ssl_tls.c (336687B)
1 /* 2 * TLS shared functions 3 * 4 * Copyright The Mbed TLS Contributors 5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 6 */ 7 /* 8 * http://www.ietf.org/rfc/rfc2246.txt 9 * http://www.ietf.org/rfc/rfc4346.txt 10 */ 11 12 #include "common.h" 13 14 #if defined(MBEDTLS_SSL_TLS_C) 15 16 #include "mbedtls/platform.h" 17 18 #include "mbedtls/ssl.h" 19 #include "ssl_client.h" 20 #include "ssl_debug_helpers.h" 21 #include "ssl_misc.h" 22 #include "ssl_tls13_keys.h" 23 24 #include "debug_internal.h" 25 #include "mbedtls/error.h" 26 #include "mbedtls/platform_util.h" 27 #include "mbedtls/version.h" 28 #include "mbedtls/constant_time.h" 29 30 #include <string.h> 31 32 #if defined(MBEDTLS_USE_PSA_CRYPTO) 33 #include "mbedtls/psa_util.h" 34 #include "md_psa.h" 35 #include "psa_util_internal.h" 36 #include "psa/crypto.h" 37 #endif 38 39 #if defined(MBEDTLS_X509_CRT_PARSE_C) 40 #include "mbedtls/oid.h" 41 #endif 42 43 #if defined(MBEDTLS_USE_PSA_CRYPTO) 44 /* Define local translating functions to save code size by not using too many 45 * arguments in each translating place. */ 46 static int local_err_translation(psa_status_t status) 47 { 48 return psa_status_to_mbedtls(status, psa_to_ssl_errors, 49 ARRAY_LENGTH(psa_to_ssl_errors), 50 psa_generic_status_to_mbedtls); 51 } 52 #define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status) 53 #endif 54 55 #if defined(MBEDTLS_TEST_HOOKS) 56 static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args; 57 58 void mbedtls_ssl_set_chk_buf_ptr_fail_args( 59 const uint8_t *cur, const uint8_t *end, size_t need) 60 { 61 chk_buf_ptr_fail_args.cur = cur; 62 chk_buf_ptr_fail_args.end = end; 63 chk_buf_ptr_fail_args.need = need; 64 } 65 66 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void) 67 { 68 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args)); 69 } 70 71 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args) 72 { 73 return (chk_buf_ptr_fail_args.cur != args->cur) || 74 (chk_buf_ptr_fail_args.end != args->end) || 75 (chk_buf_ptr_fail_args.need != args->need); 76 } 77 #endif /* MBEDTLS_TEST_HOOKS */ 78 79 #if defined(MBEDTLS_SSL_PROTO_DTLS) 80 81 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 82 /* Top-level Connection ID API */ 83 84 int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, 85 size_t len, 86 int ignore_other_cid) 87 { 88 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) { 89 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 90 } 91 92 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL && 93 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) { 94 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 95 } 96 97 conf->ignore_unexpected_cid = ignore_other_cid; 98 conf->cid_len = len; 99 return 0; 100 } 101 102 int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl, 103 int enable, 104 unsigned char const *own_cid, 105 size_t own_cid_len) 106 { 107 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 108 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 109 } 110 111 ssl->negotiate_cid = enable; 112 if (enable == MBEDTLS_SSL_CID_DISABLED) { 113 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension.")); 114 return 0; 115 } 116 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension.")); 117 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len); 118 119 if (own_cid_len != ssl->conf->cid_len) { 120 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config", 121 (unsigned) own_cid_len, 122 (unsigned) ssl->conf->cid_len)); 123 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 124 } 125 126 memcpy(ssl->own_cid, own_cid, own_cid_len); 127 /* Truncation is not an issue here because 128 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */ 129 ssl->own_cid_len = (uint8_t) own_cid_len; 130 131 return 0; 132 } 133 134 int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl, 135 int *enabled, 136 unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX], 137 size_t *own_cid_len) 138 { 139 *enabled = MBEDTLS_SSL_CID_DISABLED; 140 141 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 142 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 143 } 144 145 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is 146 * zero as this is indistinguishable from not requesting to use 147 * the CID extension. */ 148 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) { 149 return 0; 150 } 151 152 if (own_cid_len != NULL) { 153 *own_cid_len = ssl->own_cid_len; 154 if (own_cid != NULL) { 155 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len); 156 } 157 } 158 159 *enabled = MBEDTLS_SSL_CID_ENABLED; 160 161 return 0; 162 } 163 164 int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl, 165 int *enabled, 166 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX], 167 size_t *peer_cid_len) 168 { 169 *enabled = MBEDTLS_SSL_CID_DISABLED; 170 171 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 172 mbedtls_ssl_is_handshake_over(ssl) == 0) { 173 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 174 } 175 176 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions 177 * were used, but client and server requested the empty CID. 178 * This is indistinguishable from not using the CID extension 179 * in the first place. */ 180 if (ssl->transform_in->in_cid_len == 0 && 181 ssl->transform_in->out_cid_len == 0) { 182 return 0; 183 } 184 185 if (peer_cid_len != NULL) { 186 *peer_cid_len = ssl->transform_in->out_cid_len; 187 if (peer_cid != NULL) { 188 memcpy(peer_cid, ssl->transform_in->out_cid, 189 ssl->transform_in->out_cid_len); 190 } 191 } 192 193 *enabled = MBEDTLS_SSL_CID_ENABLED; 194 195 return 0; 196 } 197 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 198 199 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 200 201 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 202 /* 203 * Convert max_fragment_length codes to length. 204 * RFC 6066 says: 205 * enum{ 206 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255) 207 * } MaxFragmentLength; 208 * and we add 0 -> extension unused 209 */ 210 static unsigned int ssl_mfl_code_to_length(int mfl) 211 { 212 switch (mfl) { 213 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE: 214 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN; 215 case MBEDTLS_SSL_MAX_FRAG_LEN_512: 216 return 512; 217 case MBEDTLS_SSL_MAX_FRAG_LEN_1024: 218 return 1024; 219 case MBEDTLS_SSL_MAX_FRAG_LEN_2048: 220 return 2048; 221 case MBEDTLS_SSL_MAX_FRAG_LEN_4096: 222 return 4096; 223 default: 224 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN; 225 } 226 } 227 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 228 229 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst, 230 const mbedtls_ssl_session *src) 231 { 232 mbedtls_ssl_session_free(dst); 233 memcpy(dst, src, sizeof(mbedtls_ssl_session)); 234 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 235 dst->ticket = NULL; 236 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 237 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 238 dst->hostname = NULL; 239 #endif 240 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 241 242 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \ 243 defined(MBEDTLS_SSL_EARLY_DATA) 244 dst->ticket_alpn = NULL; 245 #endif 246 247 #if defined(MBEDTLS_X509_CRT_PARSE_C) 248 249 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 250 if (src->peer_cert != NULL) { 251 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 252 253 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 254 if (dst->peer_cert == NULL) { 255 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 256 } 257 258 mbedtls_x509_crt_init(dst->peer_cert); 259 260 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p, 261 src->peer_cert->raw.len)) != 0) { 262 mbedtls_free(dst->peer_cert); 263 dst->peer_cert = NULL; 264 return ret; 265 } 266 } 267 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 268 if (src->peer_cert_digest != NULL) { 269 dst->peer_cert_digest = 270 mbedtls_calloc(1, src->peer_cert_digest_len); 271 if (dst->peer_cert_digest == NULL) { 272 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 273 } 274 275 memcpy(dst->peer_cert_digest, src->peer_cert_digest, 276 src->peer_cert_digest_len); 277 dst->peer_cert_digest_type = src->peer_cert_digest_type; 278 dst->peer_cert_digest_len = src->peer_cert_digest_len; 279 } 280 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 281 282 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 283 284 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \ 285 defined(MBEDTLS_SSL_EARLY_DATA) 286 { 287 int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn); 288 if (ret != 0) { 289 return ret; 290 } 291 } 292 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */ 293 294 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 295 if (src->ticket != NULL) { 296 dst->ticket = mbedtls_calloc(1, src->ticket_len); 297 if (dst->ticket == NULL) { 298 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 299 } 300 301 memcpy(dst->ticket, src->ticket, src->ticket_len); 302 } 303 304 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 305 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 306 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) { 307 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 308 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname); 309 if (ret != 0) { 310 return ret; 311 } 312 } 313 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && 314 MBEDTLS_SSL_SERVER_NAME_INDICATION */ 315 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 316 317 return 0; 318 } 319 320 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 321 MBEDTLS_CHECK_RETURN_CRITICAL 322 static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old) 323 { 324 unsigned char *resized_buffer = mbedtls_calloc(1, len_new); 325 if (resized_buffer == NULL) { 326 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 327 } 328 329 /* We want to copy len_new bytes when downsizing the buffer, and 330 * len_old bytes when upsizing, so we choose the smaller of two sizes, 331 * to fit one buffer into another. Size checks, ensuring that no data is 332 * lost, are done outside of this function. */ 333 memcpy(resized_buffer, *buffer, 334 (len_new < *len_old) ? len_new : *len_old); 335 mbedtls_zeroize_and_free(*buffer, *len_old); 336 337 *buffer = resized_buffer; 338 *len_old = len_new; 339 340 return 0; 341 } 342 343 static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing, 344 size_t in_buf_new_len, 345 size_t out_buf_new_len) 346 { 347 int modified = 0; 348 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0; 349 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0; 350 if (ssl->in_buf != NULL) { 351 written_in = ssl->in_msg - ssl->in_buf; 352 iv_offset_in = ssl->in_iv - ssl->in_buf; 353 len_offset_in = ssl->in_len - ssl->in_buf; 354 hdr_in = ssl->in_hdr - ssl->in_buf; 355 if (downsizing ? 356 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len : 357 ssl->in_buf_len < in_buf_new_len) { 358 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) { 359 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory")); 360 } else { 361 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET, 362 in_buf_new_len)); 363 modified = 1; 364 } 365 } 366 } 367 368 if (ssl->out_buf != NULL) { 369 written_out = ssl->out_msg - ssl->out_buf; 370 iv_offset_out = ssl->out_iv - ssl->out_buf; 371 len_offset_out = ssl->out_len - ssl->out_buf; 372 if (downsizing ? 373 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len : 374 ssl->out_buf_len < out_buf_new_len) { 375 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) { 376 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory")); 377 } else { 378 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET, 379 out_buf_new_len)); 380 modified = 1; 381 } 382 } 383 } 384 if (modified) { 385 /* Update pointers here to avoid doing it twice. */ 386 ssl->in_hdr = ssl->in_buf + hdr_in; 387 mbedtls_ssl_update_in_pointers(ssl); 388 mbedtls_ssl_reset_out_pointers(ssl); 389 390 /* Fields below might not be properly updated with record 391 * splitting or with CID, so they are manually updated here. */ 392 ssl->out_msg = ssl->out_buf + written_out; 393 ssl->out_len = ssl->out_buf + len_offset_out; 394 ssl->out_iv = ssl->out_buf + iv_offset_out; 395 396 ssl->in_msg = ssl->in_buf + written_in; 397 ssl->in_len = ssl->in_buf + len_offset_in; 398 ssl->in_iv = ssl->in_buf + iv_offset_in; 399 } 400 } 401 #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ 402 403 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 404 405 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 406 typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen, 407 const char *label, 408 const unsigned char *random, size_t rlen, 409 unsigned char *dstbuf, size_t dlen); 410 411 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id); 412 413 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 414 415 /* Type for the TLS PRF */ 416 typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *, 417 const unsigned char *, size_t, 418 unsigned char *, size_t); 419 420 MBEDTLS_CHECK_RETURN_CRITICAL 421 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, 422 int ciphersuite, 423 const unsigned char master[48], 424 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 425 int encrypt_then_mac, 426 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 427 ssl_tls_prf_t tls_prf, 428 const unsigned char randbytes[64], 429 mbedtls_ssl_protocol_version tls_version, 430 unsigned endpoint, 431 const mbedtls_ssl_context *ssl); 432 433 #if defined(MBEDTLS_MD_CAN_SHA256) 434 MBEDTLS_CHECK_RETURN_CRITICAL 435 static int tls_prf_sha256(const unsigned char *secret, size_t slen, 436 const char *label, 437 const unsigned char *random, size_t rlen, 438 unsigned char *dstbuf, size_t dlen); 439 static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *); 440 static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int); 441 442 #endif /* MBEDTLS_MD_CAN_SHA256*/ 443 444 #if defined(MBEDTLS_MD_CAN_SHA384) 445 MBEDTLS_CHECK_RETURN_CRITICAL 446 static int tls_prf_sha384(const unsigned char *secret, size_t slen, 447 const char *label, 448 const unsigned char *random, size_t rlen, 449 unsigned char *dstbuf, size_t dlen); 450 451 static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *); 452 static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int); 453 #endif /* MBEDTLS_MD_CAN_SHA384*/ 454 455 MBEDTLS_CHECK_RETURN_CRITICAL 456 static int ssl_tls12_session_load(mbedtls_ssl_session *session, 457 const unsigned char *buf, 458 size_t len); 459 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 460 461 static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t); 462 463 #if defined(MBEDTLS_MD_CAN_SHA256) 464 static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t); 465 #endif /* MBEDTLS_MD_CAN_SHA256*/ 466 467 #if defined(MBEDTLS_MD_CAN_SHA384) 468 static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t); 469 #endif /* MBEDTLS_MD_CAN_SHA384*/ 470 471 int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, 472 const unsigned char *secret, size_t slen, 473 const char *label, 474 const unsigned char *random, size_t rlen, 475 unsigned char *dstbuf, size_t dlen) 476 { 477 mbedtls_ssl_tls_prf_cb *tls_prf = NULL; 478 479 switch (prf) { 480 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 481 #if defined(MBEDTLS_MD_CAN_SHA384) 482 case MBEDTLS_SSL_TLS_PRF_SHA384: 483 tls_prf = tls_prf_sha384; 484 break; 485 #endif /* MBEDTLS_MD_CAN_SHA384*/ 486 #if defined(MBEDTLS_MD_CAN_SHA256) 487 case MBEDTLS_SSL_TLS_PRF_SHA256: 488 tls_prf = tls_prf_sha256; 489 break; 490 #endif /* MBEDTLS_MD_CAN_SHA256*/ 491 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 492 default: 493 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 494 } 495 496 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen); 497 } 498 499 #if defined(MBEDTLS_X509_CRT_PARSE_C) 500 static void ssl_clear_peer_cert(mbedtls_ssl_session *session) 501 { 502 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 503 if (session->peer_cert != NULL) { 504 mbedtls_x509_crt_free(session->peer_cert); 505 mbedtls_free(session->peer_cert); 506 session->peer_cert = NULL; 507 } 508 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 509 if (session->peer_cert_digest != NULL) { 510 /* Zeroization is not necessary. */ 511 mbedtls_free(session->peer_cert_digest); 512 session->peer_cert_digest = NULL; 513 session->peer_cert_digest_type = MBEDTLS_MD_NONE; 514 session->peer_cert_digest_len = 0; 515 } 516 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 517 } 518 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 519 520 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type) 521 { 522 switch (extension_type) { 523 case MBEDTLS_TLS_EXT_SERVERNAME: 524 return MBEDTLS_SSL_EXT_ID_SERVERNAME; 525 526 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH: 527 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH; 528 529 case MBEDTLS_TLS_EXT_STATUS_REQUEST: 530 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST; 531 532 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS: 533 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS; 534 535 case MBEDTLS_TLS_EXT_SIG_ALG: 536 return MBEDTLS_SSL_EXT_ID_SIG_ALG; 537 538 case MBEDTLS_TLS_EXT_USE_SRTP: 539 return MBEDTLS_SSL_EXT_ID_USE_SRTP; 540 541 case MBEDTLS_TLS_EXT_HEARTBEAT: 542 return MBEDTLS_SSL_EXT_ID_HEARTBEAT; 543 544 case MBEDTLS_TLS_EXT_ALPN: 545 return MBEDTLS_SSL_EXT_ID_ALPN; 546 547 case MBEDTLS_TLS_EXT_SCT: 548 return MBEDTLS_SSL_EXT_ID_SCT; 549 550 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE: 551 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE; 552 553 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE: 554 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE; 555 556 case MBEDTLS_TLS_EXT_PADDING: 557 return MBEDTLS_SSL_EXT_ID_PADDING; 558 559 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: 560 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY; 561 562 case MBEDTLS_TLS_EXT_EARLY_DATA: 563 return MBEDTLS_SSL_EXT_ID_EARLY_DATA; 564 565 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: 566 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS; 567 568 case MBEDTLS_TLS_EXT_COOKIE: 569 return MBEDTLS_SSL_EXT_ID_COOKIE; 570 571 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES: 572 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES; 573 574 case MBEDTLS_TLS_EXT_CERT_AUTH: 575 return MBEDTLS_SSL_EXT_ID_CERT_AUTH; 576 577 case MBEDTLS_TLS_EXT_OID_FILTERS: 578 return MBEDTLS_SSL_EXT_ID_OID_FILTERS; 579 580 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH: 581 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH; 582 583 case MBEDTLS_TLS_EXT_SIG_ALG_CERT: 584 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT; 585 586 case MBEDTLS_TLS_EXT_KEY_SHARE: 587 return MBEDTLS_SSL_EXT_ID_KEY_SHARE; 588 589 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC: 590 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC; 591 592 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS: 593 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS; 594 595 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC: 596 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC; 597 598 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET: 599 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET; 600 601 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT: 602 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT; 603 604 case MBEDTLS_TLS_EXT_SESSION_TICKET: 605 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET; 606 607 } 608 609 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED; 610 } 611 612 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type) 613 { 614 return 1 << mbedtls_ssl_get_extension_id(extension_type); 615 } 616 617 #if defined(MBEDTLS_DEBUG_C) 618 static const char *extension_name_table[] = { 619 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized", 620 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name", 621 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length", 622 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request", 623 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups", 624 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms", 625 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp", 626 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat", 627 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation", 628 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp", 629 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type", 630 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type", 631 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding", 632 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key", 633 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data", 634 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions", 635 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie", 636 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes", 637 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities", 638 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters", 639 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth", 640 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert", 641 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share", 642 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac", 643 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats", 644 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac", 645 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret", 646 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket", 647 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit" 648 }; 649 650 static const unsigned int extension_type_table[] = { 651 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff, 652 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME, 653 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH, 654 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST, 655 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS, 656 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG, 657 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP, 658 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT, 659 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN, 660 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT, 661 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE, 662 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE, 663 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING, 664 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY, 665 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA, 666 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS, 667 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE, 668 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES, 669 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH, 670 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS, 671 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH, 672 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT, 673 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE, 674 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC, 675 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS, 676 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC, 677 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET, 678 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET, 679 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT 680 }; 681 682 const char *mbedtls_ssl_get_extension_name(unsigned int extension_type) 683 { 684 return extension_name_table[ 685 mbedtls_ssl_get_extension_id(extension_type)]; 686 } 687 688 static const char *ssl_tls13_get_hs_msg_name(int hs_msg_type) 689 { 690 switch (hs_msg_type) { 691 case MBEDTLS_SSL_HS_CLIENT_HELLO: 692 return "ClientHello"; 693 case MBEDTLS_SSL_HS_SERVER_HELLO: 694 return "ServerHello"; 695 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST: 696 return "HelloRetryRequest"; 697 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET: 698 return "NewSessionTicket"; 699 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS: 700 return "EncryptedExtensions"; 701 case MBEDTLS_SSL_HS_CERTIFICATE: 702 return "Certificate"; 703 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST: 704 return "CertificateRequest"; 705 } 706 return "Unknown"; 707 } 708 709 void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl, 710 int level, const char *file, int line, 711 int hs_msg_type, unsigned int extension_type, 712 const char *extra_msg0, const char *extra_msg1) 713 { 714 const char *extra_msg; 715 if (extra_msg0 && extra_msg1) { 716 mbedtls_debug_print_msg( 717 ssl, level, file, line, 718 "%s: %s(%u) extension %s %s.", 719 ssl_tls13_get_hs_msg_name(hs_msg_type), 720 mbedtls_ssl_get_extension_name(extension_type), 721 extension_type, 722 extra_msg0, extra_msg1); 723 return; 724 } 725 726 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1; 727 if (extra_msg) { 728 mbedtls_debug_print_msg( 729 ssl, level, file, line, 730 "%s: %s(%u) extension %s.", ssl_tls13_get_hs_msg_name(hs_msg_type), 731 mbedtls_ssl_get_extension_name(extension_type), extension_type, 732 extra_msg); 733 return; 734 } 735 736 mbedtls_debug_print_msg( 737 ssl, level, file, line, 738 "%s: %s(%u) extension.", ssl_tls13_get_hs_msg_name(hs_msg_type), 739 mbedtls_ssl_get_extension_name(extension_type), extension_type); 740 } 741 742 void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl, 743 int level, const char *file, int line, 744 int hs_msg_type, uint32_t extensions_mask, 745 const char *extra) 746 { 747 748 for (unsigned i = 0; 749 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]); 750 i++) { 751 mbedtls_ssl_print_extension( 752 ssl, level, file, line, hs_msg_type, extension_type_table[i], 753 extensions_mask & (1 << i) ? "exists" : "does not exist", extra); 754 } 755 } 756 757 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 758 static const char *ticket_flag_name_table[] = 759 { 760 [0] = "ALLOW_PSK_RESUMPTION", 761 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION", 762 [3] = "ALLOW_EARLY_DATA", 763 }; 764 765 void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl, 766 int level, const char *file, int line, 767 unsigned int flags) 768 { 769 size_t i; 770 771 mbedtls_debug_print_msg(ssl, level, file, line, 772 "print ticket_flags (0x%02x)", flags); 773 774 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK; 775 776 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) { 777 if ((flags & (1 << i))) { 778 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.", 779 ticket_flag_name_table[i]); 780 } 781 } 782 } 783 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 784 785 #endif /* MBEDTLS_DEBUG_C */ 786 787 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, 788 const mbedtls_ssl_ciphersuite_t *ciphersuite_info) 789 { 790 ((void) ciphersuite_info); 791 792 #if defined(MBEDTLS_MD_CAN_SHA384) 793 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 794 ssl->handshake->update_checksum = ssl_update_checksum_sha384; 795 } else 796 #endif 797 #if defined(MBEDTLS_MD_CAN_SHA256) 798 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) { 799 ssl->handshake->update_checksum = ssl_update_checksum_sha256; 800 } else 801 #endif 802 { 803 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 804 return; 805 } 806 } 807 808 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, 809 unsigned hs_type, 810 size_t total_hs_len) 811 { 812 unsigned char hs_hdr[4]; 813 814 /* Build HS header for checksum update. */ 815 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type); 816 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len); 817 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len); 818 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len); 819 820 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr)); 821 } 822 823 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, 824 unsigned hs_type, 825 unsigned char const *msg, 826 size_t msg_len) 827 { 828 int ret; 829 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len); 830 if (ret != 0) { 831 return ret; 832 } 833 return ssl->handshake->update_checksum(ssl, msg, msg_len); 834 } 835 836 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl) 837 { 838 #if defined(MBEDTLS_MD_CAN_SHA256) || \ 839 defined(MBEDTLS_MD_CAN_SHA384) 840 #if defined(MBEDTLS_USE_PSA_CRYPTO) 841 psa_status_t status; 842 #else 843 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 844 #endif 845 #else /* SHA-256 or SHA-384 */ 846 ((void) ssl); 847 #endif /* SHA-256 or SHA-384 */ 848 #if defined(MBEDTLS_MD_CAN_SHA256) 849 #if defined(MBEDTLS_USE_PSA_CRYPTO) 850 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa); 851 if (status != PSA_SUCCESS) { 852 return mbedtls_md_error_from_psa(status); 853 } 854 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256); 855 if (status != PSA_SUCCESS) { 856 return mbedtls_md_error_from_psa(status); 857 } 858 #else 859 mbedtls_md_free(&ssl->handshake->fin_sha256); 860 mbedtls_md_init(&ssl->handshake->fin_sha256); 861 ret = mbedtls_md_setup(&ssl->handshake->fin_sha256, 862 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 863 0); 864 if (ret != 0) { 865 return ret; 866 } 867 ret = mbedtls_md_starts(&ssl->handshake->fin_sha256); 868 if (ret != 0) { 869 return ret; 870 } 871 #endif 872 #endif 873 #if defined(MBEDTLS_MD_CAN_SHA384) 874 #if defined(MBEDTLS_USE_PSA_CRYPTO) 875 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa); 876 if (status != PSA_SUCCESS) { 877 return mbedtls_md_error_from_psa(status); 878 } 879 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384); 880 if (status != PSA_SUCCESS) { 881 return mbedtls_md_error_from_psa(status); 882 } 883 #else 884 mbedtls_md_free(&ssl->handshake->fin_sha384); 885 mbedtls_md_init(&ssl->handshake->fin_sha384); 886 ret = mbedtls_md_setup(&ssl->handshake->fin_sha384, 887 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); 888 if (ret != 0) { 889 return ret; 890 } 891 ret = mbedtls_md_starts(&ssl->handshake->fin_sha384); 892 if (ret != 0) { 893 return ret; 894 } 895 #endif 896 #endif 897 return 0; 898 } 899 900 static int ssl_update_checksum_start(mbedtls_ssl_context *ssl, 901 const unsigned char *buf, size_t len) 902 { 903 #if defined(MBEDTLS_MD_CAN_SHA256) || \ 904 defined(MBEDTLS_MD_CAN_SHA384) 905 #if defined(MBEDTLS_USE_PSA_CRYPTO) 906 psa_status_t status; 907 #else 908 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 909 #endif 910 #else /* SHA-256 or SHA-384 */ 911 ((void) ssl); 912 (void) buf; 913 (void) len; 914 #endif /* SHA-256 or SHA-384 */ 915 #if defined(MBEDTLS_MD_CAN_SHA256) 916 #if defined(MBEDTLS_USE_PSA_CRYPTO) 917 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len); 918 if (status != PSA_SUCCESS) { 919 return mbedtls_md_error_from_psa(status); 920 } 921 #else 922 ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len); 923 if (ret != 0) { 924 return ret; 925 } 926 #endif 927 #endif 928 #if defined(MBEDTLS_MD_CAN_SHA384) 929 #if defined(MBEDTLS_USE_PSA_CRYPTO) 930 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len); 931 if (status != PSA_SUCCESS) { 932 return mbedtls_md_error_from_psa(status); 933 } 934 #else 935 ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len); 936 if (ret != 0) { 937 return ret; 938 } 939 #endif 940 #endif 941 return 0; 942 } 943 944 #if defined(MBEDTLS_MD_CAN_SHA256) 945 static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl, 946 const unsigned char *buf, size_t len) 947 { 948 #if defined(MBEDTLS_USE_PSA_CRYPTO) 949 return mbedtls_md_error_from_psa(psa_hash_update( 950 &ssl->handshake->fin_sha256_psa, buf, len)); 951 #else 952 return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len); 953 #endif 954 } 955 #endif 956 957 #if defined(MBEDTLS_MD_CAN_SHA384) 958 static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl, 959 const unsigned char *buf, size_t len) 960 { 961 #if defined(MBEDTLS_USE_PSA_CRYPTO) 962 return mbedtls_md_error_from_psa(psa_hash_update( 963 &ssl->handshake->fin_sha384_psa, buf, len)); 964 #else 965 return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len); 966 #endif 967 } 968 #endif 969 970 static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake) 971 { 972 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params)); 973 974 #if defined(MBEDTLS_MD_CAN_SHA256) 975 #if defined(MBEDTLS_USE_PSA_CRYPTO) 976 handshake->fin_sha256_psa = psa_hash_operation_init(); 977 #else 978 mbedtls_md_init(&handshake->fin_sha256); 979 #endif 980 #endif 981 #if defined(MBEDTLS_MD_CAN_SHA384) 982 #if defined(MBEDTLS_USE_PSA_CRYPTO) 983 handshake->fin_sha384_psa = psa_hash_operation_init(); 984 #else 985 mbedtls_md_init(&handshake->fin_sha384); 986 #endif 987 #endif 988 989 handshake->update_checksum = ssl_update_checksum_start; 990 991 #if defined(MBEDTLS_DHM_C) 992 mbedtls_dhm_init(&handshake->dhm_ctx); 993 #endif 994 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 995 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) 996 mbedtls_ecdh_init(&handshake->ecdh_ctx); 997 #endif 998 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 999 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1000 handshake->psa_pake_ctx = psa_pake_operation_init(); 1001 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; 1002 #else 1003 mbedtls_ecjpake_init(&handshake->ecjpake_ctx); 1004 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1005 #if defined(MBEDTLS_SSL_CLI_C) 1006 handshake->ecjpake_cache = NULL; 1007 handshake->ecjpake_cache_len = 0; 1008 #endif 1009 #endif 1010 1011 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 1012 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx); 1013 #endif 1014 1015 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1016 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET; 1017 #endif 1018 1019 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 1020 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 1021 mbedtls_pk_init(&handshake->peer_pubkey); 1022 #endif 1023 } 1024 1025 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform) 1026 { 1027 memset(transform, 0, sizeof(mbedtls_ssl_transform)); 1028 1029 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1030 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT; 1031 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT; 1032 #else 1033 mbedtls_cipher_init(&transform->cipher_ctx_enc); 1034 mbedtls_cipher_init(&transform->cipher_ctx_dec); 1035 #endif 1036 1037 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1038 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1039 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT; 1040 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT; 1041 #else 1042 mbedtls_md_init(&transform->md_ctx_enc); 1043 mbedtls_md_init(&transform->md_ctx_dec); 1044 #endif 1045 #endif 1046 } 1047 1048 void mbedtls_ssl_session_init(mbedtls_ssl_session *session) 1049 { 1050 memset(session, 0, sizeof(mbedtls_ssl_session)); 1051 } 1052 1053 MBEDTLS_CHECK_RETURN_CRITICAL 1054 static int ssl_handshake_init(mbedtls_ssl_context *ssl) 1055 { 1056 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1057 1058 /* Clear old handshake information if present */ 1059 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1060 if (ssl->transform_negotiate) { 1061 mbedtls_ssl_transform_free(ssl->transform_negotiate); 1062 } 1063 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1064 if (ssl->session_negotiate) { 1065 mbedtls_ssl_session_free(ssl->session_negotiate); 1066 } 1067 if (ssl->handshake) { 1068 mbedtls_ssl_handshake_free(ssl); 1069 } 1070 1071 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1072 /* 1073 * Either the pointers are now NULL or cleared properly and can be freed. 