1/* 2 * TLS shared functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7/* 8 * http://www.ietf.org/rfc/rfc2246.txt 9 * http://www.ietf.org/rfc/rfc4346.txt 10 */ 11 12#include "common.h" 13 14#if defined(MBEDTLS_SSL_TLS_C) 15 16#include "mbedtls/platform.h" 17 18#include "mbedtls/ssl.h" 19#include "ssl_client.h" 20#include "ssl_debug_helpers.h" 21#include "ssl_misc.h" 22 23#include "debug_internal.h" 24#include "mbedtls/error.h" 25#include "mbedtls/platform_util.h" 26#include "mbedtls/version.h" 27#include "mbedtls/constant_time.h" 28 29#include <string.h> 30 31#if defined(MBEDTLS_USE_PSA_CRYPTO) 32#include "mbedtls/psa_util.h" 33#include "md_psa.h" 34#include "psa_util_internal.h" 35#include "psa/crypto.h" 36#endif 37 38#if defined(MBEDTLS_X509_CRT_PARSE_C) 39#include "mbedtls/oid.h" 40#endif 41 42#if defined(MBEDTLS_USE_PSA_CRYPTO) 43/* Define local translating functions to save code size by not using too many 44 * arguments in each translating place. */ 45static int local_err_translation(psa_status_t status) 46{ 47 return psa_status_to_mbedtls(status, psa_to_ssl_errors, 48 ARRAY_LENGTH(psa_to_ssl_errors), 49 psa_generic_status_to_mbedtls); 50} 51#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) 52#endif 53 54#if defined(MBEDTLS_TEST_HOOKS) 55static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args; 56 57void mbedtls_ssl_set_chk_buf_ptr_fail_args( 58 const uint8_t *cur, const uint8_t *end, size_t need) 59{ 60 chk_buf_ptr_fail_args.cur = cur; 61 chk_buf_ptr_fail_args.end = end; 62 chk_buf_ptr_fail_args.need = need; 63} 64 65void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void) 66{ 67 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args)); 68} 69 70int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args) 71{ 72 return (chk_buf_ptr_fail_args.cur != args->cur) || 73 (chk_buf_ptr_fail_args.end != args->end) || 74 (chk_buf_ptr_fail_args.need != args->need); 75} 76#endif /* MBEDTLS_TEST_HOOKS */ 77 78#if defined(MBEDTLS_SSL_PROTO_DTLS) 79 80#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 81/* Top-level Connection ID API */ 82 83int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, 84 size_t len, 85 int ignore_other_cid) 86{ 87 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) { 88 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 89 } 90 91 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL && 92 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) { 93 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 94 } 95 96 conf->ignore_unexpected_cid = ignore_other_cid; 97 conf->cid_len = len; 98 return 0; 99} 100 101int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl, 102 int enable, 103 unsigned char const *own_cid, 104 size_t own_cid_len) 105{ 106 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 107 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 108 } 109 110 ssl->negotiate_cid = enable; 111 if (enable == MBEDTLS_SSL_CID_DISABLED) { 112 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension.")); 113 return 0; 114 } 115 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension.")); 116 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len); 117 118 if (own_cid_len != ssl->conf->cid_len) { 119 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config", 120 (unsigned) own_cid_len, 121 (unsigned) ssl->conf->cid_len)); 122 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 123 } 124 125 memcpy(ssl->own_cid, own_cid, own_cid_len); 126 /* Truncation is not an issue here because 127 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */ 128 ssl->own_cid_len = (uint8_t) own_cid_len; 129 130 return 0; 131} 132 133int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl, 134 int *enabled, 135 unsigned char own_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX], 136 size_t *own_cid_len) 137{ 138 *enabled = MBEDTLS_SSL_CID_DISABLED; 139 140 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 141 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 142 } 143 144 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is 145 * zero as this is indistinguishable from not requesting to use 146 * the CID extension. */ 147 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { 148 return 0; 149 } 150 151 if (own_cid_len != NULL) { 152 *own_cid_len = ssl->own_cid_len; 153 if (own_cid != NULL) { 154 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len); 155 } 156 } 157 158 *enabled = MBEDTLS_SSL_CID_ENABLED; 159 160 return 0; 161} 162 163int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl, 164 int *enabled, 165 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX], 166 size_t *peer_cid_len) 167{ 168 *enabled = MBEDTLS_SSL_CID_DISABLED; 169 170 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 171 mbedtls_ssl_is_handshake_over(ssl) == 0) { 172 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 173 } 174 175 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions 176 * were used, but client and server requested the empty CID. 177 * This is indistinguishable from not using the CID extension 178 * in the first place. */ 179 if (ssl->transform_in->in_cid_len == 0 && 180 ssl->transform_in->out_cid_len == 0) { 181 return 0; 182 } 183 184 if (peer_cid_len != NULL) { 185 *peer_cid_len = ssl->transform_in->out_cid_len; 186 if (peer_cid != NULL) { 187 memcpy(peer_cid, ssl->transform_in->out_cid, 188 ssl->transform_in->out_cid_len); 189 } 190 } 191 192 *enabled = MBEDTLS_SSL_CID_ENABLED; 193 194 return 0; 195} 196#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 197 198#endif /* MBEDTLS_SSL_PROTO_DTLS */ 199 200#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 201/* 202 * Convert max_fragment_length codes to length. 203 * RFC 6066 says: 204 * enum{ 205 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) 206 * } MaxFragmentLength; 207 * and we add 0 -> extension unused 208 */ 209static unsigned int ssl_mfl_code_to_length(int mfl) 210{ 211 switch (mfl) { 212 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE: 213 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN; 214 case MBEDTLS_SSL_MAX_FRAG_LEN_512: 215 return 512; 216 case MBEDTLS_SSL_MAX_FRAG_LEN_1024: 217 return 1024; 218 case MBEDTLS_SSL_MAX_FRAG_LEN_2048: 219 return 2048; 220 case MBEDTLS_SSL_MAX_FRAG_LEN_4096: 221 return 4096; 222 default: 223 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN; 224 } 225} 226#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 227 228int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst, 229 const mbedtls_ssl_session *src) 230{ 231 mbedtls_ssl_session_free(dst); 232 memcpy(dst, src, sizeof(mbedtls_ssl_session)); 233#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 234 dst->ticket = NULL; 235#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 236 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 237 dst->hostname = NULL; 238#endif 239#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 240 241#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \ 242 defined(MBEDTLS_SSL_EARLY_DATA) 243 dst->ticket_alpn = NULL; 244#endif 245 246#if defined(MBEDTLS_X509_CRT_PARSE_C) 247 248#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 249 if (src->peer_cert != NULL) { 250 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 251 252 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 253 if (dst->peer_cert == NULL) { 254 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 255 } 256 257 mbedtls_x509_crt_init(dst->peer_cert); 258 259 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p, 260 src->peer_cert->raw.len)) != 0) { 261 mbedtls_free(dst->peer_cert); 262 dst->peer_cert = NULL; 263 return ret; 264 } 265 } 266#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 267 if (src->peer_cert_digest != NULL) { 268 dst->peer_cert_digest = 269 mbedtls_calloc(1, src->peer_cert_digest_len); 270 if (dst->peer_cert_digest == NULL) { 271 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 272 } 273 274 memcpy(dst->peer_cert_digest, src->peer_cert_digest, 275 src->peer_cert_digest_len); 276 dst->peer_cert_digest_type = src->peer_cert_digest_type; 277 dst->peer_cert_digest_len = src->peer_cert_digest_len; 278 } 279#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 280 281#endif /* MBEDTLS_X509_CRT_PARSE_C */ 282 283#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \ 284 defined(MBEDTLS_SSL_EARLY_DATA) 285 { 286 int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn); 287 if (ret != 0) { 288 return ret; 289 } 290 } 291#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */ 292 293#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 294 if (src->ticket != NULL) { 295 dst->ticket = mbedtls_calloc(1, src->ticket_len); 296 if (dst->ticket == NULL) { 297 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 298 } 299 300 memcpy(dst->ticket, src->ticket, src->ticket_len); 301 } 302 303#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 304 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 305 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) { 306 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 307 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname); 308 if (ret != 0) { 309 return ret; 310 } 311 } 312#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && 313 MBEDTLS_SSL_SERVER_NAME_INDICATION */ 314#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 315 316 return 0; 317} 318 319#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 320MBEDTLS_CHECK_RETURN_CRITICAL 321static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old) 322{ 323 unsigned char *resized_buffer = mbedtls_calloc(1, len_new); 324 if (resized_buffer == NULL) { 325 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 326 } 327 328 /* We want to copy len_new bytes when downsizing the buffer, and 329 * len_old bytes when upsizing, so we choose the smaller of two sizes, 330 * to fit one buffer into another. Size checks, ensuring that no data is 331 * lost, are done outside of this function. */ 332 memcpy(resized_buffer, *buffer, 333 (len_new < *len_old) ? len_new : *len_old); 334 mbedtls_zeroize_and_free(*buffer, *len_old); 335 336 *buffer = resized_buffer; 337 *len_old = len_new; 338 339 return 0; 340} 341 342static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing, 343 size_t in_buf_new_len, 344 size_t out_buf_new_len) 345{ 346 int modified = 0; 347 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0; 348 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0; 349 if (ssl->in_buf != NULL) { 350 written_in = ssl->in_msg - ssl->in_buf; 351 iv_offset_in = ssl->in_iv - ssl->in_buf; 352 len_offset_in = ssl->in_len - ssl->in_buf; 353 if (downsizing ? 354 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len : 355 ssl->in_buf_len < in_buf_new_len) { 356 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) { 357 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory")); 358 } else { 359 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET, 360 in_buf_new_len)); 361 modified = 1; 362 } 363 } 364 } 365 366 if (ssl->out_buf != NULL) { 367 written_out = ssl->out_msg - ssl->out_buf; 368 iv_offset_out = ssl->out_iv - ssl->out_buf; 369 len_offset_out = ssl->out_len - ssl->out_buf; 370 if (downsizing ? 371 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len : 372 ssl->out_buf_len < out_buf_new_len) { 373 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) { 374 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory")); 375 } else { 376 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET, 377 out_buf_new_len)); 378 modified = 1; 379 } 380 } 381 } 382 if (modified) { 383 /* Update pointers here to avoid doing it twice. */ 384 mbedtls_ssl_reset_in_out_pointers(ssl); 385 /* Fields below might not be properly updated with record 386 * splitting or with CID, so they are manually updated here. */ 387 ssl->out_msg = ssl->out_buf + written_out; 388 ssl->out_len = ssl->out_buf + len_offset_out; 389 ssl->out_iv = ssl->out_buf + iv_offset_out; 390 391 ssl->in_msg = ssl->in_buf + written_in; 392 ssl->in_len = ssl->in_buf + len_offset_in; 393 ssl->in_iv = ssl->in_buf + iv_offset_in; 394 } 395} 396#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ 397 398#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 399 400#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 401typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen, 402 const char *label, 403 const unsigned char *random, size_t rlen, 404 unsigned char *dstbuf, size_t dlen); 405 406static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id); 407 408#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 409 410/* Type for the TLS PRF */ 411typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *, 412 const unsigned char *, size_t, 413 unsigned char *, size_t); 414 415MBEDTLS_CHECK_RETURN_CRITICAL 416static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, 417 int ciphersuite, 418 const unsigned char master[48], 419#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 420 int encrypt_then_mac, 421#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 422 ssl_tls_prf_t tls_prf, 423 const unsigned char randbytes[64], 424 mbedtls_ssl_protocol_version tls_version, 425 unsigned endpoint, 426 const mbedtls_ssl_context *ssl); 427 428#if defined(MBEDTLS_MD_CAN_SHA256) 429MBEDTLS_CHECK_RETURN_CRITICAL 430static int tls_prf_sha256(const unsigned char *secret, size_t slen, 431 const char *label, 432 const unsigned char *random, size_t rlen, 433 unsigned char *dstbuf, size_t dlen); 434static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *); 435static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int); 436 437#endif /* MBEDTLS_MD_CAN_SHA256*/ 438 439#if defined(MBEDTLS_MD_CAN_SHA384) 440MBEDTLS_CHECK_RETURN_CRITICAL 441static int tls_prf_sha384(const unsigned char *secret, size_t slen, 442 const char *label, 443 const unsigned char *random, size_t rlen, 444 unsigned char *dstbuf, size_t dlen); 445 446static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *); 447static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int); 448#endif /* MBEDTLS_MD_CAN_SHA384*/ 449 450MBEDTLS_CHECK_RETURN_CRITICAL 451static int ssl_tls12_session_load(mbedtls_ssl_session *session, 452 const unsigned char *buf, 453 size_t len); 454#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 455 456static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t); 457 458#if defined(MBEDTLS_MD_CAN_SHA256) 459static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t); 460#endif /* MBEDTLS_MD_CAN_SHA256*/ 461 462#if defined(MBEDTLS_MD_CAN_SHA384) 463static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t); 464#endif /* MBEDTLS_MD_CAN_SHA384*/ 465 466int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, 467 const unsigned char *secret, size_t slen, 468 const char *label, 469 const unsigned char *random, size_t rlen, 470 unsigned char *dstbuf, size_t dlen) 471{ 472 mbedtls_ssl_tls_prf_cb *tls_prf = NULL; 473 474 switch (prf) { 475#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 476#if defined(MBEDTLS_MD_CAN_SHA384) 477 case MBEDTLS_SSL_TLS_PRF_SHA384: 478 tls_prf = tls_prf_sha384; 479 break; 480#endif /* MBEDTLS_MD_CAN_SHA384*/ 481#if defined(MBEDTLS_MD_CAN_SHA256) 482 case MBEDTLS_SSL_TLS_PRF_SHA256: 483 tls_prf = tls_prf_sha256; 484 break; 485#endif /* MBEDTLS_MD_CAN_SHA256*/ 486#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 487 default: 488 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 489 } 490 491 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen); 492} 493 494#if defined(MBEDTLS_X509_CRT_PARSE_C) 495static void ssl_clear_peer_cert(mbedtls_ssl_session *session) 496{ 497#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 498 if (session->peer_cert != NULL) { 499 mbedtls_x509_crt_free(session->peer_cert); 500 mbedtls_free(session->peer_cert); 501 session->peer_cert = NULL; 502 } 503#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 504 if (session->peer_cert_digest != NULL) { 505 /* Zeroization is not necessary. */ 506 mbedtls_free(session->peer_cert_digest); 507 session->peer_cert_digest = NULL; 508 session->peer_cert_digest_type = MBEDTLS_MD_NONE; 509 session->peer_cert_digest_len = 0; 510 } 511#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 512} 513#endif /* MBEDTLS_X509_CRT_PARSE_C */ 514 515uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type) 516{ 517 switch (extension_type) { 518 case MBEDTLS_TLS_EXT_SERVERNAME: 519 return MBEDTLS_SSL_EXT_ID_SERVERNAME; 520 521 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 522 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH; 523 524 case MBEDTLS_TLS_EXT_STATUS_REQUEST: 525 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST; 526 527 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: 528 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS; 529 530 case MBEDTLS_TLS_EXT_SIG_ALG: 531 return MBEDTLS_SSL_EXT_ID_SIG_ALG; 532 533 case MBEDTLS_TLS_EXT_USE_SRTP: 534 return MBEDTLS_SSL_EXT_ID_USE_SRTP; 535 536 case MBEDTLS_TLS_EXT_HEARTBEAT: 537 return MBEDTLS_SSL_EXT_ID_HEARTBEAT; 538 539 case MBEDTLS_TLS_EXT_ALPN: 540 return MBEDTLS_SSL_EXT_ID_ALPN; 541 542 case MBEDTLS_TLS_EXT_SCT: 543 return MBEDTLS_SSL_EXT_ID_SCT; 544 545 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: 546 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE; 547 548 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: 549 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE; 550 551 case MBEDTLS_TLS_EXT_PADDING: 552 return MBEDTLS_SSL_EXT_ID_PADDING; 553 554 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: 555 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY; 556 557 case MBEDTLS_TLS_EXT_EARLY_DATA: 558 return MBEDTLS_SSL_EXT_ID_EARLY_DATA; 559 560 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: 561 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS; 562 563 case MBEDTLS_TLS_EXT_COOKIE: 564 return MBEDTLS_SSL_EXT_ID_COOKIE; 565 566 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: 567 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES; 568 569 case MBEDTLS_TLS_EXT_CERT_AUTH: 570 return MBEDTLS_SSL_EXT_ID_CERT_AUTH; 571 572 case MBEDTLS_TLS_EXT_OID_FILTERS: 573 return MBEDTLS_SSL_EXT_ID_OID_FILTERS; 574 575 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: 576 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH; 577 578 case MBEDTLS_TLS_EXT_SIG_ALG_CERT: 579 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT; 580 581 case MBEDTLS_TLS_EXT_KEY_SHARE: 582 return MBEDTLS_SSL_EXT_ID_KEY_SHARE; 583 584 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 585 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC; 586 587 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 588 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS; 589 590 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 591 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC; 592 593 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 594 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET; 595 596 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT: 597 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT; 598 599 case MBEDTLS_TLS_EXT_SESSION_TICKET: 600 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET; 601 602 } 603 604 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED; 605} 606 607uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type) 608{ 609 return 1 << mbedtls_ssl_get_extension_id(extension_type); 610} 611 612#if defined(MBEDTLS_DEBUG_C) 613static const char *extension_name_table[] = { 614 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized", 615 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name", 616 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length", 617 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request", 618 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups", 619 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms", 620 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp", 621 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat", 622 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation", 623 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp", 624 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type", 625 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type", 626 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding", 627 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key", 628 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data", 629 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions", 630 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie", 631 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes", 632 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities", 633 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters", 634 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth", 635 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert", 636 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share", 637 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac", 638 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats", 639 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac", 640 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret", 641 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket", 642 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit" 643}; 644 645static const unsigned int extension_type_table[] = { 646 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff, 647 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME, 648 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, 649 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST, 650 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, 651 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG, 652 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP, 653 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT, 654 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN, 655 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT, 656 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE, 657 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE, 658 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING, 659 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY, 660 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA, 661 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, 662 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE, 663 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, 664 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH, 665 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS, 666 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH, 667 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT, 668 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE, 669 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC, 670 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, 671 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, 672 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, 673 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET, 674 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT 675}; 676 677const char *mbedtls_ssl_get_extension_name(unsigned int extension_type) 678{ 679 return extension_name_table[ 680 mbedtls_ssl_get_extension_id(extension_type)]; 681} 682 683static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type) 684{ 685 switch (hs_msg_type) { 686 case MBEDTLS_SSL_HS_CLIENT_HELLO: 687 return "ClientHello"; 688 case MBEDTLS_SSL_HS_SERVER_HELLO: 689 return "ServerHello"; 690 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST: 691 return "HelloRetryRequest"; 692 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET: 693 return "NewSessionTicket"; 694 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: 695 return "EncryptedExtensions"; 696 case MBEDTLS_SSL_HS_CERTIFICATE: 697 return "Certificate"; 698 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST: 699 return "CertificateRequest"; 700 } 701 return "Unknown"; 702} 703 704void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl, 705 int level, const char *file, int line, 706 int hs_msg_type, unsigned int extension_type, 707 const char *extra_msg0, const char *extra_msg1) 708{ 709 const char *extra_msg; 710 if (extra_msg0 && extra_msg1) { 711 mbedtls_debug_print_msg( 712 ssl, level, file, line, 713 "%s: %s(%u) extension %s %s.", 714 ssl_tls13_get_hs_msg_name(hs_msg_type), 715 mbedtls_ssl_get_extension_name(extension_type), 716 extension_type, 717 extra_msg0, extra_msg1); 718 return; 719 } 720 721 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1; 722 if (extra_msg) { 723 mbedtls_debug_print_msg( 724 ssl, level, file, line, 725 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type), 726 mbedtls_ssl_get_extension_name(extension_type), extension_type, 727 extra_msg); 728 return; 729 } 730 731 mbedtls_debug_print_msg( 732 ssl, level, file, line, 733 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type), 734 mbedtls_ssl_get_extension_name(extension_type), extension_type); 735} 736 737void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl, 738 int level, const char *file, int line, 739 int hs_msg_type, uint32_t extensions_mask, 740 const char *extra) 741{ 742 743 for (unsigned i = 0; 744 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]); 745 i++) { 746 mbedtls_ssl_print_extension( 747 ssl, level, file, line, hs_msg_type, extension_type_table[i], 748 extensions_mask & (1 << i) ? "exists" : "does not exist", extra); 749 } 750} 751 752#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 753static const char *ticket_flag_name_table[] = 754{ 755 [0] = "ALLOW_PSK_RESUMPTION", 756 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION", 757 [3] = "ALLOW_EARLY_DATA", 758}; 759 760void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl, 761 int level, const char *file, int line, 762 unsigned int flags) 763{ 764 size_t i; 765 766 mbedtls_debug_print_msg(ssl, level, file, line, 767 "print ticket_flags (0x%02x)", flags); 768 769 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK; 770 771 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) { 772 if ((flags & (1 << i))) { 773 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.", 774 ticket_flag_name_table[i]); 775 } 776 } 777} 778#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 779 780#endif /* MBEDTLS_DEBUG_C */ 781 782void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, 783 const mbedtls_ssl_ciphersuite_t *ciphersuite_info) 784{ 785 ((void) ciphersuite_info); 786 787#if defined(MBEDTLS_MD_CAN_SHA384) 788 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 789 ssl->handshake->update_checksum = ssl_update_checksum_sha384; 790 } else 791#endif 792#if defined(MBEDTLS_MD_CAN_SHA256) 793 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) { 794 ssl->handshake->update_checksum = ssl_update_checksum_sha256; 795 } else 796#endif 797 { 798 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 799 return; 800 } 801} 802 803int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, 804 unsigned hs_type, 805 size_t total_hs_len) 806{ 807 unsigned char hs_hdr[4]; 808 809 /* Build HS header for checksum update. */ 810 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type); 811 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len); 812 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len); 813 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len); 814 815 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr)); 816} 817 818int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, 819 unsigned hs_type, 820 unsigned char const *msg, 821 size_t msg_len) 822{ 823 int ret; 824 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len); 825 if (ret != 0) { 826 return ret; 827 } 828 return ssl->handshake->update_checksum(ssl, msg, msg_len); 829} 830 831int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) 832{ 833#if defined(MBEDTLS_MD_CAN_SHA256) || \ 834 defined(MBEDTLS_MD_CAN_SHA384) 835#if defined(MBEDTLS_USE_PSA_CRYPTO) 836 psa_status_t status; 837#else 838 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 839#endif 840#else /* SHA-256 or SHA-384 */ 841 ((void) ssl); 842#endif /* SHA-256 or SHA-384 */ 843#if defined(MBEDTLS_MD_CAN_SHA256) 844#if defined(MBEDTLS_USE_PSA_CRYPTO) 845 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa); 846 if (status != PSA_SUCCESS) { 847 return mbedtls_md_error_from_psa(status); 848 } 849 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256); 850 if (status != PSA_SUCCESS) { 851 return mbedtls_md_error_from_psa(status); 852 } 853#else 854 mbedtls_md_free(&ssl->handshake->fin_sha256); 855 mbedtls_md_init(&ssl->handshake->fin_sha256); 856 ret = mbedtls_md_setup(&ssl->handshake->fin_sha256, 857 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 858 0); 859 if (ret != 0) { 860 return ret; 861 } 862 ret = mbedtls_md_starts(&ssl->handshake->fin_sha256); 863 if (ret != 0) { 864 return ret; 865 } 866#endif 867#endif 868#if defined(MBEDTLS_MD_CAN_SHA384) 869#if defined(MBEDTLS_USE_PSA_CRYPTO) 870 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa); 871 if (status != PSA_SUCCESS) { 872 return mbedtls_md_error_from_psa(status); 873 } 874 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384); 875 if (status != PSA_SUCCESS) { 876 return mbedtls_md_error_from_psa(status); 877 } 878#else 879 mbedtls_md_free(&ssl->handshake->fin_sha384); 880 mbedtls_md_init(&ssl->handshake->fin_sha384); 881 ret = mbedtls_md_setup(&ssl->handshake->fin_sha384, 882 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); 883 if (ret != 0) { 884 return ret; 885 } 886 ret = mbedtls_md_starts(&ssl->handshake->fin_sha384); 887 if (ret != 0) { 888 return ret; 889 } 890#endif 891#endif 892 return 0; 893} 894 895static int ssl_update_checksum_start(mbedtls_ssl_context *ssl, 896 const unsigned char *buf, size_t len) 897{ 898#if defined(MBEDTLS_MD_CAN_SHA256) || \ 899 defined(MBEDTLS_MD_CAN_SHA384) 900#if defined(MBEDTLS_USE_PSA_CRYPTO) 901 psa_status_t status; 902#else 903 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 904#endif 905#else /* SHA-256 or SHA-384 */ 906 ((void) ssl); 907 (void) buf; 908 (void) len; 909#endif /* SHA-256 or SHA-384 */ 910#if defined(MBEDTLS_MD_CAN_SHA256) 911#if defined(MBEDTLS_USE_PSA_CRYPTO) 912 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len); 913 if (status != PSA_SUCCESS) { 914 return mbedtls_md_error_from_psa(status); 915 } 916#else 917 ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len); 918 if (ret != 0) { 919 return ret; 920 } 921#endif 922#endif 923#if defined(MBEDTLS_MD_CAN_SHA384) 924#if defined(MBEDTLS_USE_PSA_CRYPTO) 925 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len); 926 if (status != PSA_SUCCESS) { 927 return mbedtls_md_error_from_psa(status); 928 } 929#else 930 ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len); 931 if (ret != 0) { 932 return ret; 933 } 934#endif 935#endif 936 return 0; 937} 938 939#if defined(MBEDTLS_MD_CAN_SHA256) 940static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl, 941 const unsigned char *buf, size_t len) 942{ 943#if defined(MBEDTLS_USE_PSA_CRYPTO) 944 return mbedtls_md_error_from_psa(psa_hash_update( 945 &ssl->handshake->fin_sha256_psa, buf, len)); 946#else 947 return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len); 948#endif 949} 950#endif 951 952#if defined(MBEDTLS_MD_CAN_SHA384) 953static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl, 954 const unsigned char *buf, size_t len) 955{ 956#if defined(MBEDTLS_USE_PSA_CRYPTO) 957 return mbedtls_md_error_from_psa(psa_hash_update( 958 &ssl->handshake->fin_sha384_psa, buf, len)); 959#else 960 return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len); 961#endif 962} 963#endif 964 965static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake) 966{ 967 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params)); 968 969#if defined(MBEDTLS_MD_CAN_SHA256) 970#if defined(MBEDTLS_USE_PSA_CRYPTO) 971 handshake->fin_sha256_psa = psa_hash_operation_init(); 972#else 973 mbedtls_md_init(&handshake->fin_sha256); 974#endif 975#endif 976#if defined(MBEDTLS_MD_CAN_SHA384) 977#if defined(MBEDTLS_USE_PSA_CRYPTO) 978 handshake->fin_sha384_psa = psa_hash_operation_init(); 979#else 980 mbedtls_md_init(&handshake->fin_sha384); 981#endif 982#endif 983 984 handshake->update_checksum = ssl_update_checksum_start; 985 986#if defined(MBEDTLS_DHM_C) 987 mbedtls_dhm_init(&handshake->dhm_ctx); 988#endif 989#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 990 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) 991 mbedtls_ecdh_init(&handshake->ecdh_ctx); 992#endif 993#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 994#if defined(MBEDTLS_USE_PSA_CRYPTO) 995 handshake->psa_pake_ctx = psa_pake_operation_init(); 996 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; 997#else 998 mbedtls_ecjpake_init(&handshake->ecjpake_ctx); 999#endif /* MBEDTLS_USE_PSA_CRYPTO */ 1000#if defined(MBEDTLS_SSL_CLI_C) 1001 handshake->ecjpake_cache = NULL; 1002 handshake->ecjpake_cache_len = 0; 1003#endif 1004#endif 1005 1006#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 1007 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx); 1008#endif 1009 1010#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1011 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; 1012#endif 1013 1014#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 1015 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 1016 mbedtls_pk_init(&handshake->peer_pubkey); 1017#endif 1018} 1019 1020void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform) 1021{ 1022 memset(transform, 0, sizeof(mbedtls_ssl_transform)); 1023 1024#if defined(MBEDTLS_USE_PSA_CRYPTO) 1025 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT; 1026 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT; 1027#else 1028 mbedtls_cipher_init(&transform->cipher_ctx_enc); 1029 mbedtls_cipher_init(&transform->cipher_ctx_dec); 1030#endif 1031 1032#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1033#if defined(MBEDTLS_USE_PSA_CRYPTO) 1034 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT; 1035 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT; 1036#else 1037 mbedtls_md_init(&transform->md_ctx_enc); 1038 mbedtls_md_init(&transform->md_ctx_dec); 1039#endif 1040#endif 1041} 1042 1043void mbedtls_ssl_session_init(mbedtls_ssl_session *session) 1044{ 1045 memset(session, 0, sizeof(mbedtls_ssl_session)); 1046} 1047 1048MBEDTLS_CHECK_RETURN_CRITICAL 1049static int ssl_handshake_init(mbedtls_ssl_context *ssl) 1050{ 1051 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1052 1053 /* Clear old handshake information if present */ 1054#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1055 if (ssl->transform_negotiate) { 1056 mbedtls_ssl_transform_free(ssl->transform_negotiate); 1057 } 1058#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1059 if (ssl->session_negotiate) { 1060 mbedtls_ssl_session_free(ssl->session_negotiate); 1061 } 1062 if (ssl->handshake) { 1063 mbedtls_ssl_handshake_free(ssl); 1064 } 1065 1066#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1067 /* 1068 * Either the pointers are now NULL or cleared properly and can be freed. 1069 * Now allocate missing structures. 1070 */ 1071 if (ssl->transform_negotiate == NULL) { 1072 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform)); 1073 } 1074#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1075 1076 if (ssl->session_negotiate == NULL) { 1077 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session)); 1078 } 1079 1080 if (ssl->handshake == NULL) { 1081 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params)); 1082 } 1083#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1084 /* If the buffers are too small - reallocate */ 1085 1086 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN, 1087 MBEDTLS_SSL_OUT_BUFFER_LEN); 1088#endif 1089 1090 /* All pointers should exist and can be directly freed without issue */ 1091 if (ssl->handshake == NULL || 1092#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1093 ssl->transform_negotiate == NULL || 1094#endif 1095 ssl->session_negotiate == NULL) { 1096 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed")); 1097 1098 mbedtls_free(ssl->handshake); 1099 ssl->handshake = NULL; 1100 1101#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1102 mbedtls_free(ssl->transform_negotiate); 1103 ssl->transform_negotiate = NULL; 1104#endif 1105 1106 mbedtls_free(ssl->session_negotiate); 1107 ssl->session_negotiate = NULL; 1108 1109 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1110 } 1111 1112#if defined(MBEDTLS_SSL_EARLY_DATA) 1113#if defined(MBEDTLS_SSL_CLI_C) 1114 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE; 1115#endif 1116#if defined(MBEDTLS_SSL_SRV_C) 1117 ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; 1118#endif 1119 ssl->total_early_data_size = 0; 1120#endif /* MBEDTLS_SSL_EARLY_DATA */ 1121 1122 /* Initialize structures */ 1123 mbedtls_ssl_session_init(ssl->session_negotiate); 1124 ssl_handshake_params_init(ssl->handshake); 1125 1126#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1127 mbedtls_ssl_transform_init(ssl->transform_negotiate); 1128#endif 1129 1130 /* Setup handshake checksums */ 1131 ret = mbedtls_ssl_reset_checksum(ssl); 1132 if (ret != 0) { 1133 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret); 1134 return ret; 1135 } 1136 1137#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 1138 defined(MBEDTLS_SSL_SRV_C) && \ 1139 defined(MBEDTLS_SSL_SESSION_TICKETS) 1140 ssl->handshake->new_session_tickets_count = 1141 ssl->conf->new_session_tickets_count; 1142#endif 1143 1144#if defined(MBEDTLS_SSL_PROTO_DTLS) 1145 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1146 ssl->handshake->alt_transform_out = ssl->transform_out; 1147 1148 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 1149 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 1150 } else { 1151 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 1152 } 1153 1154 mbedtls_ssl_set_timer(ssl, 0); 1155 } 1156#endif 1157 1158/* 1159 * curve_list is translated to IANA TLS group identifiers here because 1160 * mbedtls_ssl_conf_curves returns void and so can't return 1161 * any error codes. 