ssl_tls.c 238 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151315231533154315531563157315831593160316131623163316431653166316731683169317031713172317331743175317631773178317931803181318231833184318531863187318831893190319131923193319431953196319731983199320032013202320332043205320632073208320932103211321232133214321532163217321832193220322132223223322432253226322732283229323032313232323332343235323632373238323932403241324232433244324532463247324832493250325132523253325432553256325732583259326032613262326332643265326632673268326932703271327232733274327532763277327832793280328132823283328432853286328732883289329032913292329332943295329632973298329933003301330233033304330533063307330833093310331133123313331433153316331733183319332033213322332333243325332633273328332933303331333233333334333533363337333833393340334133423343334433453346334733483349335033513352335333543355335633573358335933603361336233633364336533663367336833693370337133723373337433753376337733783379338033813382338333843385338633873388338933903391339233933394339533963397339833993400340134023403340434053406340734083409341034113412341334143415341634173418341934203421342234233424342534263427342834293430343134323433343434353436343734383439344034413442344334443445344634473448344934503451345234533454345534563457345834593460346134623463346434653466346734683469347034713472347334743475347634773478347934803481348234833484348534863487348834893490349134923493349434953496349734983499350035013502350335043505350635073508350935103511351235133514351535163517351835193520352135223523352435253526352735283529353035313532353335343535353635373538353935403541354235433544354535463547354835493550355135523553355435553556355735583559356035613562356335643565356635673568356935703571357235733574357535763577357835793580358135823583358435853586358735883589359035913592359335943595359635973598359936003601360236033604360536063607360836093610361136123613361436153616361736183619362036213622362336243625362636273628362936303631363236333634363536363637363836393640364136423643364436453646364736483649365036513652365336543655365636573658365936603661366236633664366536663667366836693670367136723673367436753676367736783679368036813682368336843685368636873688368936903691369236933694369536963697369836993700370137023703370437053706370737083709371037113712371337143715371637173718371937203721372237233724372537263727372837293730373137323733373437353736373737383739374037413742374337443745374637473748374937503751375237533754375537563757375837593760376137623763376437653766376737683769377037713772377337743775377637773778377937803781378237833784378537863787378837893790379137923793379437953796379737983799380038013802380338043805380638073808380938103811381238133814381538163817381838193820382138223823382438253826382738283829383038313832383338343835383638373838383938403841384238433844384538463847384838493850385138523853385438553856385738583859386038613862386338643865386638673868386938703871387238733874387538763877387838793880388138823883388438853886388738883889389038913892389338943895389638973898389939003901390239033904390539063907390839093910391139123913391439153916391739183919392039213922392339243925392639273928392939303931393239333934393539363937393839393940394139423943394439453946394739483949395039513952395339543955395639573958395939603961396239633964396539663967396839693970397139723973397439753976397739783979398039813982398339843985398639873988398939903991399239933994399539963997399839994000400140024003400440054006400740084009401040114012401340144015401640174018401940204021402240234024402540264027402840294030403140324033403440354036403740384039404040414042404340444045404640474048404940504051405240534054405540564057405840594060406140624063406440654066406740684069407040714072407340744075407640774078407940804081408240834084408540864087408840894090409140924093409440954096409740984099410041014102410341044105410641074108410941104111411241134114411541164117411841194120412141224123412441254126412741284129413041314132413341344135413641374138413941404141414241434144414541464147414841494150415141524153415441554156415741584159416041614162416341644165416641674168416941704171417241734174417541764177417841794180418141824183418441854186418741884189419041914192419341944195419641974198419942004201420242034204420542064207420842094210421142124213421442154216421742184219422042214222422342244225422642274228422942304231423242334234423542364237423842394240424142424243424442454246424742484249425042514252425342544255425642574258425942604261426242634264426542664267426842694270427142724273427442754276427742784279428042814282428342844285428642874288428942904291429242934294429542964297429842994300430143024303430443054306430743084309431043114312431343144315431643174318431943204321432243234324432543264327432843294330433143324333433443354336433743384339434043414342434343444345434643474348434943504351435243534354435543564357435843594360436143624363436443654366436743684369437043714372437343744375437643774378437943804381438243834384438543864387438843894390439143924393439443954396439743984399440044014402440344044405440644074408440944104411441244134414441544164417441844194420442144224423442444254426442744284429443044314432443344344435443644374438443944404441444244434444444544464447444844494450445144524453445444554456445744584459446044614462446344644465446644674468446944704471447244734474447544764477447844794480448144824483448444854486448744884489449044914492449344944495449644974498449945004501450245034504450545064507450845094510451145124513451445154516451745184519452045214522452345244525452645274528452945304531453245334534453545364537453845394540454145424543454445454546454745484549455045514552455345544555455645574558455945604561456245634564456545664567456845694570457145724573457445754576457745784579458045814582458345844585458645874588458945904591459245934594459545964597459845994600460146024603460446054606460746084609461046114612461346144615461646174618461946204621462246234624462546264627462846294630463146324633463446354636463746384639464046414642464346444645464646474648464946504651465246534654465546564657465846594660466146624663466446654666466746684669467046714672467346744675467646774678467946804681468246834684468546864687468846894690469146924693469446954696469746984699470047014702470347044705470647074708470947104711471247134714471547164717471847194720472147224723472447254726472747284729473047314732473347344735473647374738473947404741474247434744474547464747474847494750475147524753475447554756475747584759476047614762476347644765476647674768476947704771477247734774477547764777477847794780478147824783478447854786478747884789479047914792479347944795479647974798479948004801480248034804480548064807480848094810481148124813481448154816481748184819482048214822482348244825482648274828482948304831483248334834483548364837483848394840484148424843484448454846484748484849485048514852485348544855485648574858485948604861486248634864486548664867486848694870487148724873487448754876487748784879488048814882488348844885488648874888488948904891489248934894489548964897489848994900490149024903490449054906490749084909491049114912491349144915491649174918491949204921492249234924492549264927492849294930493149324933493449354936493749384939494049414942494349444945494649474948494949504951495249534954495549564957495849594960496149624963496449654966496749684969497049714972497349744975497649774978497949804981498249834984498549864987498849894990499149924993499449954996499749984999500050015002500350045005500650075008500950105011501250135014501550165017501850195020502150225023502450255026502750285029503050315032503350345035503650375038503950405041504250435044504550465047504850495050505150525053505450555056505750585059506050615062506350645065506650675068506950705071507250735074507550765077507850795080508150825083508450855086508750885089509050915092509350945095509650975098509951005101510251035104510551065107510851095110511151125113511451155116511751185119512051215122512351245125512651275128512951305131513251335134513551365137513851395140514151425143514451455146514751485149515051515152515351545155515651575158515951605161516251635164516551665167516851695170517151725173517451755176517751785179518051815182518351845185518651875188518951905191519251935194519551965197519851995200520152025203520452055206520752085209521052115212521352145215521652175218521952205221522252235224522552265227522852295230523152325233523452355236523752385239524052415242524352445245524652475248524952505251525252535254525552565257525852595260526152625263526452655266526752685269527052715272527352745275527652775278527952805281528252835284528552865287528852895290529152925293529452955296529752985299530053015302530353045305530653075308530953105311531253135314531553165317531853195320532153225323532453255326532753285329533053315332533353345335533653375338533953405341534253435344534553465347534853495350535153525353535453555356535753585359536053615362536353645365536653675368536953705371537253735374537553765377537853795380538153825383538453855386538753885389539053915392539353945395539653975398539954005401540254035404540554065407540854095410541154125413541454155416541754185419542054215422542354245425542654275428542954305431543254335434543554365437543854395440544154425443544454455446544754485449545054515452545354545455545654575458545954605461546254635464546554665467546854695470547154725473547454755476547754785479548054815482548354845485548654875488548954905491549254935494549554965497549854995500550155025503550455055506550755085509551055115512551355145515551655175518551955205521552255235524552555265527552855295530553155325533553455355536553755385539554055415542554355445545554655475548554955505551555255535554555555565557555855595560556155625563556455655566556755685569557055715572557355745575557655775578557955805581558255835584558555865587558855895590559155925593559455955596559755985599560056015602560356045605560656075608560956105611561256135614561556165617561856195620562156225623562456255626562756285629563056315632563356345635563656375638563956405641564256435644564556465647564856495650565156525653565456555656565756585659566056615662566356645665566656675668566956705671567256735674567556765677567856795680568156825683568456855686568756885689569056915692569356945695569656975698569957005701570257035704570557065707570857095710571157125713571457155716571757185719572057215722572357245725572657275728572957305731573257335734573557365737573857395740574157425743574457455746574757485749575057515752575357545755575657575758575957605761576257635764576557665767576857695770577157725773577457755776577757785779578057815782578357845785578657875788578957905791579257935794579557965797579857995800580158025803580458055806580758085809581058115812581358145815581658175818581958205821582258235824582558265827582858295830583158325833583458355836583758385839584058415842584358445845584658475848584958505851585258535854585558565857585858595860586158625863586458655866586758685869587058715872587358745875587658775878587958805881588258835884588558865887588858895890589158925893589458955896589758985899590059015902590359045905590659075908590959105911591259135914591559165917591859195920592159225923592459255926592759285929593059315932593359345935593659375938593959405941594259435944594559465947594859495950595159525953595459555956595759585959596059615962596359645965596659675968596959705971597259735974597559765977597859795980598159825983598459855986598759885989599059915992599359945995599659975998599960006001600260036004600560066007600860096010601160126013601460156016601760186019602060216022602360246025602660276028602960306031603260336034603560366037603860396040604160426043604460456046604760486049605060516052605360546055605660576058605960606061606260636064606560666067606860696070607160726073607460756076607760786079608060816082608360846085608660876088608960906091609260936094609560966097609860996100610161026103610461056106610761086109611061116112611361146115611661176118611961206121612261236124612561266127612861296130613161326133613461356136613761386139614061416142614361446145614661476148614961506151615261536154615561566157615861596160616161626163616461656166616761686169617061716172617361746175617661776178617961806181618261836184618561866187618861896190619161926193619461956196619761986199620062016202620362046205620662076208620962106211621262136214621562166217621862196220622162226223622462256226622762286229623062316232623362346235623662376238623962406241624262436244624562466247624862496250625162526253625462556256625762586259626062616262626362646265626662676268626962706271627262736274627562766277627862796280628162826283628462856286628762886289629062916292629362946295629662976298629963006301630263036304630563066307630863096310631163126313631463156316631763186319632063216322632363246325632663276328632963306331633263336334633563366337633863396340634163426343634463456346634763486349635063516352635363546355635663576358635963606361636263636364636563666367636863696370637163726373637463756376637763786379638063816382638363846385638663876388638963906391639263936394639563966397639863996400640164026403640464056406640764086409641064116412641364146415641664176418641964206421642264236424642564266427642864296430643164326433643464356436643764386439644064416442644364446445644664476448644964506451645264536454645564566457645864596460646164626463646464656466646764686469647064716472647364746475647664776478647964806481648264836484648564866487648864896490649164926493649464956496649764986499650065016502650365046505650665076508650965106511651265136514651565166517651865196520652165226523652465256526652765286529653065316532653365346535653665376538653965406541654265436544654565466547654865496550655165526553655465556556655765586559656065616562656365646565656665676568656965706571657265736574657565766577657865796580658165826583658465856586658765886589659065916592659365946595659665976598659966006601660266036604660566066607660866096610661166126613661466156616661766186619662066216622662366246625662666276628662966306631663266336634663566366637663866396640664166426643664466456646664766486649665066516652665366546655665666576658665966606661666266636664666566666667666866696670667166726673667466756676667766786679668066816682668366846685668666876688668966906691669266936694669566966697669866996700670167026703670467056706670767086709671067116712671367146715671667176718671967206721672267236724672567266727672867296730673167326733673467356736673767386739674067416742674367446745674667476748674967506751675267536754675567566757675867596760676167626763676467656766676767686769677067716772677367746775677667776778677967806781678267836784678567866787678867896790679167926793679467956796679767986799680068016802680368046805680668076808680968106811681268136814681568166817681868196820682168226823682468256826682768286829683068316832683368346835683668376838683968406841684268436844684568466847684868496850685168526853685468556856685768586859686068616862686368646865686668676868686968706871687268736874687568766877687868796880688168826883688468856886688768886889689068916892689368946895689668976898689969006901690269036904690569066907690869096910691169126913691469156916691769186919692069216922692369246925692669276928692969306931693269336934693569366937693869396940694169426943694469456946694769486949695069516952695369546955695669576958695969606961696269636964696569666967696869696970697169726973697469756976697769786979698069816982698369846985698669876988698969906991699269936994699569966997699869997000700170027003700470057006700770087009701070117012701370147015701670177018701970207021702270237024702570267027702870297030703170327033703470357036703770387039704070417042704370447045704670477048704970507051705270537054705570567057705870597060706170627063706470657066706770687069707070717072707370747075707670777078707970807081708270837084708570867087708870897090709170927093709470957096709770987099710071017102710371047105710671077108710971107111711271137114711571167117711871197120712171227123712471257126712771287129713071317132713371347135713671377138713971407141714271437144714571467147714871497150715171527153715471557156715771587159716071617162716371647165716671677168716971707171717271737174717571767177717871797180718171827183718471857186718771887189719071917192719371947195719671977198719972007201720272037204720572067207720872097210721172127213721472157216721772187219722072217222722372247225722672277228722972307231723272337234723572367237723872397240724172427243724472457246724772487249725072517252725372547255725672577258725972607261726272637264726572667267726872697270727172727273727472757276727772787279728072817282728372847285728672877288728972907291729272937294729572967297729872997300730173027303730473057306730773087309731073117312731373147315731673177318731973207321732273237324732573267327732873297330733173327333733473357336733773387339734073417342734373447345734673477348734973507351735273537354735573567357735873597360736173627363736473657366736773687369737073717372737373747375737673777378737973807381738273837384738573867387738873897390739173927393739473957396739773987399740074017402740374047405740674077408740974107411741274137414741574167417741874197420742174227423742474257426742774287429743074317432743374347435743674377438743974407441744274437444744574467447744874497450745174527453745474557456745774587459746074617462746374647465746674677468746974707471747274737474747574767477747874797480748174827483748474857486748774887489749074917492749374947495749674977498749975007501750275037504750575067507750875097510751175127513751475157516751775187519752075217522752375247525752675277528752975307531753275337534753575367537753875397540754175427543754475457546754775487549755075517552755375547555755675577558755975607561756275637564756575667567756875697570757175727573757475757576757775787579758075817582758375847585758675877588758975907591759275937594759575967597759875997600760176027603760476057606760776087609761076117612761376147615761676177618761976207621762276237624762576267627762876297630763176327633763476357636763776387639764076417642764376447645764676477648764976507651765276537654765576567657765876597660766176627663766476657666766776687669767076717672767376747675767676777678767976807681768276837684768576867687768876897690769176927693
  1. /*
  2. * SSLv3/TLSv1 shared functions
  3. *
  4. * Copyright The Mbed TLS Contributors
  5. * SPDX-License-Identifier: Apache-2.0
  6. *
  7. * Licensed under the Apache License, Version 2.0 (the "License"); you may
  8. * not use this file except in compliance with the License.
  9. * You may obtain a copy of the License at
  10. *
  11. * http://www.apache.org/licenses/LICENSE-2.0
  12. *
  13. * Unless required by applicable law or agreed to in writing, software
  14. * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
  15. * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  16. * See the License for the specific language governing permissions and
  17. * limitations under the License.
  18. */
  19. /*
  20. * The SSL 3.0 specification was drafted by Netscape in 1996,
  21. * and became an IETF standard in 1999.
  22. *
  23. * http://wp.netscape.com/eng/ssl3/
  24. * http://www.ietf.org/rfc/rfc2246.txt
  25. * http://www.ietf.org/rfc/rfc4346.txt
  26. */
  27. #include "common.h"
  28. #if defined(MBEDTLS_SSL_TLS_C)
  29. #if defined(MBEDTLS_PLATFORM_C)
  30. #include "mbedtls/platform.h"
  31. #else
  32. #include <stdlib.h>
  33. #define mbedtls_calloc calloc
  34. #define mbedtls_free free
  35. #endif
  36. #include "mbedtls/ssl.h"
  37. #include "mbedtls/ssl_internal.h"
  38. #include "mbedtls/debug.h"
  39. #include "mbedtls/error.h"
  40. #include "mbedtls/platform_util.h"
  41. #include "mbedtls/version.h"
  42. #include "mbedtls/constant_time.h"
  43. #include <string.h>
  44. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  45. #include "mbedtls/psa_util.h"
  46. #include "psa/crypto.h"
  47. #endif
  48. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  49. #include "mbedtls/oid.h"
  50. #endif
  51. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  52. #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
  53. /* Top-level Connection ID API */
  54. int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,
  55. size_t len,
  56. int ignore_other_cid )
  57. {
  58. if( len > MBEDTLS_SSL_CID_IN_LEN_MAX )
  59. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  60. if( ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
  61. ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
  62. {
  63. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  64. }
  65. conf->ignore_unexpected_cid = ignore_other_cid;
  66. conf->cid_len = len;
  67. return( 0 );
  68. }
  69. int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,
  70. int enable,
  71. unsigned char const *own_cid,
  72. size_t own_cid_len )
  73. {
  74. if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  75. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  76. ssl->negotiate_cid = enable;
  77. if( enable == MBEDTLS_SSL_CID_DISABLED )
  78. {
  79. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Disable use of CID extension." ) );
  80. return( 0 );
  81. }
  82. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );
  83. MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );
  84. if( own_cid_len != ssl->conf->cid_len )
  85. {
  86. MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",
  87. (unsigned) own_cid_len,
  88. (unsigned) ssl->conf->cid_len ) );
  89. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  90. }
  91. memcpy( ssl->own_cid, own_cid, own_cid_len );
  92. /* Truncation is not an issue here because
  93. * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
  94. ssl->own_cid_len = (uint8_t) own_cid_len;
  95. return( 0 );
  96. }
  97. int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,
  98. int *enabled,
  99. unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],
  100. size_t *peer_cid_len )
  101. {
  102. *enabled = MBEDTLS_SSL_CID_DISABLED;
  103. if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
  104. ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
  105. {
  106. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  107. }
  108. /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
  109. * were used, but client and server requested the empty CID.
  110. * This is indistinguishable from not using the CID extension
  111. * in the first place. */
  112. if( ssl->transform_in->in_cid_len == 0 &&
  113. ssl->transform_in->out_cid_len == 0 )
  114. {
  115. return( 0 );
  116. }
  117. if( peer_cid_len != NULL )
  118. {
  119. *peer_cid_len = ssl->transform_in->out_cid_len;
  120. if( peer_cid != NULL )
  121. {
  122. memcpy( peer_cid, ssl->transform_in->out_cid,
  123. ssl->transform_in->out_cid_len );
  124. }
  125. }
  126. *enabled = MBEDTLS_SSL_CID_ENABLED;
  127. return( 0 );
  128. }
  129. #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
  130. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  131. #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
  132. /*
  133. * Convert max_fragment_length codes to length.
  134. * RFC 6066 says:
  135. * enum{
  136. * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
  137. * } MaxFragmentLength;
  138. * and we add 0 -> extension unused
  139. */
  140. static unsigned int ssl_mfl_code_to_length( int mfl )
  141. {
  142. switch( mfl )
  143. {
  144. case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
  145. return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
  146. case MBEDTLS_SSL_MAX_FRAG_LEN_512:
  147. return 512;
  148. case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
  149. return 1024;
  150. case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
  151. return 2048;
  152. case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
  153. return 4096;
  154. default:
  155. return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
  156. }
  157. }
  158. #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
  159. int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
  160. const mbedtls_ssl_session *src )
  161. {
  162. mbedtls_ssl_session_free( dst );
  163. memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
  164. #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
  165. dst->ticket = NULL;
  166. #endif
  167. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  168. #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  169. if( src->peer_cert != NULL )
  170. {
  171. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  172. dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
  173. if( dst->peer_cert == NULL )
  174. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  175. mbedtls_x509_crt_init( dst->peer_cert );
  176. if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
  177. src->peer_cert->raw.len ) ) != 0 )
  178. {
  179. mbedtls_free( dst->peer_cert );
  180. dst->peer_cert = NULL;
  181. return( ret );
  182. }
  183. }
  184. #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  185. if( src->peer_cert_digest != NULL )
  186. {
  187. dst->peer_cert_digest =
  188. mbedtls_calloc( 1, src->peer_cert_digest_len );
  189. if( dst->peer_cert_digest == NULL )
  190. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  191. memcpy( dst->peer_cert_digest, src->peer_cert_digest,
  192. src->peer_cert_digest_len );
  193. dst->peer_cert_digest_type = src->peer_cert_digest_type;
  194. dst->peer_cert_digest_len = src->peer_cert_digest_len;
  195. }
  196. #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  197. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  198. #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
  199. if( src->ticket != NULL )
  200. {
  201. dst->ticket = mbedtls_calloc( 1, src->ticket_len );
  202. if( dst->ticket == NULL )
  203. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  204. memcpy( dst->ticket, src->ticket, src->ticket_len );
  205. }
  206. #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
  207. return( 0 );
  208. }
  209. #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
  210. static int resize_buffer( unsigned char **buffer, size_t len_new, size_t *len_old )
  211. {
  212. unsigned char* resized_buffer = mbedtls_calloc( 1, len_new );
  213. if( resized_buffer == NULL )
  214. return -1;
  215. /* We want to copy len_new bytes when downsizing the buffer, and
  216. * len_old bytes when upsizing, so we choose the smaller of two sizes,
  217. * to fit one buffer into another. Size checks, ensuring that no data is
  218. * lost, are done outside of this function. */
  219. memcpy( resized_buffer, *buffer,
  220. ( len_new < *len_old ) ? len_new : *len_old );
  221. mbedtls_platform_zeroize( *buffer, *len_old );
  222. mbedtls_free( *buffer );
  223. *buffer = resized_buffer;
  224. *len_old = len_new;
  225. return 0;
  226. }
  227. static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing,
  228. size_t in_buf_new_len,
  229. size_t out_buf_new_len )
  230. {
  231. int modified = 0;
  232. size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0;
  233. size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
  234. if( ssl->in_buf != NULL )
  235. {
  236. written_in = ssl->in_msg - ssl->in_buf;
  237. iv_offset_in = ssl->in_iv - ssl->in_buf;
  238. len_offset_in = ssl->in_len - ssl->in_buf;
  239. if( downsizing ?
  240. ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
  241. ssl->in_buf_len < in_buf_new_len )
  242. {
  243. if( resize_buffer( &ssl->in_buf, in_buf_new_len, &ssl->in_buf_len ) != 0 )
  244. {
  245. MBEDTLS_SSL_DEBUG_MSG( 1, ( "input buffer resizing failed - out of memory" ) );
  246. }
  247. else
  248. {
  249. MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
  250. in_buf_new_len ) );
  251. modified = 1;
  252. }
  253. }
  254. }
  255. if( ssl->out_buf != NULL )
  256. {
  257. written_out = ssl->out_msg - ssl->out_buf;
  258. iv_offset_out = ssl->out_iv - ssl->out_buf;
  259. len_offset_out = ssl->out_len - ssl->out_buf;
  260. if( downsizing ?
  261. ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
  262. ssl->out_buf_len < out_buf_new_len )
  263. {
  264. if( resize_buffer( &ssl->out_buf, out_buf_new_len, &ssl->out_buf_len ) != 0 )
  265. {
  266. MBEDTLS_SSL_DEBUG_MSG( 1, ( "output buffer resizing failed - out of memory" ) );
  267. }
  268. else
  269. {
  270. MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
  271. out_buf_new_len ) );
  272. modified = 1;
  273. }
  274. }
  275. }
  276. if( modified )
  277. {
  278. /* Update pointers here to avoid doing it twice. */
  279. mbedtls_ssl_reset_in_out_pointers( ssl );
  280. /* Fields below might not be properly updated with record
  281. * splitting or with CID, so they are manually updated here. */
  282. ssl->out_msg = ssl->out_buf + written_out;
  283. ssl->out_len = ssl->out_buf + len_offset_out;
  284. ssl->out_iv = ssl->out_buf + iv_offset_out;
  285. ssl->in_msg = ssl->in_buf + written_in;
  286. ssl->in_len = ssl->in_buf + len_offset_in;
  287. ssl->in_iv = ssl->in_buf + iv_offset_in;
  288. }
  289. }
  290. #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
  291. /*
  292. * Key material generation
  293. */
  294. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  295. static int ssl3_prf( const unsigned char *secret, size_t slen,
  296. const char *label,
  297. const unsigned char *random, size_t rlen,
  298. unsigned char *dstbuf, size_t dlen )
  299. {
  300. int ret = 0;
  301. size_t i;
  302. mbedtls_md5_context md5;
  303. mbedtls_sha1_context sha1;
  304. unsigned char padding[16];
  305. unsigned char sha1sum[20];
  306. ((void)label);
  307. mbedtls_md5_init( &md5 );
  308. mbedtls_sha1_init( &sha1 );
  309. /*
  310. * SSLv3:
  311. * block =
  312. * MD5( secret + SHA1( 'A' + secret + random ) ) +
  313. * MD5( secret + SHA1( 'BB' + secret + random ) ) +
  314. * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
  315. * ...
