_tls12 data; 4282 * case MBEDTLS_SSL_VERSION_TLS1_3: 4283 * serialized_session_tls13 data; 4284 * 4285 * }; 4286 * 4287 * } serialized_session; 4288 * 4289 */ 4290 4291 MBEDTLS_CHECK_RETURN_CRITICAL 4292 static int ssl_session_save(const mbedtls_ssl_session *session, 4293 unsigned char omit_header, 4294 unsigned char *buf, 4295 size_t buf_len, 4296 size_t *olen) 4297 { 4298 unsigned char *p = buf; 4299 size_t used = 0; 4300 size_t remaining_len; 4301 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4302 size_t out_len; 4303 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4304 #endif 4305 if (session == NULL) { 4306 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 4307 } 4308 4309 if (!omit_header) { 4310 /* 4311 * Add Mbed TLS version identifier 4312 */ 4313 used += sizeof(ssl_serialized_session_header); 4314 4315 if (used <= buf_len) { 4316 memcpy(p, ssl_serialized_session_header, 4317 sizeof(ssl_serialized_session_header)); 4318 p += sizeof(ssl_serialized_session_header); 4319 } 4320 } 4321 4322 /* 4323 * TLS version identifier, endpoint, ciphersuite 4324 */ 4325 used += 1 /* TLS version */ 4326 + 1 /* endpoint */ 4327 + 2; /* ciphersuite */ 4328 if (used <= buf_len) { 4329 *p++ = MBEDTLS_BYTE_0(session->tls_version); 4330 *p++ = session->endpoint; 4331 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0); 4332 p += 2; 4333 } 4334 4335 /* Forward to version-specific serialization routine. */ 4336 remaining_len = (buf_len >= used) ? buf_len - used : 0; 4337 switch (session->tls_version) { 4338 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 4339 case MBEDTLS_SSL_VERSION_TLS1_2: 4340 used += ssl_tls12_session_save(session, p, remaining_len); 4341 break; 4342 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 4343 4344 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4345 case MBEDTLS_SSL_VERSION_TLS1_3: 4346 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len); 4347 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { 4348 return ret; 4349 } 4350 used += out_len; 4351 break; 4352 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4353 4354 default: 4355 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4356 } 4357 4358 *olen = used; 4359 if (used > buf_len) { 4360 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 4361 } 4362 4363 return 0; 4364 } 4365 4366 /* 4367 * Public wrapper for ssl_session_save() 4368 */ 4369 int mbedtls_ssl_session_save(const mbedtls_ssl_session *session, 4370 unsigned char *buf, 4371 size_t buf_len, 4372 size_t *olen) 4373 { 4374 return ssl_session_save(session, 0, buf, buf_len, olen); 4375 } 4376 4377 /* 4378 * Deserialize session, see mbedtls_ssl_session_save() for format. 4379 * 4380 * This internal version is wrapped by a public function that cleans up in 4381 * case of error, and has an extra option omit_header. 4382 */ 4383 MBEDTLS_CHECK_RETURN_CRITICAL 4384 static int ssl_session_load(mbedtls_ssl_session *session, 4385 unsigned char omit_header, 4386 const unsigned char *buf, 4387 size_t len) 4388 { 4389 const unsigned char *p = buf; 4390 const unsigned char * const end = buf + len; 4391 size_t remaining_len; 4392 4393 4394 if (session == NULL) { 4395 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 4396 } 4397 4398 if (!omit_header) { 4399 /* 4400 * Check Mbed TLS version identifier 4401 */ 4402 4403 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) { 4404 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4405 } 4406 4407 if (memcmp(p, ssl_serialized_session_header, 4408 sizeof(ssl_serialized_session_header)) != 0) { 4409 return MBEDTLS_ERR_SSL_VERSION_MISMATCH; 4410 } 4411 p += sizeof(ssl_serialized_session_header); 4412 } 4413 4414 /* 4415 * TLS version identifier, endpoint, ciphersuite 4416 */ 4417 if (4 > (size_t) (end - p)) { 4418 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4419 } 4420 session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++); 4421 session->endpoint = *p++; 4422 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0); 4423 p += 2; 4424 4425 /* Dispatch according to TLS version. */ 4426 remaining_len = (size_t) (end - p); 4427 switch (session->tls_version) { 4428 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 4429 case MBEDTLS_SSL_VERSION_TLS1_2: 4430 return ssl_tls12_session_load(session, p, remaining_len); 4431 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 4432 4433 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4434 case MBEDTLS_SSL_VERSION_TLS1_3: 4435 return ssl_tls13_session_load(session, p, remaining_len); 4436 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4437 4438 default: 4439 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4440 } 4441 } 4442 4443 /* 4444 * Deserialize session: public wrapper for error cleaning 4445 */ 4446 int mbedtls_ssl_session_load(mbedtls_ssl_session *session, 4447 const unsigned char *buf, 4448 size_t len) 4449 { 4450 int ret = ssl_session_load(session, 0, buf, len); 4451 4452 if (ret != 0) { 4453 mbedtls_ssl_session_free(session); 4454 } 4455 4456 return ret; 4457 } 4458 4459 /* 4460 * Perform a single step of the SSL handshake 4461 */ 4462 MBEDTLS_CHECK_RETURN_CRITICAL 4463 static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl) 4464 { 4465 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4466 4467 /* 4468 * We may have not been able to send to the peer all the handshake data 4469 * that were written into the output buffer by the previous handshake step, 4470 * if the write to the network callback returned with the 4471 * #MBEDTLS_ERR_SSL_WANT_WRITE error code. 4472 * We proceed to the next handshake step only when all data from the 4473 * previous one have been sent to the peer, thus we make sure that this is 4474 * the case here by calling `mbedtls_ssl_flush_output()`. The function may 4475 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case 4476 * we have to wait before to go ahead. 4477 * In the case of TLS 1.3, handshake step handlers do not send data to the 4478 * peer. Data are only sent here and through 4479 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an 4480 * alert occurred. 4481 */ 4482 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) { 4483 return ret; 4484 } 4485 4486 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4487 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4488 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) { 4489 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 4490 return ret; 4491 } 4492 } 4493 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4494 4495 return ret; 4496 } 4497 4498 int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl) 4499 { 4500 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4501 4502 if (ssl == NULL || 4503 ssl->conf == NULL || 4504 ssl->handshake == NULL || 4505 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) { 4506 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4507 } 4508 4509 ret = ssl_prepare_handshake_step(ssl); 4510 if (ret != 0) { 4511 return ret; 4512 } 4513 4514 ret = mbedtls_ssl_handle_pending_alert(ssl); 4515 if (ret != 0) { 4516 goto cleanup; 4517 } 4518 4519 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or 4520 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */ 4521 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4522 4523 #if defined(MBEDTLS_SSL_CLI_C) 4524 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 4525 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s", 4526 mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state))); 4527 4528 switch (ssl->state) { 4529 case MBEDTLS_SSL_HELLO_REQUEST: 4530 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 4531 ret = 0; 4532 break; 4533 4534 case MBEDTLS_SSL_CLIENT_HELLO: 4535 ret = mbedtls_ssl_write_client_hello(ssl); 4536 break; 4537 4538 default: 4539 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 4540 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 4541 ret = mbedtls_ssl_tls13_handshake_client_step(ssl); 4542 } else { 4543 ret = mbedtls_ssl_handshake_client_step(ssl); 4544 } 4545 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2) 4546 ret = mbedtls_ssl_handshake_client_step(ssl); 4547 #else 4548 ret = mbedtls_ssl_tls13_handshake_client_step(ssl); 4549 #endif 4550 } 4551 } 4552 #endif /* MBEDTLS_SSL_CLI_C */ 4553 4554 #if defined(MBEDTLS_SSL_SRV_C) 4555 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 4556 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 4557 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 4558 ret = mbedtls_ssl_tls13_handshake_server_step(ssl); 4559 } else { 4560 ret = mbedtls_ssl_handshake_server_step(ssl); 4561 } 4562 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2) 4563 ret = mbedtls_ssl_handshake_server_step(ssl); 4564 #else 4565 ret = mbedtls_ssl_tls13_handshake_server_step(ssl); 4566 #endif 4567 } 4568 #endif /* MBEDTLS_SSL_SRV_C */ 4569 4570 if (ret != 0) { 4571 /* handshake_step return error. And it is same 4572 * with alert_reason. 4573 */ 4574 if (ssl->send_alert) { 4575 ret = mbedtls_ssl_handle_pending_alert(ssl); 4576 goto cleanup; 4577 } 4578 } 4579 4580 cleanup: 4581 return ret; 4582 } 4583 4584 /* 4585 * Perform the SSL handshake 4586 */ 4587 int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl) 4588 { 4589 int ret = 0; 4590 4591 /* Sanity checks */ 4592 4593 if (ssl == NULL || ssl->conf == NULL) { 4594 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4595 } 4596 4597 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4598 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4599 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) { 4600 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use " 4601 "mbedtls_ssl_set_timer_cb() for DTLS")); 4602 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4603 } 4604 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4605 4606 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake")); 4607 4608 /* Main handshake loop */ 4609 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) { 4610 ret = mbedtls_ssl_handshake_step(ssl); 4611 4612 if (ret != 0) { 4613 break; 4614 } 4615 } 4616 4617 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake")); 4618 4619 return ret; 4620 } 4621 4622 #if defined(MBEDTLS_SSL_RENEGOTIATION) 4623 #if defined(MBEDTLS_SSL_SRV_C) 4624 /* 4625 * Write HelloRequest to request renegotiation on server 4626 */ 4627 MBEDTLS_CHECK_RETURN_CRITICAL 4628 static int ssl_write_hello_request(mbedtls_ssl_context *ssl) 4629 { 4630 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4631 4632 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request")); 4633 4634 ssl->out_msglen = 4; 4635 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 4636 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; 4637 4638 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 4639 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 4640 return ret; 4641 } 4642 4643 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request")); 4644 4645 return 0; 4646 } 4647 #endif /* MBEDTLS_SSL_SRV_C */ 4648 4649 /* 4650 * Actually renegotiate current connection, triggered by either: 4651 * - any side: calling mbedtls_ssl_renegotiate(), 4652 * - client: receiving a HelloRequest during mbedtls_ssl_read(), 4653 * - server: receiving any handshake message on server during mbedtls_ssl_read() after 4654 * the initial handshake is completed. 4655 * If the handshake doesn't complete due to waiting for I/O, it will continue 4656 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. 4657 */ 4658 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl) 4659 { 4660 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4661 4662 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate")); 4663 4664 if ((ret = ssl_handshake_init(ssl)) != 0) { 4665 return ret; 4666 } 4667 4668 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and 4669 * the ServerHello will have message_seq = 1" */ 4670 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4671 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4672 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) { 4673 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 4674 ssl->handshake->out_msg_seq = 1; 4675 } else { 4676 ssl->handshake->in_msg_seq = 1; 4677 } 4678 } 4679 #endif 4680 4681 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 4682 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; 4683 4684 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { 4685 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); 4686 return ret; 4687 } 4688 4689 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate")); 4690 4691 return 0; 4692 } 4693 4694 /* 4695 * Renegotiate current connection on client, 4696 * or request renegotiation on server 4697 */ 4698 int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl) 4699 { 4700 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4701 4702 if (ssl == NULL || ssl->conf == NULL) { 4703 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4704 } 4705 4706 #if defined(MBEDTLS_SSL_SRV_C) 4707 /* On server, just send the request */ 4708 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 4709 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 4710 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4711 } 4712 4713 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 4714 4715 /* Did we already try/start sending HelloRequest? */ 4716 if (ssl->out_left != 0) { 4717 return mbedtls_ssl_flush_output(ssl); 4718 } 4719 4720 return ssl_write_hello_request(ssl); 4721 } 4722 #endif /* MBEDTLS_SSL_SRV_C */ 4723 4724 #if defined(MBEDTLS_SSL_CLI_C) 4725 /* 4726 * On client, either start the renegotiation process or, 4727 * if already in progress, continue the handshake 4728 */ 4729 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 4730 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 4731 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4732 } 4733 4734 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) { 4735 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret); 4736 return ret; 4737 } 4738 } else { 4739 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { 4740 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); 4741 return ret; 4742 } 4743 } 4744 #endif /* MBEDTLS_SSL_CLI_C */ 4745 4746 return ret; 4747 } 4748 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 4749 4750 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl) 4751 { 4752 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 4753 4754 if (handshake == NULL) { 4755 return; 4756 } 4757 4758 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 4759 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 4760 if (ssl->handshake->group_list_heap_allocated) { 4761 mbedtls_free((void *) handshake->group_list); 4762 } 4763 handshake->group_list = NULL; 4764 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 4765 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 4766 4767 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 4768 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 4769 if (ssl->handshake->sig_algs_heap_allocated) { 4770 mbedtls_free((void *) handshake->sig_algs); 4771 } 4772 handshake->sig_algs = NULL; 4773 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 4774 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4775 if (ssl->handshake->certificate_request_context) { 4776 mbedtls_free((void *) handshake->certificate_request_context); 4777 } 4778 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4779 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 4780 4781 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 4782 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) { 4783 ssl->conf->f_async_cancel(ssl); 4784 handshake->async_in_progress = 0; 4785 } 4786 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 4787 4788 #if defined(MBEDTLS_MD_CAN_SHA256) 4789 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4790 psa_hash_abort(&handshake->fin_sha256_psa); 4791 #else 4792 mbedtls_md_free(&handshake->fin_sha256); 4793 #endif 4794 #endif 4795 #if defined(MBEDTLS_MD_CAN_SHA384) 4796 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4797 psa_hash_abort(&handshake->fin_sha384_psa); 4798 #else 4799 mbedtls_md_free(&handshake->fin_sha384); 4800 #endif 4801 #endif 4802 4803 #if defined(MBEDTLS_DHM_C) 4804 mbedtls_dhm_free(&handshake->dhm_ctx); 4805 #endif 4806 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 4807 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) 4808 mbedtls_ecdh_free(&handshake->ecdh_ctx); 4809 #endif 4810 4811 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 4812 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4813 psa_pake_abort(&handshake->psa_pake_ctx); 4814 /* 4815 * Opaque keys are not stored in the handshake's data and it's the user 4816 * responsibility to destroy them. Clear ones, instead, are created by 4817 * the TLS library and should be destroyed at the same level 4818 */ 4819 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) { 4820 psa_destroy_key(handshake->psa_pake_password); 4821 } 4822 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; 4823 #else 4824 mbedtls_ecjpake_free(&handshake->ecjpake_ctx); 4825 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 4826 #if defined(MBEDTLS_SSL_CLI_C) 4827 mbedtls_free(handshake->ecjpake_cache); 4828 handshake->ecjpake_cache = NULL; 4829 handshake->ecjpake_cache_len = 0; 4830 #endif 4831 #endif 4832 4833 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \ 4834 defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \ 4835 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 4836 /* explicit void pointer cast for buggy MS compiler */ 4837 mbedtls_free((void *) handshake->curves_tls_id); 4838 #endif 4839 4840 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 4841 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4842 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 4843 /* The maintenance of the external PSK key slot is the 4844 * user's responsibility. */ 4845 if (ssl->handshake->psk_opaque_is_internal) { 4846 psa_destroy_key(ssl->handshake->psk_opaque); 4847 ssl->handshake->psk_opaque_is_internal = 0; 4848 } 4849 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 4850 } 4851 #else 4852 if (handshake->psk != NULL) { 4853 mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len); 4854 } 4855 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 4856 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 4857 4858 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 4859 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4860 /* 4861 * Free only the linked list wrapper, not the keys themselves 4862 * since the belong to the SNI callback 4863 */ 4864 ssl_key_cert_free(handshake->sni_key_cert); 4865 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ 4866 4867 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 4868 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx); 4869 if (handshake->ecrs_peer_cert != NULL) { 4870 mbedtls_x509_crt_free(handshake->ecrs_peer_cert); 4871 mbedtls_free(handshake->ecrs_peer_cert); 4872 } 4873 #endif 4874 4875 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 4876 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 4877 mbedtls_pk_free(&handshake->peer_pubkey); 4878 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4879 4880 #if defined(MBEDTLS_SSL_CLI_C) && \ 4881 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) 4882 mbedtls_free(handshake->cookie); 4883 #endif /* MBEDTLS_SSL_CLI_C && 4884 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */ 4885 4886 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4887 mbedtls_ssl_flight_free(handshake->flight); 4888 mbedtls_ssl_buffering_free(ssl); 4889 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4890 4891 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED) 4892 if (handshake->xxdh_psa_privkey_is_external == 0) { 4893 psa_destroy_key(handshake->xxdh_psa_privkey); 4894 } 4895 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */ 4896 4897 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4898 mbedtls_ssl_transform_free(handshake->transform_handshake); 4899 mbedtls_free(handshake->transform_handshake); 4900 #if defined(MBEDTLS_SSL_EARLY_DATA) 4901 mbedtls_ssl_transform_free(handshake->transform_earlydata); 4902 mbedtls_free(handshake->transform_earlydata); 4903 #endif 4904 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4905 4906 4907 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 4908 /* If the buffers are too big - reallocate. Because of the way Mbed TLS 4909 * processes datagrams and the fact that a datagram is allowed to have 4910 * several records in it, it is possible that the I/O buffers are not 4911 * empty at this stage */ 4912 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl), 4913 mbedtls_ssl_get_output_buflen(ssl)); 4914 #endif 4915 4916 /* mbedtls_platform_zeroize MUST be last one in this function */ 4917 mbedtls_platform_zeroize(handshake, 4918 sizeof(mbedtls_ssl_handshake_params)); 4919 } 4920 4921 void mbedtls_ssl_session_free(mbedtls_ssl_session *session) 4922 { 4923 if (session == NULL) { 4924 return; 4925 } 4926 4927 #if defined(MBEDTLS_X509_CRT_PARSE_C) 4928 ssl_clear_peer_cert(session); 4929 #endif 4930 4931 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 4932 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 4933 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4934 mbedtls_free(session->hostname); 4935 #endif 4936 mbedtls_free(session->ticket); 4937 #endif 4938 4939 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \ 4940 defined(MBEDTLS_SSL_SRV_C) 4941 mbedtls_free(session->ticket_alpn); 4942 #endif 4943 4944 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session)); 4945 } 4946 4947 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 4948 4949 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 4950 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u 4951 #else 4952 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u 4953 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 4954 4955 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u 4956 4957 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 4958 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u 4959 #else 4960 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u 4961 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 4962 4963 #if defined(MBEDTLS_SSL_ALPN) 4964 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u 4965 #else 4966 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u 4967 #endif /* MBEDTLS_SSL_ALPN */ 4968 4969 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0 4970 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1 4971 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2 4972 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3 4973 4974 #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \ 4975 ((uint32_t) ( \ 4976 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \ 4977 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \ 4978 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \ 4979 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \ 4980 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \ 4981 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \ 4982 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \ 4983 0u)) 4984 4985 static const unsigned char ssl_serialized_context_header[] = { 4986 MBEDTLS_VERSION_MAJOR, 4987 MBEDTLS_VERSION_MINOR, 4988 MBEDTLS_VERSION_PATCH, 4989 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4990 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4991 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 4992 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 4993 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 4994 }; 4995 4996 /* 4997 * Serialize a full SSL context 4998 * 4999 * The format of the serialized data is: 5000 * (in the presentation language of TLS, RFC 8446 section 3) 5001 * 5002 * // header 5003 * opaque mbedtls_version[3]; // major, minor, patch 5004 * opaque context_format[5]; // version-specific field determining 5005 * // the format of the remaining 5006 * // serialized data. 5007 * Note: When updating the format, remember to keep these 5008 * version+format bytes. (We may make their size part of the API.) 5009 * 5010 * // session sub-structure 5011 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save() 5012 * // transform sub-structure 5013 * uint8 random[64]; // ServerHello.random+ClientHello.random 5014 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value 5015 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use 5016 * // fields from ssl_context 5017 * uint32 badmac_seen; // DTLS: number of records with failing MAC 5018 * uint64 in_window_top; // DTLS: last validated record seq_num 5019 * uint64 in_window; // DTLS: bitmask for replay protection 5020 * uint8 disable_datagram_packing; // DTLS: only one record per datagram 5021 * uint64 cur_out_ctr; // Record layer: outgoing sequence number 5022 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size) 5023 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol 5024 * 5025 * Note that many fields of the ssl_context or sub-structures are not 5026 * serialized, as they fall in one of the following categories: 5027 * 5028 * 1. forced value (eg in_left must be 0) 5029 * 2. pointer to dynamically-allocated memory (eg session, transform) 5030 * 3. value can be re-derived from other data (eg session keys from MS) 5031 * 4. value was temporary (eg content of input buffer) 5032 * 5. value will be provided by the user again (eg I/O callbacks and context) 5033 */ 5034 int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl, 5035 unsigned char *buf, 5036 size_t buf_len, 5037 size_t *olen) 5038 { 5039 unsigned char *p = buf; 5040 size_t used = 0; 5041 size_t session_len; 5042 int ret = 0; 5043 5044 /* 5045 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in 5046 * this function's documentation. 