1162 */ 1163#if defined(MBEDTLS_ECP_C) 1164#if !defined(MBEDTLS_DEPRECATED_REMOVED) 1165 /* Heap allocate and translate curve_list from internal to IANA group ids */ 1166 if (ssl->conf->curve_list != NULL) { 1167 size_t length; 1168 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list; 1169 1170 for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) { 1171 } 1172 1173 /* Leave room for zero termination */ 1174 uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t)); 1175 if (group_list == NULL) { 1176 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1177 } 1178 1179 for (size_t i = 0; i < length; i++) { 1180 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( 1181 curve_list[i]); 1182 if (tls_id == 0) { 1183 mbedtls_free(group_list); 1184 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1185 } 1186 group_list[i] = tls_id; 1187 } 1188 1189 group_list[length] = 0; 1190 1191 ssl->handshake->group_list = group_list; 1192 ssl->handshake->group_list_heap_allocated = 1; 1193 } else { 1194 ssl->handshake->group_list = ssl->conf->group_list; 1195 ssl->handshake->group_list_heap_allocated = 0; 1196 } 1197#endif /* MBEDTLS_DEPRECATED_REMOVED */ 1198#endif /* MBEDTLS_ECP_C */ 1199 1200#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 1201#if !defined(MBEDTLS_DEPRECATED_REMOVED) 1202#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1203 /* Heap allocate and translate sig_hashes from internal hash identifiers to 1204 signature algorithms IANA identifiers. */ 1205 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) && 1206 ssl->conf->sig_hashes != NULL) { 1207 const int *md; 1208 const int *sig_hashes = ssl->conf->sig_hashes; 1209 size_t sig_algs_len = 0; 1210 uint16_t *p; 1211 1212 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 1213 <= (SIZE_MAX - (2 * sizeof(uint16_t))), 1214 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big"); 1215 1216 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) { 1217 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) { 1218 continue; 1219 } 1220#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 1221 sig_algs_len += sizeof(uint16_t); 1222#endif 1223 1224#if defined(MBEDTLS_RSA_C) 1225 sig_algs_len += sizeof(uint16_t); 1226#endif 1227 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) { 1228 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1229 } 1230 } 1231 1232 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) { 1233 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1234 } 1235 1236 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len + 1237 sizeof(uint16_t)); 1238 if (ssl->handshake->sig_algs == NULL) { 1239 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1240 } 1241 1242 p = (uint16_t *) ssl->handshake->sig_algs; 1243 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) { 1244 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md); 1245 if (hash == MBEDTLS_SSL_HASH_NONE) { 1246 continue; 1247 } 1248#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 1249 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA); 1250 p++; 1251#endif 1252#if defined(MBEDTLS_RSA_C) 1253 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA); 1254 p++; 1255#endif 1256 } 1257 *p = MBEDTLS_TLS_SIG_NONE; 1258 ssl->handshake->sig_algs_heap_allocated = 1; 1259 } else 1260#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1261 { 1262 ssl->handshake->sig_algs_heap_allocated = 0; 1263 } 1264#endif /* !MBEDTLS_DEPRECATED_REMOVED */ 1265#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 1266 return 0; 1267} 1268 1269#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 1270/* Dummy cookie callbacks for defaults */ 1271MBEDTLS_CHECK_RETURN_CRITICAL 1272static int ssl_cookie_write_dummy(void *ctx, 1273 unsigned char **p, unsigned char *end, 1274 const unsigned char *cli_id, size_t cli_id_len) 1275{ 1276 ((void) ctx); 1277 ((void) p); 1278 ((void) end); 1279 ((void) cli_id); 1280 ((void) cli_id_len); 1281 1282 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1283} 1284 1285MBEDTLS_CHECK_RETURN_CRITICAL 1286static int ssl_cookie_check_dummy(void *ctx, 1287 const unsigned char *cookie, size_t cookie_len, 1288 const unsigned char *cli_id, size_t cli_id_len) 1289{ 1290 ((void) ctx); 1291 ((void) cookie); 1292 ((void) cookie_len); 1293 ((void) cli_id); 1294 ((void) cli_id_len); 1295 1296 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1297} 1298#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 1299 1300/* 1301 * Initialize an SSL context 1302 */ 1303void mbedtls_ssl_init(mbedtls_ssl_context *ssl) 1304{ 1305 memset(ssl, 0, sizeof(mbedtls_ssl_context)); 1306} 1307 1308MBEDTLS_CHECK_RETURN_CRITICAL 1309static int ssl_conf_version_check(const mbedtls_ssl_context *ssl) 1310{ 1311 const mbedtls_ssl_config *conf = ssl->conf; 1312 1313#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1314 if (mbedtls_ssl_conf_is_tls13_only(conf)) { 1315 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1316 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported.")); 1317 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1318 } 1319 1320 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only.")); 1321 return 0; 1322 } 1323#endif 1324 1325#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1326 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 1327 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only.")); 1328 return 0; 1329 } 1330#endif 1331 1332#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 1333 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) { 1334 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1335 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2")); 1336 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1337 } 1338 1339 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2.")); 1340 return 0; 1341 } 1342#endif 1343 1344 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid.")); 1345 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1346} 1347 1348MBEDTLS_CHECK_RETURN_CRITICAL 1349static int ssl_conf_check(const mbedtls_ssl_context *ssl) 1350{ 1351 int ret; 1352 ret = ssl_conf_version_check(ssl); 1353 if (ret != 0) { 1354 return ret; 1355 } 1356 1357#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1358 /* RFC 8446 section 4.4.3 1359 * 1360 * If the verification fails, the receiver MUST terminate the handshake with 1361 * a "decrypt_error" alert. 1362 * 1363 * If the client is configured as TLS 1.3 only with optional verify, return 1364 * bad config. 1365 * 1366 */ 1367 if (mbedtls_ssl_conf_tls13_is_ephemeral_enabled( 1368 (mbedtls_ssl_context *) ssl) && 1369 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 1370 ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && 1371 ssl->conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && 1372 ssl->conf->authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) { 1373 MBEDTLS_SSL_DEBUG_MSG( 1374 1, ("Optional verify auth mode " 1375 "is not available for TLS 1.3 client")); 1376 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1377 } 1378#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1379 1380 if (ssl->conf->f_rng == NULL) { 1381 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); 1382 return MBEDTLS_ERR_SSL_NO_RNG; 1383 } 1384 1385 /* Space for further checks */ 1386 1387 return 0; 1388} 1389 1390/* 1391 * Setup an SSL context 1392 */ 1393 1394int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, 1395 const mbedtls_ssl_config *conf) 1396{ 1397 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1398 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 1399 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 1400 1401 ssl->conf = conf; 1402 1403 if ((ret = ssl_conf_check(ssl)) != 0) { 1404 return ret; 1405 } 1406 ssl->tls_version = ssl->conf->max_tls_version; 1407 1408 /* 1409 * Prepare base structures 1410 */ 1411 1412 /* Set to NULL in case of an error condition */ 1413 ssl->out_buf = NULL; 1414 1415#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1416 ssl->in_buf_len = in_buf_len; 1417#endif 1418 ssl->in_buf = mbedtls_calloc(1, in_buf_len); 1419 if (ssl->in_buf == NULL) { 1420 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len)); 1421 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 1422 goto error; 1423 } 1424 1425#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1426 ssl->out_buf_len = out_buf_len; 1427#endif 1428 ssl->out_buf = mbedtls_calloc(1, out_buf_len); 1429 if (ssl->out_buf == NULL) { 1430 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len)); 1431 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 1432 goto error; 1433 } 1434 1435 mbedtls_ssl_reset_in_out_pointers(ssl); 1436 1437#if defined(MBEDTLS_SSL_DTLS_SRTP) 1438 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info)); 1439#endif 1440 1441 if ((ret = ssl_handshake_init(ssl)) != 0) { 1442 goto error; 1443 } 1444 1445 return 0; 1446 1447error: 1448 mbedtls_free(ssl->in_buf); 1449 mbedtls_free(ssl->out_buf); 1450 1451 ssl->conf = NULL; 1452 1453#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1454 ssl->in_buf_len = 0; 1455 ssl->out_buf_len = 0; 1456#endif 1457 ssl->in_buf = NULL; 1458 ssl->out_buf = NULL; 1459 1460 ssl->in_hdr = NULL; 1461 ssl->in_ctr = NULL; 1462 ssl->in_len = NULL; 1463 ssl->in_iv = NULL; 1464 ssl->in_msg = NULL; 1465 1466 ssl->out_hdr = NULL; 1467 ssl->out_ctr = NULL; 1468 ssl->out_len = NULL; 1469 ssl->out_iv = NULL; 1470 ssl->out_msg = NULL; 1471 1472 return ret; 1473} 1474 1475/* 1476 * Reset an initialized and used SSL context for re-use while retaining 1477 * all application-set variables, function pointers and data. 1478 * 1479 * If partial is non-zero, keep data in the input buffer and client ID. 1480 * (Use when a DTLS client reconnects from the same port.) 1481 */ 1482void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, 1483 int partial) 1484{ 1485#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1486 size_t in_buf_len = ssl->in_buf_len; 1487 size_t out_buf_len = ssl->out_buf_len; 1488#else 1489 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 1490 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 1491#endif 1492 1493#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C) 1494 partial = 0; 1495#endif 1496 1497 /* Cancel any possibly running timer */ 1498 mbedtls_ssl_set_timer(ssl, 0); 1499 1500 mbedtls_ssl_reset_in_out_pointers(ssl); 1501 1502 /* Reset incoming message parsing */ 1503 ssl->in_offt = NULL; 1504 ssl->nb_zero = 0; 1505 ssl->in_msgtype = 0; 1506 ssl->in_msglen = 0; 1507 ssl->in_hslen = 0; 1508 ssl->keep_current_message = 0; 1509 ssl->transform_in = NULL; 1510 1511#if defined(MBEDTLS_SSL_PROTO_DTLS) 1512 ssl->next_record_offset = 0; 1513 ssl->in_epoch = 0; 1514#endif 1515 1516 /* Keep current datagram if partial == 1 */ 1517 if (partial == 0) { 1518 ssl->in_left = 0; 1519 memset(ssl->in_buf, 0, in_buf_len); 1520 } 1521 1522 ssl->send_alert = 0; 1523 1524 /* Reset outgoing message writing */ 1525 ssl->out_msgtype = 0; 1526 ssl->out_msglen = 0; 1527 ssl->out_left = 0; 1528 memset(ssl->out_buf, 0, out_buf_len); 1529 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr)); 1530 ssl->transform_out = NULL; 1531 1532#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1533 mbedtls_ssl_dtls_replay_reset(ssl); 1534#endif 1535 1536#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1537 if (ssl->transform) { 1538 mbedtls_ssl_transform_free(ssl->transform); 1539 mbedtls_free(ssl->transform); 1540 ssl->transform = NULL; 1541 } 1542#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1543 1544#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1545 mbedtls_ssl_transform_free(ssl->transform_application); 1546 mbedtls_free(ssl->transform_application); 1547 ssl->transform_application = NULL; 1548 1549 if (ssl->handshake != NULL) { 1550#if defined(MBEDTLS_SSL_EARLY_DATA) 1551 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata); 1552 mbedtls_free(ssl->handshake->transform_earlydata); 1553 ssl->handshake->transform_earlydata = NULL; 1554#endif 1555 1556 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake); 1557 mbedtls_free(ssl->handshake->transform_handshake); 1558 ssl->handshake->transform_handshake = NULL; 1559 } 1560 1561#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1562} 1563 1564int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial) 1565{ 1566 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1567 1568 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 1569 ssl->tls_version = ssl->conf->max_tls_version; 1570 1571 mbedtls_ssl_session_reset_msg_layer(ssl, partial); 1572 1573 /* Reset renegotiation state */ 1574#if defined(MBEDTLS_SSL_RENEGOTIATION) 1575 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE; 1576 ssl->renego_records_seen = 0; 1577 1578 ssl->verify_data_len = 0; 1579 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN); 1580 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN); 1581#endif 1582 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION; 1583 1584 ssl->session_in = NULL; 1585 ssl->session_out = NULL; 1586 if (ssl->session) { 1587 mbedtls_ssl_session_free(ssl->session); 1588 mbedtls_free(ssl->session); 1589 ssl->session = NULL; 1590 } 1591 1592#if defined(MBEDTLS_SSL_ALPN) 1593 ssl->alpn_chosen = NULL; 1594#endif 1595 1596#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 1597 int free_cli_id = 1; 1598#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) 1599 free_cli_id = (partial == 0); 1600#endif 1601 if (free_cli_id) { 1602 mbedtls_free(ssl->cli_id); 1603 ssl->cli_id = NULL; 1604 ssl->cli_id_len = 0; 1605 } 1606#endif 1607 1608 if ((ret = ssl_handshake_init(ssl)) != 0) { 1609 return ret; 1610 } 1611 1612 return 0; 1613} 1614 1615/* 1616 * Reset an initialized and used SSL context for re-use while retaining 1617 * all application-set variables, function pointers and data. 1618 */ 1619int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl) 1620{ 1621 return mbedtls_ssl_session_reset_int(ssl, 0); 1622} 1623 1624/* 1625 * SSL set accessors 1626 */ 1627void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint) 1628{ 1629 conf->endpoint = endpoint; 1630} 1631 1632void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport) 1633{ 1634 conf->transport = transport; 1635} 1636 1637#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1638void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode) 1639{ 1640 conf->anti_replay = mode; 1641} 1642#endif 1643 1644void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit) 1645{ 1646 conf->badmac_limit = limit; 1647} 1648 1649#if defined(MBEDTLS_SSL_PROTO_DTLS) 1650 1651void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl, 1652 unsigned allow_packing) 1653{ 1654 ssl->disable_datagram_packing = !allow_packing; 1655} 1656 1657void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf, 1658 uint32_t min, uint32_t max) 1659{ 1660 conf->hs_timeout_min = min; 1661 conf->hs_timeout_max = max; 1662} 1663#endif 1664 1665void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode) 1666{ 1667 conf->authmode = authmode; 1668} 1669 1670#if defined(MBEDTLS_X509_CRT_PARSE_C) 1671void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf, 1672 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 1673 void *p_vrfy) 1674{ 1675 conf->f_vrfy = f_vrfy; 1676 conf->p_vrfy = p_vrfy; 1677} 1678#endif /* MBEDTLS_X509_CRT_PARSE_C */ 1679 1680void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf, 1681 int (*f_rng)(void *, unsigned char *, size_t), 1682 void *p_rng) 1683{ 1684 conf->f_rng = f_rng; 1685 conf->p_rng = p_rng; 1686} 1687 1688void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf, 1689 void (*f_dbg)(void *, int, const char *, int, const char *), 1690 void *p_dbg) 1691{ 1692 conf->f_dbg = f_dbg; 1693 conf->p_dbg = p_dbg; 1694} 1695 1696void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl, 1697 void *p_bio, 1698 mbedtls_ssl_send_t *f_send, 1699 mbedtls_ssl_recv_t *f_recv, 1700 mbedtls_ssl_recv_timeout_t *f_recv_timeout) 1701{ 1702 ssl->p_bio = p_bio; 1703 ssl->f_send = f_send; 1704 ssl->f_recv = f_recv; 1705 ssl->f_recv_timeout = f_recv_timeout; 1706} 1707 1708#if defined(MBEDTLS_SSL_PROTO_DTLS) 1709void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu) 1710{ 1711 ssl->mtu = mtu; 1712} 1713#endif 1714 1715void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout) 1716{ 1717 conf->read_timeout = timeout; 1718} 1719 1720void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl, 1721 void *p_timer, 1722 mbedtls_ssl_set_timer_t *f_set_timer, 1723 mbedtls_ssl_get_timer_t *f_get_timer) 1724{ 1725 ssl->p_timer = p_timer; 1726 ssl->f_set_timer = f_set_timer; 1727 ssl->f_get_timer = f_get_timer; 1728 1729 /* Make sure we start with no timer running */ 1730 mbedtls_ssl_set_timer(ssl, 0); 1731} 1732 1733#if defined(MBEDTLS_SSL_SRV_C) 1734void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf, 1735 void *p_cache, 1736 mbedtls_ssl_cache_get_t *f_get_cache, 1737 mbedtls_ssl_cache_set_t *f_set_cache) 1738{ 1739 conf->p_cache = p_cache; 1740 conf->f_get_cache = f_get_cache; 1741 conf->f_set_cache = f_set_cache; 1742} 1743#endif /* MBEDTLS_SSL_SRV_C */ 1744 1745#if defined(MBEDTLS_SSL_CLI_C) 1746int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session) 1747{ 1748 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1749 1750 if (ssl == NULL || 1751 session == NULL || 1752 ssl->session_negotiate == NULL || 1753 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) { 1754 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 1755 } 1756 1757 if (ssl->handshake->resume == 1) { 1758 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1759 } 1760 1761#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1762 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 1763 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 1764 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite); 1765 1766 if (mbedtls_ssl_validate_ciphersuite( 1767 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3, 1768 MBEDTLS_SSL_VERSION_TLS1_3) != 0) { 1769 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.", 1770 session->ciphersuite)); 1771 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 1772 } 1773 } 1774#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1775 1776 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate, 1777 session)) != 0) { 1778 return ret; 1779 } 1780 1781 ssl->handshake->resume = 1; 1782 1783 return 0; 1784} 1785#endif /* MBEDTLS_SSL_CLI_C */ 1786 1787void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf, 1788 const int *ciphersuites) 1789{ 1790 conf->ciphersuite_list = ciphersuites; 1791} 1792 1793#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1794void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf, 1795 const int kex_modes) 1796{ 1797 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; 1798} 1799 1800#if defined(MBEDTLS_SSL_EARLY_DATA) 1801void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf, 1802 int early_data_enabled) 1803{ 1804 conf->early_data_enabled = early_data_enabled; 1805} 1806 1807#if defined(MBEDTLS_SSL_SRV_C) 1808void mbedtls_ssl_conf_max_early_data_size( 1809 mbedtls_ssl_config *conf, uint32_t max_early_data_size) 1810{ 1811 conf->max_early_data_size = max_early_data_size; 1812} 1813#endif /* MBEDTLS_SSL_SRV_C */ 1814 1815#endif /* MBEDTLS_SSL_EARLY_DATA */ 1816#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1817 1818#if defined(MBEDTLS_X509_CRT_PARSE_C) 1819void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf, 1820 const mbedtls_x509_crt_profile *profile) 1821{ 1822 conf->cert_profile = profile; 1823} 1824 1825static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert) 1826{ 1827 mbedtls_ssl_key_cert *cur = key_cert, *next; 1828 1829 while (cur != NULL) { 1830 next = cur->next; 1831 mbedtls_free(cur); 1832 cur = next; 1833 } 1834} 1835 1836/* Append a new keycert entry to a (possibly empty) list */ 1837MBEDTLS_CHECK_RETURN_CRITICAL 1838static int ssl_append_key_cert(mbedtls_ssl_key_cert **head, 1839 mbedtls_x509_crt *cert, 1840 mbedtls_pk_context *key) 1841{ 1842 mbedtls_ssl_key_cert *new_cert; 1843 1844 if (cert == NULL) { 1845 /* Free list if cert is null */ 1846 ssl_key_cert_free(*head); 1847 *head = NULL; 1848 return 0; 1849 } 1850 1851 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert)); 1852 if (new_cert == NULL) { 1853 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1854 } 1855 1856 new_cert->cert = cert; 1857 new_cert->key = key; 1858 new_cert->next = NULL; 1859 1860 /* Update head if the list was null, else add to the end */ 1861 if (*head == NULL) { 1862 *head = new_cert; 1863 } else { 1864 mbedtls_ssl_key_cert *cur = *head; 1865 while (cur->next != NULL) { 1866 cur = cur->next; 1867 } 1868 cur->next = new_cert; 1869 } 1870 1871 return 0; 1872} 1873 1874int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, 1875 mbedtls_x509_crt *own_cert, 1876 mbedtls_pk_context *pk_key) 1877{ 1878 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key); 1879} 1880 1881void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf, 1882 mbedtls_x509_crt *ca_chain, 1883 mbedtls_x509_crl *ca_crl) 1884{ 1885 conf->ca_chain = ca_chain; 1886 conf->ca_crl = ca_crl; 1887 1888#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 1889 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb() 1890 * cannot be used together. */ 1891 conf->f_ca_cb = NULL; 1892 conf->p_ca_cb = NULL; 1893#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 1894} 1895 1896#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 1897void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf, 1898 mbedtls_x509_crt_ca_cb_t f_ca_cb, 1899 void *p_ca_cb) 1900{ 1901 conf->f_ca_cb = f_ca_cb; 1902 conf->p_ca_cb = p_ca_cb; 1903 1904 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb() 1905 * cannot be used together. */ 1906 conf->ca_chain = NULL; 1907 conf->ca_crl = NULL; 1908} 1909#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 1910#endif /* MBEDTLS_X509_CRT_PARSE_C */ 1911 1912#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1913const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl, 1914 size_t *name_len) 1915{ 1916 *name_len = ssl->handshake->sni_name_len; 1917 return ssl->handshake->sni_name; 1918} 1919 1920int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl, 1921 mbedtls_x509_crt *own_cert, 1922 mbedtls_pk_context *pk_key) 1923{ 1924 return ssl_append_key_cert(&ssl->handshake->sni_key_cert, 1925 own_cert, pk_key); 1926} 1927 1928void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl, 1929 mbedtls_x509_crt *ca_chain, 1930 mbedtls_x509_crl *ca_crl) 1931{ 1932 ssl->handshake->sni_ca_chain = ca_chain; 1933 ssl->handshake->sni_ca_crl = ca_crl; 1934} 1935 1936#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 1937void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl, 1938 const mbedtls_x509_crt *crt) 1939{ 1940 ssl->handshake->dn_hints = crt; 1941} 1942#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 1943 1944void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl, 1945 int authmode) 1946{ 1947 ssl->handshake->sni_authmode = authmode; 1948} 1949#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1950 1951#if defined(MBEDTLS_X509_CRT_PARSE_C) 1952void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl, 1953 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 1954 void *p_vrfy) 1955{ 1956 ssl->f_vrfy = f_vrfy; 1957 ssl->p_vrfy = p_vrfy; 1958} 1959#endif 1960 1961#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1962 1963#if defined(MBEDTLS_USE_PSA_CRYPTO) 1964static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' }; 1965static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' }; 1966 1967static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common( 1968 mbedtls_ssl_context *ssl, 1969 mbedtls_svc_key_id_t pwd) 1970{ 1971 psa_status_t status; 1972 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1973 const uint8_t *user = NULL; 1974 size_t user_len = 0; 1975 const uint8_t *peer = NULL; 1976 size_t peer_len = 0; 1977 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1978 psa_pake_cs_set_primitive(&cipher_suite, 1979 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, 1980 PSA_ECC_FAMILY_SECP_R1, 1981 256)); 1982 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1983 1984 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite); 1985 if (status != PSA_SUCCESS) { 1986 return status; 1987 } 1988 1989 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 1990 user = jpake_server_id; 1991 user_len = sizeof(jpake_server_id); 1992 peer = jpake_client_id; 1993 peer_len = sizeof(jpake_client_id); 1994 } else { 1995 user = jpake_client_id; 1996 user_len = sizeof(jpake_client_id); 1997 peer = jpake_server_id; 1998 peer_len = sizeof(jpake_server_id); 1999 } 2000 2001 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len); 2002 if (status != PSA_SUCCESS) { 2003 return status; 2004 } 2005 2006 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len); 2007 if (status != PSA_SUCCESS) { 2008 return status; 2009 } 2010 2011 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd); 2012 if (status != PSA_SUCCESS) { 2013 return status; 2014 } 2015 2016 ssl->handshake->psa_pake_ctx_is_ok = 1; 2017 2018 return PSA_SUCCESS; 2019} 2020 2021int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl, 2022 const unsigned char *pw, 2023 size_t pw_len) 2024{ 2025 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2026 psa_status_t status; 2027 2028 if (ssl->handshake == NULL || ssl->conf == NULL) { 2029 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2030 } 2031 2032 /* Empty password is not valid */ 2033 if ((pw == NULL) || (pw_len == 0)) { 2034 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2035 } 2036 2037 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 2038 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); 2039 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 2040 2041 status = psa_import_key(&attributes, pw, pw_len, 2042 &ssl->handshake->psa_pake_password); 2043 if (status != PSA_SUCCESS) { 2044 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2045 } 2046 2047 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, 2048 ssl->handshake->psa_pake_password); 2049 if (status != PSA_SUCCESS) { 2050 psa_destroy_key(ssl->handshake->psa_pake_password); 2051 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 2052 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2053 } 2054 2055 return 0; 2056} 2057 2058int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl, 2059 mbedtls_svc_key_id_t pwd) 2060{ 2061 psa_status_t status; 2062 2063 if (ssl->handshake == NULL || ssl->conf == NULL) { 2064 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2065 } 2066 2067 if (mbedtls_svc_key_id_is_null(pwd)) { 2068 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2069 } 2070 2071 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd); 2072 if (status != PSA_SUCCESS) { 2073 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 2074 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2075 } 2076 2077 return 0; 2078} 2079#else /* MBEDTLS_USE_PSA_CRYPTO */ 2080int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl, 2081 const unsigned char *pw, 2082 size_t pw_len) 2083{ 2084 mbedtls_ecjpake_role role; 2085 2086 if (ssl->handshake == NULL || ssl->conf == NULL) { 2087 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2088 } 2089 2090 /* Empty password is not valid */ 2091 if ((pw == NULL) || (pw_len == 0)) { 2092 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2093 } 2094 2095 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 2096 role = MBEDTLS_ECJPAKE_SERVER; 2097 } else { 2098 role = MBEDTLS_ECJPAKE_CLIENT; 2099 } 2100 2101 return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx, 2102 role, 2103 MBEDTLS_MD_SHA256, 2104 MBEDTLS_ECP_DP_SECP256R1, 2105 pw, pw_len); 2106} 2107#endif /* MBEDTLS_USE_PSA_CRYPTO */ 2108#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2109 2110#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 2111int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf) 2112{ 2113 if (conf->psk_identity == NULL || 2114 conf->psk_identity_len == 0) { 2115 return 0; 2116 } 2117 2118#if defined(MBEDTLS_USE_PSA_CRYPTO) 2119 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 2120 return 1; 2121 } 2122#endif /* MBEDTLS_USE_PSA_CRYPTO */ 2123 2124 if (conf->psk != NULL && conf->psk_len != 0) { 2125 return 1; 2126 } 2127 2128 return 0; 2129} 2130 2131static void ssl_conf_remove_psk(mbedtls_ssl_config *conf) 2132{ 2133 /* Remove reference to existing PSK, if any. */ 2134#if defined(MBEDTLS_USE_PSA_CRYPTO) 2135 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 2136 /* The maintenance of the PSK key slot is the 2137 * user's responsibility. */ 2138 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 2139 } 2140#endif /* MBEDTLS_USE_PSA_CRYPTO */ 2141 if (conf->psk != NULL) { 2142 mbedtls_zeroize_and_free(conf->psk, conf->psk_len); 2143 conf->psk = NULL; 2144 conf->psk_len = 0; 2145 } 2146 2147 /* Remove reference to PSK identity, if any. */ 2148 if (conf->psk_identity != NULL) { 2149 mbedtls_free(conf->psk_identity); 2150 conf->psk_identity = NULL; 2151 conf->psk_identity_len = 0; 2152 } 2153} 2154 2155/* This function assumes that PSK identity in the SSL config is unset. 2156 * It checks that the provided identity is well-formed and attempts 2157 * to make a copy of it in the SSL config. 2158 * On failure, the PSK identity in the config remains unset. */ 2159MBEDTLS_CHECK_RETURN_CRITICAL 2160static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf, 2161 unsigned char const *psk_identity, 2162 size_t psk_identity_len) 2163{ 2164 /* Identity len will be encoded on two bytes */ 2165 if (psk_identity == NULL || 2166 psk_identity_len == 0 || 2167 (psk_identity_len >> 16) != 0 || 2168 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) { 2169 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2170 } 2171 2172 conf->psk_identity = mbedtls_calloc(1, psk_identity_len); 2173 if (conf->psk_identity == NULL) { 2174 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2175 } 2176 2177 conf->psk_identity_len = psk_identity_len; 2178 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len); 2179 2180 return 0; 2181} 2182 2183int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf, 2184 const unsigned char *psk, size_t psk_len, 2185 const unsigned char *psk_identity, size_t psk_identity_len) 2186{ 2187 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2188 2189 /* We currently only support one PSK, raw or opaque. */ 2190 if (mbedtls_ssl_conf_has_static_psk(conf)) { 2191 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2192 } 2193 2194 /* Check and set raw PSK */ 2195 if (psk == NULL) { 2196 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2197 } 2198 if (psk_len == 0) { 2199 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2200 } 2201 if (psk_len > MBEDTLS_PSK_MAX_LEN) { 2202 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2203 } 2204 2205 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) { 2206 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2207 } 2208 conf->psk_len = psk_len; 2209 memcpy(conf->psk, psk, conf->psk_len); 2210 2211 /* Check and set PSK Identity */ 2212 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len); 2213 if (ret != 0) { 2214 ssl_conf_remove_psk(conf); 2215 } 2216 2217 return ret; 2218} 2219 2220static void ssl_remove_psk(mbedtls_ssl_context *ssl) 2221{ 2222#if defined(MBEDTLS_USE_PSA_CRYPTO) 2223 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 2224 /* The maintenance of the external PSK key slot is the 2225 * user's responsibility. */ 2226 if (ssl->handshake->psk_opaque_is_internal) { 2227 psa_destroy_key(ssl->handshake->psk_opaque); 2228 ssl->handshake->psk_opaque_is_internal = 0; 2229 } 2230 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 2231 } 2232#else 2233 if (ssl->handshake->psk != NULL) { 2234 mbedtls_zeroize_and_free(ssl->handshake->psk, 2235 ssl->handshake->psk_len); 2236 ssl->handshake->psk_len = 0; 2237 } 2238#endif /* MBEDTLS_USE_PSA_CRYPTO */ 2239} 2240 2241int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl, 2242 const unsigned char *psk, size_t psk_len) 2243{ 2244#if defined(MBEDTLS_USE_PSA_CRYPTO) 2245 psa_key_attributes_t key_attributes = psa_key_attributes_init(); 2246 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2247 psa_algorithm_t alg = PSA_ALG_NONE; 2248 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2249#endif /* MBEDTLS_USE_PSA_CRYPTO */ 2250 2251 if (psk == NULL || ssl->handshake == NULL) { 2252 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2253 } 2254 2255 if (psk_len > MBEDTLS_PSK_MAX_LEN) { 2256 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2257 } 2258 2259 ssl_remove_psk(ssl); 2260 2261#if defined(MBEDTLS_USE_PSA_CRYPTO) 2262#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2263 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2264 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 2265 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); 2266 } else { 2267 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); 2268 } 2269 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 2270 } 2271#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2272 2273#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2274 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2275 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH); 2276 psa_set_key_usage_flags(&key_attributes, 2277 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT); 2278 } 2279#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 2280 2281 psa_set_key_algorithm(&key_attributes, alg); 2282 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE); 2283 2284 status = psa_import_key(&key_attributes, psk, psk_len, &key); 2285 if (status != PSA_SUCCESS) { 2286 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2287 } 2288 2289 /* Allow calling psa_destroy_key() on psk remove */ 2290 ssl->handshake->psk_opaque_is_internal = 1; 2291 return mbedtls_ssl_set_hs_psk_opaque(ssl, key); 2292#else 2293 if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) { 2294 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2295 } 2296 2297 ssl->handshake->psk_len = psk_len; 2298 memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len); 2299 2300 return 0; 2301#endif /* MBEDTLS_USE_PSA_CRYPTO */ 2302} 2303 2304#if defined(MBEDTLS_USE_PSA_CRYPTO) 2305int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf, 2306 mbedtls_svc_key_id_t psk, 2307 const unsigned char *psk_identity, 2308 size_t psk_identity_len) 2309{ 2310 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2311 2312 /* We currently only support one PSK, raw or opaque. */ 2313 if (mbedtls_ssl_conf_has_static_psk(conf)) { 2314 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2315 } 2316 2317 /* Check and set opaque PSK */ 2318 if (mbedtls_svc_key_id_is_null(psk)) { 2319 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2320 } 2321 conf->psk_opaque = psk; 2322 2323 /* Check and set PSK Identity */ 2324 ret = ssl_conf_set_psk_identity(conf, psk_identity, 2325 psk_identity_len); 2326 if (ret != 0) { 2327 ssl_conf_remove_psk(conf); 2328 } 2329 2330 return ret; 2331} 2332 2333int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl, 2334 mbedtls_svc_key_id_t psk) 2335{ 2336 if ((mbedtls_svc_key_id_is_null(psk)) || 2337 (ssl->handshake == NULL)) { 2338 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2339 } 2340 2341 ssl_remove_psk(ssl); 2342 ssl->handshake->psk_opaque = psk; 2343 return 0; 2344} 2345#endif /* MBEDTLS_USE_PSA_CRYPTO */ 2346 2347#if defined(MBEDTLS_SSL_SRV_C) 2348void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf, 2349 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, 2350 size_t), 2351 void *p_psk) 2352{ 2353 conf->f_psk = f_psk; 2354 conf->p_psk = p_psk; 2355} 2356#endif /* MBEDTLS_SSL_SRV_C */ 2357 2358#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 2359 2360#if defined(MBEDTLS_USE_PSA_CRYPTO) 2361static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode( 2362 psa_algorithm_t alg) 2363{ 2364#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 2365 if (alg == PSA_ALG_CBC_NO_PADDING) { 2366 return MBEDTLS_SSL_MODE_CBC; 2367 } 2368#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 2369 if (PSA_ALG_IS_AEAD(alg)) { 2370 return MBEDTLS_SSL_MODE_AEAD; 2371 } 2372 return MBEDTLS_SSL_MODE_STREAM; 2373} 2374 2375#else /* MBEDTLS_USE_PSA_CRYPTO */ 2376 2377static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode( 2378 mbedtls_cipher_mode_t mode) 2379{ 2380#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 2381 if (mode == MBEDTLS_MODE_CBC) { 2382 return MBEDTLS_SSL_MODE_CBC; 2383 } 2384#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 2385 2386#if defined(MBEDTLS_GCM_C) || \ 2387 defined(MBEDTLS_CCM_C) || \ 2388 defined(MBEDTLS_CHACHAPOLY_C) 2389 if (mode == MBEDTLS_MODE_GCM || 2390 mode == MBEDTLS_MODE_CCM || 2391 mode == MBEDTLS_MODE_CHACHAPOLY) { 2392 return MBEDTLS_SSL_MODE_AEAD; 2393 } 2394#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ 2395 2396 return MBEDTLS_SSL_MODE_STREAM; 2397} 2398#endif /* MBEDTLS_USE_PSA_CRYPTO */ 2399 2400static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode( 2401 mbedtls_ssl_mode_t base_mode, 2402 int encrypt_then_mac) 2403{ 2404#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2405 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && 2406 base_mode == MBEDTLS_SSL_MODE_CBC) { 2407 return MBEDTLS_SSL_MODE_CBC_ETM; 2408 } 2409#else 2410 (void) encrypt_then_mac; 2411#endif 2412 return base_mode; 2413} 2414 2415mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform( 2416 const mbedtls_ssl_transform *transform) 2417{ 2418 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode( 2419#if defined(MBEDTLS_USE_PSA_CRYPTO) 2420 transform->psa_alg 2421#else 2422 mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc) 2423#endif 2424 ); 2425 2426 int encrypt_then_mac = 0; 2427#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2428 encrypt_then_mac = transform->encrypt_then_mac; 2429#endif 2430 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac); 2431} 2432 2433mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2434#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2435 int encrypt_then_mac, 2436#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 2437 const mbedtls_ssl_ciphersuite_t *suite) 2438{ 2439 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM; 2440 2441#if defined(MBEDTLS_USE_PSA_CRYPTO) 2442 psa_status_t status; 2443 psa_algorithm_t alg; 2444 psa_key_type_t type; 2445 size_t size; 2446 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher, 2447 0, &alg, &type, &size); 2448 if (status == PSA_SUCCESS) { 2449 base_mode = mbedtls_ssl_get_base_mode(alg); 2450 } 2451#else 2452 const mbedtls_cipher_info_t *cipher = 2453 mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher); 2454 if (cipher != NULL) { 2455 base_mode = 2456 mbedtls_ssl_get_base_mode( 2457 mbedtls_cipher_info_get_mode(cipher)); 2458 } 2459#endif /* MBEDTLS_USE_PSA_CRYPTO */ 2460 2461#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2462 int encrypt_then_mac = 0; 2463#endif 2464 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac); 2465} 2466 2467#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 2468 2469psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type, 2470 size_t taglen, 2471 psa_algorithm_t *alg, 2472 psa_key_type_t *key_type, 2473 size_t *key_size) 2474{ 2475#if !defined(MBEDTLS_SSL_HAVE_CCM) 2476 (void) taglen; 2477#endif 2478 switch (mbedtls_cipher_type) { 2479#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC) 2480 case MBEDTLS_CIPHER_AES_128_CBC: 2481 *alg = PSA_ALG_CBC_NO_PADDING; 2482 *key_type = PSA_KEY_TYPE_AES; 2483 *key_size = 128; 2484 break; 2485#endif 2486#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) 2487 case MBEDTLS_CIPHER_AES_128_CCM: 2488 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2489 *key_type = PSA_KEY_TYPE_AES; 2490 *key_size = 128; 2491 break; 2492#endif 2493#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) 2494 case MBEDTLS_CIPHER_AES_128_GCM: 