  316. */
  317. for( i = 0; i < dlen / 16; i++ )
  318. {
  319. memset( padding, (unsigned char) ('A' + i), 1 + i );
  320. if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
  321. goto exit;
  322. if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
  323. goto exit;
  324. if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
  325. goto exit;
  326. if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
  327. goto exit;
  328. if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
  329. goto exit;
  330. if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
  331. goto exit;
  332. if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
  333. goto exit;
  334. if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
  335. goto exit;
  336. if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
  337. goto exit;
  338. }
  339. exit:
  340. mbedtls_md5_free( &md5 );
  341. mbedtls_sha1_free( &sha1 );
  342. mbedtls_platform_zeroize( padding, sizeof( padding ) );
  343. mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
  344. return( ret );
  345. }
  346. #endif /* MBEDTLS_SSL_PROTO_SSL3 */
  347. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
  348. static int tls1_prf( const unsigned char *secret, size_t slen,
  349. const char *label,
  350. const unsigned char *random, size_t rlen,
  351. unsigned char *dstbuf, size_t dlen )
  352. {
  353. size_t nb, hs;
  354. size_t i, j, k;
  355. const unsigned char *S1, *S2;
  356. unsigned char *tmp;
  357. size_t tmp_len = 0;
  358. unsigned char h_i[20];
  359. const mbedtls_md_info_t *md_info;
  360. mbedtls_md_context_t md_ctx;
  361. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  362. mbedtls_md_init( &md_ctx );
  363. tmp_len = 20 + strlen( label ) + rlen;
  364. tmp = mbedtls_calloc( 1, tmp_len );
  365. if( tmp == NULL )
  366. {
  367. ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
  368. goto exit;
  369. }
  370. hs = ( slen + 1 ) / 2;
  371. S1 = secret;
  372. S2 = secret + slen - hs;
  373. nb = strlen( label );
  374. memcpy( tmp + 20, label, nb );
  375. memcpy( tmp + 20 + nb, random, rlen );
  376. nb += rlen;
  377. /*
  378. * First compute P_md5(secret,label+random)[0..dlen]
  379. */
  380. if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
  381. {
  382. ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
  383. goto exit;
  384. }
  385. if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
  386. {
  387. goto exit;
  388. }
  389. ret = mbedtls_md_hmac_starts( &md_ctx, S1, hs );
  390. if( ret != 0 )
  391. goto exit;
  392. ret = mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
  393. if( ret != 0 )
  394. goto exit;
  395. ret = mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
  396. if( ret != 0 )
  397. goto exit;
  398. for( i = 0; i < dlen; i += 16 )
  399. {
  400. ret = mbedtls_md_hmac_reset ( &md_ctx );
  401. if( ret != 0 )
  402. goto exit;
  403. ret = mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
  404. if( ret != 0 )
  405. goto exit;
  406. ret = mbedtls_md_hmac_finish( &md_ctx, h_i );
  407. if( ret != 0 )
  408. goto exit;
  409. ret = mbedtls_md_hmac_reset ( &md_ctx );
  410. if( ret != 0 )
  411. goto exit;
  412. ret = mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
  413. if( ret != 0 )
  414. goto exit;
  415. ret = mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
  416. if( ret != 0 )
  417. goto exit;
  418. k = ( i + 16 > dlen ) ? dlen % 16 : 16;
  419. for( j = 0; j < k; j++ )
  420. dstbuf[i + j] = h_i[j];
  421. }
  422. mbedtls_md_free( &md_ctx );
  423. /*
  424. * XOR out with P_sha1(secret,label+random)[0..dlen]
  425. */
  426. if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
  427. {
  428. ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
  429. goto exit;
  430. }
  431. if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
  432. {
  433. goto exit;
  434. }
  435. ret = mbedtls_md_hmac_starts( &md_ctx, S2, hs );
  436. if( ret != 0 )
  437. goto exit;
  438. ret = mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
  439. if( ret != 0 )
  440. goto exit;
  441. ret = mbedtls_md_hmac_finish( &md_ctx, tmp );
  442. if( ret != 0 )
  443. goto exit;
  444. for( i = 0; i < dlen; i += 20 )
  445. {
  446. ret = mbedtls_md_hmac_reset ( &md_ctx );
  447. if( ret != 0 )
  448. goto exit;
  449. ret = mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
  450. if( ret != 0 )
  451. goto exit;
  452. ret = mbedtls_md_hmac_finish( &md_ctx, h_i );
  453. if( ret != 0 )
  454. goto exit;
  455. ret = mbedtls_md_hmac_reset ( &md_ctx );
  456. if( ret != 0 )
  457. goto exit;
  458. ret = mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
  459. if( ret != 0 )
  460. goto exit;
  461. ret = mbedtls_md_hmac_finish( &md_ctx, tmp );
  462. if( ret != 0 )
  463. goto exit;
  464. k = ( i + 20 > dlen ) ? dlen % 20 : 20;
  465. for( j = 0; j < k; j++ )
  466. dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
  467. }
  468. exit:
  469. mbedtls_md_free( &md_ctx );
  470. mbedtls_platform_zeroize( tmp, tmp_len );
  471. mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
  472. mbedtls_free( tmp );
  473. return( ret );
  474. }
  475. #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
  476. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  477. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  478. static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
  479. psa_key_id_t key,
  480. psa_algorithm_t alg,
  481. const unsigned char* seed, size_t seed_length,
  482. const unsigned char* label, size_t label_length,
  483. size_t capacity )
  484. {
  485. psa_status_t status;
  486. status = psa_key_derivation_setup( derivation, alg );
  487. if( status != PSA_SUCCESS )
  488. return( status );
  489. if( PSA_ALG_IS_TLS12_PRF( alg ) || PSA_ALG_IS_TLS12_PSK_TO_MS( alg ) )
  490. {
  491. status = psa_key_derivation_input_bytes( derivation,
  492. PSA_KEY_DERIVATION_INPUT_SEED,
  493. seed, seed_length );
  494. if( status != PSA_SUCCESS )
  495. return( status );
  496. if( mbedtls_svc_key_id_is_null( key ) )
  497. {
  498. status = psa_key_derivation_input_bytes(
  499. derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
  500. NULL, 0 );
  501. }
  502. else
  503. {
  504. status = psa_key_derivation_input_key(
  505. derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key );
  506. }
  507. if( status != PSA_SUCCESS )
  508. return( status );
  509. status = psa_key_derivation_input_bytes( derivation,
  510. PSA_KEY_DERIVATION_INPUT_LABEL,
  511. label, label_length );
  512. if( status != PSA_SUCCESS )
  513. return( status );
  514. }
  515. else
  516. {
  517. return( PSA_ERROR_NOT_SUPPORTED );
  518. }
  519. status = psa_key_derivation_set_capacity( derivation, capacity );
  520. if( status != PSA_SUCCESS )
  521. return( status );
  522. return( PSA_SUCCESS );
  523. }
  524. static int tls_prf_generic( mbedtls_md_type_t md_type,
  525. const unsigned char *secret, size_t slen,
  526. const char *label,
  527. const unsigned char *random, size_t rlen,
  528. unsigned char *dstbuf, size_t dlen )
  529. {
  530. psa_status_t status;
  531. psa_algorithm_t alg;
  532. psa_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
  533. psa_key_derivation_operation_t derivation =
  534. PSA_KEY_DERIVATION_OPERATION_INIT;
  535. if( md_type == MBEDTLS_MD_SHA384 )
  536. alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
  537. else
  538. alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
  539. /* Normally a "secret" should be long enough to be impossible to
  540. * find by brute force, and in particular should not be empty. But
  541. * this PRF is also used to derive an IV, in particular in EAP-TLS,
  542. * and for this use case it makes sense to have a 0-length "secret".
  543. * Since the key API doesn't allow importing a key of length 0,
  544. * keep master_key=0, which setup_psa_key_derivation() understands
  545. * to mean a 0-length "secret" input. */
  546. if( slen != 0 )
  547. {
  548. psa_key_attributes_t key_attributes = psa_key_attributes_init();
  549. psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
  550. psa_set_key_algorithm( &key_attributes, alg );
  551. psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
  552. status = psa_import_key( &key_attributes, secret, slen, &master_key );
  553. if( status != PSA_SUCCESS )
  554. return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
  555. }
  556. status = setup_psa_key_derivation( &derivation,
  557. master_key, alg,
  558. random, rlen,
  559. (unsigned char const *) label,
  560. (size_t) strlen( label ),
  561. dlen );
  562. if( status != PSA_SUCCESS )
  563. {
  564. psa_key_derivation_abort( &derivation );
  565. psa_destroy_key( master_key );
  566. return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
  567. }
  568. status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen );
  569. if( status != PSA_SUCCESS )
  570. {
  571. psa_key_derivation_abort( &derivation );
  572. psa_destroy_key( master_key );
  573. return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
  574. }
  575. status = psa_key_derivation_abort( &derivation );
  576. if( status != PSA_SUCCESS )
  577. {
  578. psa_destroy_key( master_key );
  579. return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
  580. }
  581. if( ! mbedtls_svc_key_id_is_null( master_key ) )
  582. status = psa_destroy_key( master_key );
  583. if( status != PSA_SUCCESS )
  584. return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
  585. return( 0 );
  586. }
  587. #else /* MBEDTLS_USE_PSA_CRYPTO */
  588. static int tls_prf_generic( mbedtls_md_type_t md_type,
  589. const unsigned char *secret, size_t slen,
  590. const char *label,
  591. const unsigned char *random, size_t rlen,
  592. unsigned char *dstbuf, size_t dlen )
  593. {
  594. size_t nb;
  595. size_t i, j, k, md_len;
  596. unsigned char *tmp;
  597. size_t tmp_len = 0;
  598. unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
  599. const mbedtls_md_info_t *md_info;
  600. mbedtls_md_context_t md_ctx;
  601. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  602. mbedtls_md_init( &md_ctx );
  603. if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
  604. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  605. md_len = mbedtls_md_get_size( md_info );
  606. tmp_len = md_len + strlen( label ) + rlen;
  607. tmp = mbedtls_calloc( 1, tmp_len );
  608. if( tmp == NULL )
  609. {
  610. ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
  611. goto exit;
  612. }
  613. nb = strlen( label );
  614. memcpy( tmp + md_len, label, nb );
  615. memcpy( tmp + md_len + nb, random, rlen );
  616. nb += rlen;
  617. /*
  618. * Compute P_<hash>(secret, label + random)[0..dlen]
  619. */
  620. if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
  621. goto exit;
  622. ret = mbedtls_md_hmac_starts( &md_ctx, secret, slen );
  623. if( ret != 0 )
  624. goto exit;
  625. ret = mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
  626. if( ret != 0 )
  627. goto exit;
  628. ret = mbedtls_md_hmac_finish( &md_ctx, tmp );
  629. if( ret != 0 )
  630. goto exit;
  631. for( i = 0; i < dlen; i += md_len )
  632. {
  633. ret = mbedtls_md_hmac_reset ( &md_ctx );
  634. if( ret != 0 )
  635. goto exit;
  636. ret = mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
  637. if( ret != 0 )
  638. goto exit;
  639. ret = mbedtls_md_hmac_finish( &md_ctx, h_i );
  640. if( ret != 0 )
  641. goto exit;
  642. ret = mbedtls_md_hmac_reset ( &md_ctx );
  643. if( ret != 0 )
  644. goto exit;
  645. ret = mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
  646. if( ret != 0 )
  647. goto exit;
  648. ret = mbedtls_md_hmac_finish( &md_ctx, tmp );
  649. if( ret != 0 )
  650. goto exit;
  651. k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
  652. for( j = 0; j < k; j++ )
  653. dstbuf[i + j] = h_i[j];
  654. }
  655. exit:
  656. mbedtls_md_free( &md_ctx );
  657. mbedtls_platform_zeroize( tmp, tmp_len );
  658. mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
  659. mbedtls_free( tmp );
  660. return( ret );
  661. }
  662. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  663. #if defined(MBEDTLS_SHA256_C)
  664. static int tls_prf_sha256( const unsigned char *secret, size_t slen,
  665. const char *label,
  666. const unsigned char *random, size_t rlen,
  667. unsigned char *dstbuf, size_t dlen )
  668. {
  669. return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
  670. label, random, rlen, dstbuf, dlen ) );
  671. }
  672. #endif /* MBEDTLS_SHA256_C */
  673. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  674. static int tls_prf_sha384( const unsigned char *secret, size_t slen,
  675. const char *label,
  676. const unsigned char *random, size_t rlen,
  677. unsigned char *dstbuf, size_t dlen )
  678. {
  679. return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
  680. label, random, rlen, dstbuf, dlen ) );
  681. }
  682. #endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
  683. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  684. static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
  685. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
  686. defined(MBEDTLS_SSL_PROTO_TLS1_1)
  687. static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
  688. #endif
  689. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  690. static void ssl_calc_verify_ssl( const mbedtls_ssl_context *, unsigned char *, size_t * );
  691. static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
  692. #endif
  693. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
  694. static void ssl_calc_verify_tls( const mbedtls_ssl_context *, unsigned char*, size_t * );
  695. static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
  696. #endif
  697. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  698. #if defined(MBEDTLS_SHA256_C)
  699. static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
  700. static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * );
  701. static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
  702. #endif
  703. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  704. static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
  705. static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * );
  706. static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
  707. #endif
  708. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  709. #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \
  710. defined(MBEDTLS_USE_PSA_CRYPTO)
  711. static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
  712. {
  713. if( ssl->conf->f_psk != NULL )
  714. {
  715. /* If we've used a callback to select the PSK,
  716. * the static configuration is irrelevant. */
  717. if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
  718. return( 1 );
  719. return( 0 );
  720. }
  721. if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
  722. return( 1 );
  723. return( 0 );
  724. }
  725. #endif /* MBEDTLS_USE_PSA_CRYPTO &&
  726. MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
  727. #if defined(MBEDTLS_SSL_EXPORT_KEYS)
  728. static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
  729. {
  730. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  731. if( tls_prf == ssl3_prf )
  732. {
  733. return( MBEDTLS_SSL_TLS_PRF_SSL3 );
  734. }
  735. else
  736. #endif
  737. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
  738. if( tls_prf == tls1_prf )
  739. {
  740. return( MBEDTLS_SSL_TLS_PRF_TLS1 );
  741. }
  742. else
  743. #endif
  744. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  745. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  746. if( tls_prf == tls_prf_sha384 )
  747. {
  748. return( MBEDTLS_SSL_TLS_PRF_SHA384 );
  749. }
  750. else
  751. #endif
  752. #if defined(MBEDTLS_SHA256_C)
  753. if( tls_prf == tls_prf_sha256 )
  754. {
  755. return( MBEDTLS_SSL_TLS_PRF_SHA256 );
  756. }
  757. else
  758. #endif
  759. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  760. return( MBEDTLS_SSL_TLS_PRF_NONE );
  761. }
  762. #endif /* MBEDTLS_SSL_EXPORT_KEYS */
  763. int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
  764. const unsigned char *secret, size_t slen,
  765. const char *label,
  766. const unsigned char *random, size_t rlen,
  767. unsigned char *dstbuf, size_t dlen )
  768. {
  769. mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
  770. switch( prf )
  771. {
  772. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  773. case MBEDTLS_SSL_TLS_PRF_SSL3:
  774. tls_prf = ssl3_prf;
  775. break;
  776. #endif /* MBEDTLS_SSL_PROTO_SSL3 */
  777. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
  778. case MBEDTLS_SSL_TLS_PRF_TLS1:
  779. tls_prf = tls1_prf;
  780. break;
  781. #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
  782. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  783. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  784. case MBEDTLS_SSL_TLS_PRF_SHA384:
  785. tls_prf = tls_prf_sha384;
  786. break;
  787. #endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
  788. #if defined(MBEDTLS_SHA256_C)
  789. case MBEDTLS_SSL_TLS_PRF_SHA256:
  790. tls_prf = tls_prf_sha256;
  791. break;
  792. #endif /* MBEDTLS_SHA256_C */
  793. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  794. default:
  795. return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
  796. }
  797. return( tls_prf( secret, slen, label, random, rlen, dstbuf, dlen ) );
  798. }
  799. /* Type for the TLS PRF */
  800. typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
  801. const unsigned char *, size_t,
  802. unsigned char *, size_t);
  803. /*
  804. * Populate a transform structure with session keys and all the other
  805. * necessary information.
  806. *
  807. * Parameters:
  808. * - [in/out]: transform: structure to populate
  809. * [in] must be just initialised with mbedtls_ssl_transform_init()
  810. * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
  811. * - [in] ciphersuite
  812. * - [in] master
  813. * - [in] encrypt_then_mac
  814. * - [in] trunc_hmac
  815. * - [in] compression
  816. * - [in] tls_prf: pointer to PRF to use for key derivation
  817. * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
  818. * - [in] minor_ver: SSL/TLS minor version
  819. * - [in] endpoint: client or server
  820. * - [in] ssl: optionally used for:
  821. * - MBEDTLS_SSL_HW_RECORD_ACCEL: whole context (non-const)
  822. * - MBEDTLS_SSL_EXPORT_KEYS: ssl->conf->{f,p}_export_keys
  823. * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
  824. */
  825. static int ssl_populate_transform( mbedtls_ssl_transform *transform,
  826. int ciphersuite,
  827. const unsigned char master[48],
  828. #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
  829. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  830. int encrypt_then_mac,
  831. #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
  832. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  833. int trunc_hmac,
  834. #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
  835. #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
  836. #if defined(MBEDTLS_ZLIB_SUPPORT)
  837. int compression,
  838. #endif
  839. ssl_tls_prf_t tls_prf,
  840. const unsigned char randbytes[64],
  841. int minor_ver,
  842. unsigned endpoint,
  843. #if !defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
  844. const
  845. #endif
  846. mbedtls_ssl_context *ssl )
  847. {
  848. int ret = 0;
  849. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  850. int psa_fallthrough;
  851. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  852. unsigned char keyblk[256];
  853. unsigned char *key1;
  854. unsigned char *key2;
  855. unsigned char *mac_enc;
  856. unsigned char *mac_dec;
  857. size_t mac_key_len = 0;
  858. size_t iv_copy_len;
  859. unsigned keylen;
  860. const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
  861. const mbedtls_cipher_info_t *cipher_info;
  862. const mbedtls_md_info_t *md_info;
  863. #if !defined(MBEDTLS_SSL_HW_RECORD_ACCEL) && \
  864. !defined(MBEDTLS_SSL_EXPORT_KEYS) && \
  865. !defined(MBEDTLS_DEBUG_C)
  866. ssl = NULL; /* make sure we don't use it except for those cases */
  867. (void) ssl;
  868. #endif
  869. /*
  870. * Some data just needs copying into the structure
  871. */
  872. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \
  873. defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
  874. transform->encrypt_then_mac = encrypt_then_mac;
  875. #endif
  876. transform->minor_ver = minor_ver;
  877. #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
  878. memcpy( transform->randbytes, randbytes, sizeof( transform->randbytes ) );
  879. #endif
  880. /*
  881. * Get various info structures
  882. */
  883. ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
  884. if( ciphersuite_info == NULL )
  885. {
  886. MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
  887. ciphersuite ) );
  888. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  889. }
  890. cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
  891. if( cipher_info == NULL )
  892. {
  893. MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %u not found",
  894. ciphersuite_info->cipher ) );
  895. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  896. }
  897. md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
  898. if( md_info == NULL )
  899. {
  900. MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %u not found",
  901. (unsigned) ciphersuite_info->mac ) );
  902. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  903. }
  904. #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
  905. /* Copy own and peer's CID if the use of the CID
  906. * extension has been negotiated. */
  907. if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )
  908. {
  909. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );
  910. transform->in_cid_len = ssl->own_cid_len;
  911. memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );
  912. MBEDTLS_SSL_DEBUG_BUF( 3, "Incoming CID", transform->in_cid,
  913. transform->in_cid_len );
  914. transform->out_cid_len = ssl->handshake->peer_cid_len;
  915. memcpy( transform->out_cid, ssl->handshake->peer_cid,
  916. ssl->handshake->peer_cid_len );
  917. MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,
  918. transform->out_cid_len );
  919. }
  920. #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
  921. /*
  922. * Compute key block using the PRF
  923. */
  924. ret = tls_prf( master, 48, "key expansion", randbytes, 64, keyblk, 256 );
  925. if( ret != 0 )
  926. {
  927. MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
  928. return( ret );
  929. }
  930. MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
  931. mbedtls_ssl_get_ciphersuite_name( ciphersuite ) ) );
  932. MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", master, 48 );
  933. MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", randbytes, 64 );
  934. MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
  935. /*
  936. * Determine the appropriate key, IV and MAC length.
  937. */
  938. keylen = cipher_info->key_bitlen / 8;
  939. #if defined(MBEDTLS_GCM_C) || \
  940. defined(MBEDTLS_CCM_C) || \
  941. defined(MBEDTLS_CHACHAPOLY_C)
  942. if( cipher_info->mode == MBEDTLS_MODE_GCM ||
  943. cipher_info->mode == MBEDTLS_MODE_CCM ||
  944. cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
  945. {
  946. size_t explicit_ivlen;
  947. transform->maclen = 0;
  948. mac_key_len = 0;
  949. transform->taglen =
  950. ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
  951. /* All modes haves 96-bit IVs, but the length of the static parts vary
  952. * with mode and version:
  953. * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
  954. * (to be concatenated with a dynamically chosen IV of 8 Bytes)
  955. * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
  956. * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
  957. * sequence number).
  958. */
  959. transform->ivlen = 12;
  960. #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
  961. if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
  962. {
  963. transform->fixed_ivlen = 12;
  964. }
  965. else
  966. #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
  967. {
  968. if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
  969. transform->fixed_ivlen = 12;
  970. else
  971. transform->fixed_ivlen = 4;
  972. }
  973. /* Minimum length of encrypted record */
  974. explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
  975. transform->minlen = explicit_ivlen + transform->taglen;
  976. }
  977. else
  978. #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
  979. #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
  980. if( cipher_info->mode == MBEDTLS_MODE_STREAM ||
  981. cipher_info->mode == MBEDTLS_MODE_CBC )
  982. {
  983. /* Initialize HMAC contexts */
  984. if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
  985. ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
  986. {
  987. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
  988. goto end;
  989. }
  990. /* Get MAC length */
  991. mac_key_len = mbedtls_md_get_size( md_info );
  992. transform->maclen = mac_key_len;
  993. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  994. /*
  995. * If HMAC is to be truncated, we shall keep the leftmost bytes,
  996. * (rfc 6066 page 13 or rfc 2104 section 4),
  997. * so we only need to adjust the length here.
  998. */
  999. if( trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
  1000. {
  1001. transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
  1002. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
  1003. /* Fall back to old, non-compliant version of the truncated
  1004. * HMAC implementation which also truncates the key
  1005. * (Mbed TLS versions from 1.3 to 2.6.0) */
  1006. mac_key_len = transform->maclen;
  1007. #endif
  1008. }
  1009. #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
  1010. /* IV length */
  1011. transform->ivlen = cipher_info->iv_size;
  1012. /* Minimum length */
  1013. if( cipher_info->mode == MBEDTLS_MODE_STREAM )
  1014. transform->minlen = transform->maclen;
  1015. else
  1016. {
  1017. /*
  1018. * GenericBlockCipher:
  1019. * 1. if EtM is in use: one block plus MAC
  1020. * otherwise: * first multiple of blocklen greater than maclen
  1021. * 2. IV except for SSL3 and TLS 1.0
  1022. */
  1023. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  1024. if( encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
  1025. {
  1026. transform->minlen = transform->maclen
  1027. + cipher_info->block_size;
  1028. }
  1029. else
  1030. #endif
  1031. {
  1032. transform->minlen = transform->maclen
  1033. + cipher_info->block_size
  1034. - transform->maclen % cipher_info->block_size;
  1035. }
  1036. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
  1037. if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
  1038. minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
  1039. ; /* No need to adjust minlen */
  1040. else
  1041. #endif
  1042. #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
  1043. if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
  1044. minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
  1045. {
  1046. transform->minlen += transform->ivlen;
  1047. }
  1048. else
  1049. #endif
  1050. {
  1051. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  1052. ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
  1053. goto end;
  1054. }
  1055. }
  1056. }
  1057. else
  1058. #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
  1059. {
  1060. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  1061. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  1062. }
  1063. MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
  1064. (unsigned) keylen,
  1065. (unsigned) transform->minlen,
  1066. (unsigned) transform->ivlen,
  1067. (unsigned) transform->maclen ) );
  1068. /*
  1069. * Finally setup the cipher contexts, IVs and MAC secrets.
  1070. */
  1071. #if defined(MBEDTLS_SSL_CLI_C)
  1072. if( endpoint == MBEDTLS_SSL_IS_CLIENT )
  1073. {
  1074. key1 = keyblk + mac_key_len * 2;
  1075. key2 = keyblk + mac_key_len * 2 + keylen;
  1076. mac_enc = keyblk;
  1077. mac_dec = keyblk + mac_key_len;
  1078. /*
  1079. * This is not used in TLS v1.1.
  1080. */
  1081. iv_copy_len = ( transform->fixed_ivlen ) ?
  1082. transform->fixed_ivlen : transform->ivlen;
  1083. memcpy( transform->iv_enc, key2 + keylen, iv_copy_len );
  1084. memcpy( transform->iv_dec, key2 + keylen + iv_copy_len,
  1085. iv_copy_len );
  1086. }
  1087. else
  1088. #endif /* MBEDTLS_SSL_CLI_C */
  1089. #if defined(MBEDTLS_SSL_SRV_C)
  1090. if( endpoint == MBEDTLS_SSL_IS_SERVER )
  1091. {
  1092. key1 = keyblk + mac_key_len * 2 + keylen;
  1093. key2 = keyblk + mac_key_len * 2;
  1094. mac_enc = keyblk + mac_key_len;
  1095. mac_dec = keyblk;
  1096. /*
  1097. * This is not used in TLS v1.1.
  1098. */
  1099. iv_copy_len = ( transform->fixed_ivlen ) ?
  1100. transform->fixed_ivlen : transform->ivlen;
  1101. memcpy( transform->iv_dec, key1 + keylen, iv_copy_len );
  1102. memcpy( transform->iv_enc, key1 + keylen + iv_copy_len,
  1103. iv_copy_len );
  1104. }
  1105. else
  1106. #endif /* MBEDTLS_SSL_SRV_C */
  1107. {
  1108. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  1109. ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
  1110. goto end;
  1111. }
  1112. #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
  1113. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  1114. if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
  1115. {
  1116. if( mac_key_len > sizeof( transform->mac_enc ) )
  1117. {
  1118. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  1119. ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
  1120. goto end;
  1121. }
  1122. memcpy( transform->mac_enc, mac_enc, mac_key_len );
  1123. memcpy( transform->mac_dec, mac_dec, mac_key_len );
  1124. }
  1125. else
  1126. #endif /* MBEDTLS_SSL_PROTO_SSL3 */
  1127. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
  1128. defined(MBEDTLS_SSL_PROTO_TLS1_2)
  1129. if( minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
  1130. {
  1131. /* For HMAC-based ciphersuites, initialize the HMAC transforms.
  1132. For AEAD-based ciphersuites, there is nothing to do here. */
  1133. if( mac_key_len != 0 )
  1134. {
  1135. ret = mbedtls_md_hmac_starts( &transform->md_ctx_enc,
  1136. mac_enc, mac_key_len );
  1137. if( ret != 0 )
  1138. goto end;
  1139. ret = mbedtls_md_hmac_starts( &transform->md_ctx_dec,
  1140. mac_dec, mac_key_len );
  1141. if( ret != 0 )
  1142. goto end;
  1143. }
  1144. }
  1145. else
  1146. #endif
  1147. {
  1148. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  1149. ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
  1150. goto end;
  1151. }
  1152. #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
  1153. #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
  1154. if( mbedtls_ssl_hw_record_init != NULL )
  1155. {
  1156. ret = 0;
  1157. MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
  1158. if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, keylen,
  1159. transform->iv_enc, transform->iv_dec,
  1160. iv_copy_len,
  1161. mac_enc, mac_dec,
  1162. mac_key_len ) ) != 0 )
  1163. {
  1164. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
  1165. ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
  1166. goto end;
  1167. }
  1168. }
  1169. #else
  1170. ((void) mac_dec);
  1171. ((void) mac_enc);
  1172. #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
  1173. #if defined(MBEDTLS_SSL_EXPORT_KEYS)
  1174. if( ssl->conf->f_export_keys != NULL )
  1175. {
  1176. ssl->conf->f_export_keys( ssl->conf->p_export_keys,
  1177. master, keyblk,
  1178. mac_key_len, keylen,
  1179. iv_copy_len );
  1180. }
  1181. if( ssl->conf->f_export_keys_ext != NULL )
  1182. {
  1183. ssl->conf->f_export_keys_ext( ssl->conf->p_export_keys,
  1184. master, keyblk,
  1185. mac_key_len, keylen,
  1186. iv_copy_len,
  1187. randbytes + 32,
  1188. randbytes,
  1189. tls_prf_get_type( tls_prf ) );
  1190. }
  1191. #endif
  1192. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  1193. /* Only use PSA-based ciphers for TLS-1.2.
  1194. * That's relevant at least for TLS-1.0, where
  1195. * we assume that mbedtls_cipher_crypt() updates
  1196. * the structure field for the IV, which the PSA-based
  1197. * implementation currently doesn't. */
  1198. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  1199. if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
  1200. {
  1201. ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
  1202. cipher_info, transform->taglen );
  1203. if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
  1204. {
  1205. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
  1206. goto end;
  1207. }
  1208. if( ret == 0 )
  1209. {
  1210. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based encryption cipher context" ) );
  1211. psa_fallthrough = 0;
  1212. }
  1213. else
  1214. {
  1215. MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );
  1216. psa_fallthrough = 1;
  1217. }
  1218. }
  1219. else
  1220. psa_fallthrough = 1;
  1221. #else
  1222. psa_fallthrough = 1;
  1223. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  1224. if( psa_fallthrough == 1 )
  1225. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  1226. if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
  1227. cipher_info ) ) != 0 )
  1228. {
  1229. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
  1230. goto end;
  1231. }
  1232. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  1233. /* Only use PSA-based ciphers for TLS-1.2.