5047 * 5048 * These are due to assumptions/limitations in the implementation. Some of 5049 * them are likely to stay (no handshake in progress) some might go away 5050 * (only DTLS) but are currently used to simplify the implementation. 5051 */ 5052 /* The initial handshake must be over */ 5053 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 5054 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over")); 5055 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5056 } 5057 if (ssl->handshake != NULL) { 5058 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed")); 5059 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5060 } 5061 /* Double-check that sub-structures are indeed ready */ 5062 if (ssl->transform == NULL || ssl->session == NULL) { 5063 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready")); 5064 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5065 } 5066 /* There must be no pending incoming or outgoing data */ 5067 if (mbedtls_ssl_check_pending(ssl) != 0) { 5068 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data")); 5069 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5070 } 5071 if (ssl->out_left != 0) { 5072 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data")); 5073 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5074 } 5075 /* Protocol must be DTLS, not TLS */ 5076 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 5077 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported")); 5078 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5079 } 5080 /* Version must be 1.2 */ 5081 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { 5082 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported")); 5083 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5084 } 5085 /* We must be using an AEAD ciphersuite */ 5086 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) { 5087 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported")); 5088 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5089 } 5090 /* Renegotiation must not be enabled */ 5091 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5092 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) { 5093 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled")); 5094 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5095 } 5096 #endif 5097 5098 /* 5099 * Version and format identifier 5100 */ 5101 used += sizeof(ssl_serialized_context_header); 5102 5103 if (used <= buf_len) { 5104 memcpy(p, ssl_serialized_context_header, 5105 sizeof(ssl_serialized_context_header)); 5106 p += sizeof(ssl_serialized_context_header); 5107 } 5108 5109 /* 5110 * Session (length + data) 5111 */ 5112 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len); 5113 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { 5114 return ret; 5115 } 5116 5117 used += 4 + session_len; 5118 if (used <= buf_len) { 5119 MBEDTLS_PUT_UINT32_BE(session_len, p, 0); 5120 p += 4; 5121 5122 ret = ssl_session_save(ssl->session, 1, 5123 p, session_len, &session_len); 5124 if (ret != 0) { 5125 return ret; 5126 } 5127 5128 p += session_len; 5129 } 5130 5131 /* 5132 * Transform 5133 */ 5134 used += sizeof(ssl->transform->randbytes); 5135 if (used <= buf_len) { 5136 memcpy(p, ssl->transform->randbytes, 5137 sizeof(ssl->transform->randbytes)); 5138 p += sizeof(ssl->transform->randbytes); 5139 } 5140 5141 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5142 used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len; 5143 if (used <= buf_len) { 5144 *p++ = ssl->transform->in_cid_len; 5145 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len); 5146 p += ssl->transform->in_cid_len; 5147 5148 *p++ = ssl->transform->out_cid_len; 5149 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len); 5150 p += ssl->transform->out_cid_len; 5151 } 5152 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5153 5154 /* 5155 * Saved fields from top-level ssl_context structure 5156 */ 5157 used += 4; 5158 if (used <= buf_len) { 5159 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0); 5160 p += 4; 5161 } 5162 5163 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5164 used += 16; 5165 if (used <= buf_len) { 5166 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0); 5167 p += 8; 5168 5169 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0); 5170 p += 8; 5171 } 5172 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 5173 5174 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5175 used += 1; 5176 if (used <= buf_len) { 5177 *p++ = ssl->disable_datagram_packing; 5178 } 5179 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5180 5181 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; 5182 if (used <= buf_len) { 5183 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN); 5184 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; 5185 } 5186 5187 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5188 used += 2; 5189 if (used <= buf_len) { 5190 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0); 5191 p += 2; 5192 } 5193 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5194 5195 #if defined(MBEDTLS_SSL_ALPN) 5196 { 5197 const uint8_t alpn_len = ssl->alpn_chosen 5198 ? (uint8_t) strlen(ssl->alpn_chosen) 5199 : 0; 5200 5201 used += 1 + alpn_len; 5202 if (used <= buf_len) { 5203 *p++ = alpn_len; 5204 5205 if (ssl->alpn_chosen != NULL) { 5206 memcpy(p, ssl->alpn_chosen, alpn_len); 5207 p += alpn_len; 5208 } 5209 } 5210 } 5211 #endif /* MBEDTLS_SSL_ALPN */ 5212 5213 /* 5214 * Done 5215 */ 5216 *olen = used; 5217 5218 if (used > buf_len) { 5219 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 5220 } 5221 5222 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used); 5223 5224 return mbedtls_ssl_session_reset_int(ssl, 0); 5225 } 5226 5227 /* 5228 * Deserialize context, see mbedtls_ssl_context_save() for format. 5229 * 5230 * This internal version is wrapped by a public function that cleans up in 5231 * case of error. 5232 */ 5233 MBEDTLS_CHECK_RETURN_CRITICAL 5234 static int ssl_context_load(mbedtls_ssl_context *ssl, 5235 const unsigned char *buf, 5236 size_t len) 5237 { 5238 const unsigned char *p = buf; 5239 const unsigned char * const end = buf + len; 5240 size_t session_len; 5241 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5242 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5243 tls_prf_fn prf_func = NULL; 5244 #endif 5245 5246 /* 5247 * The context should have been freshly setup or reset. 5248 * Give the user an error in case of obvious misuse. 5249 * (Checking session is useful because it won't be NULL if we're 5250 * renegotiating, or if the user mistakenly loaded a session first.) 5251 */ 5252 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST || 5253 ssl->session != NULL) { 5254 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5255 } 5256 5257 /* 5258 * We can't check that the config matches the initial one, but we can at 5259 * least check it matches the requirements for serializing. 5260 */ 5261 if ( 5262 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5263 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED || 5264 #endif 5265 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 5266 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 || 5267 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 5268 ) { 5269 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5270 } 5271 5272 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len); 5273 5274 /* 5275 * Check version identifier 5276 */ 5277 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) { 5278 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5279 } 5280 5281 if (memcmp(p, ssl_serialized_context_header, 5282 sizeof(ssl_serialized_context_header)) != 0) { 5283 return MBEDTLS_ERR_SSL_VERSION_MISMATCH; 5284 } 5285 p += sizeof(ssl_serialized_context_header); 5286 5287 /* 5288 * Session 5289 */ 5290 if ((size_t) (end - p) < 4) { 5291 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5292 } 5293 5294 session_len = MBEDTLS_GET_UINT32_BE(p, 0); 5295 p += 4; 5296 5297 /* This has been allocated by ssl_handshake_init(), called by 5298 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ 5299 ssl->session = ssl->session_negotiate; 5300 ssl->session_in = ssl->session; 5301 ssl->session_out = ssl->session; 5302 ssl->session_negotiate = NULL; 5303 5304 if ((size_t) (end - p) < session_len) { 5305 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5306 } 5307 5308 ret = ssl_session_load(ssl->session, 1, p, session_len); 5309 if (ret != 0) { 5310 mbedtls_ssl_session_free(ssl->session); 5311 return ret; 5312 } 5313 5314 p += session_len; 5315 5316 /* 5317 * Transform 5318 */ 5319 5320 /* This has been allocated by ssl_handshake_init(), called by 5321 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ 5322 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5323 ssl->transform = ssl->transform_negotiate; 5324 ssl->transform_in = ssl->transform; 5325 ssl->transform_out = ssl->transform; 5326 ssl->transform_negotiate = NULL; 5327 #endif 5328 5329 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5330 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite); 5331 if (prf_func == NULL) { 5332 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5333 } 5334 5335 /* Read random bytes and populate structure */ 5336 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) { 5337 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5338 } 5339 5340 ret = ssl_tls12_populate_transform(ssl->transform, 5341 ssl->session->ciphersuite, 5342 ssl->session->master, 5343 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 5344 ssl->session->encrypt_then_mac, 5345 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 5346 prf_func, 5347 p, /* currently pointing to randbytes */ 5348 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */ 5349 ssl->conf->endpoint, 5350 ssl); 5351 if (ret != 0) { 5352 return ret; 5353 } 5354 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5355 p += sizeof(ssl->transform->randbytes); 5356 5357 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5358 /* Read connection IDs and store them */ 5359 if ((size_t) (end - p) < 1) { 5360 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5361 } 5362 5363 ssl->transform->in_cid_len = *p++; 5364 5365 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) { 5366 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5367 } 5368 5369 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len); 5370 p += ssl->transform->in_cid_len; 5371 5372 ssl->transform->out_cid_len = *p++; 5373 5374 if ((size_t) (end - p) < ssl->transform->out_cid_len) { 5375 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5376 } 5377 5378 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len); 5379 p += ssl->transform->out_cid_len; 5380 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5381 5382 /* 5383 * Saved fields from top-level ssl_context structure 5384 */ 5385 if ((size_t) (end - p) < 4) { 5386 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5387 } 5388 5389 ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0); 5390 p += 4; 5391 5392 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5393 if ((size_t) (end - p) < 16) { 5394 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5395 } 5396 5397 ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0); 5398 p += 8; 5399 5400 ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0); 5401 p += 8; 5402 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 5403 5404 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5405 if ((size_t) (end - p) < 1) { 5406 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5407 } 5408 5409 ssl->disable_datagram_packing = *p++; 5410 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5411 5412 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) { 5413 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5414 } 5415 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr)); 5416 p += sizeof(ssl->cur_out_ctr); 5417 5418 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5419 if ((size_t) (end - p) < 2) { 5420 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5421 } 5422 5423 ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0); 5424 p += 2; 5425 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5426 5427 #if defined(MBEDTLS_SSL_ALPN) 5428 { 5429 uint8_t alpn_len; 5430 const char **cur; 5431 5432 if ((size_t) (end - p) < 1) { 5433 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5434 } 5435 5436 alpn_len = *p++; 5437 5438 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) { 5439 /* alpn_chosen should point to an item in the configured list */ 5440 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) { 5441 if (strlen(*cur) == alpn_len && 5442 memcmp(p, *cur, alpn_len) == 0) { 5443 ssl->alpn_chosen = *cur; 5444 break; 5445 } 5446 } 5447 } 5448 5449 /* can only happen on conf mismatch */ 5450 if (alpn_len != 0 && ssl->alpn_chosen == NULL) { 5451 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5452 } 5453 5454 p += alpn_len; 5455 } 5456 #endif /* MBEDTLS_SSL_ALPN */ 5457 5458 /* 5459 * Forced fields from top-level ssl_context structure 5460 * 5461 * Most of them already set to the correct value by mbedtls_ssl_init() and 5462 * mbedtls_ssl_reset(), so we only need to set the remaining ones. 5463 */ 5464 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; 5465 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5466 5467 /* Adjust pointers for header fields of outgoing records to 5468 * the given transform, accounting for explicit IV and CID. */ 5469 mbedtls_ssl_update_out_pointers(ssl, ssl->transform); 5470 5471 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5472 ssl->in_epoch = 1; 5473 #endif 5474 5475 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated, 5476 * which we don't want - otherwise we'd end up freeing the wrong transform 5477 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform() 5478 * inappropriately. */ 5479 if (ssl->handshake != NULL) { 5480 mbedtls_ssl_handshake_free(ssl); 5481 mbedtls_free(ssl->handshake); 5482 ssl->handshake = NULL; 5483 } 5484 5485 /* 5486 * Done - should have consumed entire buffer 5487 */ 5488 if (p != end) { 5489 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5490 } 5491 5492 return 0; 5493 } 5494 5495 /* 5496 * Deserialize context: public wrapper for error cleaning 5497 */ 5498 int mbedtls_ssl_context_load(mbedtls_ssl_context *context, 5499 const unsigned char *buf, 5500 size_t len) 5501 { 5502 int ret = ssl_context_load(context, buf, len); 5503 5504 if (ret != 0) { 5505 mbedtls_ssl_free(context); 5506 } 5507 5508 return ret; 5509 } 5510 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 5511 5512 /* 5513 * Free an SSL context 5514 */ 5515 void mbedtls_ssl_free(mbedtls_ssl_context *ssl) 5516 { 5517 if (ssl == NULL) { 5518 return; 5519 } 5520 5521 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free")); 5522 5523 if (ssl->out_buf != NULL) { 5524 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 5525 size_t out_buf_len = ssl->out_buf_len; 5526 #else 5527 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 5528 #endif 5529 5530 mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len); 5531 ssl->out_buf = NULL; 5532 } 5533 5534 if (ssl->in_buf != NULL) { 5535 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 5536 size_t in_buf_len = ssl->in_buf_len; 5537 #else 5538 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 5539 #endif 5540 5541 mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len); 5542 ssl->in_buf = NULL; 5543 } 5544 5545 if (ssl->transform) { 5546 mbedtls_ssl_transform_free(ssl->transform); 5547 mbedtls_free(ssl->transform); 5548 } 5549 5550 if (ssl->handshake) { 5551 mbedtls_ssl_handshake_free(ssl); 5552 mbedtls_free(ssl->handshake); 5553 5554 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5555 mbedtls_ssl_transform_free(ssl->transform_negotiate); 5556 mbedtls_free(ssl->transform_negotiate); 5557 #endif 5558 5559 mbedtls_ssl_session_free(ssl->session_negotiate); 5560 mbedtls_free(ssl->session_negotiate); 5561 } 5562 5563 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 5564 mbedtls_ssl_transform_free(ssl->transform_application); 5565 mbedtls_free(ssl->transform_application); 5566 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 5567 5568 if (ssl->session) { 5569 mbedtls_ssl_session_free(ssl->session); 5570 mbedtls_free(ssl->session); 5571 } 5572 5573 #if defined(MBEDTLS_X509_CRT_PARSE_C) 5574 if (ssl->hostname != NULL) { 5575 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname)); 5576 } 5577 #endif 5578 5579 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 5580 mbedtls_free(ssl->cli_id); 5581 #endif 5582 5583 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free")); 5584 5585 /* Actually clear after last debug message */ 5586 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context)); 5587 } 5588 5589 /* 5590 * Initialize mbedtls_ssl_config 5591 */ 5592 void mbedtls_ssl_config_init(mbedtls_ssl_config *conf) 5593 { 5594 memset(conf, 0, sizeof(mbedtls_ssl_config)); 5595 } 5596 5597 /* The selection should be the same as mbedtls_x509_crt_profile_default in 5598 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters: 5599 * curves with a lower resource usage come first. 5600 * See the documentation of mbedtls_ssl_conf_curves() for what we promise 5601 * about this list. 5602 */ 5603 static const uint16_t ssl_preset_default_groups[] = { 5604 #if defined(MBEDTLS_ECP_HAVE_CURVE25519) 5605 MBEDTLS_SSL_IANA_TLS_GROUP_X25519, 5606 #endif 5607 #if defined(MBEDTLS_ECP_HAVE_SECP256R1) 5608 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 5609 #endif 5610 #if defined(MBEDTLS_ECP_HAVE_SECP384R1) 5611 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 5612 #endif 5613 #if defined(MBEDTLS_ECP_HAVE_CURVE448) 5614 MBEDTLS_SSL_IANA_TLS_GROUP_X448, 5615 #endif 5616 #if defined(MBEDTLS_ECP_HAVE_SECP521R1) 5617 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, 5618 #endif 5619 #if defined(MBEDTLS_ECP_HAVE_BP256R1) 5620 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, 5621 #endif 5622 #if defined(MBEDTLS_ECP_HAVE_BP384R1) 5623 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, 5624 #endif 5625 #if defined(MBEDTLS_ECP_HAVE_BP512R1) 5626 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, 5627 #endif 5628 #if defined(PSA_WANT_ALG_FFDH) 5629 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, 5630 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, 5631 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, 5632 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, 5633 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, 5634 #endif 5635 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 5636 }; 5637 5638 static const int ssl_preset_suiteb_ciphersuites[] = { 5639 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 5640 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 5641 0 5642 }; 5643 5644 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5645 5646 /* NOTICE: 5647 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following 5648 * rules SHOULD be upheld. 5649 * - No duplicate entries. 5650 * - But if there is a good reason, do not change the order of the algorithms. 