2495 *alg = PSA_ALG_GCM; 2496 *key_type = PSA_KEY_TYPE_AES; 2497 *key_size = 128; 2498 break; 2499#endif 2500#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) 2501 case MBEDTLS_CIPHER_AES_192_CCM: 2502 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2503 *key_type = PSA_KEY_TYPE_AES; 2504 *key_size = 192; 2505 break; 2506#endif 2507#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) 2508 case MBEDTLS_CIPHER_AES_192_GCM: 2509 *alg = PSA_ALG_GCM; 2510 *key_type = PSA_KEY_TYPE_AES; 2511 *key_size = 192; 2512 break; 2513#endif 2514#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC) 2515 case MBEDTLS_CIPHER_AES_256_CBC: 2516 *alg = PSA_ALG_CBC_NO_PADDING; 2517 *key_type = PSA_KEY_TYPE_AES; 2518 *key_size = 256; 2519 break; 2520#endif 2521#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) 2522 case MBEDTLS_CIPHER_AES_256_CCM: 2523 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2524 *key_type = PSA_KEY_TYPE_AES; 2525 *key_size = 256; 2526 break; 2527#endif 2528#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) 2529 case MBEDTLS_CIPHER_AES_256_GCM: 2530 *alg = PSA_ALG_GCM; 2531 *key_type = PSA_KEY_TYPE_AES; 2532 *key_size = 256; 2533 break; 2534#endif 2535#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2536 case MBEDTLS_CIPHER_ARIA_128_CBC: 2537 *alg = PSA_ALG_CBC_NO_PADDING; 2538 *key_type = PSA_KEY_TYPE_ARIA; 2539 *key_size = 128; 2540 break; 2541#endif 2542#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2543 case MBEDTLS_CIPHER_ARIA_128_CCM: 2544 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2545 *key_type = PSA_KEY_TYPE_ARIA; 2546 *key_size = 128; 2547 break; 2548#endif 2549#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2550 case MBEDTLS_CIPHER_ARIA_128_GCM: 2551 *alg = PSA_ALG_GCM; 2552 *key_type = PSA_KEY_TYPE_ARIA; 2553 *key_size = 128; 2554 break; 2555#endif 2556#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2557 case MBEDTLS_CIPHER_ARIA_192_CCM: 2558 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2559 *key_type = PSA_KEY_TYPE_ARIA; 2560 *key_size = 192; 2561 break; 2562#endif 2563#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2564 case MBEDTLS_CIPHER_ARIA_192_GCM: 2565 *alg = PSA_ALG_GCM; 2566 *key_type = PSA_KEY_TYPE_ARIA; 2567 *key_size = 192; 2568 break; 2569#endif 2570#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2571 case MBEDTLS_CIPHER_ARIA_256_CBC: 2572 *alg = PSA_ALG_CBC_NO_PADDING; 2573 *key_type = PSA_KEY_TYPE_ARIA; 2574 *key_size = 256; 2575 break; 2576#endif 2577#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2578 case MBEDTLS_CIPHER_ARIA_256_CCM: 2579 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2580 *key_type = PSA_KEY_TYPE_ARIA; 2581 *key_size = 256; 2582 break; 2583#endif 2584#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2585 case MBEDTLS_CIPHER_ARIA_256_GCM: 2586 *alg = PSA_ALG_GCM; 2587 *key_type = PSA_KEY_TYPE_ARIA; 2588 *key_size = 256; 2589 break; 2590#endif 2591#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2592 case MBEDTLS_CIPHER_CAMELLIA_128_CBC: 2593 *alg = PSA_ALG_CBC_NO_PADDING; 2594 *key_type = PSA_KEY_TYPE_CAMELLIA; 2595 *key_size = 128; 2596 break; 2597#endif 2598#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2599 case MBEDTLS_CIPHER_CAMELLIA_128_CCM: 2600 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2601 *key_type = PSA_KEY_TYPE_CAMELLIA; 2602 *key_size = 128; 2603 break; 2604#endif 2605#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2606 case MBEDTLS_CIPHER_CAMELLIA_128_GCM: 2607 *alg = PSA_ALG_GCM; 2608 *key_type = PSA_KEY_TYPE_CAMELLIA; 2609 *key_size = 128; 2610 break; 2611#endif 2612#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2613 case MBEDTLS_CIPHER_CAMELLIA_192_CCM: 2614 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2615 *key_type = PSA_KEY_TYPE_CAMELLIA; 2616 *key_size = 192; 2617 break; 2618#endif 2619#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2620 case MBEDTLS_CIPHER_CAMELLIA_192_GCM: 2621 *alg = PSA_ALG_GCM; 2622 *key_type = PSA_KEY_TYPE_CAMELLIA; 2623 *key_size = 192; 2624 break; 2625#endif 2626#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2627 case MBEDTLS_CIPHER_CAMELLIA_256_CBC: 2628 *alg = PSA_ALG_CBC_NO_PADDING; 2629 *key_type = PSA_KEY_TYPE_CAMELLIA; 2630 *key_size = 256; 2631 break; 2632#endif 2633#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2634 case MBEDTLS_CIPHER_CAMELLIA_256_CCM: 2635 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2636 *key_type = PSA_KEY_TYPE_CAMELLIA; 2637 *key_size = 256; 2638 break; 2639#endif 2640#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2641 case MBEDTLS_CIPHER_CAMELLIA_256_GCM: 2642 *alg = PSA_ALG_GCM; 2643 *key_type = PSA_KEY_TYPE_CAMELLIA; 2644 *key_size = 256; 2645 break; 2646#endif 2647#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) 2648 case MBEDTLS_CIPHER_CHACHA20_POLY1305: 2649 *alg = PSA_ALG_CHACHA20_POLY1305; 2650 *key_type = PSA_KEY_TYPE_CHACHA20; 2651 *key_size = 256; 2652 break; 2653#endif 2654 case MBEDTLS_CIPHER_NULL: 2655 *alg = MBEDTLS_SSL_NULL_CIPHER; 2656 *key_type = 0; 2657 *key_size = 0; 2658 break; 2659 default: 2660 return PSA_ERROR_NOT_SUPPORTED; 2661 } 2662 2663 return PSA_SUCCESS; 2664} 2665#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ 2666 2667#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 2668int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf, 2669 const unsigned char *dhm_P, size_t P_len, 2670 const unsigned char *dhm_G, size_t G_len) 2671{ 2672 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2673 2674 mbedtls_mpi_free(&conf->dhm_P); 2675 mbedtls_mpi_free(&conf->dhm_G); 2676 2677 if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 || 2678 (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) { 2679 mbedtls_mpi_free(&conf->dhm_P); 2680 mbedtls_mpi_free(&conf->dhm_G); 2681 return ret; 2682 } 2683 2684 return 0; 2685} 2686 2687int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx) 2688{ 2689 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2690 2691 mbedtls_mpi_free(&conf->dhm_P); 2692 mbedtls_mpi_free(&conf->dhm_G); 2693 2694 if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P, 2695 &conf->dhm_P)) != 0 || 2696 (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G, 2697 &conf->dhm_G)) != 0) { 2698 mbedtls_mpi_free(&conf->dhm_P); 2699 mbedtls_mpi_free(&conf->dhm_G); 2700 return ret; 2701 } 2702 2703 return 0; 2704} 2705#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */ 2706 2707#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 2708/* 2709 * Set the minimum length for Diffie-Hellman parameters 2710 */ 2711void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf, 2712 unsigned int bitlen) 2713{ 2714 conf->dhm_min_bitlen = bitlen; 2715} 2716#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ 2717 2718#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2719#if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2) 2720/* 2721 * Set allowed/preferred hashes for handshake signatures 2722 */ 2723void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf, 2724 const int *hashes) 2725{ 2726 conf->sig_hashes = hashes; 2727} 2728#endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */ 2729 2730/* Configure allowed signature algorithms for handshake */ 2731void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, 2732 const uint16_t *sig_algs) 2733{ 2734#if !defined(MBEDTLS_DEPRECATED_REMOVED) 2735 conf->sig_hashes = NULL; 2736#endif /* !MBEDTLS_DEPRECATED_REMOVED */ 2737 conf->sig_algs = sig_algs; 2738} 2739#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2740 2741#if defined(MBEDTLS_ECP_C) 2742#if !defined(MBEDTLS_DEPRECATED_REMOVED) 2743/* 2744 * Set the allowed elliptic curves 2745 * 2746 * mbedtls_ssl_setup() takes the provided list 2747 * and translates it to a list of IANA TLS group identifiers, 2748 * stored in ssl->handshake->group_list. 2749 * 2750 */ 2751void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf, 2752 const mbedtls_ecp_group_id *curve_list) 2753{ 2754 conf->curve_list = curve_list; 2755 conf->group_list = NULL; 2756} 2757#endif /* MBEDTLS_DEPRECATED_REMOVED */ 2758#endif /* MBEDTLS_ECP_C */ 2759 2760/* 2761 * Set the allowed groups 2762 */ 2763void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, 2764 const uint16_t *group_list) 2765{ 2766#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 2767 conf->curve_list = NULL; 2768#endif 2769 conf->group_list = group_list; 2770} 2771 2772#if defined(MBEDTLS_X509_CRT_PARSE_C) 2773int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname) 2774{ 2775 /* Initialize to suppress unnecessary compiler warning */ 2776 size_t hostname_len = 0; 2777 2778 /* Check if new hostname is valid before 2779 * making any change to current one */ 2780 if (hostname != NULL) { 2781 hostname_len = strlen(hostname); 2782 2783 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) { 2784 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2785 } 2786 } 2787 2788 /* Now it's clear that we will overwrite the old hostname, 2789 * so we can free it safely */ 2790 2791 if (ssl->hostname != NULL) { 2792 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname)); 2793 } 2794 2795 /* Passing NULL as hostname shall clear the old one */ 2796 2797 if (hostname == NULL) { 2798 ssl->hostname = NULL; 2799 } else { 2800 ssl->hostname = mbedtls_calloc(1, hostname_len + 1); 2801 if (ssl->hostname == NULL) { 2802 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2803 } 2804 2805 memcpy(ssl->hostname, hostname, hostname_len); 2806 2807 ssl->hostname[hostname_len] = '\0'; 2808 } 2809 2810 return 0; 2811} 2812#endif /* MBEDTLS_X509_CRT_PARSE_C */ 2813 2814#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2815void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf, 2816 int (*f_sni)(void *, mbedtls_ssl_context *, 2817 const unsigned char *, size_t), 2818 void *p_sni) 2819{ 2820 conf->f_sni = f_sni; 2821 conf->p_sni = p_sni; 2822} 2823#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 2824 2825#if defined(MBEDTLS_SSL_ALPN) 2826int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos) 2827{ 2828 size_t cur_len, tot_len; 2829 const char **p; 2830 2831 /* 2832 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings 2833 * MUST NOT be truncated." 2834 * We check lengths now rather than later. 2835 */ 2836 tot_len = 0; 2837 for (p = protos; *p != NULL; p++) { 2838 cur_len = strlen(*p); 2839 tot_len += cur_len; 2840 2841 if ((cur_len == 0) || 2842 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) || 2843 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) { 2844 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2845 } 2846 } 2847 2848 conf->alpn_list = protos; 2849 2850 return 0; 2851} 2852 2853const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl) 2854{ 2855 return ssl->alpn_chosen; 2856} 2857#endif /* MBEDTLS_SSL_ALPN */ 2858 2859#if defined(MBEDTLS_SSL_DTLS_SRTP) 2860void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf, 2861 int support_mki_value) 2862{ 2863 conf->dtls_srtp_mki_support = support_mki_value; 2864} 2865 2866int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl, 2867 unsigned char *mki_value, 2868 uint16_t mki_len) 2869{ 2870 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) { 2871 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2872 } 2873 2874 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) { 2875 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2876 } 2877 2878 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len); 2879 ssl->dtls_srtp_info.mki_len = mki_len; 2880 return 0; 2881} 2882 2883int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf, 2884 const mbedtls_ssl_srtp_profile *profiles) 2885{ 2886 const mbedtls_ssl_srtp_profile *p; 2887 size_t list_size = 0; 2888 2889 /* check the profiles list: all entry must be valid, 2890 * its size cannot be more than the total number of supported profiles, currently 4 */ 2891 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET && 2892 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH; 2893 p++) { 2894 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) { 2895 list_size++; 2896 } else { 2897 /* unsupported value, stop parsing and set the size to an error value */ 2898 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1; 2899 } 2900 } 2901 2902 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) { 2903 conf->dtls_srtp_profile_list = NULL; 2904 conf->dtls_srtp_profile_list_len = 0; 2905 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2906 } 2907 2908 conf->dtls_srtp_profile_list = profiles; 2909 conf->dtls_srtp_profile_list_len = list_size; 2910 2911 return 0; 2912} 2913 2914void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl, 2915 mbedtls_dtls_srtp_info *dtls_srtp_info) 2916{ 2917 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile; 2918 /* do not copy the mki value if there is no chosen profile */ 2919 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) { 2920 dtls_srtp_info->mki_len = 0; 2921 } else { 2922 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len; 2923 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value, 2924 ssl->dtls_srtp_info.mki_len); 2925 } 2926} 2927#endif /* MBEDTLS_SSL_DTLS_SRTP */ 2928 2929#if !defined(MBEDTLS_DEPRECATED_REMOVED) 2930void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor) 2931{ 2932 conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor); 2933} 2934 2935void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor) 2936{ 2937 conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor); 2938} 2939#endif /* MBEDTLS_DEPRECATED_REMOVED */ 2940 2941#if defined(MBEDTLS_SSL_SRV_C) 2942void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, 2943 char cert_req_ca_list) 2944{ 2945 conf->cert_req_ca_list = cert_req_ca_list; 2946} 2947#endif 2948 2949#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 2950void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm) 2951{ 2952 conf->encrypt_then_mac = etm; 2953} 2954#endif 2955 2956#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 2957void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems) 2958{ 2959 conf->extended_ms = ems; 2960} 2961#endif 2962 2963#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 2964int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code) 2965{ 2966 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || 2967 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) { 2968 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2969 } 2970 2971 conf->mfl_code = mfl_code; 2972 2973 return 0; 2974} 2975#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 2976 2977void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy) 2978{ 2979 conf->allow_legacy_renegotiation = allow_legacy; 2980} 2981 2982#if defined(MBEDTLS_SSL_RENEGOTIATION) 2983void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation) 2984{ 2985 conf->disable_renegotiation = renegotiation; 2986} 2987 2988void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records) 2989{ 2990 conf->renego_max_records = max_records; 2991} 2992 2993void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf, 2994 const unsigned char period[8]) 2995{ 2996 memcpy(conf->renego_period, period, 8); 2997} 2998#endif /* MBEDTLS_SSL_RENEGOTIATION */ 2999 3000#if defined(MBEDTLS_SSL_SESSION_TICKETS) 3001#if defined(MBEDTLS_SSL_CLI_C) 3002void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets) 3003{ 3004 conf->session_tickets = use_tickets; 3005} 3006#endif 3007 3008#if defined(MBEDTLS_SSL_SRV_C) 3009 3010#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 3011void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf, 3012 uint16_t num_tickets) 3013{ 3014 conf->new_session_tickets_count = num_tickets; 3015} 3016#endif 3017 3018void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf, 3019 mbedtls_ssl_ticket_write_t *f_ticket_write, 3020 mbedtls_ssl_ticket_parse_t *f_ticket_parse, 3021 void *p_ticket) 3022{ 3023 conf->f_ticket_write = f_ticket_write; 3024 conf->f_ticket_parse = f_ticket_parse; 3025 conf->p_ticket = p_ticket; 3026} 3027#endif 3028#endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3029 3030void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl, 3031 mbedtls_ssl_export_keys_t *f_export_keys, 3032 void *p_export_keys) 3033{ 3034 ssl->f_export_keys = f_export_keys; 3035 ssl->p_export_keys = p_export_keys; 3036} 3037 3038#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3039void mbedtls_ssl_conf_async_private_cb( 3040 mbedtls_ssl_config *conf, 3041 mbedtls_ssl_async_sign_t *f_async_sign, 3042 mbedtls_ssl_async_decrypt_t *f_async_decrypt, 3043 mbedtls_ssl_async_resume_t *f_async_resume, 3044 mbedtls_ssl_async_cancel_t *f_async_cancel, 3045 void *async_config_data) 3046{ 3047 conf->f_async_sign_start = f_async_sign; 3048 conf->f_async_decrypt_start = f_async_decrypt; 3049 conf->f_async_resume = f_async_resume; 3050 conf->f_async_cancel = f_async_cancel; 3051 conf->p_async_config_data = async_config_data; 3052} 3053 3054void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf) 3055{ 3056 return conf->p_async_config_data; 3057} 3058 3059void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl) 3060{ 3061 if (ssl->handshake == NULL) { 3062 return NULL; 3063 } else { 3064 return ssl->handshake->user_async_ctx; 3065 } 3066} 3067 3068void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl, 3069 void *ctx) 3070{ 3071 if (ssl->handshake != NULL) { 3072 ssl->handshake->user_async_ctx = ctx; 3073 } 3074} 3075#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3076 3077/* 3078 * SSL get accessors 3079 */ 3080uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl) 3081{ 3082 if (ssl->session != NULL) { 3083 return ssl->session->verify_result; 3084 } 3085 3086 if (ssl->session_negotiate != NULL) { 3087 return ssl->session_negotiate->verify_result; 3088 } 3089 3090 return 0xFFFFFFFF; 3091} 3092 3093int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl) 3094{ 3095 if (ssl == NULL || ssl->session == NULL) { 3096 return 0; 3097 } 3098 3099 return ssl->session->ciphersuite; 3100} 3101 3102const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl) 3103{ 3104 if (ssl == NULL || ssl->session == NULL) { 3105 return NULL; 3106 } 3107 3108 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite); 3109} 3110 3111const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl) 3112{ 3113#if defined(MBEDTLS_SSL_PROTO_DTLS) 3114 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 3115 switch (ssl->tls_version) { 3116 case MBEDTLS_SSL_VERSION_TLS1_2: 3117 return "DTLSv1.2"; 3118 default: 3119 return "unknown (DTLS)"; 3120 } 3121 } 3122#endif 3123 3124 switch (ssl->tls_version) { 3125 case MBEDTLS_SSL_VERSION_TLS1_2: 3126 return "TLSv1.2"; 3127 case MBEDTLS_SSL_VERSION_TLS1_3: 3128 return "TLSv1.3"; 3129 default: 3130 return "unknown"; 3131 } 3132} 3133 3134#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3135 3136size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl) 3137{ 3138 const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN; 3139 size_t record_size_limit = max_len; 3140 3141 if (ssl->session != NULL && 3142 ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN && 3143 ssl->session->record_size_limit < max_len) { 3144 record_size_limit = ssl->session->record_size_limit; 3145 } 3146 3147 // TODO: this is currently untested 3148 /* During a handshake, use the value being negotiated */ 3149 if (ssl->session_negotiate != NULL && 3150 ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN && 3151 ssl->session_negotiate->record_size_limit < max_len) { 3152 record_size_limit = ssl->session_negotiate->record_size_limit; 3153 } 3154 3155 return record_size_limit; 3156} 3157#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 3158 3159#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3160size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl) 3161{ 3162 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN; 3163 size_t read_mfl; 3164 3165#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3166 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */ 3167 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 3168 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) { 3169 return ssl_mfl_code_to_length(ssl->conf->mfl_code); 3170 } 3171#endif 3172 3173 /* Check if a smaller max length was negotiated */ 3174 if (ssl->session_out != NULL) { 3175 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code); 3176 if (read_mfl < max_len) { 3177 max_len = read_mfl; 3178 } 3179 } 3180 3181 /* During a handshake, use the value being negotiated */ 3182 if (ssl->session_negotiate != NULL) { 3183 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code); 3184 if (read_mfl < max_len) { 3185 max_len = read_mfl; 3186 } 3187 } 3188 3189 return max_len; 3190} 3191 3192size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl) 3193{ 3194 size_t max_len; 3195 3196 /* 3197 * Assume mfl_code is correct since it was checked when set 3198 */ 3199 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code); 3200 3201 /* Check if a smaller max length was negotiated */ 3202 if (ssl->session_out != NULL && 3203 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) { 3204 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code); 3205 } 3206 3207 /* During a handshake, use the value being negotiated */ 3208 if (ssl->session_negotiate != NULL && 3209 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) { 3210 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code); 3211 } 3212 3213 return max_len; 3214} 3215#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 3216 3217#if defined(MBEDTLS_SSL_PROTO_DTLS) 3218size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl) 3219{ 3220 /* Return unlimited mtu for client hello messages to avoid fragmentation. */ 3221 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 3222 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO || 3223 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) { 3224 return 0; 3225 } 3226 3227 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) { 3228 return ssl->mtu; 3229 } 3230 3231 if (ssl->mtu == 0) { 3232 return ssl->handshake->mtu; 3233 } 3234 3235 return ssl->mtu < ssl->handshake->mtu ? 3236 ssl->mtu : ssl->handshake->mtu; 3237} 3238#endif /* MBEDTLS_SSL_PROTO_DTLS */ 3239 3240int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl) 3241{ 3242 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN; 3243 3244#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \ 3245 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \ 3246 !defined(MBEDTLS_SSL_PROTO_DTLS) 3247 (void) ssl; 3248#endif 3249 3250#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3251 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl); 3252 3253 if (max_len > mfl) { 3254 max_len = mfl; 3255 } 3256#endif 3257 3258#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3259 const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl); 3260 3261 if (max_len > record_size_limit) { 3262 max_len = record_size_limit; 3263 } 3264#endif 3265 3266 if (ssl->transform_out != NULL && 3267 ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 3268 /* 3269 * In TLS 1.3 case, when records are protected, `max_len` as computed 3270 * above is the maximum length of the TLSInnerPlaintext structure that 3271 * along the plaintext payload contains the inner content type (one byte) 3272 * and some zero padding. Given the algorithm used for padding 3273 * in mbedtls_ssl_encrypt_buf(), compute the maximum length for 3274 * the plaintext payload. Round down to a multiple of 3275 * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and 3276 * subtract 1. 3277 */ 3278 max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) * 3279 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1; 3280 } 3281 3282#if defined(MBEDTLS_SSL_PROTO_DTLS) 3283 if (mbedtls_ssl_get_current_mtu(ssl) != 0) { 3284 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl); 3285 const int ret = mbedtls_ssl_get_record_expansion(ssl); 3286 const size_t overhead = (size_t) ret; 3287 3288 if (ret < 0) { 3289 return ret; 3290 } 3291 3292 if (mtu <= overhead) { 3293 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion")); 3294 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3295 } 3296 3297 if (max_len > mtu - overhead) { 3298 max_len = mtu - overhead; 3299 } 3300 } 3301#endif /* MBEDTLS_SSL_PROTO_DTLS */ 3302 3303#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \ 3304 !defined(MBEDTLS_SSL_PROTO_DTLS) && \ 3305 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3306 ((void) ssl); 3307#endif 3308 3309 return (int) max_len; 3310} 3311 3312int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl) 3313{ 3314 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN; 3315 3316#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3317 (void) ssl; 3318#endif 3319 3320#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3321 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl); 3322 3323 if (max_len > mfl) { 3324 max_len = mfl; 3325 } 3326#endif 3327 3328 return (int) max_len; 3329} 3330 3331#if defined(MBEDTLS_X509_CRT_PARSE_C) 3332const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl) 3333{ 3334 if (ssl == NULL || ssl->session == NULL) { 3335 return NULL; 3336 } 3337 3338#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3339 return ssl->session->peer_cert; 3340#else 3341 return NULL; 3342#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3343} 3344#endif /* MBEDTLS_X509_CRT_PARSE_C */ 3345 3346#if defined(MBEDTLS_SSL_CLI_C) 3347int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, 3348 mbedtls_ssl_session *dst) 3349{ 3350 int ret; 3351 3352 if (ssl == NULL || 3353 dst == NULL || 3354 ssl->session == NULL || 3355 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) { 3356 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3357 } 3358 3359 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer 3360 * idempotent: Each session can only be exported once. 3361 * 3362 * (This is in preparation for TLS 1.3 support where we will 3363 * need the ability to export multiple sessions (aka tickets), 3364 * which will be achieved by calling mbedtls_ssl_get_session() 3365 * multiple times until it fails.) 3366 * 3367 * Check whether we have already exported the current session, 3368 * and fail if so. 3369 */ 3370 if (ssl->session->exported == 1) { 3371 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3372 } 3373 3374 ret = mbedtls_ssl_session_copy(dst, ssl->session); 3375 if (ret != 0) { 3376 return ret; 3377 } 3378 3379 /* Remember that we've exported the session. */ 3380 ssl->session->exported = 1; 3381 return 0; 3382} 3383#endif /* MBEDTLS_SSL_CLI_C */ 3384 3385#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3386 3387/* Serialization of TLS 1.2 sessions 3388 * 3389 * For more detail, see the description of ssl_session_save(). 3390 */ 3391static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, 3392 unsigned char *buf, 3393 size_t buf_len) 3394{ 3395 unsigned char *p = buf; 3396 size_t used = 0; 3397 3398#if defined(MBEDTLS_HAVE_TIME) 3399 uint64_t start; 3400#endif 3401#if defined(MBEDTLS_X509_CRT_PARSE_C) 3402#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3403 size_t cert_len; 3404#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3405#endif /* MBEDTLS_X509_CRT_PARSE_C */ 3406 3407 /* 3408 * Time 3409 */ 3410#if defined(MBEDTLS_HAVE_TIME) 3411 used += 8; 3412 3413 if (used <= buf_len) { 3414 start = (uint64_t) session->start; 3415 3416 MBEDTLS_PUT_UINT64_BE(start, p, 0); 3417 p += 8; 3418 } 3419#endif /* MBEDTLS_HAVE_TIME */ 3420 3421 /* 3422 * Basic mandatory fields 3423 */ 3424 used += 1 /* id_len */ 3425 + sizeof(session->id) 3426 + sizeof(session->master) 3427 + 4; /* verify_result */ 3428 3429 if (used <= buf_len) { 3430 *p++ = MBEDTLS_BYTE_0(session->id_len); 3431 memcpy(p, session->id, 32); 3432 p += 32; 3433 3434 memcpy(p, session->master, 48); 3435 p += 48; 3436 3437 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0); 3438 p += 4; 3439 } 3440 3441 /* 3442 * Peer's end-entity certificate 3443 */ 3444#if defined(MBEDTLS_X509_CRT_PARSE_C) 3445#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3446 if (session->peer_cert == NULL) { 3447 cert_len = 0; 3448 } else { 3449 cert_len = session->peer_cert->raw.len; 3450 } 3451 3452 used += 3 + cert_len; 3453 3454 if (used <= buf_len) { 3455 *p++ = MBEDTLS_BYTE_2(cert_len); 3456 *p++ = MBEDTLS_BYTE_1(cert_len); 3457 *p++ = MBEDTLS_BYTE_0(cert_len); 3458 3459 if (session->peer_cert != NULL) { 3460 memcpy(p, session->peer_cert->raw.p, cert_len); 3461 p += cert_len; 3462 } 3463 } 3464#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3465 if (session->peer_cert_digest != NULL) { 3466 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len; 3467 if (used <= buf_len) { 3468 *p++ = (unsigned char) session->peer_cert_digest_type; 3469 *p++ = (unsigned char) session->peer_cert_digest_len; 3470 memcpy(p, session->peer_cert_digest, 3471 session->peer_cert_digest_len); 3472 p += session->peer_cert_digest_len; 3473 } 3474 } else { 3475 used += 2; 3476 if (used <= buf_len) { 3477 *p++ = (unsigned char) MBEDTLS_MD_NONE; 3478 *p++ = 0; 3479 } 3480 } 3481#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3482#endif /* MBEDTLS_X509_CRT_PARSE_C */ 3483 3484 /* 3485 * Session ticket if any, plus associated data 3486 */ 3487#if defined(MBEDTLS_SSL_SESSION_TICKETS) 3488#if defined(MBEDTLS_SSL_CLI_C) 3489 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3490 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */ 3491 3492 if (used <= buf_len) { 3493 *p++ = MBEDTLS_BYTE_2(session->ticket_len); 3494 *p++ = MBEDTLS_BYTE_1(session->ticket_len); 3495 *p++ = MBEDTLS_BYTE_0(session->ticket_len); 3496 3497 if (session->ticket != NULL) { 3498 memcpy(p, session->ticket, session->ticket_len); 3499 p += session->ticket_len; 3500 } 3501 3502 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); 3503 p += 4; 3504 } 3505 } 3506#endif /* MBEDTLS_SSL_CLI_C */ 3507#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) 3508 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3509 used += 8; 3510 3511 if (used <= buf_len) { 3512 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); 3513 p += 8; 3514 } 3515 } 3516#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ 3517#endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3518 3519 /* 3520 * Misc extension-related info 3521 */ 3522#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3523 used += 1; 3524 3525 if (used <= buf_len) { 3526 *p++ = session->mfl_code; 3527 } 3528#endif 3529 3530#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 3531 used += 1; 3532 3533 if (used <= buf_len) { 3534 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac); 3535 } 3536#endif 3537 3538 return used; 3539} 3540 3541MBEDTLS_CHECK_RETURN_CRITICAL 3542static int ssl_tls12_session_load(mbedtls_ssl_session *session, 3543 const unsigned char *buf, 3544 size_t len) 3545{ 3546#if defined(MBEDTLS_HAVE_TIME) 3547 uint64_t start; 3548#endif 3549#if defined(MBEDTLS_X509_CRT_PARSE_C) 3550#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3551 size_t cert_len; 3552#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3553#endif /* MBEDTLS_X509_CRT_PARSE_C */ 3554 3555 const unsigned char *p = buf; 3556 const unsigned char * const end = buf + len; 3557 3558 /* 3559 * Time 3560 */ 3561#if defined(MBEDTLS_HAVE_TIME) 3562 if (8 > (size_t) (end - p)) { 3563 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3564 } 3565 3566 start = MBEDTLS_GET_UINT64_BE(p, 0); 3567 p += 8; 3568 3569 session->start = (time_t) start; 3570#endif /* MBEDTLS_HAVE_TIME */ 3571 3572 /* 3573 * Basic mandatory fields 3574 */ 3575 if (1 + 32 + 48 + 4 > (size_t) (end - p)) { 3576 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3577 } 3578 3579 session->id_len = *p++; 3580 memcpy(session->id, p, 32); 3581 p += 32; 3582 3583 memcpy(session->master, p, 48); 3584 p += 48; 3585 3586 session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0); 3587 p += 4; 3588 3589 /* Immediately clear invalid pointer values that have been read, in case 3590 * we exit early before we replaced them with valid ones. */ 3591#if defined(MBEDTLS_X509_CRT_PARSE_C) 3592#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3593 session->peer_cert = NULL; 3594#else 3595 session->peer_cert_digest = NULL; 3596#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3597#endif /* MBEDTLS_X509_CRT_PARSE_C */ 3598#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 3599 session->ticket = NULL; 3600#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 3601 3602 /* 3603 * Peer certificate 3604 */ 3605#if defined(MBEDTLS_X509_CRT_PARSE_C) 3606#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3607 /* Deserialize CRT from the end of the ticket. */ 3608 if (3 > (size_t) (end - p)) { 3609 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3610 } 3611 3612 cert_len = MBEDTLS_GET_UINT24_BE(p, 0); 3613 p += 3; 3614 3615 if (cert_len != 0) { 3616 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3617 3618 if (cert_len > (size_t) (end - p)) { 3619 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3620 } 3621 3622 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 3623 3624 if (session->peer_cert == NULL) { 3625 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3626 } 3627 3628 mbedtls_x509_crt_init(session->peer_cert); 3629 3630 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert, 3631 p, cert_len)) != 0) { 3632 mbedtls_x509_crt_free(session->peer_cert); 3633 mbedtls_free(session->peer_cert); 3634 session->peer_cert = NULL; 3635 return ret; 3636 } 3637 3638 p += cert_len; 3639 } 3640#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3641 /* Deserialize CRT digest from the end of the ticket. */ 3642 if (2 > (size_t) (end - p)) { 3643 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3644 } 3645 3646 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++; 3647 session->peer_cert_digest_len = (size_t) *p++; 3648 3649 if (session->peer_cert_digest_len != 0) { 3650 const mbedtls_md_info_t *md_info = 3651 mbedtls_md_info_from_type(session->peer_cert_digest_type); 3652 if (md_info == NULL) { 3653 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3654 } 3655 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) { 3656 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3657 } 3658 3659 if (session->peer_cert_digest_len > (size_t) (end - p)) { 3660 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3661 } 3662 3663 session->peer_cert_digest = 3664 mbedtls_calloc(1, session->peer_cert_digest_len); 3665 if (session->peer_cert_digest == NULL) { 3666 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3667 } 3668 3669 memcpy(session->peer_cert_digest, p, 3670 session->peer_cert_digest_len); 3671 p += session->peer_cert_digest_len; 3672 } 3673#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3674#endif /* MBEDTLS_X509_CRT_PARSE_C */ 3675 3676 /* 3677 * Session ticket and associated data 3678 */ 3679#if defined(MBEDTLS_SSL_SESSION_TICKETS) 3680#if defined(MBEDTLS_SSL_CLI_C) 3681 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3682 if (3 > (size_t) (end - p)) { 3683 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3684 } 3685 3686 session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0); 3687 p += 3; 3688 3689 if (session->ticket_len != 0) { 3690 if (session->ticket_len > (size_t) (end - p)) { 3691 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3692 } 3693 3694 session->ticket = mbedtls_calloc(1, session->ticket_len); 3695 if (session->ticket == NULL) { 3696 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3697 } 3698 3699 memcpy(session->ticket, p, session->ticket_len); 3700 p += session->ticket_len; 3701 } 3702 3703 if (4 > (size_t) (end - p)) { 3704 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3705 } 3706 3707 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); 3708 p += 4; 3709 } 3710#endif /* MBEDTLS_SSL_CLI_C */ 3711#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) 3712 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3713 if (8 > (size_t) (end - p)) { 3714 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3715 } 3716 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); 3717 p += 8; 3718 } 3719#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ 3720#endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3721 3722 /* 3723 * Misc extension-related info 3724 */ 3725#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3726 if (1 > (size_t) (end - p)) { 3727 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3728 } 3729 3730 session->mfl_code = *p++; 3731#endif 3732 3733#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 3734 if (1 > (size_t) (end - p)) { 3735 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3736 } 3737 3738 session->encrypt_then_mac = *p++; 3739#endif 3740 3741 /* Done, should have consumed entire buffer */ 3742 if (p != end) { 3743 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3744 } 3745 3746 return 0; 3747} 3748 3749#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3750 3751#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3752/* Serialization of TLS 1.3 sessions: 3753 * 3754 * For more detail, see the description of ssl_session_save(). 3755 */ 3756#if defined(MBEDTLS_SSL_SESSION_TICKETS) 3757MBEDTLS_CHECK_RETURN_CRITICAL 3758static int ssl_tls13_session_save(const mbedtls_ssl_session *session, 3759 unsigned char *buf, 3760 size_t buf_len, 3761 size_t *olen) 3762{ 3763 unsigned char *p = buf; 3764#if defined(MBEDTLS_SSL_CLI_C) && \ 3765 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3766 size_t hostname_len = (session->hostname == NULL) ? 3767 0 : strlen(session->hostname) + 1; 3768#endif 3769 3770#if defined(MBEDTLS_SSL_SRV_C) && \ 3771 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 3772 const size_t alpn_len = (session->ticket_alpn == NULL) ? 