1074 * Now allocate missing structures. 1075 */ 1076 if (ssl->transform_negotiate == NULL) { 1077 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform)); 1078 } 1079 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1080 1081 if (ssl->session_negotiate == NULL) { 1082 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session)); 1083 } 1084 1085 if (ssl->handshake == NULL) { 1086 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params)); 1087 } 1088 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1089 /* If the buffers are too small - reallocate */ 1090 1091 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN, 1092 MBEDTLS_SSL_OUT_BUFFER_LEN); 1093 #endif 1094 1095 /* All pointers should exist and can be directly freed without issue */ 1096 if (ssl->handshake == NULL || 1097 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1098 ssl->transform_negotiate == NULL || 1099 #endif 1100 ssl->session_negotiate == NULL) { 1101 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed")); 1102 1103 mbedtls_free(ssl->handshake); 1104 ssl->handshake = NULL; 1105 1106 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1107 mbedtls_free(ssl->transform_negotiate); 1108 ssl->transform_negotiate = NULL; 1109 #endif 1110 1111 mbedtls_free(ssl->session_negotiate); 1112 ssl->session_negotiate = NULL; 1113 1114 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1115 } 1116 1117 #if defined(MBEDTLS_SSL_EARLY_DATA) 1118 #if defined(MBEDTLS_SSL_CLI_C) 1119 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE; 1120 #endif 1121 #if defined(MBEDTLS_SSL_SRV_C) 1122 ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD; 1123 #endif 1124 ssl->total_early_data_size = 0; 1125 #endif /* MBEDTLS_SSL_EARLY_DATA */ 1126 1127 /* Initialize structures */ 1128 mbedtls_ssl_session_init(ssl->session_negotiate); 1129 ssl_handshake_params_init(ssl->handshake); 1130 1131 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1132 mbedtls_ssl_transform_init(ssl->transform_negotiate); 1133 #endif 1134 1135 /* Setup handshake checksums */ 1136 ret = mbedtls_ssl_reset_checksum(ssl); 1137 if (ret != 0) { 1138 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret); 1139 return ret; 1140 } 1141 1142 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 1143 defined(MBEDTLS_SSL_SRV_C) && \ 1144 defined(MBEDTLS_SSL_SESSION_TICKETS) 1145 ssl->handshake->new_session_tickets_count = 1146 ssl->conf->new_session_tickets_count; 1147 #endif 1148 1149 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1150 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1151 ssl->handshake->alt_transform_out = ssl->transform_out; 1152 1153 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 1154 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING; 1155 } else { 1156 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING; 1157 } 1158 1159 mbedtls_ssl_set_timer(ssl, 0); 1160 } 1161 #endif 1162 1163 /* 1164 * curve_list is translated to IANA TLS group identifiers here because 1165 * mbedtls_ssl_conf_curves returns void and so can't return 1166 * any error codes. 1167 */ 1168 #if defined(MBEDTLS_ECP_C) 1169 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1170 /* Heap allocate and translate curve_list from internal to IANA group ids */ 1171 if (ssl->conf->curve_list != NULL) { 1172 size_t length; 1173 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list; 1174 1175 for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) { 1176 } 1177 1178 /* Leave room for zero termination */ 1179 uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t)); 1180 if (group_list == NULL) { 1181 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1182 } 1183 1184 for (size_t i = 0; i < length; i++) { 1185 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id( 1186 curve_list[i]); 1187 if (tls_id == 0) { 1188 mbedtls_free(group_list); 1189 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1190 } 1191 group_list[i] = tls_id; 1192 } 1193 1194 group_list[length] = 0; 1195 1196 ssl->handshake->group_list = group_list; 1197 ssl->handshake->group_list_heap_allocated = 1; 1198 } else { 1199 ssl->handshake->group_list = ssl->conf->group_list; 1200 ssl->handshake->group_list_heap_allocated = 0; 1201 } 1202 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 1203 #endif /* MBEDTLS_ECP_C */ 1204 1205 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 1206 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 1207 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1208 /* Heap allocate and translate sig_hashes from internal hash identifiers to 1209 signature algorithms IANA identifiers. */ 1210 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) && 1211 ssl->conf->sig_hashes != NULL) { 1212 const int *md; 1213 const int *sig_hashes = ssl->conf->sig_hashes; 1214 size_t sig_algs_len = 0; 1215 uint16_t *p; 1216 1217 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 1218 <= (SIZE_MAX - (2 * sizeof(uint16_t))), 1219 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big"); 1220 1221 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) { 1222 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) { 1223 continue; 1224 } 1225 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 1226 sig_algs_len += sizeof(uint16_t); 1227 #endif 1228 1229 #if defined(MBEDTLS_RSA_C) 1230 sig_algs_len += sizeof(uint16_t); 1231 #endif 1232 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) { 1233 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1234 } 1235 } 1236 1237 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) { 1238 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1239 } 1240 1241 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len + 1242 sizeof(uint16_t)); 1243 if (ssl->handshake->sig_algs == NULL) { 1244 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1245 } 1246 1247 p = (uint16_t *) ssl->handshake->sig_algs; 1248 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) { 1249 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md); 1250 if (hash == MBEDTLS_SSL_HASH_NONE) { 1251 continue; 1252 } 1253 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 1254 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA); 1255 p++; 1256 #endif 1257 #if defined(MBEDTLS_RSA_C) 1258 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA); 1259 p++; 1260 #endif 1261 } 1262 *p = MBEDTLS_TLS_SIG_NONE; 1263 ssl->handshake->sig_algs_heap_allocated = 1; 1264 } else 1265 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1266 { 1267 ssl->handshake->sig_algs_heap_allocated = 0; 1268 } 1269 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 1270 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 1271 return 0; 1272 } 1273 1274 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 1275 /* Dummy cookie callbacks for defaults */ 1276 MBEDTLS_CHECK_RETURN_CRITICAL 1277 static int ssl_cookie_write_dummy(void *ctx, 1278 unsigned char **p, unsigned char *end, 1279 const unsigned char *cli_id, size_t cli_id_len) 1280 { 1281 ((void) ctx); 1282 ((void) p); 1283 ((void) end); 1284 ((void) cli_id); 1285 ((void) cli_id_len); 1286 1287 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1288 } 1289 1290 MBEDTLS_CHECK_RETURN_CRITICAL 1291 static int ssl_cookie_check_dummy(void *ctx, 1292 const unsigned char *cookie, size_t cookie_len, 1293 const unsigned char *cli_id, size_t cli_id_len) 1294 { 1295 ((void) ctx); 1296 ((void) cookie); 1297 ((void) cookie_len); 1298 ((void) cli_id); 1299 ((void) cli_id_len); 1300 1301 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1302 } 1303 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */ 1304 1305 /* 1306 * Initialize an SSL context 1307 */ 1308 void mbedtls_ssl_init(mbedtls_ssl_context *ssl) 1309 { 1310 memset(ssl, 0, sizeof(mbedtls_ssl_context)); 1311 } 1312 1313 MBEDTLS_CHECK_RETURN_CRITICAL 1314 static int ssl_conf_version_check(const mbedtls_ssl_context *ssl) 1315 { 1316 const mbedtls_ssl_config *conf = ssl->conf; 1317 1318 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1319 if (mbedtls_ssl_conf_is_tls13_only(conf)) { 1320 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1321 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported.")); 1322 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1323 } 1324 1325 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only.")); 1326 return 0; 1327 } 1328 #endif 1329 1330 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1331 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 1332 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only.")); 1333 return 0; 1334 } 1335 #endif 1336 1337 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 1338 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) { 1339 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1340 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2")); 1341 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1342 } 1343 1344 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2.")); 1345 return 0; 1346 } 1347 #endif 1348 1349 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid.")); 1350 return MBEDTLS_ERR_SSL_BAD_CONFIG; 1351 } 1352 1353 MBEDTLS_CHECK_RETURN_CRITICAL 1354 static int ssl_conf_check(const mbedtls_ssl_context *ssl) 1355 { 1356 int ret; 1357 ret = ssl_conf_version_check(ssl); 1358 if (ret != 0) { 1359 return ret; 1360 } 1361 1362 if (ssl->conf->f_rng == NULL) { 1363 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided")); 1364 return MBEDTLS_ERR_SSL_NO_RNG; 1365 } 1366 1367 /* Space for further checks */ 1368 1369 return 0; 1370 } 1371 1372 /* 1373 * Setup an SSL context 1374 */ 1375 1376 int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, 1377 const mbedtls_ssl_config *conf) 1378 { 1379 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1380 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 1381 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 1382 1383 ssl->conf = conf; 1384 1385 if ((ret = ssl_conf_check(ssl)) != 0) { 1386 return ret; 1387 } 1388 ssl->tls_version = ssl->conf->max_tls_version; 1389 1390 /* 1391 * Prepare base structures 1392 */ 1393 1394 /* Set to NULL in case of an error condition */ 1395 ssl->out_buf = NULL; 1396 1397 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1398 ssl->in_buf_len = in_buf_len; 1399 #endif 1400 ssl->in_buf = mbedtls_calloc(1, in_buf_len); 1401 if (ssl->in_buf == NULL) { 1402 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len)); 1403 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 1404 goto error; 1405 } 1406 1407 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1408 ssl->out_buf_len = out_buf_len; 1409 #endif 1410 ssl->out_buf = mbedtls_calloc(1, out_buf_len); 1411 if (ssl->out_buf == NULL) { 1412 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len)); 1413 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 1414 goto error; 1415 } 1416 1417 mbedtls_ssl_reset_in_pointers(ssl); 1418 mbedtls_ssl_reset_out_pointers(ssl); 1419 1420 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1421 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info)); 1422 #endif 1423 1424 if ((ret = ssl_handshake_init(ssl)) != 0) { 1425 goto error; 1426 } 1427 1428 return 0; 1429 1430 error: 1431 mbedtls_free(ssl->in_buf); 1432 mbedtls_free(ssl->out_buf); 1433 1434 ssl->conf = NULL; 1435 1436 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1437 ssl->in_buf_len = 0; 1438 ssl->out_buf_len = 0; 1439 #endif 1440 ssl->in_buf = NULL; 1441 ssl->out_buf = NULL; 1442 1443 ssl->in_hdr = NULL; 1444 ssl->in_ctr = NULL; 1445 ssl->in_len = NULL; 1446 ssl->in_iv = NULL; 1447 ssl->in_msg = NULL; 1448 1449 ssl->out_hdr = NULL; 1450 ssl->out_ctr = NULL; 1451 ssl->out_len = NULL; 1452 ssl->out_iv = NULL; 1453 ssl->out_msg = NULL; 1454 1455 return ret; 1456 } 1457 1458 /* 1459 * Reset an initialized and used SSL context for re-use while retaining 1460 * all application-set variables, function pointers and data. 1461 * 1462 * If partial is non-zero, keep data in the input buffer and client ID. 1463 * (Use when a DTLS client reconnects from the same port.) 1464 */ 1465 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, 1466 int partial) 1467 { 1468 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 1469 size_t in_buf_len = ssl->in_buf_len; 1470 size_t out_buf_len = ssl->out_buf_len; 1471 #else 1472 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 1473 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 1474 #endif 1475 1476 #if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C) 1477 partial = 0; 1478 #endif 1479 1480 /* Cancel any possibly running timer */ 1481 mbedtls_ssl_set_timer(ssl, 0); 1482 1483 mbedtls_ssl_reset_in_pointers(ssl); 1484 mbedtls_ssl_reset_out_pointers(ssl); 1485 1486 /* Reset incoming message parsing */ 1487 ssl->in_offt = NULL; 1488 ssl->nb_zero = 0; 1489 ssl->in_msgtype = 0; 1490 ssl->in_msglen = 0; 1491 ssl->in_hslen = 0; 1492 ssl->keep_current_message = 0; 1493 ssl->transform_in = NULL; 1494 1495 /* TLS: reset in_hsfraglen, which is part of message parsing. 1496 * DTLS: on a client reconnect, don't reset badmac_seen. */ 1497 if (!partial) { 1498 ssl->badmac_seen_or_in_hsfraglen = 0; 1499 } 1500 1501 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1502 ssl->next_record_offset = 0; 1503 ssl->in_epoch = 0; 1504 #endif 1505 1506 /* Keep current datagram if partial == 1 */ 1507 if (partial == 0) { 1508 ssl->in_left = 0; 1509 memset(ssl->in_buf, 0, in_buf_len); 1510 } 1511 1512 ssl->send_alert = 0; 1513 1514 /* Reset outgoing message writing */ 1515 ssl->out_msgtype = 0; 1516 ssl->out_msglen = 0; 1517 ssl->out_left = 0; 1518 memset(ssl->out_buf, 0, out_buf_len); 1519 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr)); 1520 ssl->transform_out = NULL; 1521 1522 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1523 mbedtls_ssl_dtls_replay_reset(ssl); 1524 #endif 1525 1526 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1527 if (ssl->transform) { 1528 mbedtls_ssl_transform_free(ssl->transform); 1529 mbedtls_free(ssl->transform); 1530 ssl->transform = NULL; 1531 } 1532 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1533 1534 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1535 mbedtls_ssl_transform_free(ssl->transform_application); 1536 mbedtls_free(ssl->transform_application); 1537 ssl->transform_application = NULL; 1538 1539 if (ssl->handshake != NULL) { 1540 #if defined(MBEDTLS_SSL_EARLY_DATA) 1541 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata); 1542 mbedtls_free(ssl->handshake->transform_earlydata); 1543 ssl->handshake->transform_earlydata = NULL; 1544 #endif 1545 1546 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake); 1547 mbedtls_free(ssl->handshake->transform_handshake); 1548 ssl->handshake->transform_handshake = NULL; 1549 } 1550 1551 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1552 } 1553 1554 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial) 1555 { 1556 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1557 1558 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST); 1559 ssl->tls_version = ssl->conf->max_tls_version; 1560 1561 mbedtls_ssl_session_reset_msg_layer(ssl, partial); 1562 1563 /* Reset renegotiation state */ 1564 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1565 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE; 1566 ssl->renego_records_seen = 0; 1567 1568 ssl->verify_data_len = 0; 1569 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN); 1570 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN); 1571 #endif 1572 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION; 1573 1574 ssl->session_in = NULL; 1575 ssl->session_out = NULL; 1576 if (ssl->session) { 1577 mbedtls_ssl_session_free(ssl->session); 1578 mbedtls_free(ssl->session); 1579 ssl->session = NULL; 1580 } 1581 1582 #if defined(MBEDTLS_SSL_ALPN) 1583 ssl->alpn_chosen = NULL; 1584 #endif 1585 1586 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 1587 int free_cli_id = 1; 1588 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) 1589 free_cli_id = (partial == 0); 1590 #endif 1591 if (free_cli_id) { 1592 mbedtls_free(ssl->cli_id); 1593 ssl->cli_id = NULL; 1594 ssl->cli_id_len = 0; 1595 } 1596 #endif 1597 1598 if ((ret = ssl_handshake_init(ssl)) != 0) { 1599 return ret; 1600 } 1601 1602 return 0; 1603 } 1604 1605 /* 1606 * Reset an initialized and used SSL context for re-use while retaining 1607 * all application-set variables, function pointers and data. 1608 */ 1609 int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl) 1610 { 1611 return mbedtls_ssl_session_reset_int(ssl, 0); 1612 } 1613 1614 /* 1615 * SSL set accessors 1616 */ 1617 void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint) 1618 { 1619 conf->endpoint = endpoint; 1620 } 1621 1622 void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport) 1623 { 1624 conf->transport = transport; 1625 } 1626 1627 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1628 void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode) 1629 { 1630 conf->anti_replay = mode; 1631 } 1632 #endif 1633 1634 void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit) 1635 { 1636 conf->badmac_limit = limit; 1637 } 1638 1639 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1640 1641 void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl, 1642 unsigned allow_packing) 1643 { 1644 ssl->disable_datagram_packing = !allow_packing; 1645 } 1646 1647 void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf, 1648 uint32_t min, uint32_t max) 1649 { 1650 conf->hs_timeout_min = min; 1651 conf->hs_timeout_max = max; 1652 } 1653 #endif 1654 1655 void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode) 1656 { 1657 conf->authmode = authmode; 1658 } 1659 1660 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1661 void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf, 1662 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 1663 void *p_vrfy) 1664 { 1665 conf->f_vrfy = f_vrfy; 1666 conf->p_vrfy = p_vrfy; 1667 } 1668 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1669 1670 void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf, 1671 int (*f_rng)(void *, unsigned char *, size_t), 1672 void *p_rng) 1673 { 1674 conf->f_rng = f_rng; 1675 conf->p_rng = p_rng; 1676 } 1677 1678 void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf, 1679 void (*f_dbg)(void *, int, const char *, int, const char *), 1680 void *p_dbg) 1681 { 1682 conf->f_dbg = f_dbg; 1683 conf->p_dbg = p_dbg; 1684 } 1685 1686 void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl, 1687 void *p_bio, 1688 mbedtls_ssl_send_t *f_send, 1689 mbedtls_ssl_recv_t *f_recv, 1690 mbedtls_ssl_recv_timeout_t *f_recv_timeout) 1691 { 1692 ssl->p_bio = p_bio; 1693 ssl->f_send = f_send; 1694 ssl->f_recv = f_recv; 1695 ssl->f_recv_timeout = f_recv_timeout; 1696 } 1697 1698 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1699 void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu) 1700 { 1701 ssl->mtu = mtu; 1702 } 1703 #endif 1704 1705 void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout) 1706 { 1707 conf->read_timeout = timeout; 1708 } 1709 1710 void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl, 1711 void *p_timer, 1712 mbedtls_ssl_set_timer_t *f_set_timer, 1713 mbedtls_ssl_get_timer_t *f_get_timer) 1714 { 1715 ssl->p_timer = p_timer; 1716 ssl->f_set_timer = f_set_timer; 1717 ssl->f_get_timer = f_get_timer; 1718 1719 /* Make sure we start with no timer running */ 1720 mbedtls_ssl_set_timer(ssl, 0); 1721 } 1722 1723 #if defined(MBEDTLS_SSL_SRV_C) 1724 void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf, 1725 void *p_cache, 1726 mbedtls_ssl_cache_get_t *f_get_cache, 1727 mbedtls_ssl_cache_set_t *f_set_cache) 1728 { 1729 conf->p_cache = p_cache; 1730 conf->f_get_cache = f_get_cache; 1731 conf->f_set_cache = f_set_cache; 1732 } 1733 #endif /* MBEDTLS_SSL_SRV_C */ 1734 1735 #if defined(MBEDTLS_SSL_CLI_C) 1736 int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session) 1737 { 1738 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 1739 1740 if (ssl == NULL || 1741 session == NULL || 1742 ssl->session_negotiate == NULL || 1743 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) { 1744 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 1745 } 1746 1747 if (ssl->handshake->resume == 1) { 1748 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 1749 } 1750 1751 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1752 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 1753 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 1754 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 1755 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite); 1756 1757 if (mbedtls_ssl_validate_ciphersuite( 1758 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3, 1759 MBEDTLS_SSL_VERSION_TLS1_3) != 0) { 1760 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.", 1761 session->ciphersuite)); 1762 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 1763 } 1764 #else 1765 /* 1766 * If session tickets are not enabled, it is not possible to resume a 1767 * TLS 1.3 session, thus do not make any change to the SSL context in 1768 * the first place. 1769 */ 1770 return 0; 1771 #endif 1772 } 1773 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1774 1775 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate, 1776 session)) != 0) { 1777 return ret; 1778 } 1779 1780 ssl->handshake->resume = 1; 1781 1782 return 0; 1783 } 1784 #endif /* MBEDTLS_SSL_CLI_C */ 1785 1786 void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf, 1787 const int *ciphersuites) 1788 { 1789 conf->ciphersuite_list = ciphersuites; 1790 } 1791 1792 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1793 void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf, 1794 const int kex_modes) 1795 { 1796 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; 1797 } 1798 1799 #if defined(MBEDTLS_SSL_EARLY_DATA) 1800 void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf, 1801 int early_data_enabled) 1802 { 1803 conf->early_data_enabled = early_data_enabled; 1804 } 1805 1806 #if defined(MBEDTLS_SSL_SRV_C) 1807 void mbedtls_ssl_conf_max_early_data_size( 1808 mbedtls_ssl_config *conf, uint32_t max_early_data_size) 1809 { 1810 conf->max_early_data_size = max_early_data_size; 1811 } 1812 #endif /* MBEDTLS_SSL_SRV_C */ 1813 1814 #endif /* MBEDTLS_SSL_EARLY_DATA */ 1815 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1816 1817 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1818 void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf, 1819 const mbedtls_x509_crt_profile *profile) 1820 { 1821 conf->cert_profile = profile; 1822 } 1823 1824 static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert) 1825 { 1826 mbedtls_ssl_key_cert *cur = key_cert, *next; 1827 1828 while (cur != NULL) { 1829 next = cur->next; 1830 mbedtls_free(cur); 1831 cur = next; 1832 } 1833 } 1834 1835 /* Append a new keycert entry to a (possibly empty) list */ 1836 MBEDTLS_CHECK_RETURN_CRITICAL 1837 static int ssl_append_key_cert(mbedtls_ssl_key_cert **head, 1838 mbedtls_x509_crt *cert, 1839 mbedtls_pk_context *key) 1840 { 1841 mbedtls_ssl_key_cert *new_cert; 1842 1843 if (cert == NULL) { 1844 /* Free list if cert is null */ 1845 ssl_key_cert_free(*head); 1846 *head = NULL; 1847 return 0; 1848 } 1849 1850 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert)); 1851 if (new_cert == NULL) { 1852 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 1853 } 1854 1855 new_cert->cert = cert; 1856 new_cert->key = key; 1857 new_cert->next = NULL; 1858 1859 /* Update head if the list was null, else add to the end */ 1860 if (*head == NULL) { 1861 *head = new_cert; 1862 } else { 1863 mbedtls_ssl_key_cert *cur = *head; 1864 while (cur->next != NULL) { 1865 cur = cur->next; 1866 } 1867 cur->next = new_cert; 1868 } 1869 1870 return 0; 1871 } 1872 1873 int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, 1874 mbedtls_x509_crt *own_cert, 1875 mbedtls_pk_context *pk_key) 1876 { 1877 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key); 1878 } 1879 1880 void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf, 1881 mbedtls_x509_crt *ca_chain, 1882 mbedtls_x509_crl *ca_crl) 1883 { 1884 conf->ca_chain = ca_chain; 1885 conf->ca_crl = ca_crl; 1886 1887 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 1888 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb() 1889 * cannot be used together. */ 1890 conf->f_ca_cb = NULL; 1891 conf->p_ca_cb = NULL; 1892 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 1893 } 1894 1895 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 1896 void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf, 1897 mbedtls_x509_crt_ca_cb_t f_ca_cb, 1898 void *p_ca_cb) 1899 { 1900 conf->f_ca_cb = f_ca_cb; 1901 conf->p_ca_cb = p_ca_cb; 1902 1903 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb() 1904 * cannot be used together. */ 1905 conf->ca_chain = NULL; 1906 conf->ca_crl = NULL; 1907 } 1908 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 1909 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1910 1911 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1912 const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl, 1913 size_t *name_len) 1914 { 1915 *name_len = ssl->handshake->sni_name_len; 1916 return ssl->handshake->sni_name; 1917 } 1918 1919 int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl, 1920 mbedtls_x509_crt *own_cert, 1921 mbedtls_pk_context *pk_key) 1922 { 1923 return ssl_append_key_cert(&ssl->handshake->sni_key_cert, 1924 own_cert, pk_key); 1925 } 1926 1927 void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl, 1928 mbedtls_x509_crt *ca_chain, 1929 mbedtls_x509_crl *ca_crl) 1930 { 1931 ssl->handshake->sni_ca_chain = ca_chain; 1932 ssl->handshake->sni_ca_crl = ca_crl; 1933 } 1934 1935 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 1936 void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl, 1937 const mbedtls_x509_crt *crt) 1938 { 1939 ssl->handshake->dn_hints = crt; 1940 } 1941 #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ 1942 1943 void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl, 1944 int authmode) 1945 { 1946 ssl->handshake->sni_authmode = authmode; 1947 } 1948 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1949 1950 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1951 void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl, 1952 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), 1953 void *p_vrfy) 1954 { 1955 ssl->f_vrfy = f_vrfy; 1956 ssl->p_vrfy = p_vrfy; 1957 } 1958 #endif 1959 1960 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 1961 1962 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1963 static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' }; 1964 static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' }; 1965 1966 static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common( 1967 mbedtls_ssl_context *ssl, 1968 mbedtls_svc_key_id_t pwd) 1969 { 1970 psa_status_t status; 1971 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); 1972 const uint8_t *user = NULL; 1973 size_t user_len = 0; 1974 const uint8_t *peer = NULL; 1975 size_t peer_len = 0; 1976 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); 1977 psa_pake_cs_set_primitive(&cipher_suite, 1978 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, 1979 PSA_ECC_FAMILY_SECP_R1, 1980 256)); 1981 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); 1982 1983 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite); 1984 if (status != PSA_SUCCESS) { 1985 return status; 1986 } 1987 1988 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 1989 user = jpake_server_id; 1990 user_len = sizeof(jpake_server_id); 1991 peer = jpake_client_id; 1992 peer_len = sizeof(jpake_client_id); 1993 } else { 1994 user = jpake_client_id; 1995 user_len = sizeof(jpake_client_id); 1996 peer = jpake_server_id; 1997 peer_len = sizeof(jpake_server_id); 1998 } 1999 2000 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len); 2001 if (status != PSA_SUCCESS) { 2002 return status; 2003 } 2004 2005 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len); 2006 if (status != PSA_SUCCESS) { 2007 return status; 2008 } 2009 2010 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd); 2011 if (status != PSA_SUCCESS) { 2012 return status; 2013 } 2014 2015 ssl->handshake->psa_pake_ctx_is_ok = 1; 2016 2017 return PSA_SUCCESS; 2018 } 2019 2020 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl, 2021 const unsigned char *pw, 2022 size_t pw_len) 2023 { 2024 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 2025 psa_status_t status; 2026 2027 if (ssl->handshake == NULL || ssl->conf == NULL) { 2028 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2029 } 2030 2031 /* Empty password is not valid */ 2032 if ((pw == NULL) || (pw_len == 0)) { 2033 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2034 } 2035 2036 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); 2037 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); 2038 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); 2039 2040 status = psa_import_key(&attributes, pw, pw_len, 2041 &ssl->handshake->psa_pake_password); 2042 if (status != PSA_SUCCESS) { 2043 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2044 } 2045 2046 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, 2047 ssl->handshake->psa_pake_password); 2048 if (status != PSA_SUCCESS) { 2049 psa_destroy_key(ssl->handshake->psa_pake_password); 2050 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 2051 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2052 } 2053 2054 return 0; 2055 } 2056 2057 int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl, 2058 mbedtls_svc_key_id_t pwd) 2059 { 2060 psa_status_t status; 2061 2062 if (ssl->handshake == NULL || ssl->conf == NULL) { 2063 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2064 } 2065 2066 if (mbedtls_svc_key_id_is_null(pwd)) { 2067 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2068 } 2069 2070 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd); 2071 if (status != PSA_SUCCESS) { 2072 psa_pake_abort(&ssl->handshake->psa_pake_ctx); 2073 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2074 } 2075 2076 return 0; 2077 } 2078 #else /* MBEDTLS_USE_PSA_CRYPTO */ 2079 int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl, 2080 const unsigned char *pw, 2081 size_t pw_len) 2082 { 2083 mbedtls_ecjpake_role role; 2084 2085 if (ssl->handshake == NULL || ssl->conf == NULL) { 2086 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2087 } 2088 2089 /* Empty password is not valid */ 2090 if ((pw == NULL) || (pw_len == 0)) { 2091 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2092 } 2093 2094 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 2095 role = MBEDTLS_ECJPAKE_SERVER; 2096 } else { 2097 role = MBEDTLS_ECJPAKE_CLIENT; 2098 } 2099 2100 return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx, 2101 role, 2102 MBEDTLS_MD_SHA256, 2103 MBEDTLS_ECP_DP_SECP256R1, 2104 pw, pw_len); 2105 } 2106 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2107 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 2108 2109 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 2110 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf) 2111 { 2112 if (conf->psk_identity == NULL || 2113 conf->psk_identity_len == 0) { 2114 return 0; 2115 } 2116 2117 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2118 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 2119 return 1; 2120 } 2121 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2122 2123 if (conf->psk != NULL && conf->psk_len != 0) { 2124 return 1; 2125 } 2126 2127 return 0; 2128 } 2129 2130 static void ssl_conf_remove_psk(mbedtls_ssl_config *conf) 2131 { 2132 /* Remove reference to existing PSK, if any. */ 2133 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2134 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 2135 /* The maintenance of the PSK key slot is the 2136 * user's responsibility. */ 2137 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 2138 } 2139 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2140 if (conf->psk != NULL) { 2141 mbedtls_zeroize_and_free(conf->psk, conf->psk_len); 2142 conf->psk = NULL; 2143 conf->psk_len = 0; 2144 } 2145 2146 /* Remove reference to PSK identity, if any. */ 2147 if (conf->psk_identity != NULL) { 2148 mbedtls_free(conf->psk_identity); 2149 conf->psk_identity = NULL; 2150 conf->psk_identity_len = 0; 2151 } 2152 } 2153 2154 /* This function assumes that PSK identity in the SSL config is unset. 