5651 * - ssl_tls12_preset* is for TLS 1.2 use only. 5652 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes. 5653 */ 5654 static const uint16_t ssl_preset_default_sig_algs[] = { 5655 5656 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5657 defined(MBEDTLS_MD_CAN_SHA256) && \ 5658 defined(PSA_WANT_ECC_SECP_R1_256) 5659 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, 5660 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256) 5661 #endif 5662 5663 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5664 defined(MBEDTLS_MD_CAN_SHA384) && \ 5665 defined(PSA_WANT_ECC_SECP_R1_384) 5666 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, 5667 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384) 5668 #endif 5669 5670 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5671 defined(MBEDTLS_MD_CAN_SHA512) && \ 5672 defined(PSA_WANT_ECC_SECP_R1_521) 5673 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512, 5674 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512) 5675 #endif 5676 5677 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512) 5678 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, 5679 #endif 5680 5681 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384) 5682 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, 5683 #endif 5684 5685 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256) 5686 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, 5687 #endif 5688 5689 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512) 5690 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512, 5691 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */ 5692 5693 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384) 5694 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384, 5695 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */ 5696 5697 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) 5698 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, 5699 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */ 5700 5701 MBEDTLS_TLS_SIG_NONE 5702 }; 5703 5704 /* NOTICE: see above */ 5705 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5706 static uint16_t ssl_tls12_preset_default_sig_algs[] = { 5707 5708 #if defined(MBEDTLS_MD_CAN_SHA512) 5709 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5710 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512), 5711 #endif 5712 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5713 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, 5714 #endif 5715 #if defined(MBEDTLS_RSA_C) 5716 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512), 5717 #endif 5718 #endif /* MBEDTLS_MD_CAN_SHA512 */ 5719 5720 #if defined(MBEDTLS_MD_CAN_SHA384) 5721 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5722 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), 5723 #endif 5724 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5725 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, 5726 #endif 5727 #if defined(MBEDTLS_RSA_C) 5728 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384), 5729 #endif 5730 #endif /* MBEDTLS_MD_CAN_SHA384 */ 5731 5732 #if defined(MBEDTLS_MD_CAN_SHA256) 5733 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5734 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), 5735 #endif 5736 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5737 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, 5738 #endif 5739 #if defined(MBEDTLS_RSA_C) 5740 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256), 5741 #endif 5742 #endif /* MBEDTLS_MD_CAN_SHA256 */ 5743 5744 MBEDTLS_TLS_SIG_NONE 5745 }; 5746 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5747 5748 /* NOTICE: see above */ 5749 static const uint16_t ssl_preset_suiteb_sig_algs[] = { 5750 5751 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5752 defined(MBEDTLS_MD_CAN_SHA256) && \ 5753 defined(MBEDTLS_ECP_HAVE_SECP256R1) 5754 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, 5755 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256) 5756 #endif 5757 5758 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5759 defined(MBEDTLS_MD_CAN_SHA384) && \ 5760 defined(MBEDTLS_ECP_HAVE_SECP384R1) 5761 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, 5762 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384) 5763 #endif 5764 5765 MBEDTLS_TLS_SIG_NONE 5766 }; 5767 5768 /* NOTICE: see above */ 5769 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5770 static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { 5771 5772 #if defined(MBEDTLS_MD_CAN_SHA256) 5773 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5774 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), 5775 #endif 5776 #endif /* MBEDTLS_MD_CAN_SHA256 */ 5777 5778 #if defined(MBEDTLS_MD_CAN_SHA384) 5779 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5780 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), 5781 #endif 5782 #endif /* MBEDTLS_MD_CAN_SHA384 */ 5783 5784 MBEDTLS_TLS_SIG_NONE 5785 }; 5786 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5787 5788 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5789 5790 static const uint16_t ssl_preset_suiteb_groups[] = { 5791 #if defined(MBEDTLS_ECP_HAVE_SECP256R1) 5792 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 5793 #endif 5794 #if defined(MBEDTLS_ECP_HAVE_SECP384R1) 5795 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 5796 #endif 5797 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 5798 }; 5799 5800 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5801 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs` 5802 * to make sure there are no duplicated signature algorithm entries. */ 5803 MBEDTLS_CHECK_RETURN_CRITICAL 5804 static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs) 5805 { 5806 size_t i, j; 5807 int ret = 0; 5808 5809 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { 5810 for (j = 0; j < i; j++) { 5811 if (sig_algs[i] != sig_algs[j]) { 5812 continue; 5813 } 5814 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET 5815 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n", 5816 sig_algs[i], j, i); 5817 ret = -1; 5818 } 5819 } 5820 return ret; 5821 } 5822 5823 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5824 5825 /* 5826 * Load default in mbedtls_ssl_config 5827 */ 5828 int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, 5829 int endpoint, int transport, int preset) 5830 { 5831 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 5832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5833 #endif 5834 5835 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5836 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) { 5837 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n"); 5838 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5839 } 5840 5841 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) { 5842 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n"); 5843 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5844 } 5845 5846 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5847 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) { 5848 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n"); 5849 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5850 } 5851 5852 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) { 5853 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n"); 5854 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5855 } 5856 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5857 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5858 5859 /* Use the functions here so that they are covered in tests, 5860 * but otherwise access member directly for efficiency */ 5861 mbedtls_ssl_conf_endpoint(conf, endpoint); 5862 mbedtls_ssl_conf_transport(conf, transport); 5863 5864 /* 5865 * Things that are common to all presets 5866 */ 5867 #if defined(MBEDTLS_SSL_CLI_C) 5868 if (endpoint == MBEDTLS_SSL_IS_CLIENT) { 5869 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; 5870 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 5871 mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED); 5872 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 5873 /* Contrary to TLS 1.2 tickets, TLS 1.3 NewSessionTicket message 5874 * handling is disabled by default in Mbed TLS 3.6.x for backward 5875 * compatibility with client applications developed using Mbed TLS 3.5 5876 * or earlier with the default configuration. 5877 * 5878 * Up to Mbed TLS 3.5, in the default configuration TLS 1.3 was 5879 * disabled, and a Mbed TLS client with the default configuration would 5880 * establish a TLS 1.2 connection with a TLS 1.2 and TLS 1.3 capable 5881 * server. 5882 * 5883 * Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled by default, and thus 5884 * an Mbed TLS client with the default configuration establishes a 5885 * TLS 1.3 connection with a TLS 1.2 and TLS 1.3 capable server. If 5886 * following the handshake the TLS 1.3 server sends NewSessionTicket 5887 * messages and the Mbed TLS client processes them, this results in 5888 * Mbed TLS high level APIs (mbedtls_ssl_read(), 5889 * mbedtls_ssl_handshake(), ...) to eventually return an 5890 * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET non fatal error code 5891 * (see the documentation of mbedtls_ssl_read() for more information on 5892 * that error code). Applications unaware of that TLS 1.3 specific non 5893 * fatal error code are then failing. 5894 */ 5895 mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( 5896 conf, MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED); 5897 #endif 5898 #endif 5899 } 5900 #endif 5901 5902 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 5903 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 5904 #endif 5905 5906 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 5907 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 5908 #endif 5909 5910 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 5911 conf->f_cookie_write = ssl_cookie_write_dummy; 5912 conf->f_cookie_check = ssl_cookie_check_dummy; 5913 #endif 5914 5915 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5916 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; 5917 #endif 5918 5919 #if defined(MBEDTLS_SSL_SRV_C) 5920 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED; 5921 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER; 5922 #endif 5923 5924 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5925 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; 5926 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; 5927 #endif 5928 5929 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5930 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; 5931 memset(conf->renego_period, 0x00, 2); 5932 memset(conf->renego_period + 2, 0xFF, 6); 5933 #endif 5934 5935 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 5936 if (endpoint == MBEDTLS_SSL_IS_SERVER) { 5937 const unsigned char dhm_p[] = 5938 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; 5939 const unsigned char dhm_g[] = 5940 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; 5941 5942 if ((ret = mbedtls_ssl_conf_dh_param_bin(conf, 5943 dhm_p, sizeof(dhm_p), 5944 dhm_g, sizeof(dhm_g))) != 0) { 5945 return ret; 5946 } 5947 } 5948 #endif 5949 5950 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 5951 5952 #if defined(MBEDTLS_SSL_EARLY_DATA) 5953 mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED); 5954 #if defined(MBEDTLS_SSL_SRV_C) 5955 mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE); 5956 #endif 5957 #endif /* MBEDTLS_SSL_EARLY_DATA */ 5958 5959 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) 5960 mbedtls_ssl_conf_new_session_tickets( 5961 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS); 5962 #endif 5963 /* 5964 * Allow all TLS 1.3 key exchange modes by default. 5965 */ 5966 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; 5967 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 5968 5969 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 5970 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5971 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5972 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5973 #else 5974 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 5975 #endif 5976 } else { 5977 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 5978 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5979 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 5980 #elif defined(MBEDTLS_SSL_PROTO_TLS1_3) 5981 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 5982 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 5983 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2) 5984 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5985 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5986 #else 5987 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 5988 #endif 5989 } 5990 5991 /* 5992 * Preset-specific defaults 5993 */ 5994 switch (preset) { 5995 /* 5996 * NSA Suite B 5997 */ 5998 case MBEDTLS_SSL_PRESET_SUITEB: 5999 6000 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites; 6001 6002 #if defined(MBEDTLS_X509_CRT_PARSE_C) 6003 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; 6004 #endif 6005 6006 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 6007 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6008 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 6009 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs; 6010 } else 6011 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 6012 conf->sig_algs = ssl_preset_suiteb_sig_algs; 6013 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 6014 6015 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 6016 conf->curve_list = NULL; 6017 #endif 6018 conf->group_list = ssl_preset_suiteb_groups; 6019 break; 6020 6021 /* 6022 * Default 6023 */ 6024 default: 6025 6026 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites(); 6027 6028 #if defined(MBEDTLS_X509_CRT_PARSE_C) 6029 conf->cert_profile = &mbedtls_x509_crt_profile_default; 6030 #endif 6031 6032 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 6033 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6034 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 6035 conf->sig_algs = ssl_tls12_preset_default_sig_algs; 6036 } else 6037 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 6038 conf->sig_algs = ssl_preset_default_sig_algs; 6039 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 6040 6041 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 6042 conf->curve_list = NULL; 6043 #endif 6044 conf->group_list = ssl_preset_default_groups; 6045 6046 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 6047 conf->dhm_min_bitlen = 1024; 6048 #endif 6049 } 6050 6051 return 0; 6052 } 6053 6054 /* 6055 * Free mbedtls_ssl_config 6056 */ 6057 void mbedtls_ssl_config_free(mbedtls_ssl_config *conf) 6058 { 6059 if (conf == NULL) { 6060 return; 6061 } 6062 6063 #if defined(MBEDTLS_DHM_C) 6064 mbedtls_mpi_free(&conf->dhm_P); 6065 mbedtls_mpi_free(&conf->dhm_G); 6066 #endif 6067 6068 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 6069 #if defined(MBEDTLS_USE_PSA_CRYPTO) 6070 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 6071 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 6072 } 6073 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 6074 if (conf->psk != NULL) { 6075 mbedtls_zeroize_and_free(conf->psk, conf->psk_len); 6076 conf->psk = NULL; 6077 conf->psk_len = 0; 6078 } 6079 6080 if (conf->psk_identity != NULL) { 6081 mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len); 6082 conf->psk_identity = NULL; 6083 conf->psk_identity_len = 0; 6084 } 6085 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 6086 6087 #if defined(MBEDTLS_X509_CRT_PARSE_C) 6088 ssl_key_cert_free(conf->key_cert); 6089 #endif 6090 6091 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config)); 6092 } 6093 6094 #if defined(MBEDTLS_PK_C) && \ 6095 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)) 6096 /* 6097 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX 6098 */ 6099 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk) 6100 { 6101 #if defined(MBEDTLS_RSA_C) 6102 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) { 6103 return MBEDTLS_SSL_SIG_RSA; 6104 } 6105 #endif 6106 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) 6107 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) { 6108 return MBEDTLS_SSL_SIG_ECDSA; 6109 } 6110 #endif 6111 return MBEDTLS_SSL_SIG_ANON; 6112 } 6113 6114 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type) 6115 { 6116 switch (type) { 6117 case MBEDTLS_PK_RSA: 6118 return MBEDTLS_SSL_SIG_RSA; 6119 case MBEDTLS_PK_ECDSA: 6120 case MBEDTLS_PK_ECKEY: 6121 return MBEDTLS_SSL_SIG_ECDSA; 6122 default: 6123 return MBEDTLS_SSL_SIG_ANON; 6124 } 6125 } 6126 6127 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) 6128 { 6129 switch (sig) { 6130 #if defined(MBEDTLS_RSA_C) 6131 case MBEDTLS_SSL_SIG_RSA: 6132 return MBEDTLS_PK_RSA; 6133 #endif 6134 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) 6135 case MBEDTLS_SSL_SIG_ECDSA: 6136 return MBEDTLS_PK_ECDSA; 6137 #endif 6138 default: 6139 return MBEDTLS_PK_NONE; 6140 } 6141 } 6142 #endif /* MBEDTLS_PK_C && 6143 ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */ 6144 6145 /* 6146 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX 6147 */ 6148 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash) 6149 { 6150 switch (hash) { 6151 #if defined(MBEDTLS_MD_CAN_MD5) 6152 case MBEDTLS_SSL_HASH_MD5: 6153 return MBEDTLS_MD_MD5; 6154 #endif 6155 #if defined(MBEDTLS_MD_CAN_SHA1) 6156 case MBEDTLS_SSL_HASH_SHA1: 6157 return MBEDTLS_MD_SHA1; 6158 #endif 6159 #if defined(MBEDTLS_MD_CAN_SHA224) 6160 case MBEDTLS_SSL_HASH_SHA224: 6161 return MBEDTLS_MD_SHA224; 6162 #endif 6163 #if defined(MBEDTLS_MD_CAN_SHA256) 6164 case MBEDTLS_SSL_HASH_SHA256: 6165 return MBEDTLS_MD_SHA256; 6166 #endif 6167 #if defined(MBEDTLS_MD_CAN_SHA384) 6168 case MBEDTLS_SSL_HASH_SHA384: 6169 return MBEDTLS_MD_SHA384; 6170 #endif 6171 #if defined(MBEDTLS_MD_CAN_SHA512) 6172 case MBEDTLS_SSL_HASH_SHA512: 6173 return MBEDTLS_MD_SHA512; 6174 #endif 6175 default: 6176 return MBEDTLS_MD_NONE; 6177 } 6178 } 6179 6180 /* 6181 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX 6182 */ 6183 unsigned char mbedtls_ssl_hash_from_md_alg(int md) 6184 { 6185 switch (md) { 6186 #if defined(MBEDTLS_MD_CAN_MD5) 6187 case MBEDTLS_MD_MD5: 6188 return MBEDTLS_SSL_HASH_MD5; 6189 #endif 6190 #if defined(MBEDTLS_MD_CAN_SHA1) 6191 case MBEDTLS_MD_SHA1: 6192 return MBEDTLS_SSL_HASH_SHA1; 6193 #endif 6194 #if defined(MBEDTLS_MD_CAN_SHA224) 6195 case MBEDTLS_MD_SHA224: 6196 return MBEDTLS_SSL_HASH_SHA224; 6197 #endif 6198 #if defined(MBEDTLS_MD_CAN_SHA256) 6199 case MBEDTLS_MD_SHA256: 6200 return MBEDTLS_SSL_HASH_SHA256; 6201 #endif 6202 #if defined(MBEDTLS_MD_CAN_SHA384) 6203 case MBEDTLS_MD_SHA384: 6204 return MBEDTLS_SSL_HASH_SHA384; 6205 #endif 6206 #if defined(MBEDTLS_MD_CAN_SHA512) 6207 case MBEDTLS_MD_SHA512: 6208 return MBEDTLS_SSL_HASH_SHA512; 6209 #endif 6210 default: 6211 return MBEDTLS_SSL_HASH_NONE; 6212 } 6213 } 6214 6215 /* 6216 * Check if a curve proposed by the peer is in our list. 6217 * Return 0 if we're willing to use it, -1 otherwise. 6218 */ 6219 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id) 6220 { 6221 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); 6222 6223 if (group_list == NULL) { 6224 return -1; 6225 } 6226 6227 for (; *group_list != 0; group_list++) { 6228 if (*group_list == tls_id) { 6229 return 0; 6230 } 6231 } 6232 6233 return -1; 6234 } 6235 6236 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 6237 /* 6238 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id. 6239 */ 6240 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id) 6241 { 6242 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); 6243 6244 if (tls_id == 0) { 6245 return -1; 6246 } 6247 6248 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id); 6249 } 6250 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 6251 6252 static const struct { 6253 uint16_t tls_id; 6254 mbedtls_ecp_group_id ecp_group_id; 6255 psa_ecc_family_t psa_family; 6256 uint16_t bits; 6257 } tls_id_match_table[] = 6258 { 6259 #if defined(MBEDTLS_ECP_HAVE_SECP521R1) 6260 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 }, 6261 #endif 6262 #if defined(MBEDTLS_ECP_HAVE_BP512R1) 6263 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 }, 6264 #endif 6265 #if defined(MBEDTLS_ECP_HAVE_SECP384R1) 6266 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 }, 6267 #endif 6268 #if defined(MBEDTLS_ECP_HAVE_BP384R1) 6269 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 }, 6270 #endif 6271 #if defined(MBEDTLS_ECP_HAVE_SECP256R1) 6272 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 }, 6273 #endif 6274 #if defined(MBEDTLS_ECP_HAVE_SECP256K1) 6275 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 }, 6276 #endif 6277 #if defined(MBEDTLS_ECP_HAVE_BP256R1) 6278 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 }, 6279 #endif 6280 #if defined(MBEDTLS_ECP_HAVE_SECP224R1) 6281 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 }, 6282 #endif 6283 #if defined(MBEDTLS_ECP_HAVE_SECP224K1) 6284 { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 }, 6285 #endif 6286 #if defined(MBEDTLS_ECP_HAVE_SECP192R1) 6287 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 }, 6288 #endif 6289 #if defined(MBEDTLS_ECP_HAVE_SECP192K1) 6290 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 }, 6291 #endif 6292 #if defined(MBEDTLS_ECP_HAVE_CURVE25519) 6293 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 }, 6294 #endif 6295 #if defined(MBEDTLS_ECP_HAVE_CURVE448) 6296 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 }, 6297 #endif 6298 { 0, MBEDTLS_ECP_DP_NONE, 0, 0 }, 6299 }; 6300 6301 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id, 6302 psa_key_type_t *type, 6303 size_t *bits) 6304 { 6305 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { 6306 if (tls_id_match_table[i].tls_id == tls_id) { 6307 if (type != NULL) { 6308 *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family); 6309 } 6310 if (bits != NULL) { 6311 *bits = tls_id_match_table[i].bits; 6312 } 6313 return PSA_SUCCESS; 6314 } 6315 } 6316 6317 return PSA_ERROR_NOT_SUPPORTED; 6318 } 6319 6320 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id) 6321 { 6322 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { 6323 if (tls_id_match_table[i].tls_id == tls_id) { 6324 return tls_id_match_table[i].ecp_group_id; 6325 } 6326 } 6327 6328 return MBEDTLS_ECP_DP_NONE; 6329 } 6330 6331 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id) 6332 { 6333 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE; 6334 i++) { 6335 if (tls_id_match_table[i].ecp_group_id == grp_id) { 6336 return tls_id_match_table[i].tls_id; 6337 } 6338 } 6339 6340 return 0; 6341 } 6342 6343 #if defined(MBEDTLS_DEBUG_C) 6344 static const struct { 6345 uint16_t tls_id; 6346 const char *name; 6347 } tls_id_curve_name_table[] = 6348 { 6349 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" }, 6350 { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" }, 6351 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" }, 6352 { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" }, 6353 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" }, 6354 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" }, 6355 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" }, 6356 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" }, 6357 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" }, 6358 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" }, 6359 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" }, 6360 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" }, 6361 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" }, 6362 { 0, NULL }, 6363 }; 6364 6365 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id) 6366 { 6367 for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) { 6368 if (tls_id_curve_name_table[i].tls_id == tls_id) { 