3773 0 : strlen(session->ticket_alpn) + 1; 3774#endif 3775 size_t needed = 4 /* ticket_age_add */ 3776 + 1 /* ticket_flags */ 3777 + 1; /* resumption_key length */ 3778 3779 *olen = 0; 3780 3781 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) { 3782 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3783 } 3784 needed += session->resumption_key_len; /* resumption_key */ 3785 3786#if defined(MBEDTLS_SSL_EARLY_DATA) 3787 needed += 4; /* max_early_data_size */ 3788#endif 3789#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3790 needed += 2; /* record_size_limit */ 3791#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 3792 3793#if defined(MBEDTLS_HAVE_TIME) 3794 needed += 8; /* ticket_creation_time or ticket_reception_time */ 3795#endif 3796 3797#if defined(MBEDTLS_SSL_SRV_C) 3798 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3799#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 3800 needed += 2 /* alpn_len */ 3801 + alpn_len; /* alpn */ 3802#endif 3803 } 3804#endif /* MBEDTLS_SSL_SRV_C */ 3805 3806#if defined(MBEDTLS_SSL_CLI_C) 3807 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3808#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3809 needed += 2 /* hostname_len */ 3810 + hostname_len; /* hostname */ 3811#endif 3812 3813 needed += 4 /* ticket_lifetime */ 3814 + 2; /* ticket_len */ 3815 3816 /* Check size_t overflow */ 3817 if (session->ticket_len > SIZE_MAX - needed) { 3818 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3819 } 3820 3821 needed += session->ticket_len; /* ticket */ 3822 } 3823#endif /* MBEDTLS_SSL_CLI_C */ 3824 3825 *olen = needed; 3826 if (needed > buf_len) { 3827 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 3828 } 3829 3830 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0); 3831 p[4] = session->ticket_flags; 3832 3833 /* save resumption_key */ 3834 p[5] = session->resumption_key_len; 3835 p += 6; 3836 memcpy(p, session->resumption_key, session->resumption_key_len); 3837 p += session->resumption_key_len; 3838 3839#if defined(MBEDTLS_SSL_EARLY_DATA) 3840 MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0); 3841 p += 4; 3842#endif 3843#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3844 MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0); 3845 p += 2; 3846#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 3847 3848#if defined(MBEDTLS_SSL_SRV_C) 3849 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3850#if defined(MBEDTLS_HAVE_TIME) 3851 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); 3852 p += 8; 3853#endif /* MBEDTLS_HAVE_TIME */ 3854 3855#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 3856 MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0); 3857 p += 2; 3858 3859 if (alpn_len > 0) { 3860 /* save chosen alpn */ 3861 memcpy(p, session->ticket_alpn, alpn_len); 3862 p += alpn_len; 3863 } 3864#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */ 3865 } 3866#endif /* MBEDTLS_SSL_SRV_C */ 3867 3868#if defined(MBEDTLS_SSL_CLI_C) 3869 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3870#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3871 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0); 3872 p += 2; 3873 if (hostname_len > 0) { 3874 /* save host name */ 3875 memcpy(p, session->hostname, hostname_len); 3876 p += hostname_len; 3877 } 3878#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 3879 3880#if defined(MBEDTLS_HAVE_TIME) 3881 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0); 3882 p += 8; 3883#endif 3884 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); 3885 p += 4; 3886 3887 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0); 3888 p += 2; 3889 3890 if (session->ticket != NULL && session->ticket_len > 0) { 3891 memcpy(p, session->ticket, session->ticket_len); 3892 p += session->ticket_len; 3893 } 3894 } 3895#endif /* MBEDTLS_SSL_CLI_C */ 3896 return 0; 3897} 3898 3899MBEDTLS_CHECK_RETURN_CRITICAL 3900static int ssl_tls13_session_load(mbedtls_ssl_session *session, 3901 const unsigned char *buf, 3902 size_t len) 3903{ 3904 const unsigned char *p = buf; 3905 const unsigned char *end = buf + len; 3906 3907 if (end - p < 6) { 3908 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3909 } 3910 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0); 3911 session->ticket_flags = p[4]; 3912 3913 /* load resumption_key */ 3914 session->resumption_key_len = p[5]; 3915 p += 6; 3916 3917 if (end - p < session->resumption_key_len) { 3918 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3919 } 3920 3921 if (sizeof(session->resumption_key) < session->resumption_key_len) { 3922 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3923 } 3924 memcpy(session->resumption_key, p, session->resumption_key_len); 3925 p += session->resumption_key_len; 3926 3927#if defined(MBEDTLS_SSL_EARLY_DATA) 3928 if (end - p < 4) { 3929 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3930 } 3931 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0); 3932 p += 4; 3933#endif 3934#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3935 if (end - p < 2) { 3936 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3937 } 3938 session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0); 3939 p += 2; 3940#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 3941 3942#if defined(MBEDTLS_SSL_SRV_C) 3943 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3944#if defined(MBEDTLS_HAVE_TIME) 3945 if (end - p < 8) { 3946 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3947 } 3948 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); 3949 p += 8; 3950#endif /* MBEDTLS_HAVE_TIME */ 3951 3952#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 3953 size_t alpn_len; 3954 3955 if (end - p < 2) { 3956 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3957 } 3958 3959 alpn_len = MBEDTLS_GET_UINT16_BE(p, 0); 3960 p += 2; 3961 3962 if (end - p < (long int) alpn_len) { 3963 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3964 } 3965 3966 if (alpn_len > 0) { 3967 int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p); 3968 if (ret != 0) { 3969 return ret; 3970 } 3971 p += alpn_len; 3972 } 3973#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */ 3974 } 3975#endif /* MBEDTLS_SSL_SRV_C */ 3976 3977#if defined(MBEDTLS_SSL_CLI_C) 3978 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3979#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3980 size_t hostname_len; 3981 /* load host name */ 3982 if (end - p < 2) { 3983 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3984 } 3985 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0); 3986 p += 2; 3987 3988 if (end - p < (long int) hostname_len) { 3989 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3990 } 3991 if (hostname_len > 0) { 3992 session->hostname = mbedtls_calloc(1, hostname_len); 3993 if (session->hostname == NULL) { 3994 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3995 } 3996 memcpy(session->hostname, p, hostname_len); 3997 p += hostname_len; 3998 } 3999#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 4000 4001#if defined(MBEDTLS_HAVE_TIME) 4002 if (end - p < 8) { 4003 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4004 } 4005 session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0); 4006 p += 8; 4007#endif 4008 if (end - p < 4) { 4009 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4010 } 4011 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); 4012 p += 4; 4013 4014 if (end - p < 2) { 4015 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4016 } 4017 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0); 4018 p += 2; 4019 4020 if (end - p < (long int) session->ticket_len) { 4021 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4022 } 4023 if (session->ticket_len > 0) { 4024 session->ticket = mbedtls_calloc(1, session->ticket_len); 4025 if (session->ticket == NULL) { 4026 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 4027 } 4028 memcpy(session->ticket, p, session->ticket_len); 4029 p += session->ticket_len; 4030 } 4031 } 4032#endif /* MBEDTLS_SSL_CLI_C */ 4033 4034 return 0; 4035 4036} 4037#else /* MBEDTLS_SSL_SESSION_TICKETS */ 4038MBEDTLS_CHECK_RETURN_CRITICAL 4039static int ssl_tls13_session_save(const mbedtls_ssl_session *session, 4040 unsigned char *buf, 4041 size_t buf_len, 4042 size_t *olen) 4043{ 4044 ((void) session); 4045 ((void) buf); 4046 ((void) buf_len); 4047 *olen = 0; 4048 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4049} 4050 4051static int ssl_tls13_session_load(const mbedtls_ssl_session *session, 4052 unsigned char *buf, 4053 size_t buf_len) 4054{ 4055 ((void) session); 4056 ((void) buf); 4057 ((void) buf_len); 4058 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4059} 4060#endif /* !MBEDTLS_SSL_SESSION_TICKETS */ 4061#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4062 4063/* 4064 * Define ticket header determining Mbed TLS version 4065 * and structure of the ticket. 4066 */ 4067 4068/* 4069 * Define bitflag determining compile-time settings influencing 4070 * structure of serialized SSL sessions. 4071 */ 4072 4073#if defined(MBEDTLS_HAVE_TIME) 4074#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1 4075#else 4076#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0 4077#endif /* MBEDTLS_HAVE_TIME */ 4078 4079#if defined(MBEDTLS_X509_CRT_PARSE_C) 4080#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1 4081#else 4082#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0 4083#endif /* MBEDTLS_X509_CRT_PARSE_C */ 4084 4085#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 4086#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1 4087#else 4088#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0 4089#endif /* MBEDTLS_SSL_SESSION_TICKETS */ 4090 4091#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) 4092#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1 4093#else 4094#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0 4095#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */ 4096 4097#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 4098#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1 4099#else 4100#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0 4101#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 4102 4103#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 4104#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1 4105#else 4106#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0 4107#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 4108 4109#if defined(MBEDTLS_SSL_SESSION_TICKETS) 4110#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1 4111#else 4112#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0 4113#endif /* MBEDTLS_SSL_SESSION_TICKETS */ 4114 4115#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4116#define SSL_SERIALIZED_SESSION_CONFIG_SNI 1 4117#else 4118#define SSL_SERIALIZED_SESSION_CONFIG_SNI 0 4119#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 4120 4121#if defined(MBEDTLS_SSL_EARLY_DATA) 4122#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1 4123#else 4124#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0 4125#endif /* MBEDTLS_SSL_EARLY_DATA */ 4126 4127#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 4128#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1 4129#else 4130#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0 4131#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 4132 4133#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \ 4134 defined(MBEDTLS_SSL_EARLY_DATA) 4135#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1 4136#else 4137#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0 4138#endif /* MBEDTLS_SSL_ALPN */ 4139 4140#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0 4141#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1 4142#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2 4143#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3 4144#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4 4145#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5 4146#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6 4147#define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7 4148#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8 4149#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9 4150#define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10 4151 4152#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ 4153 ((uint16_t) ( \ 4154 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \ 4155 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \ 4156 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \ 4157 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \ 4158 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \ 4159 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ 4160 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \ 4161 (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \ 4162 SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \ 4163 (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \ 4164 (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \ 4165 SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \ 4166 (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \ 4167 SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \ 4168 (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \ 4169 SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT))) 4170 4171static const unsigned char ssl_serialized_session_header[] = { 4172 MBEDTLS_VERSION_MAJOR, 4173 MBEDTLS_VERSION_MINOR, 4174 MBEDTLS_VERSION_PATCH, 4175 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4176 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4177}; 4178 4179/* 4180 * Serialize a session in the following format: 4181 * (in the presentation language of TLS, RFC 8446 section 3) 4182 * 4183 * TLS 1.2 session: 4184 * 4185 * struct { 4186 * #if defined(MBEDTLS_SSL_SESSION_TICKETS) 4187 * opaque ticket<0..2^24-1>; // length 0 means no ticket 4188 * uint32 ticket_lifetime; 4189 * #endif 4190 * } ClientOnlyData; 4191 * 4192 * struct { 4193 * #if defined(MBEDTLS_HAVE_TIME) 4194 * uint64 start_time; 4195 * #endif 4196 * uint8 session_id_len; // at most 32 4197 * opaque session_id[32]; 4198 * opaque master[48]; // fixed length in the standard 4199 * uint32 verify_result; 4200 * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 4201 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert 4202 * #else 4203 * uint8 peer_cert_digest_type; 4204 * opaque peer_cert_digest<0..2^8-1> 4205 * #endif 4206 * select (endpoint) { 4207 * case client: ClientOnlyData; 4208 * case server: uint64 ticket_creation_time; 4209 * }; 4210 * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 4211 * uint8 mfl_code; // up to 255 according to standard 4212 * #endif 4213 * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 4214 * uint8 encrypt_then_mac; // 0 or 1 4215 * #endif 4216 * } serialized_session_tls12; 4217 * 4218 * 4219 * TLS 1.3 Session: 4220 * 4221 * struct { 4222 * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4223 * opaque hostname<0..2^16-1>; 4224 * #endif 4225 * #if defined(MBEDTLS_HAVE_TIME) 4226 * uint64 ticket_reception_time; 4227 * #endif 4228 * uint32 ticket_lifetime; 4229 * opaque ticket<1..2^16-1>; 4230 * } ClientOnlyData; 4231 * 4232 * struct { 4233 * uint32 ticket_age_add; 4234 * uint8 ticket_flags; 4235 * opaque resumption_key<0..255>; 4236 * #if defined(MBEDTLS_SSL_EARLY_DATA) 4237 * uint32 max_early_data_size; 4238 * #endif 4239 * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 4240 * uint16 record_size_limit; 4241 * #endif 4242 * select ( endpoint ) { 4243 * case client: ClientOnlyData; 4244 * case server: 4245 * #if defined(MBEDTLS_HAVE_TIME) 4246 * uint64 ticket_creation_time; 4247 * #endif 4248 * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 4249 * opaque ticket_alpn<0..256>; 4250 * #endif 4251 * }; 4252 * } serialized_session_tls13; 4253 * 4254 * 4255 * SSL session: 4256 * 4257 * struct { 4258 * 4259 * opaque mbedtls_version[3]; // library version: major, minor, patch 4260 * opaque session_format[2]; // library-version specific 16-bit field 4261 * // determining the format of the remaining 4262 * // serialized data. 4263 * 4264 * Note: When updating the format, remember to keep 4265 * these version+format bytes. 4266 * 4267 * // In this version, `session_format` determines 4268 * // the setting of those compile-time 4269 * // configuration options which influence 4270 * // the structure of mbedtls_ssl_session. 4271 * 4272 * uint8_t minor_ver; // Protocol minor version. Possible values: 4273 * // - TLS 1.2 (0x0303) 4274 * // - TLS 1.3 (0x0304) 4275 * uint8_t endpoint; 4276 * uint16_t ciphersuite; 4277 * 4278 * select (serialized_session.tls_version) { 4279 * 4280 * case MBEDTLS_SSL_VERSION_TLS1_2: 4281 * serialized_session_tls12 data; 4282 * case MBEDTLS_SSL_VERSION_TLS1_3: 4283 * serialized_session_tls13 data; 4284 * 4285 * }; 4286 * 4287 * } serialized_session; 4288 * 4289 */ 4290 4291MBEDTLS_CHECK_RETURN_CRITICAL 4292static int ssl_session_save(const mbedtls_ssl_session *session, 4293 unsigned char omit_header, 4294 unsigned char *buf, 4295 size_t buf_len, 4296 size_t *olen) 4297{ 4298 unsigned char *p = buf; 4299 size_t used = 0; 4300 size_t remaining_len; 4301#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4302 size_t out_len; 4303 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4304#endif 4305 if (session == NULL) { 4306 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 4307 } 4308 4309 if (!omit_header) { 4310 /* 4311 * Add Mbed TLS version identifier 4312 */ 4313 used += sizeof(ssl_serialized_session_header); 4314 4315 if (used <= buf_len) { 4316 memcpy(p, ssl_serialized_session_header, 4317 sizeof(ssl_serialized_session_header)); 4318 p += sizeof(ssl_serialized_session_header); 4319 } 4320 } 4321 4322 /* 4323 * TLS version identifier, endpoint, ciphersuite 4324 */ 4325 used += 1 /* TLS version */ 4326 + 1 /* endpoint */ 4327 + 2; /* ciphersuite */ 4328 if (used <= buf_len) { 4329 *p++ = MBEDTLS_BYTE_0(session->tls_version); 4330 *p++ = session->endpoint; 4331 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0); 4332 p += 2; 4333 } 4334 4335 /* Forward to version-specific serialization routine. */ 4336 remaining_len = (buf_len >= used) ? buf_len - used : 0; 4337 switch (session->tls_version) { 4338#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 4339 case MBEDTLS_SSL_VERSION_TLS1_2: 4340 used += ssl_tls12_session_save(session, p, remaining_len); 4341 break; 4342#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 4343 4344#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4345 case MBEDTLS_SSL_VERSION_TLS1_3: 4346 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len); 4347 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { 4348 return ret; 4349 } 4350 used += out_len; 4351 break; 4352#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4353 4354 default: 4355 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4356 } 4357 4358 *olen = used; 4359 if (used > buf_len) { 4360 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 4361 } 4362 4363 return 0; 4364} 4365 4366/* 4367 * Public wrapper for ssl_session_save() 4368 */ 4369int mbedtls_ssl_session_save(const mbedtls_ssl_session *session, 4370 unsigned char *buf, 4371 size_t buf_len, 4372 size_t *olen) 4373{ 4374 return ssl_session_save(session, 0, buf, buf_len, olen); 4375} 4376 4377/* 4378 * Deserialize session, see mbedtls_ssl_session_save() for format. 4379 * 4380 * This internal version is wrapped by a public function that cleans up in 4381 * case of error, and has an extra option omit_header. 4382 */ 4383MBEDTLS_CHECK_RETURN_CRITICAL 4384static int ssl_session_load(mbedtls_ssl_session *session, 4385 unsigned char omit_header, 4386 const unsigned char *buf, 4387 size_t len) 4388{ 4389 const unsigned char *p = buf; 4390 const unsigned char * const end = buf + len; 4391 size_t remaining_len; 4392 4393 4394 if (session == NULL) { 4395 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 4396 } 4397 4398 if (!omit_header) { 4399 /* 4400 * Check Mbed TLS version identifier 4401 */ 4402 4403 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) { 4404 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4405 } 4406 4407 if (memcmp(p, ssl_serialized_session_header, 4408 sizeof(ssl_serialized_session_header)) != 0) { 4409 return MBEDTLS_ERR_SSL_VERSION_MISMATCH; 4410 } 4411 p += sizeof(ssl_serialized_session_header); 4412 } 4413 4414 /* 4415 * TLS version identifier, endpoint, ciphersuite 4416 */ 4417 if (4 > (size_t) (end - p)) { 4418 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4419 } 4420 session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++); 4421 session->endpoint = *p++; 4422 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0); 4423 p += 2; 4424 4425 /* Dispatch according to TLS version. */ 4426 remaining_len = (size_t) (end - p); 4427 switch (session->tls_version) { 4428#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 4429 case MBEDTLS_SSL_VERSION_TLS1_2: 4430 return ssl_tls12_session_load(session, p, remaining_len); 4431#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 4432 4433#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4434 case MBEDTLS_SSL_VERSION_TLS1_3: 4435 return ssl_tls13_session_load(session, p, remaining_len); 4436#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4437 4438 default: 4439 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4440 } 4441} 4442 4443/* 4444 * Deserialize session: public wrapper for error cleaning 4445 */ 4446int mbedtls_ssl_session_load(mbedtls_ssl_session *session, 4447 const unsigned char *buf, 4448 size_t len) 4449{ 4450 int ret = ssl_session_load(session, 0, buf, len); 4451 4452 if (ret != 0) { 4453 mbedtls_ssl_session_free(session); 4454 } 4455 4456 return ret; 4457} 4458 4459/* 4460 * Perform a single step of the SSL handshake 4461 */ 4462MBEDTLS_CHECK_RETURN_CRITICAL 4463static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl) 4464{ 4465 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4466 4467 /* 4468 * We may have not been able to send to the peer all the handshake data 4469 * that were written into the output buffer by the previous handshake step, 4470 * if the write to the network callback returned with the 4471 * #MBEDTLS_ERR_SSL_WANT_WRITE error code. 4472 * We proceed to the next handshake step only when all data from the 4473 * previous one have been sent to the peer, thus we make sure that this is 4474 * the case here by calling `mbedtls_ssl_flush_output()`. The function may 4475 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case 4476 * we have to wait before to go ahead. 4477 * In the case of TLS 1.3, handshake step handlers do not send data to the 4478 * peer. Data are only sent here and through 4479 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an 4480 * alert occurred. 4481 */ 4482 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) { 4483 return ret; 4484 } 4485 4486#if defined(MBEDTLS_SSL_PROTO_DTLS) 4487 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4488 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) { 4489 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 4490 return ret; 4491 } 4492 } 4493#endif /* MBEDTLS_SSL_PROTO_DTLS */ 4494 4495 return ret; 4496} 4497 4498int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl) 4499{ 4500 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4501 4502 if (ssl == NULL || 4503 ssl->conf == NULL || 4504 ssl->handshake == NULL || 4505 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) { 4506 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4507 } 4508 4509 ret = ssl_prepare_handshake_step(ssl); 4510 if (ret != 0) { 4511 return ret; 4512 } 4513 4514 ret = mbedtls_ssl_handle_pending_alert(ssl); 4515 if (ret != 0) { 4516 goto cleanup; 4517 } 4518 4519 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or 4520 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */ 4521 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4522 4523#if defined(MBEDTLS_SSL_CLI_C) 4524 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 4525 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s", 4526 mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state))); 4527 4528 switch (ssl->state) { 4529 case MBEDTLS_SSL_HELLO_REQUEST: 4530 ssl->state = MBEDTLS_SSL_CLIENT_HELLO; 4531 ret = 0; 4532 break; 4533 4534 case MBEDTLS_SSL_CLIENT_HELLO: 4535 ret = mbedtls_ssl_write_client_hello(ssl); 4536 break; 4537 4538 default: 4539#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 4540 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 4541 ret = mbedtls_ssl_tls13_handshake_client_step(ssl); 4542 } else { 4543 ret = mbedtls_ssl_handshake_client_step(ssl); 4544 } 4545#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) 4546 ret = mbedtls_ssl_handshake_client_step(ssl); 4547#else 4548 ret = mbedtls_ssl_tls13_handshake_client_step(ssl); 4549#endif 4550 } 4551 } 4552#endif /* MBEDTLS_SSL_CLI_C */ 4553 4554#if defined(MBEDTLS_SSL_SRV_C) 4555 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 4556#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 4557 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 4558 ret = mbedtls_ssl_tls13_handshake_server_step(ssl); 4559 } else { 4560 ret = mbedtls_ssl_handshake_server_step(ssl); 4561 } 4562#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) 4563 ret = mbedtls_ssl_handshake_server_step(ssl); 4564#else 4565 ret = mbedtls_ssl_tls13_handshake_server_step(ssl); 4566#endif 4567 } 4568#endif /* MBEDTLS_SSL_SRV_C */ 4569 4570 if (ret != 0) { 4571 /* handshake_step return error. And it is same 4572 * with alert_reason. 4573 */ 4574 if (ssl->send_alert) { 4575 ret = mbedtls_ssl_handle_pending_alert(ssl); 4576 goto cleanup; 4577 } 4578 } 4579 4580cleanup: 4581 return ret; 4582} 4583 4584/* 4585 * Perform the SSL handshake 4586 */ 4587int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl) 4588{ 4589 int ret = 0; 4590 4591 /* Sanity checks */ 4592 4593 if (ssl == NULL || ssl->conf == NULL) { 4594 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4595 } 4596 4597#if defined(MBEDTLS_SSL_PROTO_DTLS) 4598 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4599 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) { 4600 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use " 4601 "mbedtls_ssl_set_timer_cb() for DTLS")); 4602 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4603 } 4604#endif /* MBEDTLS_SSL_PROTO_DTLS */ 4605 4606 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake")); 4607 4608 /* Main handshake loop */ 4609 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) { 4610 ret = mbedtls_ssl_handshake_step(ssl); 4611 4612 if (ret != 0) { 4613 break; 4614 } 4615 } 4616 4617 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake")); 4618 4619 return ret; 4620} 4621 4622#if defined(MBEDTLS_SSL_RENEGOTIATION) 4623#if defined(MBEDTLS_SSL_SRV_C) 4624/* 4625 * Write HelloRequest to request renegotiation on server 4626 */ 4627MBEDTLS_CHECK_RETURN_CRITICAL 4628static int ssl_write_hello_request(mbedtls_ssl_context *ssl) 4629{ 4630 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4631 4632 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request")); 4633 4634 ssl->out_msglen = 4; 4635 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 4636 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; 4637 4638 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 4639 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 4640 return ret; 4641 } 4642 4643 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request")); 4644 4645 return 0; 4646} 4647#endif /* MBEDTLS_SSL_SRV_C */ 4648 4649/* 4650 * Actually renegotiate current connection, triggered by either: 4651 * - any side: calling mbedtls_ssl_renegotiate(), 4652 * - client: receiving a HelloRequest during mbedtls_ssl_read(), 4653 * - server: receiving any handshake message on server during mbedtls_ssl_read() after 4654 * the initial handshake is completed. 4655 * If the handshake doesn't complete due to waiting for I/O, it will continue 4656 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. 4657 */ 4658int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl) 4659{ 4660 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4661 4662 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate")); 4663 4664 if ((ret = ssl_handshake_init(ssl)) != 0) { 4665 return ret; 4666 } 4667 4668 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and 4669 * the ServerHello will have message_seq = 1" */ 4670#if defined(MBEDTLS_SSL_PROTO_DTLS) 4671 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4672 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) { 4673 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 4674 ssl->handshake->out_msg_seq = 1; 4675 } else { 4676 ssl->handshake->in_msg_seq = 1; 4677 } 4678 } 4679#endif 4680 4681 ssl->state = MBEDTLS_SSL_HELLO_REQUEST; 4682 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; 4683 4684 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { 4685 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); 4686 return ret; 4687 } 4688 4689 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate")); 4690 4691 return 0; 4692} 4693 4694/* 4695 * Renegotiate current connection on client, 4696 * or request renegotiation on server 4697 */ 4698int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl) 4699{ 4700 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4701 4702 if (ssl == NULL || ssl->conf == NULL) { 4703 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4704 } 4705 4706#if defined(MBEDTLS_SSL_SRV_C) 4707 /* On server, just send the request */ 4708 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 4709 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 4710 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4711 } 4712 4713 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 4714 4715 /* Did we already try/start sending HelloRequest? */ 4716 if (ssl->out_left != 0) { 4717 return mbedtls_ssl_flush_output(ssl); 4718 } 4719 4720 return ssl_write_hello_request(ssl); 4721 } 4722#endif /* MBEDTLS_SSL_SRV_C */ 4723 4724#if defined(MBEDTLS_SSL_CLI_C) 4725 /* 4726 * On client, either start the renegotiation process or, 4727 * if already in progress, continue the handshake 4728 */ 4729 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 4730 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 4731 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4732 } 4733 4734 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) { 4735 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret); 4736 return ret; 4737 } 4738 } else { 4739 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { 4740 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); 4741 return ret; 4742 } 4743 } 4744#endif /* MBEDTLS_SSL_CLI_C */ 4745 4746 return ret; 4747} 4748#endif /* MBEDTLS_SSL_RENEGOTIATION */ 4749 4750void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl) 4751{ 4752 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 4753 4754 if (handshake == NULL) { 4755 return; 4756 } 4757 4758#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 4759#if !defined(MBEDTLS_DEPRECATED_REMOVED) 4760 if (ssl->handshake->group_list_heap_allocated) { 4761 mbedtls_free((void *) handshake->group_list); 4762 } 4763 handshake->group_list = NULL; 4764#endif /* MBEDTLS_DEPRECATED_REMOVED */ 4765#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 4766 4767#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 4768#if !defined(MBEDTLS_DEPRECATED_REMOVED) 4769 if (ssl->handshake->sig_algs_heap_allocated) { 4770 mbedtls_free((void *) handshake->sig_algs); 4771 } 4772 handshake->sig_algs = NULL; 4773#endif /* MBEDTLS_DEPRECATED_REMOVED */ 4774#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4775 if (ssl->handshake->certificate_request_context) { 4776 mbedtls_free((void *) handshake->certificate_request_context); 4777 } 4778#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4779#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 4780 4781#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 4782 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) { 4783 ssl->conf->f_async_cancel(ssl); 4784 handshake->async_in_progress = 0; 4785 } 4786#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 4787 4788#if defined(MBEDTLS_MD_CAN_SHA256) 4789#if defined(MBEDTLS_USE_PSA_CRYPTO) 4790 psa_hash_abort(&handshake->fin_sha256_psa); 4791#else 4792 mbedtls_md_free(&handshake->fin_sha256); 4793#endif 4794#endif 4795#if defined(MBEDTLS_MD_CAN_SHA384) 4796#if defined(MBEDTLS_USE_PSA_CRYPTO) 4797 psa_hash_abort(&handshake->fin_sha384_psa); 4798#else 4799 mbedtls_md_free(&handshake->fin_sha384); 4800#endif 4801#endif 4802 4803#if defined(MBEDTLS_DHM_C) 4804 mbedtls_dhm_free(&handshake->dhm_ctx); 4805#endif 4806#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 4807 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) 4808 mbedtls_ecdh_free(&handshake->ecdh_ctx); 4809#endif 4810 4811#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 4812#if defined(MBEDTLS_USE_PSA_CRYPTO) 4813 psa_pake_abort(&handshake->psa_pake_ctx); 4814 /* 4815 * Opaque keys are not stored in the handshake's data and it's the user 4816 * responsibility to destroy them. Clear ones, instead, are created by 4817 * the TLS library and should be destroyed at the same level 4818 */ 4819 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) { 4820 psa_destroy_key(handshake->psa_pake_password); 4821 } 4822 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; 4823#else 4824 mbedtls_ecjpake_free(&handshake->ecjpake_ctx); 4825#endif /* MBEDTLS_USE_PSA_CRYPTO */ 4826#if defined(MBEDTLS_SSL_CLI_C) 4827 mbedtls_free(handshake->ecjpake_cache); 4828 handshake->ecjpake_cache = NULL; 4829 handshake->ecjpake_cache_len = 0; 4830#endif 4831#endif 4832 4833#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \ 4834 defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \ 4835 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 4836 /* explicit void pointer cast for buggy MS compiler */ 4837 mbedtls_free((void *) handshake->curves_tls_id); 4838#endif 4839 4840#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 4841#if defined(MBEDTLS_USE_PSA_CRYPTO) 4842 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 4843 /* The maintenance of the external PSK key slot is the 4844 * user's responsibility. */ 4845 if (ssl->handshake->psk_opaque_is_internal) { 4846 psa_destroy_key(ssl->handshake->psk_opaque); 4847 ssl->handshake->psk_opaque_is_internal = 0; 4848 } 4849 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 4850 } 4851#else 4852 if (handshake->psk != NULL) { 4853 mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len); 4854 } 4855#endif /* MBEDTLS_USE_PSA_CRYPTO */ 4856#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 4857 4858#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 4859 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4860 /* 4861 * Free only the linked list wrapper, not the keys themselves 4862 * since the belong to the SNI callback 4863 */ 4864 ssl_key_cert_free(handshake->sni_key_cert); 4865#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ 4866 4867#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 4868 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx); 4869 if (handshake->ecrs_peer_cert != NULL) { 4870 mbedtls_x509_crt_free(handshake->ecrs_peer_cert); 4871 mbedtls_free(handshake->ecrs_peer_cert); 4872 } 4873#endif 4874 4875#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 4876 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 4877 mbedtls_pk_free(&handshake->peer_pubkey); 4878#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4879 4880#if defined(MBEDTLS_SSL_CLI_C) && \ 4881 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) 4882 mbedtls_free(handshake->cookie); 4883#endif /* MBEDTLS_SSL_CLI_C && 4884 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */ 4885 4886#if defined(MBEDTLS_SSL_PROTO_DTLS) 4887 mbedtls_ssl_flight_free(handshake->flight); 4888 mbedtls_ssl_buffering_free(ssl); 4889#endif /* MBEDTLS_SSL_PROTO_DTLS */ 4890 4891#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED) 4892 if (handshake->xxdh_psa_privkey_is_external == 0) { 4893 psa_destroy_key(handshake->xxdh_psa_privkey); 4894 } 4895#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */ 4896 4897#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4898 mbedtls_ssl_transform_free(handshake->transform_handshake); 4899 mbedtls_free(handshake->transform_handshake); 4900#if defined(MBEDTLS_SSL_EARLY_DATA) 4901 mbedtls_ssl_transform_free(handshake->transform_earlydata); 4902 mbedtls_free(handshake->transform_earlydata); 4903#endif 4904#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4905 4906 4907#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 4908 /* If the buffers are too big - reallocate. Because of the way Mbed TLS 4909 * processes datagrams and the fact that a datagram is allowed to have 4910 * several records in it, it is possible that the I/O buffers are not 4911 * empty at this stage */ 4912 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl), 4913 mbedtls_ssl_get_output_buflen(ssl)); 4914#endif 4915 4916 /* mbedtls_platform_zeroize MUST be last one in this function */ 4917 mbedtls_platform_zeroize(handshake, 4918 sizeof(mbedtls_ssl_handshake_params)); 4919} 4920 4921void mbedtls_ssl_session_free(mbedtls_ssl_session *session) 4922{ 4923 if (session == NULL) { 4924 return; 4925 } 4926 4927#if defined(MBEDTLS_X509_CRT_PARSE_C) 4928 ssl_clear_peer_cert(session); 4929#endif 4930 4931#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 4932#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 4933 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4934 mbedtls_free(session->hostname); 4935#endif 4936 mbedtls_free(session->ticket); 4937#endif 4938 4939#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \ 4940 defined(MBEDTLS_SSL_SRV_C) 4941 mbedtls_free(session->ticket_alpn); 4942#endif 4943 4944 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session)); 4945} 4946 4947#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 4948 4949#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 4950#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u 4951#else 4952#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u 4953#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 4954 4955#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u 4956 4957#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 4958#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u 4959#else 4960#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u 4961#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 4962 4963#if defined(MBEDTLS_SSL_ALPN) 4964#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u 4965#else 4966#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u 4967#endif /* MBEDTLS_SSL_ALPN */ 4968 4969#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0 4970#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1 4971#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2 4972#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3 4973 4974#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \ 4975 ((uint32_t) ( \ 4976 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \ 4977 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \ 4978 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \ 4979 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \ 4980 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \ 4981 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \ 4982 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \ 4983 0u)) 4984 4985static const unsigned char ssl_serialized_context_header[] = { 4986 MBEDTLS_VERSION_MAJOR, 4987 MBEDTLS_VERSION_MINOR, 4988 MBEDTLS_VERSION_PATCH, 4989 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4990 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4991 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 4992 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 4993 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 4994}; 4995 4996/* 4997 * Serialize a full SSL context 4998 * 4999 * The format of the serialized data is: 5000 * (in the presentation language of TLS, RFC 8446 section 3) 5001 * 5002 * // header 5003 * opaque mbedtls_version[3]; // major, minor, patch 5004 * opaque context_format[5]; // version-specific field determining 5005 * // the format of the remaining 5006 * // serialized data. 5007 * Note: When updating the format, remember to keep these 5008 * version+format bytes. (We may make their size part of the API.) 5009 * 5010 * // session sub-structure 5011 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save() 5012 * // transform sub-structure 5013 * uint8 random[64]; // ServerHello.random+ClientHello.random 5014 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value 5015 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use 5016 * // fields from ssl_context 5017 * uint32 badmac_seen; // DTLS: number of records with failing MAC 5018 * uint64 in_window_top; // DTLS: last validated record seq_num 5019 * uint64 in_window; // DTLS: bitmask for replay protection 5020 * uint8 disable_datagram_packing; // DTLS: only one record per datagram 5021 * uint64 cur_out_ctr; // Record layer: outgoing sequence number 5022 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size) 5023 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol 5024 * 5025 * Note that many fields of the ssl_context or sub-structures are not 5026 * serialized, as they fall in one of the following categories: 5027 * 5028 * 1. forced value (eg in_left must be 0) 5029 * 2. pointer to dynamically-allocated memory (eg session, transform) 5030 * 3. value can be re-derived from other data (eg session keys from MS) 5031 * 4. value was temporary (eg content of input buffer) 5032 * 5. value will be provided by the user again (eg I/O callbacks and context) 5033 */ 5034int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl, 5035 unsigned char *buf, 5036 size_t buf_len, 5037 size_t *olen) 5038{ 5039 unsigned char *p = buf; 5040 size_t used = 0; 5041 size_t session_len; 5042 int ret = 0; 5043 5044 /* 5045 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in 5046 * this function's documentation. 