2155 * It checks that the provided identity is well-formed and attempts 2156 * to make a copy of it in the SSL config. 2157 * On failure, the PSK identity in the config remains unset. */ 2158 MBEDTLS_CHECK_RETURN_CRITICAL 2159 static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf, 2160 unsigned char const *psk_identity, 2161 size_t psk_identity_len) 2162 { 2163 /* Identity len will be encoded on two bytes */ 2164 if (psk_identity == NULL || 2165 psk_identity_len == 0 || 2166 (psk_identity_len >> 16) != 0 || 2167 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) { 2168 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2169 } 2170 2171 conf->psk_identity = mbedtls_calloc(1, psk_identity_len); 2172 if (conf->psk_identity == NULL) { 2173 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2174 } 2175 2176 conf->psk_identity_len = psk_identity_len; 2177 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len); 2178 2179 return 0; 2180 } 2181 2182 int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf, 2183 const unsigned char *psk, size_t psk_len, 2184 const unsigned char *psk_identity, size_t psk_identity_len) 2185 { 2186 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2187 2188 /* We currently only support one PSK, raw or opaque. */ 2189 if (mbedtls_ssl_conf_has_static_psk(conf)) { 2190 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2191 } 2192 2193 /* Check and set raw PSK */ 2194 if (psk == NULL) { 2195 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2196 } 2197 if (psk_len == 0) { 2198 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2199 } 2200 if (psk_len > MBEDTLS_PSK_MAX_LEN) { 2201 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2202 } 2203 2204 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) { 2205 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2206 } 2207 conf->psk_len = psk_len; 2208 memcpy(conf->psk, psk, conf->psk_len); 2209 2210 /* Check and set PSK Identity */ 2211 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len); 2212 if (ret != 0) { 2213 ssl_conf_remove_psk(conf); 2214 } 2215 2216 return ret; 2217 } 2218 2219 static void ssl_remove_psk(mbedtls_ssl_context *ssl) 2220 { 2221 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2222 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 2223 /* The maintenance of the external PSK key slot is the 2224 * user's responsibility. */ 2225 if (ssl->handshake->psk_opaque_is_internal) { 2226 psa_destroy_key(ssl->handshake->psk_opaque); 2227 ssl->handshake->psk_opaque_is_internal = 0; 2228 } 2229 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 2230 } 2231 #else 2232 if (ssl->handshake->psk != NULL) { 2233 mbedtls_zeroize_and_free(ssl->handshake->psk, 2234 ssl->handshake->psk_len); 2235 ssl->handshake->psk_len = 0; 2236 ssl->handshake->psk = NULL; 2237 } 2238 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2239 } 2240 2241 int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl, 2242 const unsigned char *psk, size_t psk_len) 2243 { 2244 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2245 psa_key_attributes_t key_attributes = psa_key_attributes_init(); 2246 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 2247 psa_algorithm_t alg = PSA_ALG_NONE; 2248 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; 2249 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2250 2251 if (psk == NULL || ssl->handshake == NULL) { 2252 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2253 } 2254 2255 if (psk_len > MBEDTLS_PSK_MAX_LEN) { 2256 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2257 } 2258 2259 ssl_remove_psk(ssl); 2260 2261 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2262 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2263 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2264 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 2265 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); 2266 } else { 2267 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); 2268 } 2269 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 2270 } 2271 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2272 2273 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 2274 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2275 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH); 2276 psa_set_key_usage_flags(&key_attributes, 2277 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT); 2278 } 2279 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 2280 2281 psa_set_key_algorithm(&key_attributes, alg); 2282 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE); 2283 2284 status = psa_import_key(&key_attributes, psk, psk_len, &key); 2285 if (status != PSA_SUCCESS) { 2286 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 2287 } 2288 2289 /* Allow calling psa_destroy_key() on psk remove */ 2290 ssl->handshake->psk_opaque_is_internal = 1; 2291 return mbedtls_ssl_set_hs_psk_opaque(ssl, key); 2292 #else 2293 if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) { 2294 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2295 } 2296 2297 ssl->handshake->psk_len = psk_len; 2298 memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len); 2299 2300 return 0; 2301 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2302 } 2303 2304 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2305 int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf, 2306 mbedtls_svc_key_id_t psk, 2307 const unsigned char *psk_identity, 2308 size_t psk_identity_len) 2309 { 2310 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2311 2312 /* We currently only support one PSK, raw or opaque. */ 2313 if (mbedtls_ssl_conf_has_static_psk(conf)) { 2314 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2315 } 2316 2317 /* Check and set opaque PSK */ 2318 if (mbedtls_svc_key_id_is_null(psk)) { 2319 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2320 } 2321 conf->psk_opaque = psk; 2322 2323 /* Check and set PSK Identity */ 2324 ret = ssl_conf_set_psk_identity(conf, psk_identity, 2325 psk_identity_len); 2326 if (ret != 0) { 2327 ssl_conf_remove_psk(conf); 2328 } 2329 2330 return ret; 2331 } 2332 2333 int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl, 2334 mbedtls_svc_key_id_t psk) 2335 { 2336 if ((mbedtls_svc_key_id_is_null(psk)) || 2337 (ssl->handshake == NULL)) { 2338 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2339 } 2340 2341 ssl_remove_psk(ssl); 2342 ssl->handshake->psk_opaque = psk; 2343 return 0; 2344 } 2345 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2346 2347 #if defined(MBEDTLS_SSL_SRV_C) 2348 void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf, 2349 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *, 2350 size_t), 2351 void *p_psk) 2352 { 2353 conf->f_psk = f_psk; 2354 conf->p_psk = p_psk; 2355 } 2356 #endif /* MBEDTLS_SSL_SRV_C */ 2357 2358 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 2359 2360 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2361 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode( 2362 psa_algorithm_t alg) 2363 { 2364 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 2365 if (alg == PSA_ALG_CBC_NO_PADDING) { 2366 return MBEDTLS_SSL_MODE_CBC; 2367 } 2368 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 2369 if (PSA_ALG_IS_AEAD(alg)) { 2370 return MBEDTLS_SSL_MODE_AEAD; 2371 } 2372 return MBEDTLS_SSL_MODE_STREAM; 2373 } 2374 2375 #else /* MBEDTLS_USE_PSA_CRYPTO */ 2376 2377 static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode( 2378 mbedtls_cipher_mode_t mode) 2379 { 2380 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 2381 if (mode == MBEDTLS_MODE_CBC) { 2382 return MBEDTLS_SSL_MODE_CBC; 2383 } 2384 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 2385 2386 #if defined(MBEDTLS_GCM_C) || \ 2387 defined(MBEDTLS_CCM_C) || \ 2388 defined(MBEDTLS_CHACHAPOLY_C) 2389 if (mode == MBEDTLS_MODE_GCM || 2390 mode == MBEDTLS_MODE_CCM || 2391 mode == MBEDTLS_MODE_CHACHAPOLY) { 2392 return MBEDTLS_SSL_MODE_AEAD; 2393 } 2394 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */ 2395 2396 return MBEDTLS_SSL_MODE_STREAM; 2397 } 2398 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2399 2400 static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode( 2401 mbedtls_ssl_mode_t base_mode, 2402 int encrypt_then_mac) 2403 { 2404 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2405 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED && 2406 base_mode == MBEDTLS_SSL_MODE_CBC) { 2407 return MBEDTLS_SSL_MODE_CBC_ETM; 2408 } 2409 #else 2410 (void) encrypt_then_mac; 2411 #endif 2412 return base_mode; 2413 } 2414 2415 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform( 2416 const mbedtls_ssl_transform *transform) 2417 { 2418 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode( 2419 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2420 transform->psa_alg 2421 #else 2422 mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc) 2423 #endif 2424 ); 2425 2426 int encrypt_then_mac = 0; 2427 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2428 encrypt_then_mac = transform->encrypt_then_mac; 2429 #endif 2430 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac); 2431 } 2432 2433 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2434 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2435 int encrypt_then_mac, 2436 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 2437 const mbedtls_ssl_ciphersuite_t *suite) 2438 { 2439 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM; 2440 2441 #if defined(MBEDTLS_USE_PSA_CRYPTO) 2442 psa_status_t status; 2443 psa_algorithm_t alg; 2444 psa_key_type_t type; 2445 size_t size; 2446 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher, 2447 0, &alg, &type, &size); 2448 if (status == PSA_SUCCESS) { 2449 base_mode = mbedtls_ssl_get_base_mode(alg); 2450 } 2451 #else 2452 const mbedtls_cipher_info_t *cipher = 2453 mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher); 2454 if (cipher != NULL) { 2455 base_mode = 2456 mbedtls_ssl_get_base_mode( 2457 mbedtls_cipher_info_get_mode(cipher)); 2458 } 2459 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 2460 2461 #if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2462 int encrypt_then_mac = 0; 2463 #endif 2464 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac); 2465 } 2466 2467 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 2468 2469 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type, 2470 size_t taglen, 2471 psa_algorithm_t *alg, 2472 psa_key_type_t *key_type, 2473 size_t *key_size) 2474 { 2475 #if !defined(MBEDTLS_SSL_HAVE_CCM) 2476 (void) taglen; 2477 #endif 2478 switch (mbedtls_cipher_type) { 2479 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC) 2480 case MBEDTLS_CIPHER_AES_128_CBC: 2481 *alg = PSA_ALG_CBC_NO_PADDING; 2482 *key_type = PSA_KEY_TYPE_AES; 2483 *key_size = 128; 2484 break; 2485 #endif 2486 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) 2487 case MBEDTLS_CIPHER_AES_128_CCM: 2488 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2489 *key_type = PSA_KEY_TYPE_AES; 2490 *key_size = 128; 2491 break; 2492 #endif 2493 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) 2494 case MBEDTLS_CIPHER_AES_128_GCM: 2495 *alg = PSA_ALG_GCM; 2496 *key_type = PSA_KEY_TYPE_AES; 2497 *key_size = 128; 2498 break; 2499 #endif 2500 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) 2501 case MBEDTLS_CIPHER_AES_192_CCM: 2502 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2503 *key_type = PSA_KEY_TYPE_AES; 2504 *key_size = 192; 2505 break; 2506 #endif 2507 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) 2508 case MBEDTLS_CIPHER_AES_192_GCM: 2509 *alg = PSA_ALG_GCM; 2510 *key_type = PSA_KEY_TYPE_AES; 2511 *key_size = 192; 2512 break; 2513 #endif 2514 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC) 2515 case MBEDTLS_CIPHER_AES_256_CBC: 2516 *alg = PSA_ALG_CBC_NO_PADDING; 2517 *key_type = PSA_KEY_TYPE_AES; 2518 *key_size = 256; 2519 break; 2520 #endif 2521 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM) 2522 case MBEDTLS_CIPHER_AES_256_CCM: 2523 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2524 *key_type = PSA_KEY_TYPE_AES; 2525 *key_size = 256; 2526 break; 2527 #endif 2528 #if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) 2529 case MBEDTLS_CIPHER_AES_256_GCM: 2530 *alg = PSA_ALG_GCM; 2531 *key_type = PSA_KEY_TYPE_AES; 2532 *key_size = 256; 2533 break; 2534 #endif 2535 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2536 case MBEDTLS_CIPHER_ARIA_128_CBC: 2537 *alg = PSA_ALG_CBC_NO_PADDING; 2538 *key_type = PSA_KEY_TYPE_ARIA; 2539 *key_size = 128; 2540 break; 2541 #endif 2542 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2543 case MBEDTLS_CIPHER_ARIA_128_CCM: 2544 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2545 *key_type = PSA_KEY_TYPE_ARIA; 2546 *key_size = 128; 2547 break; 2548 #endif 2549 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2550 case MBEDTLS_CIPHER_ARIA_128_GCM: 2551 *alg = PSA_ALG_GCM; 2552 *key_type = PSA_KEY_TYPE_ARIA; 2553 *key_size = 128; 2554 break; 2555 #endif 2556 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2557 case MBEDTLS_CIPHER_ARIA_192_CCM: 2558 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2559 *key_type = PSA_KEY_TYPE_ARIA; 2560 *key_size = 192; 2561 break; 2562 #endif 2563 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2564 case MBEDTLS_CIPHER_ARIA_192_GCM: 2565 *alg = PSA_ALG_GCM; 2566 *key_type = PSA_KEY_TYPE_ARIA; 2567 *key_size = 192; 2568 break; 2569 #endif 2570 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2571 case MBEDTLS_CIPHER_ARIA_256_CBC: 2572 *alg = PSA_ALG_CBC_NO_PADDING; 2573 *key_type = PSA_KEY_TYPE_ARIA; 2574 *key_size = 256; 2575 break; 2576 #endif 2577 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2578 case MBEDTLS_CIPHER_ARIA_256_CCM: 2579 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2580 *key_type = PSA_KEY_TYPE_ARIA; 2581 *key_size = 256; 2582 break; 2583 #endif 2584 #if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2585 case MBEDTLS_CIPHER_ARIA_256_GCM: 2586 *alg = PSA_ALG_GCM; 2587 *key_type = PSA_KEY_TYPE_ARIA; 2588 *key_size = 256; 2589 break; 2590 #endif 2591 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2592 case MBEDTLS_CIPHER_CAMELLIA_128_CBC: 2593 *alg = PSA_ALG_CBC_NO_PADDING; 2594 *key_type = PSA_KEY_TYPE_CAMELLIA; 2595 *key_size = 128; 2596 break; 2597 #endif 2598 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2599 case MBEDTLS_CIPHER_CAMELLIA_128_CCM: 2600 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2601 *key_type = PSA_KEY_TYPE_CAMELLIA; 2602 *key_size = 128; 2603 break; 2604 #endif 2605 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2606 case MBEDTLS_CIPHER_CAMELLIA_128_GCM: 2607 *alg = PSA_ALG_GCM; 2608 *key_type = PSA_KEY_TYPE_CAMELLIA; 2609 *key_size = 128; 2610 break; 2611 #endif 2612 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2613 case MBEDTLS_CIPHER_CAMELLIA_192_CCM: 2614 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2615 *key_type = PSA_KEY_TYPE_CAMELLIA; 2616 *key_size = 192; 2617 break; 2618 #endif 2619 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2620 case MBEDTLS_CIPHER_CAMELLIA_192_GCM: 2621 *alg = PSA_ALG_GCM; 2622 *key_type = PSA_KEY_TYPE_CAMELLIA; 2623 *key_size = 192; 2624 break; 2625 #endif 2626 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC) 2627 case MBEDTLS_CIPHER_CAMELLIA_256_CBC: 2628 *alg = PSA_ALG_CBC_NO_PADDING; 2629 *key_type = PSA_KEY_TYPE_CAMELLIA; 2630 *key_size = 256; 2631 break; 2632 #endif 2633 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM) 2634 case MBEDTLS_CIPHER_CAMELLIA_256_CCM: 2635 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM; 2636 *key_type = PSA_KEY_TYPE_CAMELLIA; 2637 *key_size = 256; 2638 break; 2639 #endif 2640 #if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM) 2641 case MBEDTLS_CIPHER_CAMELLIA_256_GCM: 2642 *alg = PSA_ALG_GCM; 2643 *key_type = PSA_KEY_TYPE_CAMELLIA; 2644 *key_size = 256; 2645 break; 2646 #endif 2647 #if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) 2648 case MBEDTLS_CIPHER_CHACHA20_POLY1305: 2649 *alg = PSA_ALG_CHACHA20_POLY1305; 2650 *key_type = PSA_KEY_TYPE_CHACHA20; 2651 *key_size = 256; 2652 break; 2653 #endif 2654 case MBEDTLS_CIPHER_NULL: 2655 *alg = MBEDTLS_SSL_NULL_CIPHER; 2656 *key_type = 0; 2657 *key_size = 0; 2658 break; 2659 default: 2660 return PSA_ERROR_NOT_SUPPORTED; 2661 } 2662 2663 return PSA_SUCCESS; 2664 } 2665 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ 2666 2667 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 2668 int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf, 2669 const unsigned char *dhm_P, size_t P_len, 2670 const unsigned char *dhm_G, size_t G_len) 2671 { 2672 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2673 2674 mbedtls_mpi_free(&conf->dhm_P); 2675 mbedtls_mpi_free(&conf->dhm_G); 2676 2677 if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 || 2678 (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) { 2679 mbedtls_mpi_free(&conf->dhm_P); 2680 mbedtls_mpi_free(&conf->dhm_G); 2681 return ret; 2682 } 2683 2684 return 0; 2685 } 2686 2687 int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx) 2688 { 2689 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 2690 2691 mbedtls_mpi_free(&conf->dhm_P); 2692 mbedtls_mpi_free(&conf->dhm_G); 2693 2694 if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P, 2695 &conf->dhm_P)) != 0 || 2696 (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G, 2697 &conf->dhm_G)) != 0) { 2698 mbedtls_mpi_free(&conf->dhm_P); 2699 mbedtls_mpi_free(&conf->dhm_G); 2700 return ret; 2701 } 2702 2703 return 0; 2704 } 2705 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */ 2706 2707 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 2708 /* 2709 * Set the minimum length for Diffie-Hellman parameters 2710 */ 2711 void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf, 2712 unsigned int bitlen) 2713 { 2714 conf->dhm_min_bitlen = bitlen; 2715 } 2716 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ 2717 2718 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2719 #if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2) 2720 /* 2721 * Set allowed/preferred hashes for handshake signatures 2722 */ 2723 void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf, 2724 const int *hashes) 2725 { 2726 conf->sig_hashes = hashes; 2727 } 2728 #endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */ 2729 2730 /* Configure allowed signature algorithms for handshake */ 2731 void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, 2732 const uint16_t *sig_algs) 2733 { 2734 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2735 conf->sig_hashes = NULL; 2736 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 2737 conf->sig_algs = sig_algs; 2738 } 2739 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2740 2741 #if defined(MBEDTLS_ECP_C) 2742 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2743 /* 2744 * Set the allowed elliptic curves 2745 * 2746 * mbedtls_ssl_setup() takes the provided list 2747 * and translates it to a list of IANA TLS group identifiers, 2748 * stored in ssl->handshake->group_list. 2749 * 2750 */ 2751 void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf, 2752 const mbedtls_ecp_group_id *curve_list) 2753 { 2754 conf->curve_list = curve_list; 2755 conf->group_list = NULL; 2756 } 2757 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 2758 #endif /* MBEDTLS_ECP_C */ 2759 2760 /* 2761 * Set the allowed groups 2762 */ 2763 void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, 2764 const uint16_t *group_list) 2765 { 2766 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 2767 conf->curve_list = NULL; 2768 #endif 2769 conf->group_list = group_list; 2770 } 2771 2772 #if defined(MBEDTLS_X509_CRT_PARSE_C) 2773 2774 /* A magic value for `ssl->hostname` indicating that 2775 * mbedtls_ssl_set_hostname() has been called with `NULL`. 2776 * If mbedtls_ssl_set_hostname() has never been called on `ssl`, then 2777 * `ssl->hostname == NULL`. */ 2778 static const char *const ssl_hostname_skip_cn_verification = ""; 2779 2780 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2781 /** Whether mbedtls_ssl_set_hostname() has been called. 2782 * 2783 * \param[in] ssl SSL context 2784 * 2785 * \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl 2786 * (including `mbedtls_ssl_set_hostname(ssl, NULL)`), 2787 * otherwise \c 0. 2788 */ 2789 static int mbedtls_ssl_has_set_hostname_been_called( 2790 const mbedtls_ssl_context *ssl) 2791 { 2792 return ssl->hostname != NULL; 2793 } 2794 #endif 2795 2796 /* Micro-optimization: don't export this function if it isn't needed outside 2797 * of this source file. */ 2798 #if !defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2799 static 2800 #endif 2801 const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl) 2802 { 2803 if (ssl->hostname == ssl_hostname_skip_cn_verification) { 2804 return NULL; 2805 } 2806 return ssl->hostname; 2807 } 2808 2809 static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl) 2810 { 2811 if (ssl->hostname != NULL && 2812 ssl->hostname != ssl_hostname_skip_cn_verification) { 2813 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname)); 2814 } 2815 ssl->hostname = NULL; 2816 } 2817 2818 int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname) 2819 { 2820 /* Initialize to suppress unnecessary compiler warning */ 2821 size_t hostname_len = 0; 2822 2823 /* Check if new hostname is valid before 2824 * making any change to current one */ 2825 if (hostname != NULL) { 2826 hostname_len = strlen(hostname); 2827 2828 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) { 2829 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2830 } 2831 } 2832 2833 /* Now it's clear that we will overwrite the old hostname, 2834 * so we can free it safely */ 2835 mbedtls_ssl_free_hostname(ssl); 2836 2837 if (hostname == NULL) { 2838 /* Passing NULL as hostname clears the old one, but leaves a 2839 * special marker to indicate that mbedtls_ssl_set_hostname() 2840 * has been called. */ 2841 /* ssl->hostname should be const, but isn't. We won't actually 2842 * write to the buffer, so it's ok to cast away the const. */ 2843 ssl->hostname = (char *) ssl_hostname_skip_cn_verification; 2844 } else { 2845 ssl->hostname = mbedtls_calloc(1, hostname_len + 1); 2846 if (ssl->hostname == NULL) { 2847 /* mbedtls_ssl_set_hostname() has been called, but unsuccessfully. 2848 * Leave ssl->hostname in the same state as if the function had 2849 * not been called, i.e. a null pointer. */ 2850 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2851 } 2852 2853 memcpy(ssl->hostname, hostname, hostname_len); 2854 2855 ssl->hostname[hostname_len] = '\0'; 2856 } 2857 2858 return 0; 2859 } 2860 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 2861 2862 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2863 void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf, 2864 int (*f_sni)(void *, mbedtls_ssl_context *, 2865 const unsigned char *, size_t), 2866 void *p_sni) 2867 { 2868 conf->f_sni = f_sni; 2869 conf->p_sni = p_sni; 2870 } 2871 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 2872 2873 #if defined(MBEDTLS_SSL_ALPN) 2874 int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos) 2875 { 2876 size_t cur_len, tot_len; 2877 const char **p; 2878 2879 /* 2880 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings 2881 * MUST NOT be truncated." 2882 * We check lengths now rather than later. 