6369 return tls_id_curve_name_table[i].name; 6370 } 6371 } 6372 6373 return NULL; 6374 } 6375 #endif 6376 6377 #if defined(MBEDTLS_USE_PSA_CRYPTO) 6378 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 6379 const mbedtls_md_type_t md, 6380 unsigned char *dst, 6381 size_t dst_len, 6382 size_t *olen) 6383 { 6384 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 6385 psa_hash_operation_t *hash_operation_to_clone; 6386 psa_hash_operation_t hash_operation = psa_hash_operation_init(); 6387 6388 *olen = 0; 6389 6390 switch (md) { 6391 #if defined(MBEDTLS_MD_CAN_SHA384) 6392 case MBEDTLS_MD_SHA384: 6393 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa; 6394 break; 6395 #endif 6396 6397 #if defined(MBEDTLS_MD_CAN_SHA256) 6398 case MBEDTLS_MD_SHA256: 6399 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa; 6400 break; 6401 #endif 6402 6403 default: 6404 goto exit; 6405 } 6406 6407 status = psa_hash_clone(hash_operation_to_clone, &hash_operation); 6408 if (status != PSA_SUCCESS) { 6409 goto exit; 6410 } 6411 6412 status = psa_hash_finish(&hash_operation, dst, dst_len, olen); 6413 if (status != PSA_SUCCESS) { 6414 goto exit; 6415 } 6416 6417 exit: 6418 #if !defined(MBEDTLS_MD_CAN_SHA384) && \ 6419 !defined(MBEDTLS_MD_CAN_SHA256) 6420 (void) ssl; 6421 #endif 6422 return PSA_TO_MBEDTLS_ERR(status); 6423 } 6424 #else /* MBEDTLS_USE_PSA_CRYPTO */ 6425 6426 #if defined(MBEDTLS_MD_CAN_SHA384) 6427 MBEDTLS_CHECK_RETURN_CRITICAL 6428 static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl, 6429 unsigned char *dst, 6430 size_t dst_len, 6431 size_t *olen) 6432 { 6433 int ret; 6434 mbedtls_md_context_t sha384; 6435 6436 if (dst_len < 48) { 6437 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6438 } 6439 6440 mbedtls_md_init(&sha384); 6441 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); 6442 if (ret != 0) { 6443 goto exit; 6444 } 6445 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384); 6446 if (ret != 0) { 6447 goto exit; 6448 } 6449 6450 if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) { 6451 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 6452 goto exit; 6453 } 6454 6455 *olen = 48; 6456 6457 exit: 6458 6459 mbedtls_md_free(&sha384); 6460 return ret; 6461 } 6462 #endif /* MBEDTLS_MD_CAN_SHA384 */ 6463 6464 #if defined(MBEDTLS_MD_CAN_SHA256) 6465 MBEDTLS_CHECK_RETURN_CRITICAL 6466 static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl, 6467 unsigned char *dst, 6468 size_t dst_len, 6469 size_t *olen) 6470 { 6471 int ret; 6472 mbedtls_md_context_t sha256; 6473 6474 if (dst_len < 32) { 6475 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6476 } 6477 6478 mbedtls_md_init(&sha256); 6479 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0); 6480 if (ret != 0) { 6481 goto exit; 6482 } 6483 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256); 6484 if (ret != 0) { 6485 goto exit; 6486 } 6487 6488 if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) { 6489 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 6490 goto exit; 6491 } 6492 6493 *olen = 32; 6494 6495 exit: 6496 6497 mbedtls_md_free(&sha256); 6498 return ret; 6499 } 6500 #endif /* MBEDTLS_MD_CAN_SHA256 */ 6501 6502 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 6503 const mbedtls_md_type_t md, 6504 unsigned char *dst, 6505 size_t dst_len, 6506 size_t *olen) 6507 { 6508 switch (md) { 6509 6510 #if defined(MBEDTLS_MD_CAN_SHA384) 6511 case MBEDTLS_MD_SHA384: 6512 return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen); 6513 #endif /* MBEDTLS_MD_CAN_SHA384*/ 6514 6515 #if defined(MBEDTLS_MD_CAN_SHA256) 6516 case MBEDTLS_MD_SHA256: 6517 return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen); 6518 #endif /* MBEDTLS_MD_CAN_SHA256*/ 6519 6520 default: 6521 #if !defined(MBEDTLS_MD_CAN_SHA384) && \ 6522 !defined(MBEDTLS_MD_CAN_SHA256) 6523 (void) ssl; 6524 (void) dst; 6525 (void) dst_len; 6526 (void) olen; 6527 #endif 6528 break; 6529 } 6530 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6531 } 6532 6533 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 6534 6535 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 6536 /* mbedtls_ssl_parse_sig_alg_ext() 6537 * 6538 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList` 6539 * value (TLS 1.3 RFC8446): 6540 * enum { 6541 * .... 6542 * ecdsa_secp256r1_sha256( 0x0403 ), 6543 * ecdsa_secp384r1_sha384( 0x0503 ), 6544 * ecdsa_secp521r1_sha512( 0x0603 ), 6545 * .... 6546 * } SignatureScheme; 6547 * 6548 * struct { 6549 * SignatureScheme supported_signature_algorithms<2..2^16-2>; 6550 * } SignatureSchemeList; 6551 * 6552 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm` 6553 * value (TLS 1.2 RFC5246): 6554 * enum { 6555 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 6556 * sha512(6), (255) 6557 * } HashAlgorithm; 6558 * 6559 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 6560 * SignatureAlgorithm; 6561 * 6562 * struct { 6563 * HashAlgorithm hash; 6564 * SignatureAlgorithm signature; 6565 * } SignatureAndHashAlgorithm; 6566 * 6567 * SignatureAndHashAlgorithm 6568 * supported_signature_algorithms<2..2^16-2>; 6569 * 6570 * The TLS 1.3 signature algorithm extension was defined to be a compatible 6571 * generalization of the TLS 1.2 signature algorithm extension. 6572 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by 6573 * `SignatureScheme` field of TLS 1.3 6574 * 6575 */ 6576 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl, 6577 const unsigned char *buf, 6578 const unsigned char *end) 6579 { 6580 const unsigned char *p = buf; 6581 size_t supported_sig_algs_len = 0; 6582 const unsigned char *supported_sig_algs_end; 6583 uint16_t sig_alg; 6584 uint32_t common_idx = 0; 6585 6586 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 6587 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0); 6588 p += 2; 6589 6590 memset(ssl->handshake->received_sig_algs, 0, 6591 sizeof(ssl->handshake->received_sig_algs)); 6592 6593 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len); 6594 supported_sig_algs_end = p + supported_sig_algs_len; 6595 while (p < supported_sig_algs_end) { 6596 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2); 6597 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0); 6598 p += 2; 6599 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s", 6600 sig_alg, 6601 mbedtls_ssl_sig_alg_to_str(sig_alg))); 6602 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6603 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 6604 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) && 6605 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) { 6606 continue; 6607 } 6608 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 6609 6610 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s", 6611 mbedtls_ssl_sig_alg_to_str(sig_alg))); 6612 6613 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) { 6614 ssl->handshake->received_sig_algs[common_idx] = sig_alg; 6615 common_idx += 1; 6616 } 6617 } 6618 /* Check that we consumed all the message. */ 6619 if (p != end) { 6620 MBEDTLS_SSL_DEBUG_MSG(1, 6621 ("Signature algorithms extension length misaligned")); 6622 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, 6623 MBEDTLS_ERR_SSL_DECODE_ERROR); 6624 return MBEDTLS_ERR_SSL_DECODE_ERROR; 6625 } 6626 6627 if (common_idx == 0) { 6628 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common")); 6629 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, 6630 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 6631 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 6632 } 6633 6634 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE; 6635 return 0; 6636 } 6637 6638 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 6639 6640 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6641 6642 #if defined(MBEDTLS_USE_PSA_CRYPTO) 6643 6644 static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation, 6645 mbedtls_svc_key_id_t key, 6646 psa_algorithm_t alg, 6647 const unsigned char *raw_psk, size_t raw_psk_length, 6648 const unsigned char *seed, size_t seed_length, 6649 const unsigned char *label, size_t label_length, 6650 const unsigned char *other_secret, 6651 size_t other_secret_length, 6652 size_t capacity) 6653 { 6654 psa_status_t status; 6655 6656 status = psa_key_derivation_setup(derivation, alg); 6657 if (status != PSA_SUCCESS) { 6658 return status; 6659 } 6660 6661 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) { 6662 status = psa_key_derivation_input_bytes(derivation, 6663 PSA_KEY_DERIVATION_INPUT_SEED, 6664 seed, seed_length); 6665 if (status != PSA_SUCCESS) { 6666 return status; 6667 } 6668 6669 if (other_secret != NULL) { 6670 status = psa_key_derivation_input_bytes(derivation, 6671 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET, 6672 other_secret, other_secret_length); 6673 if (status != PSA_SUCCESS) { 6674 return status; 6675 } 6676 } 6677 6678 if (mbedtls_svc_key_id_is_null(key)) { 6679 status = psa_key_derivation_input_bytes( 6680 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, 6681 raw_psk, raw_psk_length); 6682 } else { 6683 status = psa_key_derivation_input_key( 6684 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key); 6685 } 6686 if (status != PSA_SUCCESS) { 6687 return status; 6688 } 6689 6690 status = psa_key_derivation_input_bytes(derivation, 6691 PSA_KEY_DERIVATION_INPUT_LABEL, 6692 label, label_length); 6693 if (status != PSA_SUCCESS) { 6694 return status; 6695 } 6696 } else { 6697 return PSA_ERROR_NOT_SUPPORTED; 6698 } 6699 6700 status = psa_key_derivation_set_capacity(derivation, capacity); 6701 if (status != PSA_SUCCESS) { 6702 return status; 6703 } 6704 6705 return PSA_SUCCESS; 6706 } 6707 6708 #if defined(PSA_WANT_ALG_SHA_384) || \ 6709 defined(PSA_WANT_ALG_SHA_256) 6710 MBEDTLS_CHECK_RETURN_CRITICAL 6711 static int tls_prf_generic(mbedtls_md_type_t md_type, 6712 const unsigned char *secret, size_t slen, 6713 const char *label, 6714 const unsigned char *random, size_t rlen, 6715 unsigned char *dstbuf, size_t dlen) 6716 { 6717 psa_status_t status; 6718 psa_algorithm_t alg; 6719 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT; 6720 psa_key_derivation_operation_t derivation = 6721 PSA_KEY_DERIVATION_OPERATION_INIT; 6722 6723 if (md_type == MBEDTLS_MD_SHA384) { 6724 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384); 6725 } else { 6726 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); 6727 } 6728 6729 /* Normally a "secret" should be long enough to be impossible to 6730 * find by brute force, and in particular should not be empty. But 6731 * this PRF is also used to derive an IV, in particular in EAP-TLS, 6732 * and for this use case it makes sense to have a 0-length "secret". 6733 * Since the key API doesn't allow importing a key of length 0, 6734 * keep master_key=0, which setup_psa_key_derivation() understands 6735 * to mean a 0-length "secret" input. */ 6736 if (slen != 0) { 6737 psa_key_attributes_t key_attributes = psa_key_attributes_init(); 6738 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 6739 psa_set_key_algorithm(&key_attributes, alg); 6740 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE); 6741 6742 status = psa_import_key(&key_attributes, secret, slen, &master_key); 6743 if (status != PSA_SUCCESS) { 6744 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6745 } 6746 } 6747 6748 status = setup_psa_key_derivation(&derivation, 6749 master_key, alg, 6750 NULL, 0, 6751 random, rlen, 6752 (unsigned char const *) label, 6753 (size_t) strlen(label), 6754 NULL, 0, 6755 dlen); 6756 if (status != PSA_SUCCESS) { 6757 psa_key_derivation_abort(&derivation); 6758 psa_destroy_key(master_key); 6759 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6760 } 6761 6762 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen); 6763 if (status != PSA_SUCCESS) { 6764 psa_key_derivation_abort(&derivation); 6765 psa_destroy_key(master_key); 6766 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6767 } 6768 6769 status = psa_key_derivation_abort(&derivation); 6770 if (status != PSA_SUCCESS) { 6771 psa_destroy_key(master_key); 6772 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6773 } 6774 6775 if (!mbedtls_svc_key_id_is_null(master_key)) { 6776 status = psa_destroy_key(master_key); 6777 } 6778 if (status != PSA_SUCCESS) { 6779 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6780 } 6781 6782 return 0; 6783 } 6784 #endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */ 6785 #else /* MBEDTLS_USE_PSA_CRYPTO */ 6786 6787 #if defined(MBEDTLS_MD_C) && \ 6788 (defined(MBEDTLS_MD_CAN_SHA256) || \ 6789 defined(MBEDTLS_MD_CAN_SHA384)) 6790 MBEDTLS_CHECK_RETURN_CRITICAL 6791 static int tls_prf_generic(mbedtls_md_type_t md_type, 6792 const unsigned char *secret, size_t slen, 6793 const char *label, 6794 const unsigned char *random, size_t rlen, 6795 unsigned char *dstbuf, size_t dlen) 6796 { 6797 size_t nb; 6798 size_t i, j, k, md_len; 6799 unsigned char *tmp; 6800 size_t tmp_len = 0; 6801 unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; 6802 const mbedtls_md_info_t *md_info; 6803 mbedtls_md_context_t md_ctx; 6804 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6805 6806 mbedtls_md_init(&md_ctx); 6807 6808 if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) { 6809 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6810 } 6811 6812 md_len = mbedtls_md_get_size(md_info); 6813 6814 tmp_len = md_len + strlen(label) + rlen; 6815 tmp = mbedtls_calloc(1, tmp_len); 6816 if (tmp == NULL) { 6817 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 6818 goto exit; 6819 } 6820 6821 nb = strlen(label); 6822 memcpy(tmp + md_len, label, nb); 6823 memcpy(tmp + md_len + nb, random, rlen); 6824 nb += rlen; 6825 6826 /* 6827 * Compute P_<hash>(secret, label + random)[0..dlen] 6828 */ 6829 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) { 6830 goto exit; 6831 } 6832 6833 ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen); 6834 if (ret != 0) { 6835 goto exit; 6836 } 6837 ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb); 6838 if (ret != 0) { 6839 goto exit; 6840 } 6841 ret = mbedtls_md_hmac_finish(&md_ctx, tmp); 6842 if (ret != 0) { 6843 goto exit; 6844 } 6845 6846 for (i = 0; i < dlen; i += md_len) { 6847 ret = mbedtls_md_hmac_reset(&md_ctx); 6848 if (ret != 0) { 6849 goto exit; 6850 } 6851 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb); 6852 if (ret != 0) { 6853 goto exit; 6854 } 6855 ret = mbedtls_md_hmac_finish(&md_ctx, h_i); 6856 if (ret != 0) { 6857 goto exit; 6858 } 6859 6860 ret = mbedtls_md_hmac_reset(&md_ctx); 6861 if (ret != 0) { 6862 goto exit; 6863 } 6864 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len); 6865 if (ret != 0) { 6866 goto exit; 6867 } 6868 ret = mbedtls_md_hmac_finish(&md_ctx, tmp); 6869 if (ret != 0) { 6870 goto exit; 6871 } 6872 6873 k = (i + md_len > dlen) ? dlen % md_len : md_len; 6874 6875 for (j = 0; j < k; j++) { 6876 dstbuf[i + j] = h_i[j]; 6877 } 6878 } 6879 6880 exit: 6881 mbedtls_md_free(&md_ctx); 6882 6883 if (tmp != NULL) { 6884 mbedtls_platform_zeroize(tmp, tmp_len); 6885 } 6886 6887 mbedtls_platform_zeroize(h_i, sizeof(h_i)); 6888 6889 mbedtls_free(tmp); 6890 6891 return ret; 6892 } 6893 #endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */ 6894 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 6895 6896 #if defined(MBEDTLS_MD_CAN_SHA256) 6897 MBEDTLS_CHECK_RETURN_CRITICAL 6898 static int tls_prf_sha256(const unsigned char *secret, size_t slen, 6899 const char *label, 6900 const unsigned char *random, size_t rlen, 6901 unsigned char *dstbuf, size_t dlen) 6902 { 6903 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen, 6904 label, random, rlen, dstbuf, dlen); 6905 } 6906 #endif /* MBEDTLS_MD_CAN_SHA256*/ 6907 6908 #if defined(MBEDTLS_MD_CAN_SHA384) 6909 MBEDTLS_CHECK_RETURN_CRITICAL 6910 static int tls_prf_sha384(const unsigned char *secret, size_t slen, 6911 const char *label, 6912 const unsigned char *random, size_t rlen, 6913 unsigned char *dstbuf, size_t dlen) 6914 { 6915 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen, 6916 label, random, rlen, dstbuf, dlen); 6917 } 6918 #endif /* MBEDTLS_MD_CAN_SHA384*/ 6919 6920 /* 6921 * Set appropriate PRF function and other SSL / TLS1.2 functions 6922 * 6923 * Inputs: 6924 * - hash associated with the ciphersuite (only used by TLS 1.2) 6925 * 6926 * Outputs: 6927 * - the tls_prf, calc_verify and calc_finished members of handshake structure 6928 */ 6929 MBEDTLS_CHECK_RETURN_CRITICAL 6930 static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake, 6931 mbedtls_md_type_t hash) 6932 { 6933 #if defined(MBEDTLS_MD_CAN_SHA384) 6934 if (hash == MBEDTLS_MD_SHA384) { 6935 handshake->tls_prf = tls_prf_sha384; 6936 handshake->calc_verify = ssl_calc_verify_tls_sha384; 6937 handshake->calc_finished = ssl_calc_finished_tls_sha384; 6938 } else 6939 #endif 6940 #if defined(MBEDTLS_MD_CAN_SHA256) 6941 { 6942 (void) hash; 6943 handshake->tls_prf = tls_prf_sha256; 6944 handshake->calc_verify = ssl_calc_verify_tls_sha256; 6945 handshake->calc_finished = ssl_calc_finished_tls_sha256; 6946 } 6947 #else 6948 { 6949 (void) handshake; 6950 (void) hash; 6951 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6952 } 6953 #endif 6954 6955 return 0; 6956 } 6957 6958 /* 6959 * Compute master secret if needed 6960 * 6961 * Parameters: 6962 * [in/out] handshake 6963 * [in] resume, premaster, extended_ms, calc_verify, tls_prf 6964 * (PSA-PSK) ciphersuite_info, psk_opaque 6965 * [out] premaster (cleared) 6966 * [out] master 6967 * [in] ssl: optionally used for debugging, EMS and PSA-PSK 6968 * debug: conf->f_dbg, conf->p_dbg 6969 * EMS: passed to calc_verify (debug + session_negotiate) 6970 * PSA-PSA: conf 6971 */ 6972 MBEDTLS_CHECK_RETURN_CRITICAL 6973 static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, 6974 unsigned char *master, 6975 const mbedtls_ssl_context *ssl) 6976 { 6977 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6978 6979 /* cf. RFC 5246, Section 8.1: 6980 * "The master secret is always exactly 48 bytes in length." */ 6981 size_t const master_secret_len = 48; 6982 6983 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 6984 unsigned char session_hash[48]; 6985 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 6986 6987 /* The label for the KDF used for key expansion. 6988 * This is either "master secret" or "extended master secret" 6989 * depending on whether the Extended Master Secret extension 6990 * is used. */ 6991 char const *lbl = "master secret"; 6992 6993 /* The seed for the KDF used for key expansion. 6994 * - If the Extended Master Secret extension is not used, 6995 * this is ClientHello.Random + ServerHello.Random 6996 * (see Sect. 8.1 in RFC 5246). 6997 * - If the Extended Master Secret extension is used, 6998 * this is the transcript of the handshake so far. 6999 * (see Sect. 4 in RFC 7627). */ 7000 unsigned char const *seed = handshake->randbytes; 7001 size_t seed_len = 64; 7002 7003 #if !defined(MBEDTLS_DEBUG_C) && \ 7004 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \ 7005 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7006 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)) 7007 ssl = NULL; /* make sure we don't use it except for those cases */ 7008 (void) ssl; 7009 #endif 7010 7011 if (handshake->resume != 0) { 7012 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)")); 7013 return 0; 7014 } 7015 7016 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 7017 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { 7018 lbl = "extended master secret"; 7019 seed = session_hash; 7020 ret = handshake->calc_verify(ssl, session_hash, &seed_len); 7021 if (ret != 0) { 7022 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret); 7023 } 7024 7025 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret", 7026 session_hash, seed_len); 7027 } 7028 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 7029 7030 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7031 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 7032 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) { 7033 /* Perform PSK-to-MS expansion in a single step. */ 7034 psa_status_t status; 7035 psa_algorithm_t alg; 7036 mbedtls_svc_key_id_t psk; 7037 psa_key_derivation_operation_t derivation = 7038 PSA_KEY_DERIVATION_OPERATION_INIT; 7039 mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac; 7040 7041 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion")); 7042 7043 psk = mbedtls_ssl_get_opaque_psk(ssl); 7044 7045 if (hash_alg == MBEDTLS_MD_SHA384) { 7046 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); 7047 } else { 7048 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); 7049 } 7050 7051 size_t other_secret_len = 0; 7052 unsigned char *other_secret = NULL; 7053 7054 switch (handshake->ciphersuite_info->key_exchange) { 7055 /* Provide other secret. 