  1234. * That's relevant at least for TLS-1.0, where
  1235. * we assume that mbedtls_cipher_crypt() updates
  1236. * the structure field for the IV, which the PSA-based
  1237. * implementation currently doesn't. */
  1238. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  1239. if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
  1240. {
  1241. ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
  1242. cipher_info, transform->taglen );
  1243. if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
  1244. {
  1245. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );
  1246. goto end;
  1247. }
  1248. if( ret == 0 )
  1249. {
  1250. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based decryption cipher context" ) );
  1251. psa_fallthrough = 0;
  1252. }
  1253. else
  1254. {
  1255. MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );
  1256. psa_fallthrough = 1;
  1257. }
  1258. }
  1259. else
  1260. psa_fallthrough = 1;
  1261. #else
  1262. psa_fallthrough = 1;
  1263. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  1264. if( psa_fallthrough == 1 )
  1265. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  1266. if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
  1267. cipher_info ) ) != 0 )
  1268. {
  1269. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
  1270. goto end;
  1271. }
  1272. if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
  1273. cipher_info->key_bitlen,
  1274. MBEDTLS_ENCRYPT ) ) != 0 )
  1275. {
  1276. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
  1277. goto end;
  1278. }
  1279. if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
  1280. cipher_info->key_bitlen,
  1281. MBEDTLS_DECRYPT ) ) != 0 )
  1282. {
  1283. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
  1284. goto end;
  1285. }
  1286. #if defined(MBEDTLS_CIPHER_MODE_CBC)
  1287. if( cipher_info->mode == MBEDTLS_MODE_CBC )
  1288. {
  1289. if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
  1290. MBEDTLS_PADDING_NONE ) ) != 0 )
  1291. {
  1292. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
  1293. goto end;
  1294. }
  1295. if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
  1296. MBEDTLS_PADDING_NONE ) ) != 0 )
  1297. {
  1298. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
  1299. goto end;
  1300. }
  1301. }
  1302. #endif /* MBEDTLS_CIPHER_MODE_CBC */
  1303. /* Initialize Zlib contexts */
  1304. #if defined(MBEDTLS_ZLIB_SUPPORT)
  1305. if( compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
  1306. {
  1307. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
  1308. memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
  1309. memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
  1310. if( deflateInit( &transform->ctx_deflate,
  1311. Z_DEFAULT_COMPRESSION ) != Z_OK ||
  1312. inflateInit( &transform->ctx_inflate ) != Z_OK )
  1313. {
  1314. MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
  1315. ret = MBEDTLS_ERR_SSL_COMPRESSION_FAILED;
  1316. goto end;
  1317. }
  1318. }
  1319. #endif /* MBEDTLS_ZLIB_SUPPORT */
  1320. end:
  1321. mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
  1322. return( ret );
  1323. }
  1324. /*
  1325. * Set appropriate PRF function and other SSL / TLS 1.0/1.1 / TLS1.2 functions
  1326. *
  1327. * Inputs:
  1328. * - SSL/TLS minor version
  1329. * - hash associated with the ciphersuite (only used by TLS 1.2)
  1330. *
  1331. * Outputs:
  1332. * - the tls_prf, calc_verify and calc_finished members of handshake structure
  1333. */
  1334. static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
  1335. int minor_ver,
  1336. mbedtls_md_type_t hash )
  1337. {
  1338. #if !defined(MBEDTLS_SSL_PROTO_TLS1_2) || \
  1339. !( defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384) )
  1340. (void) hash;
  1341. #endif
  1342. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  1343. if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
  1344. {
  1345. handshake->tls_prf = ssl3_prf;
  1346. handshake->calc_verify = ssl_calc_verify_ssl;
  1347. handshake->calc_finished = ssl_calc_finished_ssl;
  1348. }
  1349. else
  1350. #endif
  1351. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
  1352. if( minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
  1353. {
  1354. handshake->tls_prf = tls1_prf;
  1355. handshake->calc_verify = ssl_calc_verify_tls;
  1356. handshake->calc_finished = ssl_calc_finished_tls;
  1357. }
  1358. else
  1359. #endif
  1360. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  1361. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  1362. if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
  1363. hash == MBEDTLS_MD_SHA384 )
  1364. {
  1365. handshake->tls_prf = tls_prf_sha384;
  1366. handshake->calc_verify = ssl_calc_verify_tls_sha384;
  1367. handshake->calc_finished = ssl_calc_finished_tls_sha384;
  1368. }
  1369. else
  1370. #endif
  1371. #if defined(MBEDTLS_SHA256_C)
  1372. if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
  1373. {
  1374. handshake->tls_prf = tls_prf_sha256;
  1375. handshake->calc_verify = ssl_calc_verify_tls_sha256;
  1376. handshake->calc_finished = ssl_calc_finished_tls_sha256;
  1377. }
  1378. else
  1379. #endif
  1380. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  1381. {
  1382. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  1383. }
  1384. return( 0 );
  1385. }
  1386. /*
  1387. * Compute master secret if needed
  1388. *
  1389. * Parameters:
  1390. * [in/out] handshake
  1391. * [in] resume, premaster, extended_ms, calc_verify, tls_prf
  1392. * (PSA-PSK) ciphersuite_info, psk_opaque
  1393. * [out] premaster (cleared)
  1394. * [out] master
  1395. * [in] ssl: optionally used for debugging, EMS and PSA-PSK
  1396. * debug: conf->f_dbg, conf->p_dbg
  1397. * EMS: passed to calc_verify (debug + (SSL3) session_negotiate)
  1398. * PSA-PSA: minor_ver, conf
  1399. */
  1400. static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
  1401. unsigned char *master,
  1402. const mbedtls_ssl_context *ssl )
  1403. {
  1404. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  1405. /* cf. RFC 5246, Section 8.1:
  1406. * "The master secret is always exactly 48 bytes in length." */
  1407. size_t const master_secret_len = 48;
  1408. #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
  1409. unsigned char session_hash[48];
  1410. #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
  1411. /* The label for the KDF used for key expansion.
  1412. * This is either "master secret" or "extended master secret"
  1413. * depending on whether the Extended Master Secret extension
  1414. * is used. */
  1415. char const *lbl = "master secret";
  1416. /* The salt for the KDF used for key expansion.
  1417. * - If the Extended Master Secret extension is not used,
  1418. * this is ClientHello.Random + ServerHello.Random
  1419. * (see Sect. 8.1 in RFC 5246).
  1420. * - If the Extended Master Secret extension is used,
  1421. * this is the transcript of the handshake so far.
  1422. * (see Sect. 4 in RFC 7627). */
  1423. unsigned char const *salt = handshake->randbytes;
  1424. size_t salt_len = 64;
  1425. #if !defined(MBEDTLS_DEBUG_C) && \
  1426. !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
  1427. !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
  1428. defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
  1429. ssl = NULL; /* make sure we don't use it except for those cases */
  1430. (void) ssl;
  1431. #endif
  1432. if( handshake->resume != 0 )
  1433. {
  1434. MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
  1435. return( 0 );
  1436. }
  1437. #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
  1438. if( handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
  1439. {
  1440. lbl = "extended master secret";
  1441. salt = session_hash;
  1442. handshake->calc_verify( ssl, session_hash, &salt_len );
  1443. MBEDTLS_SSL_DEBUG_BUF( 3, "session hash for extended master secret",
  1444. session_hash, salt_len );
  1445. }
  1446. #endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */
  1447. #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
  1448. defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
  1449. if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
  1450. ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
  1451. ssl_use_opaque_psk( ssl ) == 1 )
  1452. {
  1453. /* Perform PSK-to-MS expansion in a single step. */
  1454. psa_status_t status;
  1455. psa_algorithm_t alg;
  1456. psa_key_id_t psk;
  1457. psa_key_derivation_operation_t derivation =
  1458. PSA_KEY_DERIVATION_OPERATION_INIT;
  1459. mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
  1460. MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
  1461. psk = mbedtls_ssl_get_opaque_psk( ssl );
  1462. if( hash_alg == MBEDTLS_MD_SHA384 )
  1463. alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
  1464. else
  1465. alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
  1466. status = setup_psa_key_derivation( &derivation, psk, alg,
  1467. salt, salt_len,
  1468. (unsigned char const *) lbl,
  1469. (size_t) strlen( lbl ),
  1470. master_secret_len );
  1471. if( status != PSA_SUCCESS )
  1472. {
  1473. psa_key_derivation_abort( &derivation );
  1474. return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
  1475. }
  1476. status = psa_key_derivation_output_bytes( &derivation,
  1477. master,
  1478. master_secret_len );
  1479. if( status != PSA_SUCCESS )
  1480. {
  1481. psa_key_derivation_abort( &derivation );
  1482. return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
  1483. }
  1484. status = psa_key_derivation_abort( &derivation );
  1485. if( status != PSA_SUCCESS )
  1486. return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
  1487. }
  1488. else
  1489. #endif
  1490. {
  1491. ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
  1492. lbl, salt, salt_len,
  1493. master,
  1494. master_secret_len );
  1495. if( ret != 0 )
  1496. {
  1497. MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
  1498. return( ret );
  1499. }
  1500. MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret",
  1501. handshake->premaster,
  1502. handshake->pmslen );
  1503. mbedtls_platform_zeroize( handshake->premaster,
  1504. sizeof(handshake->premaster) );
  1505. }
  1506. return( 0 );
  1507. }
  1508. int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
  1509. {
  1510. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  1511. const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
  1512. ssl->handshake->ciphersuite_info;
  1513. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
  1514. /* Set PRF, calc_verify and calc_finished function pointers */
  1515. ret = ssl_set_handshake_prfs( ssl->handshake,
  1516. ssl->minor_ver,
  1517. ciphersuite_info->mac );
  1518. if( ret != 0 )
  1519. {
  1520. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_set_handshake_prfs", ret );
  1521. return( ret );
  1522. }
  1523. /* Compute master secret if needed */
  1524. ret = ssl_compute_master( ssl->handshake,
  1525. ssl->session_negotiate->master,
  1526. ssl );
  1527. if( ret != 0 )
  1528. {
  1529. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compute_master", ret );
  1530. return( ret );
  1531. }
  1532. /* Swap the client and server random values:
  1533. * - MS derivation wanted client+server (RFC 5246 8.1)
  1534. * - key derivation wants server+client (RFC 5246 6.3) */
  1535. {
  1536. unsigned char tmp[64];
  1537. memcpy( tmp, ssl->handshake->randbytes, 64 );
  1538. memcpy( ssl->handshake->randbytes, tmp + 32, 32 );
  1539. memcpy( ssl->handshake->randbytes + 32, tmp, 32 );
  1540. mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
  1541. }
  1542. /* Populate transform structure */
  1543. ret = ssl_populate_transform( ssl->transform_negotiate,
  1544. ssl->session_negotiate->ciphersuite,
  1545. ssl->session_negotiate->master,
  1546. #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
  1547. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  1548. ssl->session_negotiate->encrypt_then_mac,
  1549. #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
  1550. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  1551. ssl->session_negotiate->trunc_hmac,
  1552. #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
  1553. #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
  1554. #if defined(MBEDTLS_ZLIB_SUPPORT)
  1555. ssl->session_negotiate->compression,
  1556. #endif
  1557. ssl->handshake->tls_prf,
  1558. ssl->handshake->randbytes,
  1559. ssl->minor_ver,
  1560. ssl->conf->endpoint,
  1561. ssl );
  1562. if( ret != 0 )
  1563. {
  1564. MBEDTLS_SSL_DEBUG_RET( 1, "ssl_populate_transform", ret );
  1565. return( ret );
  1566. }
  1567. /* We no longer need Server/ClientHello.random values */
  1568. mbedtls_platform_zeroize( ssl->handshake->randbytes,
  1569. sizeof( ssl->handshake->randbytes ) );
  1570. /* Allocate compression buffer */
  1571. #if defined(MBEDTLS_ZLIB_SUPPORT)
  1572. if( ssl->session_negotiate->compression == MBEDTLS_SSL_COMPRESS_DEFLATE &&
  1573. ssl->compress_buf == NULL )
  1574. {
  1575. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
  1576. ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
  1577. if( ssl->compress_buf == NULL )
  1578. {
  1579. MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
  1580. MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
  1581. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  1582. }
  1583. }
  1584. #endif
  1585. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
  1586. return( 0 );
  1587. }
  1588. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  1589. void ssl_calc_verify_ssl( const mbedtls_ssl_context *ssl,
  1590. unsigned char *hash,
  1591. size_t *hlen )
  1592. {
  1593. mbedtls_md5_context md5;
  1594. mbedtls_sha1_context sha1;
  1595. unsigned char pad_1[48];
  1596. unsigned char pad_2[48];
  1597. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
  1598. mbedtls_md5_init( &md5 );
  1599. mbedtls_sha1_init( &sha1 );
  1600. mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
  1601. mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
  1602. memset( pad_1, 0x36, 48 );
  1603. memset( pad_2, 0x5C, 48 );
  1604. mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
  1605. mbedtls_md5_update_ret( &md5, pad_1, 48 );
  1606. mbedtls_md5_finish_ret( &md5, hash );
  1607. mbedtls_md5_starts_ret( &md5 );
  1608. mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
  1609. mbedtls_md5_update_ret( &md5, pad_2, 48 );
  1610. mbedtls_md5_update_ret( &md5, hash, 16 );
  1611. mbedtls_md5_finish_ret( &md5, hash );
  1612. mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
  1613. mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
  1614. mbedtls_sha1_finish_ret( &sha1, hash + 16 );
  1615. mbedtls_sha1_starts_ret( &sha1 );
  1616. mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
  1617. mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
  1618. mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
  1619. mbedtls_sha1_finish_ret( &sha1, hash + 16 );
  1620. *hlen = 36;
  1621. MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
  1622. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
  1623. mbedtls_md5_free( &md5 );
  1624. mbedtls_sha1_free( &sha1 );
  1625. return;
  1626. }
  1627. #endif /* MBEDTLS_SSL_PROTO_SSL3 */
  1628. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
  1629. void ssl_calc_verify_tls( const mbedtls_ssl_context *ssl,
  1630. unsigned char *hash,
  1631. size_t *hlen )
  1632. {
  1633. mbedtls_md5_context md5;
  1634. mbedtls_sha1_context sha1;
  1635. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
  1636. mbedtls_md5_init( &md5 );
  1637. mbedtls_sha1_init( &sha1 );
  1638. mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
  1639. mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
  1640. mbedtls_md5_finish_ret( &md5, hash );
  1641. mbedtls_sha1_finish_ret( &sha1, hash + 16 );
  1642. *hlen = 36;
  1643. MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
  1644. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
  1645. mbedtls_md5_free( &md5 );
  1646. mbedtls_sha1_free( &sha1 );
  1647. return;
  1648. }
  1649. #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
  1650. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  1651. #if defined(MBEDTLS_SHA256_C)
  1652. void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl,
  1653. unsigned char *hash,
  1654. size_t *hlen )
  1655. {
  1656. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  1657. size_t hash_size;
  1658. psa_status_t status;
  1659. psa_hash_operation_t sha256_psa = psa_hash_operation_init();
  1660. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) );
  1661. status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
  1662. if( status != PSA_SUCCESS )
  1663. {
  1664. MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
  1665. return;
  1666. }
  1667. status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size );
  1668. if( status != PSA_SUCCESS )
  1669. {
  1670. MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
  1671. return;
  1672. }
  1673. *hlen = 32;
  1674. MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
  1675. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
  1676. #else
  1677. mbedtls_sha256_context sha256;
  1678. mbedtls_sha256_init( &sha256 );
  1679. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
  1680. mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
  1681. mbedtls_sha256_finish_ret( &sha256, hash );
  1682. *hlen = 32;
  1683. MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
  1684. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
  1685. mbedtls_sha256_free( &sha256 );
  1686. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  1687. return;
  1688. }
  1689. #endif /* MBEDTLS_SHA256_C */
  1690. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  1691. void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl,
  1692. unsigned char *hash,
  1693. size_t *hlen )
  1694. {
  1695. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  1696. size_t hash_size;
  1697. psa_status_t status;
  1698. psa_hash_operation_t sha384_psa = psa_hash_operation_init();
  1699. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) );
  1700. status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
  1701. if( status != PSA_SUCCESS )
  1702. {
  1703. MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
  1704. return;
  1705. }
  1706. status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size );
  1707. if( status != PSA_SUCCESS )
  1708. {
  1709. MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
  1710. return;
  1711. }
  1712. *hlen = 48;
  1713. MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, *hlen );
  1714. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );
  1715. #else
  1716. mbedtls_sha512_context sha512;
  1717. mbedtls_sha512_init( &sha512 );
  1718. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
  1719. mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
  1720. mbedtls_sha512_finish_ret( &sha512, hash );
  1721. *hlen = 48;
  1722. MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, *hlen );
  1723. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
  1724. mbedtls_sha512_free( &sha512 );
  1725. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  1726. return;
  1727. }
  1728. #endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
  1729. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  1730. #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
  1731. int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
  1732. {
  1733. unsigned char *p = ssl->handshake->premaster;
  1734. unsigned char *end = p + sizeof( ssl->handshake->premaster );
  1735. const unsigned char *psk = NULL;
  1736. size_t psk_len = 0;
  1737. if( mbedtls_ssl_get_psk( ssl, &psk, &psk_len )
  1738. == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED )
  1739. {
  1740. /*
  1741. * This should never happen because the existence of a PSK is always
  1742. * checked before calling this function
  1743. */
  1744. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  1745. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  1746. }
  1747. /*
  1748. * PMS = struct {
  1749. * opaque other_secret<0..2^16-1>;
  1750. * opaque psk<0..2^16-1>;
  1751. * };
  1752. * with "other_secret" depending on the particular key exchange
  1753. */
  1754. #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
  1755. if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
  1756. {
  1757. if( end - p < 2 )
  1758. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  1759. MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 );
  1760. p += 2;
  1761. if( end < p || (size_t)( end - p ) < psk_len )
  1762. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  1763. memset( p, 0, psk_len );
  1764. p += psk_len;
  1765. }
  1766. else
  1767. #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
  1768. #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
  1769. if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
  1770. {
  1771. /*
  1772. * other_secret already set by the ClientKeyExchange message,
  1773. * and is 48 bytes long
  1774. */
  1775. if( end - p < 2 )
  1776. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  1777. *p++ = 0;
  1778. *p++ = 48;
  1779. p += 48;
  1780. }
  1781. else
  1782. #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
  1783. #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
  1784. if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
  1785. {
  1786. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  1787. size_t len;
  1788. /* Write length only when we know the actual value */
  1789. if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
  1790. p + 2, end - ( p + 2 ), &len,
  1791. ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
  1792. {
  1793. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
  1794. return( ret );
  1795. }
  1796. MBEDTLS_PUT_UINT16_BE( len, p, 0 );
  1797. p += 2 + len;
  1798. MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
  1799. }
  1800. else
  1801. #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
  1802. #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
  1803. if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
  1804. {
  1805. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  1806. size_t zlen;
  1807. if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
  1808. p + 2, end - ( p + 2 ),
  1809. ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
  1810. {
  1811. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
  1812. return( ret );
  1813. }
  1814. MBEDTLS_PUT_UINT16_BE( zlen, p, 0 );
  1815. p += 2 + zlen;
  1816. MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
  1817. MBEDTLS_DEBUG_ECDH_Z );
  1818. }
  1819. else
  1820. #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
  1821. {
  1822. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  1823. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  1824. }
  1825. /* opaque psk<0..2^16-1>; */
  1826. if( end - p < 2 )
  1827. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  1828. MBEDTLS_PUT_UINT16_BE( psk_len, p, 0 );
  1829. p += 2;
  1830. if( end < p || (size_t)( end - p ) < psk_len )
  1831. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  1832. memcpy( p, psk, psk_len );
  1833. p += psk_len;
  1834. ssl->handshake->pmslen = p - ssl->handshake->premaster;
  1835. return( 0 );
  1836. }
  1837. #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
  1838. #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
  1839. static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
  1840. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  1841. int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl )
  1842. {
  1843. /* If renegotiation is not enforced, retransmit until we would reach max
  1844. * timeout if we were using the usual handshake doubling scheme */
  1845. if( ssl->conf->renego_max_records < 0 )
  1846. {
  1847. uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
  1848. unsigned char doublings = 1;
  1849. while( ratio != 0 )
  1850. {
  1851. ++doublings;
  1852. ratio >>= 1;
  1853. }
  1854. if( ++ssl->renego_records_seen > doublings )
  1855. {
  1856. MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
  1857. return( 0 );
  1858. }
  1859. }
  1860. return( ssl_write_hello_request( ssl ) );
  1861. }
  1862. #endif
  1863. #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
  1864. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  1865. static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
  1866. {
  1867. #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  1868. if( session->peer_cert != NULL )
  1869. {
  1870. mbedtls_x509_crt_free( session->peer_cert );
  1871. mbedtls_free( session->peer_cert );
  1872. session->peer_cert = NULL;
  1873. }
  1874. #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  1875. if( session->peer_cert_digest != NULL )
  1876. {
  1877. /* Zeroization is not necessary. */
  1878. mbedtls_free( session->peer_cert_digest );
  1879. session->peer_cert_digest = NULL;
  1880. session->peer_cert_digest_type = MBEDTLS_MD_NONE;
  1881. session->peer_cert_digest_len = 0;
  1882. }
  1883. #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  1884. }
  1885. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  1886. /*
  1887. * Handshake functions
  1888. */
  1889. #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
  1890. /* No certificate support -> dummy functions */
  1891. int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
  1892. {
  1893. const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
  1894. ssl->handshake->ciphersuite_info;
  1895. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
  1896. if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
  1897. {
  1898. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
  1899. ssl->state++;
  1900. return( 0 );
  1901. }
  1902. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  1903. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  1904. }
  1905. int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
  1906. {
  1907. const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
  1908. ssl->handshake->ciphersuite_info;
  1909. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
  1910. if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
  1911. {
  1912. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
  1913. ssl->state++;
  1914. return( 0 );
  1915. }
  1916. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  1917. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  1918. }
  1919. #else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
  1920. /* Some certificate support -> implement write and parse */
  1921. int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
  1922. {
  1923. int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
  1924. size_t i, n;
  1925. const mbedtls_x509_crt *crt;
  1926. const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
  1927. ssl->handshake->ciphersuite_info;
  1928. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
  1929. if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
  1930. {
  1931. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
  1932. ssl->state++;
  1933. return( 0 );
  1934. }
  1935. #if defined(MBEDTLS_SSL_CLI_C)
  1936. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
  1937. {
  1938. if( ssl->client_auth == 0 )
  1939. {
  1940. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
  1941. ssl->state++;
  1942. return( 0 );
  1943. }
  1944. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  1945. /*
  1946. * If using SSLv3 and got no cert, send an Alert message
  1947. * (otherwise an empty Certificate message will be sent).
  1948. */
  1949. if( mbedtls_ssl_own_cert( ssl ) == NULL &&
  1950. ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
  1951. {
  1952. ssl->out_msglen = 2;
  1953. ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
  1954. ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
  1955. ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
  1956. MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
  1957. goto write_msg;
  1958. }
  1959. #endif /* MBEDTLS_SSL_PROTO_SSL3 */
  1960. }
  1961. #endif /* MBEDTLS_SSL_CLI_C */
  1962. #if defined(MBEDTLS_SSL_SRV_C)
  1963. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
  1964. {
  1965. if( mbedtls_ssl_own_cert( ssl ) == NULL )
  1966. {
  1967. MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
  1968. return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
  1969. }
  1970. }
  1971. #endif
  1972. MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
  1973. /*
  1974. * 0 . 0 handshake type
  1975. * 1 . 3 handshake length
  1976. * 4 . 6 length of all certs
  1977. * 7 . 9 length of cert. 1
  1978. * 10 . n-1 peer certificate
  1979. * n . n+2 length of cert. 2
  1980. * n+3 . ... upper level cert, etc.
  1981. */
  1982. i = 7;
  1983. crt = mbedtls_ssl_own_cert( ssl );
  1984. while( crt != NULL )
  1985. {
  1986. n = crt->raw.len;
  1987. if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
  1988. {
  1989. MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %" MBEDTLS_PRINTF_SIZET
  1990. " > %" MBEDTLS_PRINTF_SIZET,
  1991. i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
  1992. return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
  1993. }
  1994. ssl->out_msg[i ] = MBEDTLS_BYTE_2( n );
  1995. ssl->out_msg[i + 1] = MBEDTLS_BYTE_1( n );
  1996. ssl->out_msg[i + 2] = MBEDTLS_BYTE_0( n );
  1997. i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
  1998. i += n; crt = crt->next;
  1999. }
  2000. ssl->out_msg[4] = MBEDTLS_BYTE_2( i - 7 );
  2001. ssl->out_msg[5] = MBEDTLS_BYTE_1( i - 7 );
  2002. ssl->out_msg[6] = MBEDTLS_BYTE_0( i - 7 );
  2003. ssl->out_msglen = i;
  2004. ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
  2005. ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
  2006. #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
  2007. write_msg:
  2008. #endif
  2009. ssl->state++;
  2010. if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
  2011. {
  2012. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
  2013. return( ret );
  2014. }
  2015. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
  2016. return( ret );
  2017. }
  2018. #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
  2019. #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  2020. static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
  2021. unsigned char *crt_buf,
  2022. size_t crt_buf_len )
  2023. {
  2024. mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
  2025. if( peer_crt == NULL )
  2026. return( -1 );
  2027. if( peer_crt->raw.len != crt_buf_len )
  2028. return( -1 );
  2029. return( memcmp( peer_crt->raw.p, crt_buf, peer_crt->raw.len ) );
  2030. }
  2031. #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  2032. static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,
  2033. unsigned char *crt_buf,
  2034. size_t crt_buf_len )
  2035. {
  2036. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  2037. unsigned char const * const peer_cert_digest =
  2038. ssl->session->peer_cert_digest;
  2039. mbedtls_md_type_t const peer_cert_digest_type =
  2040. ssl->session->peer_cert_digest_type;
  2041. mbedtls_md_info_t const * const digest_info =
  2042. mbedtls_md_info_from_type( peer_cert_digest_type );
  2043. unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
  2044. size_t digest_len;
  2045. if( peer_cert_digest == NULL || digest_info == NULL )
  2046. return( -1 );
  2047. digest_len = mbedtls_md_get_size( digest_info );
  2048. if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN )
  2049. return( -1 );
  2050. ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest );
  2051. if( ret != 0 )
  2052. return( -1 );
  2053. return( memcmp( tmp_digest, peer_cert_digest, digest_len ) );
  2054. }
  2055. #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  2056. #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
  2057. /*
  2058. * Once the certificate message is read, parse it into a cert chain and
  2059. * perform basic checks, but leave actual verification to the caller
  2060. */
  2061. static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,
  2062. mbedtls_x509_crt *chain )
  2063. {
  2064. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  2065. #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
  2066. int crt_cnt=0;
  2067. #endif
  2068. size_t i, n;
  2069. uint8_t alert;
  2070. if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
  2071. {
  2072. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
  2073. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2074. MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
  2075. return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
  2076. }
  2077. if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||
  2078. ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
  2079. {
  2080. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
  2081. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2082. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2083. return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
  2084. }
  2085. i = mbedtls_ssl_hs_hdr_len( ssl );
  2086. /*
  2087. * Same message structure as in mbedtls_ssl_write_certificate()
  2088. */
  2089. n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
  2090. if( ssl->in_msg[i] != 0 ||
  2091. ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
  2092. {
  2093. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
  2094. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2095. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2096. return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
  2097. }
  2098. /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
  2099. i += 3;
  2100. /* Iterate through and parse the CRTs in the provided chain. */
  2101. while( i < ssl->in_hslen )
  2102. {
  2103. /* Check that there's room for the next CRT's length fields. */
  2104. if ( i + 3 > ssl->in_hslen ) {
  2105. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
  2106. mbedtls_ssl_send_alert_message( ssl,
  2107. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2108. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2109. return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
  2110. }
  2111. /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
  2112. * anything beyond 2**16 ~ 64K. */
  2113. if( ssl->in_msg[i] != 0 )
  2114. {
  2115. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
  2116. mbedtls_ssl_send_alert_message( ssl,
  2117. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2118. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2119. return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
  2120. }
  2121. /* Read length of the next CRT in the chain. */
  2122. n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
  2123. | (unsigned int) ssl->in_msg[i + 2];
  2124. i += 3;
  2125. if( n < 128 || i + n > ssl->in_hslen )
  2126. {
  2127. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
  2128. mbedtls_ssl_send_alert_message( ssl,
  2129. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2130. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  2131. return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
  2132. }
  2133. /* Check if we're handling the first CRT in the chain. */
  2134. #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
  2135. if( crt_cnt++ == 0 &&
  2136. ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
  2137. ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
  2138. {
  2139. /* During client-side renegotiation, check that the server's
  2140. * end-CRTs hasn't changed compared to the initial handshake,
  2141. * mitigating the triple handshake attack. On success, reuse
  2142. * the original end-CRT instead of parsing it again. */
  2143. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Check that peer CRT hasn't changed during renegotiation" ) );
  2144. if( ssl_check_peer_crt_unchanged( ssl,
  2145. &ssl->in_msg[i],
  2146. n ) != 0 )
  2147. {
  2148. MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
  2149. mbedtls_ssl_send_alert_message( ssl,
  2150. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2151. MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
  2152. return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
  2153. }
  2154. /* Now we can safely free the original chain. */
  2155. ssl_clear_peer_cert( ssl->session );
  2156. }
  2157. #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
  2158. /* Parse the next certificate in the chain. */
  2159. #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  2160. ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n );
  2161. #else
  2162. /* If we don't need to store the CRT chain permanently, parse
  2163. * it in-place from the input buffer instead of making a copy. */
  2164. ret = mbedtls_x509_crt_parse_der_nocopy( chain, ssl->in_msg + i, n );
  2165. #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  2166. switch( ret )
  2167. {
  2168. case 0: /*ok*/
  2169. case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
  2170. /* Ignore certificate with an unknown algorithm: maybe a
  2171. prior certificate was already trusted. */
  2172. break;
  2173. case MBEDTLS_ERR_X509_ALLOC_FAILED:
  2174. alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
  2175. goto crt_parse_der_failed;
  2176. case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
  2177. alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
  2178. goto crt_parse_der_failed;
  2179. default:
  2180. alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
  2181. crt_parse_der_failed:
  2182. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
  2183. MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
  2184. return( ret );
  2185. }
  2186. i += n;
  2187. }
  2188. MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", chain );
  2189. return( 0 );
  2190. }
  2191. #if defined(MBEDTLS_SSL_SRV_C)
  2192. static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
  2193. {
  2194. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
  2195. return( -1 );
  2196. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  2197. /*
  2198. * Check if the client sent an empty certificate
  2199. */
  2200. if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
  2201. {
  2202. if( ssl->in_msglen == 2 &&
  2203. ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
  2204. ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
  2205. ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
  2206. {
  2207. MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
  2208. return( 0 );
  2209. }
  2210. return( -1 );
  2211. }
  2212. #endif /* MBEDTLS_SSL_PROTO_SSL3 */
  2213. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
  2214. defined(MBEDTLS_SSL_PROTO_TLS1_2)
  2215. if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
  2216. ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
  2217. ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
  2218. memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
  2219. {
  2220. MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
  2221. return( 0 );
  2222. }
  2223. return( -1 );
  2224. #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
  2225. MBEDTLS_SSL_PROTO_TLS1_2 */
  2226. }
  2227. #endif /* MBEDTLS_SSL_SRV_C */
  2228. /* Check if a certificate message is expected.