5047 * 5048 * These are due to assumptions/limitations in the implementation. Some of 5049 * them are likely to stay (no handshake in progress) some might go away 5050 * (only DTLS) but are currently used to simplify the implementation. 5051 */ 5052 /* The initial handshake must be over */ 5053 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 5054 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over")); 5055 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5056 } 5057 if (ssl->handshake != NULL) { 5058 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed")); 5059 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5060 } 5061 /* Double-check that sub-structures are indeed ready */ 5062 if (ssl->transform == NULL || ssl->session == NULL) { 5063 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready")); 5064 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5065 } 5066 /* There must be no pending incoming or outgoing data */ 5067 if (mbedtls_ssl_check_pending(ssl) != 0) { 5068 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data")); 5069 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5070 } 5071 if (ssl->out_left != 0) { 5072 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data")); 5073 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5074 } 5075 /* Protocol must be DTLS, not TLS */ 5076 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 5077 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported")); 5078 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5079 } 5080 /* Version must be 1.2 */ 5081 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { 5082 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported")); 5083 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5084 } 5085 /* We must be using an AEAD ciphersuite */ 5086 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) { 5087 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported")); 5088 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5089 } 5090 /* Renegotiation must not be enabled */ 5091#if defined(MBEDTLS_SSL_RENEGOTIATION) 5092 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) { 5093 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled")); 5094 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5095 } 5096#endif 5097 5098 /* 5099 * Version and format identifier 5100 */ 5101 used += sizeof(ssl_serialized_context_header); 5102 5103 if (used <= buf_len) { 5104 memcpy(p, ssl_serialized_context_header, 5105 sizeof(ssl_serialized_context_header)); 5106 p += sizeof(ssl_serialized_context_header); 5107 } 5108 5109 /* 5110 * Session (length + data) 5111 */ 5112 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len); 5113 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { 5114 return ret; 5115 } 5116 5117 used += 4 + session_len; 5118 if (used <= buf_len) { 5119 MBEDTLS_PUT_UINT32_BE(session_len, p, 0); 5120 p += 4; 5121 5122 ret = ssl_session_save(ssl->session, 1, 5123 p, session_len, &session_len); 5124 if (ret != 0) { 5125 return ret; 5126 } 5127 5128 p += session_len; 5129 } 5130 5131 /* 5132 * Transform 5133 */ 5134 used += sizeof(ssl->transform->randbytes); 5135 if (used <= buf_len) { 5136 memcpy(p, ssl->transform->randbytes, 5137 sizeof(ssl->transform->randbytes)); 5138 p += sizeof(ssl->transform->randbytes); 5139 } 5140 5141#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5142 used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len; 5143 if (used <= buf_len) { 5144 *p++ = ssl->transform->in_cid_len; 5145 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len); 5146 p += ssl->transform->in_cid_len; 5147 5148 *p++ = ssl->transform->out_cid_len; 5149 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len); 5150 p += ssl->transform->out_cid_len; 5151 } 5152#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5153 5154 /* 5155 * Saved fields from top-level ssl_context structure 5156 */ 5157 used += 4; 5158 if (used <= buf_len) { 5159 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen, p, 0); 5160 p += 4; 5161 } 5162 5163#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5164 used += 16; 5165 if (used <= buf_len) { 5166 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0); 5167 p += 8; 5168 5169 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0); 5170 p += 8; 5171 } 5172#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 5173 5174#if defined(MBEDTLS_SSL_PROTO_DTLS) 5175 used += 1; 5176 if (used <= buf_len) { 5177 *p++ = ssl->disable_datagram_packing; 5178 } 5179#endif /* MBEDTLS_SSL_PROTO_DTLS */ 5180 5181 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; 5182 if (used <= buf_len) { 5183 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN); 5184 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; 5185 } 5186 5187#if defined(MBEDTLS_SSL_PROTO_DTLS) 5188 used += 2; 5189 if (used <= buf_len) { 5190 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0); 5191 p += 2; 5192 } 5193#endif /* MBEDTLS_SSL_PROTO_DTLS */ 5194 5195#if defined(MBEDTLS_SSL_ALPN) 5196 { 5197 const uint8_t alpn_len = ssl->alpn_chosen 5198 ? (uint8_t) strlen(ssl->alpn_chosen) 5199 : 0; 5200 5201 used += 1 + alpn_len; 5202 if (used <= buf_len) { 5203 *p++ = alpn_len; 5204 5205 if (ssl->alpn_chosen != NULL) { 5206 memcpy(p, ssl->alpn_chosen, alpn_len); 5207 p += alpn_len; 5208 } 5209 } 5210 } 5211#endif /* MBEDTLS_SSL_ALPN */ 5212 5213 /* 5214 * Done 5215 */ 5216 *olen = used; 5217 5218 if (used > buf_len) { 5219 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 5220 } 5221 5222 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used); 5223 5224 return mbedtls_ssl_session_reset_int(ssl, 0); 5225} 5226 5227/* 5228 * Deserialize context, see mbedtls_ssl_context_save() for format. 5229 * 5230 * This internal version is wrapped by a public function that cleans up in 5231 * case of error. 5232 */ 5233MBEDTLS_CHECK_RETURN_CRITICAL 5234static int ssl_context_load(mbedtls_ssl_context *ssl, 5235 const unsigned char *buf, 5236 size_t len) 5237{ 5238 const unsigned char *p = buf; 5239 const unsigned char * const end = buf + len; 5240 size_t session_len; 5241 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5242#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5243 tls_prf_fn prf_func = NULL; 5244#endif 5245 5246 /* 5247 * The context should have been freshly setup or reset. 5248 * Give the user an error in case of obvious misuse. 5249 * (Checking session is useful because it won't be NULL if we're 5250 * renegotiating, or if the user mistakenly loaded a session first.) 5251 */ 5252 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST || 5253 ssl->session != NULL) { 5254 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5255 } 5256 5257 /* 5258 * We can't check that the config matches the initial one, but we can at 5259 * least check it matches the requirements for serializing. 5260 */ 5261 if ( 5262#if defined(MBEDTLS_SSL_RENEGOTIATION) 5263 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED || 5264#endif 5265 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 5266 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 || 5267 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 5268 ) { 5269 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5270 } 5271 5272 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len); 5273 5274 /* 5275 * Check version identifier 5276 */ 5277 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) { 5278 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5279 } 5280 5281 if (memcmp(p, ssl_serialized_context_header, 5282 sizeof(ssl_serialized_context_header)) != 0) { 5283 return MBEDTLS_ERR_SSL_VERSION_MISMATCH; 5284 } 5285 p += sizeof(ssl_serialized_context_header); 5286 5287 /* 5288 * Session 5289 */ 5290 if ((size_t) (end - p) < 4) { 5291 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5292 } 5293 5294 session_len = MBEDTLS_GET_UINT32_BE(p, 0); 5295 p += 4; 5296 5297 /* This has been allocated by ssl_handshake_init(), called by 5298 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ 5299 ssl->session = ssl->session_negotiate; 5300 ssl->session_in = ssl->session; 5301 ssl->session_out = ssl->session; 5302 ssl->session_negotiate = NULL; 5303 5304 if ((size_t) (end - p) < session_len) { 5305 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5306 } 5307 5308 ret = ssl_session_load(ssl->session, 1, p, session_len); 5309 if (ret != 0) { 5310 mbedtls_ssl_session_free(ssl->session); 5311 return ret; 5312 } 5313 5314 p += session_len; 5315 5316 /* 5317 * Transform 5318 */ 5319 5320 /* This has been allocated by ssl_handshake_init(), called by 5321 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ 5322#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5323 ssl->transform = ssl->transform_negotiate; 5324 ssl->transform_in = ssl->transform; 5325 ssl->transform_out = ssl->transform; 5326 ssl->transform_negotiate = NULL; 5327#endif 5328 5329#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5330 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite); 5331 if (prf_func == NULL) { 5332 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5333 } 5334 5335 /* Read random bytes and populate structure */ 5336 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) { 5337 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5338 } 5339 5340 ret = ssl_tls12_populate_transform(ssl->transform, 5341 ssl->session->ciphersuite, 5342 ssl->session->master, 5343#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 5344 ssl->session->encrypt_then_mac, 5345#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 5346 prf_func, 5347 p, /* currently pointing to randbytes */ 5348 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */ 5349 ssl->conf->endpoint, 5350 ssl); 5351 if (ret != 0) { 5352 return ret; 5353 } 5354#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5355 p += sizeof(ssl->transform->randbytes); 5356 5357#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5358 /* Read connection IDs and store them */ 5359 if ((size_t) (end - p) < 1) { 5360 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5361 } 5362 5363 ssl->transform->in_cid_len = *p++; 5364 5365 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) { 5366 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5367 } 5368 5369 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len); 5370 p += ssl->transform->in_cid_len; 5371 5372 ssl->transform->out_cid_len = *p++; 5373 5374 if ((size_t) (end - p) < ssl->transform->out_cid_len) { 5375 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5376 } 5377 5378 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len); 5379 p += ssl->transform->out_cid_len; 5380#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5381 5382 /* 5383 * Saved fields from top-level ssl_context structure 5384 */ 5385 if ((size_t) (end - p) < 4) { 5386 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5387 } 5388 5389 ssl->badmac_seen = MBEDTLS_GET_UINT32_BE(p, 0); 5390 p += 4; 5391 5392#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5393 if ((size_t) (end - p) < 16) { 5394 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5395 } 5396 5397 ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0); 5398 p += 8; 5399 5400 ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0); 5401 p += 8; 5402#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 5403 5404#if defined(MBEDTLS_SSL_PROTO_DTLS) 5405 if ((size_t) (end - p) < 1) { 5406 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5407 } 5408 5409 ssl->disable_datagram_packing = *p++; 5410#endif /* MBEDTLS_SSL_PROTO_DTLS */ 5411 5412 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) { 5413 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5414 } 5415 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr)); 5416 p += sizeof(ssl->cur_out_ctr); 5417 5418#if defined(MBEDTLS_SSL_PROTO_DTLS) 5419 if ((size_t) (end - p) < 2) { 5420 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5421 } 5422 5423 ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0); 5424 p += 2; 5425#endif /* MBEDTLS_SSL_PROTO_DTLS */ 5426 5427#if defined(MBEDTLS_SSL_ALPN) 5428 { 5429 uint8_t alpn_len; 5430 const char **cur; 5431 5432 if ((size_t) (end - p) < 1) { 5433 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5434 } 5435 5436 alpn_len = *p++; 5437 5438 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) { 5439 /* alpn_chosen should point to an item in the configured list */ 5440 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) { 5441 if (strlen(*cur) == alpn_len && 5442 memcmp(p, *cur, alpn_len) == 0) { 5443 ssl->alpn_chosen = *cur; 5444 break; 5445 } 5446 } 5447 } 5448 5449 /* can only happen on conf mismatch */ 5450 if (alpn_len != 0 && ssl->alpn_chosen == NULL) { 5451 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5452 } 5453 5454 p += alpn_len; 5455 } 5456#endif /* MBEDTLS_SSL_ALPN */ 5457 5458 /* 5459 * Forced fields from top-level ssl_context structure 5460 * 5461 * Most of them already set to the correct value by mbedtls_ssl_init() and 5462 * mbedtls_ssl_reset(), so we only need to set the remaining ones. 5463 */ 5464 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; 5465 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5466 5467 /* Adjust pointers for header fields of outgoing records to 5468 * the given transform, accounting for explicit IV and CID. */ 5469 mbedtls_ssl_update_out_pointers(ssl, ssl->transform); 5470 5471#if defined(MBEDTLS_SSL_PROTO_DTLS) 5472 ssl->in_epoch = 1; 5473#endif 5474 5475 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated, 5476 * which we don't want - otherwise we'd end up freeing the wrong transform 5477 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform() 5478 * inappropriately. */ 5479 if (ssl->handshake != NULL) { 5480 mbedtls_ssl_handshake_free(ssl); 5481 mbedtls_free(ssl->handshake); 5482 ssl->handshake = NULL; 5483 } 5484 5485 /* 5486 * Done - should have consumed entire buffer 5487 */ 5488 if (p != end) { 5489 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5490 } 5491 5492 return 0; 5493} 5494 5495/* 5496 * Deserialize context: public wrapper for error cleaning 5497 */ 5498int mbedtls_ssl_context_load(mbedtls_ssl_context *context, 5499 const unsigned char *buf, 5500 size_t len) 5501{ 5502 int ret = ssl_context_load(context, buf, len); 5503 5504 if (ret != 0) { 5505 mbedtls_ssl_free(context); 5506 } 5507 5508 return ret; 5509} 5510#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 5511 5512/* 5513 * Free an SSL context 5514 */ 5515void mbedtls_ssl_free(mbedtls_ssl_context *ssl) 5516{ 5517 if (ssl == NULL) { 5518 return; 5519 } 5520 5521 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free")); 5522 5523 if (ssl->out_buf != NULL) { 5524#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 5525 size_t out_buf_len = ssl->out_buf_len; 5526#else 5527 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 5528#endif 5529 5530 mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len); 5531 ssl->out_buf = NULL; 5532 } 5533 5534 if (ssl->in_buf != NULL) { 5535#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 5536 size_t in_buf_len = ssl->in_buf_len; 5537#else 5538 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 5539#endif 5540 5541 mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len); 5542 ssl->in_buf = NULL; 5543 } 5544 5545 if (ssl->transform) { 5546 mbedtls_ssl_transform_free(ssl->transform); 5547 mbedtls_free(ssl->transform); 5548 } 5549 5550 if (ssl->handshake) { 5551 mbedtls_ssl_handshake_free(ssl); 5552 mbedtls_free(ssl->handshake); 5553 5554#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5555 mbedtls_ssl_transform_free(ssl->transform_negotiate); 5556 mbedtls_free(ssl->transform_negotiate); 5557#endif 5558 5559 mbedtls_ssl_session_free(ssl->session_negotiate); 5560 mbedtls_free(ssl->session_negotiate); 5561 } 5562 5563#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 5564 mbedtls_ssl_transform_free(ssl->transform_application); 5565 mbedtls_free(ssl->transform_application); 5566#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 5567 5568 if (ssl->session) { 5569 mbedtls_ssl_session_free(ssl->session); 5570 mbedtls_free(ssl->session); 5571 } 5572 5573#if defined(MBEDTLS_X509_CRT_PARSE_C) 5574 if (ssl->hostname != NULL) { 5575 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname)); 5576 } 5577#endif 5578 5579#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 5580 mbedtls_free(ssl->cli_id); 5581#endif 5582 5583 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free")); 5584 5585 /* Actually clear after last debug message */ 5586 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context)); 5587} 5588 5589/* 5590 * Initialize mbedtls_ssl_config 5591 */ 5592void mbedtls_ssl_config_init(mbedtls_ssl_config *conf) 5593{ 5594 memset(conf, 0, sizeof(mbedtls_ssl_config)); 5595} 5596 5597/* The selection should be the same as mbedtls_x509_crt_profile_default in 5598 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters: 5599 * curves with a lower resource usage come first. 5600 * See the documentation of mbedtls_ssl_conf_curves() for what we promise 5601 * about this list. 5602 */ 5603static const uint16_t ssl_preset_default_groups[] = { 5604#if defined(MBEDTLS_ECP_HAVE_CURVE25519) 5605 MBEDTLS_SSL_IANA_TLS_GROUP_X25519, 5606#endif 5607#if defined(MBEDTLS_ECP_HAVE_SECP256R1) 5608 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 5609#endif 5610#if defined(MBEDTLS_ECP_HAVE_SECP384R1) 5611 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 5612#endif 5613#if defined(MBEDTLS_ECP_HAVE_CURVE448) 5614 MBEDTLS_SSL_IANA_TLS_GROUP_X448, 5615#endif 5616#if defined(MBEDTLS_ECP_HAVE_SECP521R1) 5617 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, 5618#endif 5619#if defined(MBEDTLS_ECP_HAVE_BP256R1) 5620 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, 5621#endif 5622#if defined(MBEDTLS_ECP_HAVE_BP384R1) 5623 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, 5624#endif 5625#if defined(MBEDTLS_ECP_HAVE_BP512R1) 5626 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, 5627#endif 5628#if defined(PSA_WANT_ALG_FFDH) 5629 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, 5630 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, 5631 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, 5632 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, 5633 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, 5634#endif 5635 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 5636}; 5637 5638static const int ssl_preset_suiteb_ciphersuites[] = { 5639 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 5640 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 5641 0 5642}; 5643 5644#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5645 5646/* NOTICE: 5647 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following 5648 * rules SHOULD be upheld. 5649 * - No duplicate entries. 5650 * - But if there is a good reason, do not change the order of the algorithms. 5651 * - ssl_tls12_preset* is for TLS 1.2 use only. 5652 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes. 5653 */ 5654static const uint16_t ssl_preset_default_sig_algs[] = { 5655 5656#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5657 defined(MBEDTLS_MD_CAN_SHA256) && \ 5658 defined(PSA_WANT_ECC_SECP_R1_256) 5659 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, 5660 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256) 5661#endif 5662 5663#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5664 defined(MBEDTLS_MD_CAN_SHA384) && \ 5665 defined(PSA_WANT_ECC_SECP_R1_384) 5666 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, 5667 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384) 5668#endif 5669 5670#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5671 defined(MBEDTLS_MD_CAN_SHA512) && \ 5672 defined(PSA_WANT_ECC_SECP_R1_521) 5673 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512, 5674 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512) 5675#endif 5676 5677#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512) 5678 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, 5679#endif 5680 5681#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384) 5682 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, 5683#endif 5684 5685#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256) 5686 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, 5687#endif 5688 5689#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512) 5690 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512, 5691#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */ 5692 5693#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384) 5694 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384, 5695#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */ 5696 5697#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) 5698 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, 5699#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */ 5700 5701 MBEDTLS_TLS_SIG_NONE 5702}; 5703 5704/* NOTICE: see above */ 5705#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5706static uint16_t ssl_tls12_preset_default_sig_algs[] = { 5707 5708#if defined(MBEDTLS_MD_CAN_SHA512) 5709#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5710 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512), 5711#endif 5712#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5713 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, 5714#endif 5715#if defined(MBEDTLS_RSA_C) 5716 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512), 5717#endif 5718#endif /* MBEDTLS_MD_CAN_SHA512 */ 5719 5720#if defined(MBEDTLS_MD_CAN_SHA384) 5721#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5722 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), 5723#endif 5724#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5725 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, 5726#endif 5727#if defined(MBEDTLS_RSA_C) 5728 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384), 5729#endif 5730#endif /* MBEDTLS_MD_CAN_SHA384 */ 5731 5732#if defined(MBEDTLS_MD_CAN_SHA256) 5733#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5734 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), 5735#endif 5736#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5737 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, 5738#endif 5739#if defined(MBEDTLS_RSA_C) 5740 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256), 5741#endif 5742#endif /* MBEDTLS_MD_CAN_SHA256 */ 5743 5744 MBEDTLS_TLS_SIG_NONE 5745}; 5746#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5747 5748/* NOTICE: see above */ 5749static const uint16_t ssl_preset_suiteb_sig_algs[] = { 5750 5751#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5752 defined(MBEDTLS_MD_CAN_SHA256) && \ 5753 defined(MBEDTLS_ECP_HAVE_SECP256R1) 5754 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, 5755 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256) 5756#endif 5757 5758#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5759 defined(MBEDTLS_MD_CAN_SHA384) && \ 5760 defined(MBEDTLS_ECP_HAVE_SECP384R1) 5761 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, 5762 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384) 5763#endif 5764 5765 MBEDTLS_TLS_SIG_NONE 5766}; 5767 5768/* NOTICE: see above */ 5769#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5770static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { 5771 5772#if defined(MBEDTLS_MD_CAN_SHA256) 5773#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5774 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), 5775#endif 5776#endif /* MBEDTLS_MD_CAN_SHA256 */ 5777 5778#if defined(MBEDTLS_MD_CAN_SHA384) 5779#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5780 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), 5781#endif 5782#endif /* MBEDTLS_MD_CAN_SHA384 */ 5783 5784 MBEDTLS_TLS_SIG_NONE 5785}; 5786#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5787 5788#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5789 5790static const uint16_t ssl_preset_suiteb_groups[] = { 5791#if defined(MBEDTLS_ECP_HAVE_SECP256R1) 5792 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 5793#endif 5794#if defined(MBEDTLS_ECP_HAVE_SECP384R1) 5795 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 5796#endif 5797 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 5798}; 5799 5800#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5801/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs` 5802 * to make sure there are no duplicated signature algorithm entries. */ 5803MBEDTLS_CHECK_RETURN_CRITICAL 5804static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs) 5805{ 5806 size_t i, j; 5807 int ret = 0; 5808 5809 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { 5810 for (j = 0; j < i; j++) { 5811 if (sig_algs[i] != sig_algs[j]) { 5812 continue; 5813 } 5814 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET 5815 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n", 5816 sig_algs[i], j, i); 5817 ret = -1; 5818 } 5819 } 5820 return ret; 5821} 5822 5823#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5824 5825/* 5826 * Load default in mbedtls_ssl_config 5827 */ 5828int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, 5829 int endpoint, int transport, int preset) 5830{ 5831#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 5832 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5833#endif 5834 5835#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5836 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) { 5837 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n"); 5838 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5839 } 5840 5841 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) { 5842 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n"); 5843 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5844 } 5845 5846#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5847 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) { 5848 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n"); 5849 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5850 } 5851 5852 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) { 5853 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n"); 5854 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5855 } 5856#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5857#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5858 5859 /* Use the functions here so that they are covered in tests, 5860 * but otherwise access member directly for efficiency */ 5861 mbedtls_ssl_conf_endpoint(conf, endpoint); 5862 mbedtls_ssl_conf_transport(conf, transport); 5863 5864 /* 5865 * Things that are common to all presets 5866 */ 5867#if defined(MBEDTLS_SSL_CLI_C) 5868 if (endpoint == MBEDTLS_SSL_IS_CLIENT) { 5869 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; 5870#if defined(MBEDTLS_SSL_SESSION_TICKETS) 5871 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED; 5872#endif 5873 } 5874#endif 5875 5876#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 5877 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 5878#endif 5879 5880#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 5881 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 5882#endif 5883 5884#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 5885 conf->f_cookie_write = ssl_cookie_write_dummy; 5886 conf->f_cookie_check = ssl_cookie_check_dummy; 5887#endif 5888 5889#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5890 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; 5891#endif 5892 5893#if defined(MBEDTLS_SSL_SRV_C) 5894 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED; 5895 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER; 5896#endif 5897 5898#if defined(MBEDTLS_SSL_PROTO_DTLS) 5899 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; 5900 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; 5901#endif 5902 5903#if defined(MBEDTLS_SSL_RENEGOTIATION) 5904 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; 5905 memset(conf->renego_period, 0x00, 2); 5906 memset(conf->renego_period + 2, 0xFF, 6); 5907#endif 5908 5909#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 5910 if (endpoint == MBEDTLS_SSL_IS_SERVER) { 5911 const unsigned char dhm_p[] = 5912 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; 5913 const unsigned char dhm_g[] = 5914 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; 5915 5916 if ((ret = mbedtls_ssl_conf_dh_param_bin(conf, 5917 dhm_p, sizeof(dhm_p), 5918 dhm_g, sizeof(dhm_g))) != 0) { 5919 return ret; 5920 } 5921 } 5922#endif 5923 5924#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 5925 5926#if defined(MBEDTLS_SSL_EARLY_DATA) 5927 mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED); 5928#if defined(MBEDTLS_SSL_SRV_C) 5929 mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE); 5930#endif 5931#endif /* MBEDTLS_SSL_EARLY_DATA */ 5932 5933#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) 5934 mbedtls_ssl_conf_new_session_tickets( 5935 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS); 5936#endif 5937 /* 5938 * Allow all TLS 1.3 key exchange modes by default. 5939 */ 5940 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; 5941#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 5942 5943 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 5944#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5945 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5946 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5947#else 5948 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 5949#endif 5950 } else { 5951#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 5952 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5953 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 5954#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) 5955 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 5956 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 5957#elif defined(MBEDTLS_SSL_PROTO_TLS1_2) 5958 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5959 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5960#else 5961 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 5962#endif 5963 } 5964 5965 /* 5966 * Preset-specific defaults 5967 */ 5968 switch (preset) { 5969 /* 5970 * NSA Suite B 5971 */ 5972 case MBEDTLS_SSL_PRESET_SUITEB: 5973 5974 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites; 5975 5976#if defined(MBEDTLS_X509_CRT_PARSE_C) 5977 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; 5978#endif 5979 5980#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5981#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5982 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 5983 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs; 5984 } else 5985#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5986 conf->sig_algs = ssl_preset_suiteb_sig_algs; 5987#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5988 5989#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 5990 conf->curve_list = NULL; 5991#endif 5992 conf->group_list = ssl_preset_suiteb_groups; 5993 break; 5994 5995 /* 5996 * Default 5997 */ 5998 default: 5999 6000 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites(); 6001 6002#if defined(MBEDTLS_X509_CRT_PARSE_C) 6003 conf->cert_profile = &mbedtls_x509_crt_profile_default; 6004#endif 6005 6006#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 6007#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6008 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 6009 conf->sig_algs = ssl_tls12_preset_default_sig_algs; 6010 } else 6011#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 6012 conf->sig_algs = ssl_preset_default_sig_algs; 6013#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 6014 6015#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 6016 conf->curve_list = NULL; 6017#endif 6018 conf->group_list = ssl_preset_default_groups; 6019 6020#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 6021 conf->dhm_min_bitlen = 1024; 6022#endif 6023 } 6024 6025 return 0; 6026} 6027 6028/* 6029 * Free mbedtls_ssl_config 6030 */ 6031void mbedtls_ssl_config_free(mbedtls_ssl_config *conf) 6032{ 6033#if defined(MBEDTLS_DHM_C) 6034 mbedtls_mpi_free(&conf->dhm_P); 6035 mbedtls_mpi_free(&conf->dhm_G); 6036#endif 6037 6038#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 6039#if defined(MBEDTLS_USE_PSA_CRYPTO) 6040 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 6041 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 6042 } 6043#endif /* MBEDTLS_USE_PSA_CRYPTO */ 6044 if (conf->psk != NULL) { 6045 mbedtls_zeroize_and_free(conf->psk, conf->psk_len); 6046 conf->psk = NULL; 6047 conf->psk_len = 0; 6048 } 6049 6050 if (conf->psk_identity != NULL) { 6051 mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len); 6052 conf->psk_identity = NULL; 6053 conf->psk_identity_len = 0; 6054 } 6055#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 6056 6057#if defined(MBEDTLS_X509_CRT_PARSE_C) 6058 ssl_key_cert_free(conf->key_cert); 6059#endif 6060 6061 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config)); 6062} 6063 6064#if defined(MBEDTLS_PK_C) && \ 6065 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)) 6066/* 6067 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX 6068 */ 6069unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk) 6070{ 6071#if defined(MBEDTLS_RSA_C) 6072 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) { 6073 return MBEDTLS_SSL_SIG_RSA; 6074 } 6075#endif 6076#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) 6077 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) { 6078 return MBEDTLS_SSL_SIG_ECDSA; 6079 } 6080#endif 6081 return MBEDTLS_SSL_SIG_ANON; 6082} 6083 6084unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type) 6085{ 6086 switch (type) { 6087 case MBEDTLS_PK_RSA: 6088 return MBEDTLS_SSL_SIG_RSA; 6089 case MBEDTLS_PK_ECDSA: 6090 case MBEDTLS_PK_ECKEY: 6091 return MBEDTLS_SSL_SIG_ECDSA; 6092 default: 6093 return MBEDTLS_SSL_SIG_ANON; 6094 } 6095} 6096 6097mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) 6098{ 6099 switch (sig) { 6100#if defined(MBEDTLS_RSA_C) 6101 case MBEDTLS_SSL_SIG_RSA: 6102 return MBEDTLS_PK_RSA; 6103#endif 6104#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) 6105 case MBEDTLS_SSL_SIG_ECDSA: 6106 return MBEDTLS_PK_ECDSA; 6107#endif 6108 default: 6109 return MBEDTLS_PK_NONE; 6110 } 6111} 6112#endif /* MBEDTLS_PK_C && 6113 ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */ 6114 6115/* 6116 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX 6117 */ 6118mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash) 6119{ 6120 switch (hash) { 6121#if defined(MBEDTLS_MD_CAN_MD5) 6122 case MBEDTLS_SSL_HASH_MD5: 6123 return MBEDTLS_MD_MD5; 6124#endif 6125#if defined(MBEDTLS_MD_CAN_SHA1) 6126 case MBEDTLS_SSL_HASH_SHA1: 6127 return MBEDTLS_MD_SHA1; 6128#endif 6129#if defined(MBEDTLS_MD_CAN_SHA224) 6130 case MBEDTLS_SSL_HASH_SHA224: 6131 return MBEDTLS_MD_SHA224; 6132#endif 6133#if defined(MBEDTLS_MD_CAN_SHA256) 6134 case MBEDTLS_SSL_HASH_SHA256: 6135 return MBEDTLS_MD_SHA256; 6136#endif 6137#if defined(MBEDTLS_MD_CAN_SHA384) 6138 case MBEDTLS_SSL_HASH_SHA384: 6139 return MBEDTLS_MD_SHA384; 6140#endif 6141#if defined(MBEDTLS_MD_CAN_SHA512) 6142 case MBEDTLS_SSL_HASH_SHA512: 6143 return MBEDTLS_MD_SHA512; 6144#endif 6145 default: 6146 return MBEDTLS_MD_NONE; 6147 } 6148} 6149 6150/* 6151 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX 6152 */ 6153unsigned char mbedtls_ssl_hash_from_md_alg(int md) 6154{ 6155 switch (md) { 6156#if defined(MBEDTLS_MD_CAN_MD5) 6157 case MBEDTLS_MD_MD5: 6158 return MBEDTLS_SSL_HASH_MD5; 6159#endif 6160#if defined(MBEDTLS_MD_CAN_SHA1) 6161 case MBEDTLS_MD_SHA1: 6162 return MBEDTLS_SSL_HASH_SHA1; 6163#endif 6164#if defined(MBEDTLS_MD_CAN_SHA224) 6165 case MBEDTLS_MD_SHA224: 6166 return MBEDTLS_SSL_HASH_SHA224; 6167#endif 6168#if defined(MBEDTLS_MD_CAN_SHA256) 6169 case MBEDTLS_MD_SHA256: 6170 return MBEDTLS_SSL_HASH_SHA256; 6171#endif 6172#if defined(MBEDTLS_MD_CAN_SHA384) 6173 case MBEDTLS_MD_SHA384: 6174 return MBEDTLS_SSL_HASH_SHA384; 6175#endif 6176#if defined(MBEDTLS_MD_CAN_SHA512) 6177 case MBEDTLS_MD_SHA512: 6178 return MBEDTLS_SSL_HASH_SHA512; 6179#endif 6180 default: 6181 return MBEDTLS_SSL_HASH_NONE; 6182 } 6183} 6184 6185/* 6186 * Check if a curve proposed by the peer is in our list. 6187 * Return 0 if we're willing to use it, -1 otherwise. 