7056 * Other secret is stored in premaster, where first 2 bytes hold the 7057 * length of the other key. 7058 */ 7059 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 7060 /* For RSA-PSK other key length is always 48 bytes. */ 7061 other_secret_len = 48; 7062 other_secret = handshake->premaster + 2; 7063 break; 7064 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 7065 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 7066 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0); 7067 other_secret = handshake->premaster + 2; 7068 break; 7069 default: 7070 break; 7071 } 7072 7073 status = setup_psa_key_derivation(&derivation, psk, alg, 7074 ssl->conf->psk, ssl->conf->psk_len, 7075 seed, seed_len, 7076 (unsigned char const *) lbl, 7077 (size_t) strlen(lbl), 7078 other_secret, other_secret_len, 7079 master_secret_len); 7080 if (status != PSA_SUCCESS) { 7081 psa_key_derivation_abort(&derivation); 7082 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7083 } 7084 7085 status = psa_key_derivation_output_bytes(&derivation, 7086 master, 7087 master_secret_len); 7088 if (status != PSA_SUCCESS) { 7089 psa_key_derivation_abort(&derivation); 7090 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7091 } 7092 7093 status = psa_key_derivation_abort(&derivation); 7094 if (status != PSA_SUCCESS) { 7095 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7096 } 7097 } else 7098 #endif 7099 { 7100 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7101 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 7102 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 7103 psa_status_t status; 7104 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; 7105 psa_key_derivation_operation_t derivation = 7106 PSA_KEY_DERIVATION_OPERATION_INIT; 7107 7108 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE")); 7109 7110 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE; 7111 7112 status = psa_key_derivation_setup(&derivation, alg); 7113 if (status != PSA_SUCCESS) { 7114 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7115 } 7116 7117 status = psa_key_derivation_set_capacity(&derivation, 7118 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE); 7119 if (status != PSA_SUCCESS) { 7120 psa_key_derivation_abort(&derivation); 7121 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7122 } 7123 7124 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx, 7125 &derivation); 7126 if (status != PSA_SUCCESS) { 7127 psa_key_derivation_abort(&derivation); 7128 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7129 } 7130 7131 status = psa_key_derivation_output_bytes(&derivation, 7132 handshake->premaster, 7133 handshake->pmslen); 7134 if (status != PSA_SUCCESS) { 7135 psa_key_derivation_abort(&derivation); 7136 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7137 } 7138 7139 status = psa_key_derivation_abort(&derivation); 7140 if (status != PSA_SUCCESS) { 7141 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7142 } 7143 } 7144 #endif 7145 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen, 7146 lbl, seed, seed_len, 7147 master, 7148 master_secret_len); 7149 if (ret != 0) { 7150 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); 7151 return ret; 7152 } 7153 7154 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret", 7155 handshake->premaster, 7156 handshake->pmslen); 7157 7158 mbedtls_platform_zeroize(handshake->premaster, 7159 sizeof(handshake->premaster)); 7160 } 7161 7162 return 0; 7163 } 7164 7165 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl) 7166 { 7167 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7168 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = 7169 ssl->handshake->ciphersuite_info; 7170 7171 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys")); 7172 7173 /* Set PRF, calc_verify and calc_finished function pointers */ 7174 ret = ssl_set_handshake_prfs(ssl->handshake, 7175 (mbedtls_md_type_t) ciphersuite_info->mac); 7176 if (ret != 0) { 7177 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret); 7178 return ret; 7179 } 7180 7181 /* Compute master secret if needed */ 7182 ret = ssl_compute_master(ssl->handshake, 7183 ssl->session_negotiate->master, 7184 ssl); 7185 if (ret != 0) { 7186 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret); 7187 return ret; 7188 } 7189 7190 /* Swap the client and server random values: 7191 * - MS derivation wanted client+server (RFC 5246 8.1) 7192 * - key derivation wants server+client (RFC 5246 6.3) */ 7193 { 7194 unsigned char tmp[64]; 7195 memcpy(tmp, ssl->handshake->randbytes, 64); 7196 memcpy(ssl->handshake->randbytes, tmp + 32, 32); 7197 memcpy(ssl->handshake->randbytes + 32, tmp, 32); 7198 mbedtls_platform_zeroize(tmp, sizeof(tmp)); 7199 } 7200 7201 /* Populate transform structure */ 7202 ret = ssl_tls12_populate_transform(ssl->transform_negotiate, 7203 ssl->session_negotiate->ciphersuite, 7204 ssl->session_negotiate->master, 7205 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 7206 ssl->session_negotiate->encrypt_then_mac, 7207 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 7208 ssl->handshake->tls_prf, 7209 ssl->handshake->randbytes, 7210 ssl->tls_version, 7211 ssl->conf->endpoint, 7212 ssl); 7213 if (ret != 0) { 7214 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret); 7215 return ret; 7216 } 7217 7218 /* We no longer need Server/ClientHello.random values */ 7219 mbedtls_platform_zeroize(ssl->handshake->randbytes, 7220 sizeof(ssl->handshake->randbytes)); 7221 7222 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys")); 7223 7224 return 0; 7225 } 7226 7227 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md) 7228 { 7229 switch (md) { 7230 #if defined(MBEDTLS_MD_CAN_SHA384) 7231 case MBEDTLS_SSL_HASH_SHA384: 7232 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; 7233 break; 7234 #endif 7235 #if defined(MBEDTLS_MD_CAN_SHA256) 7236 case MBEDTLS_SSL_HASH_SHA256: 7237 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256; 7238 break; 7239 #endif 7240 default: 7241 return -1; 7242 } 7243 #if !defined(MBEDTLS_MD_CAN_SHA384) && \ 7244 !defined(MBEDTLS_MD_CAN_SHA256) 7245 (void) ssl; 7246 #endif 7247 return 0; 7248 } 7249 7250 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7251 static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl, 7252 const psa_hash_operation_t *hs_op, 7253 size_t buffer_size, 7254 unsigned char *hash, 7255 size_t *hlen) 7256 { 7257 psa_status_t status; 7258 psa_hash_operation_t cloned_op = psa_hash_operation_init(); 7259 7260 #if !defined(MBEDTLS_DEBUG_C) 7261 (void) ssl; 7262 #endif 7263 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify")); 7264 status = psa_hash_clone(hs_op, &cloned_op); 7265 if (status != PSA_SUCCESS) { 7266 goto exit; 7267 } 7268 7269 status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen); 7270 if (status != PSA_SUCCESS) { 7271 goto exit; 7272 } 7273 7274 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); 7275 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); 7276 7277 exit: 7278 psa_hash_abort(&cloned_op); 7279 return mbedtls_md_error_from_psa(status); 7280 } 7281 #else 7282 static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl, 7283 const mbedtls_md_context_t *hs_ctx, 7284 unsigned char *hash, 7285 size_t *hlen) 7286 { 7287 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7288 mbedtls_md_context_t cloned_ctx; 7289 7290 mbedtls_md_init(&cloned_ctx); 7291 7292 #if !defined(MBEDTLS_DEBUG_C) 7293 (void) ssl; 7294 #endif 7295 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify")); 7296 7297 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0); 7298 if (ret != 0) { 7299 goto exit; 7300 } 7301 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx); 7302 if (ret != 0) { 7303 goto exit; 7304 } 7305 7306 ret = mbedtls_md_finish(&cloned_ctx, hash); 7307 if (ret != 0) { 7308 goto exit; 7309 } 7310 7311 *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx)); 7312 7313 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); 7314 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); 7315 7316 exit: 7317 mbedtls_md_free(&cloned_ctx); 7318 return ret; 7319 } 7320 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 7321 7322 #if defined(MBEDTLS_MD_CAN_SHA256) 7323 int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, 7324 unsigned char *hash, 7325 size_t *hlen) 7326 { 7327 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7328 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32, 7329 hash, hlen); 7330 #else 7331 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256, 7332 hash, hlen); 7333 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 7334 } 7335 #endif /* MBEDTLS_MD_CAN_SHA256 */ 7336 7337 #if defined(MBEDTLS_MD_CAN_SHA384) 7338 int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, 7339 unsigned char *hash, 7340 size_t *hlen) 7341 { 7342 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7343 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48, 7344 hash, hlen); 7345 #else 7346 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384, 7347 hash, hlen); 7348 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 7349 } 7350 #endif /* MBEDTLS_MD_CAN_SHA384 */ 7351 7352 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7353 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 7354 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex) 7355 { 7356 unsigned char *p = ssl->handshake->premaster; 7357 unsigned char *end = p + sizeof(ssl->handshake->premaster); 7358 const unsigned char *psk = NULL; 7359 size_t psk_len = 0; 7360 int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len); 7361 7362 if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) { 7363 /* 7364 * This should never happen because the existence of a PSK is always 7365 * checked before calling this function. 7366 * 7367 * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with 7368 * the shared secret without PSK. 7369 */ 7370 if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 7371 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7372 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7373 } 7374 } 7375 7376 /* 7377 * PMS = struct { 7378 * opaque other_secret<0..2^16-1>; 7379 * opaque psk<0..2^16-1>; 7380 * }; 7381 * with "other_secret" depending on the particular key exchange 7382 */ 7383 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 7384 if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) { 7385 if (end - p < 2) { 7386 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7387 } 7388 7389 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); 7390 p += 2; 7391 7392 if (end < p || (size_t) (end - p) < psk_len) { 7393 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7394 } 7395 7396 memset(p, 0, psk_len); 7397 p += psk_len; 7398 } else 7399 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 7400 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 7401 if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 7402 /* 7403 * other_secret already set by the ClientKeyExchange message, 7404 * and is 48 bytes long 7405 */ 7406 if (end - p < 2) { 7407 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7408 } 7409 7410 *p++ = 0; 7411 *p++ = 48; 7412 p += 48; 7413 } else 7414 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 7415 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 7416 if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 7417 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7418 size_t len; 7419 7420 /* Write length only when we know the actual value */ 7421 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, 7422 p + 2, (size_t) (end - (p + 2)), &len, 7423 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 7424 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); 7425 return ret; 7426 } 7427 MBEDTLS_PUT_UINT16_BE(len, p, 0); 7428 p += 2 + len; 7429 7430 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); 7431 } else 7432 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 7433 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 7434 if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { 7435 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7436 size_t zlen; 7437 7438 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen, 7439 p + 2, (size_t) (end - (p + 2)), 7440 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 7441 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); 7442 return ret; 7443 } 7444 7445 MBEDTLS_PUT_UINT16_BE(zlen, p, 0); 7446 p += 2 + zlen; 7447 7448 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 7449 MBEDTLS_DEBUG_ECDH_Z); 7450 } else 7451 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 7452 { 7453 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7454 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7455 } 7456 7457 /* opaque psk<0..2^16-1>; */ 7458 if (end - p < 2) { 7459 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7460 } 7461 7462 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); 7463 p += 2; 7464 7465 if (end < p || (size_t) (end - p) < psk_len) { 7466 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7467 } 7468 7469 memcpy(p, psk, psk_len); 7470 p += psk_len; 7471 7472 ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster); 7473 7474 return 0; 7475 } 7476 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 7477 7478 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 7479 MBEDTLS_CHECK_RETURN_CRITICAL 7480 static int ssl_write_hello_request(mbedtls_ssl_context *ssl); 7481 7482 #if defined(MBEDTLS_SSL_PROTO_DTLS) 7483 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl) 7484 { 7485 /* If renegotiation is not enforced, retransmit until we would reach max 7486 * timeout if we were using the usual handshake doubling scheme */ 7487 if (ssl->conf->renego_max_records < 0) { 7488 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; 7489 unsigned char doublings = 1; 7490 7491 while (ratio != 0) { 7492 ++doublings; 7493 ratio >>= 1; 7494 } 7495 7496 if (++ssl->renego_records_seen > doublings) { 7497 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request")); 7498 return 0; 7499 } 7500 } 7501 7502 return ssl_write_hello_request(ssl); 7503 } 7504 #endif 7505 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 7506 7507 /* 7508 * Handshake functions 7509 */ 7510 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 7511 /* No certificate support -> dummy functions */ 7512 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) 7513 { 7514 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7515 ssl->handshake->ciphersuite_info; 7516 7517 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); 7518 7519 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7520 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 7521 ssl->state++; 7522 return 0; 7523 } 7524 7525 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7526 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7527 } 7528 7529 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) 7530 { 7531 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7532 ssl->handshake->ciphersuite_info; 7533 7534 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); 7535 7536 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7537 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); 7538 ssl->state++; 7539 return 0; 7540 } 7541 7542 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7543 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7544 } 7545 7546 #else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 7547 /* Some certificate support -> implement write and parse */ 7548 7549 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) 7550 { 7551 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 7552 size_t i, n; 7553 const mbedtls_x509_crt *crt; 7554 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7555 ssl->handshake->ciphersuite_info; 7556 7557 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); 7558 7559 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7560 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 7561 ssl->state++; 7562 return 0; 7563 } 7564 7565 #if defined(MBEDTLS_SSL_CLI_C) 7566 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 7567 if (ssl->handshake->client_auth == 0) { 7568 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 7569 ssl->state++; 7570 return 0; 7571 } 7572 } 7573 #endif /* MBEDTLS_SSL_CLI_C */ 7574 #if defined(MBEDTLS_SSL_SRV_C) 7575 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 7576 if (mbedtls_ssl_own_cert(ssl) == NULL) { 7577 /* Should never happen because we shouldn't have picked the 7578 * ciphersuite if we don't have a certificate. */ 7579 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7580 } 7581 } 7582 #endif 7583 7584 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl)); 7585 7586 /* 7587 * 0 . 0 handshake type 7588 * 1 . 3 handshake length 7589 * 4 . 6 length of all certs 7590 * 7 . 9 length of cert. 1 7591 * 10 . n-1 peer certificate 7592 * n . n+2 length of cert. 2 7593 * n+3 . ... upper level cert, etc. 7594 */ 7595 i = 7; 7596 crt = mbedtls_ssl_own_cert(ssl); 7597 7598 while (crt != NULL) { 7599 n = crt->raw.len; 7600 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) { 7601 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET 7602 " > %" MBEDTLS_PRINTF_SIZET, 7603 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN)); 7604 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 7605 } 7606 7607 ssl->out_msg[i] = MBEDTLS_BYTE_2(n); 7608 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n); 7609 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n); 7610 7611 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n); 7612 i += n; crt = crt->next; 7613 } 7614 7615 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7); 7616 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7); 7617 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7); 7618 7619 ssl->out_msglen = i; 7620 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 7621 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; 7622 7623 ssl->state++; 7624 7625 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 7626 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 7627 return ret; 7628 } 7629 7630 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate")); 7631 7632 return ret; 7633 } 7634 7635 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7636 7637 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7638 MBEDTLS_CHECK_RETURN_CRITICAL 7639 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, 7640 unsigned char *crt_buf, 7641 size_t crt_buf_len) 7642 { 7643 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert; 7644 7645 if (peer_crt == NULL) { 7646 return -1; 7647 } 7648 7649 if (peer_crt->raw.len != crt_buf_len) { 7650 return -1; 7651 } 7652 7653 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len); 7654 } 7655 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7656 MBEDTLS_CHECK_RETURN_CRITICAL 7657 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, 7658 unsigned char *crt_buf, 7659 size_t crt_buf_len) 7660 { 7661 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7662 unsigned char const * const peer_cert_digest = 7663 ssl->session->peer_cert_digest; 7664 mbedtls_md_type_t const peer_cert_digest_type = 7665 ssl->session->peer_cert_digest_type; 7666 mbedtls_md_info_t const * const digest_info = 7667 mbedtls_md_info_from_type(peer_cert_digest_type); 7668 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN]; 7669 size_t digest_len; 7670 7671 if (peer_cert_digest == NULL || digest_info == NULL) { 7672 return -1; 7673 } 7674 7675 digest_len = mbedtls_md_get_size(digest_info); 7676 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) { 7677 return -1; 7678 } 7679 7680 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest); 7681 if (ret != 0) { 7682 return -1; 7683 } 7684 7685 return memcmp(tmp_digest, peer_cert_digest, digest_len); 7686 } 7687 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7688 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 7689 7690 /* 7691 * Once the certificate message is read, parse it into a cert chain and 7692 * perform basic checks, but leave actual verification to the caller 7693 */ 7694 MBEDTLS_CHECK_RETURN_CRITICAL 7695 static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl, 7696 mbedtls_x509_crt *chain) 7697 { 7698 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7699 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7700 int crt_cnt = 0; 7701 #endif 7702 size_t i, n; 7703 uint8_t alert; 7704 7705 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 7706 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7707 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7708 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 7709 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 7710 } 7711 7712 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) { 7713 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7714 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 7715 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 7716 } 7717 7718 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) { 7719 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7720 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7721 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7722 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7723 } 7724 7725 i = mbedtls_ssl_hs_hdr_len(ssl); 7726 7727 /* 7728 * Same message structure as in mbedtls_ssl_write_certificate() 7729 */ 7730 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1); 7731 7732 if (ssl->in_msg[i] != 0 || 7733 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) { 7734 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7735 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7736 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7737 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7738 } 7739 7740 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */ 7741 i += 3; 7742 7743 /* Iterate through and parse the CRTs in the provided chain. */ 7744 while (i < ssl->in_hslen) { 7745 /* Check that there's room for the next CRT's length fields. */ 7746 if (i + 3 > ssl->in_hslen) { 7747 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7748 mbedtls_ssl_send_alert_message(ssl, 7749 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7750 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7751 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7752 } 7753 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support 7754 * anything beyond 2**16 ~ 64K. */ 7755 if (ssl->in_msg[i] != 0) { 7756 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7757 mbedtls_ssl_send_alert_message(ssl, 7758 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7759 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); 7760 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 7761 } 7762 7763 /* Read length of the next CRT in the chain. */ 7764 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1); 7765 i += 3; 7766 7767 if (n < 128 || i + n > ssl->in_hslen) { 7768 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7769 mbedtls_ssl_send_alert_message(ssl, 7770 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7771 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7772 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7773 } 7774 7775 /* Check if we're handling the first CRT in the chain. */ 7776 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7777 if (crt_cnt++ == 0 && 7778 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 7779 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 7780 /* During client-side renegotiation, check that the server's 7781 * end-CRTs hasn't changed compared to the initial handshake, 7782 * mitigating the triple handshake attack. On success, reuse 7783 * the original end-CRT instead of parsing it again. */ 7784 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation")); 7785 if (ssl_check_peer_crt_unchanged(ssl, 7786 &ssl->in_msg[i], 7787 n) != 0) { 7788 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation")); 7789 mbedtls_ssl_send_alert_message(ssl, 7790 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7791 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED); 7792 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 7793 } 7794 7795 /* Now we can safely free the original chain. */ 7796 ssl_clear_peer_cert(ssl->session); 7797 } 7798 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 7799 7800 /* Parse the next certificate in the chain. */ 7801 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7802 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n); 7803 #else 7804 /* If we don't need to store the CRT chain permanently, parse 7805 * it in-place from the input buffer instead of making a copy. */ 7806 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n); 7807 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7808 switch (ret) { 7809 case 0: /*ok*/ 7810 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: 7811 /* Ignore certificate with an unknown algorithm: maybe a 7812 prior certificate was already trusted. */ 7813 break; 7814 7815 case MBEDTLS_ERR_X509_ALLOC_FAILED: 7816 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR; 7817 goto crt_parse_der_failed; 7818 7819 case MBEDTLS_ERR_X509_UNKNOWN_VERSION: 7820 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 7821 goto crt_parse_der_failed; 7822 7823 default: 7824 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 7825 crt_parse_der_failed: 7826 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert); 7827 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); 7828 return ret; 7829 } 7830 7831 i += n; 7832 } 7833 7834 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain); 7835 return 0; 7836 } 7837 7838 #if defined(MBEDTLS_SSL_SRV_C) 7839 MBEDTLS_CHECK_RETURN_CRITICAL 7840 static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl) 7841 { 7842 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 7843 return -1; 7844 } 7845 7846 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) && 7847 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 7848 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && 7849 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) { 7850 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate")); 7851 return 0; 7852 } 7853 return -1; 7854 } 7855 #endif /* MBEDTLS_SSL_SRV_C */ 7856 7857 /* Check if a certificate message is expected. 