2883 */ 2884 tot_len = 0; 2885 for (p = protos; *p != NULL; p++) { 2886 cur_len = strlen(*p); 2887 tot_len += cur_len; 2888 2889 if ((cur_len == 0) || 2890 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) || 2891 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) { 2892 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2893 } 2894 } 2895 2896 conf->alpn_list = protos; 2897 2898 return 0; 2899 } 2900 2901 const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl) 2902 { 2903 return ssl->alpn_chosen; 2904 } 2905 #endif /* MBEDTLS_SSL_ALPN */ 2906 2907 #if defined(MBEDTLS_SSL_DTLS_SRTP) 2908 void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf, 2909 int support_mki_value) 2910 { 2911 conf->dtls_srtp_mki_support = support_mki_value; 2912 } 2913 2914 int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl, 2915 unsigned char *mki_value, 2916 uint16_t mki_len) 2917 { 2918 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) { 2919 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2920 } 2921 2922 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) { 2923 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2924 } 2925 2926 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len); 2927 ssl->dtls_srtp_info.mki_len = mki_len; 2928 return 0; 2929 } 2930 2931 int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf, 2932 const mbedtls_ssl_srtp_profile *profiles) 2933 { 2934 const mbedtls_ssl_srtp_profile *p; 2935 size_t list_size = 0; 2936 2937 /* check the profiles list: all entry must be valid, 2938 * its size cannot be more than the total number of supported profiles, currently 4 */ 2939 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET && 2940 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH; 2941 p++) { 2942 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) { 2943 list_size++; 2944 } else { 2945 /* unsupported value, stop parsing and set the size to an error value */ 2946 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1; 2947 } 2948 } 2949 2950 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) { 2951 conf->dtls_srtp_profile_list = NULL; 2952 conf->dtls_srtp_profile_list_len = 0; 2953 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2954 } 2955 2956 conf->dtls_srtp_profile_list = profiles; 2957 conf->dtls_srtp_profile_list_len = list_size; 2958 2959 return 0; 2960 } 2961 2962 void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl, 2963 mbedtls_dtls_srtp_info *dtls_srtp_info) 2964 { 2965 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile; 2966 /* do not copy the mki value if there is no chosen profile */ 2967 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) { 2968 dtls_srtp_info->mki_len = 0; 2969 } else { 2970 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len; 2971 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value, 2972 ssl->dtls_srtp_info.mki_len); 2973 } 2974 } 2975 #endif /* MBEDTLS_SSL_DTLS_SRTP */ 2976 2977 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2978 void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor) 2979 { 2980 conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor); 2981 } 2982 2983 void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor) 2984 { 2985 conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor); 2986 } 2987 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 2988 2989 #if defined(MBEDTLS_SSL_SRV_C) 2990 void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, 2991 char cert_req_ca_list) 2992 { 2993 conf->cert_req_ca_list = cert_req_ca_list; 2994 } 2995 #endif 2996 2997 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 2998 void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm) 2999 { 3000 conf->encrypt_then_mac = etm; 3001 } 3002 #endif 3003 3004 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 3005 void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems) 3006 { 3007 conf->extended_ms = ems; 3008 } 3009 #endif 3010 3011 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3012 int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code) 3013 { 3014 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID || 3015 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) { 3016 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3017 } 3018 3019 conf->mfl_code = mfl_code; 3020 3021 return 0; 3022 } 3023 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 3024 3025 void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy) 3026 { 3027 conf->allow_legacy_renegotiation = allow_legacy; 3028 } 3029 3030 #if defined(MBEDTLS_SSL_RENEGOTIATION) 3031 void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation) 3032 { 3033 conf->disable_renegotiation = renegotiation; 3034 } 3035 3036 void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records) 3037 { 3038 conf->renego_max_records = max_records; 3039 } 3040 3041 void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf, 3042 const unsigned char period[8]) 3043 { 3044 memcpy(conf->renego_period, period, 8); 3045 } 3046 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 3047 3048 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3049 #if defined(MBEDTLS_SSL_CLI_C) 3050 3051 void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets) 3052 { 3053 conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK; 3054 conf->session_tickets |= (use_tickets != 0) << 3055 MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT; 3056 } 3057 3058 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3059 void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( 3060 mbedtls_ssl_config *conf, int signal_new_session_tickets) 3061 { 3062 conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK; 3063 conf->session_tickets |= (signal_new_session_tickets != 0) << 3064 MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT; 3065 } 3066 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 3067 #endif /* MBEDTLS_SSL_CLI_C */ 3068 3069 #if defined(MBEDTLS_SSL_SRV_C) 3070 3071 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 3072 void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf, 3073 uint16_t num_tickets) 3074 { 3075 conf->new_session_tickets_count = num_tickets; 3076 } 3077 #endif 3078 3079 void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf, 3080 mbedtls_ssl_ticket_write_t *f_ticket_write, 3081 mbedtls_ssl_ticket_parse_t *f_ticket_parse, 3082 void *p_ticket) 3083 { 3084 conf->f_ticket_write = f_ticket_write; 3085 conf->f_ticket_parse = f_ticket_parse; 3086 conf->p_ticket = p_ticket; 3087 } 3088 #endif 3089 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3090 3091 void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl, 3092 mbedtls_ssl_export_keys_t *f_export_keys, 3093 void *p_export_keys) 3094 { 3095 ssl->f_export_keys = f_export_keys; 3096 ssl->p_export_keys = p_export_keys; 3097 } 3098 3099 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 3100 void mbedtls_ssl_conf_async_private_cb( 3101 mbedtls_ssl_config *conf, 3102 mbedtls_ssl_async_sign_t *f_async_sign, 3103 mbedtls_ssl_async_decrypt_t *f_async_decrypt, 3104 mbedtls_ssl_async_resume_t *f_async_resume, 3105 mbedtls_ssl_async_cancel_t *f_async_cancel, 3106 void *async_config_data) 3107 { 3108 conf->f_async_sign_start = f_async_sign; 3109 conf->f_async_decrypt_start = f_async_decrypt; 3110 conf->f_async_resume = f_async_resume; 3111 conf->f_async_cancel = f_async_cancel; 3112 conf->p_async_config_data = async_config_data; 3113 } 3114 3115 void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf) 3116 { 3117 return conf->p_async_config_data; 3118 } 3119 3120 void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl) 3121 { 3122 if (ssl->handshake == NULL) { 3123 return NULL; 3124 } else { 3125 return ssl->handshake->user_async_ctx; 3126 } 3127 } 3128 3129 void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl, 3130 void *ctx) 3131 { 3132 if (ssl->handshake != NULL) { 3133 ssl->handshake->user_async_ctx = ctx; 3134 } 3135 } 3136 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 3137 3138 /* 3139 * SSL get accessors 3140 */ 3141 uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl) 3142 { 3143 if (ssl->session != NULL) { 3144 return ssl->session->verify_result; 3145 } 3146 3147 if (ssl->session_negotiate != NULL) { 3148 return ssl->session_negotiate->verify_result; 3149 } 3150 3151 return 0xFFFFFFFF; 3152 } 3153 3154 int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl) 3155 { 3156 if (ssl == NULL || ssl->session == NULL) { 3157 return 0; 3158 } 3159 3160 return ssl->session->ciphersuite; 3161 } 3162 3163 const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl) 3164 { 3165 if (ssl == NULL || ssl->session == NULL) { 3166 return NULL; 3167 } 3168 3169 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite); 3170 } 3171 3172 const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl) 3173 { 3174 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3175 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 3176 switch (ssl->tls_version) { 3177 case MBEDTLS_SSL_VERSION_TLS1_2: 3178 return "DTLSv1.2"; 3179 default: 3180 return "unknown (DTLS)"; 3181 } 3182 } 3183 #endif 3184 3185 switch (ssl->tls_version) { 3186 case MBEDTLS_SSL_VERSION_TLS1_2: 3187 return "TLSv1.2"; 3188 case MBEDTLS_SSL_VERSION_TLS1_3: 3189 return "TLSv1.3"; 3190 default: 3191 return "unknown"; 3192 } 3193 } 3194 3195 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3196 3197 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl) 3198 { 3199 const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN; 3200 size_t record_size_limit = max_len; 3201 3202 if (ssl->session != NULL && 3203 ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN && 3204 ssl->session->record_size_limit < max_len) { 3205 record_size_limit = ssl->session->record_size_limit; 3206 } 3207 3208 // TODO: this is currently untested 3209 /* During a handshake, use the value being negotiated */ 3210 if (ssl->session_negotiate != NULL && 3211 ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN && 3212 ssl->session_negotiate->record_size_limit < max_len) { 3213 record_size_limit = ssl->session_negotiate->record_size_limit; 3214 } 3215 3216 return record_size_limit; 3217 } 3218 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 3219 3220 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3221 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl) 3222 { 3223 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN; 3224 size_t read_mfl; 3225 3226 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3227 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */ 3228 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 3229 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) { 3230 return ssl_mfl_code_to_length(ssl->conf->mfl_code); 3231 } 3232 #endif 3233 3234 /* Check if a smaller max length was negotiated */ 3235 if (ssl->session_out != NULL) { 3236 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code); 3237 if (read_mfl < max_len) { 3238 max_len = read_mfl; 3239 } 3240 } 3241 3242 /* During a handshake, use the value being negotiated */ 3243 if (ssl->session_negotiate != NULL) { 3244 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code); 3245 if (read_mfl < max_len) { 3246 max_len = read_mfl; 3247 } 3248 } 3249 3250 return max_len; 3251 } 3252 3253 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl) 3254 { 3255 size_t max_len; 3256 3257 /* 3258 * Assume mfl_code is correct since it was checked when set 3259 */ 3260 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code); 3261 3262 /* Check if a smaller max length was negotiated */ 3263 if (ssl->session_out != NULL && 3264 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) { 3265 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code); 3266 } 3267 3268 /* During a handshake, use the value being negotiated */ 3269 if (ssl->session_negotiate != NULL && 3270 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) { 3271 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code); 3272 } 3273 3274 return max_len; 3275 } 3276 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 3277 3278 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3279 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl) 3280 { 3281 /* Return unlimited mtu for client hello messages to avoid fragmentation. */ 3282 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 3283 (ssl->state == MBEDTLS_SSL_CLIENT_HELLO || 3284 ssl->state == MBEDTLS_SSL_SERVER_HELLO)) { 3285 return 0; 3286 } 3287 3288 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) { 3289 return ssl->mtu; 3290 } 3291 3292 if (ssl->mtu == 0) { 3293 return ssl->handshake->mtu; 3294 } 3295 3296 return ssl->mtu < ssl->handshake->mtu ? 3297 ssl->mtu : ssl->handshake->mtu; 3298 } 3299 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3300 3301 int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl) 3302 { 3303 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN; 3304 3305 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \ 3306 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \ 3307 !defined(MBEDTLS_SSL_PROTO_DTLS) 3308 (void) ssl; 3309 #endif 3310 3311 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3312 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl); 3313 3314 if (max_len > mfl) { 3315 max_len = mfl; 3316 } 3317 #endif 3318 3319 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3320 const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl); 3321 3322 if (max_len > record_size_limit) { 3323 max_len = record_size_limit; 3324 } 3325 #endif 3326 3327 if (ssl->transform_out != NULL && 3328 ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 3329 /* 3330 * In TLS 1.3 case, when records are protected, `max_len` as computed 3331 * above is the maximum length of the TLSInnerPlaintext structure that 3332 * along the plaintext payload contains the inner content type (one byte) 3333 * and some zero padding. Given the algorithm used for padding 3334 * in mbedtls_ssl_encrypt_buf(), compute the maximum length for 3335 * the plaintext payload. Round down to a multiple of 3336 * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and 3337 * subtract 1. 3338 */ 3339 max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) * 3340 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1; 3341 } 3342 3343 #if defined(MBEDTLS_SSL_PROTO_DTLS) 3344 if (mbedtls_ssl_get_current_mtu(ssl) != 0) { 3345 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl); 3346 const int ret = mbedtls_ssl_get_record_expansion(ssl); 3347 const size_t overhead = (size_t) ret; 3348 3349 if (ret < 0) { 3350 return ret; 3351 } 3352 3353 if (mtu <= overhead) { 3354 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion")); 3355 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3356 } 3357 3358 if (max_len > mtu - overhead) { 3359 max_len = mtu - overhead; 3360 } 3361 } 3362 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 3363 3364 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \ 3365 !defined(MBEDTLS_SSL_PROTO_DTLS) && \ 3366 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3367 ((void) ssl); 3368 #endif 3369 3370 return (int) max_len; 3371 } 3372 3373 int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl) 3374 { 3375 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN; 3376 3377 #if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3378 (void) ssl; 3379 #endif 3380 3381 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3382 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl); 3383 3384 if (max_len > mfl) { 3385 max_len = mfl; 3386 } 3387 #endif 3388 3389 return (int) max_len; 3390 } 3391 3392 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3393 const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl) 3394 { 3395 if (ssl == NULL || ssl->session == NULL) { 3396 return NULL; 3397 } 3398 3399 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3400 return ssl->session->peer_cert; 3401 #else 3402 return NULL; 3403 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3404 } 3405 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3406 3407 #if defined(MBEDTLS_SSL_CLI_C) 3408 int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, 3409 mbedtls_ssl_session *dst) 3410 { 3411 int ret; 3412 3413 if (ssl == NULL || 3414 dst == NULL || 3415 ssl->session == NULL || 3416 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) { 3417 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3418 } 3419 3420 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer 3421 * idempotent: Each session can only be exported once. 3422 * 3423 * (This is in preparation for TLS 1.3 support where we will 3424 * need the ability to export multiple sessions (aka tickets), 3425 * which will be achieved by calling mbedtls_ssl_get_session() 3426 * multiple times until it fails.) 3427 * 3428 * Check whether we have already exported the current session, 3429 * and fail if so. 3430 */ 3431 if (ssl->session->exported == 1) { 3432 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 3433 } 3434 3435 ret = mbedtls_ssl_session_copy(dst, ssl->session); 3436 if (ret != 0) { 3437 return ret; 3438 } 3439 3440 /* Remember that we've exported the session. */ 3441 ssl->session->exported = 1; 3442 return 0; 3443 } 3444 #endif /* MBEDTLS_SSL_CLI_C */ 3445 3446 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3447 3448 /* Serialization of TLS 1.2 sessions 3449 * 3450 * For more detail, see the description of ssl_session_save(). 3451 */ 3452 static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session, 3453 unsigned char *buf, 3454 size_t buf_len) 3455 { 3456 unsigned char *p = buf; 3457 size_t used = 0; 3458 3459 #if defined(MBEDTLS_HAVE_TIME) 3460 uint64_t start; 3461 #endif 3462 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3463 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3464 size_t cert_len; 3465 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3466 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3467 3468 /* 3469 * Time 3470 */ 3471 #if defined(MBEDTLS_HAVE_TIME) 3472 used += 8; 3473 3474 if (used <= buf_len) { 3475 start = (uint64_t) session->start; 3476 3477 MBEDTLS_PUT_UINT64_BE(start, p, 0); 3478 p += 8; 3479 } 3480 #endif /* MBEDTLS_HAVE_TIME */ 3481 3482 /* 3483 * Basic mandatory fields 3484 */ 3485 used += 1 /* id_len */ 3486 + sizeof(session->id) 3487 + sizeof(session->master) 3488 + 4; /* verify_result */ 3489 3490 if (used <= buf_len) { 3491 *p++ = MBEDTLS_BYTE_0(session->id_len); 3492 memcpy(p, session->id, 32); 3493 p += 32; 3494 3495 memcpy(p, session->master, 48); 3496 p += 48; 3497 3498 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0); 3499 p += 4; 3500 } 3501 3502 /* 3503 * Peer's end-entity certificate 3504 */ 3505 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3506 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3507 if (session->peer_cert == NULL) { 3508 cert_len = 0; 3509 } else { 3510 cert_len = session->peer_cert->raw.len; 3511 } 3512 3513 used += 3 + cert_len; 3514 3515 if (used <= buf_len) { 3516 *p++ = MBEDTLS_BYTE_2(cert_len); 3517 *p++ = MBEDTLS_BYTE_1(cert_len); 3518 *p++ = MBEDTLS_BYTE_0(cert_len); 3519 3520 if (session->peer_cert != NULL) { 3521 memcpy(p, session->peer_cert->raw.p, cert_len); 3522 p += cert_len; 3523 } 3524 } 3525 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3526 if (session->peer_cert_digest != NULL) { 3527 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len; 3528 if (used <= buf_len) { 3529 *p++ = (unsigned char) session->peer_cert_digest_type; 3530 *p++ = (unsigned char) session->peer_cert_digest_len; 3531 memcpy(p, session->peer_cert_digest, 3532 session->peer_cert_digest_len); 3533 p += session->peer_cert_digest_len; 3534 } 3535 } else { 3536 used += 2; 3537 if (used <= buf_len) { 3538 *p++ = (unsigned char) MBEDTLS_MD_NONE; 3539 *p++ = 0; 3540 } 3541 } 3542 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3543 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3544 3545 /* 3546 * Session ticket if any, plus associated data 3547 */ 3548 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3549 #if defined(MBEDTLS_SSL_CLI_C) 3550 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3551 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */ 3552 3553 if (used <= buf_len) { 3554 *p++ = MBEDTLS_BYTE_2(session->ticket_len); 3555 *p++ = MBEDTLS_BYTE_1(session->ticket_len); 3556 *p++ = MBEDTLS_BYTE_0(session->ticket_len); 3557 3558 if (session->ticket != NULL) { 3559 memcpy(p, session->ticket, session->ticket_len); 3560 p += session->ticket_len; 3561 } 3562 3563 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); 3564 p += 4; 3565 } 3566 } 3567 #endif /* MBEDTLS_SSL_CLI_C */ 3568 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) 3569 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3570 used += 8; 3571 3572 if (used <= buf_len) { 3573 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); 3574 p += 8; 3575 } 3576 } 3577 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ 3578 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3579 3580 /* 3581 * Misc extension-related info 3582 */ 3583 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3584 used += 1; 3585 3586 if (used <= buf_len) { 3587 *p++ = session->mfl_code; 3588 } 3589 #endif 3590 3591 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 3592 used += 1; 3593 3594 if (used <= buf_len) { 3595 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac); 3596 } 3597 #endif 3598 3599 return used; 3600 } 3601 3602 MBEDTLS_CHECK_RETURN_CRITICAL 3603 static int ssl_tls12_session_load(mbedtls_ssl_session *session, 3604 const unsigned char *buf, 3605 size_t len) 3606 { 3607 #if defined(MBEDTLS_HAVE_TIME) 3608 uint64_t start; 3609 #endif 3610 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3611 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3612 size_t cert_len; 3613 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3614 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3615 3616 const unsigned char *p = buf; 3617 const unsigned char * const end = buf + len; 3618 3619 /* 3620 * Time 3621 */ 3622 #if defined(MBEDTLS_HAVE_TIME) 3623 if (8 > (size_t) (end - p)) { 3624 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3625 } 3626 3627 start = MBEDTLS_GET_UINT64_BE(p, 0); 3628 p += 8; 3629 3630 session->start = (time_t) start; 3631 #endif /* MBEDTLS_HAVE_TIME */ 3632 3633 /* 3634 * Basic mandatory fields 3635 */ 3636 if (1 + 32 + 48 + 4 > (size_t) (end - p)) { 3637 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3638 } 3639 3640 session->id_len = *p++; 3641 memcpy(session->id, p, 32); 3642 p += 32; 3643 3644 memcpy(session->master, p, 48); 3645 p += 48; 3646 3647 session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0); 3648 p += 4; 3649 3650 /* Immediately clear invalid pointer values that have been read, in case 3651 * we exit early before we replaced them with valid ones. */ 3652 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3653 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3654 session->peer_cert = NULL; 3655 #else 3656 session->peer_cert_digest = NULL; 3657 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3658 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3659 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 3660 session->ticket = NULL; 3661 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 3662 3663 /* 3664 * Peer certificate 3665 */ 3666 #if defined(MBEDTLS_X509_CRT_PARSE_C) 3667 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 3668 /* Deserialize CRT from the end of the ticket. */ 3669 if (3 > (size_t) (end - p)) { 3670 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3671 } 3672 3673 cert_len = MBEDTLS_GET_UINT24_BE(p, 0); 3674 p += 3; 3675 3676 if (cert_len != 0) { 3677 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 3678 3679 if (cert_len > (size_t) (end - p)) { 3680 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3681 } 3682 3683 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 3684 3685 if (session->peer_cert == NULL) { 3686 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3687 } 3688 3689 mbedtls_x509_crt_init(session->peer_cert); 3690 3691 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert, 3692 p, cert_len)) != 0) { 3693 mbedtls_x509_crt_free(session->peer_cert); 3694 mbedtls_free(session->peer_cert); 3695 session->peer_cert = NULL; 3696 return ret; 3697 } 3698 3699 p += cert_len; 3700 } 3701 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3702 /* Deserialize CRT digest from the end of the ticket. */ 3703 if (2 > (size_t) (end - p)) { 3704 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3705 } 3706 3707 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++; 3708 session->peer_cert_digest_len = (size_t) *p++; 3709 3710 if (session->peer_cert_digest_len != 0) { 3711 const mbedtls_md_info_t *md_info = 3712 mbedtls_md_info_from_type(session->peer_cert_digest_type); 3713 if (md_info == NULL) { 3714 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3715 } 3716 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) { 3717 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3718 } 3719 3720 if (session->peer_cert_digest_len > (size_t) (end - p)) { 3721 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3722 } 3723 3724 session->peer_cert_digest = 3725 mbedtls_calloc(1, session->peer_cert_digest_len); 3726 if (session->peer_cert_digest == NULL) { 3727 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3728 } 3729 3730 memcpy(session->peer_cert_digest, p, 3731 session->peer_cert_digest_len); 3732 p += session->peer_cert_digest_len; 3733 } 3734 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 3735 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 3736 3737 /* 3738 * Session ticket and associated data 3739 */ 3740 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3741 #if defined(MBEDTLS_SSL_CLI_C) 3742 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3743 if (3 > (size_t) (end - p)) { 3744 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3745 } 3746 3747 session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0); 3748 p += 3; 3749 3750 if (session->ticket_len != 0) { 3751 if (session->ticket_len > (size_t) (end - p)) { 3752 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3753 } 3754 3755 session->ticket = mbedtls_calloc(1, session->ticket_len); 3756 if (session->ticket == NULL) { 3757 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 3758 } 3759 3760 memcpy(session->ticket, p, session->ticket_len); 3761 p += session->ticket_len; 3762 } 3763 3764 if (4 > (size_t) (end - p)) { 3765 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3766 } 3767 3768 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); 3769 p += 4; 3770 } 3771 #endif /* MBEDTLS_SSL_CLI_C */ 3772 #if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C) 3773 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3774 if (8 > (size_t) (end - p)) { 3775 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3776 } 3777 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); 3778 p += 8; 3779 } 3780 #endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */ 3781 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 3782 3783 /* 3784 * Misc extension-related info 3785 */ 3786 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 3787 if (1 > (size_t) (end - p)) { 3788 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3789 } 3790 3791 session->mfl_code = *p++; 3792 #endif 3793 3794 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 3795 if (1 > (size_t) (end - p)) { 3796 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3797 } 3798 3799 session->encrypt_then_mac = *p++; 3800 #endif 3801 3802 /* Done, should have consumed entire buffer */ 3803 if (p != end) { 3804 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3805 } 3806 3807 return 0; 3808 } 3809 3810 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3811 3812 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3813 /* Serialization of TLS 1.3 sessions: 3814 * 3815 * For more detail, see the description of ssl_session_save(). 3816 */ 3817 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 3818 MBEDTLS_CHECK_RETURN_CRITICAL 3819 static int ssl_tls13_session_save(const mbedtls_ssl_session *session, 3820 unsigned char *buf, 3821 size_t buf_len, 3822 size_t *olen) 3823 { 3824 unsigned char *p = buf; 3825 #if defined(MBEDTLS_SSL_CLI_C) && \ 3826 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3827 size_t hostname_len = (session->hostname == NULL) ? 3828 0 : strlen(session->hostname) + 1; 3829 #endif 3830 3831 #if defined(MBEDTLS_SSL_SRV_C) && \ 3832 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 3833 const size_t alpn_len = (session->ticket_alpn == NULL) ? 3834 0 : strlen(session->ticket_alpn) + 1; 3835 #endif 3836 size_t needed = 4 /* ticket_age_add */ 3837 + 1 /* ticket_flags */ 3838 + 1; /* resumption_key length */ 3839 3840 *olen = 0; 3841 3842 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) { 3843 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3844 } 3845 needed += session->resumption_key_len; /* resumption_key */ 3846 3847 #if defined(MBEDTLS_SSL_EARLY_DATA) 3848 needed += 4; /* max_early_data_size */ 3849 #endif 3850 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3851 needed += 2; /* record_size_limit */ 3852 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 3853 3854 #if defined(MBEDTLS_HAVE_TIME) 3855 needed += 8; /* ticket_creation_time or ticket_reception_time */ 3856 #endif 3857 3858 #if defined(MBEDTLS_SSL_SRV_C) 3859 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3860 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 3861 needed += 2 /* alpn_len */ 3862 + alpn_len; /* alpn */ 3863 #endif 3864 } 3865 #endif /* MBEDTLS_SSL_SRV_C */ 3866 3867 #if defined(MBEDTLS_SSL_CLI_C) 3868 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3869 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3870 needed += 2 /* hostname_len */ 3871 + hostname_len; /* hostname */ 3872 #endif 3873 3874 needed += 4 /* ticket_lifetime */ 3875 + 2; /* ticket_len */ 3876 3877 /* Check size_t overflow */ 3878 if (session->ticket_len > SIZE_MAX - needed) { 3879 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3880 } 3881 3882 needed += session->ticket_len; /* ticket */ 3883 } 3884 #endif /* MBEDTLS_SSL_CLI_C */ 3885 3886 *olen = needed; 3887 if (needed > buf_len) { 3888 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 3889 } 3890 3891 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0); 3892 p[4] = session->ticket_flags; 3893 3894 /* save resumption_key */ 3895 p[5] = session->resumption_key_len; 3896 p += 6; 3897 memcpy(p, session->resumption_key, session->resumption_key_len); 3898 p += session->resumption_key_len; 3899 3900 #if defined(MBEDTLS_SSL_EARLY_DATA) 3901 MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0); 3902 p += 4; 3903 #endif 3904 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3905 MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0); 3906 p += 2; 3907 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 3908 3909 #if defined(MBEDTLS_SSL_SRV_C) 3910 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 3911 #if defined(MBEDTLS_HAVE_TIME) 3912 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0); 3913 p += 8; 3914 #endif /* MBEDTLS_HAVE_TIME */ 3915 3916 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 3917 MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0); 3918 p += 2; 3919 3920 if (alpn_len > 0) { 3921 /* save chosen alpn */ 3922 memcpy(p, session->ticket_alpn, alpn_len); 3923 p += alpn_len; 3924 } 3925 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */ 3926 } 3927 #endif /* MBEDTLS_SSL_SRV_C */ 3928 3929 #if defined(MBEDTLS_SSL_CLI_C) 3930 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 3931 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 3932 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0); 3933 p += 2; 3934 if (hostname_len > 0) { 3935 /* save host name */ 3936 memcpy(p, session->hostname, hostname_len); 3937 p += hostname_len; 3938 } 3939 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 3940 3941 #if defined(MBEDTLS_HAVE_TIME) 3942 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0); 3943 p += 8; 3944 #endif 3945 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0); 3946 p += 4; 3947 3948 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0); 3949 p += 2; 3950 3951 if (session->ticket != NULL && session->ticket_len > 0) { 3952 memcpy(p, session->ticket, session->ticket_len); 3953 p += session->ticket_len; 3954 } 3955 } 3956 #endif /* MBEDTLS_SSL_CLI_C */ 3957 return 0; 3958 } 3959 3960 MBEDTLS_CHECK_RETURN_CRITICAL 3961 static int ssl_tls13_session_load(mbedtls_ssl_session *session, 3962 const unsigned char *buf, 3963 size_t len) 3964 { 3965 const unsigned char *p = buf; 3966 const unsigned char *end = buf + len; 3967 3968 if (end - p < 6) { 3969 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3970 } 3971 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0); 3972 session->ticket_flags = p[4]; 3973 3974 /* load resumption_key */ 3975 session->resumption_key_len = p[5]; 3976 p += 6; 3977 3978 if (end - p < session->resumption_key_len) { 3979 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3980 } 3981 3982 if (sizeof(session->resumption_key) < session->resumption_key_len) { 3983 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3984 } 3985 memcpy(session->resumption_key, p, session->resumption_key_len); 3986 p += session->resumption_key_len; 3987 3988 #if defined(MBEDTLS_SSL_EARLY_DATA) 3989 if (end - p < 4) { 3990 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3991 } 3992 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0); 3993 p += 4; 3994 #endif 3995 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 3996 if (end - p < 2) { 3997 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 3998 } 3999 session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0); 4000 p += 2; 4001 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 4002 4003 #if defined(MBEDTLS_SSL_SRV_C) 4004 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) { 4005 #if defined(MBEDTLS_HAVE_TIME) 4006 if (end - p < 8) { 4007 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4008 } 4009 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0); 4010 p += 8; 4011 #endif /* MBEDTLS_HAVE_TIME */ 4012 4013 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 4014 size_t alpn_len; 4015 4016 if (end - p < 2) { 4017 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4018 } 4019 4020 alpn_len = MBEDTLS_GET_UINT16_BE(p, 0); 4021 p += 2; 4022 4023 if (end - p < (long int) alpn_len) { 4024 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4025 } 4026 4027 if (alpn_len > 0) { 4028 int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p); 4029 if (ret != 0) { 4030 return ret; 4031 } 4032 p += alpn_len; 4033 } 4034 #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */ 4035 } 4036 #endif /* MBEDTLS_SSL_SRV_C */ 4037 4038 #if defined(MBEDTLS_SSL_CLI_C) 4039 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) { 4040 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4041 size_t hostname_len; 4042 /* load host name */ 4043 if (end - p < 2) { 4044 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4045 } 4046 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0); 4047 p += 2; 4048 4049 if (end - p < (long int) hostname_len) { 4050 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4051 } 4052 if (hostname_len > 0) { 4053 session->hostname = mbedtls_calloc(1, hostname_len); 4054 if (session->hostname == NULL) { 4055 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 4056 } 4057 memcpy(session->hostname, p, hostname_len); 4058 p += hostname_len; 4059 } 4060 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 4061 4062 #if defined(MBEDTLS_HAVE_TIME) 4063 if (end - p < 8) { 4064 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4065 } 4066 session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0); 4067 p += 8; 4068 #endif 4069 if (end - p < 4) { 4070 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4071 } 4072 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0); 4073 p += 4; 4074 4075 if (end - p < 2) { 4076 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4077 } 4078 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0); 4079 p += 2; 4080 4081 if (end - p < (long int) session->ticket_len) { 4082 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4083 } 4084 if (session->ticket_len > 0) { 4085 session->ticket = mbedtls_calloc(1, session->ticket_len); 4086 if (session->ticket == NULL) { 4087 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 4088 } 4089 memcpy(session->ticket, p, session->ticket_len); 4090 p += session->ticket_len; 4091 } 4092 } 4093 #endif /* MBEDTLS_SSL_CLI_C */ 4094 4095 return 0; 4096 4097 } 4098 #else /* MBEDTLS_SSL_SESSION_TICKETS */ 4099 MBEDTLS_CHECK_RETURN_CRITICAL 4100 static int ssl_tls13_session_save(const mbedtls_ssl_session *session, 4101 unsigned char *buf, 4102 size_t buf_len, 4103 size_t *olen) 4104 { 4105 ((void) session); 4106 ((void) buf); 4107 ((void) buf_len); 4108 *olen = 0; 4109 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4110 } 4111 4112 static int ssl_tls13_session_load(const mbedtls_ssl_session *session, 4113 const unsigned char *buf, 4114 size_t buf_len) 4115 { 4116 ((void) session); 4117 ((void) buf); 4118 ((void) buf_len); 4119 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4120 } 4121 #endif /* !MBEDTLS_SSL_SESSION_TICKETS */ 4122 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4123 4124 /* 4125 * Define ticket header determining Mbed TLS version 4126 * and structure of the ticket. 