  2229. * Return either
  2230. * - SSL_CERTIFICATE_EXPECTED, or
  2231. * - SSL_CERTIFICATE_SKIP
  2232. * indicating whether a Certificate message is expected or not.
  2233. */
  2234. #define SSL_CERTIFICATE_EXPECTED 0
  2235. #define SSL_CERTIFICATE_SKIP 1
  2236. static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
  2237. int authmode )
  2238. {
  2239. const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
  2240. ssl->handshake->ciphersuite_info;
  2241. if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
  2242. return( SSL_CERTIFICATE_SKIP );
  2243. #if defined(MBEDTLS_SSL_SRV_C)
  2244. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
  2245. {
  2246. if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
  2247. return( SSL_CERTIFICATE_SKIP );
  2248. if( authmode == MBEDTLS_SSL_VERIFY_NONE )
  2249. {
  2250. ssl->session_negotiate->verify_result =
  2251. MBEDTLS_X509_BADCERT_SKIP_VERIFY;
  2252. return( SSL_CERTIFICATE_SKIP );
  2253. }
  2254. }
  2255. #else
  2256. ((void) authmode);
  2257. #endif /* MBEDTLS_SSL_SRV_C */
  2258. return( SSL_CERTIFICATE_EXPECTED );
  2259. }
  2260. static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
  2261. int authmode,
  2262. mbedtls_x509_crt *chain,
  2263. void *rs_ctx )
  2264. {
  2265. int ret = 0;
  2266. const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
  2267. ssl->handshake->ciphersuite_info;
  2268. int have_ca_chain = 0;
  2269. int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
  2270. void *p_vrfy;
  2271. if( authmode == MBEDTLS_SSL_VERIFY_NONE )
  2272. return( 0 );
  2273. if( ssl->f_vrfy != NULL )
  2274. {
  2275. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );
  2276. f_vrfy = ssl->f_vrfy;
  2277. p_vrfy = ssl->p_vrfy;
  2278. }
  2279. else
  2280. {
  2281. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );
  2282. f_vrfy = ssl->conf->f_vrfy;
  2283. p_vrfy = ssl->conf->p_vrfy;
  2284. }
  2285. /*
  2286. * Main check: verify certificate
  2287. */
  2288. #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
  2289. if( ssl->conf->f_ca_cb != NULL )
  2290. {
  2291. ((void) rs_ctx);
  2292. have_ca_chain = 1;
  2293. MBEDTLS_SSL_DEBUG_MSG( 3, ( "use CA callback for X.509 CRT verification" ) );
  2294. ret = mbedtls_x509_crt_verify_with_ca_cb(
  2295. chain,
  2296. ssl->conf->f_ca_cb,
  2297. ssl->conf->p_ca_cb,
  2298. ssl->conf->cert_profile,
  2299. ssl->hostname,
  2300. &ssl->session_negotiate->verify_result,
  2301. f_vrfy, p_vrfy );
  2302. }
  2303. else
  2304. #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
  2305. {
  2306. mbedtls_x509_crt *ca_chain;
  2307. mbedtls_x509_crl *ca_crl;
  2308. #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
  2309. if( ssl->handshake->sni_ca_chain != NULL )
  2310. {
  2311. ca_chain = ssl->handshake->sni_ca_chain;
  2312. ca_crl = ssl->handshake->sni_ca_crl;
  2313. }
  2314. else
  2315. #endif
  2316. {
  2317. ca_chain = ssl->conf->ca_chain;
  2318. ca_crl = ssl->conf->ca_crl;
  2319. }
  2320. if( ca_chain != NULL )
  2321. have_ca_chain = 1;
  2322. ret = mbedtls_x509_crt_verify_restartable(
  2323. chain,
  2324. ca_chain, ca_crl,
  2325. ssl->conf->cert_profile,
  2326. ssl->hostname,
  2327. &ssl->session_negotiate->verify_result,
  2328. f_vrfy, p_vrfy, rs_ctx );
  2329. }
  2330. if( ret != 0 )
  2331. {
  2332. MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
  2333. }
  2334. #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
  2335. if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
  2336. return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
  2337. #endif
  2338. /*
  2339. * Secondary checks: always done, but change 'ret' only if it was 0
  2340. */
  2341. #if defined(MBEDTLS_ECP_C)
  2342. {
  2343. const mbedtls_pk_context *pk = &chain->pk;
  2344. /* If certificate uses an EC key, make sure the curve is OK */
  2345. if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
  2346. mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
  2347. {
  2348. ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
  2349. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
  2350. if( ret == 0 )
  2351. ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
  2352. }
  2353. }
  2354. #endif /* MBEDTLS_ECP_C */
  2355. if( mbedtls_ssl_check_cert_usage( chain,
  2356. ciphersuite_info,
  2357. ! ssl->conf->endpoint,
  2358. &ssl->session_negotiate->verify_result ) != 0 )
  2359. {
  2360. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
  2361. if( ret == 0 )
  2362. ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
  2363. }
  2364. /* mbedtls_x509_crt_verify_with_profile is supposed to report a
  2365. * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
  2366. * with details encoded in the verification flags. All other kinds
  2367. * of error codes, including those from the user provided f_vrfy
  2368. * functions, are treated as fatal and lead to a failure of
  2369. * ssl_parse_certificate even if verification was optional. */
  2370. if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
  2371. ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
  2372. ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
  2373. {
  2374. ret = 0;
  2375. }
  2376. if( have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
  2377. {
  2378. MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
  2379. ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
  2380. }
  2381. if( ret != 0 )
  2382. {
  2383. uint8_t alert;
  2384. /* The certificate may have been rejected for several reasons.
  2385. Pick one and send the corresponding alert. Which alert to send
  2386. may be a subject of debate in some cases. */
  2387. if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
  2388. alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
  2389. else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
  2390. alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
  2391. else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
  2392. alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
  2393. else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
  2394. alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
  2395. else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
  2396. alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
  2397. else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
  2398. alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
  2399. else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
  2400. alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
  2401. else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
  2402. alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
  2403. else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
  2404. alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
  2405. else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
  2406. alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
  2407. else
  2408. alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
  2409. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2410. alert );
  2411. }
  2412. #if defined(MBEDTLS_DEBUG_C)
  2413. if( ssl->session_negotiate->verify_result != 0 )
  2414. {
  2415. MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %08x",
  2416. (unsigned int) ssl->session_negotiate->verify_result ) );
  2417. }
  2418. else
  2419. {
  2420. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
  2421. }
  2422. #endif /* MBEDTLS_DEBUG_C */
  2423. return( ret );
  2424. }
  2425. #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  2426. static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,
  2427. unsigned char *start, size_t len )
  2428. {
  2429. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  2430. /* Remember digest of the peer's end-CRT. */
  2431. ssl->session_negotiate->peer_cert_digest =
  2432. mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
  2433. if( ssl->session_negotiate->peer_cert_digest == NULL )
  2434. {
  2435. MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
  2436. MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) );
  2437. mbedtls_ssl_send_alert_message( ssl,
  2438. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2439. MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
  2440. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  2441. }
  2442. ret = mbedtls_md( mbedtls_md_info_from_type(
  2443. MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
  2444. start, len,
  2445. ssl->session_negotiate->peer_cert_digest );
  2446. ssl->session_negotiate->peer_cert_digest_type =
  2447. MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
  2448. ssl->session_negotiate->peer_cert_digest_len =
  2449. MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
  2450. return( ret );
  2451. }
  2452. static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
  2453. unsigned char *start, size_t len )
  2454. {
  2455. unsigned char *end = start + len;
  2456. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  2457. /* Make a copy of the peer's raw public key. */
  2458. mbedtls_pk_init( &ssl->handshake->peer_pubkey );
  2459. ret = mbedtls_pk_parse_subpubkey( &start, end,
  2460. &ssl->handshake->peer_pubkey );
  2461. if( ret != 0 )
  2462. {
  2463. /* We should have parsed the public key before. */
  2464. return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
  2465. }
  2466. return( 0 );
  2467. }
  2468. #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  2469. int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
  2470. {
  2471. int ret = 0;
  2472. int crt_expected;
  2473. #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
  2474. const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
  2475. ? ssl->handshake->sni_authmode
  2476. : ssl->conf->authmode;
  2477. #else
  2478. const int authmode = ssl->conf->authmode;
  2479. #endif
  2480. void *rs_ctx = NULL;
  2481. mbedtls_x509_crt *chain = NULL;
  2482. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
  2483. crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
  2484. if( crt_expected == SSL_CERTIFICATE_SKIP )
  2485. {
  2486. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
  2487. goto exit;
  2488. }
  2489. #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
  2490. if( ssl->handshake->ecrs_enabled &&
  2491. ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
  2492. {
  2493. chain = ssl->handshake->ecrs_peer_cert;
  2494. ssl->handshake->ecrs_peer_cert = NULL;
  2495. goto crt_verify;
  2496. }
  2497. #endif
  2498. if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
  2499. {
  2500. /* mbedtls_ssl_read_record may have sent an alert already. We
  2501. let it decide whether to alert. */
  2502. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
  2503. goto exit;
  2504. }
  2505. #if defined(MBEDTLS_SSL_SRV_C)
  2506. if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 )
  2507. {
  2508. ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
  2509. if( authmode != MBEDTLS_SSL_VERIFY_OPTIONAL )
  2510. ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
  2511. goto exit;
  2512. }
  2513. #endif /* MBEDTLS_SSL_SRV_C */
  2514. /* Clear existing peer CRT structure in case we tried to
  2515. * reuse a session but it failed, and allocate a new one. */
  2516. ssl_clear_peer_cert( ssl->session_negotiate );
  2517. chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
  2518. if( chain == NULL )
  2519. {
  2520. MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
  2521. sizeof( mbedtls_x509_crt ) ) );
  2522. mbedtls_ssl_send_alert_message( ssl,
  2523. MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  2524. MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
  2525. ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
  2526. goto exit;
  2527. }
  2528. mbedtls_x509_crt_init( chain );
  2529. ret = ssl_parse_certificate_chain( ssl, chain );
  2530. if( ret != 0 )
  2531. goto exit;
  2532. #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
  2533. if( ssl->handshake->ecrs_enabled)
  2534. ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
  2535. crt_verify:
  2536. if( ssl->handshake->ecrs_enabled)
  2537. rs_ctx = &ssl->handshake->ecrs_ctx;
  2538. #endif
  2539. ret = ssl_parse_certificate_verify( ssl, authmode,
  2540. chain, rs_ctx );
  2541. if( ret != 0 )
  2542. goto exit;
  2543. #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  2544. {
  2545. unsigned char *crt_start, *pk_start;
  2546. size_t crt_len, pk_len;
  2547. /* We parse the CRT chain without copying, so
  2548. * these pointers point into the input buffer,
  2549. * and are hence still valid after freeing the
  2550. * CRT chain. */
  2551. crt_start = chain->raw.p;
  2552. crt_len = chain->raw.len;
  2553. pk_start = chain->pk_raw.p;
  2554. pk_len = chain->pk_raw.len;
  2555. /* Free the CRT structures before computing
  2556. * digest and copying the peer's public key. */
  2557. mbedtls_x509_crt_free( chain );
  2558. mbedtls_free( chain );
  2559. chain = NULL;
  2560. ret = ssl_remember_peer_crt_digest( ssl, crt_start, crt_len );
  2561. if( ret != 0 )
  2562. goto exit;
  2563. ret = ssl_remember_peer_pubkey( ssl, pk_start, pk_len );
  2564. if( ret != 0 )
  2565. goto exit;
  2566. }
  2567. #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  2568. /* Pass ownership to session structure. */
  2569. ssl->session_negotiate->peer_cert = chain;
  2570. chain = NULL;
  2571. #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  2572. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
  2573. exit:
  2574. if( ret == 0 )
  2575. ssl->state++;
  2576. #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
  2577. if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
  2578. {
  2579. ssl->handshake->ecrs_peer_cert = chain;
  2580. chain = NULL;
  2581. }
  2582. #endif
  2583. if( chain != NULL )
  2584. {
  2585. mbedtls_x509_crt_free( chain );
  2586. mbedtls_free( chain );
  2587. }
  2588. return( ret );
  2589. }
  2590. #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
  2591. void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
  2592. const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
  2593. {
  2594. ((void) ciphersuite_info);
  2595. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
  2596. defined(MBEDTLS_SSL_PROTO_TLS1_1)
  2597. if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
  2598. ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
  2599. else
  2600. #endif
  2601. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  2602. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  2603. if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
  2604. ssl->handshake->update_checksum = ssl_update_checksum_sha384;
  2605. else
  2606. #endif
  2607. #if defined(MBEDTLS_SHA256_C)
  2608. if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
  2609. ssl->handshake->update_checksum = ssl_update_checksum_sha256;
  2610. else
  2611. #endif
  2612. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  2613. {
  2614. MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
  2615. return;
  2616. }
  2617. }
  2618. void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
  2619. {
  2620. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
  2621. defined(MBEDTLS_SSL_PROTO_TLS1_1)
  2622. mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 );
  2623. mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
  2624. #endif
  2625. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  2626. #if defined(MBEDTLS_SHA256_C)
  2627. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  2628. psa_hash_abort( &ssl->handshake->fin_sha256_psa );
  2629. psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
  2630. #else
  2631. mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
  2632. #endif
  2633. #endif
  2634. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  2635. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  2636. psa_hash_abort( &ssl->handshake->fin_sha384_psa );
  2637. psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
  2638. #else
  2639. mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
  2640. #endif
  2641. #endif
  2642. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  2643. }
  2644. static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
  2645. const unsigned char *buf, size_t len )
  2646. {
  2647. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
  2648. defined(MBEDTLS_SSL_PROTO_TLS1_1)
  2649. mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
  2650. mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
  2651. #endif
  2652. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  2653. #if defined(MBEDTLS_SHA256_C)
  2654. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  2655. psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
  2656. #else
  2657. mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
  2658. #endif
  2659. #endif
  2660. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  2661. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  2662. psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
  2663. #else
  2664. mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
  2665. #endif
  2666. #endif
  2667. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  2668. }
  2669. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
  2670. defined(MBEDTLS_SSL_PROTO_TLS1_1)
  2671. static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
  2672. const unsigned char *buf, size_t len )
  2673. {
  2674. mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
  2675. mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
  2676. }
  2677. #endif
  2678. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  2679. #if defined(MBEDTLS_SHA256_C)
  2680. static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
  2681. const unsigned char *buf, size_t len )
  2682. {
  2683. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  2684. psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
  2685. #else
  2686. mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
  2687. #endif
  2688. }
  2689. #endif
  2690. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  2691. static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
  2692. const unsigned char *buf, size_t len )
  2693. {
  2694. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  2695. psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );
  2696. #else
  2697. mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
  2698. #endif
  2699. }
  2700. #endif
  2701. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  2702. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  2703. static void ssl_calc_finished_ssl(
  2704. mbedtls_ssl_context *ssl, unsigned char *buf, int from )
  2705. {
  2706. const char *sender;
  2707. mbedtls_md5_context md5;
  2708. mbedtls_sha1_context sha1;
  2709. unsigned char padbuf[48];
  2710. unsigned char md5sum[16];
  2711. unsigned char sha1sum[20];
  2712. mbedtls_ssl_session *session = ssl->session_negotiate;
  2713. if( !session )
  2714. session = ssl->session;
  2715. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
  2716. mbedtls_md5_init( &md5 );
  2717. mbedtls_sha1_init( &sha1 );
  2718. mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
  2719. mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
  2720. /*
  2721. * SSLv3:
  2722. * hash =
  2723. * MD5( master + pad2 +
  2724. * MD5( handshake + sender + master + pad1 ) )
  2725. * + SHA1( master + pad2 +
  2726. * SHA1( handshake + sender + master + pad1 ) )
  2727. */
  2728. #if !defined(MBEDTLS_MD5_ALT)
  2729. MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
  2730. md5.state, sizeof( md5.state ) );
  2731. #endif
  2732. #if !defined(MBEDTLS_SHA1_ALT)
  2733. MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
  2734. sha1.state, sizeof( sha1.state ) );
  2735. #endif
  2736. sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
  2737. : "SRVR";
  2738. memset( padbuf, 0x36, 48 );
  2739. mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
  2740. mbedtls_md5_update_ret( &md5, session->master, 48 );
  2741. mbedtls_md5_update_ret( &md5, padbuf, 48 );
  2742. mbedtls_md5_finish_ret( &md5, md5sum );
  2743. mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
  2744. mbedtls_sha1_update_ret( &sha1, session->master, 48 );
  2745. mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
  2746. mbedtls_sha1_finish_ret( &sha1, sha1sum );
  2747. memset( padbuf, 0x5C, 48 );
  2748. mbedtls_md5_starts_ret( &md5 );
  2749. mbedtls_md5_update_ret( &md5, session->master, 48 );
  2750. mbedtls_md5_update_ret( &md5, padbuf, 48 );
  2751. mbedtls_md5_update_ret( &md5, md5sum, 16 );
  2752. mbedtls_md5_finish_ret( &md5, buf );
  2753. mbedtls_sha1_starts_ret( &sha1 );
  2754. mbedtls_sha1_update_ret( &sha1, session->master, 48 );
  2755. mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
  2756. mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
  2757. mbedtls_sha1_finish_ret( &sha1, buf + 16 );
  2758. MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
  2759. mbedtls_md5_free( &md5 );
  2760. mbedtls_sha1_free( &sha1 );
  2761. mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
  2762. mbedtls_platform_zeroize( md5sum, sizeof( md5sum ) );
  2763. mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
  2764. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
  2765. }
  2766. #endif /* MBEDTLS_SSL_PROTO_SSL3 */
  2767. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
  2768. static void ssl_calc_finished_tls(
  2769. mbedtls_ssl_context *ssl, unsigned char *buf, int from )
  2770. {
  2771. int len = 12;
  2772. const char *sender;
  2773. mbedtls_md5_context md5;
  2774. mbedtls_sha1_context sha1;
  2775. unsigned char padbuf[36];
  2776. mbedtls_ssl_session *session = ssl->session_negotiate;
  2777. if( !session )
  2778. session = ssl->session;
  2779. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
  2780. mbedtls_md5_init( &md5 );
  2781. mbedtls_sha1_init( &sha1 );
  2782. mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
  2783. mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
  2784. /*
  2785. * TLSv1:
  2786. * hash = PRF( master, finished_label,
  2787. * MD5( handshake ) + SHA1( handshake ) )[0..11]
  2788. */
  2789. #if !defined(MBEDTLS_MD5_ALT)
  2790. MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
  2791. md5.state, sizeof( md5.state ) );
  2792. #endif
  2793. #if !defined(MBEDTLS_SHA1_ALT)
  2794. MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
  2795. sha1.state, sizeof( sha1.state ) );
  2796. #endif
  2797. sender = ( from == MBEDTLS_SSL_IS_CLIENT )
  2798. ? "client finished"
  2799. : "server finished";
  2800. mbedtls_md5_finish_ret( &md5, padbuf );
  2801. mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
  2802. ssl->handshake->tls_prf( session->master, 48, sender,
  2803. padbuf, 36, buf, len );
  2804. MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
  2805. mbedtls_md5_free( &md5 );
  2806. mbedtls_sha1_free( &sha1 );
  2807. mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
  2808. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
  2809. }
  2810. #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
  2811. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  2812. #if defined(MBEDTLS_SHA256_C)
  2813. static void ssl_calc_finished_tls_sha256(
  2814. mbedtls_ssl_context *ssl, unsigned char *buf, int from )
  2815. {
  2816. int len = 12;
  2817. const char *sender;
  2818. unsigned char padbuf[32];
  2819. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  2820. size_t hash_size;
  2821. psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
  2822. psa_status_t status;
  2823. #else
  2824. mbedtls_sha256_context sha256;
  2825. #endif
  2826. mbedtls_ssl_session *session = ssl->session_negotiate;
  2827. if( !session )
  2828. session = ssl->session;
  2829. sender = ( from == MBEDTLS_SSL_IS_CLIENT )
  2830. ? "client finished"
  2831. : "server finished";
  2832. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  2833. sha256_psa = psa_hash_operation_init();
  2834. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) );
  2835. status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );
  2836. if( status != PSA_SUCCESS )
  2837. {
  2838. MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
  2839. return;
  2840. }
  2841. status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size );
  2842. if( status != PSA_SUCCESS )
  2843. {
  2844. MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
  2845. return;
  2846. }
  2847. MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 );
  2848. #else
  2849. mbedtls_sha256_init( &sha256 );
  2850. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
  2851. mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
  2852. /*
  2853. * TLSv1.2:
  2854. * hash = PRF( master, finished_label,
  2855. * Hash( handshake ) )[0.11]
  2856. */
  2857. #if !defined(MBEDTLS_SHA256_ALT)
  2858. MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
  2859. sha256.state, sizeof( sha256.state ) );
  2860. #endif
  2861. mbedtls_sha256_finish_ret( &sha256, padbuf );
  2862. mbedtls_sha256_free( &sha256 );
  2863. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  2864. ssl->handshake->tls_prf( session->master, 48, sender,
  2865. padbuf, 32, buf, len );
  2866. MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
  2867. mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
  2868. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
  2869. }
  2870. #endif /* MBEDTLS_SHA256_C */
  2871. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  2872. static void ssl_calc_finished_tls_sha384(
  2873. mbedtls_ssl_context *ssl, unsigned char *buf, int from )
  2874. {
  2875. int len = 12;
  2876. const char *sender;
  2877. unsigned char padbuf[48];
  2878. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  2879. size_t hash_size;
  2880. psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
  2881. psa_status_t status;
  2882. #else
  2883. mbedtls_sha512_context sha512;
  2884. #endif
  2885. mbedtls_ssl_session *session = ssl->session_negotiate;
  2886. if( !session )
  2887. session = ssl->session;
  2888. sender = ( from == MBEDTLS_SSL_IS_CLIENT )
  2889. ? "client finished"
  2890. : "server finished";
  2891. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  2892. sha384_psa = psa_hash_operation_init();
  2893. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) );
  2894. status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );
  2895. if( status != PSA_SUCCESS )
  2896. {
  2897. MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );
  2898. return;
  2899. }
  2900. status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size );
  2901. if( status != PSA_SUCCESS )
  2902. {
  2903. MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );
  2904. return;
  2905. }
  2906. MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 );
  2907. #else
  2908. mbedtls_sha512_init( &sha512 );
  2909. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
  2910. mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
  2911. /*
  2912. * TLSv1.2:
  2913. * hash = PRF( master, finished_label,
  2914. * Hash( handshake ) )[0.11]
  2915. */
  2916. #if !defined(MBEDTLS_SHA512_ALT)
  2917. MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
  2918. sha512.state, sizeof( sha512.state ) );
  2919. #endif
  2920. /* mbedtls_sha512_finish_ret's output parameter is declared as a
  2921. * 64-byte buffer, but sice we're using SHA-384, we know that the
  2922. * output fits in 48 bytes. This is correct C, but GCC 11.1 warns
  2923. * about it.
  2924. */
  2925. #if defined(__GNUC__) && __GNUC__ >= 11
  2926. #pragma GCC diagnostic push
  2927. #pragma GCC diagnostic ignored "-Wstringop-overflow"
  2928. #endif
  2929. mbedtls_sha512_finish_ret( &sha512, padbuf );
  2930. #if defined(__GNUC__) && __GNUC__ >= 11
  2931. #pragma GCC diagnostic pop
  2932. #endif
  2933. mbedtls_sha512_free( &sha512 );
  2934. #endif
  2935. ssl->handshake->tls_prf( session->master, 48, sender,
  2936. padbuf, 48, buf, len );
  2937. MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
  2938. mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
  2939. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
  2940. }
  2941. #endif /* MBEDTLS_SHA512_C && !MBEDTLS_SHA512_NO_SHA384 */
  2942. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  2943. void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
  2944. {
  2945. MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
  2946. /*
  2947. * Free our handshake params
  2948. */
  2949. mbedtls_ssl_handshake_free( ssl );
  2950. mbedtls_free( ssl->handshake );
  2951. ssl->handshake = NULL;
  2952. /*
  2953. * Free the previous transform and swith in the current one
  2954. */
  2955. if( ssl->transform )
  2956. {
  2957. mbedtls_ssl_transform_free( ssl->transform );
  2958. mbedtls_free( ssl->transform );
  2959. }
  2960. ssl->transform = ssl->transform_negotiate;
  2961. ssl->transform_negotiate = NULL;
  2962. MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
  2963. }
  2964. void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
  2965. {
  2966. int resume = ssl->handshake->resume;
  2967. MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
  2968. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  2969. if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
  2970. {
  2971. ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
  2972. ssl->renego_records_seen = 0;
  2973. }
  2974. #endif
  2975. /*
  2976. * Free the previous session and switch in the current one
  2977. */
  2978. if( ssl->session )
  2979. {
  2980. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  2981. /* RFC 7366 3.1: keep the EtM state */
  2982. ssl->session_negotiate->encrypt_then_mac =
  2983. ssl->session->encrypt_then_mac;
  2984. #endif
  2985. mbedtls_ssl_session_free( ssl->session );
  2986. mbedtls_free( ssl->session );
  2987. }
  2988. ssl->session = ssl->session_negotiate;
  2989. ssl->session_negotiate = NULL;
  2990. /*
  2991. * Add cache entry
  2992. */
  2993. if( ssl->conf->f_set_cache != NULL &&
  2994. ssl->session->id_len != 0 &&
  2995. resume == 0 )
  2996. {
  2997. if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
  2998. MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
  2999. }
  3000. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  3001. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
  3002. ssl->handshake->flight != NULL )
  3003. {
  3004. /* Cancel handshake timer */
  3005. mbedtls_ssl_set_timer( ssl, 0 );
  3006. /* Keep last flight around in case we need to resend it:
  3007. * we need the handshake and transform structures for that */
  3008. MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
  3009. }
  3010. else
  3011. #endif
  3012. mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
  3013. ssl->state++;
  3014. MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
  3015. }
  3016. int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
  3017. {
  3018. int ret, hash_len;
  3019. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
  3020. mbedtls_ssl_update_out_pointers( ssl, ssl->transform_negotiate );
  3021. ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
  3022. /*
  3023. * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
  3024. * may define some other value. Currently (early 2016), no defined
  3025. * ciphersuite does this (and this is unlikely to change as activity has
  3026. * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
  3027. */
  3028. hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
  3029. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  3030. ssl->verify_data_len = hash_len;
  3031. memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
  3032. #endif
  3033. ssl->out_msglen = 4 + hash_len;
  3034. ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
  3035. ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
  3036. /*
  3037. * In case of session resuming, invert the client and server
  3038. * ChangeCipherSpec messages order.
  3039. */
  3040. if( ssl->handshake->resume != 0 )
  3041. {
  3042. #if defined(MBEDTLS_SSL_CLI_C)
  3043. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
  3044. ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
  3045. #endif
  3046. #if defined(MBEDTLS_SSL_SRV_C)
  3047. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
  3048. ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
  3049. #endif
  3050. }
  3051. else
  3052. ssl->state++;
  3053. /*
  3054. * Switch to our negotiated transform and session parameters for outbound
  3055. * data.