7858 * Return either 7859 * - SSL_CERTIFICATE_EXPECTED, or 7860 * - SSL_CERTIFICATE_SKIP 7861 * indicating whether a Certificate message is expected or not. 7862 */ 7863 #define SSL_CERTIFICATE_EXPECTED 0 7864 #define SSL_CERTIFICATE_SKIP 1 7865 MBEDTLS_CHECK_RETURN_CRITICAL 7866 static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl, 7867 int authmode) 7868 { 7869 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7870 ssl->handshake->ciphersuite_info; 7871 7872 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7873 return SSL_CERTIFICATE_SKIP; 7874 } 7875 7876 #if defined(MBEDTLS_SSL_SRV_C) 7877 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 7878 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 7879 return SSL_CERTIFICATE_SKIP; 7880 } 7881 7882 if (authmode == MBEDTLS_SSL_VERIFY_NONE) { 7883 ssl->session_negotiate->verify_result = 7884 MBEDTLS_X509_BADCERT_SKIP_VERIFY; 7885 return SSL_CERTIFICATE_SKIP; 7886 } 7887 } 7888 #else 7889 ((void) authmode); 7890 #endif /* MBEDTLS_SSL_SRV_C */ 7891 7892 return SSL_CERTIFICATE_EXPECTED; 7893 } 7894 7895 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7896 MBEDTLS_CHECK_RETURN_CRITICAL 7897 static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl, 7898 unsigned char *start, size_t len) 7899 { 7900 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7901 /* Remember digest of the peer's end-CRT. */ 7902 ssl->session_negotiate->peer_cert_digest = 7903 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN); 7904 if (ssl->session_negotiate->peer_cert_digest == NULL) { 7905 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed", 7906 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN)); 7907 mbedtls_ssl_send_alert_message(ssl, 7908 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7909 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 7910 7911 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 7912 } 7913 7914 ret = mbedtls_md(mbedtls_md_info_from_type( 7915 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE), 7916 start, len, 7917 ssl->session_negotiate->peer_cert_digest); 7918 7919 ssl->session_negotiate->peer_cert_digest_type = 7920 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE; 7921 ssl->session_negotiate->peer_cert_digest_len = 7922 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN; 7923 7924 return ret; 7925 } 7926 7927 MBEDTLS_CHECK_RETURN_CRITICAL 7928 static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl, 7929 unsigned char *start, size_t len) 7930 { 7931 unsigned char *end = start + len; 7932 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7933 7934 /* Make a copy of the peer's raw public key. */ 7935 mbedtls_pk_init(&ssl->handshake->peer_pubkey); 7936 ret = mbedtls_pk_parse_subpubkey(&start, end, 7937 &ssl->handshake->peer_pubkey); 7938 if (ret != 0) { 7939 /* We should have parsed the public key before. */ 7940 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7941 } 7942 7943 return 0; 7944 } 7945 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7946 7947 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) 7948 { 7949 int ret = 0; 7950 int crt_expected; 7951 /* Authmode: precedence order is SNI if used else configuration */ 7952 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 7953 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET 7954 ? ssl->handshake->sni_authmode 7955 : ssl->conf->authmode; 7956 #else 7957 const int authmode = ssl->conf->authmode; 7958 #endif 7959 void *rs_ctx = NULL; 7960 mbedtls_x509_crt *chain = NULL; 7961 7962 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); 7963 7964 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode); 7965 if (crt_expected == SSL_CERTIFICATE_SKIP) { 7966 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); 7967 goto exit; 7968 } 7969 7970 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 7971 if (ssl->handshake->ecrs_enabled && 7972 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) { 7973 chain = ssl->handshake->ecrs_peer_cert; 7974 ssl->handshake->ecrs_peer_cert = NULL; 7975 goto crt_verify; 7976 } 7977 #endif 7978 7979 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 7980 /* mbedtls_ssl_read_record may have sent an alert already. We 7981 let it decide whether to alert. */ 7982 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 7983 goto exit; 7984 } 7985 7986 #if defined(MBEDTLS_SSL_SRV_C) 7987 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) { 7988 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 7989 7990 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) { 7991 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; 7992 } 7993 7994 goto exit; 7995 } 7996 #endif /* MBEDTLS_SSL_SRV_C */ 7997 7998 /* Clear existing peer CRT structure in case we tried to 7999 * reuse a session but it failed, and allocate a new one. */ 8000 ssl_clear_peer_cert(ssl->session_negotiate); 8001 8002 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 8003 if (chain == NULL) { 8004 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", 8005 sizeof(mbedtls_x509_crt))); 8006 mbedtls_ssl_send_alert_message(ssl, 8007 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8008 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 8009 8010 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 8011 goto exit; 8012 } 8013 mbedtls_x509_crt_init(chain); 8014 8015 ret = ssl_parse_certificate_chain(ssl, chain); 8016 if (ret != 0) { 8017 goto exit; 8018 } 8019 8020 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 8021 if (ssl->handshake->ecrs_enabled) { 8022 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify; 8023 } 8024 8025 crt_verify: 8026 if (ssl->handshake->ecrs_enabled) { 8027 rs_ctx = &ssl->handshake->ecrs_ctx; 8028 } 8029 #endif 8030 8031 ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain, 8032 ssl->handshake->ciphersuite_info, 8033 rs_ctx); 8034 if (ret != 0) { 8035 goto exit; 8036 } 8037 8038 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 8039 { 8040 unsigned char *crt_start, *pk_start; 8041 size_t crt_len, pk_len; 8042 8043 /* We parse the CRT chain without copying, so 8044 * these pointers point into the input buffer, 8045 * and are hence still valid after freeing the 8046 * CRT chain. */ 8047 8048 crt_start = chain->raw.p; 8049 crt_len = chain->raw.len; 8050 8051 pk_start = chain->pk_raw.p; 8052 pk_len = chain->pk_raw.len; 8053 8054 /* Free the CRT structures before computing 8055 * digest and copying the peer's public key. */ 8056 mbedtls_x509_crt_free(chain); 8057 mbedtls_free(chain); 8058 chain = NULL; 8059 8060 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len); 8061 if (ret != 0) { 8062 goto exit; 8063 } 8064 8065 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len); 8066 if (ret != 0) { 8067 goto exit; 8068 } 8069 } 8070 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 8071 /* Pass ownership to session structure. */ 8072 ssl->session_negotiate->peer_cert = chain; 8073 chain = NULL; 8074 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 8075 8076 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate")); 8077 8078 exit: 8079 8080 if (ret == 0) { 8081 ssl->state++; 8082 } 8083 8084 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 8085 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) { 8086 ssl->handshake->ecrs_peer_cert = chain; 8087 chain = NULL; 8088 } 8089 #endif 8090 8091 if (chain != NULL) { 8092 mbedtls_x509_crt_free(chain); 8093 mbedtls_free(chain); 8094 } 8095 8096 return ret; 8097 } 8098 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 8099 8100 static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx, 8101 unsigned char *padbuf, size_t hlen, 8102 unsigned char *buf, int from) 8103 { 8104 unsigned int len = 12; 8105 const char *sender; 8106 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8107 psa_status_t status; 8108 psa_hash_operation_t *hs_op = ctx; 8109 psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT; 8110 size_t hash_size; 8111 #else 8112 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 8113 mbedtls_md_context_t *hs_ctx = ctx; 8114 mbedtls_md_context_t cloned_ctx; 8115 mbedtls_md_init(&cloned_ctx); 8116 #endif 8117 8118 mbedtls_ssl_session *session = ssl->session_negotiate; 8119 if (!session) { 8120 session = ssl->session; 8121 } 8122 8123 sender = (from == MBEDTLS_SSL_IS_CLIENT) 8124 ? "client finished" 8125 : "server finished"; 8126 8127 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8128 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls")); 8129 8130 status = psa_hash_clone(hs_op, &cloned_op); 8131 if (status != PSA_SUCCESS) { 8132 goto exit; 8133 } 8134 8135 status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size); 8136 if (status != PSA_SUCCESS) { 8137 goto exit; 8138 } 8139 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen); 8140 #else 8141 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls")); 8142 8143 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0); 8144 if (ret != 0) { 8145 goto exit; 8146 } 8147 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx); 8148 if (ret != 0) { 8149 goto exit; 8150 } 8151 8152 ret = mbedtls_md_finish(&cloned_ctx, padbuf); 8153 if (ret != 0) { 8154 goto exit; 8155 } 8156 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8157 8158 MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen); 8159 8160 /* 8161 * TLSv1.2: 8162 * hash = PRF( master, finished_label, 8163 * Hash( handshake ) )[0.11] 8164 */ 8165 ssl->handshake->tls_prf(session->master, 48, sender, 8166 padbuf, hlen, buf, len); 8167 8168 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len); 8169 8170 mbedtls_platform_zeroize(padbuf, hlen); 8171 8172 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); 8173 8174 exit: 8175 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8176 psa_hash_abort(&cloned_op); 8177 return mbedtls_md_error_from_psa(status); 8178 #else 8179 mbedtls_md_free(&cloned_ctx); 8180 return ret; 8181 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8182 } 8183 8184 #if defined(MBEDTLS_MD_CAN_SHA256) 8185 static int ssl_calc_finished_tls_sha256( 8186 mbedtls_ssl_context *ssl, unsigned char *buf, int from) 8187 { 8188 unsigned char padbuf[32]; 8189 return ssl_calc_finished_tls_generic(ssl, 8190 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8191 &ssl->handshake->fin_sha256_psa, 8192 #else 8193 &ssl->handshake->fin_sha256, 8194 #endif 8195 padbuf, sizeof(padbuf), 8196 buf, from); 8197 } 8198 #endif /* MBEDTLS_MD_CAN_SHA256*/ 8199 8200 8201 #if defined(MBEDTLS_MD_CAN_SHA384) 8202 static int ssl_calc_finished_tls_sha384( 8203 mbedtls_ssl_context *ssl, unsigned char *buf, int from) 8204 { 8205 unsigned char padbuf[48]; 8206 return ssl_calc_finished_tls_generic(ssl, 8207 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8208 &ssl->handshake->fin_sha384_psa, 8209 #else 8210 &ssl->handshake->fin_sha384, 8211 #endif 8212 padbuf, sizeof(padbuf), 8213 buf, from); 8214 } 8215 #endif /* MBEDTLS_MD_CAN_SHA384*/ 8216 8217 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl) 8218 { 8219 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free")); 8220 8221 /* 8222 * Free our handshake params 8223 */ 8224 mbedtls_ssl_handshake_free(ssl); 8225 mbedtls_free(ssl->handshake); 8226 ssl->handshake = NULL; 8227 8228 /* 8229 * Free the previous transform and switch in the current one 8230 */ 8231 if (ssl->transform) { 8232 mbedtls_ssl_transform_free(ssl->transform); 8233 mbedtls_free(ssl->transform); 8234 } 8235 ssl->transform = ssl->transform_negotiate; 8236 ssl->transform_negotiate = NULL; 8237 8238 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free")); 8239 } 8240 8241 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl) 8242 { 8243 int resume = ssl->handshake->resume; 8244 8245 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup")); 8246 8247 #if defined(MBEDTLS_SSL_RENEGOTIATION) 8248 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 8249 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; 8250 ssl->renego_records_seen = 0; 8251 } 8252 #endif 8253 8254 /* 8255 * Free the previous session and switch in the current one 8256 */ 8257 if (ssl->session) { 8258 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 8259 /* RFC 7366 3.1: keep the EtM state */ 8260 ssl->session_negotiate->encrypt_then_mac = 8261 ssl->session->encrypt_then_mac; 8262 #endif 8263 8264 mbedtls_ssl_session_free(ssl->session); 8265 mbedtls_free(ssl->session); 8266 } 8267 ssl->session = ssl->session_negotiate; 8268 ssl->session_negotiate = NULL; 8269 8270 /* 8271 * Add cache entry 8272 */ 8273 if (ssl->conf->f_set_cache != NULL && 8274 ssl->session->id_len != 0 && 8275 resume == 0) { 8276 if (ssl->conf->f_set_cache(ssl->conf->p_cache, 8277 ssl->session->id, 8278 ssl->session->id_len, 8279 ssl->session) != 0) { 8280 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session")); 8281 } 8282 } 8283 8284 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8285 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 8286 ssl->handshake->flight != NULL) { 8287 /* Cancel handshake timer */ 8288 mbedtls_ssl_set_timer(ssl, 0); 8289 8290 /* Keep last flight around in case we need to resend it: 8291 * we need the handshake and transform structures for that */ 8292 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform")); 8293 } else 8294 #endif 8295 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl); 8296 8297 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; 8298 8299 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup")); 8300 } 8301 8302 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl) 8303 { 8304 int ret; 8305 unsigned int hash_len; 8306 8307 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished")); 8308 8309 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate); 8310 8311 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint); 8312 if (ret != 0) { 8313 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); 8314 } 8315 8316 /* 8317 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites 8318 * may define some other value. Currently (early 2016), no defined 8319 * ciphersuite does this (and this is unlikely to change as activity has 8320 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here. 8321 */ 8322 hash_len = 12; 8323 8324 #if defined(MBEDTLS_SSL_RENEGOTIATION) 8325 ssl->verify_data_len = hash_len; 8326 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len); 8327 #endif 8328 8329 ssl->out_msglen = 4 + hash_len; 8330 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 8331 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; 8332 8333 /* 8334 * In case of session resuming, invert the client and server 8335 * ChangeCipherSpec messages order. 8336 */ 8337 if (ssl->handshake->resume != 0) { 8338 #if defined(MBEDTLS_SSL_CLI_C) 8339 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 8340 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 8341 } 8342 #endif 8343 #if defined(MBEDTLS_SSL_SRV_C) 8344 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 8345 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 8346 } 8347 #endif 8348 } else { 8349 ssl->state++; 8350 } 8351 8352 /* 8353 * Switch to our negotiated transform and session parameters for outbound 8354 * data. 8355 */ 8356 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data")); 8357 8358 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8359 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8360 unsigned char i; 8361 8362 /* Remember current epoch settings for resending */ 8363 ssl->handshake->alt_transform_out = ssl->transform_out; 8364 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8365 sizeof(ssl->handshake->alt_out_ctr)); 8366 8367 /* Set sequence_number to zero */ 8368 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2); 8369 8370 8371 /* Increment epoch */ 8372 for (i = 2; i > 0; i--) { 8373 if (++ssl->cur_out_ctr[i - 1] != 0) { 8374 break; 8375 } 8376 } 8377 8378 /* The loop goes to its end iff the counter is wrapping */ 8379 if (i == 0) { 8380 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap")); 8381 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING; 8382 } 8383 } else 8384 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 8385 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr)); 8386 8387 ssl->transform_out = ssl->transform_negotiate; 8388 ssl->session_out = ssl->session_negotiate; 8389 8390 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8391 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8392 mbedtls_ssl_send_flight_completed(ssl); 8393 } 8394 #endif 8395 8396 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 8397 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 8398 return ret; 8399 } 8400 8401 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8402 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 8403 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 8404 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); 8405 return ret; 8406 } 8407 #endif 8408 8409 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished")); 8410 8411 return 0; 8412 } 8413 8414 #define SSL_MAX_HASH_LEN 12 8415 8416 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl) 8417 { 8418 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 8419 unsigned int hash_len = 12; 8420 unsigned char buf[SSL_MAX_HASH_LEN]; 8421 8422 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished")); 8423 8424 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1); 8425 if (ret != 0) { 8426 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); 8427 } 8428 8429 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 8430 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 8431 goto exit; 8432 } 8433 8434 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 8435 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8436 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8437 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 8438 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 8439 goto exit; 8440 } 8441 8442 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) { 8443 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8444 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 8445 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 8446 goto exit; 8447 } 8448 8449 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) { 8450 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8451 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8452 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 8453 ret = MBEDTLS_ERR_SSL_DECODE_ERROR; 8454 goto exit; 8455 } 8456 8457 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), 8458 buf, hash_len) != 0) { 8459 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8460 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8461 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); 8462 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 8463 goto exit; 8464 } 8465 8466 #if defined(MBEDTLS_SSL_RENEGOTIATION) 8467 ssl->verify_data_len = hash_len; 8468 memcpy(ssl->peer_verify_data, buf, hash_len); 8469 #endif 8470 8471 if (ssl->handshake->resume != 0) { 8472 #if defined(MBEDTLS_SSL_CLI_C) 8473 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 8474 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 8475 } 8476 #endif 8477 #if defined(MBEDTLS_SSL_SRV_C) 8478 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 8479 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 8480 } 8481 #endif 8482 } else { 8483 ssl->state++; 8484 } 8485 8486 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8487 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8488 mbedtls_ssl_recv_flight_completed(ssl); 8489 } 8490 #endif 8491 8492 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished")); 8493 8494 exit: 8495 mbedtls_platform_zeroize(buf, hash_len); 8496 return ret; 8497 } 8498 8499 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 8500 /* 8501 * Helper to get TLS 1.2 PRF from ciphersuite 8502 * (Duplicates bits of logic from ssl_set_handshake_prfs().) 8503 */ 8504 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id) 8505 { 8506 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = 8507 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id); 8508 #if defined(MBEDTLS_MD_CAN_SHA384) 8509 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 8510 return tls_prf_sha384; 8511 } else 8512 #endif 8513 #if defined(MBEDTLS_MD_CAN_SHA256) 8514 { 8515 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) { 8516 return tls_prf_sha256; 8517 } 8518 } 8519 #endif 8520 #if !defined(MBEDTLS_MD_CAN_SHA384) && \ 8521 !defined(MBEDTLS_MD_CAN_SHA256) 8522 (void) ciphersuite_info; 8523 #endif 8524 8525 return NULL; 8526 } 8527 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 8528 8529 static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf) 8530 { 8531 ((void) tls_prf); 8532 #if defined(MBEDTLS_MD_CAN_SHA384) 8533 if (tls_prf == tls_prf_sha384) { 8534 return MBEDTLS_SSL_TLS_PRF_SHA384; 8535 } else 8536 #endif 8537 #if defined(MBEDTLS_MD_CAN_SHA256) 8538 if (tls_prf == tls_prf_sha256) { 8539 return MBEDTLS_SSL_TLS_PRF_SHA256; 8540 } else 8541 #endif 8542 return MBEDTLS_SSL_TLS_PRF_NONE; 8543 } 8544 8545 /* 8546 * Populate a transform structure with session keys and all the other 8547 * necessary information. 