6188 */ 6189int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id) 6190{ 6191 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); 6192 6193 if (group_list == NULL) { 6194 return -1; 6195 } 6196 6197 for (; *group_list != 0; group_list++) { 6198 if (*group_list == tls_id) { 6199 return 0; 6200 } 6201 } 6202 6203 return -1; 6204} 6205 6206#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 6207/* 6208 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id. 6209 */ 6210int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id) 6211{ 6212 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); 6213 6214 if (tls_id == 0) { 6215 return -1; 6216 } 6217 6218 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id); 6219} 6220#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 6221 6222static const struct { 6223 uint16_t tls_id; 6224 mbedtls_ecp_group_id ecp_group_id; 6225 psa_ecc_family_t psa_family; 6226 uint16_t bits; 6227} tls_id_match_table[] = 6228{ 6229#if defined(MBEDTLS_ECP_HAVE_SECP521R1) 6230 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 }, 6231#endif 6232#if defined(MBEDTLS_ECP_HAVE_BP512R1) 6233 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 }, 6234#endif 6235#if defined(MBEDTLS_ECP_HAVE_SECP384R1) 6236 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 }, 6237#endif 6238#if defined(MBEDTLS_ECP_HAVE_BP384R1) 6239 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 }, 6240#endif 6241#if defined(MBEDTLS_ECP_HAVE_SECP256R1) 6242 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 }, 6243#endif 6244#if defined(MBEDTLS_ECP_HAVE_SECP256K1) 6245 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 }, 6246#endif 6247#if defined(MBEDTLS_ECP_HAVE_BP256R1) 6248 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 }, 6249#endif 6250#if defined(MBEDTLS_ECP_HAVE_SECP224R1) 6251 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 }, 6252#endif 6253#if defined(MBEDTLS_ECP_HAVE_SECP224K1) 6254 { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 }, 6255#endif 6256#if defined(MBEDTLS_ECP_HAVE_SECP192R1) 6257 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 }, 6258#endif 6259#if defined(MBEDTLS_ECP_HAVE_SECP192K1) 6260 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 }, 6261#endif 6262#if defined(MBEDTLS_ECP_HAVE_CURVE25519) 6263 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 }, 6264#endif 6265#if defined(MBEDTLS_ECP_HAVE_CURVE448) 6266 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 }, 6267#endif 6268 { 0, MBEDTLS_ECP_DP_NONE, 0, 0 }, 6269}; 6270 6271int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id, 6272 psa_key_type_t *type, 6273 size_t *bits) 6274{ 6275 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { 6276 if (tls_id_match_table[i].tls_id == tls_id) { 6277 if (type != NULL) { 6278 *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family); 6279 } 6280 if (bits != NULL) { 6281 *bits = tls_id_match_table[i].bits; 6282 } 6283 return PSA_SUCCESS; 6284 } 6285 } 6286 6287 return PSA_ERROR_NOT_SUPPORTED; 6288} 6289 6290mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id) 6291{ 6292 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { 6293 if (tls_id_match_table[i].tls_id == tls_id) { 6294 return tls_id_match_table[i].ecp_group_id; 6295 } 6296 } 6297 6298 return MBEDTLS_ECP_DP_NONE; 6299} 6300 6301uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id) 6302{ 6303 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE; 6304 i++) { 6305 if (tls_id_match_table[i].ecp_group_id == grp_id) { 6306 return tls_id_match_table[i].tls_id; 6307 } 6308 } 6309 6310 return 0; 6311} 6312 6313#if defined(MBEDTLS_DEBUG_C) 6314static const struct { 6315 uint16_t tls_id; 6316 const char *name; 6317} tls_id_curve_name_table[] = 6318{ 6319 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" }, 6320 { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" }, 6321 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" }, 6322 { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" }, 6323 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" }, 6324 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" }, 6325 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" }, 6326 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" }, 6327 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" }, 6328 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" }, 6329 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" }, 6330 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" }, 6331 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" }, 6332 { 0, NULL }, 6333}; 6334 6335const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id) 6336{ 6337 for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) { 6338 if (tls_id_curve_name_table[i].tls_id == tls_id) { 6339 return tls_id_curve_name_table[i].name; 6340 } 6341 } 6342 6343 return NULL; 6344} 6345#endif 6346 6347#if defined(MBEDTLS_X509_CRT_PARSE_C) 6348int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, 6349 const mbedtls_ssl_ciphersuite_t *ciphersuite, 6350 int cert_endpoint, 6351 uint32_t *flags) 6352{ 6353 int ret = 0; 6354 unsigned int usage = 0; 6355 const char *ext_oid; 6356 size_t ext_len; 6357 6358 if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { 6359 /* Server part of the key exchange */ 6360 switch (ciphersuite->key_exchange) { 6361 case MBEDTLS_KEY_EXCHANGE_RSA: 6362 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 6363 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 6364 break; 6365 6366 case MBEDTLS_KEY_EXCHANGE_DHE_RSA: 6367 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: 6368 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: 6369 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 6370 break; 6371 6372 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: 6373 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: 6374 usage = MBEDTLS_X509_KU_KEY_AGREEMENT; 6375 break; 6376 6377 /* Don't use default: we want warnings when adding new values */ 6378 case MBEDTLS_KEY_EXCHANGE_NONE: 6379 case MBEDTLS_KEY_EXCHANGE_PSK: 6380 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 6381 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 6382 case MBEDTLS_KEY_EXCHANGE_ECJPAKE: 6383 usage = 0; 6384 } 6385 } else { 6386 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */ 6387 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 6388 } 6389 6390 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) { 6391 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; 6392 ret = -1; 6393 } 6394 6395 if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) { 6396 ext_oid = MBEDTLS_OID_SERVER_AUTH; 6397 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); 6398 } else { 6399 ext_oid = MBEDTLS_OID_CLIENT_AUTH; 6400 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); 6401 } 6402 6403 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) { 6404 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; 6405 ret = -1; 6406 } 6407 6408 return ret; 6409} 6410#endif /* MBEDTLS_X509_CRT_PARSE_C */ 6411 6412#if defined(MBEDTLS_USE_PSA_CRYPTO) 6413int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 6414 const mbedtls_md_type_t md, 6415 unsigned char *dst, 6416 size_t dst_len, 6417 size_t *olen) 6418{ 6419 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 6420 psa_hash_operation_t *hash_operation_to_clone; 6421 psa_hash_operation_t hash_operation = psa_hash_operation_init(); 6422 6423 *olen = 0; 6424 6425 switch (md) { 6426#if defined(MBEDTLS_MD_CAN_SHA384) 6427 case MBEDTLS_MD_SHA384: 6428 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa; 6429 break; 6430#endif 6431 6432#if defined(MBEDTLS_MD_CAN_SHA256) 6433 case MBEDTLS_MD_SHA256: 6434 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa; 6435 break; 6436#endif 6437 6438 default: 6439 goto exit; 6440 } 6441 6442 status = psa_hash_clone(hash_operation_to_clone, &hash_operation); 6443 if (status != PSA_SUCCESS) { 6444 goto exit; 6445 } 6446 6447 status = psa_hash_finish(&hash_operation, dst, dst_len, olen); 6448 if (status != PSA_SUCCESS) { 6449 goto exit; 6450 } 6451 6452exit: 6453#if !defined(MBEDTLS_MD_CAN_SHA384) && \ 6454 !defined(MBEDTLS_MD_CAN_SHA256) 6455 (void) ssl; 6456#endif 6457 return PSA_TO_MBEDTLS_ERR(status); 6458} 6459#else /* MBEDTLS_USE_PSA_CRYPTO */ 6460 6461#if defined(MBEDTLS_MD_CAN_SHA384) 6462MBEDTLS_CHECK_RETURN_CRITICAL 6463static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl, 6464 unsigned char *dst, 6465 size_t dst_len, 6466 size_t *olen) 6467{ 6468 int ret; 6469 mbedtls_md_context_t sha384; 6470 6471 if (dst_len < 48) { 6472 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6473 } 6474 6475 mbedtls_md_init(&sha384); 6476 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); 6477 if (ret != 0) { 6478 goto exit; 6479 } 6480 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384); 6481 if (ret != 0) { 6482 goto exit; 6483 } 6484 6485 if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) { 6486 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 6487 goto exit; 6488 } 6489 6490 *olen = 48; 6491 6492exit: 6493 6494 mbedtls_md_free(&sha384); 6495 return ret; 6496} 6497#endif /* MBEDTLS_MD_CAN_SHA384 */ 6498 6499#if defined(MBEDTLS_MD_CAN_SHA256) 6500MBEDTLS_CHECK_RETURN_CRITICAL 6501static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl, 6502 unsigned char *dst, 6503 size_t dst_len, 6504 size_t *olen) 6505{ 6506 int ret; 6507 mbedtls_md_context_t sha256; 6508 6509 if (dst_len < 32) { 6510 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6511 } 6512 6513 mbedtls_md_init(&sha256); 6514 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0); 6515 if (ret != 0) { 6516 goto exit; 6517 } 6518 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256); 6519 if (ret != 0) { 6520 goto exit; 6521 } 6522 6523 if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) { 6524 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 6525 goto exit; 6526 } 6527 6528 *olen = 32; 6529 6530exit: 6531 6532 mbedtls_md_free(&sha256); 6533 return ret; 6534} 6535#endif /* MBEDTLS_MD_CAN_SHA256 */ 6536 6537int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 6538 const mbedtls_md_type_t md, 6539 unsigned char *dst, 6540 size_t dst_len, 6541 size_t *olen) 6542{ 6543 switch (md) { 6544 6545#if defined(MBEDTLS_MD_CAN_SHA384) 6546 case MBEDTLS_MD_SHA384: 6547 return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen); 6548#endif /* MBEDTLS_MD_CAN_SHA384*/ 6549 6550#if defined(MBEDTLS_MD_CAN_SHA256) 6551 case MBEDTLS_MD_SHA256: 6552 return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen); 6553#endif /* MBEDTLS_MD_CAN_SHA256*/ 6554 6555 default: 6556#if !defined(MBEDTLS_MD_CAN_SHA384) && \ 6557 !defined(MBEDTLS_MD_CAN_SHA256) 6558 (void) ssl; 6559 (void) dst; 6560 (void) dst_len; 6561 (void) olen; 6562#endif 6563 break; 6564 } 6565 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6566} 6567 6568#endif /* !MBEDTLS_USE_PSA_CRYPTO */ 6569 6570#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 6571/* mbedtls_ssl_parse_sig_alg_ext() 6572 * 6573 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList` 6574 * value (TLS 1.3 RFC8446): 6575 * enum { 6576 * .... 6577 * ecdsa_secp256r1_sha256( 0x0403 ), 6578 * ecdsa_secp384r1_sha384( 0x0503 ), 6579 * ecdsa_secp521r1_sha512( 0x0603 ), 6580 * .... 6581 * } SignatureScheme; 6582 * 6583 * struct { 6584 * SignatureScheme supported_signature_algorithms<2..2^16-2>; 6585 * } SignatureSchemeList; 6586 * 6587 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm` 6588 * value (TLS 1.2 RFC5246): 6589 * enum { 6590 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 6591 * sha512(6), (255) 6592 * } HashAlgorithm; 6593 * 6594 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 6595 * SignatureAlgorithm; 6596 * 6597 * struct { 6598 * HashAlgorithm hash; 6599 * SignatureAlgorithm signature; 6600 * } SignatureAndHashAlgorithm; 6601 * 6602 * SignatureAndHashAlgorithm 6603 * supported_signature_algorithms<2..2^16-2>; 6604 * 6605 * The TLS 1.3 signature algorithm extension was defined to be a compatible 6606 * generalization of the TLS 1.2 signature algorithm extension. 6607 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by 6608 * `SignatureScheme` field of TLS 1.3 6609 * 6610 */ 6611int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl, 6612 const unsigned char *buf, 6613 const unsigned char *end) 6614{ 6615 const unsigned char *p = buf; 6616 size_t supported_sig_algs_len = 0; 6617 const unsigned char *supported_sig_algs_end; 6618 uint16_t sig_alg; 6619 uint32_t common_idx = 0; 6620 6621 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 6622 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0); 6623 p += 2; 6624 6625 memset(ssl->handshake->received_sig_algs, 0, 6626 sizeof(ssl->handshake->received_sig_algs)); 6627 6628 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len); 6629 supported_sig_algs_end = p + supported_sig_algs_len; 6630 while (p < supported_sig_algs_end) { 6631 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2); 6632 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0); 6633 p += 2; 6634 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s", 6635 sig_alg, 6636 mbedtls_ssl_sig_alg_to_str(sig_alg))); 6637#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6638 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 6639 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) && 6640 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) { 6641 continue; 6642 } 6643#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 6644 6645 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s", 6646 mbedtls_ssl_sig_alg_to_str(sig_alg))); 6647 6648 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) { 6649 ssl->handshake->received_sig_algs[common_idx] = sig_alg; 6650 common_idx += 1; 6651 } 6652 } 6653 /* Check that we consumed all the message. */ 6654 if (p != end) { 6655 MBEDTLS_SSL_DEBUG_MSG(1, 6656 ("Signature algorithms extension length misaligned")); 6657 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, 6658 MBEDTLS_ERR_SSL_DECODE_ERROR); 6659 return MBEDTLS_ERR_SSL_DECODE_ERROR; 6660 } 6661 6662 if (common_idx == 0) { 6663 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common")); 6664 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, 6665 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 6666 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 6667 } 6668 6669 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE; 6670 return 0; 6671} 6672 6673#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 6674 6675#if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6676 6677#if defined(MBEDTLS_USE_PSA_CRYPTO) 6678 6679static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation, 6680 mbedtls_svc_key_id_t key, 6681 psa_algorithm_t alg, 6682 const unsigned char *raw_psk, size_t raw_psk_length, 6683 const unsigned char *seed, size_t seed_length, 6684 const unsigned char *label, size_t label_length, 6685 const unsigned char *other_secret, 6686 size_t other_secret_length, 6687 size_t capacity) 6688{ 6689 psa_status_t status; 6690 6691 status = psa_key_derivation_setup(derivation, alg); 6692 if (status != PSA_SUCCESS) { 6693 return status; 6694 } 6695 6696 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) { 6697 status = psa_key_derivation_input_bytes(derivation, 6698 PSA_KEY_DERIVATION_INPUT_SEED, 6699 seed, seed_length); 6700 if (status != PSA_SUCCESS) { 6701 return status; 6702 } 6703 6704 if (other_secret != NULL) { 6705 status = psa_key_derivation_input_bytes(derivation, 6706 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET, 6707 other_secret, other_secret_length); 6708 if (status != PSA_SUCCESS) { 6709 return status; 6710 } 6711 } 6712 6713 if (mbedtls_svc_key_id_is_null(key)) { 6714 status = psa_key_derivation_input_bytes( 6715 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, 6716 raw_psk, raw_psk_length); 6717 } else { 6718 status = psa_key_derivation_input_key( 6719 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key); 6720 } 6721 if (status != PSA_SUCCESS) { 6722 return status; 6723 } 6724 6725 status = psa_key_derivation_input_bytes(derivation, 6726 PSA_KEY_DERIVATION_INPUT_LABEL, 6727 label, label_length); 6728 if (status != PSA_SUCCESS) { 6729 return status; 6730 } 6731 } else { 6732 return PSA_ERROR_NOT_SUPPORTED; 6733 } 6734 6735 status = psa_key_derivation_set_capacity(derivation, capacity); 6736 if (status != PSA_SUCCESS) { 6737 return status; 6738 } 6739 6740 return PSA_SUCCESS; 6741} 6742 6743#if defined(PSA_WANT_ALG_SHA_384) || \ 6744 defined(PSA_WANT_ALG_SHA_256) 6745MBEDTLS_CHECK_RETURN_CRITICAL 6746static int tls_prf_generic(mbedtls_md_type_t md_type, 6747 const unsigned char *secret, size_t slen, 6748 const char *label, 6749 const unsigned char *random, size_t rlen, 6750 unsigned char *dstbuf, size_t dlen) 6751{ 6752 psa_status_t status; 6753 psa_algorithm_t alg; 6754 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT; 6755 psa_key_derivation_operation_t derivation = 6756 PSA_KEY_DERIVATION_OPERATION_INIT; 6757 6758 if (md_type == MBEDTLS_MD_SHA384) { 6759 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384); 6760 } else { 6761 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); 6762 } 6763 6764 /* Normally a "secret" should be long enough to be impossible to 6765 * find by brute force, and in particular should not be empty. But 6766 * this PRF is also used to derive an IV, in particular in EAP-TLS, 6767 * and for this use case it makes sense to have a 0-length "secret". 6768 * Since the key API doesn't allow importing a key of length 0, 6769 * keep master_key=0, which setup_psa_key_derivation() understands 6770 * to mean a 0-length "secret" input. */ 6771 if (slen != 0) { 6772 psa_key_attributes_t key_attributes = psa_key_attributes_init(); 6773 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 6774 psa_set_key_algorithm(&key_attributes, alg); 6775 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE); 6776 6777 status = psa_import_key(&key_attributes, secret, slen, &master_key); 6778 if (status != PSA_SUCCESS) { 6779 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6780 } 6781 } 6782 6783 status = setup_psa_key_derivation(&derivation, 6784 master_key, alg, 6785 NULL, 0, 6786 random, rlen, 6787 (unsigned char const *) label, 6788 (size_t) strlen(label), 6789 NULL, 0, 6790 dlen); 6791 if (status != PSA_SUCCESS) { 6792 psa_key_derivation_abort(&derivation); 6793 psa_destroy_key(master_key); 6794 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6795 } 6796 6797 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen); 6798 if (status != PSA_SUCCESS) { 6799 psa_key_derivation_abort(&derivation); 6800 psa_destroy_key(master_key); 6801 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6802 } 6803 6804 status = psa_key_derivation_abort(&derivation); 6805 if (status != PSA_SUCCESS) { 6806 psa_destroy_key(master_key); 6807 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6808 } 6809 6810 if (!mbedtls_svc_key_id_is_null(master_key)) { 6811 status = psa_destroy_key(master_key); 6812 } 6813 if (status != PSA_SUCCESS) { 6814 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6815 } 6816 6817 return 0; 6818} 6819#endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */ 6820#else /* MBEDTLS_USE_PSA_CRYPTO */ 6821 6822#if defined(MBEDTLS_MD_C) && \ 6823 (defined(MBEDTLS_MD_CAN_SHA256) || \ 6824 defined(MBEDTLS_MD_CAN_SHA384)) 6825MBEDTLS_CHECK_RETURN_CRITICAL 6826static int tls_prf_generic(mbedtls_md_type_t md_type, 6827 const unsigned char *secret, size_t slen, 6828 const char *label, 6829 const unsigned char *random, size_t rlen, 6830 unsigned char *dstbuf, size_t dlen) 6831{ 6832 size_t nb; 6833 size_t i, j, k, md_len; 6834 unsigned char *tmp; 6835 size_t tmp_len = 0; 6836 unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; 6837 const mbedtls_md_info_t *md_info; 6838 mbedtls_md_context_t md_ctx; 6839 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6840 6841 mbedtls_md_init(&md_ctx); 6842 6843 if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) { 6844 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6845 } 6846 6847 md_len = mbedtls_md_get_size(md_info); 6848 6849 tmp_len = md_len + strlen(label) + rlen; 6850 tmp = mbedtls_calloc(1, tmp_len); 6851 if (tmp == NULL) { 6852 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 6853 goto exit; 6854 } 6855 6856 nb = strlen(label); 6857 memcpy(tmp + md_len, label, nb); 6858 memcpy(tmp + md_len + nb, random, rlen); 6859 nb += rlen; 6860 6861 /* 6862 * Compute P_<hash>(secret, label + random)[0..dlen] 6863 */ 6864 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) { 6865 goto exit; 6866 } 6867 6868 ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen); 6869 if (ret != 0) { 6870 goto exit; 6871 } 6872 ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb); 6873 if (ret != 0) { 6874 goto exit; 6875 } 6876 ret = mbedtls_md_hmac_finish(&md_ctx, tmp); 6877 if (ret != 0) { 6878 goto exit; 6879 } 6880 6881 for (i = 0; i < dlen; i += md_len) { 6882 ret = mbedtls_md_hmac_reset(&md_ctx); 6883 if (ret != 0) { 6884 goto exit; 6885 } 6886 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb); 6887 if (ret != 0) { 6888 goto exit; 6889 } 6890 ret = mbedtls_md_hmac_finish(&md_ctx, h_i); 6891 if (ret != 0) { 6892 goto exit; 6893 } 6894 6895 ret = mbedtls_md_hmac_reset(&md_ctx); 6896 if (ret != 0) { 6897 goto exit; 6898 } 6899 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len); 6900 if (ret != 0) { 6901 goto exit; 6902 } 6903 ret = mbedtls_md_hmac_finish(&md_ctx, tmp); 6904 if (ret != 0) { 6905 goto exit; 6906 } 6907 6908 k = (i + md_len > dlen) ? dlen % md_len : md_len; 6909 6910 for (j = 0; j < k; j++) { 6911 dstbuf[i + j] = h_i[j]; 6912 } 6913 } 6914 6915exit: 6916 mbedtls_md_free(&md_ctx); 6917 6918 if (tmp != NULL) { 6919 mbedtls_platform_zeroize(tmp, tmp_len); 6920 } 6921 6922 mbedtls_platform_zeroize(h_i, sizeof(h_i)); 6923 6924 mbedtls_free(tmp); 6925 6926 return ret; 6927} 6928#endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */ 6929#endif /* MBEDTLS_USE_PSA_CRYPTO */ 6930 6931#if defined(MBEDTLS_MD_CAN_SHA256) 6932MBEDTLS_CHECK_RETURN_CRITICAL 6933static int tls_prf_sha256(const unsigned char *secret, size_t slen, 6934 const char *label, 6935 const unsigned char *random, size_t rlen, 6936 unsigned char *dstbuf, size_t dlen) 6937{ 6938 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen, 6939 label, random, rlen, dstbuf, dlen); 6940} 6941#endif /* MBEDTLS_MD_CAN_SHA256*/ 6942 6943#if defined(MBEDTLS_MD_CAN_SHA384) 6944MBEDTLS_CHECK_RETURN_CRITICAL 6945static int tls_prf_sha384(const unsigned char *secret, size_t slen, 6946 const char *label, 6947 const unsigned char *random, size_t rlen, 6948 unsigned char *dstbuf, size_t dlen) 6949{ 6950 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen, 6951 label, random, rlen, dstbuf, dlen); 6952} 6953#endif /* MBEDTLS_MD_CAN_SHA384*/ 6954 6955/* 6956 * Set appropriate PRF function and other SSL / TLS1.2 functions 6957 * 6958 * Inputs: 6959 * - hash associated with the ciphersuite (only used by TLS 1.2) 6960 * 6961 * Outputs: 6962 * - the tls_prf, calc_verify and calc_finished members of handshake structure 6963 */ 6964MBEDTLS_CHECK_RETURN_CRITICAL 6965static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake, 6966 mbedtls_md_type_t hash) 6967{ 6968#if defined(MBEDTLS_MD_CAN_SHA384) 6969 if (hash == MBEDTLS_MD_SHA384) { 6970 handshake->tls_prf = tls_prf_sha384; 6971 handshake->calc_verify = ssl_calc_verify_tls_sha384; 6972 handshake->calc_finished = ssl_calc_finished_tls_sha384; 6973 } else 6974#endif 6975#if defined(MBEDTLS_MD_CAN_SHA256) 6976 { 6977 (void) hash; 6978 handshake->tls_prf = tls_prf_sha256; 6979 handshake->calc_verify = ssl_calc_verify_tls_sha256; 6980 handshake->calc_finished = ssl_calc_finished_tls_sha256; 6981 } 6982#else 6983 { 6984 (void) handshake; 6985 (void) hash; 6986 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6987 } 6988#endif 6989 6990 return 0; 6991} 6992 6993/* 6994 * Compute master secret if needed 6995 * 6996 * Parameters: 6997 * [in/out] handshake 6998 * [in] resume, premaster, extended_ms, calc_verify, tls_prf 6999 * (PSA-PSK) ciphersuite_info, psk_opaque 7000 * [out] premaster (cleared) 7001 * [out] master 7002 * [in] ssl: optionally used for debugging, EMS and PSA-PSK 7003 * debug: conf->f_dbg, conf->p_dbg 7004 * EMS: passed to calc_verify (debug + session_negotiate) 7005 * PSA-PSA: conf 7006 */ 7007MBEDTLS_CHECK_RETURN_CRITICAL 7008static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, 7009 unsigned char *master, 7010 const mbedtls_ssl_context *ssl) 7011{ 7012 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7013 7014 /* cf. RFC 5246, Section 8.1: 7015 * "The master secret is always exactly 48 bytes in length." */ 7016 size_t const master_secret_len = 48; 7017 7018#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 7019 unsigned char session_hash[48]; 7020#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 7021 7022 /* The label for the KDF used for key expansion. 7023 * This is either "master secret" or "extended master secret" 7024 * depending on whether the Extended Master Secret extension 7025 * is used. */ 7026 char const *lbl = "master secret"; 7027 7028 /* The seed for the KDF used for key expansion. 7029 * - If the Extended Master Secret extension is not used, 7030 * this is ClientHello.Random + ServerHello.Random 7031 * (see Sect. 8.1 in RFC 5246). 7032 * - If the Extended Master Secret extension is used, 7033 * this is the transcript of the handshake so far. 7034 * (see Sect. 4 in RFC 7627). */ 7035 unsigned char const *seed = handshake->randbytes; 7036 size_t seed_len = 64; 7037 7038#if !defined(MBEDTLS_DEBUG_C) && \ 7039 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \ 7040 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7041 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)) 7042 ssl = NULL; /* make sure we don't use it except for those cases */ 7043 (void) ssl; 7044#endif 7045 7046 if (handshake->resume != 0) { 7047 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)")); 7048 return 0; 7049 } 7050 7051#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 7052 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { 7053 lbl = "extended master secret"; 7054 seed = session_hash; 7055 ret = handshake->calc_verify(ssl, session_hash, &seed_len); 7056 if (ret != 0) { 7057 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret); 7058 } 7059 7060 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret", 7061 session_hash, seed_len); 7062 } 7063#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 7064 7065#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7066 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 7067 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) { 7068 /* Perform PSK-to-MS expansion in a single step. */ 7069 psa_status_t status; 7070 psa_algorithm_t alg; 7071 mbedtls_svc_key_id_t psk; 7072 psa_key_derivation_operation_t derivation = 7073 PSA_KEY_DERIVATION_OPERATION_INIT; 7074 mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac; 7075 7076 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion")); 7077 7078 psk = mbedtls_ssl_get_opaque_psk(ssl); 7079 7080 if (hash_alg == MBEDTLS_MD_SHA384) { 7081 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); 7082 } else { 7083 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); 7084 } 7085 7086 size_t other_secret_len = 0; 7087 unsigned char *other_secret = NULL; 7088 7089 switch (handshake->ciphersuite_info->key_exchange) { 7090 /* Provide other secret. 7091 * Other secret is stored in premaster, where first 2 bytes hold the 7092 * length of the other key. 7093 */ 7094 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 7095 /* For RSA-PSK other key length is always 48 bytes. */ 7096 other_secret_len = 48; 7097 other_secret = handshake->premaster + 2; 7098 break; 7099 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 7100 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 7101 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0); 7102 other_secret = handshake->premaster + 2; 7103 break; 7104 default: 7105 break; 7106 } 7107 7108 status = setup_psa_key_derivation(&derivation, psk, alg, 7109 ssl->conf->psk, ssl->conf->psk_len, 7110 seed, seed_len, 7111 (unsigned char const *) lbl, 7112 (size_t) strlen(lbl), 7113 other_secret, other_secret_len, 7114 master_secret_len); 7115 if (status != PSA_SUCCESS) { 7116 psa_key_derivation_abort(&derivation); 7117 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7118 } 7119 7120 status = psa_key_derivation_output_bytes(&derivation, 7121 master, 7122 master_secret_len); 7123 if (status != PSA_SUCCESS) { 7124 psa_key_derivation_abort(&derivation); 7125 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7126 } 7127 7128 status = psa_key_derivation_abort(&derivation); 7129 if (status != PSA_SUCCESS) { 7130 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7131 } 7132 } else 7133#endif 7134 { 7135#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7136 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 7137 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 7138 psa_status_t status; 7139 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; 7140 psa_key_derivation_operation_t derivation = 7141 PSA_KEY_DERIVATION_OPERATION_INIT; 7142 7143 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE")); 7144 7145 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE; 7146 7147 status = psa_key_derivation_setup(&derivation, alg); 7148 if (status != PSA_SUCCESS) { 7149 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7150 } 7151 7152 status = psa_key_derivation_set_capacity(&derivation, 7153 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE); 7154 if (status != PSA_SUCCESS) { 7155 psa_key_derivation_abort(&derivation); 7156 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7157 } 7158 7159 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx, 7160 &derivation); 7161 if (status != PSA_SUCCESS) { 7162 psa_key_derivation_abort(&derivation); 7163 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7164 } 7165 7166 status = psa_key_derivation_output_bytes(&derivation, 7167 handshake->premaster, 7168 handshake->pmslen); 7169 if (status != PSA_SUCCESS) { 7170 psa_key_derivation_abort(&derivation); 7171 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7172 } 7173 7174 status = psa_key_derivation_abort(&derivation); 7175 if (status != PSA_SUCCESS) { 7176 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7177 } 7178 } 7179#endif 7180 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen, 7181 lbl, seed, seed_len, 7182 master, 7183 master_secret_len); 7184 if (ret != 0) { 7185 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); 7186 return ret; 7187 } 7188 7189 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret", 7190 handshake->premaster, 7191 handshake->pmslen); 7192 7193 mbedtls_platform_zeroize(handshake->premaster, 7194 sizeof(handshake->premaster)); 7195 } 7196 7197 return 0; 7198} 7199 7200int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl) 7201{ 7202 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7203 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = 7204 ssl->handshake->ciphersuite_info; 7205 7206 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys")); 7207 7208 /* Set PRF, calc_verify and calc_finished function pointers */ 7209 ret = ssl_set_handshake_prfs(ssl->handshake, 7210 (mbedtls_md_type_t) ciphersuite_info->mac); 7211 if (ret != 0) { 7212 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret); 7213 return ret; 7214 } 7215 7216 /* Compute master secret if needed */ 7217 ret = ssl_compute_master(ssl->handshake, 7218 ssl->session_negotiate->master, 7219 ssl); 7220 if (ret != 0) { 7221 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret); 7222 return ret; 7223 } 7224 7225 /* Swap the client and server random values: 7226 * - MS derivation wanted client+server (RFC 5246 8.1) 7227 * - key derivation wants server+client (RFC 5246 6.3) */ 7228 { 7229 unsigned char tmp[64]; 7230 memcpy(tmp, ssl->handshake->randbytes, 64); 7231 memcpy(ssl->handshake->randbytes, tmp + 32, 32); 7232 memcpy(ssl->handshake->randbytes + 32, tmp, 32); 7233 mbedtls_platform_zeroize(tmp, sizeof(tmp)); 7234 } 7235 7236 /* Populate transform structure */ 7237 ret = ssl_tls12_populate_transform(ssl->transform_negotiate, 7238 ssl->session_negotiate->ciphersuite, 7239 ssl->session_negotiate->master, 7240#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 7241 ssl->session_negotiate->encrypt_then_mac, 7242#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 7243 ssl->handshake->tls_prf, 7244 ssl->handshake->randbytes, 7245 ssl->tls_version, 7246 ssl->conf->endpoint, 7247 ssl); 7248 if (ret != 0) { 7249 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret); 7250 return ret; 7251 } 7252 7253 /* We no longer need Server/ClientHello.random values */ 7254 mbedtls_platform_zeroize(ssl->handshake->randbytes, 7255 sizeof(ssl->handshake->randbytes)); 7256 7257 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys")); 7258 7259 return 0; 7260} 7261 7262int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md) 7263{ 7264 switch (md) { 7265#if defined(MBEDTLS_MD_CAN_SHA384) 7266 case MBEDTLS_SSL_HASH_SHA384: 7267 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; 7268 break; 7269#endif 7270#if defined(MBEDTLS_MD_CAN_SHA256) 7271 case MBEDTLS_SSL_HASH_SHA256: 7272 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256; 7273 break; 7274#endif 7275 default: 7276 return -1; 7277 } 7278#if !defined(MBEDTLS_MD_CAN_SHA384) && \ 7279 !defined(MBEDTLS_MD_CAN_SHA256) 7280 (void) ssl; 7281#endif 7282 return 0; 7283} 7284 7285#if defined(MBEDTLS_USE_PSA_CRYPTO) 7286static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl, 7287 const psa_hash_operation_t *hs_op, 7288 size_t buffer_size, 7289 unsigned char *hash, 7290 size_t *hlen) 7291{ 7292 psa_status_t status; 7293 psa_hash_operation_t cloned_op = psa_hash_operation_init(); 7294 7295#if !defined(MBEDTLS_DEBUG_C) 7296 (void) ssl; 7297#endif 7298 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify")); 7299 status = psa_hash_clone(hs_op, &cloned_op); 7300 if (status != PSA_SUCCESS) { 7301 goto exit; 7302 } 7303 7304 status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen); 7305 if (status != PSA_SUCCESS) { 7306 goto exit; 7307 } 7308 7309 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); 7310 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); 7311 7312exit: 7313 psa_hash_abort(&cloned_op); 7314 return mbedtls_md_error_from_psa(status); 7315} 7316#else 7317static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl, 7318 const mbedtls_md_context_t *hs_ctx, 7319 unsigned char *hash, 7320 size_t *hlen) 7321{ 7322 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7323 mbedtls_md_context_t cloned_ctx; 7324 7325 mbedtls_md_init(&cloned_ctx); 7326 7327#if !defined(MBEDTLS_DEBUG_C) 7328 (void) ssl; 7329#endif 7330 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify")); 7331 7332 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0); 7333 if (ret != 0) { 7334 goto exit; 7335 } 7336 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx); 7337 if (ret != 0) { 7338 goto exit; 7339 } 7340 7341 ret = mbedtls_md_finish(&cloned_ctx, hash); 7342 if (ret != 0) { 7343 goto exit; 7344 } 7345 7346 *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx)); 7347 7348 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); 7349 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); 7350 7351exit: 7352 mbedtls_md_free(&cloned_ctx); 7353 return ret; 7354} 7355#endif /* MBEDTLS_USE_PSA_CRYPTO */ 7356 7357#if defined(MBEDTLS_MD_CAN_SHA256) 7358int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, 7359 unsigned char *hash, 7360 size_t *hlen) 7361{ 7362#if defined(MBEDTLS_USE_PSA_CRYPTO) 7363 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32, 7364 hash, hlen); 7365#else 7366 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256, 7367 hash, hlen); 7368#endif /* MBEDTLS_USE_PSA_CRYPTO */ 7369} 7370#endif /* MBEDTLS_MD_CAN_SHA256 */ 7371 7372#if defined(MBEDTLS_MD_CAN_SHA384) 7373int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, 7374 unsigned char *hash, 7375 size_t *hlen) 7376{ 7377#if defined(MBEDTLS_USE_PSA_CRYPTO) 7378 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48, 7379 hash, hlen); 7380#else 7381 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384, 7382 hash, hlen); 7383#endif /* MBEDTLS_USE_PSA_CRYPTO */ 7384} 7385#endif /* MBEDTLS_MD_CAN_SHA384 */ 7386 7387#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7388 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 7389int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex) 7390{ 7391 unsigned char *p = ssl->handshake->premaster; 7392 unsigned char *end = p + sizeof(ssl->handshake->premaster); 7393 const unsigned char *psk = NULL; 7394 size_t psk_len = 0; 7395 int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len); 7396 7397 if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) { 7398 /* 7399 * This should never happen because the existence of a PSK is always 7400 * checked before calling this function. 