4127 */ 4128 4129 /* 4130 * Define bitflag determining compile-time settings influencing 4131 * structure of serialized SSL sessions. 4132 */ 4133 4134 #if defined(MBEDTLS_HAVE_TIME) 4135 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 1 4136 #else 4137 #define SSL_SERIALIZED_SESSION_CONFIG_TIME 0 4138 #endif /* MBEDTLS_HAVE_TIME */ 4139 4140 #if defined(MBEDTLS_X509_CRT_PARSE_C) 4141 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 1 4142 #else 4143 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0 4144 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 4145 4146 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 4147 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1 4148 #else 4149 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0 4150 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 4151 4152 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) 4153 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1 4154 #else 4155 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0 4156 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */ 4157 4158 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 4159 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 1 4160 #else 4161 #define SSL_SERIALIZED_SESSION_CONFIG_MFL 0 4162 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 4163 4164 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 4165 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 1 4166 #else 4167 #define SSL_SERIALIZED_SESSION_CONFIG_ETM 0 4168 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */ 4169 4170 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 4171 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1 4172 #else 4173 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0 4174 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 4175 4176 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4177 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 1 4178 #else 4179 #define SSL_SERIALIZED_SESSION_CONFIG_SNI 0 4180 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 4181 4182 #if defined(MBEDTLS_SSL_EARLY_DATA) 4183 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1 4184 #else 4185 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0 4186 #endif /* MBEDTLS_SSL_EARLY_DATA */ 4187 4188 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 4189 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1 4190 #else 4191 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0 4192 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 4193 4194 #if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \ 4195 defined(MBEDTLS_SSL_EARLY_DATA) 4196 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1 4197 #else 4198 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0 4199 #endif /* MBEDTLS_SSL_ALPN */ 4200 4201 #define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0 4202 #define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1 4203 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2 4204 #define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3 4205 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4 4206 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5 4207 #define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6 4208 #define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7 4209 #define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8 4210 #define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9 4211 #define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10 4212 4213 #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ 4214 ((uint16_t) ( \ 4215 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \ 4216 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \ 4217 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \ 4218 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \ 4219 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \ 4220 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ 4221 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \ 4222 (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \ 4223 SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \ 4224 (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \ 4225 (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \ 4226 SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \ 4227 (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \ 4228 SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \ 4229 (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \ 4230 SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT))) 4231 4232 static const unsigned char ssl_serialized_session_header[] = { 4233 MBEDTLS_VERSION_MAJOR, 4234 MBEDTLS_VERSION_MINOR, 4235 MBEDTLS_VERSION_PATCH, 4236 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4237 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 4238 }; 4239 4240 /* 4241 * Serialize a session in the following format: 4242 * (in the presentation language of TLS, RFC 8446 section 3) 4243 * 4244 * TLS 1.2 session: 4245 * 4246 * struct { 4247 * #if defined(MBEDTLS_SSL_SESSION_TICKETS) 4248 * opaque ticket<0..2^24-1>; // length 0 means no ticket 4249 * uint32 ticket_lifetime; 4250 * #endif 4251 * } ClientOnlyData; 4252 * 4253 * struct { 4254 * #if defined(MBEDTLS_HAVE_TIME) 4255 * uint64 start_time; 4256 * #endif 4257 * uint8 session_id_len; // at most 32 4258 * opaque session_id[32]; 4259 * opaque master[48]; // fixed length in the standard 4260 * uint32 verify_result; 4261 * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE 4262 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert 4263 * #else 4264 * uint8 peer_cert_digest_type; 4265 * opaque peer_cert_digest<0..2^8-1> 4266 * #endif 4267 * select (endpoint) { 4268 * case client: ClientOnlyData; 4269 * case server: uint64 ticket_creation_time; 4270 * }; 4271 * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 4272 * uint8 mfl_code; // up to 255 according to standard 4273 * #endif 4274 * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 4275 * uint8 encrypt_then_mac; // 0 or 1 4276 * #endif 4277 * } serialized_session_tls12; 4278 * 4279 * 4280 * TLS 1.3 Session: 4281 * 4282 * struct { 4283 * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4284 * opaque hostname<0..2^16-1>; 4285 * #endif 4286 * #if defined(MBEDTLS_HAVE_TIME) 4287 * uint64 ticket_reception_time; 4288 * #endif 4289 * uint32 ticket_lifetime; 4290 * opaque ticket<1..2^16-1>; 4291 * } ClientOnlyData; 4292 * 4293 * struct { 4294 * uint32 ticket_age_add; 4295 * uint8 ticket_flags; 4296 * opaque resumption_key<0..255>; 4297 * #if defined(MBEDTLS_SSL_EARLY_DATA) 4298 * uint32 max_early_data_size; 4299 * #endif 4300 * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 4301 * uint16 record_size_limit; 4302 * #endif 4303 * select ( endpoint ) { 4304 * case client: ClientOnlyData; 4305 * case server: 4306 * #if defined(MBEDTLS_HAVE_TIME) 4307 * uint64 ticket_creation_time; 4308 * #endif 4309 * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) 4310 * opaque ticket_alpn<0..256>; 4311 * #endif 4312 * }; 4313 * } serialized_session_tls13; 4314 * 4315 * 4316 * SSL session: 4317 * 4318 * struct { 4319 * 4320 * opaque mbedtls_version[3]; // library version: major, minor, patch 4321 * opaque session_format[2]; // library-version specific 16-bit field 4322 * // determining the format of the remaining 4323 * // serialized data. 4324 * 4325 * Note: When updating the format, remember to keep 4326 * these version+format bytes. 4327 * 4328 * // In this version, `session_format` determines 4329 * // the setting of those compile-time 4330 * // configuration options which influence 4331 * // the structure of mbedtls_ssl_session. 4332 * 4333 * uint8_t minor_ver; // Protocol minor version. Possible values: 4334 * // - TLS 1.2 (0x0303) 4335 * // - TLS 1.3 (0x0304) 4336 * uint8_t endpoint; 4337 * uint16_t ciphersuite; 4338 * 4339 * select (serialized_session.tls_version) { 4340 * 4341 * case MBEDTLS_SSL_VERSION_TLS1_2: 4342 * serialized_session_tls12 data; 4343 * case MBEDTLS_SSL_VERSION_TLS1_3: 4344 * serialized_session_tls13 data; 4345 * 4346 * }; 4347 * 4348 * } serialized_session; 4349 * 4350 */ 4351 4352 MBEDTLS_CHECK_RETURN_CRITICAL 4353 static int ssl_session_save(const mbedtls_ssl_session *session, 4354 unsigned char omit_header, 4355 unsigned char *buf, 4356 size_t buf_len, 4357 size_t *olen) 4358 { 4359 unsigned char *p = buf; 4360 size_t used = 0; 4361 size_t remaining_len; 4362 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4363 size_t out_len; 4364 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4365 #endif 4366 if (session == NULL) { 4367 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 4368 } 4369 4370 if (!omit_header) { 4371 /* 4372 * Add Mbed TLS version identifier 4373 */ 4374 used += sizeof(ssl_serialized_session_header); 4375 4376 if (used <= buf_len) { 4377 memcpy(p, ssl_serialized_session_header, 4378 sizeof(ssl_serialized_session_header)); 4379 p += sizeof(ssl_serialized_session_header); 4380 } 4381 } 4382 4383 /* 4384 * TLS version identifier, endpoint, ciphersuite 4385 */ 4386 used += 1 /* TLS version */ 4387 + 1 /* endpoint */ 4388 + 2; /* ciphersuite */ 4389 if (used <= buf_len) { 4390 *p++ = MBEDTLS_BYTE_0(session->tls_version); 4391 *p++ = session->endpoint; 4392 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0); 4393 p += 2; 4394 } 4395 4396 /* Forward to version-specific serialization routine. */ 4397 remaining_len = (buf_len >= used) ? buf_len - used : 0; 4398 switch (session->tls_version) { 4399 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 4400 case MBEDTLS_SSL_VERSION_TLS1_2: 4401 used += ssl_tls12_session_save(session, p, remaining_len); 4402 break; 4403 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 4404 4405 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4406 case MBEDTLS_SSL_VERSION_TLS1_3: 4407 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len); 4408 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { 4409 return ret; 4410 } 4411 used += out_len; 4412 break; 4413 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4414 4415 default: 4416 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4417 } 4418 4419 *olen = used; 4420 if (used > buf_len) { 4421 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 4422 } 4423 4424 return 0; 4425 } 4426 4427 /* 4428 * Public wrapper for ssl_session_save() 4429 */ 4430 int mbedtls_ssl_session_save(const mbedtls_ssl_session *session, 4431 unsigned char *buf, 4432 size_t buf_len, 4433 size_t *olen) 4434 { 4435 return ssl_session_save(session, 0, buf, buf_len, olen); 4436 } 4437 4438 /* 4439 * Deserialize session, see mbedtls_ssl_session_save() for format. 4440 * 4441 * This internal version is wrapped by a public function that cleans up in 4442 * case of error, and has an extra option omit_header. 4443 */ 4444 MBEDTLS_CHECK_RETURN_CRITICAL 4445 static int ssl_session_load(mbedtls_ssl_session *session, 4446 unsigned char omit_header, 4447 const unsigned char *buf, 4448 size_t len) 4449 { 4450 const unsigned char *p = buf; 4451 const unsigned char * const end = buf + len; 4452 size_t remaining_len; 4453 4454 4455 if (session == NULL) { 4456 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 4457 } 4458 4459 if (!omit_header) { 4460 /* 4461 * Check Mbed TLS version identifier 4462 */ 4463 4464 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) { 4465 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4466 } 4467 4468 if (memcmp(p, ssl_serialized_session_header, 4469 sizeof(ssl_serialized_session_header)) != 0) { 4470 return MBEDTLS_ERR_SSL_VERSION_MISMATCH; 4471 } 4472 p += sizeof(ssl_serialized_session_header); 4473 } 4474 4475 /* 4476 * TLS version identifier, endpoint, ciphersuite 4477 */ 4478 if (4 > (size_t) (end - p)) { 4479 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4480 } 4481 session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++); 4482 session->endpoint = *p++; 4483 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0); 4484 p += 2; 4485 4486 /* Dispatch according to TLS version. */ 4487 remaining_len = (size_t) (end - p); 4488 switch (session->tls_version) { 4489 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 4490 case MBEDTLS_SSL_VERSION_TLS1_2: 4491 return ssl_tls12_session_load(session, p, remaining_len); 4492 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 4493 4494 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4495 case MBEDTLS_SSL_VERSION_TLS1_3: 4496 return ssl_tls13_session_load(session, p, remaining_len); 4497 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4498 4499 default: 4500 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4501 } 4502 } 4503 4504 /* 4505 * Deserialize session: public wrapper for error cleaning 4506 */ 4507 int mbedtls_ssl_session_load(mbedtls_ssl_session *session, 4508 const unsigned char *buf, 4509 size_t len) 4510 { 4511 int ret = ssl_session_load(session, 0, buf, len); 4512 4513 if (ret != 0) { 4514 mbedtls_ssl_session_free(session); 4515 } 4516 4517 return ret; 4518 } 4519 4520 /* 4521 * Perform a single step of the SSL handshake 4522 */ 4523 MBEDTLS_CHECK_RETURN_CRITICAL 4524 static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl) 4525 { 4526 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4527 4528 /* 4529 * We may have not been able to send to the peer all the handshake data 4530 * that were written into the output buffer by the previous handshake step, 4531 * if the write to the network callback returned with the 4532 * #MBEDTLS_ERR_SSL_WANT_WRITE error code. 4533 * We proceed to the next handshake step only when all data from the 4534 * previous one have been sent to the peer, thus we make sure that this is 4535 * the case here by calling `mbedtls_ssl_flush_output()`. The function may 4536 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case 4537 * we have to wait before to go ahead. 4538 * In the case of TLS 1.3, handshake step handlers do not send data to the 4539 * peer. Data are only sent here and through 4540 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an 4541 * alert occurred. 4542 */ 4543 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) { 4544 return ret; 4545 } 4546 4547 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4548 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4549 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) { 4550 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 4551 return ret; 4552 } 4553 } 4554 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4555 4556 return ret; 4557 } 4558 4559 int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl) 4560 { 4561 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4562 4563 if (ssl == NULL || 4564 ssl->conf == NULL || 4565 ssl->handshake == NULL || 4566 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) { 4567 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4568 } 4569 4570 ret = ssl_prepare_handshake_step(ssl); 4571 if (ret != 0) { 4572 return ret; 4573 } 4574 4575 ret = mbedtls_ssl_handle_pending_alert(ssl); 4576 if (ret != 0) { 4577 goto cleanup; 4578 } 4579 4580 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or 4581 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */ 4582 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4583 4584 #if defined(MBEDTLS_SSL_CLI_C) 4585 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 4586 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s", 4587 mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state))); 4588 4589 switch (ssl->state) { 4590 case MBEDTLS_SSL_HELLO_REQUEST: 4591 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO); 4592 ret = 0; 4593 break; 4594 4595 case MBEDTLS_SSL_CLIENT_HELLO: 4596 ret = mbedtls_ssl_write_client_hello(ssl); 4597 break; 4598 4599 default: 4600 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 4601 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 4602 ret = mbedtls_ssl_tls13_handshake_client_step(ssl); 4603 } else { 4604 ret = mbedtls_ssl_handshake_client_step(ssl); 4605 } 4606 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2) 4607 ret = mbedtls_ssl_handshake_client_step(ssl); 4608 #else 4609 ret = mbedtls_ssl_tls13_handshake_client_step(ssl); 4610 #endif 4611 } 4612 } 4613 #endif /* MBEDTLS_SSL_CLI_C */ 4614 4615 #if defined(MBEDTLS_SSL_SRV_C) 4616 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 4617 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 4618 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 4619 ret = mbedtls_ssl_tls13_handshake_server_step(ssl); 4620 } else { 4621 ret = mbedtls_ssl_handshake_server_step(ssl); 4622 } 4623 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2) 4624 ret = mbedtls_ssl_handshake_server_step(ssl); 4625 #else 4626 ret = mbedtls_ssl_tls13_handshake_server_step(ssl); 4627 #endif 4628 } 4629 #endif /* MBEDTLS_SSL_SRV_C */ 4630 4631 if (ret != 0) { 4632 /* handshake_step return error. And it is same 4633 * with alert_reason. 4634 */ 4635 if (ssl->send_alert) { 4636 ret = mbedtls_ssl_handle_pending_alert(ssl); 4637 goto cleanup; 4638 } 4639 } 4640 4641 cleanup: 4642 return ret; 4643 } 4644 4645 /* 4646 * Perform the SSL handshake 4647 */ 4648 int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl) 4649 { 4650 int ret = 0; 4651 4652 /* Sanity checks */ 4653 4654 if (ssl == NULL || ssl->conf == NULL) { 4655 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4656 } 4657 4658 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4659 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4660 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) { 4661 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use " 4662 "mbedtls_ssl_set_timer_cb() for DTLS")); 4663 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4664 } 4665 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4666 4667 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake")); 4668 4669 /* Main handshake loop */ 4670 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) { 4671 ret = mbedtls_ssl_handshake_step(ssl); 4672 4673 if (ret != 0) { 4674 break; 4675 } 4676 } 4677 4678 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake")); 4679 4680 return ret; 4681 } 4682 4683 #if defined(MBEDTLS_SSL_RENEGOTIATION) 4684 #if defined(MBEDTLS_SSL_SRV_C) 4685 /* 4686 * Write HelloRequest to request renegotiation on server 4687 */ 4688 MBEDTLS_CHECK_RETURN_CRITICAL 4689 static int ssl_write_hello_request(mbedtls_ssl_context *ssl) 4690 { 4691 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4692 4693 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request")); 4694 4695 ssl->out_msglen = 4; 4696 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 4697 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST; 4698 4699 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 4700 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 4701 return ret; 4702 } 4703 4704 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request")); 4705 4706 return 0; 4707 } 4708 #endif /* MBEDTLS_SSL_SRV_C */ 4709 4710 /* 4711 * Actually renegotiate current connection, triggered by either: 4712 * - any side: calling mbedtls_ssl_renegotiate(), 4713 * - client: receiving a HelloRequest during mbedtls_ssl_read(), 4714 * - server: receiving any handshake message on server during mbedtls_ssl_read() after 4715 * the initial handshake is completed. 4716 * If the handshake doesn't complete due to waiting for I/O, it will continue 4717 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively. 4718 */ 4719 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl) 4720 { 4721 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 4722 4723 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate")); 4724 4725 if ((ret = ssl_handshake_init(ssl)) != 0) { 4726 return ret; 4727 } 4728 4729 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and 4730 * the ServerHello will have message_seq = 1" */ 4731 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4732 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 4733 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) { 4734 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 4735 ssl->handshake->out_msg_seq = 1; 4736 } else { 4737 ssl->handshake->in_msg_seq = 1; 4738 } 4739 } 4740 #endif 4741 4742 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST); 4743 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS; 4744 4745 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { 4746 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); 4747 return ret; 4748 } 4749 4750 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate")); 4751 4752 return 0; 4753 } 4754 4755 /* 4756 * Renegotiate current connection on client, 4757 * or request renegotiation on server 4758 */ 4759 int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl) 4760 { 4761 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 4762 4763 if (ssl == NULL || ssl->conf == NULL) { 4764 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4765 } 4766 4767 #if defined(MBEDTLS_SSL_SRV_C) 4768 /* On server, just send the request */ 4769 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 4770 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 4771 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4772 } 4773 4774 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING; 4775 4776 /* Did we already try/start sending HelloRequest? */ 4777 if (ssl->out_left != 0) { 4778 return mbedtls_ssl_flush_output(ssl); 4779 } 4780 4781 return ssl_write_hello_request(ssl); 4782 } 4783 #endif /* MBEDTLS_SSL_SRV_C */ 4784 4785 #if defined(MBEDTLS_SSL_CLI_C) 4786 /* 4787 * On client, either start the renegotiation process or, 4788 * if already in progress, continue the handshake 4789 */ 4790 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 4791 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 4792 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 4793 } 4794 4795 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) { 4796 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret); 4797 return ret; 4798 } 4799 } else { 4800 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) { 4801 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); 4802 return ret; 4803 } 4804 } 4805 #endif /* MBEDTLS_SSL_CLI_C */ 4806 4807 return ret; 4808 } 4809 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 4810 4811 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl) 4812 { 4813 mbedtls_ssl_handshake_params *handshake = ssl->handshake; 4814 4815 if (handshake == NULL) { 4816 return; 4817 } 4818 4819 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 4820 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 4821 if (ssl->handshake->group_list_heap_allocated) { 4822 mbedtls_free((void *) handshake->group_list); 4823 } 4824 handshake->group_list = NULL; 4825 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 4826 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 4827 4828 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 4829 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 4830 if (ssl->handshake->sig_algs_heap_allocated) { 4831 mbedtls_free((void *) handshake->sig_algs); 4832 } 4833 handshake->sig_algs = NULL; 4834 #endif /* MBEDTLS_DEPRECATED_REMOVED */ 4835 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4836 if (ssl->handshake->certificate_request_context) { 4837 mbedtls_free((void *) handshake->certificate_request_context); 4838 } 4839 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4840 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 4841 4842 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 4843 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) { 4844 ssl->conf->f_async_cancel(ssl); 4845 handshake->async_in_progress = 0; 4846 } 4847 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 4848 4849 #if defined(MBEDTLS_MD_CAN_SHA256) 4850 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4851 psa_hash_abort(&handshake->fin_sha256_psa); 4852 #else 4853 mbedtls_md_free(&handshake->fin_sha256); 4854 #endif 4855 #endif 4856 #if defined(MBEDTLS_MD_CAN_SHA384) 4857 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4858 psa_hash_abort(&handshake->fin_sha384_psa); 4859 #else 4860 mbedtls_md_free(&handshake->fin_sha384); 4861 #endif 4862 #endif 4863 4864 #if defined(MBEDTLS_DHM_C) 4865 mbedtls_dhm_free(&handshake->dhm_ctx); 4866 #endif 4867 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 4868 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) 4869 mbedtls_ecdh_free(&handshake->ecdh_ctx); 4870 #endif 4871 4872 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 4873 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4874 psa_pake_abort(&handshake->psa_pake_ctx); 4875 /* 4876 * Opaque keys are not stored in the handshake's data and it's the user 4877 * responsibility to destroy them. Clear ones, instead, are created by 4878 * the TLS library and should be destroyed at the same level 4879 */ 4880 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) { 4881 psa_destroy_key(handshake->psa_pake_password); 4882 } 4883 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; 4884 #else 4885 mbedtls_ecjpake_free(&handshake->ecjpake_ctx); 4886 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 4887 #if defined(MBEDTLS_SSL_CLI_C) 4888 mbedtls_free(handshake->ecjpake_cache); 4889 handshake->ecjpake_cache = NULL; 4890 handshake->ecjpake_cache_len = 0; 4891 #endif 4892 #endif 4893 4894 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \ 4895 defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \ 4896 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 4897 /* explicit void pointer cast for buggy MS compiler */ 4898 mbedtls_free((void *) handshake->curves_tls_id); 4899 #endif 4900 4901 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 4902 #if defined(MBEDTLS_USE_PSA_CRYPTO) 4903 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 4904 /* The maintenance of the external PSK key slot is the 4905 * user's responsibility. */ 4906 if (ssl->handshake->psk_opaque_is_internal) { 4907 psa_destroy_key(ssl->handshake->psk_opaque); 4908 ssl->handshake->psk_opaque_is_internal = 0; 4909 } 4910 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 4911 } 4912 #else 4913 if (handshake->psk != NULL) { 4914 mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len); 4915 } 4916 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 4917 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 4918 4919 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 4920 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4921 /* 4922 * Free only the linked list wrapper, not the keys themselves 4923 * since the belong to the SNI callback 4924 */ 4925 ssl_key_cert_free(handshake->sni_key_cert); 4926 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */ 4927 4928 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 4929 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx); 4930 if (handshake->ecrs_peer_cert != NULL) { 4931 mbedtls_x509_crt_free(handshake->ecrs_peer_cert); 4932 mbedtls_free(handshake->ecrs_peer_cert); 4933 } 4934 #endif 4935 4936 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 4937 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 4938 mbedtls_pk_free(&handshake->peer_pubkey); 4939 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 4940 4941 #if defined(MBEDTLS_SSL_CLI_C) && \ 4942 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) 4943 mbedtls_free(handshake->cookie); 4944 #endif /* MBEDTLS_SSL_CLI_C && 4945 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */ 4946 4947 #if defined(MBEDTLS_SSL_PROTO_DTLS) 4948 mbedtls_ssl_flight_free(handshake->flight); 4949 mbedtls_ssl_buffering_free(ssl); 4950 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 4951 4952 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED) 4953 if (handshake->xxdh_psa_privkey_is_external == 0) { 4954 psa_destroy_key(handshake->xxdh_psa_privkey); 4955 } 4956 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */ 4957 4958 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 4959 mbedtls_ssl_transform_free(handshake->transform_handshake); 4960 mbedtls_free(handshake->transform_handshake); 4961 #if defined(MBEDTLS_SSL_EARLY_DATA) 4962 mbedtls_ssl_transform_free(handshake->transform_earlydata); 4963 mbedtls_free(handshake->transform_earlydata); 4964 #endif 4965 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 4966 4967 4968 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 4969 /* If the buffers are too big - reallocate. Because of the way Mbed TLS 4970 * processes datagrams and the fact that a datagram is allowed to have 4971 * several records in it, it is possible that the I/O buffers are not 4972 * empty at this stage */ 4973 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl), 4974 mbedtls_ssl_get_output_buflen(ssl)); 4975 #endif 4976 4977 /* mbedtls_platform_zeroize MUST be last one in this function */ 4978 mbedtls_platform_zeroize(handshake, 4979 sizeof(mbedtls_ssl_handshake_params)); 4980 } 4981 4982 void mbedtls_ssl_session_free(mbedtls_ssl_session *session) 4983 { 4984 if (session == NULL) { 4985 return; 4986 } 4987 4988 #if defined(MBEDTLS_X509_CRT_PARSE_C) 4989 ssl_clear_peer_cert(session); 4990 #endif 4991 4992 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 4993 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 4994 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 4995 mbedtls_free(session->hostname); 4996 #endif 4997 mbedtls_free(session->ticket); 4998 #endif 4999 5000 #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \ 5001 defined(MBEDTLS_SSL_SRV_C) 5002 mbedtls_free(session->ticket_alpn); 5003 #endif 5004 5005 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session)); 5006 } 5007 5008 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 5009 5010 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5011 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u 5012 #else 5013 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u 5014 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5015 5016 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u 5017 5018 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5019 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u 5020 #else 5021 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u 5022 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 5023 5024 #if defined(MBEDTLS_SSL_ALPN) 5025 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u 5026 #else 5027 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u 5028 #endif /* MBEDTLS_SSL_ALPN */ 5029 5030 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0 5031 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1 5032 #define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2 5033 #define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3 5034 5035 #define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \ 5036 ((uint32_t) ( \ 5037 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \ 5038 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \ 5039 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \ 5040 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \ 5041 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \ 5042 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \ 5043 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \ 5044 0u)) 5045 5046 static const unsigned char ssl_serialized_context_header[] = { 5047 MBEDTLS_VERSION_MAJOR, 5048 MBEDTLS_VERSION_MINOR, 5049 MBEDTLS_VERSION_PATCH, 5050 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 5051 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG), 5052 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 5053 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 5054 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG), 5055 }; 5056 5057 /* 5058 * Serialize a full SSL context 5059 * 5060 * The format of the serialized data is: 5061 * (in the presentation language of TLS, RFC 8446 section 3) 5062 * 5063 * // header 5064 * opaque mbedtls_version[3]; // major, minor, patch 5065 * opaque context_format[5]; // version-specific field determining 5066 * // the format of the remaining 5067 * // serialized data. 5068 * Note: When updating the format, remember to keep these 5069 * version+format bytes. (We may make their size part of the API.) 5070 * 5071 * // session sub-structure 5072 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save() 5073 * // transform sub-structure 5074 * uint8 random[64]; // ServerHello.random+ClientHello.random 5075 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value 5076 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use 5077 * // fields from ssl_context 5078 * uint32 badmac_seen_or_in_hsfraglen; // DTLS: number of records with failing MAC 5079 * uint64 in_window_top; // DTLS: last validated record seq_num 5080 * uint64 in_window; // DTLS: bitmask for replay protection 5081 * uint8 disable_datagram_packing; // DTLS: only one record per datagram 5082 * uint64 cur_out_ctr; // Record layer: outgoing sequence number 5083 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size) 5084 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol 5085 * 5086 * Note that many fields of the ssl_context or sub-structures are not 5087 * serialized, as they fall in one of the following categories: 5088 * 5089 * 1. forced value (eg in_left must be 0) 5090 * 2. pointer to dynamically-allocated memory (eg session, transform) 5091 * 3. value can be re-derived from other data (eg session keys from MS) 5092 * 4. value was temporary (eg content of input buffer) 5093 * 5. value will be provided by the user again (eg I/O callbacks and context) 5094 */ 5095 int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl, 5096 unsigned char *buf, 5097 size_t buf_len, 5098 size_t *olen) 5099 { 5100 unsigned char *p = buf; 5101 size_t used = 0; 5102 size_t session_len; 5103 int ret = 0; 5104 5105 /* 5106 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in 5107 * this function's documentation. 