8548 * 8549 * Parameters: 8550 * - [in/out]: transform: structure to populate 8551 * [in] must be just initialised with mbedtls_ssl_transform_init() 8552 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf() 8553 * - [in] ciphersuite 8554 * - [in] master 8555 * - [in] encrypt_then_mac 8556 * - [in] tls_prf: pointer to PRF to use for key derivation 8557 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random 8558 * - [in] tls_version: TLS version 8559 * - [in] endpoint: client or server 8560 * - [in] ssl: used for: 8561 * - ssl->conf->{f,p}_export_keys 8562 * [in] optionally used for: 8563 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg 8564 */ 8565 MBEDTLS_CHECK_RETURN_CRITICAL 8566 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, 8567 int ciphersuite, 8568 const unsigned char master[48], 8569 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8570 int encrypt_then_mac, 8571 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8572 ssl_tls_prf_t tls_prf, 8573 const unsigned char randbytes[64], 8574 mbedtls_ssl_protocol_version tls_version, 8575 unsigned endpoint, 8576 const mbedtls_ssl_context *ssl) 8577 { 8578 int ret = 0; 8579 unsigned char keyblk[256]; 8580 unsigned char *key1; 8581 unsigned char *key2; 8582 unsigned char *mac_enc; 8583 unsigned char *mac_dec; 8584 size_t mac_key_len = 0; 8585 size_t iv_copy_len; 8586 size_t keylen; 8587 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 8588 mbedtls_ssl_mode_t ssl_mode; 8589 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 8590 const mbedtls_cipher_info_t *cipher_info; 8591 const mbedtls_md_info_t *md_info; 8592 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 8593 8594 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8595 psa_key_type_t key_type; 8596 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8597 psa_algorithm_t alg; 8598 psa_algorithm_t mac_alg = 0; 8599 size_t key_bits; 8600 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8601 #endif 8602 8603 /* 8604 * Some data just needs copying into the structure 8605 */ 8606 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8607 transform->encrypt_then_mac = encrypt_then_mac; 8608 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8609 transform->tls_version = tls_version; 8610 8611 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 8612 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes)); 8613 #endif 8614 8615 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 8616 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 8617 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform 8618 * generation separate. This should never happen. */ 8619 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8620 } 8621 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 8622 8623 /* 8624 * Get various info structures 8625 */ 8626 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite); 8627 if (ciphersuite_info == NULL) { 8628 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found", 8629 ciphersuite)); 8630 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8631 } 8632 8633 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite( 8634 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8635 encrypt_then_mac, 8636 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8637 ciphersuite_info); 8638 8639 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { 8640 transform->taglen = 8641 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 8642 } 8643 8644 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8645 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher, 8646 transform->taglen, 8647 &alg, 8648 &key_type, 8649 &key_bits)) != PSA_SUCCESS) { 8650 ret = PSA_TO_MBEDTLS_ERR(status); 8651 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret); 8652 goto end; 8653 } 8654 #else 8655 cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher); 8656 if (cipher_info == NULL) { 8657 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found", 8658 ciphersuite_info->cipher)); 8659 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8660 } 8661 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8662 8663 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8664 mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac); 8665 if (mac_alg == 0) { 8666 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found", 8667 (unsigned) ciphersuite_info->mac)); 8668 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8669 } 8670 #else 8671 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac); 8672 if (md_info == NULL) { 8673 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found", 8674 (unsigned) ciphersuite_info->mac)); 8675 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8676 } 8677 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8678 8679 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 8680 /* Copy own and peer's CID if the use of the CID 8681 * extension has been negotiated. */ 8682 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) { 8683 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform")); 8684 8685 transform->in_cid_len = ssl->own_cid_len; 8686 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len); 8687 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid, 8688 transform->in_cid_len); 8689 8690 transform->out_cid_len = ssl->handshake->peer_cid_len; 8691 memcpy(transform->out_cid, ssl->handshake->peer_cid, 8692 ssl->handshake->peer_cid_len); 8693 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid, 8694 transform->out_cid_len); 8695 } 8696 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 8697 8698 /* 8699 * Compute key block using the PRF 8700 */ 8701 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256); 8702 if (ret != 0) { 8703 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); 8704 return ret; 8705 } 8706 8707 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s", 8708 mbedtls_ssl_get_ciphersuite_name(ciphersuite))); 8709 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48); 8710 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64); 8711 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256); 8712 8713 /* 8714 * Determine the appropriate key, IV and MAC length. 8715 */ 8716 8717 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8718 keylen = PSA_BITS_TO_BYTES(key_bits); 8719 #else 8720 keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8; 8721 #endif 8722 8723 #if defined(MBEDTLS_SSL_HAVE_AEAD) 8724 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { 8725 size_t explicit_ivlen; 8726 8727 transform->maclen = 0; 8728 mac_key_len = 0; 8729 8730 /* All modes haves 96-bit IVs, but the length of the static parts vary 8731 * with mode and version: 8732 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes 8733 * (to be concatenated with a dynamically chosen IV of 8 Bytes) 8734 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's 8735 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record 8736 * sequence number). 8737 */ 8738 transform->ivlen = 12; 8739 8740 int is_chachapoly = 0; 8741 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8742 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20); 8743 #else 8744 is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info) 8745 == MBEDTLS_MODE_CHACHAPOLY); 8746 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8747 8748 if (is_chachapoly) { 8749 transform->fixed_ivlen = 12; 8750 } else { 8751 transform->fixed_ivlen = 4; 8752 } 8753 8754 /* Minimum length of encrypted record */ 8755 explicit_ivlen = transform->ivlen - transform->fixed_ivlen; 8756 transform->minlen = explicit_ivlen + transform->taglen; 8757 } else 8758 #endif /* MBEDTLS_SSL_HAVE_AEAD */ 8759 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 8760 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM || 8761 ssl_mode == MBEDTLS_SSL_MODE_CBC || 8762 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { 8763 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8764 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type); 8765 #else 8766 size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info); 8767 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8768 8769 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8770 /* Get MAC length */ 8771 mac_key_len = PSA_HASH_LENGTH(mac_alg); 8772 #else 8773 /* Initialize HMAC contexts */ 8774 if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 || 8775 (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) { 8776 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); 8777 goto end; 8778 } 8779 8780 /* Get MAC length */ 8781 mac_key_len = mbedtls_md_get_size(md_info); 8782 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8783 transform->maclen = mac_key_len; 8784 8785 /* IV length */ 8786 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8787 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg); 8788 #else 8789 transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info); 8790 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8791 8792 /* Minimum length */ 8793 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) { 8794 transform->minlen = transform->maclen; 8795 } else { 8796 /* 8797 * GenericBlockCipher: 8798 * 1. if EtM is in use: one block plus MAC 8799 * otherwise: * first multiple of blocklen greater than maclen 8800 * 2. IV 8801 */ 8802 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 8803 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { 8804 transform->minlen = transform->maclen 8805 + block_size; 8806 } else 8807 #endif 8808 { 8809 transform->minlen = transform->maclen 8810 + block_size 8811 - transform->maclen % block_size; 8812 } 8813 8814 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 8815 transform->minlen += transform->ivlen; 8816 } else { 8817 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 8818 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8819 goto end; 8820 } 8821 } 8822 } else 8823 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 8824 { 8825 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 8826 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8827 } 8828 8829 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u", 8830 (unsigned) keylen, 8831 (unsigned) transform->minlen, 8832 (unsigned) transform->ivlen, 8833 (unsigned) transform->maclen)); 8834 8835 /* 8836 * Finally setup the cipher contexts, IVs and MAC secrets. 8837 */ 8838 #if defined(MBEDTLS_SSL_CLI_C) 8839 if (endpoint == MBEDTLS_SSL_IS_CLIENT) { 8840 key1 = keyblk + mac_key_len * 2; 8841 key2 = keyblk + mac_key_len * 2 + keylen; 8842 8843 mac_enc = keyblk; 8844 mac_dec = keyblk + mac_key_len; 8845 8846 iv_copy_len = (transform->fixed_ivlen) ? 8847 transform->fixed_ivlen : transform->ivlen; 8848 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len); 8849 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len, 8850 iv_copy_len); 8851 } else 8852 #endif /* MBEDTLS_SSL_CLI_C */ 8853 #if defined(MBEDTLS_SSL_SRV_C) 8854 if (endpoint == MBEDTLS_SSL_IS_SERVER) { 8855 key1 = keyblk + mac_key_len * 2 + keylen; 8856 key2 = keyblk + mac_key_len * 2; 8857 8858 mac_enc = keyblk + mac_key_len; 8859 mac_dec = keyblk; 8860 8861 iv_copy_len = (transform->fixed_ivlen) ? 8862 transform->fixed_ivlen : transform->ivlen; 8863 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len); 8864 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len, 8865 iv_copy_len); 8866 } else 8867 #endif /* MBEDTLS_SSL_SRV_C */ 8868 { 8869 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 8870 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8871 goto end; 8872 } 8873 8874 if (ssl->f_export_keys != NULL) { 8875 ssl->f_export_keys(ssl->p_export_keys, 8876 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET, 8877 master, 48, 8878 randbytes + 32, 8879 randbytes, 8880 tls_prf_get_type(tls_prf)); 8881 } 8882 8883 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8884 transform->psa_alg = alg; 8885 8886 if (alg != MBEDTLS_SSL_NULL_CIPHER) { 8887 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 8888 psa_set_key_algorithm(&attributes, alg); 8889 psa_set_key_type(&attributes, key_type); 8890 8891 if ((status = psa_import_key(&attributes, 8892 key1, 8893 PSA_BITS_TO_BYTES(key_bits), 8894 &transform->psa_key_enc)) != PSA_SUCCESS) { 8895 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status); 8896 ret = PSA_TO_MBEDTLS_ERR(status); 8897 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); 8898 goto end; 8899 } 8900 8901 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 8902 8903 if ((status = psa_import_key(&attributes, 8904 key2, 8905 PSA_BITS_TO_BYTES(key_bits), 8906 &transform->psa_key_dec)) != PSA_SUCCESS) { 8907 ret = PSA_TO_MBEDTLS_ERR(status); 8908 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); 8909 goto end; 8910 } 8911 } 8912 #else 8913 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc, 8914 cipher_info)) != 0) { 8915 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); 8916 goto end; 8917 } 8918 8919 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec, 8920 cipher_info)) != 0) { 8921 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); 8922 goto end; 8923 } 8924 8925 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1, 8926 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), 8927 MBEDTLS_ENCRYPT)) != 0) { 8928 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); 8929 goto end; 8930 } 8931 8932 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2, 8933 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), 8934 MBEDTLS_DECRYPT)) != 0) { 8935 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); 8936 goto end; 8937 } 8938 8939 #if defined(MBEDTLS_CIPHER_MODE_CBC) 8940 if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) { 8941 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc, 8942 MBEDTLS_PADDING_NONE)) != 0) { 8943 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); 8944 goto end; 8945 } 8946 8947 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec, 8948 MBEDTLS_PADDING_NONE)) != 0) { 8949 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); 8950 goto end; 8951 } 8952 } 8953 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 8954 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8955 8956 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 8957 /* For HMAC-based ciphersuites, initialize the HMAC transforms. 8958 For AEAD-based ciphersuites, there is nothing to do here. */ 8959 if (mac_key_len != 0) { 8960 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8961 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg); 8962 8963 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); 8964 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg)); 8965 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); 8966 8967 if ((status = psa_import_key(&attributes, 8968 mac_enc, mac_key_len, 8969 &transform->psa_mac_enc)) != PSA_SUCCESS) { 8970 ret = PSA_TO_MBEDTLS_ERR(status); 8971 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); 8972 goto end; 8973 } 8974 8975 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) || 8976 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING) 8977 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8978 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) 8979 #endif 8980 )) { 8981 /* mbedtls_ct_hmac() requires the key to be exportable */ 8982 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT | 8983 PSA_KEY_USAGE_VERIFY_HASH); 8984 } else { 8985 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 8986 } 8987 8988 if ((status = psa_import_key(&attributes, 8989 mac_dec, mac_key_len, 8990 &transform->psa_mac_dec)) != PSA_SUCCESS) { 8991 ret = PSA_TO_MBEDTLS_ERR(status); 8992 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); 8993 goto end; 8994 } 8995 #else 8996 ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len); 8997 if (ret != 0) { 8998 goto end; 8999 } 9000 ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len); 9001 if (ret != 0) { 9002 goto end; 9003 } 9004 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 9005 } 9006 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 9007 9008 ((void) mac_dec); 9009 ((void) mac_enc); 9010 9011 end: 9012 mbedtls_platform_zeroize(keyblk, sizeof(keyblk)); 9013 return ret; 9014 } 9015 9016 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 9017 defined(MBEDTLS_USE_PSA_CRYPTO) 9018 int mbedtls_psa_ecjpake_read_round( 9019 psa_pake_operation_t *pake_ctx, 9020 const unsigned char *buf, 9021 size_t len, mbedtls_ecjpake_rounds_t round) 9022 { 9023 psa_status_t status; 9024 size_t input_offset = 0; 9025 /* 9026 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice 9027 * At round two perform a single cycle 9028 */ 9029 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; 9030 9031 for (; remaining_steps > 0; remaining_steps--) { 9032 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; 9033 step <= PSA_PAKE_STEP_ZK_PROOF; 9034 ++step) { 9035 /* Length is stored at the first byte */ 9036 size_t length = buf[input_offset]; 9037 input_offset += 1; 9038 9039 if (input_offset + length > len) { 9040 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 9041 } 9042 9043 status = psa_pake_input(pake_ctx, step, 9044 buf + input_offset, length); 9045 if (status != PSA_SUCCESS) { 9046 return PSA_TO_MBEDTLS_ERR(status); 9047 } 9048 9049 input_offset += length; 9050 } 9051 } 9052 9053 if (input_offset != len) { 9054 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 9055 } 9056 9057 return 0; 9058 } 9059 9060 int mbedtls_psa_ecjpake_write_round( 9061 psa_pake_operation_t *pake_ctx, 9062 unsigned char *buf, 9063 size_t len, size_t *olen, 9064 mbedtls_ecjpake_rounds_t round) 9065 { 9066 psa_status_t status; 9067 size_t output_offset = 0; 9068 size_t output_len; 9069 /* 9070 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice 9071 * At round two perform a single cycle 9072 */ 9073 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; 9074 9075 for (; remaining_steps > 0; remaining_steps--) { 9076 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; 9077 step <= PSA_PAKE_STEP_ZK_PROOF; 9078 ++step) { 9079 /* 9080 * For each step, prepend 1 byte with the length of the data as 9081 * given by psa_pake_output(). 9082 */ 9083 status = psa_pake_output(pake_ctx, step, 9084 buf + output_offset + 1, 9085 len - output_offset - 1, 9086 &output_len); 9087 if (status != PSA_SUCCESS) { 9088 return PSA_TO_MBEDTLS_ERR(status); 9089 } 9090 9091 *(buf + output_offset) = (uint8_t) output_len; 9092 9093 output_offset += output_len + 1; 9094 } 9095 } 9096 9097 *olen = output_offset; 9098 9099 return 0; 9100 } 9101 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO 9102 9103 #if defined(MBEDTLS_USE_PSA_CRYPTO) 9104 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 9105 unsigned char *hash, size_t *hashlen, 9106 unsigned char *data, size_t data_len, 9107 mbedtls_md_type_t md_alg) 9108 { 9109 psa_status_t status; 9110 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT; 9111 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg); 9112 9113 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange")); 9114 9115 if ((status = psa_hash_setup(&hash_operation, 9116 hash_alg)) != PSA_SUCCESS) { 9117 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status); 9118 goto exit; 9119 } 9120 9121 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes, 9122 64)) != PSA_SUCCESS) { 9123 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); 9124 goto exit; 9125 } 9126 9127 if ((status = psa_hash_update(&hash_operation, 9128 data, data_len)) != PSA_SUCCESS) { 9129 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); 9130 goto exit; 9131 } 9132 9133 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE, 9134 hashlen)) != PSA_SUCCESS) { 9135 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status); 9136 goto exit; 9137 } 9138 9139 exit: 9140 if (status != PSA_SUCCESS) { 9141 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 9142 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 9143 switch (status) { 9144 case PSA_ERROR_NOT_SUPPORTED: 9145 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE; 9146 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */ 9147 case PSA_ERROR_BUFFER_TOO_SMALL: 9148 return MBEDTLS_ERR_MD_BAD_INPUT_DATA; 9149 case PSA_ERROR_INSUFFICIENT_MEMORY: 9150 return MBEDTLS_ERR_MD_ALLOC_FAILED; 9151 default: 9152 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 9153 } 9154 } 9155 return 0; 9156 } 9157 9158 #else 9159 9160 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 9161 unsigned char *hash, size_t *hashlen, 9162 unsigned char *data, size_t data_len, 9163 mbedtls_md_type_t md_alg) 9164 { 9165 int ret = 0; 9166 mbedtls_md_context_t ctx; 9167 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg); 9168 *hashlen = mbedtls_md_get_size(md_info); 9169 9170 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange")); 9171 9172 mbedtls_md_init(&ctx); 9173 9174 /* 9175 * digitally-signed struct { 9176 * opaque client_random[32]; 9177 * opaque server_random[32]; 9178 * ServerDHParams params; 9179 * }; 9180 */ 9181 if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) { 9182 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); 9183 goto exit; 9184 } 9185 if ((ret = mbedtls_md_starts(&ctx)) != 0) { 9186 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret); 9187 goto exit; 9188 } 9189 if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) { 9190 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); 9191 goto exit; 9192 } 9193 if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) { 9194 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); 9195 goto exit; 9196 } 9197 if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) { 9198 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 9199 goto exit; 9200 } 9201 9202 exit: 9203 mbedtls_md_free(&ctx); 9204 9205 if (ret != 0) { 9206 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 9207 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 9208 } 9209 9210 return ret; 9211 } 9212 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 9213 9214 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 9215 9216 /* Find the preferred hash for a given signature algorithm. */ 9217 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 9218 mbedtls_ssl_context *ssl, 9219 unsigned int sig_alg) 9220 { 9221 unsigned int i; 9222 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; 9223 9224 if (sig_alg == MBEDTLS_SSL_SIG_ANON) { 9225 return MBEDTLS_SSL_HASH_NONE; 9226 } 9227 9228 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { 9229 unsigned int hash_alg_received = 9230 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG( 9231 received_sig_algs[i]); 9232 unsigned int sig_alg_received = 9233 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG( 9234 received_sig_algs[i]); 9235 9236 mbedtls_md_type_t md_alg = 9237 mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received); 9238 if (md_alg == MBEDTLS_MD_NONE) { 9239 continue; 9240 } 9241 9242 if (sig_alg == sig_alg_received) { 9243 #if defined(MBEDTLS_USE_PSA_CRYPTO) 9244 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) { 9245 psa_algorithm_t psa_hash_alg = 9246 mbedtls_md_psa_alg_from_type(md_alg); 9247 9248 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA && 9249 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, 9250 PSA_ALG_ECDSA(psa_hash_alg), 9251 PSA_KEY_USAGE_SIGN_HASH)) { 9252 continue; 9253 } 9254 9255 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA && 9256 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, 9257 PSA_ALG_RSA_PKCS1V15_SIGN( 9258 psa_hash_alg), 9259 PSA_KEY_USAGE_SIGN_HASH)) { 9260 continue; 9261 } 9262 } 9263 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 9264 9265 return hash_alg_received; 9266 } 9267 } 9268 9269 return MBEDTLS_SSL_HASH_NONE; 9270 } 9271 9272 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 9273 9274 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 9275 9276 int mbedtls_ssl_validate_ciphersuite( 9277 const mbedtls_ssl_context *ssl, 9278 const mbedtls_ssl_ciphersuite_t *suite_info, 9279 mbedtls_ssl_protocol_version min_tls_version, 9280 mbedtls_ssl_protocol_version max_tls_version) 9281 { 9282 (void) ssl; 9283 9284 if (suite_info == NULL) { 9285 return -1; 9286 } 9287 9288 if ((suite_info->min_tls_version > max_tls_version) || 9289 (suite_info->max_tls_version < min_tls_version)) { 9290 return -1; 9291 } 9292 9293 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C) 9294 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 9295 #if defined(MBEDTLS_USE_PSA_CRYPTO) 9296 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 9297 ssl->handshake->psa_pake_ctx_is_ok != 1) 9298 #else 9299 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 9300 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) 9301 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 9302 { 9303 return -1; 9304 } 9305 #endif 9306 9307 /* Don't suggest PSK-based ciphersuite if no PSK is available. */ 9308 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 9309 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) && 9310 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) { 9311 return -1; 9312 } 9313 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 9314 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 9315 9316 return 0; 9317 } 9318 9319 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 9320 /* 9321 * Function for writing a signature algorithm extension. 