7401 * 7402 * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with 7403 * the shared secret without PSK. 7404 */ 7405 if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 7406 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7407 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7408 } 7409 } 7410 7411 /* 7412 * PMS = struct { 7413 * opaque other_secret<0..2^16-1>; 7414 * opaque psk<0..2^16-1>; 7415 * }; 7416 * with "other_secret" depending on the particular key exchange 7417 */ 7418#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 7419 if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) { 7420 if (end - p < 2) { 7421 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7422 } 7423 7424 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); 7425 p += 2; 7426 7427 if (end < p || (size_t) (end - p) < psk_len) { 7428 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7429 } 7430 7431 memset(p, 0, psk_len); 7432 p += psk_len; 7433 } else 7434#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 7435#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 7436 if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 7437 /* 7438 * other_secret already set by the ClientKeyExchange message, 7439 * and is 48 bytes long 7440 */ 7441 if (end - p < 2) { 7442 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7443 } 7444 7445 *p++ = 0; 7446 *p++ = 48; 7447 p += 48; 7448 } else 7449#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 7450#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 7451 if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 7452 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7453 size_t len; 7454 7455 /* Write length only when we know the actual value */ 7456 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, 7457 p + 2, (size_t) (end - (p + 2)), &len, 7458 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 7459 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); 7460 return ret; 7461 } 7462 MBEDTLS_PUT_UINT16_BE(len, p, 0); 7463 p += 2 + len; 7464 7465 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); 7466 } else 7467#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 7468#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 7469 if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { 7470 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7471 size_t zlen; 7472 7473 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen, 7474 p + 2, (size_t) (end - (p + 2)), 7475 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 7476 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); 7477 return ret; 7478 } 7479 7480 MBEDTLS_PUT_UINT16_BE(zlen, p, 0); 7481 p += 2 + zlen; 7482 7483 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 7484 MBEDTLS_DEBUG_ECDH_Z); 7485 } else 7486#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 7487 { 7488 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7489 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7490 } 7491 7492 /* opaque psk<0..2^16-1>; */ 7493 if (end - p < 2) { 7494 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7495 } 7496 7497 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); 7498 p += 2; 7499 7500 if (end < p || (size_t) (end - p) < psk_len) { 7501 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7502 } 7503 7504 memcpy(p, psk, psk_len); 7505 p += psk_len; 7506 7507 ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster); 7508 7509 return 0; 7510} 7511#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 7512 7513#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 7514MBEDTLS_CHECK_RETURN_CRITICAL 7515static int ssl_write_hello_request(mbedtls_ssl_context *ssl); 7516 7517#if defined(MBEDTLS_SSL_PROTO_DTLS) 7518int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl) 7519{ 7520 /* If renegotiation is not enforced, retransmit until we would reach max 7521 * timeout if we were using the usual handshake doubling scheme */ 7522 if (ssl->conf->renego_max_records < 0) { 7523 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; 7524 unsigned char doublings = 1; 7525 7526 while (ratio != 0) { 7527 ++doublings; 7528 ratio >>= 1; 7529 } 7530 7531 if (++ssl->renego_records_seen > doublings) { 7532 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request")); 7533 return 0; 7534 } 7535 } 7536 7537 return ssl_write_hello_request(ssl); 7538} 7539#endif 7540#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 7541 7542/* 7543 * Handshake functions 7544 */ 7545#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 7546/* No certificate support -> dummy functions */ 7547int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) 7548{ 7549 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7550 ssl->handshake->ciphersuite_info; 7551 7552 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); 7553 7554 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7555 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 7556 ssl->state++; 7557 return 0; 7558 } 7559 7560 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7561 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7562} 7563 7564int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) 7565{ 7566 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7567 ssl->handshake->ciphersuite_info; 7568 7569 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); 7570 7571 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7572 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); 7573 ssl->state++; 7574 return 0; 7575 } 7576 7577 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7578 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7579} 7580 7581#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 7582/* Some certificate support -> implement write and parse */ 7583 7584int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) 7585{ 7586 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 7587 size_t i, n; 7588 const mbedtls_x509_crt *crt; 7589 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7590 ssl->handshake->ciphersuite_info; 7591 7592 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); 7593 7594 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7595 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 7596 ssl->state++; 7597 return 0; 7598 } 7599 7600#if defined(MBEDTLS_SSL_CLI_C) 7601 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 7602 if (ssl->handshake->client_auth == 0) { 7603 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 7604 ssl->state++; 7605 return 0; 7606 } 7607 } 7608#endif /* MBEDTLS_SSL_CLI_C */ 7609#if defined(MBEDTLS_SSL_SRV_C) 7610 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 7611 if (mbedtls_ssl_own_cert(ssl) == NULL) { 7612 /* Should never happen because we shouldn't have picked the 7613 * ciphersuite if we don't have a certificate. */ 7614 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7615 } 7616 } 7617#endif 7618 7619 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl)); 7620 7621 /* 7622 * 0 . 0 handshake type 7623 * 1 . 3 handshake length 7624 * 4 . 6 length of all certs 7625 * 7 . 9 length of cert. 1 7626 * 10 . n-1 peer certificate 7627 * n . n+2 length of cert. 2 7628 * n+3 . ... upper level cert, etc. 7629 */ 7630 i = 7; 7631 crt = mbedtls_ssl_own_cert(ssl); 7632 7633 while (crt != NULL) { 7634 n = crt->raw.len; 7635 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) { 7636 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET 7637 " > %" MBEDTLS_PRINTF_SIZET, 7638 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN)); 7639 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 7640 } 7641 7642 ssl->out_msg[i] = MBEDTLS_BYTE_2(n); 7643 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n); 7644 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n); 7645 7646 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n); 7647 i += n; crt = crt->next; 7648 } 7649 7650 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7); 7651 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7); 7652 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7); 7653 7654 ssl->out_msglen = i; 7655 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 7656 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; 7657 7658 ssl->state++; 7659 7660 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 7661 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 7662 return ret; 7663 } 7664 7665 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate")); 7666 7667 return ret; 7668} 7669 7670#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7671 7672#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7673MBEDTLS_CHECK_RETURN_CRITICAL 7674static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, 7675 unsigned char *crt_buf, 7676 size_t crt_buf_len) 7677{ 7678 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert; 7679 7680 if (peer_crt == NULL) { 7681 return -1; 7682 } 7683 7684 if (peer_crt->raw.len != crt_buf_len) { 7685 return -1; 7686 } 7687 7688 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len); 7689} 7690#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7691MBEDTLS_CHECK_RETURN_CRITICAL 7692static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, 7693 unsigned char *crt_buf, 7694 size_t crt_buf_len) 7695{ 7696 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7697 unsigned char const * const peer_cert_digest = 7698 ssl->session->peer_cert_digest; 7699 mbedtls_md_type_t const peer_cert_digest_type = 7700 ssl->session->peer_cert_digest_type; 7701 mbedtls_md_info_t const * const digest_info = 7702 mbedtls_md_info_from_type(peer_cert_digest_type); 7703 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN]; 7704 size_t digest_len; 7705 7706 if (peer_cert_digest == NULL || digest_info == NULL) { 7707 return -1; 7708 } 7709 7710 digest_len = mbedtls_md_get_size(digest_info); 7711 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) { 7712 return -1; 7713 } 7714 7715 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest); 7716 if (ret != 0) { 7717 return -1; 7718 } 7719 7720 return memcmp(tmp_digest, peer_cert_digest, digest_len); 7721} 7722#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7723#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 7724 7725/* 7726 * Once the certificate message is read, parse it into a cert chain and 7727 * perform basic checks, but leave actual verification to the caller 7728 */ 7729MBEDTLS_CHECK_RETURN_CRITICAL 7730static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl, 7731 mbedtls_x509_crt *chain) 7732{ 7733 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7734#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7735 int crt_cnt = 0; 7736#endif 7737 size_t i, n; 7738 uint8_t alert; 7739 7740 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 7741 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7742 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7743 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 7744 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 7745 } 7746 7747 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) { 7748 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7749 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 7750 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 7751 } 7752 7753 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) { 7754 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7755 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7756 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7757 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7758 } 7759 7760 i = mbedtls_ssl_hs_hdr_len(ssl); 7761 7762 /* 7763 * Same message structure as in mbedtls_ssl_write_certificate() 7764 */ 7765 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1); 7766 7767 if (ssl->in_msg[i] != 0 || 7768 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) { 7769 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7770 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7771 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7772 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7773 } 7774 7775 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */ 7776 i += 3; 7777 7778 /* Iterate through and parse the CRTs in the provided chain. */ 7779 while (i < ssl->in_hslen) { 7780 /* Check that there's room for the next CRT's length fields. */ 7781 if (i + 3 > ssl->in_hslen) { 7782 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7783 mbedtls_ssl_send_alert_message(ssl, 7784 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7785 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7786 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7787 } 7788 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support 7789 * anything beyond 2**16 ~ 64K. */ 7790 if (ssl->in_msg[i] != 0) { 7791 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7792 mbedtls_ssl_send_alert_message(ssl, 7793 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7794 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); 7795 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 7796 } 7797 7798 /* Read length of the next CRT in the chain. */ 7799 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1); 7800 i += 3; 7801 7802 if (n < 128 || i + n > ssl->in_hslen) { 7803 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7804 mbedtls_ssl_send_alert_message(ssl, 7805 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7806 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7807 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7808 } 7809 7810 /* Check if we're handling the first CRT in the chain. */ 7811#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7812 if (crt_cnt++ == 0 && 7813 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 7814 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 7815 /* During client-side renegotiation, check that the server's 7816 * end-CRTs hasn't changed compared to the initial handshake, 7817 * mitigating the triple handshake attack. On success, reuse 7818 * the original end-CRT instead of parsing it again. */ 7819 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation")); 7820 if (ssl_check_peer_crt_unchanged(ssl, 7821 &ssl->in_msg[i], 7822 n) != 0) { 7823 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation")); 7824 mbedtls_ssl_send_alert_message(ssl, 7825 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7826 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED); 7827 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 7828 } 7829 7830 /* Now we can safely free the original chain. */ 7831 ssl_clear_peer_cert(ssl->session); 7832 } 7833#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 7834 7835 /* Parse the next certificate in the chain. */ 7836#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7837 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n); 7838#else 7839 /* If we don't need to store the CRT chain permanently, parse 7840 * it in-place from the input buffer instead of making a copy. */ 7841 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n); 7842#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7843 switch (ret) { 7844 case 0: /*ok*/ 7845 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: 7846 /* Ignore certificate with an unknown algorithm: maybe a 7847 prior certificate was already trusted. */ 7848 break; 7849 7850 case MBEDTLS_ERR_X509_ALLOC_FAILED: 7851 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR; 7852 goto crt_parse_der_failed; 7853 7854 case MBEDTLS_ERR_X509_UNKNOWN_VERSION: 7855 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 7856 goto crt_parse_der_failed; 7857 7858 default: 7859 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 7860crt_parse_der_failed: 7861 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert); 7862 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); 7863 return ret; 7864 } 7865 7866 i += n; 7867 } 7868 7869 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain); 7870 return 0; 7871} 7872 7873#if defined(MBEDTLS_SSL_SRV_C) 7874MBEDTLS_CHECK_RETURN_CRITICAL 7875static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl) 7876{ 7877 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 7878 return -1; 7879 } 7880 7881 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) && 7882 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 7883 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && 7884 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) { 7885 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate")); 7886 return 0; 7887 } 7888 return -1; 7889} 7890#endif /* MBEDTLS_SSL_SRV_C */ 7891 7892/* Check if a certificate message is expected. 7893 * Return either 7894 * - SSL_CERTIFICATE_EXPECTED, or 7895 * - SSL_CERTIFICATE_SKIP 7896 * indicating whether a Certificate message is expected or not. 7897 */ 7898#define SSL_CERTIFICATE_EXPECTED 0 7899#define SSL_CERTIFICATE_SKIP 1 7900MBEDTLS_CHECK_RETURN_CRITICAL 7901static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl, 7902 int authmode) 7903{ 7904 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7905 ssl->handshake->ciphersuite_info; 7906 7907 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7908 return SSL_CERTIFICATE_SKIP; 7909 } 7910 7911#if defined(MBEDTLS_SSL_SRV_C) 7912 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 7913 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 7914 return SSL_CERTIFICATE_SKIP; 7915 } 7916 7917 if (authmode == MBEDTLS_SSL_VERIFY_NONE) { 7918 ssl->session_negotiate->verify_result = 7919 MBEDTLS_X509_BADCERT_SKIP_VERIFY; 7920 return SSL_CERTIFICATE_SKIP; 7921 } 7922 } 7923#else 7924 ((void) authmode); 7925#endif /* MBEDTLS_SSL_SRV_C */ 7926 7927 return SSL_CERTIFICATE_EXPECTED; 7928} 7929 7930MBEDTLS_CHECK_RETURN_CRITICAL 7931static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl, 7932 int authmode, 7933 mbedtls_x509_crt *chain, 7934 void *rs_ctx) 7935{ 7936 int ret = 0; 7937 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7938 ssl->handshake->ciphersuite_info; 7939 int have_ca_chain = 0; 7940 7941 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); 7942 void *p_vrfy; 7943 7944 if (authmode == MBEDTLS_SSL_VERIFY_NONE) { 7945 return 0; 7946 } 7947 7948 if (ssl->f_vrfy != NULL) { 7949 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback")); 7950 f_vrfy = ssl->f_vrfy; 7951 p_vrfy = ssl->p_vrfy; 7952 } else { 7953 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback")); 7954 f_vrfy = ssl->conf->f_vrfy; 7955 p_vrfy = ssl->conf->p_vrfy; 7956 } 7957 7958 /* 7959 * Main check: verify certificate 7960 */ 7961#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 7962 if (ssl->conf->f_ca_cb != NULL) { 7963 ((void) rs_ctx); 7964 have_ca_chain = 1; 7965 7966 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification")); 7967 ret = mbedtls_x509_crt_verify_with_ca_cb( 7968 chain, 7969 ssl->conf->f_ca_cb, 7970 ssl->conf->p_ca_cb, 7971 ssl->conf->cert_profile, 7972 ssl->hostname, 7973 &ssl->session_negotiate->verify_result, 7974 f_vrfy, p_vrfy); 7975 } else 7976#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 7977 { 7978 mbedtls_x509_crt *ca_chain; 7979 mbedtls_x509_crl *ca_crl; 7980 7981#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 7982 if (ssl->handshake->sni_ca_chain != NULL) { 7983 ca_chain = ssl->handshake->sni_ca_chain; 7984 ca_crl = ssl->handshake->sni_ca_crl; 7985 } else 7986#endif 7987 { 7988 ca_chain = ssl->conf->ca_chain; 7989 ca_crl = ssl->conf->ca_crl; 7990 } 7991 7992 if (ca_chain != NULL) { 7993 have_ca_chain = 1; 7994 } 7995 7996 ret = mbedtls_x509_crt_verify_restartable( 7997 chain, 7998 ca_chain, ca_crl, 7999 ssl->conf->cert_profile, 8000 ssl->hostname, 8001 &ssl->session_negotiate->verify_result, 8002 f_vrfy, p_vrfy, rs_ctx); 8003 } 8004 8005 if (ret != 0) { 8006 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); 8007 } 8008 8009#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 8010 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 8011 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 8012 } 8013#endif 8014 8015 /* 8016 * Secondary checks: always done, but change 'ret' only if it was 0 8017 */ 8018 8019#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 8020 { 8021 const mbedtls_pk_context *pk = &chain->pk; 8022 8023 /* If certificate uses an EC key, make sure the curve is OK. 8024 * This is a public key, so it can't be opaque, so can_do() is a good 8025 * enough check to ensure pk_ec() is safe to use here. */ 8026 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { 8027 /* and in the unlikely case the above assumption no longer holds 8028 * we are making sure that pk_ec() here does not return a NULL 8029 */ 8030 mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk); 8031 if (grp_id == MBEDTLS_ECP_DP_NONE) { 8032 MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID")); 8033 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8034 } 8035 if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) { 8036 ssl->session_negotiate->verify_result |= 8037 MBEDTLS_X509_BADCERT_BAD_KEY; 8038 8039 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)")); 8040 if (ret == 0) { 8041 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 8042 } 8043 } 8044 } 8045 } 8046#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 8047 8048 if (mbedtls_ssl_check_cert_usage(chain, 8049 ciphersuite_info, 8050 !ssl->conf->endpoint, 8051 &ssl->session_negotiate->verify_result) != 0) { 8052 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); 8053 if (ret == 0) { 8054 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 8055 } 8056 } 8057 8058 /* mbedtls_x509_crt_verify_with_profile is supposed to report a 8059 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED, 8060 * with details encoded in the verification flags. All other kinds 8061 * of error codes, including those from the user provided f_vrfy 8062 * functions, are treated as fatal and lead to a failure of 8063 * ssl_parse_certificate even if verification was optional. */ 8064 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && 8065 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || 8066 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) { 8067 ret = 0; 8068 } 8069 8070 if (have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { 8071 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); 8072 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; 8073 } 8074 8075 if (ret != 0) { 8076 uint8_t alert; 8077 8078 /* The certificate may have been rejected for several reasons. 8079 Pick one and send the corresponding alert. Which alert to send 8080 may be a subject of debate in some cases. */ 8081 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) { 8082 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; 8083 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) { 8084 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 8085 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) { 8086 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 8087 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) { 8088 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 8089 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE) { 8090 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 8091 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) { 8092 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 8093 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) { 8094 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 8095 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) { 8096 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; 8097 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) { 8098 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; 8099 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) { 8100 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; 8101 } else { 8102 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; 8103 } 8104 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8105 alert); 8106 } 8107 8108#if defined(MBEDTLS_DEBUG_C) 8109 if (ssl->session_negotiate->verify_result != 0) { 8110 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x", 8111 (unsigned int) ssl->session_negotiate->verify_result)); 8112 } else { 8113 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear")); 8114 } 8115#endif /* MBEDTLS_DEBUG_C */ 8116 8117 return ret; 8118} 8119 8120#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 8121MBEDTLS_CHECK_RETURN_CRITICAL 8122static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl, 8123 unsigned char *start, size_t len) 8124{ 8125 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 8126 /* Remember digest of the peer's end-CRT. */ 8127 ssl->session_negotiate->peer_cert_digest = 8128 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN); 8129 if (ssl->session_negotiate->peer_cert_digest == NULL) { 8130 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed", 8131 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN)); 8132 mbedtls_ssl_send_alert_message(ssl, 8133 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8134 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 8135 8136 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 8137 } 8138 8139 ret = mbedtls_md(mbedtls_md_info_from_type( 8140 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE), 8141 start, len, 8142 ssl->session_negotiate->peer_cert_digest); 8143 8144 ssl->session_negotiate->peer_cert_digest_type = 8145 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE; 8146 ssl->session_negotiate->peer_cert_digest_len = 8147 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN; 8148 8149 return ret; 8150} 8151 8152MBEDTLS_CHECK_RETURN_CRITICAL 8153static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl, 8154 unsigned char *start, size_t len) 8155{ 8156 unsigned char *end = start + len; 8157 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 8158 8159 /* Make a copy of the peer's raw public key. */ 8160 mbedtls_pk_init(&ssl->handshake->peer_pubkey); 8161 ret = mbedtls_pk_parse_subpubkey(&start, end, 8162 &ssl->handshake->peer_pubkey); 8163 if (ret != 0) { 8164 /* We should have parsed the public key before. */ 8165 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8166 } 8167 8168 return 0; 8169} 8170#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 8171 8172int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) 8173{ 8174 int ret = 0; 8175 int crt_expected; 8176#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 8177 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET 8178 ? ssl->handshake->sni_authmode 8179 : ssl->conf->authmode; 8180#else 8181 const int authmode = ssl->conf->authmode; 8182#endif 8183 void *rs_ctx = NULL; 8184 mbedtls_x509_crt *chain = NULL; 8185 8186 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); 8187 8188 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode); 8189 if (crt_expected == SSL_CERTIFICATE_SKIP) { 8190 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); 8191 goto exit; 8192 } 8193 8194#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 8195 if (ssl->handshake->ecrs_enabled && 8196 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) { 8197 chain = ssl->handshake->ecrs_peer_cert; 8198 ssl->handshake->ecrs_peer_cert = NULL; 8199 goto crt_verify; 8200 } 8201#endif 8202 8203 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 8204 /* mbedtls_ssl_read_record may have sent an alert already. We 8205 let it decide whether to alert. */ 8206 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 8207 goto exit; 8208 } 8209 8210#if defined(MBEDTLS_SSL_SRV_C) 8211 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) { 8212 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 8213 8214 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) { 8215 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; 8216 } 8217 8218 goto exit; 8219 } 8220#endif /* MBEDTLS_SSL_SRV_C */ 8221 8222 /* Clear existing peer CRT structure in case we tried to 8223 * reuse a session but it failed, and allocate a new one. */ 8224 ssl_clear_peer_cert(ssl->session_negotiate); 8225 8226 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 8227 if (chain == NULL) { 8228 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", 8229 sizeof(mbedtls_x509_crt))); 8230 mbedtls_ssl_send_alert_message(ssl, 8231 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8232 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 8233 8234 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 8235 goto exit; 8236 } 8237 mbedtls_x509_crt_init(chain); 8238 8239 ret = ssl_parse_certificate_chain(ssl, chain); 8240 if (ret != 0) { 8241 goto exit; 8242 } 8243 8244#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 8245 if (ssl->handshake->ecrs_enabled) { 8246 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify; 8247 } 8248 8249crt_verify: 8250 if (ssl->handshake->ecrs_enabled) { 8251 rs_ctx = &ssl->handshake->ecrs_ctx; 8252 } 8253#endif 8254 8255 ret = ssl_parse_certificate_verify(ssl, authmode, 8256 chain, rs_ctx); 8257 if (ret != 0) { 8258 goto exit; 8259 } 8260 8261#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 8262 { 8263 unsigned char *crt_start, *pk_start; 8264 size_t crt_len, pk_len; 8265 8266 /* We parse the CRT chain without copying, so 8267 * these pointers point into the input buffer, 8268 * and are hence still valid after freeing the 8269 * CRT chain. */ 8270 8271 crt_start = chain->raw.p; 8272 crt_len = chain->raw.len; 8273 8274 pk_start = chain->pk_raw.p; 8275 pk_len = chain->pk_raw.len; 8276 8277 /* Free the CRT structures before computing 8278 * digest and copying the peer's public key. */ 8279 mbedtls_x509_crt_free(chain); 8280 mbedtls_free(chain); 8281 chain = NULL; 8282 8283 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len); 8284 if (ret != 0) { 8285 goto exit; 8286 } 8287 8288 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len); 8289 if (ret != 0) { 8290 goto exit; 8291 } 8292 } 8293#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 8294 /* Pass ownership to session structure. */ 8295 ssl->session_negotiate->peer_cert = chain; 8296 chain = NULL; 8297#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 8298 8299 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate")); 8300 8301exit: 8302 8303 if (ret == 0) { 8304 ssl->state++; 8305 } 8306 8307#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 8308 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) { 8309 ssl->handshake->ecrs_peer_cert = chain; 8310 chain = NULL; 8311 } 8312#endif 8313 8314 if (chain != NULL) { 8315 mbedtls_x509_crt_free(chain); 8316 mbedtls_free(chain); 8317 } 8318 8319 return ret; 8320} 8321#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 8322 8323static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx, 8324 unsigned char *padbuf, size_t hlen, 8325 unsigned char *buf, int from) 8326{ 8327 unsigned int len = 12; 8328 const char *sender; 8329#if defined(MBEDTLS_USE_PSA_CRYPTO) 8330 psa_status_t status; 8331 psa_hash_operation_t *hs_op = ctx; 8332 psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT; 8333 size_t hash_size; 8334#else 8335 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 8336 mbedtls_md_context_t *hs_ctx = ctx; 8337 mbedtls_md_context_t cloned_ctx; 8338 mbedtls_md_init(&cloned_ctx); 8339#endif 8340 8341 mbedtls_ssl_session *session = ssl->session_negotiate; 8342 if (!session) { 8343 session = ssl->session; 8344 } 8345 8346 sender = (from == MBEDTLS_SSL_IS_CLIENT) 8347 ? "client finished" 8348 : "server finished"; 8349 8350#if defined(MBEDTLS_USE_PSA_CRYPTO) 8351 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls")); 8352 8353 status = psa_hash_clone(hs_op, &cloned_op); 8354 if (status != PSA_SUCCESS) { 8355 goto exit; 8356 } 8357 8358 status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size); 8359 if (status != PSA_SUCCESS) { 8360 goto exit; 8361 } 8362 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen); 8363#else 8364 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls")); 8365 8366 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0); 8367 if (ret != 0) { 8368 goto exit; 8369 } 8370 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx); 8371 if (ret != 0) { 8372 goto exit; 8373 } 8374 8375 ret = mbedtls_md_finish(&cloned_ctx, padbuf); 8376 if (ret != 0) { 8377 goto exit; 8378 } 8379#endif /* MBEDTLS_USE_PSA_CRYPTO */ 8380 8381 MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen); 8382 8383 /* 8384 * TLSv1.2: 8385 * hash = PRF( master, finished_label, 8386 * Hash( handshake ) )[0.11] 8387 */ 8388 ssl->handshake->tls_prf(session->master, 48, sender, 8389 padbuf, hlen, buf, len); 8390 8391 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len); 8392 8393 mbedtls_platform_zeroize(padbuf, hlen); 8394 8395 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); 8396 8397exit: 8398#if defined(MBEDTLS_USE_PSA_CRYPTO) 8399 psa_hash_abort(&cloned_op); 8400 return mbedtls_md_error_from_psa(status); 8401#else 8402 mbedtls_md_free(&cloned_ctx); 8403 return ret; 8404#endif /* MBEDTLS_USE_PSA_CRYPTO */ 8405} 8406 8407#if defined(MBEDTLS_MD_CAN_SHA256) 8408static int ssl_calc_finished_tls_sha256( 8409 mbedtls_ssl_context *ssl, unsigned char *buf, int from) 8410{ 8411 unsigned char padbuf[32]; 8412 return ssl_calc_finished_tls_generic(ssl, 8413#if defined(MBEDTLS_USE_PSA_CRYPTO) 8414 &ssl->handshake->fin_sha256_psa, 8415#else 8416 &ssl->handshake->fin_sha256, 8417#endif 8418 padbuf, sizeof(padbuf), 8419 buf, from); 8420} 8421#endif /* MBEDTLS_MD_CAN_SHA256*/ 8422 8423 8424#if defined(MBEDTLS_MD_CAN_SHA384) 8425static int ssl_calc_finished_tls_sha384( 8426 mbedtls_ssl_context *ssl, unsigned char *buf, int from) 8427{ 8428 unsigned char padbuf[48]; 8429 return ssl_calc_finished_tls_generic(ssl, 8430#if defined(MBEDTLS_USE_PSA_CRYPTO) 8431 &ssl->handshake->fin_sha384_psa, 8432#else 8433 &ssl->handshake->fin_sha384, 8434#endif 8435 padbuf, sizeof(padbuf), 8436 buf, from); 8437} 8438#endif /* MBEDTLS_MD_CAN_SHA384*/ 8439 8440void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl) 8441{ 8442 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free")); 8443 8444 /* 8445 * Free our handshake params 8446 */ 8447 mbedtls_ssl_handshake_free(ssl); 8448 mbedtls_free(ssl->handshake); 8449 ssl->handshake = NULL; 8450 8451 /* 8452 * Free the previous transform and switch in the current one 8453 */ 8454 if (ssl->transform) { 8455 mbedtls_ssl_transform_free(ssl->transform); 8456 mbedtls_free(ssl->transform); 8457 } 8458 ssl->transform = ssl->transform_negotiate; 8459 ssl->transform_negotiate = NULL; 8460 8461 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free")); 8462} 8463 8464void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl) 8465{ 8466 int resume = ssl->handshake->resume; 8467 8468 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup")); 8469 8470#if defined(MBEDTLS_SSL_RENEGOTIATION) 8471 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 8472 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; 8473 ssl->renego_records_seen = 0; 8474 } 8475#endif 8476 8477 /* 8478 * Free the previous session and switch in the current one 8479 */ 8480 if (ssl->session) { 8481#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 8482 /* RFC 7366 3.1: keep the EtM state */ 8483 ssl->session_negotiate->encrypt_then_mac = 8484 ssl->session->encrypt_then_mac; 8485#endif 8486 8487 mbedtls_ssl_session_free(ssl->session); 8488 mbedtls_free(ssl->session); 8489 } 8490 ssl->session = ssl->session_negotiate; 8491 ssl->session_negotiate = NULL; 8492 8493 /* 8494 * Add cache entry 8495 */ 8496 if (ssl->conf->f_set_cache != NULL && 8497 ssl->session->id_len != 0 && 8498 resume == 0) { 8499 if (ssl->conf->f_set_cache(ssl->conf->p_cache, 8500 ssl->session->id, 8501 ssl->session->id_len, 8502 ssl->session) != 0) { 8503 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session")); 8504 } 8505 } 8506 8507#if defined(MBEDTLS_SSL_PROTO_DTLS) 8508 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 8509 ssl->handshake->flight != NULL) { 8510 /* Cancel handshake timer */ 8511 mbedtls_ssl_set_timer(ssl, 0); 8512 8513 /* Keep last flight around in case we need to resend it: 8514 * we need the handshake and transform structures for that */ 8515 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform")); 8516 } else 8517#endif 8518 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl); 8519 8520 ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER; 8521 8522 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup")); 8523} 8524 8525int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl) 8526{ 8527 int ret; 8528 unsigned int hash_len; 8529 8530 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished")); 8531 8532 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate); 8533 8534 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint); 8535 if (ret != 0) { 8536 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); 8537 } 8538 8539 /* 8540 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites 8541 * may define some other value. Currently (early 2016), no defined 8542 * ciphersuite does this (and this is unlikely to change as activity has 8543 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here. 8544 */ 8545 hash_len = 12; 8546 8547#if defined(MBEDTLS_SSL_RENEGOTIATION) 8548 ssl->verify_data_len = hash_len; 8549 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len); 8550#endif 8551 8552 ssl->out_msglen = 4 + hash_len; 8553 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 8554 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; 8555 8556 /* 8557 * In case of session resuming, invert the client and server 8558 * ChangeCipherSpec messages order. 8559 */ 8560 if (ssl->handshake->resume != 0) { 8561#if defined(MBEDTLS_SSL_CLI_C) 8562 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 8563 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 8564 } 8565#endif 8566#if defined(MBEDTLS_SSL_SRV_C) 8567 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 8568 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 8569 } 8570#endif 8571 } else { 8572 ssl->state++; 8573 } 8574 8575 /* 8576 * Switch to our negotiated transform and session parameters for outbound 8577 * data. 8578 */ 8579 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data")); 8580 8581#if defined(MBEDTLS_SSL_PROTO_DTLS) 8582 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8583 unsigned char i; 8584 8585 /* Remember current epoch settings for resending */ 8586 ssl->handshake->alt_transform_out = ssl->transform_out; 8587 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8588 sizeof(ssl->handshake->alt_out_ctr)); 8589 8590 /* Set sequence_number to zero */ 8591 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2); 8592 8593 8594 /* Increment epoch */ 8595 for (i = 2; i > 0; i--) { 8596 if (++ssl->cur_out_ctr[i - 1] != 0) { 8597 break; 8598 } 8599 } 8600 8601 /* The loop goes to its end iff the counter is wrapping */ 8602 if (i == 0) { 8603 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap")); 8604 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING; 8605 } 8606 } else 8607#endif /* MBEDTLS_SSL_PROTO_DTLS */ 8608 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr)); 8609 8610 ssl->transform_out = ssl->transform_negotiate; 8611 ssl->session_out = ssl->session_negotiate; 8612 8613#if defined(MBEDTLS_SSL_PROTO_DTLS) 8614 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8615 mbedtls_ssl_send_flight_completed(ssl); 8616 } 8617#endif 8618 8619 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 8620 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 8621 return ret; 8622 } 8623 8624#if defined(MBEDTLS_SSL_PROTO_DTLS) 8625 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 8626 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 8627 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); 8628 return ret; 8629 } 8630#endif 8631 8632 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished")); 8633 8634 return 0; 8635} 8636 8637#define SSL_MAX_HASH_LEN 12 8638 8639int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl) 8640{ 8641 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 8642 unsigned int hash_len = 12; 8643 unsigned char buf[SSL_MAX_HASH_LEN]; 8644 8645 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished")); 8646 8647 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1); 8648 if (ret != 0) { 8649 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); 8650 } 8651 8652 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 8653 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 8654 goto exit; 8655 } 8656 8657 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 8658 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8659 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8660 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 8661 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 8662 goto exit; 8663 } 8664 8665 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) { 8666 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8667 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 8668 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 8669 goto exit; 8670 } 8671 8672 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) { 8673 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8674 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8675 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 8676 ret = MBEDTLS_ERR_SSL_DECODE_ERROR; 8677 goto exit; 8678 } 8679 8680 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), 8681 buf, hash_len) != 0) { 8682 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8683 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8684 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); 8685 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 8686 goto exit; 8687 } 8688 8689#if defined(MBEDTLS_SSL_RENEGOTIATION) 8690 ssl->verify_data_len = hash_len; 8691 memcpy(ssl->peer_verify_data, buf, hash_len); 8692#endif 8693 8694 if (ssl->handshake->resume != 0) { 8695#if defined(MBEDTLS_SSL_CLI_C) 8696 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 8697 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC; 8698 } 8699#endif 8700#if defined(MBEDTLS_SSL_SRV_C) 8701 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 8702 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP; 8703 } 8704#endif 8705 } else { 8706 ssl->state++; 8707 } 8708 8709#if defined(MBEDTLS_SSL_PROTO_DTLS) 8710 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8711 mbedtls_ssl_recv_flight_completed(ssl); 8712 } 8713#endif 8714 8715 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished")); 8716 8717exit: 8718 mbedtls_platform_zeroize(buf, hash_len); 8719 return ret; 8720} 8721 8722#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 8723/* 8724 * Helper to get TLS 1.2 PRF from ciphersuite 8725 * (Duplicates bits of logic from ssl_set_handshake_prfs().) 