  3056. */
  3057. MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
  3058. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  3059. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  3060. {
  3061. unsigned char i;
  3062. /* Remember current epoch settings for resending */
  3063. ssl->handshake->alt_transform_out = ssl->transform_out;
  3064. memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
  3065. /* Set sequence_number to zero */
  3066. memset( ssl->cur_out_ctr + 2, 0, 6 );
  3067. /* Increment epoch */
  3068. for( i = 2; i > 0; i-- )
  3069. if( ++ssl->cur_out_ctr[i - 1] != 0 )
  3070. break;
  3071. /* The loop goes to its end iff the counter is wrapping */
  3072. if( i == 0 )
  3073. {
  3074. MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
  3075. return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
  3076. }
  3077. }
  3078. else
  3079. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  3080. memset( ssl->cur_out_ctr, 0, 8 );
  3081. ssl->transform_out = ssl->transform_negotiate;
  3082. ssl->session_out = ssl->session_negotiate;
  3083. #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
  3084. if( mbedtls_ssl_hw_record_activate != NULL )
  3085. {
  3086. if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
  3087. {
  3088. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
  3089. return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
  3090. }
  3091. }
  3092. #endif
  3093. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  3094. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  3095. mbedtls_ssl_send_flight_completed( ssl );
  3096. #endif
  3097. if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
  3098. {
  3099. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
  3100. return( ret );
  3101. }
  3102. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  3103. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
  3104. ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
  3105. {
  3106. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
  3107. return( ret );
  3108. }
  3109. #endif
  3110. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
  3111. return( 0 );
  3112. }
  3113. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  3114. #define SSL_MAX_HASH_LEN 36
  3115. #else
  3116. #define SSL_MAX_HASH_LEN 12
  3117. #endif
  3118. int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
  3119. {
  3120. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  3121. unsigned int hash_len;
  3122. unsigned char buf[SSL_MAX_HASH_LEN];
  3123. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
  3124. /* There is currently no ciphersuite using another length with TLS 1.2 */
  3125. #if defined(MBEDTLS_SSL_PROTO_SSL3)
  3126. if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
  3127. hash_len = 36;
  3128. else
  3129. #endif
  3130. hash_len = 12;
  3131. ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
  3132. if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
  3133. {
  3134. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
  3135. goto exit;
  3136. }
  3137. if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
  3138. {
  3139. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
  3140. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  3141. MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
  3142. ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
  3143. goto exit;
  3144. }
  3145. if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||
  3146. ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
  3147. {
  3148. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
  3149. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  3150. MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
  3151. ret = MBEDTLS_ERR_SSL_BAD_HS_FINISHED;
  3152. goto exit;
  3153. }
  3154. if( mbedtls_ct_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
  3155. buf, hash_len ) != 0 )
  3156. {
  3157. MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
  3158. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  3159. MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
  3160. ret = MBEDTLS_ERR_SSL_BAD_HS_FINISHED;
  3161. goto exit;
  3162. }
  3163. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  3164. ssl->verify_data_len = hash_len;
  3165. memcpy( ssl->peer_verify_data, buf, hash_len );
  3166. #endif
  3167. if( ssl->handshake->resume != 0 )
  3168. {
  3169. #if defined(MBEDTLS_SSL_CLI_C)
  3170. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
  3171. ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
  3172. #endif
  3173. #if defined(MBEDTLS_SSL_SRV_C)
  3174. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
  3175. ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
  3176. #endif
  3177. }
  3178. else
  3179. ssl->state++;
  3180. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  3181. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  3182. mbedtls_ssl_recv_flight_completed( ssl );
  3183. #endif
  3184. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
  3185. exit:
  3186. mbedtls_platform_zeroize( buf, hash_len );
  3187. return( ret );
  3188. }
  3189. static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
  3190. {
  3191. memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
  3192. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
  3193. defined(MBEDTLS_SSL_PROTO_TLS1_1)
  3194. mbedtls_md5_init( &handshake->fin_md5 );
  3195. mbedtls_sha1_init( &handshake->fin_sha1 );
  3196. mbedtls_md5_starts_ret( &handshake->fin_md5 );
  3197. mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
  3198. #endif
  3199. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  3200. #if defined(MBEDTLS_SHA256_C)
  3201. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  3202. handshake->fin_sha256_psa = psa_hash_operation_init();
  3203. psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
  3204. #else
  3205. mbedtls_sha256_init( &handshake->fin_sha256 );
  3206. mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
  3207. #endif
  3208. #endif
  3209. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  3210. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  3211. handshake->fin_sha384_psa = psa_hash_operation_init();
  3212. psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
  3213. #else
  3214. mbedtls_sha512_init( &handshake->fin_sha512 );
  3215. mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
  3216. #endif
  3217. #endif
  3218. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  3219. handshake->update_checksum = ssl_update_checksum_start;
  3220. #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
  3221. defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
  3222. mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
  3223. #endif
  3224. #if defined(MBEDTLS_DHM_C)
  3225. mbedtls_dhm_init( &handshake->dhm_ctx );
  3226. #endif
  3227. #if defined(MBEDTLS_ECDH_C)
  3228. mbedtls_ecdh_init( &handshake->ecdh_ctx );
  3229. #endif
  3230. #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  3231. mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
  3232. #if defined(MBEDTLS_SSL_CLI_C)
  3233. handshake->ecjpake_cache = NULL;
  3234. handshake->ecjpake_cache_len = 0;
  3235. #endif
  3236. #endif
  3237. #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
  3238. mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
  3239. #endif
  3240. #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
  3241. handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
  3242. #endif
  3243. #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
  3244. !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  3245. mbedtls_pk_init( &handshake->peer_pubkey );
  3246. #endif
  3247. }
  3248. void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform )
  3249. {
  3250. memset( transform, 0, sizeof(mbedtls_ssl_transform) );
  3251. mbedtls_cipher_init( &transform->cipher_ctx_enc );
  3252. mbedtls_cipher_init( &transform->cipher_ctx_dec );
  3253. #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
  3254. mbedtls_md_init( &transform->md_ctx_enc );
  3255. mbedtls_md_init( &transform->md_ctx_dec );
  3256. #endif
  3257. }
  3258. void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
  3259. {
  3260. memset( session, 0, sizeof(mbedtls_ssl_session) );
  3261. }
  3262. static int ssl_handshake_init( mbedtls_ssl_context *ssl )
  3263. {
  3264. /* Clear old handshake information if present */
  3265. if( ssl->transform_negotiate )
  3266. mbedtls_ssl_transform_free( ssl->transform_negotiate );
  3267. if( ssl->session_negotiate )
  3268. mbedtls_ssl_session_free( ssl->session_negotiate );
  3269. if( ssl->handshake )
  3270. mbedtls_ssl_handshake_free( ssl );
  3271. /*
  3272. * Either the pointers are now NULL or cleared properly and can be freed.
  3273. * Now allocate missing structures.
  3274. */
  3275. if( ssl->transform_negotiate == NULL )
  3276. {
  3277. ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
  3278. }
  3279. if( ssl->session_negotiate == NULL )
  3280. {
  3281. ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
  3282. }
  3283. if( ssl->handshake == NULL )
  3284. {
  3285. ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
  3286. }
  3287. #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
  3288. /* If the buffers are too small - reallocate */
  3289. handle_buffer_resizing( ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
  3290. MBEDTLS_SSL_OUT_BUFFER_LEN );
  3291. #endif
  3292. /* All pointers should exist and can be directly freed without issue */
  3293. if( ssl->handshake == NULL ||
  3294. ssl->transform_negotiate == NULL ||
  3295. ssl->session_negotiate == NULL )
  3296. {
  3297. MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
  3298. mbedtls_free( ssl->handshake );
  3299. mbedtls_free( ssl->transform_negotiate );
  3300. mbedtls_free( ssl->session_negotiate );
  3301. ssl->handshake = NULL;
  3302. ssl->transform_negotiate = NULL;
  3303. ssl->session_negotiate = NULL;
  3304. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  3305. }
  3306. /* Initialize structures */
  3307. mbedtls_ssl_session_init( ssl->session_negotiate );
  3308. mbedtls_ssl_transform_init( ssl->transform_negotiate );
  3309. ssl_handshake_params_init( ssl->handshake );
  3310. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  3311. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  3312. {
  3313. ssl->handshake->alt_transform_out = ssl->transform_out;
  3314. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
  3315. ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
  3316. else
  3317. ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
  3318. mbedtls_ssl_set_timer( ssl, 0 );
  3319. }
  3320. #endif
  3321. return( 0 );
  3322. }
  3323. #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
  3324. /* Dummy cookie callbacks for defaults */
  3325. static int ssl_cookie_write_dummy( void *ctx,
  3326. unsigned char **p, unsigned char *end,
  3327. const unsigned char *cli_id, size_t cli_id_len )
  3328. {
  3329. ((void) ctx);
  3330. ((void) p);
  3331. ((void) end);
  3332. ((void) cli_id);
  3333. ((void) cli_id_len);
  3334. return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
  3335. }
  3336. static int ssl_cookie_check_dummy( void *ctx,
  3337. const unsigned char *cookie, size_t cookie_len,
  3338. const unsigned char *cli_id, size_t cli_id_len )
  3339. {
  3340. ((void) ctx);
  3341. ((void) cookie);
  3342. ((void) cookie_len);
  3343. ((void) cli_id);
  3344. ((void) cli_id_len);
  3345. return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
  3346. }
  3347. #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
  3348. /*
  3349. * Initialize an SSL context
  3350. */
  3351. void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
  3352. {
  3353. memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
  3354. }
  3355. /*
  3356. * Setup an SSL context
  3357. */
  3358. int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
  3359. const mbedtls_ssl_config *conf )
  3360. {
  3361. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  3362. size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
  3363. size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
  3364. ssl->conf = conf;
  3365. /*
  3366. * Prepare base structures
  3367. */
  3368. /* Set to NULL in case of an error condition */
  3369. ssl->out_buf = NULL;
  3370. #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
  3371. ssl->in_buf_len = in_buf_len;
  3372. #endif
  3373. ssl->in_buf = mbedtls_calloc( 1, in_buf_len );
  3374. if( ssl->in_buf == NULL )
  3375. {
  3376. MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len ) );
  3377. ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
  3378. goto error;
  3379. }
  3380. #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
  3381. ssl->out_buf_len = out_buf_len;
  3382. #endif
  3383. ssl->out_buf = mbedtls_calloc( 1, out_buf_len );
  3384. if( ssl->out_buf == NULL )
  3385. {
  3386. MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len ) );
  3387. ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
  3388. goto error;
  3389. }
  3390. mbedtls_ssl_reset_in_out_pointers( ssl );
  3391. #if defined(MBEDTLS_SSL_DTLS_SRTP)
  3392. memset( &ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info) );
  3393. #endif
  3394. if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
  3395. goto error;
  3396. return( 0 );
  3397. error:
  3398. mbedtls_free( ssl->in_buf );
  3399. mbedtls_free( ssl->out_buf );
  3400. ssl->conf = NULL;
  3401. #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
  3402. ssl->in_buf_len = 0;
  3403. ssl->out_buf_len = 0;
  3404. #endif
  3405. ssl->in_buf = NULL;
  3406. ssl->out_buf = NULL;
  3407. ssl->in_hdr = NULL;
  3408. ssl->in_ctr = NULL;
  3409. ssl->in_len = NULL;
  3410. ssl->in_iv = NULL;
  3411. ssl->in_msg = NULL;
  3412. ssl->out_hdr = NULL;
  3413. ssl->out_ctr = NULL;
  3414. ssl->out_len = NULL;
  3415. ssl->out_iv = NULL;
  3416. ssl->out_msg = NULL;
  3417. return( ret );
  3418. }
  3419. /*
  3420. * Reset an initialized and used SSL context for re-use while retaining
  3421. * all application-set variables, function pointers and data.
  3422. *
  3423. * If partial is non-zero, keep data in the input buffer and client ID.
  3424. * (Use when a DTLS client reconnects from the same port.)
  3425. */
  3426. int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
  3427. {
  3428. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  3429. #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
  3430. size_t in_buf_len = ssl->in_buf_len;
  3431. size_t out_buf_len = ssl->out_buf_len;
  3432. #else
  3433. size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
  3434. size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
  3435. #endif
  3436. #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || \
  3437. !defined(MBEDTLS_SSL_SRV_C)
  3438. ((void) partial);
  3439. #endif
  3440. ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
  3441. /* Cancel any possibly running timer */
  3442. mbedtls_ssl_set_timer( ssl, 0 );
  3443. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  3444. ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
  3445. ssl->renego_records_seen = 0;
  3446. ssl->verify_data_len = 0;
  3447. memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
  3448. memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
  3449. #endif
  3450. ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
  3451. ssl->in_offt = NULL;
  3452. mbedtls_ssl_reset_in_out_pointers( ssl );
  3453. ssl->in_msgtype = 0;
  3454. ssl->in_msglen = 0;
  3455. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  3456. ssl->next_record_offset = 0;
  3457. ssl->in_epoch = 0;
  3458. #endif
  3459. #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
  3460. mbedtls_ssl_dtls_replay_reset( ssl );
  3461. #endif
  3462. ssl->in_hslen = 0;
  3463. ssl->nb_zero = 0;
  3464. ssl->keep_current_message = 0;
  3465. ssl->out_msgtype = 0;
  3466. ssl->out_msglen = 0;
  3467. ssl->out_left = 0;
  3468. #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
  3469. if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
  3470. ssl->split_done = 0;
  3471. #endif
  3472. memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
  3473. ssl->transform_in = NULL;
  3474. ssl->transform_out = NULL;
  3475. ssl->session_in = NULL;
  3476. ssl->session_out = NULL;
  3477. memset( ssl->out_buf, 0, out_buf_len );
  3478. #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
  3479. if( partial == 0 )
  3480. #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
  3481. {
  3482. ssl->in_left = 0;
  3483. memset( ssl->in_buf, 0, in_buf_len );
  3484. }
  3485. #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
  3486. if( mbedtls_ssl_hw_record_reset != NULL )
  3487. {
  3488. MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
  3489. if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
  3490. {
  3491. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
  3492. return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
  3493. }
  3494. }
  3495. #endif
  3496. if( ssl->transform )
  3497. {
  3498. mbedtls_ssl_transform_free( ssl->transform );
  3499. mbedtls_free( ssl->transform );
  3500. ssl->transform = NULL;
  3501. }
  3502. if( ssl->session )
  3503. {
  3504. mbedtls_ssl_session_free( ssl->session );
  3505. mbedtls_free( ssl->session );
  3506. ssl->session = NULL;
  3507. }
  3508. #if defined(MBEDTLS_SSL_ALPN)
  3509. ssl->alpn_chosen = NULL;
  3510. #endif
  3511. #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
  3512. #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
  3513. if( partial == 0 )
  3514. #endif
  3515. {
  3516. mbedtls_free( ssl->cli_id );
  3517. ssl->cli_id = NULL;
  3518. ssl->cli_id_len = 0;
  3519. }
  3520. #endif
  3521. if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
  3522. return( ret );
  3523. return( 0 );
  3524. }
  3525. /*
  3526. * Reset an initialized and used SSL context for re-use while retaining
  3527. * all application-set variables, function pointers and data.
  3528. */
  3529. int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
  3530. {
  3531. return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
  3532. }
  3533. /*
  3534. * SSL set accessors
  3535. */
  3536. void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
  3537. {
  3538. conf->endpoint = endpoint;
  3539. }
  3540. void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
  3541. {
  3542. conf->transport = transport;
  3543. }
  3544. #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
  3545. void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
  3546. {
  3547. conf->anti_replay = mode;
  3548. }
  3549. #endif
  3550. #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
  3551. void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
  3552. {
  3553. conf->badmac_limit = limit;
  3554. }
  3555. #endif
  3556. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  3557. void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
  3558. unsigned allow_packing )
  3559. {
  3560. ssl->disable_datagram_packing = !allow_packing;
  3561. }
  3562. void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
  3563. uint32_t min, uint32_t max )
  3564. {
  3565. conf->hs_timeout_min = min;
  3566. conf->hs_timeout_max = max;
  3567. }
  3568. #endif
  3569. void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
  3570. {
  3571. conf->authmode = authmode;
  3572. }
  3573. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  3574. void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
  3575. int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
  3576. void *p_vrfy )
  3577. {
  3578. conf->f_vrfy = f_vrfy;
  3579. conf->p_vrfy = p_vrfy;
  3580. }
  3581. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  3582. void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
  3583. int (*f_rng)(void *, unsigned char *, size_t),
  3584. void *p_rng )
  3585. {
  3586. conf->f_rng = f_rng;
  3587. conf->p_rng = p_rng;
  3588. }
  3589. void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
  3590. void (*f_dbg)(void *, int, const char *, int, const char *),
  3591. void *p_dbg )
  3592. {
  3593. conf->f_dbg = f_dbg;
  3594. conf->p_dbg = p_dbg;
  3595. }
  3596. void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
  3597. void *p_bio,
  3598. mbedtls_ssl_send_t *f_send,
  3599. mbedtls_ssl_recv_t *f_recv,
  3600. mbedtls_ssl_recv_timeout_t *f_recv_timeout )
  3601. {
  3602. ssl->p_bio = p_bio;
  3603. ssl->f_send = f_send;
  3604. ssl->f_recv = f_recv;
  3605. ssl->f_recv_timeout = f_recv_timeout;
  3606. }
  3607. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  3608. void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
  3609. {
  3610. ssl->mtu = mtu;
  3611. }
  3612. #endif
  3613. void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
  3614. {
  3615. conf->read_timeout = timeout;
  3616. }
  3617. void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
  3618. void *p_timer,
  3619. mbedtls_ssl_set_timer_t *f_set_timer,
  3620. mbedtls_ssl_get_timer_t *f_get_timer )
  3621. {
  3622. ssl->p_timer = p_timer;
  3623. ssl->f_set_timer = f_set_timer;
  3624. ssl->f_get_timer = f_get_timer;
  3625. /* Make sure we start with no timer running */
  3626. mbedtls_ssl_set_timer( ssl, 0 );
  3627. }
  3628. #if defined(MBEDTLS_SSL_SRV_C)
  3629. void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
  3630. void *p_cache,
  3631. int (*f_get_cache)(void *, mbedtls_ssl_session *),
  3632. int (*f_set_cache)(void *, const mbedtls_ssl_session *) )
  3633. {
  3634. conf->p_cache = p_cache;
  3635. conf->f_get_cache = f_get_cache;
  3636. conf->f_set_cache = f_set_cache;
  3637. }
  3638. #endif /* MBEDTLS_SSL_SRV_C */
  3639. #if defined(MBEDTLS_SSL_CLI_C)
  3640. int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
  3641. {
  3642. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  3643. if( ssl == NULL ||
  3644. session == NULL ||
  3645. ssl->session_negotiate == NULL ||
  3646. ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
  3647. {
  3648. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3649. }
  3650. if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
  3651. session ) ) != 0 )
  3652. return( ret );
  3653. ssl->handshake->resume = 1;
  3654. return( 0 );
  3655. }
  3656. #endif /* MBEDTLS_SSL_CLI_C */
  3657. void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
  3658. const int *ciphersuites )
  3659. {
  3660. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
  3661. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
  3662. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
  3663. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
  3664. }
  3665. void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
  3666. const int *ciphersuites,
  3667. int major, int minor )
  3668. {
  3669. if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
  3670. return;
  3671. if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )
  3672. return;
  3673. conf->ciphersuite_list[minor] = ciphersuites;
  3674. }
  3675. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  3676. void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
  3677. const mbedtls_x509_crt_profile *profile )
  3678. {
  3679. conf->cert_profile = profile;
  3680. }
  3681. /* Append a new keycert entry to a (possibly empty) list */
  3682. static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
  3683. mbedtls_x509_crt *cert,
  3684. mbedtls_pk_context *key )
  3685. {
  3686. mbedtls_ssl_key_cert *new_cert;
  3687. new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
  3688. if( new_cert == NULL )
  3689. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  3690. new_cert->cert = cert;
  3691. new_cert->key = key;
  3692. new_cert->next = NULL;
  3693. /* Update head is the list was null, else add to the end */
  3694. if( *head == NULL )
  3695. {
  3696. *head = new_cert;
  3697. }
  3698. else
  3699. {
  3700. mbedtls_ssl_key_cert *cur = *head;
  3701. while( cur->next != NULL )
  3702. cur = cur->next;
  3703. cur->next = new_cert;
  3704. }
  3705. return( 0 );
  3706. }
  3707. int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
  3708. mbedtls_x509_crt *own_cert,
  3709. mbedtls_pk_context *pk_key )
  3710. {
  3711. return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
  3712. }
  3713. void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
  3714. mbedtls_x509_crt *ca_chain,
  3715. mbedtls_x509_crl *ca_crl )
  3716. {
  3717. conf->ca_chain = ca_chain;
  3718. conf->ca_crl = ca_crl;
  3719. #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
  3720. /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
  3721. * cannot be used together. */
  3722. conf->f_ca_cb = NULL;
  3723. conf->p_ca_cb = NULL;
  3724. #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
  3725. }
  3726. #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
  3727. void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
  3728. mbedtls_x509_crt_ca_cb_t f_ca_cb,
  3729. void *p_ca_cb )
  3730. {
  3731. conf->f_ca_cb = f_ca_cb;
  3732. conf->p_ca_cb = p_ca_cb;
  3733. /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
  3734. * cannot be used together. */
  3735. conf->ca_chain = NULL;
  3736. conf->ca_crl = NULL;
  3737. }
  3738. #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
  3739. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  3740. #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
  3741. int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
  3742. mbedtls_x509_crt *own_cert,
  3743. mbedtls_pk_context *pk_key )
  3744. {
  3745. return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
  3746. own_cert, pk_key ) );
  3747. }
  3748. void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
  3749. mbedtls_x509_crt *ca_chain,
  3750. mbedtls_x509_crl *ca_crl )
  3751. {
  3752. ssl->handshake->sni_ca_chain = ca_chain;
  3753. ssl->handshake->sni_ca_crl = ca_crl;
  3754. }
  3755. void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
  3756. int authmode )
  3757. {
  3758. ssl->handshake->sni_authmode = authmode;
  3759. }
  3760. #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
  3761. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  3762. void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
  3763. int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
  3764. void *p_vrfy )
  3765. {
  3766. ssl->f_vrfy = f_vrfy;
  3767. ssl->p_vrfy = p_vrfy;
  3768. }
  3769. #endif
  3770. #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  3771. /*
  3772. * Set EC J-PAKE password for current handshake
  3773. */
  3774. int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
  3775. const unsigned char *pw,
  3776. size_t pw_len )
  3777. {
  3778. mbedtls_ecjpake_role role;
  3779. if( ssl->handshake == NULL || ssl->conf == NULL )
  3780. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3781. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
  3782. role = MBEDTLS_ECJPAKE_SERVER;
  3783. else
  3784. role = MBEDTLS_ECJPAKE_CLIENT;
  3785. return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
  3786. role,
  3787. MBEDTLS_MD_SHA256,
  3788. MBEDTLS_ECP_DP_SECP256R1,
  3789. pw, pw_len ) );
  3790. }
  3791. #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
  3792. #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
  3793. static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
  3794. {
  3795. /* Remove reference to existing PSK, if any. */
  3796. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  3797. if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
  3798. {
  3799. /* The maintenance of the PSK key slot is the
  3800. * user's responsibility. */
  3801. conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
  3802. }
  3803. /* This and the following branch should never
  3804. * be taken simultaenously as we maintain the
  3805. * invariant that raw and opaque PSKs are never
  3806. * configured simultaneously. As a safeguard,
  3807. * though, `else` is omitted here. */
  3808. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  3809. if( conf->psk != NULL )
  3810. {
  3811. mbedtls_platform_zeroize( conf->psk, conf->psk_len );
  3812. mbedtls_free( conf->psk );
  3813. conf->psk = NULL;
  3814. conf->psk_len = 0;
  3815. }
  3816. /* Remove reference to PSK identity, if any. */
  3817. if( conf->psk_identity != NULL )
  3818. {
  3819. mbedtls_free( conf->psk_identity );
  3820. conf->psk_identity = NULL;
  3821. conf->psk_identity_len = 0;
  3822. }
  3823. }
  3824. /* This function assumes that PSK identity in the SSL config is unset.
  3825. * It checks that the provided identity is well-formed and attempts
  3826. * to make a copy of it in the SSL config.
  3827. * On failure, the PSK identity in the config remains unset. */
  3828. static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,
  3829. unsigned char const *psk_identity,
  3830. size_t psk_identity_len )
  3831. {
  3832. /* Identity len will be encoded on two bytes */
  3833. if( psk_identity == NULL ||
  3834. ( psk_identity_len >> 16 ) != 0 ||
  3835. psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
  3836. {
  3837. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3838. }
  3839. conf->psk_identity = mbedtls_calloc( 1, psk_identity_len );
  3840. if( conf->psk_identity == NULL )
  3841. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  3842. conf->psk_identity_len = psk_identity_len;
  3843. memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
  3844. return( 0 );
  3845. }
  3846. int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
  3847. const unsigned char *psk, size_t psk_len,
  3848. const unsigned char *psk_identity, size_t psk_identity_len )
  3849. {
  3850. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  3851. /* Remove opaque/raw PSK + PSK Identity */
  3852. ssl_conf_remove_psk( conf );
  3853. /* Check and set raw PSK */
  3854. if( psk == NULL )
  3855. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3856. if( psk_len == 0 )
  3857. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3858. if( psk_len > MBEDTLS_PSK_MAX_LEN )
  3859. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3860. if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
  3861. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  3862. conf->psk_len = psk_len;
  3863. memcpy( conf->psk, psk, conf->psk_len );
  3864. /* Check and set PSK Identity */
  3865. ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len );
  3866. if( ret != 0 )
  3867. ssl_conf_remove_psk( conf );
  3868. return( ret );
  3869. }
  3870. static void ssl_remove_psk( mbedtls_ssl_context *ssl )
  3871. {
  3872. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  3873. if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
  3874. {
  3875. ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
  3876. }
  3877. else
  3878. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  3879. if( ssl->handshake->psk != NULL )
  3880. {
  3881. mbedtls_platform_zeroize( ssl->handshake->psk,
  3882. ssl->handshake->psk_len );
  3883. mbedtls_free( ssl->handshake->psk );
  3884. ssl->handshake->psk_len = 0;
  3885. }
  3886. }
  3887. int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
  3888. const unsigned char *psk, size_t psk_len )
  3889. {
  3890. if( psk == NULL || ssl->handshake == NULL )
  3891. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3892. if( psk_len > MBEDTLS_PSK_MAX_LEN )
  3893. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3894. ssl_remove_psk( ssl );
  3895. if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
  3896. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  3897. ssl->handshake->psk_len = psk_len;
  3898. memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
  3899. return( 0 );
  3900. }
  3901. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  3902. int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
  3903. psa_key_id_t psk,
  3904. const unsigned char *psk_identity,
  3905. size_t psk_identity_len )
  3906. {
  3907. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  3908. /* Clear opaque/raw PSK + PSK Identity, if present. */
  3909. ssl_conf_remove_psk( conf );
  3910. /* Check and set opaque PSK */
  3911. if( mbedtls_svc_key_id_is_null( psk ) )
  3912. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3913. conf->psk_opaque = psk;
  3914. /* Check and set PSK Identity */
  3915. ret = ssl_conf_set_psk_identity( conf, psk_identity,
  3916. psk_identity_len );
  3917. if( ret != 0 )
  3918. ssl_conf_remove_psk( conf );
  3919. return( ret );
  3920. }
  3921. int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
  3922. psa_key_id_t psk )
  3923. {
  3924. if( ( mbedtls_svc_key_id_is_null( psk ) ) ||
  3925. ( ssl->handshake == NULL ) )
  3926. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  3927. ssl_remove_psk( ssl );
  3928. ssl->handshake->psk_opaque = psk;
  3929. return( 0 );
  3930. }
  3931. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  3932. void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
  3933. int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
  3934. size_t),
  3935. void *p_psk )
  3936. {
  3937. conf->f_psk = f_psk;
  3938. conf->p_psk = p_psk;
  3939. }
  3940. #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
  3941. #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
  3942. #if !defined(MBEDTLS_DEPRECATED_REMOVED)
  3943. int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )
  3944. {
  3945. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  3946. if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ||
  3947. ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
  3948. {
  3949. mbedtls_mpi_free( &conf->dhm_P );
  3950. mbedtls_mpi_free( &conf->dhm_G );
  3951. return( ret );
  3952. }
  3953. return( 0 );
  3954. }
  3955. #endif /* MBEDTLS_DEPRECATED_REMOVED */
  3956. int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
  3957. const unsigned char *dhm_P, size_t P_len,
  3958. const unsigned char *dhm_G, size_t G_len )
  3959. {
  3960. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  3961. if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
  3962. ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
  3963. {
  3964. mbedtls_mpi_free( &conf->dhm_P );
  3965. mbedtls_mpi_free( &conf->dhm_G );
  3966. return( ret );
  3967. }
  3968. return( 0 );
  3969. }
  3970. int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
  3971. {
  3972. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  3973. if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ||
  3974. ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
  3975. {
  3976. mbedtls_mpi_free( &conf->dhm_P );
  3977. mbedtls_mpi_free( &conf->dhm_G );
  3978. return( ret );
  3979. }
  3980. return( 0 );
  3981. }
  3982. #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
  3983. #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
  3984. /*
  3985. * Set the minimum length for Diffie-Hellman parameters
  3986. */
  3987. void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
  3988. unsigned int bitlen )
  3989. {
  3990. conf->dhm_min_bitlen = bitlen;
  3991. }
  3992. #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
  3993. #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
  3994. /*
  3995. * Set allowed/preferred hashes for handshake signatures
  3996. */
  3997. void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
  3998. const int *hashes )
  3999. {
  4000. conf->sig_hashes = hashes;
  4001. }
  4002. #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
  4003. #if defined(MBEDTLS_ECP_C)
  4004. /*
  4005. * Set the allowed elliptic curves
  4006. */
  4007. void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
  4008. const mbedtls_ecp_group_id *curve_list )
  4009. {
  4010. conf->curve_list = curve_list;
  4011. }
  4012. #endif /* MBEDTLS_ECP_C */
  4013. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  4014. int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
  4015. {
  4016. /* Initialize to suppress unnecessary compiler warning */
  4017. size_t hostname_len = 0;
  4018. /* Check if new hostname is valid before
  4019. * making any change to current one */
  4020. if( hostname != NULL )
  4021. {
  4022. hostname_len = strlen( hostname );
  4023. if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
  4024. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4025. }
  4026. /* Now it's clear that we will overwrite the old hostname,
  4027. * so we can free it safely */
  4028. if( ssl->hostname != NULL )
  4029. {
  4030. mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
  4031. mbedtls_free( ssl->hostname );
  4032. }
  4033. /* Passing NULL as hostname shall clear the old one */
  4034. if( hostname == NULL )
  4035. {
  4036. ssl->hostname = NULL;
  4037. }
  4038. else
  4039. {
  4040. ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
  4041. if( ssl->hostname == NULL )
  4042. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  4043. memcpy( ssl->hostname, hostname, hostname_len );
  4044. ssl->hostname[hostname_len] = '\0';
  4045. }
  4046. return( 0 );
  4047. }
  4048. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  4049. #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
  4050. void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
  4051. int (*f_sni)(void *, mbedtls_ssl_context *,
  4052. const unsigned char *, size_t),
  4053. void *p_sni )
  4054. {
  4055. conf->f_sni = f_sni;
  4056. conf->p_sni = p_sni;
  4057. }
  4058. #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
  4059. #if defined(MBEDTLS_SSL_ALPN)
  4060. int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
  4061. {
  4062. size_t cur_len, tot_len;
  4063. const char **p;
  4064. /*
  4065. * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
  4066. * MUST NOT be truncated."