9322 * 9323 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList` 9324 * value (TLS 1.3 RFC8446): 9325 * enum { 9326 * .... 9327 * ecdsa_secp256r1_sha256( 0x0403 ), 9328 * ecdsa_secp384r1_sha384( 0x0503 ), 9329 * ecdsa_secp521r1_sha512( 0x0603 ), 9330 * .... 9331 * } SignatureScheme; 9332 * 9333 * struct { 9334 * SignatureScheme supported_signature_algorithms<2..2^16-2>; 9335 * } SignatureSchemeList; 9336 * 9337 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm` 9338 * value (TLS 1.2 RFC5246): 9339 * enum { 9340 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 9341 * sha512(6), (255) 9342 * } HashAlgorithm; 9343 * 9344 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 9345 * SignatureAlgorithm; 9346 * 9347 * struct { 9348 * HashAlgorithm hash; 9349 * SignatureAlgorithm signature; 9350 * } SignatureAndHashAlgorithm; 9351 * 9352 * SignatureAndHashAlgorithm 9353 * supported_signature_algorithms<2..2^16-2>; 9354 * 9355 * The TLS 1.3 signature algorithm extension was defined to be a compatible 9356 * generalization of the TLS 1.2 signature algorithm extension. 9357 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by 9358 * `SignatureScheme` field of TLS 1.3 9359 * 9360 */ 9361 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf, 9362 const unsigned char *end, size_t *out_len) 9363 { 9364 unsigned char *p = buf; 9365 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */ 9366 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */ 9367 9368 *out_len = 0; 9369 9370 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension")); 9371 9372 /* Check if we have space for header and length field: 9373 * - extension_type (2 bytes) 9374 * - extension_data_length (2 bytes) 9375 * - supported_signature_algorithms_length (2 bytes) 9376 */ 9377 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); 9378 p += 6; 9379 9380 /* 9381 * Write supported_signature_algorithms 9382 */ 9383 supported_sig_alg = p; 9384 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); 9385 if (sig_alg == NULL) { 9386 return MBEDTLS_ERR_SSL_BAD_CONFIG; 9387 } 9388 9389 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) { 9390 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s", 9391 *sig_alg, 9392 mbedtls_ssl_sig_alg_to_str(*sig_alg))); 9393 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) { 9394 continue; 9395 } 9396 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 9397 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0); 9398 p += 2; 9399 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s", 9400 *sig_alg, 9401 mbedtls_ssl_sig_alg_to_str(*sig_alg))); 9402 } 9403 9404 /* Length of supported_signature_algorithms */ 9405 supported_sig_alg_len = (size_t) (p - supported_sig_alg); 9406 if (supported_sig_alg_len == 0) { 9407 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined.")); 9408 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 9409 } 9410 9411 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0); 9412 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2); 9413 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4); 9414 9415 *out_len = (size_t) (p - buf); 9416 9417 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 9418 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG); 9419 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 9420 9421 return 0; 9422 } 9423 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 9424 9425 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 9426 /* 9427 * mbedtls_ssl_parse_server_name_ext 9428 * 9429 * Structure of server_name extension: 9430 * 9431 * enum { 9432 * host_name(0), (255) 9433 * } NameType; 9434 * opaque HostName<1..2^16-1>; 9435 * 9436 * struct { 9437 * NameType name_type; 9438 * select (name_type) { 9439 * case host_name: HostName; 9440 * } name; 9441 * } ServerName; 9442 * struct { 9443 * ServerName server_name_list<1..2^16-1> 9444 * } ServerNameList; 9445 */ 9446 MBEDTLS_CHECK_RETURN_CRITICAL 9447 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl, 9448 const unsigned char *buf, 9449 const unsigned char *end) 9450 { 9451 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 9452 const unsigned char *p = buf; 9453 size_t server_name_list_len, hostname_len; 9454 const unsigned char *server_name_list_end; 9455 9456 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension")); 9457 9458 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 9459 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0); 9460 p += 2; 9461 9462 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len); 9463 server_name_list_end = p + server_name_list_len; 9464 while (p < server_name_list_end) { 9465 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3); 9466 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1); 9467 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 9468 hostname_len + 3); 9469 9470 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) { 9471 /* sni_name is intended to be used only during the parsing of the 9472 * ClientHello message (it is reset to NULL before the end of 9473 * the message parsing). Thus it is ok to just point to the 9474 * reception buffer and not make a copy of it. 9475 */ 9476 ssl->handshake->sni_name = p + 3; 9477 ssl->handshake->sni_name_len = hostname_len; 9478 if (ssl->conf->f_sni == NULL) { 9479 return 0; 9480 } 9481 ret = ssl->conf->f_sni(ssl->conf->p_sni, 9482 ssl, p + 3, hostname_len); 9483 if (ret != 0) { 9484 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret); 9485 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME, 9486 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME); 9487 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME; 9488 } 9489 return 0; 9490 } 9491 9492 p += hostname_len + 3; 9493 } 9494 9495 return 0; 9496 } 9497 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 9498 9499 #if defined(MBEDTLS_SSL_ALPN) 9500 MBEDTLS_CHECK_RETURN_CRITICAL 9501 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, 9502 const unsigned char *buf, 9503 const unsigned char *end) 9504 { 9505 const unsigned char *p = buf; 9506 size_t protocol_name_list_len; 9507 const unsigned char *protocol_name_list; 9508 const unsigned char *protocol_name_list_end; 9509 size_t protocol_name_len; 9510 9511 /* If ALPN not configured, just ignore the extension */ 9512 if (ssl->conf->alpn_list == NULL) { 9513 return 0; 9514 } 9515 9516 /* 9517 * RFC7301, section 3.1 9518 * opaque ProtocolName<1..2^8-1>; 9519 * 9520 * struct { 9521 * ProtocolName protocol_name_list<2..2^16-1> 9522 * } ProtocolNameList; 9523 */ 9524 9525 /* 9526 * protocol_name_list_len 2 bytes 9527 * protocol_name_len 1 bytes 9528 * protocol_name >=1 byte 9529 */ 9530 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4); 9531 9532 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0); 9533 p += 2; 9534 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len); 9535 protocol_name_list = p; 9536 protocol_name_list_end = p + protocol_name_list_len; 9537 9538 /* Validate peer's list (lengths) */ 9539 while (p < protocol_name_list_end) { 9540 protocol_name_len = *p++; 9541 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 9542 protocol_name_len); 9543 if (protocol_name_len == 0) { 9544 MBEDTLS_SSL_PEND_FATAL_ALERT( 9545 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 9546 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 9547 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 9548 } 9549 9550 p += protocol_name_len; 9551 } 9552 9553 /* Use our order of preference */ 9554 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) { 9555 size_t const alpn_len = strlen(*alpn); 9556 p = protocol_name_list; 9557 while (p < protocol_name_list_end) { 9558 protocol_name_len = *p++; 9559 if (protocol_name_len == alpn_len && 9560 memcmp(p, *alpn, alpn_len) == 0) { 9561 ssl->alpn_chosen = *alpn; 9562 return 0; 9563 } 9564 9565 p += protocol_name_len; 9566 } 9567 } 9568 9569 /* If we get here, no match was found */ 9570 MBEDTLS_SSL_PEND_FATAL_ALERT( 9571 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL, 9572 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL); 9573 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL; 9574 } 9575 9576 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl, 9577 unsigned char *buf, 9578 unsigned char *end, 9579 size_t *out_len) 9580 { 9581 unsigned char *p = buf; 9582 size_t protocol_name_len; 9583 *out_len = 0; 9584 9585 if (ssl->alpn_chosen == NULL) { 9586 return 0; 9587 } 9588 9589 protocol_name_len = strlen(ssl->alpn_chosen); 9590 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len); 9591 9592 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension")); 9593 /* 9594 * 0 . 1 ext identifier 9595 * 2 . 3 ext length 9596 * 4 . 5 protocol list length 9597 * 6 . 6 protocol name length 9598 * 7 . 7+n protocol name 9599 */ 9600 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0); 9601 9602 *out_len = 7 + protocol_name_len; 9603 9604 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2); 9605 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4); 9606 /* Note: the length of the chosen protocol has been checked to be less 9607 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`. 9608 */ 9609 p[6] = MBEDTLS_BYTE_0(protocol_name_len); 9610 9611 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len); 9612 9613 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 9614 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN); 9615 #endif 9616 9617 return 0; 9618 } 9619 #endif /* MBEDTLS_SSL_ALPN */ 9620 9621 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 9622 defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 9623 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ 9624 defined(MBEDTLS_SSL_CLI_C) 9625 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, 9626 const char *hostname) 9627 { 9628 /* Initialize to suppress unnecessary compiler warning */ 9629 size_t hostname_len = 0; 9630 9631 /* Check if new hostname is valid before 9632 * making any change to current one */ 9633 if (hostname != NULL) { 9634 hostname_len = strlen(hostname); 9635 9636 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) { 9637 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9638 } 9639 } 9640 9641 /* Now it's clear that we will overwrite the old hostname, 9642 * so we can free it safely */ 9643 if (session->hostname != NULL) { 9644 mbedtls_zeroize_and_free(session->hostname, 9645 strlen(session->hostname)); 9646 } 9647 9648 /* Passing NULL as hostname shall clear the old one */ 9649 if (hostname == NULL) { 9650 session->hostname = NULL; 9651 } else { 9652 session->hostname = mbedtls_calloc(1, hostname_len + 1); 9653 if (session->hostname == NULL) { 9654 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 9655 } 9656 9657 memcpy(session->hostname, hostname, hostname_len); 9658 } 9659 9660 return 0; 9661 } 9662 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && 9663 MBEDTLS_SSL_SESSION_TICKETS && 9664 MBEDTLS_SSL_SERVER_NAME_INDICATION && 9665 MBEDTLS_SSL_CLI_C */ 9666 9667 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \ 9668 defined(MBEDTLS_SSL_ALPN) 9669 int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session, 9670 const char *alpn) 9671 { 9672 size_t alpn_len = 0; 9673 9674 if (alpn != NULL) { 9675 alpn_len = strlen(alpn); 9676 9677 if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) { 9678 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9679 } 9680 } 9681 9682 if (session->ticket_alpn != NULL) { 9683 mbedtls_zeroize_and_free(session->ticket_alpn, 9684 strlen(session->ticket_alpn)); 9685 session->ticket_alpn = NULL; 9686 } 9687 9688 if (alpn != NULL) { 9689 session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1); 9690 if (session->ticket_alpn == NULL) { 9691 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 9692 } 9693 memcpy(session->ticket_alpn, alpn, alpn_len); 9694 } 9695 9696 return 0; 9697 } 9698 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */ 9699 9700 /* 9701 * The following functions are used by 1.2 and 1.3, client and server. 9702 */ 9703 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 9704 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, 9705 const mbedtls_ssl_ciphersuite_t *ciphersuite, 9706 int recv_endpoint, 9707 mbedtls_ssl_protocol_version tls_version, 9708 uint32_t *flags) 9709 { 9710 int ret = 0; 9711 unsigned int usage = 0; 9712 const char *ext_oid; 9713 size_t ext_len; 9714 9715 /* 9716 * keyUsage 9717 */ 9718 9719 /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants 9720 * to check what a compliant client will think while choosing which cert 9721 * to send to the client. */ 9722 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 9723 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 9724 recv_endpoint == MBEDTLS_SSL_IS_CLIENT) { 9725 /* TLS 1.2 server part of the key exchange */ 9726 switch (ciphersuite->key_exchange) { 9727 case MBEDTLS_KEY_EXCHANGE_RSA: 9728 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 9729 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 9730 break; 9731 9732 case MBEDTLS_KEY_EXCHANGE_DHE_RSA: 9733 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: 9734 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: 9735 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 9736 break; 9737 9738 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: 9739 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: 9740 usage = MBEDTLS_X509_KU_KEY_AGREEMENT; 9741 break; 9742 9743 /* Don't use default: we want warnings when adding new values */ 9744 case MBEDTLS_KEY_EXCHANGE_NONE: 9745 case MBEDTLS_KEY_EXCHANGE_PSK: 9746 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 9747 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 9748 case MBEDTLS_KEY_EXCHANGE_ECJPAKE: 9749 usage = 0; 9750 } 9751 } else 9752 #endif 9753 { 9754 /* This is either TLS 1.3 authentication, which always uses signatures, 9755 * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only 9756 * options we implement, both using signatures. */ 9757 (void) tls_version; 9758 (void) ciphersuite; 9759 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 9760 } 9761 9762 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) { 9763 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; 9764 ret = -1; 9765 } 9766 9767 /* 9768 * extKeyUsage 9769 */ 9770 9771 if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) { 9772 ext_oid = MBEDTLS_OID_SERVER_AUTH; 9773 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); 9774 } else { 9775 ext_oid = MBEDTLS_OID_CLIENT_AUTH; 9776 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); 9777 } 9778 9779 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) { 9780 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; 9781 ret = -1; 9782 } 9783 9784 return ret; 9785 } 9786 9787 int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, 9788 int authmode, 9789 mbedtls_x509_crt *chain, 9790 const mbedtls_ssl_ciphersuite_t *ciphersuite_info, 9791 void *rs_ctx) 9792 { 9793 if (authmode == MBEDTLS_SSL_VERIFY_NONE) { 9794 return 0; 9795 } 9796 9797 /* 9798 * Primary check: use the appropriate X.509 verification function 9799 */ 9800 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); 9801 void *p_vrfy; 9802 if (ssl->f_vrfy != NULL) { 9803 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback")); 9804 f_vrfy = ssl->f_vrfy; 9805 p_vrfy = ssl->p_vrfy; 9806 } else { 9807 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback")); 9808 f_vrfy = ssl->conf->f_vrfy; 9809 p_vrfy = ssl->conf->p_vrfy; 9810 } 9811 9812 int ret = 0; 9813 int have_ca_chain_or_callback = 0; 9814 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 9815 if (ssl->conf->f_ca_cb != NULL) { 9816 ((void) rs_ctx); 9817 have_ca_chain_or_callback = 1; 9818 9819 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification")); 9820 ret = mbedtls_x509_crt_verify_with_ca_cb( 9821 chain, 9822 ssl->conf->f_ca_cb, 9823 ssl->conf->p_ca_cb, 9824 ssl->conf->cert_profile, 9825 ssl->hostname, 9826 &ssl->session_negotiate->verify_result, 9827 f_vrfy, p_vrfy); 9828 } else 9829 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 9830 { 9831 mbedtls_x509_crt *ca_chain; 9832 mbedtls_x509_crl *ca_crl; 9833 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 9834 if (ssl->handshake->sni_ca_chain != NULL) { 9835 ca_chain = ssl->handshake->sni_ca_chain; 9836 ca_crl = ssl->handshake->sni_ca_crl; 9837 } else 9838 #endif 9839 { 9840 ca_chain = ssl->conf->ca_chain; 9841 ca_crl = ssl->conf->ca_crl; 9842 } 9843 9844 if (ca_chain != NULL) { 9845 have_ca_chain_or_callback = 1; 9846 } 9847 9848 ret = mbedtls_x509_crt_verify_restartable( 9849 chain, 9850 ca_chain, ca_crl, 9851 ssl->conf->cert_profile, 9852 ssl->hostname, 9853 &ssl->session_negotiate->verify_result, 9854 f_vrfy, p_vrfy, rs_ctx); 9855 } 9856 9857 if (ret != 0) { 9858 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); 9859 } 9860 9861 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 9862 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 9863 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 9864 } 9865 #endif 9866 9867 /* 9868 * Secondary checks: always done, but change 'ret' only if it was 0 9869 */ 9870 9871 /* With TLS 1.2 and ECC certs, check that the curve used by the 9872 * certificate is on our list of acceptable curves. 9873 * 9874 * With TLS 1.3 this is not needed because the curve is part of the 9875 * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when 9876 * we validate the signature made with the key associated to this cert. 9877 */ 9878 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 9879 defined(MBEDTLS_PK_HAVE_ECC_KEYS) 9880 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 9881 mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) { 9882 if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) { 9883 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)")); 9884 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; 9885 if (ret == 0) { 9886 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 9887 } 9888 } 9889 } 9890 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_PK_HAVE_ECC_KEYS */ 9891 9892 /* Check X.509 usage extensions (keyUsage, extKeyUsage) */ 9893 if (mbedtls_ssl_check_cert_usage(chain, 9894 ciphersuite_info, 9895 ssl->conf->endpoint, 9896 ssl->tls_version, 9897 &ssl->session_negotiate->verify_result) != 0) { 9898 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); 9899 if (ret == 0) { 9900 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 9901 } 9902 } 9903 9904 /* With authmode optional, we want to keep going if the certificate was 9905 * unacceptable, but still fail on other errors (out of memory etc), 9906 * including fatal errors from the f_vrfy callback. 9907 * 9908 * The only acceptable errors are: 9909 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check; 9910 * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks. 9911 * Anything else is a fatal error. */ 9912 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && 9913 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || 9914 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) { 9915 ret = 0; 9916 } 9917 9918 /* Return a specific error as this is a user error: inconsistent 9919 * configuration - can't verify without trust anchors. */ 9920 if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { 9921 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); 9922 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; 9923 } 9924 9925 if (ret != 0) { 9926 uint8_t alert; 9927 9928 /* The certificate may have been rejected for several reasons. 9929 Pick one and send the corresponding alert. Which alert to send 9930 may be a subject of debate in some cases. */ 9931 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) { 9932 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; 9933 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) { 9934 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 9935 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) { 9936 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 9937 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) { 9938 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 9939 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) { 9940 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 9941 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) { 9942 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 9943 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) { 9944 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; 9945 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) { 9946 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; 9947 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) { 9948 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; 9949 } else { 9950 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; 9951 } 9952 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 9953 alert); 9954 } 9955 9956 #if defined(MBEDTLS_DEBUG_C) 9957 if (ssl->session_negotiate->verify_result != 0) { 9958 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x", 9959 (unsigned int) ssl->session_negotiate->verify_result)); 9960 } else { 9961 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear")); 9962 } 9963 #endif /* MBEDTLS_DEBUG_C */ 9964 9965 return ret; 9966 } 9967 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 9968 9969 #endif /* MBEDTLS_SSL_TLS_C */ 9970