5108 * 5109 * These are due to assumptions/limitations in the implementation. Some of 5110 * them are likely to stay (no handshake in progress) some might go away 5111 * (only DTLS) but are currently used to simplify the implementation. 5112 */ 5113 /* The initial handshake must be over */ 5114 if (mbedtls_ssl_is_handshake_over(ssl) == 0) { 5115 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over")); 5116 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5117 } 5118 if (ssl->handshake != NULL) { 5119 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed")); 5120 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5121 } 5122 /* Double-check that sub-structures are indeed ready */ 5123 if (ssl->transform == NULL || ssl->session == NULL) { 5124 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready")); 5125 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5126 } 5127 /* There must be no pending incoming or outgoing data */ 5128 if (mbedtls_ssl_check_pending(ssl) != 0) { 5129 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data")); 5130 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5131 } 5132 if (ssl->out_left != 0) { 5133 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data")); 5134 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5135 } 5136 /* Protocol must be DTLS, not TLS */ 5137 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 5138 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported")); 5139 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5140 } 5141 /* Version must be 1.2 */ 5142 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) { 5143 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported")); 5144 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5145 } 5146 /* We must be using an AEAD ciphersuite */ 5147 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) { 5148 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported")); 5149 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5150 } 5151 /* Renegotiation must not be enabled */ 5152 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5153 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) { 5154 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled")); 5155 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5156 } 5157 #endif 5158 5159 /* 5160 * Version and format identifier 5161 */ 5162 used += sizeof(ssl_serialized_context_header); 5163 5164 if (used <= buf_len) { 5165 memcpy(p, ssl_serialized_context_header, 5166 sizeof(ssl_serialized_context_header)); 5167 p += sizeof(ssl_serialized_context_header); 5168 } 5169 5170 /* 5171 * Session (length + data) 5172 */ 5173 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len); 5174 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) { 5175 return ret; 5176 } 5177 5178 used += 4 + session_len; 5179 if (used <= buf_len) { 5180 MBEDTLS_PUT_UINT32_BE(session_len, p, 0); 5181 p += 4; 5182 5183 ret = ssl_session_save(ssl->session, 1, 5184 p, session_len, &session_len); 5185 if (ret != 0) { 5186 return ret; 5187 } 5188 5189 p += session_len; 5190 } 5191 5192 /* 5193 * Transform 5194 */ 5195 used += sizeof(ssl->transform->randbytes); 5196 if (used <= buf_len) { 5197 memcpy(p, ssl->transform->randbytes, 5198 sizeof(ssl->transform->randbytes)); 5199 p += sizeof(ssl->transform->randbytes); 5200 } 5201 5202 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5203 used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len; 5204 if (used <= buf_len) { 5205 *p++ = ssl->transform->in_cid_len; 5206 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len); 5207 p += ssl->transform->in_cid_len; 5208 5209 *p++ = ssl->transform->out_cid_len; 5210 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len); 5211 p += ssl->transform->out_cid_len; 5212 } 5213 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5214 5215 /* 5216 * Saved fields from top-level ssl_context structure 5217 */ 5218 used += 4; 5219 if (used <= buf_len) { 5220 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen_or_in_hsfraglen, p, 0); 5221 p += 4; 5222 } 5223 5224 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5225 used += 16; 5226 if (used <= buf_len) { 5227 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0); 5228 p += 8; 5229 5230 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0); 5231 p += 8; 5232 } 5233 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 5234 5235 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5236 used += 1; 5237 if (used <= buf_len) { 5238 *p++ = ssl->disable_datagram_packing; 5239 } 5240 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5241 5242 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; 5243 if (used <= buf_len) { 5244 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN); 5245 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; 5246 } 5247 5248 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5249 used += 2; 5250 if (used <= buf_len) { 5251 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0); 5252 p += 2; 5253 } 5254 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5255 5256 #if defined(MBEDTLS_SSL_ALPN) 5257 { 5258 const uint8_t alpn_len = ssl->alpn_chosen 5259 ? (uint8_t) strlen(ssl->alpn_chosen) 5260 : 0; 5261 5262 used += 1 + alpn_len; 5263 if (used <= buf_len) { 5264 *p++ = alpn_len; 5265 5266 if (ssl->alpn_chosen != NULL) { 5267 memcpy(p, ssl->alpn_chosen, alpn_len); 5268 p += alpn_len; 5269 } 5270 } 5271 } 5272 #endif /* MBEDTLS_SSL_ALPN */ 5273 5274 /* 5275 * Done 5276 */ 5277 *olen = used; 5278 5279 if (used > buf_len) { 5280 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 5281 } 5282 5283 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used); 5284 5285 return mbedtls_ssl_session_reset_int(ssl, 0); 5286 } 5287 5288 /* 5289 * Deserialize context, see mbedtls_ssl_context_save() for format. 5290 * 5291 * This internal version is wrapped by a public function that cleans up in 5292 * case of error. 5293 */ 5294 MBEDTLS_CHECK_RETURN_CRITICAL 5295 static int ssl_context_load(mbedtls_ssl_context *ssl, 5296 const unsigned char *buf, 5297 size_t len) 5298 { 5299 const unsigned char *p = buf; 5300 const unsigned char * const end = buf + len; 5301 size_t session_len; 5302 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5303 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5304 tls_prf_fn prf_func = NULL; 5305 #endif 5306 5307 /* 5308 * The context should have been freshly setup or reset. 5309 * Give the user an error in case of obvious misuse. 5310 * (Checking session is useful because it won't be NULL if we're 5311 * renegotiating, or if the user mistakenly loaded a session first.) 5312 */ 5313 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST || 5314 ssl->session != NULL) { 5315 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5316 } 5317 5318 /* 5319 * We can't check that the config matches the initial one, but we can at 5320 * least check it matches the requirements for serializing. 5321 */ 5322 if ( 5323 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5324 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED || 5325 #endif 5326 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM || 5327 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 || 5328 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2 5329 ) { 5330 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5331 } 5332 5333 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len); 5334 5335 /* 5336 * Check version identifier 5337 */ 5338 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) { 5339 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5340 } 5341 5342 if (memcmp(p, ssl_serialized_context_header, 5343 sizeof(ssl_serialized_context_header)) != 0) { 5344 return MBEDTLS_ERR_SSL_VERSION_MISMATCH; 5345 } 5346 p += sizeof(ssl_serialized_context_header); 5347 5348 /* 5349 * Session 5350 */ 5351 if ((size_t) (end - p) < 4) { 5352 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5353 } 5354 5355 session_len = MBEDTLS_GET_UINT32_BE(p, 0); 5356 p += 4; 5357 5358 /* This has been allocated by ssl_handshake_init(), called by 5359 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ 5360 ssl->session = ssl->session_negotiate; 5361 ssl->session_in = ssl->session; 5362 ssl->session_out = ssl->session; 5363 ssl->session_negotiate = NULL; 5364 5365 if ((size_t) (end - p) < session_len) { 5366 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5367 } 5368 5369 ret = ssl_session_load(ssl->session, 1, p, session_len); 5370 if (ret != 0) { 5371 mbedtls_ssl_session_free(ssl->session); 5372 return ret; 5373 } 5374 5375 p += session_len; 5376 5377 /* 5378 * Transform 5379 */ 5380 5381 /* This has been allocated by ssl_handshake_init(), called by 5382 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ 5383 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5384 ssl->transform = ssl->transform_negotiate; 5385 ssl->transform_in = ssl->transform; 5386 ssl->transform_out = ssl->transform; 5387 ssl->transform_negotiate = NULL; 5388 #endif 5389 5390 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5391 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite); 5392 if (prf_func == NULL) { 5393 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5394 } 5395 5396 /* Read random bytes and populate structure */ 5397 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) { 5398 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5399 } 5400 5401 ret = ssl_tls12_populate_transform(ssl->transform, 5402 ssl->session->ciphersuite, 5403 ssl->session->master, 5404 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 5405 ssl->session->encrypt_then_mac, 5406 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 5407 prf_func, 5408 p, /* currently pointing to randbytes */ 5409 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */ 5410 ssl->conf->endpoint, 5411 ssl); 5412 if (ret != 0) { 5413 return ret; 5414 } 5415 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5416 p += sizeof(ssl->transform->randbytes); 5417 5418 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 5419 /* Read connection IDs and store them */ 5420 if ((size_t) (end - p) < 1) { 5421 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5422 } 5423 5424 ssl->transform->in_cid_len = *p++; 5425 5426 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) { 5427 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5428 } 5429 5430 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len); 5431 p += ssl->transform->in_cid_len; 5432 5433 ssl->transform->out_cid_len = *p++; 5434 5435 if ((size_t) (end - p) < ssl->transform->out_cid_len) { 5436 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5437 } 5438 5439 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len); 5440 p += ssl->transform->out_cid_len; 5441 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 5442 5443 /* 5444 * Saved fields from top-level ssl_context structure 5445 */ 5446 if ((size_t) (end - p) < 4) { 5447 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5448 } 5449 5450 ssl->badmac_seen_or_in_hsfraglen = MBEDTLS_GET_UINT32_BE(p, 0); 5451 p += 4; 5452 5453 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5454 if ((size_t) (end - p) < 16) { 5455 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5456 } 5457 5458 ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0); 5459 p += 8; 5460 5461 ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0); 5462 p += 8; 5463 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */ 5464 5465 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5466 if ((size_t) (end - p) < 1) { 5467 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5468 } 5469 5470 ssl->disable_datagram_packing = *p++; 5471 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5472 5473 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) { 5474 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5475 } 5476 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr)); 5477 p += sizeof(ssl->cur_out_ctr); 5478 5479 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5480 if ((size_t) (end - p) < 2) { 5481 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5482 } 5483 5484 ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0); 5485 p += 2; 5486 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 5487 5488 #if defined(MBEDTLS_SSL_ALPN) 5489 { 5490 uint8_t alpn_len; 5491 const char **cur; 5492 5493 if ((size_t) (end - p) < 1) { 5494 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5495 } 5496 5497 alpn_len = *p++; 5498 5499 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) { 5500 /* alpn_chosen should point to an item in the configured list */ 5501 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) { 5502 if (strlen(*cur) == alpn_len && 5503 memcmp(p, *cur, alpn_len) == 0) { 5504 ssl->alpn_chosen = *cur; 5505 break; 5506 } 5507 } 5508 } 5509 5510 /* can only happen on conf mismatch */ 5511 if (alpn_len != 0 && ssl->alpn_chosen == NULL) { 5512 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5513 } 5514 5515 p += alpn_len; 5516 } 5517 #endif /* MBEDTLS_SSL_ALPN */ 5518 5519 /* 5520 * Forced fields from top-level ssl_context structure 5521 * 5522 * Most of them already set to the correct value by mbedtls_ssl_init() and 5523 * mbedtls_ssl_reset(), so we only need to set the remaining ones. 5524 */ 5525 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); 5526 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 5527 5528 /* Adjust pointers for header fields of outgoing records to 5529 * the given transform, accounting for explicit IV and CID. */ 5530 mbedtls_ssl_update_out_pointers(ssl, ssl->transform); 5531 5532 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5533 ssl->in_epoch = 1; 5534 #endif 5535 5536 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated, 5537 * which we don't want - otherwise we'd end up freeing the wrong transform 5538 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform() 5539 * inappropriately. */ 5540 if (ssl->handshake != NULL) { 5541 mbedtls_ssl_handshake_free(ssl); 5542 mbedtls_free(ssl->handshake); 5543 ssl->handshake = NULL; 5544 } 5545 5546 /* 5547 * Done - should have consumed entire buffer 5548 */ 5549 if (p != end) { 5550 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 5551 } 5552 5553 return 0; 5554 } 5555 5556 /* 5557 * Deserialize context: public wrapper for error cleaning 5558 */ 5559 int mbedtls_ssl_context_load(mbedtls_ssl_context *context, 5560 const unsigned char *buf, 5561 size_t len) 5562 { 5563 int ret = ssl_context_load(context, buf, len); 5564 5565 if (ret != 0) { 5566 mbedtls_ssl_free(context); 5567 } 5568 5569 return ret; 5570 } 5571 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 5572 5573 /* 5574 * Free an SSL context 5575 */ 5576 void mbedtls_ssl_free(mbedtls_ssl_context *ssl) 5577 { 5578 if (ssl == NULL) { 5579 return; 5580 } 5581 5582 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free")); 5583 5584 if (ssl->out_buf != NULL) { 5585 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 5586 size_t out_buf_len = ssl->out_buf_len; 5587 #else 5588 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN; 5589 #endif 5590 5591 mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len); 5592 ssl->out_buf = NULL; 5593 } 5594 5595 if (ssl->in_buf != NULL) { 5596 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 5597 size_t in_buf_len = ssl->in_buf_len; 5598 #else 5599 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; 5600 #endif 5601 5602 mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len); 5603 ssl->in_buf = NULL; 5604 } 5605 5606 if (ssl->transform) { 5607 mbedtls_ssl_transform_free(ssl->transform); 5608 mbedtls_free(ssl->transform); 5609 } 5610 5611 if (ssl->handshake) { 5612 mbedtls_ssl_handshake_free(ssl); 5613 mbedtls_free(ssl->handshake); 5614 5615 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5616 mbedtls_ssl_transform_free(ssl->transform_negotiate); 5617 mbedtls_free(ssl->transform_negotiate); 5618 #endif 5619 5620 mbedtls_ssl_session_free(ssl->session_negotiate); 5621 mbedtls_free(ssl->session_negotiate); 5622 } 5623 5624 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 5625 mbedtls_ssl_transform_free(ssl->transform_application); 5626 mbedtls_free(ssl->transform_application); 5627 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 5628 5629 if (ssl->session) { 5630 mbedtls_ssl_session_free(ssl->session); 5631 mbedtls_free(ssl->session); 5632 } 5633 5634 #if defined(MBEDTLS_X509_CRT_PARSE_C) 5635 mbedtls_ssl_free_hostname(ssl); 5636 #endif 5637 5638 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 5639 mbedtls_free(ssl->cli_id); 5640 #endif 5641 5642 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free")); 5643 5644 /* Actually clear after last debug message */ 5645 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context)); 5646 } 5647 5648 /* 5649 * Initialize mbedtls_ssl_config 5650 */ 5651 void mbedtls_ssl_config_init(mbedtls_ssl_config *conf) 5652 { 5653 memset(conf, 0, sizeof(mbedtls_ssl_config)); 5654 } 5655 5656 /* The selection should be the same as mbedtls_x509_crt_profile_default in 5657 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters: 5658 * curves with a lower resource usage come first. 5659 * See the documentation of mbedtls_ssl_conf_curves() for what we promise 5660 * about this list. 5661 */ 5662 static const uint16_t ssl_preset_default_groups[] = { 5663 #if defined(MBEDTLS_ECP_HAVE_CURVE25519) 5664 MBEDTLS_SSL_IANA_TLS_GROUP_X25519, 5665 #endif 5666 #if defined(MBEDTLS_ECP_HAVE_SECP256R1) 5667 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 5668 #endif 5669 #if defined(MBEDTLS_ECP_HAVE_SECP384R1) 5670 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 5671 #endif 5672 #if defined(MBEDTLS_ECP_HAVE_CURVE448) 5673 MBEDTLS_SSL_IANA_TLS_GROUP_X448, 5674 #endif 5675 #if defined(MBEDTLS_ECP_HAVE_SECP521R1) 5676 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, 5677 #endif 5678 #if defined(MBEDTLS_ECP_HAVE_BP256R1) 5679 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, 5680 #endif 5681 #if defined(MBEDTLS_ECP_HAVE_BP384R1) 5682 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, 5683 #endif 5684 #if defined(MBEDTLS_ECP_HAVE_BP512R1) 5685 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, 5686 #endif 5687 #if defined(PSA_WANT_ALG_FFDH) 5688 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048, 5689 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072, 5690 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096, 5691 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144, 5692 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192, 5693 #endif 5694 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 5695 }; 5696 5697 static const int ssl_preset_suiteb_ciphersuites[] = { 5698 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, 5699 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, 5700 0 5701 }; 5702 5703 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5704 5705 /* NOTICE: 5706 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following 5707 * rules SHOULD be upheld. 5708 * - No duplicate entries. 5709 * - But if there is a good reason, do not change the order of the algorithms. 5710 * - ssl_tls12_preset* is for TLS 1.2 use only. 5711 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes. 5712 */ 5713 static const uint16_t ssl_preset_default_sig_algs[] = { 5714 5715 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5716 defined(MBEDTLS_MD_CAN_SHA256) && \ 5717 defined(PSA_WANT_ECC_SECP_R1_256) 5718 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, 5719 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256) 5720 #endif 5721 5722 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5723 defined(MBEDTLS_MD_CAN_SHA384) && \ 5724 defined(PSA_WANT_ECC_SECP_R1_384) 5725 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, 5726 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384) 5727 #endif 5728 5729 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5730 defined(MBEDTLS_MD_CAN_SHA512) && \ 5731 defined(PSA_WANT_ECC_SECP_R1_521) 5732 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512, 5733 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512) 5734 #endif 5735 5736 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512) 5737 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, 5738 #endif 5739 5740 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384) 5741 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, 5742 #endif 5743 5744 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256) 5745 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, 5746 #endif 5747 5748 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512) 5749 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512, 5750 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */ 5751 5752 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384) 5753 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384, 5754 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */ 5755 5756 #if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256) 5757 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256, 5758 #endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */ 5759 5760 MBEDTLS_TLS_SIG_NONE 5761 }; 5762 5763 /* NOTICE: see above */ 5764 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5765 static const uint16_t ssl_tls12_preset_default_sig_algs[] = { 5766 5767 #if defined(MBEDTLS_MD_CAN_SHA512) 5768 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5769 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512), 5770 #endif 5771 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5772 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512, 5773 #endif 5774 #if defined(MBEDTLS_RSA_C) 5775 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512), 5776 #endif 5777 #endif /* MBEDTLS_MD_CAN_SHA512 */ 5778 5779 #if defined(MBEDTLS_MD_CAN_SHA384) 5780 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5781 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), 5782 #endif 5783 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5784 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384, 5785 #endif 5786 #if defined(MBEDTLS_RSA_C) 5787 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384), 5788 #endif 5789 #endif /* MBEDTLS_MD_CAN_SHA384 */ 5790 5791 #if defined(MBEDTLS_MD_CAN_SHA256) 5792 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5793 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), 5794 #endif 5795 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) 5796 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256, 5797 #endif 5798 #if defined(MBEDTLS_RSA_C) 5799 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256), 5800 #endif 5801 #endif /* MBEDTLS_MD_CAN_SHA256 */ 5802 5803 MBEDTLS_TLS_SIG_NONE 5804 }; 5805 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5806 5807 /* NOTICE: see above */ 5808 static const uint16_t ssl_preset_suiteb_sig_algs[] = { 5809 5810 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5811 defined(MBEDTLS_MD_CAN_SHA256) && \ 5812 defined(MBEDTLS_ECP_HAVE_SECP256R1) 5813 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256, 5814 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256) 5815 #endif 5816 5817 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \ 5818 defined(MBEDTLS_MD_CAN_SHA384) && \ 5819 defined(MBEDTLS_ECP_HAVE_SECP384R1) 5820 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384, 5821 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384) 5822 #endif 5823 5824 MBEDTLS_TLS_SIG_NONE 5825 }; 5826 5827 /* NOTICE: see above */ 5828 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5829 static const uint16_t ssl_tls12_preset_suiteb_sig_algs[] = { 5830 5831 #if defined(MBEDTLS_MD_CAN_SHA256) 5832 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5833 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256), 5834 #endif 5835 #endif /* MBEDTLS_MD_CAN_SHA256 */ 5836 5837 #if defined(MBEDTLS_MD_CAN_SHA384) 5838 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 5839 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384), 5840 #endif 5841 #endif /* MBEDTLS_MD_CAN_SHA384 */ 5842 5843 MBEDTLS_TLS_SIG_NONE 5844 }; 5845 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5846 5847 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5848 5849 static const uint16_t ssl_preset_suiteb_groups[] = { 5850 #if defined(MBEDTLS_ECP_HAVE_SECP256R1) 5851 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, 5852 #endif 5853 #if defined(MBEDTLS_ECP_HAVE_SECP384R1) 5854 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, 5855 #endif 5856 MBEDTLS_SSL_IANA_TLS_GROUP_NONE 5857 }; 5858 5859 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5860 /* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs` 5861 * to make sure there are no duplicated signature algorithm entries. */ 5862 MBEDTLS_CHECK_RETURN_CRITICAL 5863 static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs) 5864 { 5865 size_t i, j; 5866 int ret = 0; 5867 5868 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { 5869 for (j = 0; j < i; j++) { 5870 if (sig_algs[i] != sig_algs[j]) { 5871 continue; 5872 } 5873 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET 5874 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n", 5875 sig_algs[i], j, i); 5876 ret = -1; 5877 } 5878 } 5879 return ret; 5880 } 5881 5882 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5883 5884 /* 5885 * Load default in mbedtls_ssl_config 5886 */ 5887 int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf, 5888 int endpoint, int transport, int preset) 5889 { 5890 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 5891 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5892 #endif 5893 5894 #if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 5895 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) { 5896 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n"); 5897 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5898 } 5899 5900 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) { 5901 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n"); 5902 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5903 } 5904 5905 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 5906 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) { 5907 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n"); 5908 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5909 } 5910 5911 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) { 5912 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n"); 5913 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 5914 } 5915 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 5916 #endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 5917 5918 /* Use the functions here so that they are covered in tests, 5919 * but otherwise access member directly for efficiency */ 5920 mbedtls_ssl_conf_endpoint(conf, endpoint); 5921 mbedtls_ssl_conf_transport(conf, transport); 5922 5923 /* 5924 * Things that are common to all presets 5925 */ 5926 #if defined(MBEDTLS_SSL_CLI_C) 5927 if (endpoint == MBEDTLS_SSL_IS_CLIENT) { 5928 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED; 5929 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 5930 mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED); 5931 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 5932 /* Contrary to TLS 1.2 tickets, TLS 1.3 NewSessionTicket message 5933 * handling is disabled by default in Mbed TLS 3.6.x for backward 5934 * compatibility with client applications developed using Mbed TLS 3.5 5935 * or earlier with the default configuration. 