  4067. * We check lengths now rather than later.
  4068. */
  4069. tot_len = 0;
  4070. for( p = protos; *p != NULL; p++ )
  4071. {
  4072. cur_len = strlen( *p );
  4073. tot_len += cur_len;
  4074. if( ( cur_len == 0 ) ||
  4075. ( cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN ) ||
  4076. ( tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN ) )
  4077. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4078. }
  4079. conf->alpn_list = protos;
  4080. return( 0 );
  4081. }
  4082. const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
  4083. {
  4084. return( ssl->alpn_chosen );
  4085. }
  4086. #endif /* MBEDTLS_SSL_ALPN */
  4087. #if defined(MBEDTLS_SSL_DTLS_SRTP)
  4088. void mbedtls_ssl_conf_srtp_mki_value_supported( mbedtls_ssl_config *conf,
  4089. int support_mki_value )
  4090. {
  4091. conf->dtls_srtp_mki_support = support_mki_value;
  4092. }
  4093. int mbedtls_ssl_dtls_srtp_set_mki_value( mbedtls_ssl_context *ssl,
  4094. unsigned char *mki_value,
  4095. uint16_t mki_len )
  4096. {
  4097. if( mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH )
  4098. {
  4099. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4100. }
  4101. if( ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED )
  4102. {
  4103. return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
  4104. }
  4105. memcpy( ssl->dtls_srtp_info.mki_value, mki_value, mki_len );
  4106. ssl->dtls_srtp_info.mki_len = mki_len;
  4107. return( 0 );
  4108. }
  4109. int mbedtls_ssl_conf_dtls_srtp_protection_profiles( mbedtls_ssl_config *conf,
  4110. const mbedtls_ssl_srtp_profile *profiles )
  4111. {
  4112. const mbedtls_ssl_srtp_profile *p;
  4113. size_t list_size = 0;
  4114. /* check the profiles list: all entry must be valid,
  4115. * its size cannot be more than the total number of supported profiles, currently 4 */
  4116. for( p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
  4117. list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
  4118. p++ )
  4119. {
  4120. if( mbedtls_ssl_check_srtp_profile_value( *p ) != MBEDTLS_TLS_SRTP_UNSET )
  4121. {
  4122. list_size++;
  4123. }
  4124. else
  4125. {
  4126. /* unsupported value, stop parsing and set the size to an error value */
  4127. list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
  4128. }
  4129. }
  4130. if( list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH )
  4131. {
  4132. conf->dtls_srtp_profile_list = NULL;
  4133. conf->dtls_srtp_profile_list_len = 0;
  4134. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4135. }
  4136. conf->dtls_srtp_profile_list = profiles;
  4137. conf->dtls_srtp_profile_list_len = list_size;
  4138. return( 0 );
  4139. }
  4140. void mbedtls_ssl_get_dtls_srtp_negotiation_result( const mbedtls_ssl_context *ssl,
  4141. mbedtls_dtls_srtp_info *dtls_srtp_info )
  4142. {
  4143. dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
  4144. /* do not copy the mki value if there is no chosen profile */
  4145. if( dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET )
  4146. {
  4147. dtls_srtp_info->mki_len = 0;
  4148. }
  4149. else
  4150. {
  4151. dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
  4152. memcpy( dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
  4153. ssl->dtls_srtp_info.mki_len );
  4154. }
  4155. }
  4156. #endif /* MBEDTLS_SSL_DTLS_SRTP */
  4157. void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
  4158. {
  4159. conf->max_major_ver = major;
  4160. conf->max_minor_ver = minor;
  4161. }
  4162. void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
  4163. {
  4164. conf->min_major_ver = major;
  4165. conf->min_minor_ver = minor;
  4166. }
  4167. #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
  4168. void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
  4169. {
  4170. conf->fallback = fallback;
  4171. }
  4172. #endif
  4173. #if defined(MBEDTLS_SSL_SRV_C)
  4174. void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
  4175. char cert_req_ca_list )
  4176. {
  4177. conf->cert_req_ca_list = cert_req_ca_list;
  4178. }
  4179. #endif
  4180. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  4181. void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
  4182. {
  4183. conf->encrypt_then_mac = etm;
  4184. }
  4185. #endif
  4186. #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
  4187. void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
  4188. {
  4189. conf->extended_ms = ems;
  4190. }
  4191. #endif
  4192. #if defined(MBEDTLS_ARC4_C)
  4193. void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
  4194. {
  4195. conf->arc4_disabled = arc4;
  4196. }
  4197. #endif
  4198. #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
  4199. int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
  4200. {
  4201. if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
  4202. ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
  4203. {
  4204. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4205. }
  4206. conf->mfl_code = mfl_code;
  4207. return( 0 );
  4208. }
  4209. #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
  4210. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  4211. void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
  4212. {
  4213. conf->trunc_hmac = truncate;
  4214. }
  4215. #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
  4216. #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
  4217. void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
  4218. {
  4219. conf->cbc_record_splitting = split;
  4220. }
  4221. #endif
  4222. void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
  4223. {
  4224. conf->allow_legacy_renegotiation = allow_legacy;
  4225. }
  4226. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  4227. void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
  4228. {
  4229. conf->disable_renegotiation = renegotiation;
  4230. }
  4231. void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
  4232. {
  4233. conf->renego_max_records = max_records;
  4234. }
  4235. void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
  4236. const unsigned char period[8] )
  4237. {
  4238. memcpy( conf->renego_period, period, 8 );
  4239. }
  4240. #endif /* MBEDTLS_SSL_RENEGOTIATION */
  4241. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  4242. #if defined(MBEDTLS_SSL_CLI_C)
  4243. void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
  4244. {
  4245. conf->session_tickets = use_tickets;
  4246. }
  4247. #endif
  4248. #if defined(MBEDTLS_SSL_SRV_C)
  4249. void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
  4250. mbedtls_ssl_ticket_write_t *f_ticket_write,
  4251. mbedtls_ssl_ticket_parse_t *f_ticket_parse,
  4252. void *p_ticket )
  4253. {
  4254. conf->f_ticket_write = f_ticket_write;
  4255. conf->f_ticket_parse = f_ticket_parse;
  4256. conf->p_ticket = p_ticket;
  4257. }
  4258. #endif
  4259. #endif /* MBEDTLS_SSL_SESSION_TICKETS */
  4260. #if defined(MBEDTLS_SSL_EXPORT_KEYS)
  4261. void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
  4262. mbedtls_ssl_export_keys_t *f_export_keys,
  4263. void *p_export_keys )
  4264. {
  4265. conf->f_export_keys = f_export_keys;
  4266. conf->p_export_keys = p_export_keys;
  4267. }
  4268. void mbedtls_ssl_conf_export_keys_ext_cb( mbedtls_ssl_config *conf,
  4269. mbedtls_ssl_export_keys_ext_t *f_export_keys_ext,
  4270. void *p_export_keys )
  4271. {
  4272. conf->f_export_keys_ext = f_export_keys_ext;
  4273. conf->p_export_keys = p_export_keys;
  4274. }
  4275. #endif
  4276. #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
  4277. void mbedtls_ssl_conf_async_private_cb(
  4278. mbedtls_ssl_config *conf,
  4279. mbedtls_ssl_async_sign_t *f_async_sign,
  4280. mbedtls_ssl_async_decrypt_t *f_async_decrypt,
  4281. mbedtls_ssl_async_resume_t *f_async_resume,
  4282. mbedtls_ssl_async_cancel_t *f_async_cancel,
  4283. void *async_config_data )
  4284. {
  4285. conf->f_async_sign_start = f_async_sign;
  4286. conf->f_async_decrypt_start = f_async_decrypt;
  4287. conf->f_async_resume = f_async_resume;
  4288. conf->f_async_cancel = f_async_cancel;
  4289. conf->p_async_config_data = async_config_data;
  4290. }
  4291. void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
  4292. {
  4293. return( conf->p_async_config_data );
  4294. }
  4295. void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
  4296. {
  4297. if( ssl->handshake == NULL )
  4298. return( NULL );
  4299. else
  4300. return( ssl->handshake->user_async_ctx );
  4301. }
  4302. void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
  4303. void *ctx )
  4304. {
  4305. if( ssl->handshake != NULL )
  4306. ssl->handshake->user_async_ctx = ctx;
  4307. }
  4308. #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
  4309. /*
  4310. * SSL get accessors
  4311. */
  4312. uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
  4313. {
  4314. if( ssl->session != NULL )
  4315. return( ssl->session->verify_result );
  4316. if( ssl->session_negotiate != NULL )
  4317. return( ssl->session_negotiate->verify_result );
  4318. return( 0xFFFFFFFF );
  4319. }
  4320. const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
  4321. {
  4322. if( ssl == NULL || ssl->session == NULL )
  4323. return( NULL );
  4324. return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
  4325. }
  4326. const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
  4327. {
  4328. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  4329. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  4330. {
  4331. switch( ssl->minor_ver )
  4332. {
  4333. case MBEDTLS_SSL_MINOR_VERSION_2:
  4334. return( "DTLSv1.0" );
  4335. case MBEDTLS_SSL_MINOR_VERSION_3:
  4336. return( "DTLSv1.2" );
  4337. default:
  4338. return( "unknown (DTLS)" );
  4339. }
  4340. }
  4341. #endif
  4342. switch( ssl->minor_ver )
  4343. {
  4344. case MBEDTLS_SSL_MINOR_VERSION_0:
  4345. return( "SSLv3.0" );
  4346. case MBEDTLS_SSL_MINOR_VERSION_1:
  4347. return( "TLSv1.0" );
  4348. case MBEDTLS_SSL_MINOR_VERSION_2:
  4349. return( "TLSv1.1" );
  4350. case MBEDTLS_SSL_MINOR_VERSION_3:
  4351. return( "TLSv1.2" );
  4352. default:
  4353. return( "unknown" );
  4354. }
  4355. }
  4356. #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
  4357. size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl )
  4358. {
  4359. size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
  4360. size_t read_mfl;
  4361. /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
  4362. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
  4363. ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE )
  4364. {
  4365. return ssl_mfl_code_to_length( ssl->conf->mfl_code );
  4366. }
  4367. /* Check if a smaller max length was negotiated */
  4368. if( ssl->session_out != NULL )
  4369. {
  4370. read_mfl = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
  4371. if( read_mfl < max_len )
  4372. {
  4373. max_len = read_mfl;
  4374. }
  4375. }
  4376. // During a handshake, use the value being negotiated
  4377. if( ssl->session_negotiate != NULL )
  4378. {
  4379. read_mfl = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
  4380. if( read_mfl < max_len )
  4381. {
  4382. max_len = read_mfl;
  4383. }
  4384. }
  4385. return( max_len );
  4386. }
  4387. size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl )
  4388. {
  4389. size_t max_len;
  4390. /*
  4391. * Assume mfl_code is correct since it was checked when set
  4392. */
  4393. max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
  4394. /* Check if a smaller max length was negotiated */
  4395. if( ssl->session_out != NULL &&
  4396. ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
  4397. {
  4398. max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
  4399. }
  4400. /* During a handshake, use the value being negotiated */
  4401. if( ssl->session_negotiate != NULL &&
  4402. ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
  4403. {
  4404. max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
  4405. }
  4406. return( max_len );
  4407. }
  4408. #if !defined(MBEDTLS_DEPRECATED_REMOVED)
  4409. size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
  4410. {
  4411. return mbedtls_ssl_get_output_max_frag_len( ssl );
  4412. }
  4413. #endif /* !MBEDTLS_DEPRECATED_REMOVED */
  4414. #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
  4415. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  4416. size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
  4417. {
  4418. /* Return unlimited mtu for client hello messages to avoid fragmentation. */
  4419. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
  4420. ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
  4421. ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
  4422. return ( 0 );
  4423. if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
  4424. return( ssl->mtu );
  4425. if( ssl->mtu == 0 )
  4426. return( ssl->handshake->mtu );
  4427. return( ssl->mtu < ssl->handshake->mtu ?
  4428. ssl->mtu : ssl->handshake->mtu );
  4429. }
  4430. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  4431. int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
  4432. {
  4433. size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
  4434. #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
  4435. !defined(MBEDTLS_SSL_PROTO_DTLS)
  4436. (void) ssl;
  4437. #endif
  4438. #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
  4439. const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
  4440. if( max_len > mfl )
  4441. max_len = mfl;
  4442. #endif
  4443. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  4444. if( mbedtls_ssl_get_current_mtu( ssl ) != 0 )
  4445. {
  4446. const size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
  4447. const int ret = mbedtls_ssl_get_record_expansion( ssl );
  4448. const size_t overhead = (size_t) ret;
  4449. if( ret < 0 )
  4450. return( ret );
  4451. if( mtu <= overhead )
  4452. {
  4453. MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
  4454. return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
  4455. }
  4456. if( max_len > mtu - overhead )
  4457. max_len = mtu - overhead;
  4458. }
  4459. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  4460. #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
  4461. !defined(MBEDTLS_SSL_PROTO_DTLS)
  4462. ((void) ssl);
  4463. #endif
  4464. return( (int) max_len );
  4465. }
  4466. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  4467. const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
  4468. {
  4469. if( ssl == NULL || ssl->session == NULL )
  4470. return( NULL );
  4471. #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  4472. return( ssl->session->peer_cert );
  4473. #else
  4474. return( NULL );
  4475. #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  4476. }
  4477. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  4478. #if defined(MBEDTLS_SSL_CLI_C)
  4479. int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,
  4480. mbedtls_ssl_session *dst )
  4481. {
  4482. if( ssl == NULL ||
  4483. dst == NULL ||
  4484. ssl->session == NULL ||
  4485. ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
  4486. {
  4487. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4488. }
  4489. return( mbedtls_ssl_session_copy( dst, ssl->session ) );
  4490. }
  4491. #endif /* MBEDTLS_SSL_CLI_C */
  4492. const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_context *ssl )
  4493. {
  4494. if( ssl == NULL )
  4495. return( NULL );
  4496. return( ssl->session );
  4497. }
  4498. /*
  4499. * Define ticket header determining Mbed TLS version
  4500. * and structure of the ticket.
  4501. */
  4502. /*
  4503. * Define bitflag determining compile-time settings influencing
  4504. * structure of serialized SSL sessions.
  4505. */
  4506. #if defined(MBEDTLS_HAVE_TIME)
  4507. #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
  4508. #else
  4509. #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
  4510. #endif /* MBEDTLS_HAVE_TIME */
  4511. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  4512. #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
  4513. #else
  4514. #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
  4515. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  4516. #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
  4517. #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
  4518. #else
  4519. #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
  4520. #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
  4521. #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
  4522. #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
  4523. #else
  4524. #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
  4525. #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
  4526. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  4527. #define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 1
  4528. #else
  4529. #define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC 0
  4530. #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
  4531. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  4532. #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
  4533. #else
  4534. #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
  4535. #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
  4536. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  4537. #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
  4538. #else
  4539. #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
  4540. #endif /* MBEDTLS_SSL_SESSION_TICKETS */
  4541. #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
  4542. #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
  4543. #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
  4544. #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
  4545. #define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT 4
  4546. #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 5
  4547. #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 6
  4548. #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
  4549. ( (uint16_t) ( \
  4550. ( SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT ) | \
  4551. ( SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT ) | \
  4552. ( SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT ) | \
  4553. ( SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT ) | \
  4554. ( SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC << SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT ) | \
  4555. ( SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT ) | \
  4556. ( SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT ) ) )
  4557. static unsigned char ssl_serialized_session_header[] = {
  4558. MBEDTLS_VERSION_MAJOR,
  4559. MBEDTLS_VERSION_MINOR,
  4560. MBEDTLS_VERSION_PATCH,
  4561. MBEDTLS_BYTE_1( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
  4562. MBEDTLS_BYTE_0( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
  4563. };
  4564. /*
  4565. * Serialize a session in the following format:
  4566. * (in the presentation language of TLS, RFC 8446 section 3)
  4567. *
  4568. * opaque mbedtls_version[3]; // major, minor, patch
  4569. * opaque session_format[2]; // version-specific 16-bit field determining
  4570. * // the format of the remaining
  4571. * // serialized data.
  4572. *
  4573. * Note: When updating the format, remember to keep
  4574. * these version+format bytes.
  4575. *
  4576. * // In this version, `session_format` determines
  4577. * // the setting of those compile-time
  4578. * // configuration options which influence
  4579. * // the structure of mbedtls_ssl_session.
  4580. * uint64 start_time;
  4581. * uint8 ciphersuite[2]; // defined by the standard
  4582. * uint8 compression; // 0 or 1
  4583. * uint8 session_id_len; // at most 32
  4584. * opaque session_id[32];
  4585. * opaque master[48]; // fixed length in the standard
  4586. * uint32 verify_result;
  4587. * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
  4588. * opaque ticket<0..2^24-1>; // length 0 means no ticket
  4589. * uint32 ticket_lifetime;
  4590. * uint8 mfl_code; // up to 255 according to standard
  4591. * uint8 trunc_hmac; // 0 or 1
  4592. * uint8 encrypt_then_mac; // 0 or 1
  4593. *
  4594. * The order is the same as in the definition of the structure, except
  4595. * verify_result is put before peer_cert so that all mandatory fields come
  4596. * together in one block.
  4597. */
  4598. static int ssl_session_save( const mbedtls_ssl_session *session,
  4599. unsigned char omit_header,
  4600. unsigned char *buf,
  4601. size_t buf_len,
  4602. size_t *olen )
  4603. {
  4604. unsigned char *p = buf;
  4605. size_t used = 0;
  4606. #if defined(MBEDTLS_HAVE_TIME)
  4607. uint64_t start;
  4608. #endif
  4609. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  4610. #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  4611. size_t cert_len;
  4612. #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  4613. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  4614. if( !omit_header )
  4615. {
  4616. /*
  4617. * Add version identifier
  4618. */
  4619. used += sizeof( ssl_serialized_session_header );
  4620. if( used <= buf_len )
  4621. {
  4622. memcpy( p, ssl_serialized_session_header,
  4623. sizeof( ssl_serialized_session_header ) );
  4624. p += sizeof( ssl_serialized_session_header );
  4625. }
  4626. }
  4627. /*
  4628. * Time
  4629. */
  4630. #if defined(MBEDTLS_HAVE_TIME)
  4631. used += 8;
  4632. if( used <= buf_len )
  4633. {
  4634. start = (uint64_t) session->start;
  4635. MBEDTLS_PUT_UINT64_BE( start, p, 0 );
  4636. p += 8;
  4637. }
  4638. #endif /* MBEDTLS_HAVE_TIME */
  4639. /*
  4640. * Basic mandatory fields
  4641. */
  4642. used += 2 /* ciphersuite */
  4643. + 1 /* compression */
  4644. + 1 /* id_len */
  4645. + sizeof( session->id )
  4646. + sizeof( session->master )
  4647. + 4; /* verify_result */
  4648. if( used <= buf_len )
  4649. {
  4650. MBEDTLS_PUT_UINT16_BE( session->ciphersuite, p, 0 );
  4651. p += 2;
  4652. *p++ = MBEDTLS_BYTE_0( session->compression );
  4653. *p++ = MBEDTLS_BYTE_0( session->id_len );
  4654. memcpy( p, session->id, 32 );
  4655. p += 32;
  4656. memcpy( p, session->master, 48 );
  4657. p += 48;
  4658. MBEDTLS_PUT_UINT32_BE( session->verify_result, p, 0 );
  4659. p += 4;
  4660. }
  4661. /*
  4662. * Peer's end-entity certificate
  4663. */
  4664. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  4665. #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  4666. if( session->peer_cert == NULL )
  4667. cert_len = 0;
  4668. else
  4669. cert_len = session->peer_cert->raw.len;
  4670. used += 3 + cert_len;
  4671. if( used <= buf_len )
  4672. {
  4673. *p++ = MBEDTLS_BYTE_2( cert_len );
  4674. *p++ = MBEDTLS_BYTE_1( cert_len );
  4675. *p++ = MBEDTLS_BYTE_0( cert_len );
  4676. if( session->peer_cert != NULL )
  4677. {
  4678. memcpy( p, session->peer_cert->raw.p, cert_len );
  4679. p += cert_len;
  4680. }
  4681. }
  4682. #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  4683. if( session->peer_cert_digest != NULL )
  4684. {
  4685. used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
  4686. if( used <= buf_len )
  4687. {
  4688. *p++ = (unsigned char) session->peer_cert_digest_type;
  4689. *p++ = (unsigned char) session->peer_cert_digest_len;
  4690. memcpy( p, session->peer_cert_digest,
  4691. session->peer_cert_digest_len );
  4692. p += session->peer_cert_digest_len;
  4693. }
  4694. }
  4695. else
  4696. {
  4697. used += 2;
  4698. if( used <= buf_len )
  4699. {
  4700. *p++ = (unsigned char) MBEDTLS_MD_NONE;
  4701. *p++ = 0;
  4702. }
  4703. }
  4704. #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  4705. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  4706. /*
  4707. * Session ticket if any, plus associated data
  4708. */
  4709. #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
  4710. used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
  4711. if( used <= buf_len )
  4712. {
  4713. *p++ = MBEDTLS_BYTE_2( session->ticket_len );
  4714. *p++ = MBEDTLS_BYTE_1( session->ticket_len );
  4715. *p++ = MBEDTLS_BYTE_0( session->ticket_len );
  4716. if( session->ticket != NULL )
  4717. {
  4718. memcpy( p, session->ticket, session->ticket_len );
  4719. p += session->ticket_len;
  4720. }
  4721. MBEDTLS_PUT_UINT32_BE( session->ticket_lifetime, p, 0 );
  4722. p += 4;
  4723. }
  4724. #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
  4725. /*
  4726. * Misc extension-related info
  4727. */
  4728. #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
  4729. used += 1;
  4730. if( used <= buf_len )
  4731. *p++ = session->mfl_code;
  4732. #endif
  4733. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  4734. used += 1;
  4735. if( used <= buf_len )
  4736. *p++ = (unsigned char)( ( session->trunc_hmac ) & 0xFF );
  4737. #endif
  4738. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  4739. used += 1;
  4740. if( used <= buf_len )
  4741. *p++ = MBEDTLS_BYTE_0( session->encrypt_then_mac );
  4742. #endif
  4743. /* Done */
  4744. *olen = used;
  4745. if( used > buf_len )
  4746. return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
  4747. return( 0 );
  4748. }
  4749. /*
  4750. * Public wrapper for ssl_session_save()
  4751. */
  4752. int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
  4753. unsigned char *buf,
  4754. size_t buf_len,
  4755. size_t *olen )
  4756. {
  4757. return( ssl_session_save( session, 0, buf, buf_len, olen ) );
  4758. }
  4759. /*
  4760. * Deserialize session, see mbedtls_ssl_session_save() for format.
  4761. *
  4762. * This internal version is wrapped by a public function that cleans up in
  4763. * case of error, and has an extra option omit_header.