8726 */ 8727static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id) 8728{ 8729 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = 8730 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id); 8731#if defined(MBEDTLS_MD_CAN_SHA384) 8732 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 8733 return tls_prf_sha384; 8734 } else 8735#endif 8736#if defined(MBEDTLS_MD_CAN_SHA256) 8737 { 8738 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) { 8739 return tls_prf_sha256; 8740 } 8741 } 8742#endif 8743#if !defined(MBEDTLS_MD_CAN_SHA384) && \ 8744 !defined(MBEDTLS_MD_CAN_SHA256) 8745 (void) ciphersuite_info; 8746#endif 8747 8748 return NULL; 8749} 8750#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 8751 8752static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf) 8753{ 8754 ((void) tls_prf); 8755#if defined(MBEDTLS_MD_CAN_SHA384) 8756 if (tls_prf == tls_prf_sha384) { 8757 return MBEDTLS_SSL_TLS_PRF_SHA384; 8758 } else 8759#endif 8760#if defined(MBEDTLS_MD_CAN_SHA256) 8761 if (tls_prf == tls_prf_sha256) { 8762 return MBEDTLS_SSL_TLS_PRF_SHA256; 8763 } else 8764#endif 8765 return MBEDTLS_SSL_TLS_PRF_NONE; 8766} 8767 8768/* 8769 * Populate a transform structure with session keys and all the other 8770 * necessary information. 8771 * 8772 * Parameters: 8773 * - [in/out]: transform: structure to populate 8774 * [in] must be just initialised with mbedtls_ssl_transform_init() 8775 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf() 8776 * - [in] ciphersuite 8777 * - [in] master 8778 * - [in] encrypt_then_mac 8779 * - [in] tls_prf: pointer to PRF to use for key derivation 8780 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random 8781 * - [in] tls_version: TLS version 8782 * - [in] endpoint: client or server 8783 * - [in] ssl: used for: 8784 * - ssl->conf->{f,p}_export_keys 8785 * [in] optionally used for: 8786 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg 8787 */ 8788MBEDTLS_CHECK_RETURN_CRITICAL 8789static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, 8790 int ciphersuite, 8791 const unsigned char master[48], 8792#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8793 int encrypt_then_mac, 8794#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8795 ssl_tls_prf_t tls_prf, 8796 const unsigned char randbytes[64], 8797 mbedtls_ssl_protocol_version tls_version, 8798 unsigned endpoint, 8799 const mbedtls_ssl_context *ssl) 8800{ 8801 int ret = 0; 8802 unsigned char keyblk[256]; 8803 unsigned char *key1; 8804 unsigned char *key2; 8805 unsigned char *mac_enc; 8806 unsigned char *mac_dec; 8807 size_t mac_key_len = 0; 8808 size_t iv_copy_len; 8809 size_t keylen; 8810 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 8811 mbedtls_ssl_mode_t ssl_mode; 8812#if !defined(MBEDTLS_USE_PSA_CRYPTO) 8813 const mbedtls_cipher_info_t *cipher_info; 8814 const mbedtls_md_info_t *md_info; 8815#endif /* !MBEDTLS_USE_PSA_CRYPTO */ 8816 8817#if defined(MBEDTLS_USE_PSA_CRYPTO) 8818 psa_key_type_t key_type; 8819 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8820 psa_algorithm_t alg; 8821 psa_algorithm_t mac_alg = 0; 8822 size_t key_bits; 8823 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8824#endif 8825 8826 /* 8827 * Some data just needs copying into the structure 8828 */ 8829#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8830 transform->encrypt_then_mac = encrypt_then_mac; 8831#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8832 transform->tls_version = tls_version; 8833 8834#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 8835 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes)); 8836#endif 8837 8838#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 8839 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 8840 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform 8841 * generation separate. This should never happen. */ 8842 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8843 } 8844#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 8845 8846 /* 8847 * Get various info structures 8848 */ 8849 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite); 8850 if (ciphersuite_info == NULL) { 8851 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found", 8852 ciphersuite)); 8853 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8854 } 8855 8856 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite( 8857#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8858 encrypt_then_mac, 8859#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8860 ciphersuite_info); 8861 8862 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { 8863 transform->taglen = 8864 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 8865 } 8866 8867#if defined(MBEDTLS_USE_PSA_CRYPTO) 8868 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher, 8869 transform->taglen, 8870 &alg, 8871 &key_type, 8872 &key_bits)) != PSA_SUCCESS) { 8873 ret = PSA_TO_MBEDTLS_ERR(status); 8874 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret); 8875 goto end; 8876 } 8877#else 8878 cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher); 8879 if (cipher_info == NULL) { 8880 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found", 8881 ciphersuite_info->cipher)); 8882 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8883 } 8884#endif /* MBEDTLS_USE_PSA_CRYPTO */ 8885 8886#if defined(MBEDTLS_USE_PSA_CRYPTO) 8887 mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac); 8888 if (mac_alg == 0) { 8889 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found", 8890 (unsigned) ciphersuite_info->mac)); 8891 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8892 } 8893#else 8894 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac); 8895 if (md_info == NULL) { 8896 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found", 8897 (unsigned) ciphersuite_info->mac)); 8898 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8899 } 8900#endif /* MBEDTLS_USE_PSA_CRYPTO */ 8901 8902#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 8903 /* Copy own and peer's CID if the use of the CID 8904 * extension has been negotiated. */ 8905 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) { 8906 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform")); 8907 8908 transform->in_cid_len = ssl->own_cid_len; 8909 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len); 8910 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid, 8911 transform->in_cid_len); 8912 8913 transform->out_cid_len = ssl->handshake->peer_cid_len; 8914 memcpy(transform->out_cid, ssl->handshake->peer_cid, 8915 ssl->handshake->peer_cid_len); 8916 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid, 8917 transform->out_cid_len); 8918 } 8919#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 8920 8921 /* 8922 * Compute key block using the PRF 8923 */ 8924 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256); 8925 if (ret != 0) { 8926 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); 8927 return ret; 8928 } 8929 8930 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s", 8931 mbedtls_ssl_get_ciphersuite_name(ciphersuite))); 8932 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48); 8933 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64); 8934 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256); 8935 8936 /* 8937 * Determine the appropriate key, IV and MAC length. 8938 */ 8939 8940#if defined(MBEDTLS_USE_PSA_CRYPTO) 8941 keylen = PSA_BITS_TO_BYTES(key_bits); 8942#else 8943 keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8; 8944#endif 8945 8946#if defined(MBEDTLS_SSL_HAVE_AEAD) 8947 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { 8948 size_t explicit_ivlen; 8949 8950 transform->maclen = 0; 8951 mac_key_len = 0; 8952 8953 /* All modes haves 96-bit IVs, but the length of the static parts vary 8954 * with mode and version: 8955 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes 8956 * (to be concatenated with a dynamically chosen IV of 8 Bytes) 8957 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's 8958 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record 8959 * sequence number). 8960 */ 8961 transform->ivlen = 12; 8962 8963 int is_chachapoly = 0; 8964#if defined(MBEDTLS_USE_PSA_CRYPTO) 8965 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20); 8966#else 8967 is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info) 8968 == MBEDTLS_MODE_CHACHAPOLY); 8969#endif /* MBEDTLS_USE_PSA_CRYPTO */ 8970 8971 if (is_chachapoly) { 8972 transform->fixed_ivlen = 12; 8973 } else { 8974 transform->fixed_ivlen = 4; 8975 } 8976 8977 /* Minimum length of encrypted record */ 8978 explicit_ivlen = transform->ivlen - transform->fixed_ivlen; 8979 transform->minlen = explicit_ivlen + transform->taglen; 8980 } else 8981#endif /* MBEDTLS_SSL_HAVE_AEAD */ 8982#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 8983 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM || 8984 ssl_mode == MBEDTLS_SSL_MODE_CBC || 8985 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { 8986#if defined(MBEDTLS_USE_PSA_CRYPTO) 8987 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type); 8988#else 8989 size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info); 8990#endif /* MBEDTLS_USE_PSA_CRYPTO */ 8991 8992#if defined(MBEDTLS_USE_PSA_CRYPTO) 8993 /* Get MAC length */ 8994 mac_key_len = PSA_HASH_LENGTH(mac_alg); 8995#else 8996 /* Initialize HMAC contexts */ 8997 if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 || 8998 (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) { 8999 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); 9000 goto end; 9001 } 9002 9003 /* Get MAC length */ 9004 mac_key_len = mbedtls_md_get_size(md_info); 9005#endif /* MBEDTLS_USE_PSA_CRYPTO */ 9006 transform->maclen = mac_key_len; 9007 9008 /* IV length */ 9009#if defined(MBEDTLS_USE_PSA_CRYPTO) 9010 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg); 9011#else 9012 transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info); 9013#endif /* MBEDTLS_USE_PSA_CRYPTO */ 9014 9015 /* Minimum length */ 9016 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) { 9017 transform->minlen = transform->maclen; 9018 } else { 9019 /* 9020 * GenericBlockCipher: 9021 * 1. if EtM is in use: one block plus MAC 9022 * otherwise: * first multiple of blocklen greater than maclen 9023 * 2. IV 9024 */ 9025#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 9026 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { 9027 transform->minlen = transform->maclen 9028 + block_size; 9029 } else 9030#endif 9031 { 9032 transform->minlen = transform->maclen 9033 + block_size 9034 - transform->maclen % block_size; 9035 } 9036 9037 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 9038 transform->minlen += transform->ivlen; 9039 } else { 9040 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 9041 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; 9042 goto end; 9043 } 9044 } 9045 } else 9046#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 9047 { 9048 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 9049 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 9050 } 9051 9052 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u", 9053 (unsigned) keylen, 9054 (unsigned) transform->minlen, 9055 (unsigned) transform->ivlen, 9056 (unsigned) transform->maclen)); 9057 9058 /* 9059 * Finally setup the cipher contexts, IVs and MAC secrets. 9060 */ 9061#if defined(MBEDTLS_SSL_CLI_C) 9062 if (endpoint == MBEDTLS_SSL_IS_CLIENT) { 9063 key1 = keyblk + mac_key_len * 2; 9064 key2 = keyblk + mac_key_len * 2 + keylen; 9065 9066 mac_enc = keyblk; 9067 mac_dec = keyblk + mac_key_len; 9068 9069 iv_copy_len = (transform->fixed_ivlen) ? 9070 transform->fixed_ivlen : transform->ivlen; 9071 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len); 9072 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len, 9073 iv_copy_len); 9074 } else 9075#endif /* MBEDTLS_SSL_CLI_C */ 9076#if defined(MBEDTLS_SSL_SRV_C) 9077 if (endpoint == MBEDTLS_SSL_IS_SERVER) { 9078 key1 = keyblk + mac_key_len * 2 + keylen; 9079 key2 = keyblk + mac_key_len * 2; 9080 9081 mac_enc = keyblk + mac_key_len; 9082 mac_dec = keyblk; 9083 9084 iv_copy_len = (transform->fixed_ivlen) ? 9085 transform->fixed_ivlen : transform->ivlen; 9086 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len); 9087 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len, 9088 iv_copy_len); 9089 } else 9090#endif /* MBEDTLS_SSL_SRV_C */ 9091 { 9092 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 9093 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; 9094 goto end; 9095 } 9096 9097 if (ssl->f_export_keys != NULL) { 9098 ssl->f_export_keys(ssl->p_export_keys, 9099 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET, 9100 master, 48, 9101 randbytes + 32, 9102 randbytes, 9103 tls_prf_get_type(tls_prf)); 9104 } 9105 9106#if defined(MBEDTLS_USE_PSA_CRYPTO) 9107 transform->psa_alg = alg; 9108 9109 if (alg != MBEDTLS_SSL_NULL_CIPHER) { 9110 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 9111 psa_set_key_algorithm(&attributes, alg); 9112 psa_set_key_type(&attributes, key_type); 9113 9114 if ((status = psa_import_key(&attributes, 9115 key1, 9116 PSA_BITS_TO_BYTES(key_bits), 9117 &transform->psa_key_enc)) != PSA_SUCCESS) { 9118 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status); 9119 ret = PSA_TO_MBEDTLS_ERR(status); 9120 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); 9121 goto end; 9122 } 9123 9124 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 9125 9126 if ((status = psa_import_key(&attributes, 9127 key2, 9128 PSA_BITS_TO_BYTES(key_bits), 9129 &transform->psa_key_dec)) != PSA_SUCCESS) { 9130 ret = PSA_TO_MBEDTLS_ERR(status); 9131 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); 9132 goto end; 9133 } 9134 } 9135#else 9136 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc, 9137 cipher_info)) != 0) { 9138 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); 9139 goto end; 9140 } 9141 9142 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec, 9143 cipher_info)) != 0) { 9144 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); 9145 goto end; 9146 } 9147 9148 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1, 9149 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), 9150 MBEDTLS_ENCRYPT)) != 0) { 9151 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); 9152 goto end; 9153 } 9154 9155 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2, 9156 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), 9157 MBEDTLS_DECRYPT)) != 0) { 9158 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); 9159 goto end; 9160 } 9161 9162#if defined(MBEDTLS_CIPHER_MODE_CBC) 9163 if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) { 9164 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc, 9165 MBEDTLS_PADDING_NONE)) != 0) { 9166 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); 9167 goto end; 9168 } 9169 9170 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec, 9171 MBEDTLS_PADDING_NONE)) != 0) { 9172 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); 9173 goto end; 9174 } 9175 } 9176#endif /* MBEDTLS_CIPHER_MODE_CBC */ 9177#endif /* MBEDTLS_USE_PSA_CRYPTO */ 9178 9179#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 9180 /* For HMAC-based ciphersuites, initialize the HMAC transforms. 9181 For AEAD-based ciphersuites, there is nothing to do here. */ 9182 if (mac_key_len != 0) { 9183#if defined(MBEDTLS_USE_PSA_CRYPTO) 9184 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg); 9185 9186 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); 9187 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg)); 9188 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); 9189 9190 if ((status = psa_import_key(&attributes, 9191 mac_enc, mac_key_len, 9192 &transform->psa_mac_enc)) != PSA_SUCCESS) { 9193 ret = PSA_TO_MBEDTLS_ERR(status); 9194 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); 9195 goto end; 9196 } 9197 9198 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) || 9199 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING) 9200#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 9201 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) 9202#endif 9203 )) { 9204 /* mbedtls_ct_hmac() requires the key to be exportable */ 9205 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT | 9206 PSA_KEY_USAGE_VERIFY_HASH); 9207 } else { 9208 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 9209 } 9210 9211 if ((status = psa_import_key(&attributes, 9212 mac_dec, mac_key_len, 9213 &transform->psa_mac_dec)) != PSA_SUCCESS) { 9214 ret = PSA_TO_MBEDTLS_ERR(status); 9215 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); 9216 goto end; 9217 } 9218#else 9219 ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len); 9220 if (ret != 0) { 9221 goto end; 9222 } 9223 ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len); 9224 if (ret != 0) { 9225 goto end; 9226 } 9227#endif /* MBEDTLS_USE_PSA_CRYPTO */ 9228 } 9229#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 9230 9231 ((void) mac_dec); 9232 ((void) mac_enc); 9233 9234end: 9235 mbedtls_platform_zeroize(keyblk, sizeof(keyblk)); 9236 return ret; 9237} 9238 9239#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 9240 defined(MBEDTLS_USE_PSA_CRYPTO) 9241int mbedtls_psa_ecjpake_read_round( 9242 psa_pake_operation_t *pake_ctx, 9243 const unsigned char *buf, 9244 size_t len, mbedtls_ecjpake_rounds_t round) 9245{ 9246 psa_status_t status; 9247 size_t input_offset = 0; 9248 /* 9249 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice 9250 * At round two perform a single cycle 9251 */ 9252 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; 9253 9254 for (; remaining_steps > 0; remaining_steps--) { 9255 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; 9256 step <= PSA_PAKE_STEP_ZK_PROOF; 9257 ++step) { 9258 /* Length is stored at the first byte */ 9259 size_t length = buf[input_offset]; 9260 input_offset += 1; 9261 9262 if (input_offset + length > len) { 9263 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 9264 } 9265 9266 status = psa_pake_input(pake_ctx, step, 9267 buf + input_offset, length); 9268 if (status != PSA_SUCCESS) { 9269 return PSA_TO_MBEDTLS_ERR(status); 9270 } 9271 9272 input_offset += length; 9273 } 9274 } 9275 9276 if (input_offset != len) { 9277 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 9278 } 9279 9280 return 0; 9281} 9282 9283int mbedtls_psa_ecjpake_write_round( 9284 psa_pake_operation_t *pake_ctx, 9285 unsigned char *buf, 9286 size_t len, size_t *olen, 9287 mbedtls_ecjpake_rounds_t round) 9288{ 9289 psa_status_t status; 9290 size_t output_offset = 0; 9291 size_t output_len; 9292 /* 9293 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice 9294 * At round two perform a single cycle 9295 */ 9296 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; 9297 9298 for (; remaining_steps > 0; remaining_steps--) { 9299 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; 9300 step <= PSA_PAKE_STEP_ZK_PROOF; 9301 ++step) { 9302 /* 9303 * For each step, prepend 1 byte with the length of the data as 9304 * given by psa_pake_output(). 9305 */ 9306 status = psa_pake_output(pake_ctx, step, 9307 buf + output_offset + 1, 9308 len - output_offset - 1, 9309 &output_len); 9310 if (status != PSA_SUCCESS) { 9311 return PSA_TO_MBEDTLS_ERR(status); 9312 } 9313 9314 *(buf + output_offset) = (uint8_t) output_len; 9315 9316 output_offset += output_len + 1; 9317 } 9318 } 9319 9320 *olen = output_offset; 9321 9322 return 0; 9323} 9324#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO 9325 9326#if defined(MBEDTLS_USE_PSA_CRYPTO) 9327int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 9328 unsigned char *hash, size_t *hashlen, 9329 unsigned char *data, size_t data_len, 9330 mbedtls_md_type_t md_alg) 9331{ 9332 psa_status_t status; 9333 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT; 9334 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg); 9335 9336 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange")); 9337 9338 if ((status = psa_hash_setup(&hash_operation, 9339 hash_alg)) != PSA_SUCCESS) { 9340 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status); 9341 goto exit; 9342 } 9343 9344 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes, 9345 64)) != PSA_SUCCESS) { 9346 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); 9347 goto exit; 9348 } 9349 9350 if ((status = psa_hash_update(&hash_operation, 9351 data, data_len)) != PSA_SUCCESS) { 9352 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); 9353 goto exit; 9354 } 9355 9356 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE, 9357 hashlen)) != PSA_SUCCESS) { 9358 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status); 9359 goto exit; 9360 } 9361 9362exit: 9363 if (status != PSA_SUCCESS) { 9364 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 9365 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 9366 switch (status) { 9367 case PSA_ERROR_NOT_SUPPORTED: 9368 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE; 9369 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */ 9370 case PSA_ERROR_BUFFER_TOO_SMALL: 9371 return MBEDTLS_ERR_MD_BAD_INPUT_DATA; 9372 case PSA_ERROR_INSUFFICIENT_MEMORY: 9373 return MBEDTLS_ERR_MD_ALLOC_FAILED; 9374 default: 9375 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 9376 } 9377 } 9378 return 0; 9379} 9380 9381#else 9382 9383int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 9384 unsigned char *hash, size_t *hashlen, 9385 unsigned char *data, size_t data_len, 9386 mbedtls_md_type_t md_alg) 9387{ 9388 int ret = 0; 9389 mbedtls_md_context_t ctx; 9390 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg); 9391 *hashlen = mbedtls_md_get_size(md_info); 9392 9393 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange")); 9394 9395 mbedtls_md_init(&ctx); 9396 9397 /* 9398 * digitally-signed struct { 9399 * opaque client_random[32]; 9400 * opaque server_random[32]; 9401 * ServerDHParams params; 9402 * }; 9403 */ 9404 if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) { 9405 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); 9406 goto exit; 9407 } 9408 if ((ret = mbedtls_md_starts(&ctx)) != 0) { 9409 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret); 9410 goto exit; 9411 } 9412 if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) { 9413 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); 9414 goto exit; 9415 } 9416 if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) { 9417 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); 9418 goto exit; 9419 } 9420 if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) { 9421 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 9422 goto exit; 9423 } 9424 9425exit: 9426 mbedtls_md_free(&ctx); 9427 9428 if (ret != 0) { 9429 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 9430 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 9431 } 9432 9433 return ret; 9434} 9435#endif /* MBEDTLS_USE_PSA_CRYPTO */ 9436 9437#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 9438 9439/* Find the preferred hash for a given signature algorithm. */ 9440unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 9441 mbedtls_ssl_context *ssl, 9442 unsigned int sig_alg) 9443{ 9444 unsigned int i; 9445 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; 9446 9447 if (sig_alg == MBEDTLS_SSL_SIG_ANON) { 9448 return MBEDTLS_SSL_HASH_NONE; 9449 } 9450 9451 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { 9452 unsigned int hash_alg_received = 9453 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG( 9454 received_sig_algs[i]); 9455 unsigned int sig_alg_received = 9456 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG( 9457 received_sig_algs[i]); 9458 9459 mbedtls_md_type_t md_alg = 9460 mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received); 9461 if (md_alg == MBEDTLS_MD_NONE) { 9462 continue; 9463 } 9464 9465 if (sig_alg == sig_alg_received) { 9466#if defined(MBEDTLS_USE_PSA_CRYPTO) 9467 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) { 9468 psa_algorithm_t psa_hash_alg = 9469 mbedtls_md_psa_alg_from_type(md_alg); 9470 9471 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA && 9472 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, 9473 PSA_ALG_ECDSA(psa_hash_alg), 9474 PSA_KEY_USAGE_SIGN_HASH)) { 9475 continue; 9476 } 9477 9478 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA && 9479 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, 9480 PSA_ALG_RSA_PKCS1V15_SIGN( 9481 psa_hash_alg), 9482 PSA_KEY_USAGE_SIGN_HASH)) { 9483 continue; 9484 } 9485 } 9486#endif /* MBEDTLS_USE_PSA_CRYPTO */ 9487 9488 return hash_alg_received; 9489 } 9490 } 9491 9492 return MBEDTLS_SSL_HASH_NONE; 9493} 9494 9495#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 9496 9497#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 9498 9499int mbedtls_ssl_validate_ciphersuite( 9500 const mbedtls_ssl_context *ssl, 9501 const mbedtls_ssl_ciphersuite_t *suite_info, 9502 mbedtls_ssl_protocol_version min_tls_version, 9503 mbedtls_ssl_protocol_version max_tls_version) 9504{ 9505 (void) ssl; 9506 9507 if (suite_info == NULL) { 9508 return -1; 9509 } 9510 9511 if ((suite_info->min_tls_version > max_tls_version) || 9512 (suite_info->max_tls_version < min_tls_version)) { 9513 return -1; 9514 } 9515 9516#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C) 9517#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 9518#if defined(MBEDTLS_USE_PSA_CRYPTO) 9519 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 9520 ssl->handshake->psa_pake_ctx_is_ok != 1) 9521#else 9522 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 9523 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) 9524#endif /* MBEDTLS_USE_PSA_CRYPTO */ 9525 { 9526 return -1; 9527 } 9528#endif 9529 9530 /* Don't suggest PSK-based ciphersuite if no PSK is available. */ 9531#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 9532 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) && 9533 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) { 9534 return -1; 9535 } 9536#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 9537#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 9538 9539 return 0; 9540} 9541 9542#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 9543/* 9544 * Function for writing a signature algorithm extension. 9545 * 9546 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList` 9547 * value (TLS 1.3 RFC8446): 9548 * enum { 9549 * .... 9550 * ecdsa_secp256r1_sha256( 0x0403 ), 9551 * ecdsa_secp384r1_sha384( 0x0503 ), 9552 * ecdsa_secp521r1_sha512( 0x0603 ), 9553 * .... 9554 * } SignatureScheme; 9555 * 9556 * struct { 9557 * SignatureScheme supported_signature_algorithms<2..2^16-2>; 9558 * } SignatureSchemeList; 9559 * 9560 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm` 9561 * value (TLS 1.2 RFC5246): 9562 * enum { 9563 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 9564 * sha512(6), (255) 9565 * } HashAlgorithm; 9566 * 9567 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 9568 * SignatureAlgorithm; 9569 * 9570 * struct { 9571 * HashAlgorithm hash; 9572 * SignatureAlgorithm signature; 9573 * } SignatureAndHashAlgorithm; 9574 * 9575 * SignatureAndHashAlgorithm 9576 * supported_signature_algorithms<2..2^16-2>; 9577 * 9578 * The TLS 1.3 signature algorithm extension was defined to be a compatible 9579 * generalization of the TLS 1.2 signature algorithm extension. 9580 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by 9581 * `SignatureScheme` field of TLS 1.3 9582 * 9583 */ 9584int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf, 9585 const unsigned char *end, size_t *out_len) 9586{ 9587 unsigned char *p = buf; 9588 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */ 9589 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */ 9590 9591 *out_len = 0; 9592 9593 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension")); 9594 9595 /* Check if we have space for header and length field: 9596 * - extension_type (2 bytes) 9597 * - extension_data_length (2 bytes) 9598 * - supported_signature_algorithms_length (2 bytes) 9599 */ 9600 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); 9601 p += 6; 9602 9603 /* 9604 * Write supported_signature_algorithms 9605 */ 9606 supported_sig_alg = p; 9607 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); 9608 if (sig_alg == NULL) { 9609 return MBEDTLS_ERR_SSL_BAD_CONFIG; 9610 } 9611 9612 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) { 9613 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s", 9614 *sig_alg, 9615 mbedtls_ssl_sig_alg_to_str(*sig_alg))); 9616 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) { 9617 continue; 9618 } 9619 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 9620 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0); 9621 p += 2; 9622 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s", 9623 *sig_alg, 9624 mbedtls_ssl_sig_alg_to_str(*sig_alg))); 9625 } 9626 9627 /* Length of supported_signature_algorithms */ 9628 supported_sig_alg_len = (size_t) (p - supported_sig_alg); 9629 if (supported_sig_alg_len == 0) { 9630 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined.")); 9631 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 9632 } 9633 9634 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0); 9635 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2); 9636 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4); 9637 9638 *out_len = (size_t) (p - buf); 9639 9640#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 9641 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG); 9642#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 9643 9644 return 0; 9645} 9646#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 9647 9648#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 9649/* 9650 * mbedtls_ssl_parse_server_name_ext 9651 * 9652 * Structure of server_name extension: 9653 * 9654 * enum { 9655 * host_name(0), (255) 9656 * } NameType; 9657 * opaque HostName<1..2^16-1>; 9658 * 9659 * struct { 9660 * NameType name_type; 9661 * select (name_type) { 9662 * case host_name: HostName; 9663 * } name; 9664 * } ServerName; 9665 * struct { 9666 * ServerName server_name_list<1..2^16-1> 9667 * } ServerNameList; 9668 */ 9669MBEDTLS_CHECK_RETURN_CRITICAL 9670int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl, 9671 const unsigned char *buf, 9672 const unsigned char *end) 9673{ 9674 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 9675 const unsigned char *p = buf; 9676 size_t server_name_list_len, hostname_len; 9677 const unsigned char *server_name_list_end; 9678 9679 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension")); 9680 9681 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 9682 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0); 9683 p += 2; 9684 9685 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len); 9686 server_name_list_end = p + server_name_list_len; 9687 while (p < server_name_list_end) { 9688 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3); 9689 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1); 9690 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 9691 hostname_len + 3); 9692 9693 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) { 9694 /* sni_name is intended to be used only during the parsing of the 9695 * ClientHello message (it is reset to NULL before the end of 9696 * the message parsing). Thus it is ok to just point to the 9697 * reception buffer and not make a copy of it. 9698 */ 9699 ssl->handshake->sni_name = p + 3; 9700 ssl->handshake->sni_name_len = hostname_len; 9701 if (ssl->conf->f_sni == NULL) { 9702 return 0; 9703 } 9704 ret = ssl->conf->f_sni(ssl->conf->p_sni, 9705 ssl, p + 3, hostname_len); 9706 if (ret != 0) { 9707 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret); 9708 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME, 9709 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME); 9710 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME; 9711 } 9712 return 0; 9713 } 9714 9715 p += hostname_len + 3; 9716 } 9717 9718 return 0; 9719} 9720#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 9721 9722#if defined(MBEDTLS_SSL_ALPN) 9723MBEDTLS_CHECK_RETURN_CRITICAL 9724int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, 9725 const unsigned char *buf, 9726 const unsigned char *end) 9727{ 9728 const unsigned char *p = buf; 9729 size_t protocol_name_list_len; 9730 const unsigned char *protocol_name_list; 9731 const unsigned char *protocol_name_list_end; 9732 size_t protocol_name_len; 9733 9734 /* If ALPN not configured, just ignore the extension */ 9735 if (ssl->conf->alpn_list == NULL) { 9736 return 0; 9737 } 9738 9739 /* 9740 * RFC7301, section 3.1 9741 * opaque ProtocolName<1..2^8-1>; 9742 * 9743 * struct { 9744 * ProtocolName protocol_name_list<2..2^16-1> 9745 * } ProtocolNameList; 9746 */ 9747 9748 /* 9749 * protocol_name_list_len 2 bytes 9750 * protocol_name_len 1 bytes 9751 * protocol_name >=1 byte 9752 */ 9753 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4); 9754 9755 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0); 9756 p += 2; 9757 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len); 9758 protocol_name_list = p; 9759 protocol_name_list_end = p + protocol_name_list_len; 9760 9761 /* Validate peer's list (lengths) */ 9762 while (p < protocol_name_list_end) { 9763 protocol_name_len = *p++; 9764 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 9765 protocol_name_len); 9766 if (protocol_name_len == 0) { 9767 MBEDTLS_SSL_PEND_FATAL_ALERT( 9768 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 9769 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 9770 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 9771 } 9772 9773 p += protocol_name_len; 9774 } 9775 9776 /* Use our order of preference */ 9777 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) { 9778 size_t const alpn_len = strlen(*alpn); 9779 p = protocol_name_list; 9780 while (p < protocol_name_list_end) { 9781 protocol_name_len = *p++; 9782 if (protocol_name_len == alpn_len && 9783 memcmp(p, *alpn, alpn_len) == 0) { 9784 ssl->alpn_chosen = *alpn; 9785 return 0; 9786 } 9787 9788 p += protocol_name_len; 9789 } 9790 } 9791 9792 /* If we get here, no match was found */ 9793 MBEDTLS_SSL_PEND_FATAL_ALERT( 9794 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL, 9795 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL); 9796 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL; 9797} 9798 9799int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl, 9800 unsigned char *buf, 9801 unsigned char *end, 9802 size_t *out_len) 9803{ 9804 unsigned char *p = buf; 9805 size_t protocol_name_len; 9806 *out_len = 0; 9807 9808 if (ssl->alpn_chosen == NULL) { 9809 return 0; 9810 } 9811 9812 protocol_name_len = strlen(ssl->alpn_chosen); 9813 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len); 9814 9815 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension")); 9816 /* 9817 * 0 . 1 ext identifier 9818 * 2 . 3 ext length 9819 * 4 . 5 protocol list length 9820 * 6 . 6 protocol name length 9821 * 7 . 7+n protocol name 9822 */ 9823 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0); 9824 9825 *out_len = 7 + protocol_name_len; 9826 9827 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2); 9828 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4); 9829 /* Note: the length of the chosen protocol has been checked to be less 9830 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`. 9831 */ 9832 p[6] = MBEDTLS_BYTE_0(protocol_name_len); 9833 9834 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len); 9835 9836#if defined(MBEDTLS_SSL_PROTO_TLS1_3) 9837 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN); 9838#endif 9839 9840 return 0; 9841} 9842#endif /* MBEDTLS_SSL_ALPN */ 9843 9844#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 9845 defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 9846 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ 9847 defined(MBEDTLS_SSL_CLI_C) 9848int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, 9849 const char *hostname) 9850{ 9851 /* Initialize to suppress unnecessary compiler warning */ 9852 size_t hostname_len = 0; 9853 9854 /* Check if new hostname is valid before 9855 * making any change to current one */ 9856 if (hostname != NULL) { 9857 hostname_len = strlen(hostname); 9858 9859 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) { 9860 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9861 } 9862 } 9863 9864 /* Now it's clear that we will overwrite the old hostname, 9865 * so we can free it safely */ 9866 if (session->hostname != NULL) { 9867 mbedtls_zeroize_and_free(session->hostname, 9868 strlen(session->hostname)); 9869 } 9870 9871 /* Passing NULL as hostname shall clear the old one */ 9872 if (hostname == NULL) { 9873 session->hostname = NULL; 9874 } else { 9875 session->hostname = mbedtls_calloc(1, hostname_len + 1); 9876 if (session->hostname == NULL) { 9877 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 9878 } 9879 9880 memcpy(session->hostname, hostname, hostname_len); 9881 } 9882 9883 return 0; 9884} 9885#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && 9886 MBEDTLS_SSL_SESSION_TICKETS && 9887 MBEDTLS_SSL_SERVER_NAME_INDICATION && 9888 MBEDTLS_SSL_CLI_C */ 9889 9890#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \ 9891 defined(MBEDTLS_SSL_ALPN) 9892int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session, 9893 const char *alpn) 9894{ 9895 size_t alpn_len = 0; 9896 9897 if (alpn != NULL) { 9898 alpn_len = strlen(alpn); 9899 9900 if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) { 9901 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9902 } 9903 } 9904 9905 if (session->ticket_alpn != NULL) { 9906 mbedtls_zeroize_and_free(session->ticket_alpn, 9907 strlen(session->ticket_alpn)); 9908 session->ticket_alpn = NULL; 9909 } 9910 9911 if (alpn != NULL) { 9912 session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1); 9913 if (session->ticket_alpn == NULL) { 9914 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 9915 } 9916 memcpy(session->ticket_alpn, alpn, alpn_len); 9917 } 9918 9919 return 0; 9920} 9921#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */ 9922#endif /* MBEDTLS_SSL_TLS_C */ 9923