5936 * 5937 * Up to Mbed TLS 3.5, in the default configuration TLS 1.3 was 5938 * disabled, and a Mbed TLS client with the default configuration would 5939 * establish a TLS 1.2 connection with a TLS 1.2 and TLS 1.3 capable 5940 * server. 5941 * 5942 * Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled by default, and thus 5943 * an Mbed TLS client with the default configuration establishes a 5944 * TLS 1.3 connection with a TLS 1.2 and TLS 1.3 capable server. If 5945 * following the handshake the TLS 1.3 server sends NewSessionTicket 5946 * messages and the Mbed TLS client processes them, this results in 5947 * Mbed TLS high level APIs (mbedtls_ssl_read(), 5948 * mbedtls_ssl_handshake(), ...) to eventually return an 5949 * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET non fatal error code 5950 * (see the documentation of mbedtls_ssl_read() for more information on 5951 * that error code). Applications unaware of that TLS 1.3 specific non 5952 * fatal error code are then failing. 5953 */ 5954 mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets( 5955 conf, MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED); 5956 #endif 5957 #endif 5958 } 5959 #endif 5960 5961 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 5962 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED; 5963 #endif 5964 5965 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 5966 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED; 5967 #endif 5968 5969 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C) 5970 conf->f_cookie_write = ssl_cookie_write_dummy; 5971 conf->f_cookie_check = ssl_cookie_check_dummy; 5972 #endif 5973 5974 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 5975 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED; 5976 #endif 5977 5978 #if defined(MBEDTLS_SSL_SRV_C) 5979 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED; 5980 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER; 5981 #endif 5982 5983 #if defined(MBEDTLS_SSL_PROTO_DTLS) 5984 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN; 5985 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX; 5986 #endif 5987 5988 #if defined(MBEDTLS_SSL_RENEGOTIATION) 5989 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT; 5990 memset(conf->renego_period, 0x00, 2); 5991 memset(conf->renego_period + 2, 0xFF, 6); 5992 #endif 5993 5994 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C) 5995 if (endpoint == MBEDTLS_SSL_IS_SERVER) { 5996 const unsigned char dhm_p[] = 5997 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN; 5998 const unsigned char dhm_g[] = 5999 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN; 6000 6001 if ((ret = mbedtls_ssl_conf_dh_param_bin(conf, 6002 dhm_p, sizeof(dhm_p), 6003 dhm_g, sizeof(dhm_g))) != 0) { 6004 return ret; 6005 } 6006 } 6007 #endif 6008 6009 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 6010 6011 #if defined(MBEDTLS_SSL_EARLY_DATA) 6012 mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED); 6013 #if defined(MBEDTLS_SSL_SRV_C) 6014 mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE); 6015 #endif 6016 #endif /* MBEDTLS_SSL_EARLY_DATA */ 6017 6018 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) 6019 mbedtls_ssl_conf_new_session_tickets( 6020 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS); 6021 #endif 6022 /* 6023 * Allow all TLS 1.3 key exchange modes by default. 6024 */ 6025 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; 6026 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 6027 6028 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 6029 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6030 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 6031 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 6032 #else 6033 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 6034 #endif 6035 } else { 6036 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 6037 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 6038 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 6039 #elif defined(MBEDTLS_SSL_PROTO_TLS1_3) 6040 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 6041 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; 6042 #elif defined(MBEDTLS_SSL_PROTO_TLS1_2) 6043 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 6044 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; 6045 #else 6046 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 6047 #endif 6048 } 6049 6050 /* 6051 * Preset-specific defaults 6052 */ 6053 switch (preset) { 6054 /* 6055 * NSA Suite B 6056 */ 6057 case MBEDTLS_SSL_PRESET_SUITEB: 6058 6059 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites; 6060 6061 #if defined(MBEDTLS_X509_CRT_PARSE_C) 6062 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb; 6063 #endif 6064 6065 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 6066 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6067 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 6068 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs; 6069 } else 6070 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 6071 conf->sig_algs = ssl_preset_suiteb_sig_algs; 6072 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 6073 6074 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 6075 conf->curve_list = NULL; 6076 #endif 6077 conf->group_list = ssl_preset_suiteb_groups; 6078 break; 6079 6080 /* 6081 * Default 6082 */ 6083 default: 6084 6085 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites(); 6086 6087 #if defined(MBEDTLS_X509_CRT_PARSE_C) 6088 conf->cert_profile = &mbedtls_x509_crt_profile_default; 6089 #endif 6090 6091 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 6092 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6093 if (mbedtls_ssl_conf_is_tls12_only(conf)) { 6094 conf->sig_algs = ssl_tls12_preset_default_sig_algs; 6095 } else 6096 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 6097 conf->sig_algs = ssl_preset_default_sig_algs; 6098 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 6099 6100 #if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED) 6101 conf->curve_list = NULL; 6102 #endif 6103 conf->group_list = ssl_preset_default_groups; 6104 6105 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C) 6106 conf->dhm_min_bitlen = 1024; 6107 #endif 6108 } 6109 6110 return 0; 6111 } 6112 6113 /* 6114 * Free mbedtls_ssl_config 6115 */ 6116 void mbedtls_ssl_config_free(mbedtls_ssl_config *conf) 6117 { 6118 if (conf == NULL) { 6119 return; 6120 } 6121 6122 #if defined(MBEDTLS_DHM_C) 6123 mbedtls_mpi_free(&conf->dhm_P); 6124 mbedtls_mpi_free(&conf->dhm_G); 6125 #endif 6126 6127 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 6128 #if defined(MBEDTLS_USE_PSA_CRYPTO) 6129 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) { 6130 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT; 6131 } 6132 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 6133 if (conf->psk != NULL) { 6134 mbedtls_zeroize_and_free(conf->psk, conf->psk_len); 6135 conf->psk = NULL; 6136 conf->psk_len = 0; 6137 } 6138 6139 if (conf->psk_identity != NULL) { 6140 mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len); 6141 conf->psk_identity = NULL; 6142 conf->psk_identity_len = 0; 6143 } 6144 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 6145 6146 #if defined(MBEDTLS_X509_CRT_PARSE_C) 6147 ssl_key_cert_free(conf->key_cert); 6148 #endif 6149 6150 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config)); 6151 } 6152 6153 #if defined(MBEDTLS_PK_C) && \ 6154 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)) 6155 /* 6156 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX 6157 */ 6158 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk) 6159 { 6160 #if defined(MBEDTLS_RSA_C) 6161 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) { 6162 return MBEDTLS_SSL_SIG_RSA; 6163 } 6164 #endif 6165 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) 6166 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) { 6167 return MBEDTLS_SSL_SIG_ECDSA; 6168 } 6169 #endif 6170 return MBEDTLS_SSL_SIG_ANON; 6171 } 6172 6173 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type) 6174 { 6175 switch (type) { 6176 case MBEDTLS_PK_RSA: 6177 return MBEDTLS_SSL_SIG_RSA; 6178 case MBEDTLS_PK_ECDSA: 6179 case MBEDTLS_PK_ECKEY: 6180 return MBEDTLS_SSL_SIG_ECDSA; 6181 default: 6182 return MBEDTLS_SSL_SIG_ANON; 6183 } 6184 } 6185 6186 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig) 6187 { 6188 switch (sig) { 6189 #if defined(MBEDTLS_RSA_C) 6190 case MBEDTLS_SSL_SIG_RSA: 6191 return MBEDTLS_PK_RSA; 6192 #endif 6193 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) 6194 case MBEDTLS_SSL_SIG_ECDSA: 6195 return MBEDTLS_PK_ECDSA; 6196 #endif 6197 default: 6198 return MBEDTLS_PK_NONE; 6199 } 6200 } 6201 #endif /* MBEDTLS_PK_C && 6202 ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */ 6203 6204 /* 6205 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX 6206 */ 6207 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash) 6208 { 6209 switch (hash) { 6210 #if defined(MBEDTLS_MD_CAN_MD5) 6211 case MBEDTLS_SSL_HASH_MD5: 6212 return MBEDTLS_MD_MD5; 6213 #endif 6214 #if defined(MBEDTLS_MD_CAN_SHA1) 6215 case MBEDTLS_SSL_HASH_SHA1: 6216 return MBEDTLS_MD_SHA1; 6217 #endif 6218 #if defined(MBEDTLS_MD_CAN_SHA224) 6219 case MBEDTLS_SSL_HASH_SHA224: 6220 return MBEDTLS_MD_SHA224; 6221 #endif 6222 #if defined(MBEDTLS_MD_CAN_SHA256) 6223 case MBEDTLS_SSL_HASH_SHA256: 6224 return MBEDTLS_MD_SHA256; 6225 #endif 6226 #if defined(MBEDTLS_MD_CAN_SHA384) 6227 case MBEDTLS_SSL_HASH_SHA384: 6228 return MBEDTLS_MD_SHA384; 6229 #endif 6230 #if defined(MBEDTLS_MD_CAN_SHA512) 6231 case MBEDTLS_SSL_HASH_SHA512: 6232 return MBEDTLS_MD_SHA512; 6233 #endif 6234 default: 6235 return MBEDTLS_MD_NONE; 6236 } 6237 } 6238 6239 /* 6240 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX 6241 */ 6242 unsigned char mbedtls_ssl_hash_from_md_alg(int md) 6243 { 6244 switch (md) { 6245 #if defined(MBEDTLS_MD_CAN_MD5) 6246 case MBEDTLS_MD_MD5: 6247 return MBEDTLS_SSL_HASH_MD5; 6248 #endif 6249 #if defined(MBEDTLS_MD_CAN_SHA1) 6250 case MBEDTLS_MD_SHA1: 6251 return MBEDTLS_SSL_HASH_SHA1; 6252 #endif 6253 #if defined(MBEDTLS_MD_CAN_SHA224) 6254 case MBEDTLS_MD_SHA224: 6255 return MBEDTLS_SSL_HASH_SHA224; 6256 #endif 6257 #if defined(MBEDTLS_MD_CAN_SHA256) 6258 case MBEDTLS_MD_SHA256: 6259 return MBEDTLS_SSL_HASH_SHA256; 6260 #endif 6261 #if defined(MBEDTLS_MD_CAN_SHA384) 6262 case MBEDTLS_MD_SHA384: 6263 return MBEDTLS_SSL_HASH_SHA384; 6264 #endif 6265 #if defined(MBEDTLS_MD_CAN_SHA512) 6266 case MBEDTLS_MD_SHA512: 6267 return MBEDTLS_SSL_HASH_SHA512; 6268 #endif 6269 default: 6270 return MBEDTLS_SSL_HASH_NONE; 6271 } 6272 } 6273 6274 /* 6275 * Check if a curve proposed by the peer is in our list. 6276 * Return 0 if we're willing to use it, -1 otherwise. 6277 */ 6278 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id) 6279 { 6280 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); 6281 6282 if (group_list == NULL) { 6283 return -1; 6284 } 6285 6286 for (; *group_list != 0; group_list++) { 6287 if (*group_list == tls_id) { 6288 return 0; 6289 } 6290 } 6291 6292 return -1; 6293 } 6294 6295 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 6296 /* 6297 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id. 6298 */ 6299 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id) 6300 { 6301 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); 6302 6303 if (tls_id == 0) { 6304 return -1; 6305 } 6306 6307 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id); 6308 } 6309 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 6310 6311 static const struct { 6312 uint16_t tls_id; 6313 mbedtls_ecp_group_id ecp_group_id; 6314 psa_ecc_family_t psa_family; 6315 uint16_t bits; 6316 } tls_id_match_table[] = 6317 { 6318 #if defined(MBEDTLS_ECP_HAVE_SECP521R1) 6319 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 }, 6320 #endif 6321 #if defined(MBEDTLS_ECP_HAVE_BP512R1) 6322 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 }, 6323 #endif 6324 #if defined(MBEDTLS_ECP_HAVE_SECP384R1) 6325 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 }, 6326 #endif 6327 #if defined(MBEDTLS_ECP_HAVE_BP384R1) 6328 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 }, 6329 #endif 6330 #if defined(MBEDTLS_ECP_HAVE_SECP256R1) 6331 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 }, 6332 #endif 6333 #if defined(MBEDTLS_ECP_HAVE_SECP256K1) 6334 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 }, 6335 #endif 6336 #if defined(MBEDTLS_ECP_HAVE_BP256R1) 6337 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 }, 6338 #endif 6339 #if defined(MBEDTLS_ECP_HAVE_SECP224R1) 6340 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 }, 6341 #endif 6342 #if defined(MBEDTLS_ECP_HAVE_SECP224K1) 6343 { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 }, 6344 #endif 6345 #if defined(MBEDTLS_ECP_HAVE_SECP192R1) 6346 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 }, 6347 #endif 6348 #if defined(MBEDTLS_ECP_HAVE_SECP192K1) 6349 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 }, 6350 #endif 6351 #if defined(MBEDTLS_ECP_HAVE_CURVE25519) 6352 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 }, 6353 #endif 6354 #if defined(MBEDTLS_ECP_HAVE_CURVE448) 6355 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 }, 6356 #endif 6357 { 0, MBEDTLS_ECP_DP_NONE, 0, 0 }, 6358 }; 6359 6360 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id, 6361 psa_key_type_t *type, 6362 size_t *bits) 6363 { 6364 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { 6365 if (tls_id_match_table[i].tls_id == tls_id) { 6366 if (type != NULL) { 6367 *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family); 6368 } 6369 if (bits != NULL) { 6370 *bits = tls_id_match_table[i].bits; 6371 } 6372 return PSA_SUCCESS; 6373 } 6374 } 6375 6376 return PSA_ERROR_NOT_SUPPORTED; 6377 } 6378 6379 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id) 6380 { 6381 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) { 6382 if (tls_id_match_table[i].tls_id == tls_id) { 6383 return tls_id_match_table[i].ecp_group_id; 6384 } 6385 } 6386 6387 return MBEDTLS_ECP_DP_NONE; 6388 } 6389 6390 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id) 6391 { 6392 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE; 6393 i++) { 6394 if (tls_id_match_table[i].ecp_group_id == grp_id) { 6395 return tls_id_match_table[i].tls_id; 6396 } 6397 } 6398 6399 return 0; 6400 } 6401 6402 #if defined(MBEDTLS_DEBUG_C) 6403 static const struct { 6404 uint16_t tls_id; 6405 const char *name; 6406 } tls_id_curve_name_table[] = 6407 { 6408 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" }, 6409 { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" }, 6410 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" }, 6411 { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" }, 6412 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" }, 6413 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" }, 6414 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" }, 6415 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" }, 6416 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" }, 6417 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" }, 6418 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" }, 6419 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" }, 6420 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" }, 6421 { 0, NULL }, 6422 }; 6423 6424 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id) 6425 { 6426 for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) { 6427 if (tls_id_curve_name_table[i].tls_id == tls_id) { 6428 return tls_id_curve_name_table[i].name; 6429 } 6430 } 6431 6432 return NULL; 6433 } 6434 #endif 6435 6436 #if defined(MBEDTLS_USE_PSA_CRYPTO) 6437 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 6438 const mbedtls_md_type_t md, 6439 unsigned char *dst, 6440 size_t dst_len, 6441 size_t *olen) 6442 { 6443 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 6444 psa_hash_operation_t *hash_operation_to_clone; 6445 psa_hash_operation_t hash_operation = psa_hash_operation_init(); 6446 6447 *olen = 0; 6448 6449 switch (md) { 6450 #if defined(MBEDTLS_MD_CAN_SHA384) 6451 case MBEDTLS_MD_SHA384: 6452 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa; 6453 break; 6454 #endif 6455 6456 #if defined(MBEDTLS_MD_CAN_SHA256) 6457 case MBEDTLS_MD_SHA256: 6458 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa; 6459 break; 6460 #endif 6461 6462 default: 6463 goto exit; 6464 } 6465 6466 status = psa_hash_clone(hash_operation_to_clone, &hash_operation); 6467 if (status != PSA_SUCCESS) { 6468 goto exit; 6469 } 6470 6471 status = psa_hash_finish(&hash_operation, dst, dst_len, olen); 6472 if (status != PSA_SUCCESS) { 6473 goto exit; 6474 } 6475 6476 exit: 6477 #if !defined(MBEDTLS_MD_CAN_SHA384) && \ 6478 !defined(MBEDTLS_MD_CAN_SHA256) 6479 (void) ssl; 6480 #endif 6481 return PSA_TO_MBEDTLS_ERR(status); 6482 } 6483 #else /* MBEDTLS_USE_PSA_CRYPTO */ 6484 6485 #if defined(MBEDTLS_MD_CAN_SHA384) 6486 MBEDTLS_CHECK_RETURN_CRITICAL 6487 static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl, 6488 unsigned char *dst, 6489 size_t dst_len, 6490 size_t *olen) 6491 { 6492 int ret; 6493 mbedtls_md_context_t sha384; 6494 6495 if (dst_len < 48) { 6496 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6497 } 6498 6499 mbedtls_md_init(&sha384); 6500 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0); 6501 if (ret != 0) { 6502 goto exit; 6503 } 6504 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384); 6505 if (ret != 0) { 6506 goto exit; 6507 } 6508 6509 if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) { 6510 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 6511 goto exit; 6512 } 6513 6514 *olen = 48; 6515 6516 exit: 6517 6518 mbedtls_md_free(&sha384); 6519 return ret; 6520 } 6521 #endif /* MBEDTLS_MD_CAN_SHA384 */ 6522 6523 #if defined(MBEDTLS_MD_CAN_SHA256) 6524 MBEDTLS_CHECK_RETURN_CRITICAL 6525 static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl, 6526 unsigned char *dst, 6527 size_t dst_len, 6528 size_t *olen) 6529 { 6530 int ret; 6531 mbedtls_md_context_t sha256; 6532 6533 if (dst_len < 32) { 6534 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6535 } 6536 6537 mbedtls_md_init(&sha256); 6538 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0); 6539 if (ret != 0) { 6540 goto exit; 6541 } 6542 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256); 6543 if (ret != 0) { 6544 goto exit; 6545 } 6546 6547 if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) { 6548 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 6549 goto exit; 6550 } 6551 6552 *olen = 32; 6553 6554 exit: 6555 6556 mbedtls_md_free(&sha256); 6557 return ret; 6558 } 6559 #endif /* MBEDTLS_MD_CAN_SHA256 */ 6560 6561 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 6562 const mbedtls_md_type_t md, 6563 unsigned char *dst, 6564 size_t dst_len, 6565 size_t *olen) 6566 { 6567 switch (md) { 6568 6569 #if defined(MBEDTLS_MD_CAN_SHA384) 6570 case MBEDTLS_MD_SHA384: 6571 return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen); 6572 #endif /* MBEDTLS_MD_CAN_SHA384*/ 6573 6574 #if defined(MBEDTLS_MD_CAN_SHA256) 6575 case MBEDTLS_MD_SHA256: 6576 return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen); 6577 #endif /* MBEDTLS_MD_CAN_SHA256*/ 6578 6579 default: 6580 #if !defined(MBEDTLS_MD_CAN_SHA384) && \ 6581 !defined(MBEDTLS_MD_CAN_SHA256) 6582 (void) ssl; 6583 (void) dst; 6584 (void) dst_len; 6585 (void) olen; 6586 #endif 6587 break; 6588 } 6589 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6590 } 6591 6592 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 6593 6594 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 6595 /* mbedtls_ssl_parse_sig_alg_ext() 6596 * 6597 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList` 6598 * value (TLS 1.3 RFC8446): 6599 * enum { 6600 * .... 6601 * ecdsa_secp256r1_sha256( 0x0403 ), 6602 * ecdsa_secp384r1_sha384( 0x0503 ), 6603 * ecdsa_secp521r1_sha512( 0x0603 ), 6604 * .... 6605 * } SignatureScheme; 6606 * 6607 * struct { 6608 * SignatureScheme supported_signature_algorithms<2..2^16-2>; 6609 * } SignatureSchemeList; 6610 * 6611 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm` 6612 * value (TLS 1.2 RFC5246): 6613 * enum { 6614 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 6615 * sha512(6), (255) 6616 * } HashAlgorithm; 6617 * 6618 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 6619 * SignatureAlgorithm; 6620 * 6621 * struct { 6622 * HashAlgorithm hash; 6623 * SignatureAlgorithm signature; 6624 * } SignatureAndHashAlgorithm; 6625 * 6626 * SignatureAndHashAlgorithm 6627 * supported_signature_algorithms<2..2^16-2>; 6628 * 6629 * The TLS 1.3 signature algorithm extension was defined to be a compatible 6630 * generalization of the TLS 1.2 signature algorithm extension. 6631 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by 6632 * `SignatureScheme` field of TLS 1.3 6633 * 6634 */ 6635 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl, 6636 const unsigned char *buf, 6637 const unsigned char *end) 6638 { 6639 const unsigned char *p = buf; 6640 size_t supported_sig_algs_len = 0; 6641 const unsigned char *supported_sig_algs_end; 6642 uint16_t sig_alg; 6643 uint32_t common_idx = 0; 6644 6645 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 6646 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0); 6647 p += 2; 6648 6649 memset(ssl->handshake->received_sig_algs, 0, 6650 sizeof(ssl->handshake->received_sig_algs)); 6651 6652 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len); 6653 supported_sig_algs_end = p + supported_sig_algs_len; 6654 while (p < supported_sig_algs_end) { 6655 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2); 6656 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0); 6657 p += 2; 6658 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s", 6659 sig_alg, 6660 mbedtls_ssl_sig_alg_to_str(sig_alg))); 6661 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6662 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 6663 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) && 6664 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) { 6665 continue; 6666 } 6667 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 6668 6669 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s", 6670 mbedtls_ssl_sig_alg_to_str(sig_alg))); 6671 6672 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) { 6673 ssl->handshake->received_sig_algs[common_idx] = sig_alg; 6674 common_idx += 1; 6675 } 6676 } 6677 /* Check that we consumed all the message. */ 6678 if (p != end) { 6679 MBEDTLS_SSL_DEBUG_MSG(1, 6680 ("Signature algorithms extension length misaligned")); 6681 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, 6682 MBEDTLS_ERR_SSL_DECODE_ERROR); 6683 return MBEDTLS_ERR_SSL_DECODE_ERROR; 6684 } 6685 6686 if (common_idx == 0) { 6687 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common")); 6688 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, 6689 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE); 6690 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 6691 } 6692 6693 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE; 6694 return 0; 6695 } 6696 6697 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 6698 6699 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 6700 6701 #if defined(MBEDTLS_USE_PSA_CRYPTO) 6702 6703 static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation, 6704 mbedtls_svc_key_id_t key, 6705 psa_algorithm_t alg, 6706 const unsigned char *raw_psk, size_t raw_psk_length, 6707 const unsigned char *seed, size_t seed_length, 6708 const unsigned char *label, size_t label_length, 6709 const unsigned char *other_secret, 6710 size_t other_secret_length, 6711 size_t capacity) 6712 { 6713 psa_status_t status; 6714 6715 status = psa_key_derivation_setup(derivation, alg); 6716 if (status != PSA_SUCCESS) { 6717 return status; 6718 } 6719 6720 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) { 6721 status = psa_key_derivation_input_bytes(derivation, 6722 PSA_KEY_DERIVATION_INPUT_SEED, 6723 seed, seed_length); 6724 if (status != PSA_SUCCESS) { 6725 return status; 6726 } 6727 6728 if (other_secret != NULL) { 6729 status = psa_key_derivation_input_bytes(derivation, 6730 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET, 6731 other_secret, other_secret_length); 6732 if (status != PSA_SUCCESS) { 6733 return status; 6734 } 6735 } 6736 6737 if (mbedtls_svc_key_id_is_null(key)) { 6738 status = psa_key_derivation_input_bytes( 6739 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, 6740 raw_psk, raw_psk_length); 6741 } else { 6742 status = psa_key_derivation_input_key( 6743 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key); 6744 } 6745 if (status != PSA_SUCCESS) { 6746 return status; 6747 } 6748 6749 status = psa_key_derivation_input_bytes(derivation, 6750 PSA_KEY_DERIVATION_INPUT_LABEL, 6751 label, label_length); 6752 if (status != PSA_SUCCESS) { 6753 return status; 6754 } 6755 } else { 6756 return PSA_ERROR_NOT_SUPPORTED; 6757 } 6758 6759 status = psa_key_derivation_set_capacity(derivation, capacity); 6760 if (status != PSA_SUCCESS) { 6761 return status; 6762 } 6763 6764 return PSA_SUCCESS; 6765 } 6766 6767 #if defined(PSA_WANT_ALG_SHA_384) || \ 6768 defined(PSA_WANT_ALG_SHA_256) 6769 MBEDTLS_CHECK_RETURN_CRITICAL 6770 static int tls_prf_generic(mbedtls_md_type_t md_type, 6771 const unsigned char *secret, size_t slen, 6772 const char *label, size_t label_len, 6773 const unsigned char *random, size_t rlen, 6774 unsigned char *dstbuf, size_t dlen) 6775 { 6776 psa_status_t status; 6777 psa_algorithm_t alg; 6778 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT; 6779 psa_key_derivation_operation_t derivation = 6780 PSA_KEY_DERIVATION_OPERATION_INIT; 6781 6782 if (md_type == MBEDTLS_MD_SHA384) { 6783 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384); 6784 } else { 6785 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); 6786 } 6787 6788 /* Normally a "secret" should be long enough to be impossible to 6789 * find by brute force, and in particular should not be empty. But 6790 * this PRF is also used to derive an IV, in particular in EAP-TLS, 6791 * and for this use case it makes sense to have a 0-length "secret". 6792 * Since the key API doesn't allow importing a key of length 0, 6793 * keep master_key=0, which setup_psa_key_derivation() understands 6794 * to mean a 0-length "secret" input. */ 6795 if (slen != 0) { 6796 psa_key_attributes_t key_attributes = psa_key_attributes_init(); 6797 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); 6798 psa_set_key_algorithm(&key_attributes, alg); 6799 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE); 6800 6801 status = psa_import_key(&key_attributes, secret, slen, &master_key); 6802 if (status != PSA_SUCCESS) { 6803 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6804 } 6805 } 6806 6807 status = setup_psa_key_derivation(&derivation, 6808 master_key, alg, 6809 NULL, 0, 6810 random, rlen, 6811 (unsigned char const *) label, 6812 label_len, 6813 NULL, 0, 6814 dlen); 6815 if (status != PSA_SUCCESS) { 6816 psa_key_derivation_abort(&derivation); 6817 psa_destroy_key(master_key); 6818 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6819 } 6820 6821 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen); 6822 if (status != PSA_SUCCESS) { 6823 psa_key_derivation_abort(&derivation); 6824 psa_destroy_key(master_key); 6825 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6826 } 6827 6828 status = psa_key_derivation_abort(&derivation); 6829 if (status != PSA_SUCCESS) { 6830 psa_destroy_key(master_key); 6831 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6832 } 6833 6834 if (!mbedtls_svc_key_id_is_null(master_key)) { 6835 status = psa_destroy_key(master_key); 6836 } 6837 if (status != PSA_SUCCESS) { 6838 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 6839 } 6840 6841 return 0; 6842 } 6843 #endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */ 6844 #else /* MBEDTLS_USE_PSA_CRYPTO */ 6845 6846 #if defined(MBEDTLS_MD_C) && \ 6847 (defined(MBEDTLS_MD_CAN_SHA256) || \ 6848 defined(MBEDTLS_MD_CAN_SHA384)) 6849 MBEDTLS_CHECK_RETURN_CRITICAL 6850 static int tls_prf_generic(mbedtls_md_type_t md_type, 6851 const unsigned char *secret, size_t slen, 6852 const char *label, size_t label_len, 6853 const unsigned char *random, size_t rlen, 6854 unsigned char *dstbuf, size_t dlen) 6855 { 6856 size_t nb; 6857 size_t i, j, k, md_len; 6858 unsigned char *tmp; 6859 size_t tmp_len = 0; 6860 unsigned char h_i[MBEDTLS_MD_MAX_SIZE]; 6861 const mbedtls_md_info_t *md_info; 6862 mbedtls_md_context_t md_ctx; 6863 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 6864 6865 mbedtls_md_init(&md_ctx); 6866 6867 if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) { 6868 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 6869 } 6870 6871 md_len = mbedtls_md_get_size(md_info); 6872 6873 tmp_len = md_len + label_len + rlen; 6874 tmp = mbedtls_calloc(1, tmp_len); 6875 if (tmp == NULL) { 6876 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 6877 goto exit; 6878 } 6879 6880 nb = label_len; 6881 memcpy(tmp + md_len, label, nb); 6882 memcpy(tmp + md_len + nb, random, rlen); 6883 nb += rlen; 6884 6885 /* 6886 * Compute P_<hash>(secret, label + random)[0..dlen] 6887 */ 6888 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) { 6889 goto exit; 6890 } 6891 6892 ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen); 6893 if (ret != 0) { 6894 goto exit; 6895 } 6896 ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb); 6897 if (ret != 0) { 6898 goto exit; 6899 } 6900 ret = mbedtls_md_hmac_finish(&md_ctx, tmp); 6901 if (ret != 0) { 6902 goto exit; 6903 } 6904 6905 for (i = 0; i < dlen; i += md_len) { 6906 ret = mbedtls_md_hmac_reset(&md_ctx); 6907 if (ret != 0) { 6908 goto exit; 6909 } 6910 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb); 6911 if (ret != 0) { 6912 goto exit; 6913 } 6914 ret = mbedtls_md_hmac_finish(&md_ctx, h_i); 6915 if (ret != 0) { 6916 goto exit; 6917 } 6918 6919 ret = mbedtls_md_hmac_reset(&md_ctx); 6920 if (ret != 0) { 6921 goto exit; 6922 } 6923 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len); 6924 if (ret != 0) { 6925 goto exit; 6926 } 6927 ret = mbedtls_md_hmac_finish(&md_ctx, tmp); 6928 if (ret != 0) { 6929 goto exit; 6930 } 6931 6932 k = (i + md_len > dlen) ? dlen % md_len : md_len; 6933 6934 for (j = 0; j < k; j++) { 6935 dstbuf[i + j] = h_i[j]; 6936 } 6937 } 6938 6939 exit: 6940 mbedtls_md_free(&md_ctx); 6941 6942 if (tmp != NULL) { 6943 mbedtls_platform_zeroize(tmp, tmp_len); 6944 } 6945 6946 mbedtls_platform_zeroize(h_i, sizeof(h_i)); 6947 6948 mbedtls_free(tmp); 6949 6950 return ret; 6951 } 6952 #endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */ 6953 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 6954 6955 #if defined(MBEDTLS_MD_CAN_SHA256) 6956 MBEDTLS_CHECK_RETURN_CRITICAL 6957 static int tls_prf_sha256(const unsigned char *secret, size_t slen, 6958 const char *label, 6959 const unsigned char *random, size_t rlen, 6960 unsigned char *dstbuf, size_t dlen) 6961 { 6962 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen, 6963 label, strlen(label), random, rlen, dstbuf, dlen); 6964 } 6965 #endif /* MBEDTLS_MD_CAN_SHA256*/ 6966 6967 #if defined(MBEDTLS_MD_CAN_SHA384) 6968 MBEDTLS_CHECK_RETURN_CRITICAL 6969 static int tls_prf_sha384(const unsigned char *secret, size_t slen, 6970 const char *label, 6971 const unsigned char *random, size_t rlen, 6972 unsigned char *dstbuf, size_t dlen) 6973 { 6974 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen, 6975 label, strlen(label), random, rlen, dstbuf, dlen); 6976 } 6977 #endif /* MBEDTLS_MD_CAN_SHA384*/ 6978 6979 /* 6980 * Set appropriate PRF function and other SSL / TLS1.2 functions 6981 * 6982 * Inputs: 6983 * - hash associated with the ciphersuite (only used by TLS 1.2) 6984 * 6985 * Outputs: 6986 * - the tls_prf, calc_verify and calc_finished members of handshake structure 6987 */ 6988 MBEDTLS_CHECK_RETURN_CRITICAL 6989 static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake, 6990 mbedtls_md_type_t hash) 6991 { 6992 #if defined(MBEDTLS_MD_CAN_SHA384) 6993 if (hash == MBEDTLS_MD_SHA384) { 6994 handshake->tls_prf = tls_prf_sha384; 6995 handshake->calc_verify = ssl_calc_verify_tls_sha384; 6996 handshake->calc_finished = ssl_calc_finished_tls_sha384; 6997 } else 6998 #endif 6999 #if defined(MBEDTLS_MD_CAN_SHA256) 7000 { 7001 (void) hash; 7002 handshake->tls_prf = tls_prf_sha256; 7003 handshake->calc_verify = ssl_calc_verify_tls_sha256; 7004 handshake->calc_finished = ssl_calc_finished_tls_sha256; 7005 } 7006 #else 7007 { 7008 (void) handshake; 7009 (void) hash; 7010 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7011 } 7012 #endif 7013 7014 return 0; 7015 } 7016 7017 /* 7018 * Compute master secret if needed 7019 * 7020 * Parameters: 7021 * [in/out] handshake 7022 * [in] resume, premaster, extended_ms, calc_verify, tls_prf 7023 * (PSA-PSK) ciphersuite_info, psk_opaque 7024 * [out] premaster (cleared) 7025 * [out] master 7026 * [in] ssl: optionally used for debugging, EMS and PSA-PSK 7027 * debug: conf->f_dbg, conf->p_dbg 7028 * EMS: passed to calc_verify (debug + session_negotiate) 7029 * PSA-PSA: conf 7030 */ 7031 MBEDTLS_CHECK_RETURN_CRITICAL 7032 static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, 7033 unsigned char *master, 7034 const mbedtls_ssl_context *ssl) 7035 { 7036 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7037 7038 /* cf. RFC 5246, Section 8.1: 7039 * "The master secret is always exactly 48 bytes in length." */ 7040 size_t const master_secret_len = 48; 7041 7042 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 7043 unsigned char session_hash[48]; 7044 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 7045 7046 /* The label for the KDF used for key expansion. 