  4764. */
  4765. static int ssl_session_load( mbedtls_ssl_session *session,
  4766. unsigned char omit_header,
  4767. const unsigned char *buf,
  4768. size_t len )
  4769. {
  4770. const unsigned char *p = buf;
  4771. const unsigned char * const end = buf + len;
  4772. #if defined(MBEDTLS_HAVE_TIME)
  4773. uint64_t start;
  4774. #endif
  4775. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  4776. #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  4777. size_t cert_len;
  4778. #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  4779. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  4780. if( !omit_header )
  4781. {
  4782. /*
  4783. * Check version identifier
  4784. */
  4785. if( (size_t)( end - p ) < sizeof( ssl_serialized_session_header ) )
  4786. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4787. if( memcmp( p, ssl_serialized_session_header,
  4788. sizeof( ssl_serialized_session_header ) ) != 0 )
  4789. {
  4790. return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
  4791. }
  4792. p += sizeof( ssl_serialized_session_header );
  4793. }
  4794. /*
  4795. * Time
  4796. */
  4797. #if defined(MBEDTLS_HAVE_TIME)
  4798. if( 8 > (size_t)( end - p ) )
  4799. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4800. start = ( (uint64_t) p[0] << 56 ) |
  4801. ( (uint64_t) p[1] << 48 ) |
  4802. ( (uint64_t) p[2] << 40 ) |
  4803. ( (uint64_t) p[3] << 32 ) |
  4804. ( (uint64_t) p[4] << 24 ) |
  4805. ( (uint64_t) p[5] << 16 ) |
  4806. ( (uint64_t) p[6] << 8 ) |
  4807. ( (uint64_t) p[7] );
  4808. p += 8;
  4809. session->start = (time_t) start;
  4810. #endif /* MBEDTLS_HAVE_TIME */
  4811. /*
  4812. * Basic mandatory fields
  4813. */
  4814. if( 2 + 1 + 1 + 32 + 48 + 4 > (size_t)( end - p ) )
  4815. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4816. session->ciphersuite = ( p[0] << 8 ) | p[1];
  4817. p += 2;
  4818. session->compression = *p++;
  4819. session->id_len = *p++;
  4820. memcpy( session->id, p, 32 );
  4821. p += 32;
  4822. memcpy( session->master, p, 48 );
  4823. p += 48;
  4824. session->verify_result = ( (uint32_t) p[0] << 24 ) |
  4825. ( (uint32_t) p[1] << 16 ) |
  4826. ( (uint32_t) p[2] << 8 ) |
  4827. ( (uint32_t) p[3] );
  4828. p += 4;
  4829. /* Immediately clear invalid pointer values that have been read, in case
  4830. * we exit early before we replaced them with valid ones. */
  4831. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  4832. #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  4833. session->peer_cert = NULL;
  4834. #else
  4835. session->peer_cert_digest = NULL;
  4836. #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  4837. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  4838. #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
  4839. session->ticket = NULL;
  4840. #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
  4841. /*
  4842. * Peer certificate
  4843. */
  4844. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  4845. #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  4846. /* Deserialize CRT from the end of the ticket. */
  4847. if( 3 > (size_t)( end - p ) )
  4848. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4849. cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
  4850. p += 3;
  4851. if( cert_len != 0 )
  4852. {
  4853. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  4854. if( cert_len > (size_t)( end - p ) )
  4855. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4856. session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
  4857. if( session->peer_cert == NULL )
  4858. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  4859. mbedtls_x509_crt_init( session->peer_cert );
  4860. if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
  4861. p, cert_len ) ) != 0 )
  4862. {
  4863. mbedtls_x509_crt_free( session->peer_cert );
  4864. mbedtls_free( session->peer_cert );
  4865. session->peer_cert = NULL;
  4866. return( ret );
  4867. }
  4868. p += cert_len;
  4869. }
  4870. #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  4871. /* Deserialize CRT digest from the end of the ticket. */
  4872. if( 2 > (size_t)( end - p ) )
  4873. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4874. session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
  4875. session->peer_cert_digest_len = (size_t) *p++;
  4876. if( session->peer_cert_digest_len != 0 )
  4877. {
  4878. const mbedtls_md_info_t *md_info =
  4879. mbedtls_md_info_from_type( session->peer_cert_digest_type );
  4880. if( md_info == NULL )
  4881. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4882. if( session->peer_cert_digest_len != mbedtls_md_get_size( md_info ) )
  4883. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4884. if( session->peer_cert_digest_len > (size_t)( end - p ) )
  4885. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4886. session->peer_cert_digest =
  4887. mbedtls_calloc( 1, session->peer_cert_digest_len );
  4888. if( session->peer_cert_digest == NULL )
  4889. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  4890. memcpy( session->peer_cert_digest, p,
  4891. session->peer_cert_digest_len );
  4892. p += session->peer_cert_digest_len;
  4893. }
  4894. #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  4895. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  4896. /*
  4897. * Session ticket and associated data
  4898. */
  4899. #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
  4900. if( 3 > (size_t)( end - p ) )
  4901. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4902. session->ticket_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
  4903. p += 3;
  4904. if( session->ticket_len != 0 )
  4905. {
  4906. if( session->ticket_len > (size_t)( end - p ) )
  4907. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4908. session->ticket = mbedtls_calloc( 1, session->ticket_len );
  4909. if( session->ticket == NULL )
  4910. return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
  4911. memcpy( session->ticket, p, session->ticket_len );
  4912. p += session->ticket_len;
  4913. }
  4914. if( 4 > (size_t)( end - p ) )
  4915. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4916. session->ticket_lifetime = ( (uint32_t) p[0] << 24 ) |
  4917. ( (uint32_t) p[1] << 16 ) |
  4918. ( (uint32_t) p[2] << 8 ) |
  4919. ( (uint32_t) p[3] );
  4920. p += 4;
  4921. #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
  4922. /*
  4923. * Misc extension-related info
  4924. */
  4925. #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
  4926. if( 1 > (size_t)( end - p ) )
  4927. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4928. session->mfl_code = *p++;
  4929. #endif
  4930. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  4931. if( 1 > (size_t)( end - p ) )
  4932. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4933. session->trunc_hmac = *p++;
  4934. #endif
  4935. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  4936. if( 1 > (size_t)( end - p ) )
  4937. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4938. session->encrypt_then_mac = *p++;
  4939. #endif
  4940. /* Done, should have consumed entire buffer */
  4941. if( p != end )
  4942. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4943. return( 0 );
  4944. }
  4945. /*
  4946. * Deserialize session: public wrapper for error cleaning
  4947. */
  4948. int mbedtls_ssl_session_load( mbedtls_ssl_session *session,
  4949. const unsigned char *buf,
  4950. size_t len )
  4951. {
  4952. int ret = ssl_session_load( session, 0, buf, len );
  4953. if( ret != 0 )
  4954. mbedtls_ssl_session_free( session );
  4955. return( ret );
  4956. }
  4957. /*
  4958. * Perform a single step of the SSL handshake
  4959. */
  4960. int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
  4961. {
  4962. int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
  4963. if( ssl == NULL || ssl->conf == NULL )
  4964. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4965. #if defined(MBEDTLS_SSL_CLI_C)
  4966. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
  4967. ret = mbedtls_ssl_handshake_client_step( ssl );
  4968. #endif
  4969. #if defined(MBEDTLS_SSL_SRV_C)
  4970. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
  4971. ret = mbedtls_ssl_handshake_server_step( ssl );
  4972. #endif
  4973. return( ret );
  4974. }
  4975. /*
  4976. * Perform the SSL handshake
  4977. */
  4978. int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
  4979. {
  4980. int ret = 0;
  4981. /* Sanity checks */
  4982. if( ssl == NULL || ssl->conf == NULL )
  4983. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4984. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  4985. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
  4986. ( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL ) )
  4987. {
  4988. MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
  4989. "mbedtls_ssl_set_timer_cb() for DTLS" ) );
  4990. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  4991. }
  4992. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  4993. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
  4994. /* Main handshake loop */
  4995. while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
  4996. {
  4997. ret = mbedtls_ssl_handshake_step( ssl );
  4998. if( ret != 0 )
  4999. break;
  5000. }
  5001. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
  5002. return( ret );
  5003. }
  5004. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  5005. #if defined(MBEDTLS_SSL_SRV_C)
  5006. /*
  5007. * Write HelloRequest to request renegotiation on server
  5008. */
  5009. static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
  5010. {
  5011. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  5012. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
  5013. ssl->out_msglen = 4;
  5014. ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
  5015. ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
  5016. if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
  5017. {
  5018. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
  5019. return( ret );
  5020. }
  5021. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
  5022. return( 0 );
  5023. }
  5024. #endif /* MBEDTLS_SSL_SRV_C */
  5025. /*
  5026. * Actually renegotiate current connection, triggered by either:
  5027. * - any side: calling mbedtls_ssl_renegotiate(),
  5028. * - client: receiving a HelloRequest during mbedtls_ssl_read(),
  5029. * - server: receiving any handshake message on server during mbedtls_ssl_read() after
  5030. * the initial handshake is completed.
  5031. * If the handshake doesn't complete due to waiting for I/O, it will continue
  5032. * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
  5033. */
  5034. int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl )
  5035. {
  5036. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  5037. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
  5038. if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
  5039. return( ret );
  5040. /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
  5041. * the ServerHello will have message_seq = 1" */
  5042. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  5043. if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
  5044. ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
  5045. {
  5046. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
  5047. ssl->handshake->out_msg_seq = 1;
  5048. else
  5049. ssl->handshake->in_msg_seq = 1;
  5050. }
  5051. #endif
  5052. ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
  5053. ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
  5054. if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
  5055. {
  5056. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
  5057. return( ret );
  5058. }
  5059. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
  5060. return( 0 );
  5061. }
  5062. /*
  5063. * Renegotiate current connection on client,
  5064. * or request renegotiation on server
  5065. */
  5066. int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
  5067. {
  5068. int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
  5069. if( ssl == NULL || ssl->conf == NULL )
  5070. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5071. #if defined(MBEDTLS_SSL_SRV_C)
  5072. /* On server, just send the request */
  5073. if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
  5074. {
  5075. if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
  5076. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5077. ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
  5078. /* Did we already try/start sending HelloRequest? */
  5079. if( ssl->out_left != 0 )
  5080. return( mbedtls_ssl_flush_output( ssl ) );
  5081. return( ssl_write_hello_request( ssl ) );
  5082. }
  5083. #endif /* MBEDTLS_SSL_SRV_C */
  5084. #if defined(MBEDTLS_SSL_CLI_C)
  5085. /*
  5086. * On client, either start the renegotiation process or,
  5087. * if already in progress, continue the handshake
  5088. */
  5089. if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
  5090. {
  5091. if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
  5092. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5093. if( ( ret = mbedtls_ssl_start_renegotiation( ssl ) ) != 0 )
  5094. {
  5095. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation", ret );
  5096. return( ret );
  5097. }
  5098. }
  5099. else
  5100. {
  5101. if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
  5102. {
  5103. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
  5104. return( ret );
  5105. }
  5106. }
  5107. #endif /* MBEDTLS_SSL_CLI_C */
  5108. return( ret );
  5109. }
  5110. #endif /* MBEDTLS_SSL_RENEGOTIATION */
  5111. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  5112. static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
  5113. {
  5114. mbedtls_ssl_key_cert *cur = key_cert, *next;
  5115. while( cur != NULL )
  5116. {
  5117. next = cur->next;
  5118. mbedtls_free( cur );
  5119. cur = next;
  5120. }
  5121. }
  5122. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  5123. void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
  5124. {
  5125. mbedtls_ssl_handshake_params *handshake = ssl->handshake;
  5126. if( handshake == NULL )
  5127. return;
  5128. #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
  5129. if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
  5130. {
  5131. ssl->conf->f_async_cancel( ssl );
  5132. handshake->async_in_progress = 0;
  5133. }
  5134. #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
  5135. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
  5136. defined(MBEDTLS_SSL_PROTO_TLS1_1)
  5137. mbedtls_md5_free( &handshake->fin_md5 );
  5138. mbedtls_sha1_free( &handshake->fin_sha1 );
  5139. #endif
  5140. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  5141. #if defined(MBEDTLS_SHA256_C)
  5142. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  5143. psa_hash_abort( &handshake->fin_sha256_psa );
  5144. #else
  5145. mbedtls_sha256_free( &handshake->fin_sha256 );
  5146. #endif
  5147. #endif
  5148. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  5149. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  5150. psa_hash_abort( &handshake->fin_sha384_psa );
  5151. #else
  5152. mbedtls_sha512_free( &handshake->fin_sha512 );
  5153. #endif
  5154. #endif
  5155. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  5156. #if defined(MBEDTLS_DHM_C)
  5157. mbedtls_dhm_free( &handshake->dhm_ctx );
  5158. #endif
  5159. #if defined(MBEDTLS_ECDH_C)
  5160. mbedtls_ecdh_free( &handshake->ecdh_ctx );
  5161. #endif
  5162. #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  5163. mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
  5164. #if defined(MBEDTLS_SSL_CLI_C)
  5165. mbedtls_free( handshake->ecjpake_cache );
  5166. handshake->ecjpake_cache = NULL;
  5167. handshake->ecjpake_cache_len = 0;
  5168. #endif
  5169. #endif
  5170. #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
  5171. defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
  5172. /* explicit void pointer cast for buggy MS compiler */
  5173. mbedtls_free( (void *) handshake->curves );
  5174. #endif
  5175. #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
  5176. if( handshake->psk != NULL )
  5177. {
  5178. mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
  5179. mbedtls_free( handshake->psk );
  5180. }
  5181. #endif
  5182. #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
  5183. defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
  5184. /*
  5185. * Free only the linked list wrapper, not the keys themselves
  5186. * since the belong to the SNI callback
  5187. */
  5188. if( handshake->sni_key_cert != NULL )
  5189. {
  5190. mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
  5191. while( cur != NULL )
  5192. {
  5193. next = cur->next;
  5194. mbedtls_free( cur );
  5195. cur = next;
  5196. }
  5197. }
  5198. #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
  5199. #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
  5200. mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
  5201. if( handshake->ecrs_peer_cert != NULL )
  5202. {
  5203. mbedtls_x509_crt_free( handshake->ecrs_peer_cert );
  5204. mbedtls_free( handshake->ecrs_peer_cert );
  5205. }
  5206. #endif
  5207. #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
  5208. !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
  5209. mbedtls_pk_free( &handshake->peer_pubkey );
  5210. #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
  5211. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  5212. mbedtls_free( handshake->verify_cookie );
  5213. mbedtls_ssl_flight_free( handshake->flight );
  5214. mbedtls_ssl_buffering_free( ssl );
  5215. #endif
  5216. #if defined(MBEDTLS_ECDH_C) && \
  5217. defined(MBEDTLS_USE_PSA_CRYPTO)
  5218. psa_destroy_key( handshake->ecdh_psa_privkey );
  5219. #endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */
  5220. mbedtls_platform_zeroize( handshake,
  5221. sizeof( mbedtls_ssl_handshake_params ) );
  5222. #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
  5223. /* If the buffers are too big - reallocate. Because of the way Mbed TLS
  5224. * processes datagrams and the fact that a datagram is allowed to have
  5225. * several records in it, it is possible that the I/O buffers are not
  5226. * empty at this stage */
  5227. handle_buffer_resizing( ssl, 1, mbedtls_ssl_get_input_buflen( ssl ),
  5228. mbedtls_ssl_get_output_buflen( ssl ) );
  5229. #endif
  5230. }
  5231. void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
  5232. {
  5233. if( session == NULL )
  5234. return;
  5235. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  5236. ssl_clear_peer_cert( session );
  5237. #endif
  5238. #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
  5239. mbedtls_free( session->ticket );
  5240. #endif
  5241. mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
  5242. }
  5243. #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
  5244. #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
  5245. #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
  5246. #else
  5247. #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
  5248. #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
  5249. #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
  5250. #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
  5251. #else
  5252. #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 0u
  5253. #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
  5254. #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
  5255. #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
  5256. #else
  5257. #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
  5258. #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
  5259. #if defined(MBEDTLS_SSL_ALPN)
  5260. #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
  5261. #else
  5262. #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
  5263. #endif /* MBEDTLS_SSL_ALPN */
  5264. #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
  5265. #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
  5266. #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
  5267. #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
  5268. #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
  5269. ( (uint32_t) ( \
  5270. ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT ) | \
  5271. ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT ) | \
  5272. ( SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT ) | \
  5273. ( SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT ) | \
  5274. 0u ) )
  5275. static unsigned char ssl_serialized_context_header[] = {
  5276. MBEDTLS_VERSION_MAJOR,
  5277. MBEDTLS_VERSION_MINOR,
  5278. MBEDTLS_VERSION_PATCH,
  5279. MBEDTLS_BYTE_1( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
  5280. MBEDTLS_BYTE_0( SSL_SERIALIZED_SESSION_CONFIG_BITFLAG ),
  5281. MBEDTLS_BYTE_2( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
  5282. MBEDTLS_BYTE_1( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
  5283. MBEDTLS_BYTE_0( SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG ),
  5284. };
  5285. /*
  5286. * Serialize a full SSL context
  5287. *
  5288. * The format of the serialized data is:
  5289. * (in the presentation language of TLS, RFC 8446 section 3)
  5290. *
  5291. * // header
  5292. * opaque mbedtls_version[3]; // major, minor, patch
  5293. * opaque context_format[5]; // version-specific field determining
  5294. * // the format of the remaining
  5295. * // serialized data.
  5296. * Note: When updating the format, remember to keep these
  5297. * version+format bytes. (We may make their size part of the API.)
  5298. *
  5299. * // session sub-structure
  5300. * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
  5301. * // transform sub-structure
  5302. * uint8 random[64]; // ServerHello.random+ClientHello.random
  5303. * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
  5304. * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
  5305. * // fields from ssl_context
  5306. * uint32 badmac_seen; // DTLS: number of records with failing MAC
  5307. * uint64 in_window_top; // DTLS: last validated record seq_num
  5308. * uint64 in_window; // DTLS: bitmask for replay protection
  5309. * uint8 disable_datagram_packing; // DTLS: only one record per datagram
  5310. * uint64 cur_out_ctr; // Record layer: outgoing sequence number
  5311. * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
  5312. * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
  5313. *
  5314. * Note that many fields of the ssl_context or sub-structures are not
  5315. * serialized, as they fall in one of the following categories:
  5316. *
  5317. * 1. forced value (eg in_left must be 0)
  5318. * 2. pointer to dynamically-allocated memory (eg session, transform)
  5319. * 3. value can be re-derived from other data (eg session keys from MS)
  5320. * 4. value was temporary (eg content of input buffer)
  5321. * 5. value will be provided by the user again (eg I/O callbacks and context)
  5322. */
  5323. int mbedtls_ssl_context_save( mbedtls_ssl_context *ssl,
  5324. unsigned char *buf,
  5325. size_t buf_len,
  5326. size_t *olen )
  5327. {
  5328. unsigned char *p = buf;
  5329. size_t used = 0;
  5330. size_t session_len;
  5331. int ret = 0;
  5332. /*
  5333. * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
  5334. * this function's documentation.
  5335. *
  5336. * These are due to assumptions/limitations in the implementation. Some of
  5337. * them are likely to stay (no handshake in progress) some might go away
  5338. * (only DTLS) but are currently used to simplify the implementation.
  5339. */
  5340. /* The initial handshake must be over */
  5341. if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
  5342. {
  5343. MBEDTLS_SSL_DEBUG_MSG( 1, ( "Initial handshake isn't over" ) );
  5344. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5345. }
  5346. if( ssl->handshake != NULL )
  5347. {
  5348. MBEDTLS_SSL_DEBUG_MSG( 1, ( "Handshake isn't completed" ) );
  5349. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5350. }
  5351. /* Double-check that sub-structures are indeed ready */
  5352. if( ssl->transform == NULL || ssl->session == NULL )
  5353. {
  5354. MBEDTLS_SSL_DEBUG_MSG( 1, ( "Serialised structures aren't ready" ) );
  5355. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5356. }
  5357. /* There must be no pending incoming or outgoing data */
  5358. if( mbedtls_ssl_check_pending( ssl ) != 0 )
  5359. {
  5360. MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending incoming data" ) );
  5361. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5362. }
  5363. if( ssl->out_left != 0 )
  5364. {
  5365. MBEDTLS_SSL_DEBUG_MSG( 1, ( "There is pending outgoing data" ) );
  5366. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5367. }
  5368. /* Protocol must be DLTS, not TLS */
  5369. if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  5370. {
  5371. MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only DTLS is supported" ) );
  5372. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5373. }
  5374. /* Version must be 1.2 */
  5375. if( ssl->major_ver != MBEDTLS_SSL_MAJOR_VERSION_3 )
  5376. {
  5377. MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
  5378. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5379. }
  5380. if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
  5381. {
  5382. MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only version 1.2 supported" ) );
  5383. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5384. }
  5385. /* We must be using an AEAD ciphersuite */
  5386. if( mbedtls_ssl_transform_uses_aead( ssl->transform ) != 1 )
  5387. {
  5388. MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only AEAD ciphersuites supported" ) );
  5389. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5390. }
  5391. /* Renegotiation must not be enabled */
  5392. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  5393. if( ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED )
  5394. {
  5395. MBEDTLS_SSL_DEBUG_MSG( 1, ( "Renegotiation must not be enabled" ) );
  5396. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5397. }
  5398. #endif
  5399. /*
  5400. * Version and format identifier
  5401. */
  5402. used += sizeof( ssl_serialized_context_header );
  5403. if( used <= buf_len )
  5404. {
  5405. memcpy( p, ssl_serialized_context_header,
  5406. sizeof( ssl_serialized_context_header ) );
  5407. p += sizeof( ssl_serialized_context_header );
  5408. }
  5409. /*
  5410. * Session (length + data)
  5411. */
  5412. ret = ssl_session_save( ssl->session, 1, NULL, 0, &session_len );
  5413. if( ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL )
  5414. return( ret );
  5415. used += 4 + session_len;
  5416. if( used <= buf_len )
  5417. {
  5418. MBEDTLS_PUT_UINT32_BE( session_len, p, 0 );
  5419. p += 4;
  5420. ret = ssl_session_save( ssl->session, 1,
  5421. p, session_len, &session_len );
  5422. if( ret != 0 )
  5423. return( ret );
  5424. p += session_len;
  5425. }
  5426. /*
  5427. * Transform
  5428. */
  5429. used += sizeof( ssl->transform->randbytes );
  5430. if( used <= buf_len )
  5431. {
  5432. memcpy( p, ssl->transform->randbytes,
  5433. sizeof( ssl->transform->randbytes ) );
  5434. p += sizeof( ssl->transform->randbytes );
  5435. }
  5436. #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
  5437. used += 2 + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
  5438. if( used <= buf_len )
  5439. {
  5440. *p++ = ssl->transform->in_cid_len;
  5441. memcpy( p, ssl->transform->in_cid, ssl->transform->in_cid_len );
  5442. p += ssl->transform->in_cid_len;
  5443. *p++ = ssl->transform->out_cid_len;
  5444. memcpy( p, ssl->transform->out_cid, ssl->transform->out_cid_len );
  5445. p += ssl->transform->out_cid_len;
  5446. }
  5447. #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
  5448. /*
  5449. * Saved fields from top-level ssl_context structure
  5450. */
  5451. #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
  5452. used += 4;
  5453. if( used <= buf_len )
  5454. {
  5455. MBEDTLS_PUT_UINT32_BE( ssl->badmac_seen, p, 0 );
  5456. p += 4;
  5457. }
  5458. #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
  5459. #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
  5460. used += 16;
  5461. if( used <= buf_len )
  5462. {
  5463. MBEDTLS_PUT_UINT64_BE( ssl->in_window_top, p, 0 );
  5464. p += 8;
  5465. MBEDTLS_PUT_UINT64_BE( ssl->in_window, p, 0 );
  5466. p += 8;
  5467. }
  5468. #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
  5469. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  5470. used += 1;
  5471. if( used <= buf_len )
  5472. {
  5473. *p++ = ssl->disable_datagram_packing;
  5474. }
  5475. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  5476. used += 8;
  5477. if( used <= buf_len )
  5478. {
  5479. memcpy( p, ssl->cur_out_ctr, 8 );
  5480. p += 8;
  5481. }
  5482. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  5483. used += 2;
  5484. if( used <= buf_len )
  5485. {
  5486. MBEDTLS_PUT_UINT16_BE( ssl->mtu, p, 0 );
  5487. p += 2;
  5488. }
  5489. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  5490. #if defined(MBEDTLS_SSL_ALPN)
  5491. {
  5492. const uint8_t alpn_len = ssl->alpn_chosen
  5493. ? (uint8_t) strlen( ssl->alpn_chosen )
  5494. : 0;
  5495. used += 1 + alpn_len;
  5496. if( used <= buf_len )
  5497. {
  5498. *p++ = alpn_len;
  5499. if( ssl->alpn_chosen != NULL )
  5500. {
  5501. memcpy( p, ssl->alpn_chosen, alpn_len );
  5502. p += alpn_len;
  5503. }
  5504. }
  5505. }
  5506. #endif /* MBEDTLS_SSL_ALPN */
  5507. /*
  5508. * Done
  5509. */
  5510. *olen = used;
  5511. if( used > buf_len )
  5512. return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
  5513. MBEDTLS_SSL_DEBUG_BUF( 4, "saved context", buf, used );
  5514. return( mbedtls_ssl_session_reset_int( ssl, 0 ) );
  5515. }
  5516. /*
  5517. * Helper to get TLS 1.2 PRF from ciphersuite
  5518. * (Duplicates bits of logic from ssl_set_handshake_prfs().)
  5519. */
  5520. typedef int (*tls_prf_fn)( const unsigned char *secret, size_t slen,
  5521. const char *label,
  5522. const unsigned char *random, size_t rlen,
  5523. unsigned char *dstbuf, size_t dlen );
  5524. static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
  5525. {
  5526. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  5527. const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
  5528. mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
  5529. if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
  5530. return( tls_prf_sha384 );
  5531. #else
  5532. (void) ciphersuite_id;
  5533. #endif
  5534. return( tls_prf_sha256 );
  5535. }
  5536. /*
  5537. * Deserialize context, see mbedtls_ssl_context_save() for format.
  5538. *
  5539. * This internal version is wrapped by a public function that cleans up in
  5540. * case of error.
  5541. */
  5542. static int ssl_context_load( mbedtls_ssl_context *ssl,
  5543. const unsigned char *buf,
  5544. size_t len )
  5545. {
  5546. const unsigned char *p = buf;
  5547. const unsigned char * const end = buf + len;
  5548. size_t session_len;
  5549. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  5550. /*
  5551. * The context should have been freshly setup or reset.
  5552. * Give the user an error in case of obvious misuse.
  5553. * (Checking session is useful because it won't be NULL if we're
  5554. * renegotiating, or if the user mistakenly loaded a session first.)
  5555. */
  5556. if( ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
  5557. ssl->session != NULL )
  5558. {
  5559. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5560. }
  5561. /*
  5562. * We can't check that the config matches the initial one, but we can at
  5563. * least check it matches the requirements for serializing.
  5564. */
  5565. if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
  5566. ssl->conf->max_major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
  5567. ssl->conf->min_major_ver > MBEDTLS_SSL_MAJOR_VERSION_3 ||
  5568. ssl->conf->max_minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 ||
  5569. ssl->conf->min_minor_ver > MBEDTLS_SSL_MINOR_VERSION_3 ||
  5570. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  5571. ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
  5572. #endif
  5573. 0 )
  5574. {
  5575. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5576. }
  5577. MBEDTLS_SSL_DEBUG_BUF( 4, "context to load", buf, len );
  5578. /*
  5579. * Check version identifier
  5580. */
  5581. if( (size_t)( end - p ) < sizeof( ssl_serialized_context_header ) )
  5582. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5583. if( memcmp( p, ssl_serialized_context_header,
  5584. sizeof( ssl_serialized_context_header ) ) != 0 )
  5585. {
  5586. return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
  5587. }
  5588. p += sizeof( ssl_serialized_context_header );
  5589. /*
  5590. * Session
  5591. */
  5592. if( (size_t)( end - p ) < 4 )
  5593. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5594. session_len = ( (size_t) p[0] << 24 ) |
  5595. ( (size_t) p[1] << 16 ) |
  5596. ( (size_t) p[2] << 8 ) |
  5597. ( (size_t) p[3] );
  5598. p += 4;
  5599. /* This has been allocated by ssl_handshake_init(), called by
  5600. * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
  5601. ssl->session = ssl->session_negotiate;
  5602. ssl->session_in = ssl->session;
  5603. ssl->session_out = ssl->session;
  5604. ssl->session_negotiate = NULL;
  5605. if( (size_t)( end - p ) < session_len )
  5606. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5607. ret = ssl_session_load( ssl->session, 1, p, session_len );
  5608. if( ret != 0 )
  5609. {
  5610. mbedtls_ssl_session_free( ssl->session );
  5611. return( ret );
  5612. }
  5613. p += session_len;
  5614. /*
  5615. * Transform
  5616. */
  5617. /* This has been allocated by ssl_handshake_init(), called by
  5618. * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
  5619. ssl->transform = ssl->transform_negotiate;
  5620. ssl->transform_in = ssl->transform;
  5621. ssl->transform_out = ssl->transform;
  5622. ssl->transform_negotiate = NULL;
  5623. /* Read random bytes and populate structure */
  5624. if( (size_t)( end - p ) < sizeof( ssl->transform->randbytes ) )
  5625. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5626. ret = ssl_populate_transform( ssl->transform,
  5627. ssl->session->ciphersuite,
  5628. ssl->session->master,
  5629. #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
  5630. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  5631. ssl->session->encrypt_then_mac,
  5632. #endif
  5633. #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
  5634. ssl->session->trunc_hmac,
  5635. #endif
  5636. #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
  5637. #if defined(MBEDTLS_ZLIB_SUPPORT)
  5638. ssl->session->compression,
  5639. #endif
  5640. ssl_tls12prf_from_cs( ssl->session->ciphersuite ),
  5641. p, /* currently pointing to randbytes */
  5642. MBEDTLS_SSL_MINOR_VERSION_3, /* (D)TLS 1.2 is forced */
  5643. ssl->conf->endpoint,
  5644. ssl );
  5645. if( ret != 0 )
  5646. return( ret );
  5647. p += sizeof( ssl->transform->randbytes );
  5648. #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
  5649. /* Read connection IDs and store them */
  5650. if( (size_t)( end - p ) < 1 )
  5651. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5652. ssl->transform->in_cid_len = *p++;
  5653. if( (size_t)( end - p ) < ssl->transform->in_cid_len + 1u )
  5654. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5655. memcpy( ssl->transform->in_cid, p, ssl->transform->in_cid_len );
  5656. p += ssl->transform->in_cid_len;
  5657. ssl->transform->out_cid_len = *p++;
  5658. if( (size_t)( end - p ) < ssl->transform->out_cid_len )
  5659. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5660. memcpy( ssl->transform->out_cid, p, ssl->transform->out_cid_len );
  5661. p += ssl->transform->out_cid_len;
  5662. #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
  5663. /*
  5664. * Saved fields from top-level ssl_context structure
  5665. */
  5666. #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
  5667. if( (size_t)( end - p ) < 4 )
  5668. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5669. ssl->badmac_seen = ( (uint32_t) p[0] << 24 ) |
  5670. ( (uint32_t) p[1] << 16 ) |
  5671. ( (uint32_t) p[2] << 8 ) |
  5672. ( (uint32_t) p[3] );
  5673. p += 4;
  5674. #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
  5675. #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
  5676. if( (size_t)( end - p ) < 16 )
  5677. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5678. ssl->in_window_top = ( (uint64_t) p[0] << 56 ) |
  5679. ( (uint64_t) p[1] << 48 ) |
  5680. ( (uint64_t) p[2] << 40 ) |
  5681. ( (uint64_t) p[3] << 32 ) |
  5682. ( (uint64_t) p[4] << 24 ) |
  5683. ( (uint64_t) p[5] << 16 ) |
  5684. ( (uint64_t) p[6] << 8 ) |
  5685. ( (uint64_t) p[7] );
  5686. p += 8;
  5687. ssl->in_window = ( (uint64_t) p[0] << 56 ) |
  5688. ( (uint64_t) p[1] << 48 ) |
  5689. ( (uint64_t) p[2] << 40 ) |
  5690. ( (uint64_t) p[3] << 32 ) |
  5691. ( (uint64_t) p[4] << 24 ) |
  5692. ( (uint64_t) p[5] << 16 ) |
  5693. ( (uint64_t) p[6] << 8 ) |
  5694. ( (uint64_t) p[7] );
  5695. p += 8;
  5696. #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
  5697. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  5698. if( (size_t)( end - p ) < 1 )
  5699. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5700. ssl->disable_datagram_packing = *p++;
  5701. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  5702. if( (size_t)( end - p ) < 8 )
  5703. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5704. memcpy( ssl->cur_out_ctr, p, 8 );
  5705. p += 8;
  5706. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  5707. if( (size_t)( end - p ) < 2 )
  5708. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5709. ssl->mtu = ( p[0] << 8 ) | p[1];
  5710. p += 2;
  5711. #endif /* MBEDTLS_SSL_PROTO_DTLS */
  5712. #if defined(MBEDTLS_SSL_ALPN)
  5713. {
  5714. uint8_t alpn_len;
  5715. const char **cur;
  5716. if( (size_t)( end - p ) < 1 )
  5717. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5718. alpn_len = *p++;
  5719. if( alpn_len != 0 && ssl->conf->alpn_list != NULL )
  5720. {
  5721. /* alpn_chosen should point to an item in the configured list */
  5722. for( cur = ssl->conf->alpn_list; *cur != NULL; cur++ )
  5723. {
  5724. if( strlen( *cur ) == alpn_len &&
  5725. memcmp( p, cur, alpn_len ) == 0 )
  5726. {
  5727. ssl->alpn_chosen = *cur;
  5728. break;
  5729. }
  5730. }
  5731. }
  5732. /* can only happen on conf mismatch */
  5733. if( alpn_len != 0 && ssl->alpn_chosen == NULL )
  5734. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5735. p += alpn_len;
  5736. }
  5737. #endif /* MBEDTLS_SSL_ALPN */
  5738. /*
  5739. * Forced fields from top-level ssl_context structure
  5740. *
  5741. * Most of them already set to the correct value by mbedtls_ssl_init() and
  5742. * mbedtls_ssl_reset(), so we only need to set the remaining ones.
  5743. */
  5744. ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
  5745. ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
  5746. ssl->minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
  5747. /* Adjust pointers for header fields of outgoing records to
  5748. * the given transform, accounting for explicit IV and CID. */
  5749. mbedtls_ssl_update_out_pointers( ssl, ssl->transform );
  5750. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  5751. ssl->in_epoch = 1;
  5752. #endif
  5753. /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
  5754. * which we don't want - otherwise we'd end up freeing the wrong transform
  5755. * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
  5756. * inappropriately. */
  5757. if( ssl->handshake != NULL )
  5758. {
  5759. mbedtls_ssl_handshake_free( ssl );
  5760. mbedtls_free( ssl->handshake );
  5761. ssl->handshake = NULL;
  5762. }
  5763. /*
  5764. * Done - should have consumed entire buffer
  5765. */
  5766. if( p != end )
  5767. return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
  5768. return( 0 );
  5769. }
  5770. /*
  5771. * Deserialize context: public wrapper for error cleaning
  5772. */
  5773. int mbedtls_ssl_context_load( mbedtls_ssl_context *context,
  5774. const unsigned char *buf,
  5775. size_t len )
  5776. {
  5777. int ret = ssl_context_load( context, buf, len );
  5778. if( ret != 0 )
  5779. mbedtls_ssl_free( context );
  5780. return( ret );
  5781. }
  5782. #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
  5783. /*
  5784. * Free an SSL context
  5785. */
  5786. void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
  5787. {
  5788. if( ssl == NULL )
  5789. return;
  5790. MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
  5791. if( ssl->out_buf != NULL )
  5792. {
  5793. #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
  5794. size_t out_buf_len = ssl->out_buf_len;
  5795. #else
  5796. size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
  5797. #endif
  5798. mbedtls_platform_zeroize( ssl->out_buf, out_buf_len );
  5799. mbedtls_free( ssl->out_buf );
  5800. ssl->out_buf = NULL;
  5801. }
  5802. if( ssl->in_buf != NULL )
  5803. {
  5804. #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
  5805. size_t in_buf_len = ssl->in_buf_len;
  5806. #else
  5807. size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
  5808. #endif
  5809. mbedtls_platform_zeroize( ssl->in_buf, in_buf_len );
  5810. mbedtls_free( ssl->in_buf );
  5811. ssl->in_buf = NULL;
  5812. }
  5813. #if defined(MBEDTLS_ZLIB_SUPPORT)
  5814. if( ssl->compress_buf != NULL )
  5815. {
  5816. mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
  5817. mbedtls_free( ssl->compress_buf );
  5818. }
  5819. #endif
  5820. if( ssl->transform )
  5821. {
  5822. mbedtls_ssl_transform_free( ssl->transform );
  5823. mbedtls_free( ssl->transform );
  5824. }
  5825. if( ssl->handshake )
  5826. {
  5827. mbedtls_ssl_handshake_free( ssl );
  5828. mbedtls_ssl_transform_free( ssl->transform_negotiate );
  5829. mbedtls_ssl_session_free( ssl->session_negotiate );
  5830. mbedtls_free( ssl->handshake );
  5831. mbedtls_free( ssl->transform_negotiate );
  5832. mbedtls_free( ssl->session_negotiate );
  5833. }
  5834. if( ssl->session )
  5835. {
  5836. mbedtls_ssl_session_free( ssl->session );
  5837. mbedtls_free( ssl->session );
  5838. }
  5839. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  5840. if( ssl->hostname != NULL )
  5841. {
  5842. mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
  5843. mbedtls_free( ssl->hostname );
  5844. }
  5845. #endif
  5846. #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
  5847. if( mbedtls_ssl_hw_record_finish != NULL )
  5848. {
  5849. MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
  5850. mbedtls_ssl_hw_record_finish( ssl );
  5851. }
  5852. #endif
  5853. #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
  5854. mbedtls_free( ssl->cli_id );
  5855. #endif
  5856. MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
  5857. /* Actually clear after last debug message */
  5858. mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
  5859. }
  5860. /*
  5861. * Initialze mbedtls_ssl_config
  5862. */
  5863. void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
  5864. {
  5865. memset( conf, 0, sizeof( mbedtls_ssl_config ) );
  5866. }
  5867. #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
  5868. static int ssl_preset_default_hashes[] = {
  5869. #if defined(MBEDTLS_SHA512_C)
  5870. MBEDTLS_MD_SHA512,
  5871. #endif
  5872. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  5873. MBEDTLS_MD_SHA384,
  5874. #endif
  5875. #if defined(MBEDTLS_SHA256_C)
  5876. MBEDTLS_MD_SHA256,
  5877. MBEDTLS_MD_SHA224,
  5878. #endif
  5879. #if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
  5880. MBEDTLS_MD_SHA1,
  5881. #endif
  5882. MBEDTLS_MD_NONE
  5883. };
  5884. #endif
  5885. static int ssl_preset_suiteb_ciphersuites[] = {
  5886. MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
  5887. MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
  5888. 0
  5889. };
  5890. #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
  5891. static int ssl_preset_suiteb_hashes[] = {
  5892. MBEDTLS_MD_SHA256,
  5893. MBEDTLS_MD_SHA384,
  5894. MBEDTLS_MD_NONE
  5895. };
  5896. #endif
  5897. #if defined(MBEDTLS_ECP_C)
  5898. static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
  5899. #if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
  5900. MBEDTLS_ECP_DP_SECP256R1,
  5901. #endif
  5902. #if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
  5903. MBEDTLS_ECP_DP_SECP384R1,
  5904. #endif
  5905. MBEDTLS_ECP_DP_NONE
  5906. };
  5907. #endif
  5908. /*
  5909. * Load default in mbedtls_ssl_config
  5910. */
  5911. int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
  5912. int endpoint, int transport, int preset )
  5913. {
  5914. #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
  5915. int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
  5916. #endif
  5917. /* Use the functions here so that they are covered in tests,
  5918. * but otherwise access member directly for efficiency */
  5919. mbedtls_ssl_conf_endpoint( conf, endpoint );
  5920. mbedtls_ssl_conf_transport( conf, transport );
  5921. /*
  5922. * Things that are common to all presets
  5923. */
  5924. #if defined(MBEDTLS_SSL_CLI_C)
  5925. if( endpoint == MBEDTLS_SSL_IS_CLIENT )
  5926. {
  5927. conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
  5928. #if defined(MBEDTLS_SSL_SESSION_TICKETS)
  5929. conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
  5930. #endif
  5931. }
  5932. #endif
  5933. #if defined(MBEDTLS_ARC4_C)
  5934. conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
  5935. #endif
  5936. #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
  5937. conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
  5938. #endif
  5939. #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
  5940. conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
  5941. #endif
  5942. #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
  5943. conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
  5944. #endif
  5945. #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
  5946. conf->f_cookie_write = ssl_cookie_write_dummy;
  5947. conf->f_cookie_check = ssl_cookie_check_dummy;
  5948. #endif
  5949. #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
  5950. conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
  5951. #endif
  5952. #if defined(MBEDTLS_SSL_SRV_C)
  5953. conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
  5954. #endif
  5955. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  5956. conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
  5957. conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
  5958. #endif
  5959. #if defined(MBEDTLS_SSL_RENEGOTIATION)
  5960. conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
  5961. memset( conf->renego_period, 0x00, 2 );
  5962. memset( conf->renego_period + 2, 0xFF, 6 );
  5963. #endif
  5964. #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
  5965. if( endpoint == MBEDTLS_SSL_IS_SERVER )
  5966. {
  5967. const unsigned char dhm_p[] =
  5968. MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
  5969. const unsigned char dhm_g[] =
  5970. MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
  5971. if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
  5972. dhm_p, sizeof( dhm_p ),
  5973. dhm_g, sizeof( dhm_g ) ) ) != 0 )
  5974. {
  5975. return( ret );
  5976. }
  5977. }
  5978. #endif
  5979. /*
  5980. * Preset-specific defaults
  5981. */
  5982. switch( preset )
  5983. {
  5984. /*
  5985. * NSA Suite B
  5986. */
  5987. case MBEDTLS_SSL_PRESET_SUITEB:
  5988. conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
  5989. conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
  5990. conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
  5991. conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
  5992. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
  5993. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
  5994. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
  5995. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
  5996. ssl_preset_suiteb_ciphersuites;
  5997. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  5998. conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
  5999. #endif
  6000. #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
  6001. conf->sig_hashes = ssl_preset_suiteb_hashes;
  6002. #endif
  6003. #if defined(MBEDTLS_ECP_C)
  6004. conf->curve_list = ssl_preset_suiteb_curves;
  6005. #endif
  6006. break;
  6007. /*
  6008. * Default
  6009. */
  6010. default:
  6011. conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
  6012. MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
  6013. MBEDTLS_SSL_MIN_MAJOR_VERSION :
  6014. MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
  6015. conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
  6016. MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
  6017. MBEDTLS_SSL_MIN_MINOR_VERSION :
  6018. MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
  6019. conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
  6020. conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
  6021. #if defined(MBEDTLS_SSL_PROTO_DTLS)
  6022. if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
  6023. conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
  6024. #endif
  6025. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
  6026. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
  6027. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
  6028. conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
  6029. mbedtls_ssl_list_ciphersuites();
  6030. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  6031. conf->cert_profile = &mbedtls_x509_crt_profile_default;
  6032. #endif
  6033. #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
  6034. conf->sig_hashes = ssl_preset_default_hashes;
  6035. #endif
  6036. #if defined(MBEDTLS_ECP_C)
  6037. conf->curve_list = mbedtls_ecp_grp_id_list();
  6038. #endif
  6039. #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
  6040. conf->dhm_min_bitlen = 1024;
  6041. #endif
  6042. }
  6043. return( 0 );
  6044. }
  6045. /*
  6046. * Free mbedtls_ssl_config
  6047. */
  6048. void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
  6049. {
  6050. #if defined(MBEDTLS_DHM_C)
  6051. mbedtls_mpi_free( &conf->dhm_P );
  6052. mbedtls_mpi_free( &conf->dhm_G );
  6053. #endif
  6054. #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
  6055. if( conf->psk != NULL )
  6056. {
  6057. mbedtls_platform_zeroize( conf->psk, conf->psk_len );
  6058. mbedtls_free( conf->psk );
  6059. conf->psk = NULL;
  6060. conf->psk_len = 0;
  6061. }
  6062. if( conf->psk_identity != NULL )
  6063. {
  6064. mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
  6065. mbedtls_free( conf->psk_identity );
  6066. conf->psk_identity = NULL;
  6067. conf->psk_identity_len = 0;
  6068. }
  6069. #endif
  6070. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  6071. ssl_key_cert_free( conf->key_cert );
  6072. #endif
  6073. mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
  6074. }
  6075. #if defined(MBEDTLS_PK_C) && \
  6076. ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
  6077. /*
  6078. * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
  6079. */
  6080. unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
  6081. {
  6082. #if defined(MBEDTLS_RSA_C)
  6083. if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
  6084. return( MBEDTLS_SSL_SIG_RSA );
  6085. #endif
  6086. #if defined(MBEDTLS_ECDSA_C)
  6087. if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
  6088. return( MBEDTLS_SSL_SIG_ECDSA );
  6089. #endif
  6090. return( MBEDTLS_SSL_SIG_ANON );
  6091. }
  6092. unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
  6093. {
  6094. switch( type ) {
  6095. case MBEDTLS_PK_RSA:
  6096. return( MBEDTLS_SSL_SIG_RSA );
  6097. case MBEDTLS_PK_ECDSA:
  6098. case MBEDTLS_PK_ECKEY:
  6099. return( MBEDTLS_SSL_SIG_ECDSA );
  6100. default:
  6101. return( MBEDTLS_SSL_SIG_ANON );
  6102. }
  6103. }
  6104. mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
  6105. {
  6106. switch( sig )
  6107. {
  6108. #if defined(MBEDTLS_RSA_C)
  6109. case MBEDTLS_SSL_SIG_RSA:
  6110. return( MBEDTLS_PK_RSA );
  6111. #endif
  6112. #if defined(MBEDTLS_ECDSA_C)
  6113. case MBEDTLS_SSL_SIG_ECDSA:
  6114. return( MBEDTLS_PK_ECDSA );
  6115. #endif
  6116. default:
  6117. return( MBEDTLS_PK_NONE );
  6118. }
  6119. }
  6120. #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
  6121. #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
  6122. defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
  6123. /* Find an entry in a signature-hash set matching a given hash algorithm. */
  6124. mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
  6125. mbedtls_pk_type_t sig_alg )
  6126. {
  6127. switch( sig_alg )
  6128. {
  6129. case MBEDTLS_PK_RSA:
  6130. return( set->rsa );
  6131. case MBEDTLS_PK_ECDSA:
  6132. return( set->ecdsa );
  6133. default:
  6134. return( MBEDTLS_MD_NONE );
  6135. }
  6136. }
  6137. /* Add a signature-hash-pair to a signature-hash set */
  6138. void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
  6139. mbedtls_pk_type_t sig_alg,
  6140. mbedtls_md_type_t md_alg )
  6141. {
  6142. switch( sig_alg )
  6143. {
  6144. case MBEDTLS_PK_RSA:
  6145. if( set->rsa == MBEDTLS_MD_NONE )
  6146. set->rsa = md_alg;
  6147. break;
  6148. case MBEDTLS_PK_ECDSA:
  6149. if( set->ecdsa == MBEDTLS_MD_NONE )
  6150. set->ecdsa = md_alg;
  6151. break;
  6152. default:
  6153. break;
  6154. }
  6155. }
  6156. /* Allow exactly one hash algorithm for each signature. */
  6157. void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
  6158. mbedtls_md_type_t md_alg )
  6159. {
  6160. set->rsa = md_alg;
  6161. set->ecdsa = md_alg;
  6162. }
  6163. #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
  6164. MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
  6165. /*
  6166. * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
  6167. */
  6168. mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
  6169. {
  6170. switch( hash )
  6171. {
  6172. #if defined(MBEDTLS_MD5_C)
  6173. case MBEDTLS_SSL_HASH_MD5:
  6174. return( MBEDTLS_MD_MD5 );
  6175. #endif
  6176. #if defined(MBEDTLS_SHA1_C)
  6177. case MBEDTLS_SSL_HASH_SHA1:
  6178. return( MBEDTLS_MD_SHA1 );
  6179. #endif
  6180. #if defined(MBEDTLS_SHA256_C)
  6181. case MBEDTLS_SSL_HASH_SHA224:
  6182. return( MBEDTLS_MD_SHA224 );
  6183. case MBEDTLS_SSL_HASH_SHA256:
  6184. return( MBEDTLS_MD_SHA256 );
  6185. #endif
  6186. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  6187. case MBEDTLS_SSL_HASH_SHA384:
  6188. return( MBEDTLS_MD_SHA384 );
  6189. #endif
  6190. #if defined(MBEDTLS_SHA512_C)
  6191. case MBEDTLS_SSL_HASH_SHA512:
  6192. return( MBEDTLS_MD_SHA512 );
  6193. #endif
  6194. default:
  6195. return( MBEDTLS_MD_NONE );
  6196. }
  6197. }
  6198. /*
  6199. * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
  6200. */
  6201. unsigned char mbedtls_ssl_hash_from_md_alg( int md )
  6202. {
  6203. switch( md )
  6204. {
  6205. #if defined(MBEDTLS_MD5_C)
  6206. case MBEDTLS_MD_MD5:
  6207. return( MBEDTLS_SSL_HASH_MD5 );
  6208. #endif
  6209. #if defined(MBEDTLS_SHA1_C)
  6210. case MBEDTLS_MD_SHA1:
  6211. return( MBEDTLS_SSL_HASH_SHA1 );
  6212. #endif
  6213. #if defined(MBEDTLS_SHA256_C)
  6214. case MBEDTLS_MD_SHA224:
  6215. return( MBEDTLS_SSL_HASH_SHA224 );
  6216. case MBEDTLS_MD_SHA256:
  6217. return( MBEDTLS_SSL_HASH_SHA256 );
  6218. #endif
  6219. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  6220. case MBEDTLS_MD_SHA384:
  6221. return( MBEDTLS_SSL_HASH_SHA384 );
  6222. #endif
  6223. #if defined(MBEDTLS_SHA512_C)
  6224. case MBEDTLS_MD_SHA512:
  6225. return( MBEDTLS_SSL_HASH_SHA512 );
  6226. #endif
  6227. default:
  6228. return( MBEDTLS_SSL_HASH_NONE );
  6229. }
  6230. }
  6231. #if defined(MBEDTLS_ECP_C)
  6232. /*
  6233. * Check if a curve proposed by the peer is in our list.
  6234. * Return 0 if we're willing to use it, -1 otherwise.
  6235. */
  6236. int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
  6237. {
  6238. const mbedtls_ecp_group_id *gid;
  6239. if( ssl->conf->curve_list == NULL )
  6240. return( -1 );
  6241. for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
  6242. if( *gid == grp_id )
  6243. return( 0 );
  6244. return( -1 );
  6245. }
  6246. #endif /* MBEDTLS_ECP_C */
  6247. #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
  6248. /*
  6249. * Check if a hash proposed by the peer is in our list.
  6250. * Return 0 if we're willing to use it, -1 otherwise.
  6251. */
  6252. int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
  6253. mbedtls_md_type_t md )
  6254. {
  6255. const int *cur;
  6256. if( ssl->conf->sig_hashes == NULL )
  6257. return( -1 );
  6258. for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
  6259. if( *cur == (int) md )
  6260. return( 0 );
  6261. return( -1 );
  6262. }
  6263. #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
  6264. #if defined(MBEDTLS_X509_CRT_PARSE_C)
  6265. int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
  6266. const mbedtls_ssl_ciphersuite_t *ciphersuite,
  6267. int cert_endpoint,
  6268. uint32_t *flags )
  6269. {
  6270. int ret = 0;
  6271. #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
  6272. int usage = 0;
  6273. #endif
  6274. #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
  6275. const char *ext_oid;
  6276. size_t ext_len;
  6277. #endif
  6278. #if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
  6279. !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
  6280. ((void) cert);
  6281. ((void) cert_endpoint);
  6282. ((void) flags);
  6283. #endif
  6284. #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
  6285. if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
  6286. {
  6287. /* Server part of the key exchange */
  6288. switch( ciphersuite->key_exchange )
  6289. {
  6290. case MBEDTLS_KEY_EXCHANGE_RSA:
  6291. case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
  6292. usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
  6293. break;
  6294. case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
  6295. case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
  6296. case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
  6297. usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
  6298. break;
  6299. case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
  6300. case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
  6301. usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
  6302. break;
  6303. /* Don't use default: we want warnings when adding new values */
  6304. case MBEDTLS_KEY_EXCHANGE_NONE:
  6305. case MBEDTLS_KEY_EXCHANGE_PSK:
  6306. case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
  6307. case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
  6308. case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
  6309. usage = 0;
  6310. }
  6311. }
  6312. else
  6313. {
  6314. /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
  6315. usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
  6316. }
  6317. if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
  6318. {
  6319. *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
  6320. ret = -1;
  6321. }
  6322. #else
  6323. ((void) ciphersuite);
  6324. #endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
  6325. #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
  6326. if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
  6327. {
  6328. ext_oid = MBEDTLS_OID_SERVER_AUTH;
  6329. ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
  6330. }
  6331. else
  6332. {
  6333. ext_oid = MBEDTLS_OID_CLIENT_AUTH;
  6334. ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
  6335. }
  6336. if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
  6337. {
  6338. *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
  6339. ret = -1;
  6340. }
  6341. #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
  6342. return( ret );
  6343. }
  6344. #endif /* MBEDTLS_X509_CRT_PARSE_C */
  6345. int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
  6346. {
  6347. #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
  6348. if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
  6349. return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
  6350. switch( md )
  6351. {
  6352. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
  6353. #if defined(MBEDTLS_MD5_C)
  6354. case MBEDTLS_SSL_HASH_MD5:
  6355. return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
  6356. #endif
  6357. #if defined(MBEDTLS_SHA1_C)
  6358. case MBEDTLS_SSL_HASH_SHA1:
  6359. ssl->handshake->calc_verify = ssl_calc_verify_tls;
  6360. break;
  6361. #endif
  6362. #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
  6363. #if defined(MBEDTLS_SHA512_C) && !defined(MBEDTLS_SHA512_NO_SHA384)
  6364. case MBEDTLS_SSL_HASH_SHA384:
  6365. ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
  6366. break;
  6367. #endif
  6368. #if defined(MBEDTLS_SHA256_C)
  6369. case MBEDTLS_SSL_HASH_SHA256:
  6370. ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
  6371. break;
  6372. #endif
  6373. default:
  6374. return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
  6375. }
  6376. return 0;
  6377. #else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
  6378. (void) ssl;
  6379. (void) md;
  6380. return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
  6381. #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
  6382. }
  6383. #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
  6384. defined(MBEDTLS_SSL_PROTO_TLS1_1)
  6385. int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
  6386. unsigned char *output,
  6387. unsigned char *data, size_t data_len )
  6388. {
  6389. int ret = 0;
  6390. mbedtls_md5_context mbedtls_md5;
  6391. mbedtls_sha1_context mbedtls_sha1;
  6392. mbedtls_md5_init( &mbedtls_md5 );
  6393. mbedtls_sha1_init( &mbedtls_sha1 );
  6394. /*
  6395. * digitally-signed struct {
  6396. * opaque md5_hash[16];
  6397. * opaque sha_hash[20];
  6398. * };
  6399. *
  6400. * md5_hash
  6401. * MD5(ClientHello.random + ServerHello.random
  6402. * + ServerParams);
  6403. * sha_hash
  6404. * SHA(ClientHello.random + ServerHello.random
  6405. * + ServerParams);
  6406. */
  6407. if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
  6408. {
  6409. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
  6410. goto exit;
  6411. }
  6412. if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
  6413. ssl->handshake->randbytes, 64 ) ) != 0 )
  6414. {
  6415. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
  6416. goto exit;
  6417. }
  6418. if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
  6419. {
  6420. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
  6421. goto exit;
  6422. }
  6423. if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
  6424. {
  6425. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
  6426. goto exit;
  6427. }
  6428. if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
  6429. {
  6430. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
  6431. goto exit;
  6432. }
  6433. if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
  6434. ssl->handshake->randbytes, 64 ) ) != 0 )
  6435. {
  6436. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
  6437. goto exit;
  6438. }
  6439. if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
  6440. data_len ) ) != 0 )
  6441. {
  6442. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
  6443. goto exit;
  6444. }
  6445. if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
  6446. output + 16 ) ) != 0 )
  6447. {
  6448. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
  6449. goto exit;
  6450. }
  6451. exit:
  6452. mbedtls_md5_free( &mbedtls_md5 );
  6453. mbedtls_sha1_free( &mbedtls_sha1 );
  6454. if( ret != 0 )
  6455. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  6456. MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
  6457. return( ret );
  6458. }
  6459. #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
  6460. MBEDTLS_SSL_PROTO_TLS1_1 */
  6461. #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
  6462. defined(MBEDTLS_SSL_PROTO_TLS1_2)
  6463. #if defined(MBEDTLS_USE_PSA_CRYPTO)
  6464. int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
  6465. unsigned char *hash, size_t *hashlen,
  6466. unsigned char *data, size_t data_len,
  6467. mbedtls_md_type_t md_alg )
  6468. {
  6469. psa_status_t status;
  6470. psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
  6471. psa_algorithm_t hash_alg = mbedtls_psa_translate_md( md_alg );
  6472. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform PSA-based computation of digest of ServerKeyExchange" ) );
  6473. if( ( status = psa_hash_setup( &hash_operation,
  6474. hash_alg ) ) != PSA_SUCCESS )
  6475. {
  6476. MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_setup", status );
  6477. goto exit;
  6478. }
  6479. if( ( status = psa_hash_update( &hash_operation, ssl->handshake->randbytes,
  6480. 64 ) ) != PSA_SUCCESS )
  6481. {
  6482. MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
  6483. goto exit;
  6484. }
  6485. if( ( status = psa_hash_update( &hash_operation,
  6486. data, data_len ) ) != PSA_SUCCESS )
  6487. {
  6488. MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );
  6489. goto exit;
  6490. }
  6491. if( ( status = psa_hash_finish( &hash_operation, hash, PSA_HASH_MAX_SIZE,
  6492. hashlen ) ) != PSA_SUCCESS )
  6493. {
  6494. MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status );
  6495. goto exit;
  6496. }
  6497. exit:
  6498. if( status != PSA_SUCCESS )
  6499. {
  6500. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  6501. MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
  6502. switch( status )
  6503. {
  6504. case PSA_ERROR_NOT_SUPPORTED:
  6505. return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );
  6506. case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
  6507. case PSA_ERROR_BUFFER_TOO_SMALL:
  6508. return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );
  6509. case PSA_ERROR_INSUFFICIENT_MEMORY:
  6510. return( MBEDTLS_ERR_MD_ALLOC_FAILED );
  6511. default:
  6512. return( MBEDTLS_ERR_MD_HW_ACCEL_FAILED );
  6513. }
  6514. }
  6515. return( 0 );
  6516. }
  6517. #else
  6518. int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
  6519. unsigned char *hash, size_t *hashlen,
  6520. unsigned char *data, size_t data_len,
  6521. mbedtls_md_type_t md_alg )
  6522. {
  6523. int ret = 0;
  6524. mbedtls_md_context_t ctx;
  6525. const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
  6526. *hashlen = mbedtls_md_get_size( md_info );
  6527. MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform mbedtls-based computation of digest of ServerKeyExchange" ) );
  6528. mbedtls_md_init( &ctx );
  6529. /*
  6530. * digitally-signed struct {
  6531. * opaque client_random[32];
  6532. * opaque server_random[32];
  6533. * ServerDHParams params;
  6534. * };
  6535. */
  6536. if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
  6537. {
  6538. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
  6539. goto exit;
  6540. }
  6541. if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
  6542. {
  6543. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
  6544. goto exit;
  6545. }
  6546. if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
  6547. {
  6548. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
  6549. goto exit;
  6550. }
  6551. if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
  6552. {
  6553. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
  6554. goto exit;
  6555. }
  6556. if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
  6557. {
  6558. MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
  6559. goto exit;
  6560. }
  6561. exit:
  6562. mbedtls_md_free( &ctx );
  6563. if( ret != 0 )
  6564. mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
  6565. MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
  6566. return( ret );
  6567. }
  6568. #endif /* MBEDTLS_USE_PSA_CRYPTO */
  6569. #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
  6570. MBEDTLS_SSL_PROTO_TLS1_2 */
  6571. #endif /* MBEDTLS_SSL_TLS_C */