7047 * This is either "master secret" or "extended master secret" 7048 * depending on whether the Extended Master Secret extension 7049 * is used. */ 7050 char const *lbl = "master secret"; 7051 7052 /* The seed for the KDF used for key expansion. 7053 * - If the Extended Master Secret extension is not used, 7054 * this is ClientHello.Random + ServerHello.Random 7055 * (see Sect. 8.1 in RFC 5246). 7056 * - If the Extended Master Secret extension is used, 7057 * this is the transcript of the handshake so far. 7058 * (see Sect. 4 in RFC 7627). */ 7059 unsigned char const *seed = handshake->randbytes; 7060 size_t seed_len = 64; 7061 7062 #if !defined(MBEDTLS_DEBUG_C) && \ 7063 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \ 7064 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7065 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)) 7066 ssl = NULL; /* make sure we don't use it except for those cases */ 7067 (void) ssl; 7068 #endif 7069 7070 if (handshake->resume != 0) { 7071 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)")); 7072 return 0; 7073 } 7074 7075 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 7076 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) { 7077 lbl = "extended master secret"; 7078 seed = session_hash; 7079 ret = handshake->calc_verify(ssl, session_hash, &seed_len); 7080 if (ret != 0) { 7081 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret); 7082 } 7083 7084 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret", 7085 session_hash, seed_len); 7086 } 7087 #endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */ 7088 7089 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7090 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 7091 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) { 7092 /* Perform PSK-to-MS expansion in a single step. */ 7093 psa_status_t status; 7094 psa_algorithm_t alg; 7095 mbedtls_svc_key_id_t psk; 7096 psa_key_derivation_operation_t derivation = 7097 PSA_KEY_DERIVATION_OPERATION_INIT; 7098 mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac; 7099 7100 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion")); 7101 7102 psk = mbedtls_ssl_get_opaque_psk(ssl); 7103 7104 if (hash_alg == MBEDTLS_MD_SHA384) { 7105 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384); 7106 } else { 7107 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); 7108 } 7109 7110 size_t other_secret_len = 0; 7111 unsigned char *other_secret = NULL; 7112 7113 switch (handshake->ciphersuite_info->key_exchange) { 7114 /* Provide other secret. 7115 * Other secret is stored in premaster, where first 2 bytes hold the 7116 * length of the other key. 7117 */ 7118 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 7119 /* For RSA-PSK other key length is always 48 bytes. */ 7120 other_secret_len = 48; 7121 other_secret = handshake->premaster + 2; 7122 break; 7123 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 7124 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 7125 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0); 7126 other_secret = handshake->premaster + 2; 7127 break; 7128 default: 7129 break; 7130 } 7131 7132 status = setup_psa_key_derivation(&derivation, psk, alg, 7133 ssl->conf->psk, ssl->conf->psk_len, 7134 seed, seed_len, 7135 (unsigned char const *) lbl, 7136 (size_t) strlen(lbl), 7137 other_secret, other_secret_len, 7138 master_secret_len); 7139 if (status != PSA_SUCCESS) { 7140 psa_key_derivation_abort(&derivation); 7141 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7142 } 7143 7144 status = psa_key_derivation_output_bytes(&derivation, 7145 master, 7146 master_secret_len); 7147 if (status != PSA_SUCCESS) { 7148 psa_key_derivation_abort(&derivation); 7149 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7150 } 7151 7152 status = psa_key_derivation_abort(&derivation); 7153 if (status != PSA_SUCCESS) { 7154 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7155 } 7156 } else 7157 #endif 7158 { 7159 #if defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7160 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 7161 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) { 7162 psa_status_t status; 7163 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; 7164 psa_key_derivation_operation_t derivation = 7165 PSA_KEY_DERIVATION_OPERATION_INIT; 7166 7167 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE")); 7168 7169 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE; 7170 7171 status = psa_key_derivation_setup(&derivation, alg); 7172 if (status != PSA_SUCCESS) { 7173 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7174 } 7175 7176 status = psa_key_derivation_set_capacity(&derivation, 7177 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE); 7178 if (status != PSA_SUCCESS) { 7179 psa_key_derivation_abort(&derivation); 7180 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7181 } 7182 7183 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx, 7184 &derivation); 7185 if (status != PSA_SUCCESS) { 7186 psa_key_derivation_abort(&derivation); 7187 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7188 } 7189 7190 status = psa_key_derivation_output_bytes(&derivation, 7191 handshake->premaster, 7192 handshake->pmslen); 7193 if (status != PSA_SUCCESS) { 7194 psa_key_derivation_abort(&derivation); 7195 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7196 } 7197 7198 status = psa_key_derivation_abort(&derivation); 7199 if (status != PSA_SUCCESS) { 7200 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; 7201 } 7202 } 7203 #endif 7204 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen, 7205 lbl, seed, seed_len, 7206 master, 7207 master_secret_len); 7208 if (ret != 0) { 7209 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); 7210 return ret; 7211 } 7212 7213 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret", 7214 handshake->premaster, 7215 handshake->pmslen); 7216 7217 mbedtls_platform_zeroize(handshake->premaster, 7218 sizeof(handshake->premaster)); 7219 } 7220 7221 return 0; 7222 } 7223 7224 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl) 7225 { 7226 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7227 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = 7228 ssl->handshake->ciphersuite_info; 7229 7230 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys")); 7231 7232 /* Set PRF, calc_verify and calc_finished function pointers */ 7233 ret = ssl_set_handshake_prfs(ssl->handshake, 7234 (mbedtls_md_type_t) ciphersuite_info->mac); 7235 if (ret != 0) { 7236 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret); 7237 return ret; 7238 } 7239 7240 /* Compute master secret if needed */ 7241 ret = ssl_compute_master(ssl->handshake, 7242 ssl->session_negotiate->master, 7243 ssl); 7244 if (ret != 0) { 7245 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret); 7246 return ret; 7247 } 7248 7249 /* Swap the client and server random values: 7250 * - MS derivation wanted client+server (RFC 5246 8.1) 7251 * - key derivation wants server+client (RFC 5246 6.3) */ 7252 { 7253 unsigned char tmp[64]; 7254 memcpy(tmp, ssl->handshake->randbytes, 64); 7255 memcpy(ssl->handshake->randbytes, tmp + 32, 32); 7256 memcpy(ssl->handshake->randbytes + 32, tmp, 32); 7257 mbedtls_platform_zeroize(tmp, sizeof(tmp)); 7258 } 7259 7260 /* Populate transform structure */ 7261 ret = ssl_tls12_populate_transform(ssl->transform_negotiate, 7262 ssl->session_negotiate->ciphersuite, 7263 ssl->session_negotiate->master, 7264 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 7265 ssl->session_negotiate->encrypt_then_mac, 7266 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 7267 ssl->handshake->tls_prf, 7268 ssl->handshake->randbytes, 7269 ssl->tls_version, 7270 ssl->conf->endpoint, 7271 ssl); 7272 if (ret != 0) { 7273 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret); 7274 return ret; 7275 } 7276 7277 /* We no longer need Server/ClientHello.random values */ 7278 mbedtls_platform_zeroize(ssl->handshake->randbytes, 7279 sizeof(ssl->handshake->randbytes)); 7280 7281 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys")); 7282 7283 return 0; 7284 } 7285 7286 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md) 7287 { 7288 switch (md) { 7289 #if defined(MBEDTLS_MD_CAN_SHA384) 7290 case MBEDTLS_SSL_HASH_SHA384: 7291 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384; 7292 break; 7293 #endif 7294 #if defined(MBEDTLS_MD_CAN_SHA256) 7295 case MBEDTLS_SSL_HASH_SHA256: 7296 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256; 7297 break; 7298 #endif 7299 default: 7300 return -1; 7301 } 7302 #if !defined(MBEDTLS_MD_CAN_SHA384) && \ 7303 !defined(MBEDTLS_MD_CAN_SHA256) 7304 (void) ssl; 7305 #endif 7306 return 0; 7307 } 7308 7309 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7310 static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl, 7311 const psa_hash_operation_t *hs_op, 7312 size_t buffer_size, 7313 unsigned char *hash, 7314 size_t *hlen) 7315 { 7316 psa_status_t status; 7317 psa_hash_operation_t cloned_op = psa_hash_operation_init(); 7318 7319 #if !defined(MBEDTLS_DEBUG_C) 7320 (void) ssl; 7321 #endif 7322 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify")); 7323 status = psa_hash_clone(hs_op, &cloned_op); 7324 if (status != PSA_SUCCESS) { 7325 goto exit; 7326 } 7327 7328 status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen); 7329 if (status != PSA_SUCCESS) { 7330 goto exit; 7331 } 7332 7333 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen); 7334 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify")); 7335 7336 exit: 7337 psa_hash_abort(&cloned_op); 7338 return mbedtls_md_error_from_psa(status); 7339 } 7340 #else 7341 static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl, 7342 const mbedtls_md_context_t *hs_ctx, 7343 unsigned char *hash, 7344 size_t *hlen) 7345 { 7346 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7347 mbedtls_md_context_t cloned_ctx; 7348 7349 mbedtls_md_init(&cloned_ctx); 7350 7351 #if !defined(MBEDTLS_DEBUG_C) 7352 (void) ssl; 7353 #endif 7354 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify")); 7355 7356 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0); 7357 if (ret != 0) { 7358 goto exit; 7359 } 7360 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx); 7361 if (ret != 0) { 7362 goto exit; 7363 } 7364 7365 ret = mbedtls_md_finish(&cloned_ctx, hash); 7366 if (ret != 0) { 7367 goto exit; 7368 } 7369 7370 *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx)); 7371 7372 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen); 7373 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify")); 7374 7375 exit: 7376 mbedtls_md_free(&cloned_ctx); 7377 return ret; 7378 } 7379 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 7380 7381 #if defined(MBEDTLS_MD_CAN_SHA256) 7382 int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl, 7383 unsigned char *hash, 7384 size_t *hlen) 7385 { 7386 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7387 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32, 7388 hash, hlen); 7389 #else 7390 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256, 7391 hash, hlen); 7392 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 7393 } 7394 #endif /* MBEDTLS_MD_CAN_SHA256 */ 7395 7396 #if defined(MBEDTLS_MD_CAN_SHA384) 7397 int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl, 7398 unsigned char *hash, 7399 size_t *hlen) 7400 { 7401 #if defined(MBEDTLS_USE_PSA_CRYPTO) 7402 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48, 7403 hash, hlen); 7404 #else 7405 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384, 7406 hash, hlen); 7407 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 7408 } 7409 #endif /* MBEDTLS_MD_CAN_SHA384 */ 7410 7411 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 7412 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 7413 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex) 7414 { 7415 unsigned char *p = ssl->handshake->premaster; 7416 unsigned char *end = p + sizeof(ssl->handshake->premaster); 7417 const unsigned char *psk = NULL; 7418 size_t psk_len = 0; 7419 int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len); 7420 7421 if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) { 7422 /* 7423 * This should never happen because the existence of a PSK is always 7424 * checked before calling this function. 7425 * 7426 * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with 7427 * the shared secret without PSK. 7428 */ 7429 if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 7430 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7431 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7432 } 7433 } 7434 7435 /* 7436 * PMS = struct { 7437 * opaque other_secret<0..2^16-1>; 7438 * opaque psk<0..2^16-1>; 7439 * }; 7440 * with "other_secret" depending on the particular key exchange 7441 */ 7442 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) 7443 if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) { 7444 if (end - p < 2) { 7445 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7446 } 7447 7448 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); 7449 p += 2; 7450 7451 if (end < p || (size_t) (end - p) < psk_len) { 7452 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7453 } 7454 7455 memset(p, 0, psk_len); 7456 p += psk_len; 7457 } else 7458 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ 7459 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) 7460 if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 7461 /* 7462 * other_secret already set by the ClientKeyExchange message, 7463 * and is 48 bytes long 7464 */ 7465 if (end - p < 2) { 7466 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7467 } 7468 7469 *p++ = 0; 7470 *p++ = 48; 7471 p += 48; 7472 } else 7473 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ 7474 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) 7475 if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) { 7476 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7477 size_t len; 7478 7479 /* Write length only when we know the actual value */ 7480 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx, 7481 p + 2, (size_t) (end - (p + 2)), &len, 7482 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 7483 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret); 7484 return ret; 7485 } 7486 MBEDTLS_PUT_UINT16_BE(len, p, 0); 7487 p += 2 + len; 7488 7489 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K); 7490 } else 7491 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ 7492 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) 7493 if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { 7494 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7495 size_t zlen; 7496 7497 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen, 7498 p + 2, (size_t) (end - (p + 2)), 7499 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) { 7500 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret); 7501 return ret; 7502 } 7503 7504 MBEDTLS_PUT_UINT16_BE(zlen, p, 0); 7505 p += 2 + zlen; 7506 7507 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx, 7508 MBEDTLS_DEBUG_ECDH_Z); 7509 } else 7510 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ 7511 { 7512 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7513 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7514 } 7515 7516 /* opaque psk<0..2^16-1>; */ 7517 if (end - p < 2) { 7518 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7519 } 7520 7521 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0); 7522 p += 2; 7523 7524 if (end < p || (size_t) (end - p) < psk_len) { 7525 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 7526 } 7527 7528 memcpy(p, psk, psk_len); 7529 p += psk_len; 7530 7531 ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster); 7532 7533 return 0; 7534 } 7535 #endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 7536 7537 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION) 7538 MBEDTLS_CHECK_RETURN_CRITICAL 7539 static int ssl_write_hello_request(mbedtls_ssl_context *ssl); 7540 7541 #if defined(MBEDTLS_SSL_PROTO_DTLS) 7542 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl) 7543 { 7544 /* If renegotiation is not enforced, retransmit until we would reach max 7545 * timeout if we were using the usual handshake doubling scheme */ 7546 if (ssl->conf->renego_max_records < 0) { 7547 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1; 7548 unsigned char doublings = 1; 7549 7550 while (ratio != 0) { 7551 ++doublings; 7552 ratio >>= 1; 7553 } 7554 7555 if (++ssl->renego_records_seen > doublings) { 7556 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request")); 7557 return 0; 7558 } 7559 } 7560 7561 return ssl_write_hello_request(ssl); 7562 } 7563 #endif 7564 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */ 7565 7566 /* 7567 * Handshake functions 7568 */ 7569 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 7570 /* No certificate support -> dummy functions */ 7571 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) 7572 { 7573 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7574 ssl->handshake->ciphersuite_info; 7575 7576 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); 7577 7578 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7579 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 7580 mbedtls_ssl_handshake_increment_state(ssl); 7581 return 0; 7582 } 7583 7584 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7585 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7586 } 7587 7588 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) 7589 { 7590 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7591 ssl->handshake->ciphersuite_info; 7592 7593 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); 7594 7595 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7596 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); 7597 mbedtls_ssl_handshake_increment_state(ssl); 7598 return 0; 7599 } 7600 7601 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 7602 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7603 } 7604 7605 #else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 7606 /* Some certificate support -> implement write and parse */ 7607 7608 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl) 7609 { 7610 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 7611 size_t i, n; 7612 const mbedtls_x509_crt *crt; 7613 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7614 ssl->handshake->ciphersuite_info; 7615 7616 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate")); 7617 7618 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7619 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 7620 mbedtls_ssl_handshake_increment_state(ssl); 7621 return 0; 7622 } 7623 7624 #if defined(MBEDTLS_SSL_CLI_C) 7625 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 7626 if (ssl->handshake->client_auth == 0) { 7627 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate")); 7628 mbedtls_ssl_handshake_increment_state(ssl); 7629 return 0; 7630 } 7631 } 7632 #endif /* MBEDTLS_SSL_CLI_C */ 7633 #if defined(MBEDTLS_SSL_SRV_C) 7634 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 7635 if (mbedtls_ssl_own_cert(ssl) == NULL) { 7636 /* Should never happen because we shouldn't have picked the 7637 * ciphersuite if we don't have a certificate. */ 7638 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 7639 } 7640 } 7641 #endif 7642 7643 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl)); 7644 7645 /* 7646 * 0 . 0 handshake type 7647 * 1 . 3 handshake length 7648 * 4 . 6 length of all certs 7649 * 7 . 9 length of cert. 1 7650 * 10 . n-1 peer certificate 7651 * n . n+2 length of cert. 2 7652 * n+3 . ... upper level cert, etc. 7653 */ 7654 i = 7; 7655 crt = mbedtls_ssl_own_cert(ssl); 7656 7657 while (crt != NULL) { 7658 n = crt->raw.len; 7659 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) { 7660 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET 7661 " > %" MBEDTLS_PRINTF_SIZET, 7662 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN)); 7663 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 7664 } 7665 7666 ssl->out_msg[i] = MBEDTLS_BYTE_2(n); 7667 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n); 7668 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n); 7669 7670 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n); 7671 i += n; crt = crt->next; 7672 } 7673 7674 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7); 7675 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7); 7676 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7); 7677 7678 ssl->out_msglen = i; 7679 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 7680 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE; 7681 7682 mbedtls_ssl_handshake_increment_state(ssl); 7683 7684 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 7685 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 7686 return ret; 7687 } 7688 7689 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate")); 7690 7691 return ret; 7692 } 7693 7694 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7695 7696 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7697 MBEDTLS_CHECK_RETURN_CRITICAL 7698 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, 7699 unsigned char *crt_buf, 7700 size_t crt_buf_len) 7701 { 7702 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert; 7703 7704 if (peer_crt == NULL) { 7705 return -1; 7706 } 7707 7708 if (peer_crt->raw.len != crt_buf_len) { 7709 return -1; 7710 } 7711 7712 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len); 7713 } 7714 #else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7715 MBEDTLS_CHECK_RETURN_CRITICAL 7716 static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl, 7717 unsigned char *crt_buf, 7718 size_t crt_buf_len) 7719 { 7720 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7721 unsigned char const * const peer_cert_digest = 7722 ssl->session->peer_cert_digest; 7723 mbedtls_md_type_t const peer_cert_digest_type = 7724 ssl->session->peer_cert_digest_type; 7725 mbedtls_md_info_t const * const digest_info = 7726 mbedtls_md_info_from_type(peer_cert_digest_type); 7727 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN]; 7728 size_t digest_len; 7729 7730 if (peer_cert_digest == NULL || digest_info == NULL) { 7731 return -1; 7732 } 7733 7734 digest_len = mbedtls_md_get_size(digest_info); 7735 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) { 7736 return -1; 7737 } 7738 7739 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest); 7740 if (ret != 0) { 7741 return -1; 7742 } 7743 7744 return memcmp(tmp_digest, peer_cert_digest, digest_len); 7745 } 7746 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7747 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 7748 7749 /* 7750 * Once the certificate message is read, parse it into a cert chain and 7751 * perform basic checks, but leave actual verification to the caller 7752 */ 7753 MBEDTLS_CHECK_RETURN_CRITICAL 7754 static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl, 7755 mbedtls_x509_crt *chain) 7756 { 7757 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7758 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7759 int crt_cnt = 0; 7760 #endif 7761 size_t i, n; 7762 uint8_t alert; 7763 7764 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 7765 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7766 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7767 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 7768 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 7769 } 7770 7771 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) { 7772 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7773 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 7774 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 7775 } 7776 7777 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) { 7778 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7779 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7780 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7781 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7782 } 7783 7784 i = mbedtls_ssl_hs_hdr_len(ssl); 7785 7786 /* 7787 * Same message structure as in mbedtls_ssl_write_certificate() 7788 */ 7789 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1); 7790 7791 if (ssl->in_msg[i] != 0 || 7792 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) { 7793 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7794 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7795 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7796 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7797 } 7798 7799 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */ 7800 i += 3; 7801 7802 /* Iterate through and parse the CRTs in the provided chain. */ 7803 while (i < ssl->in_hslen) { 7804 /* Check that there's room for the next CRT's length fields. */ 7805 if (i + 3 > ssl->in_hslen) { 7806 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7807 mbedtls_ssl_send_alert_message(ssl, 7808 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7809 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7810 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7811 } 7812 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support 7813 * anything beyond 2**16 ~ 64K. */ 7814 if (ssl->in_msg[i] != 0) { 7815 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7816 mbedtls_ssl_send_alert_message(ssl, 7817 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7818 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT); 7819 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 7820 } 7821 7822 /* Read length of the next CRT in the chain. */ 7823 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1); 7824 i += 3; 7825 7826 if (n < 128 || i + n > ssl->in_hslen) { 7827 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message")); 7828 mbedtls_ssl_send_alert_message(ssl, 7829 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7830 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 7831 return MBEDTLS_ERR_SSL_DECODE_ERROR; 7832 } 7833 7834 /* Check if we're handling the first CRT in the chain. */ 7835 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C) 7836 if (crt_cnt++ == 0 && 7837 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && 7838 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 7839 /* During client-side renegotiation, check that the server's 7840 * end-CRTs hasn't changed compared to the initial handshake, 7841 * mitigating the triple handshake attack. On success, reuse 7842 * the original end-CRT instead of parsing it again. */ 7843 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation")); 7844 if (ssl_check_peer_crt_unchanged(ssl, 7845 &ssl->in_msg[i], 7846 n) != 0) { 7847 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation")); 7848 mbedtls_ssl_send_alert_message(ssl, 7849 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7850 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED); 7851 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 7852 } 7853 7854 /* Now we can safely free the original chain. */ 7855 ssl_clear_peer_cert(ssl->session); 7856 } 7857 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */ 7858 7859 /* Parse the next certificate in the chain. */ 7860 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7861 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n); 7862 #else 7863 /* If we don't need to store the CRT chain permanently, parse 7864 * it in-place from the input buffer instead of making a copy. */ 7865 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n); 7866 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 7867 switch (ret) { 7868 case 0: /*ok*/ 7869 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND: 7870 /* Ignore certificate with an unknown algorithm: maybe a 7871 prior certificate was already trusted. */ 7872 break; 7873 7874 case MBEDTLS_ERR_X509_ALLOC_FAILED: 7875 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR; 7876 goto crt_parse_der_failed; 7877 7878 case MBEDTLS_ERR_X509_UNKNOWN_VERSION: 7879 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 7880 goto crt_parse_der_failed; 7881 7882 default: 7883 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 7884 crt_parse_der_failed: 7885 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert); 7886 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret); 7887 return ret; 7888 } 7889 7890 i += n; 7891 } 7892 7893 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain); 7894 return 0; 7895 } 7896 7897 #if defined(MBEDTLS_SSL_SRV_C) 7898 MBEDTLS_CHECK_RETURN_CRITICAL 7899 static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl) 7900 { 7901 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 7902 return -1; 7903 } 7904 7905 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) && 7906 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE && 7907 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE && 7908 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) { 7909 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate")); 7910 return 0; 7911 } 7912 return -1; 7913 } 7914 #endif /* MBEDTLS_SSL_SRV_C */ 7915 7916 /* Check if a certificate message is expected. 7917 * Return either 7918 * - SSL_CERTIFICATE_EXPECTED, or 7919 * - SSL_CERTIFICATE_SKIP 7920 * indicating whether a Certificate message is expected or not. 7921 */ 7922 #define SSL_CERTIFICATE_EXPECTED 0 7923 #define SSL_CERTIFICATE_SKIP 1 7924 MBEDTLS_CHECK_RETURN_CRITICAL 7925 static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl, 7926 int authmode) 7927 { 7928 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = 7929 ssl->handshake->ciphersuite_info; 7930 7931 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) { 7932 return SSL_CERTIFICATE_SKIP; 7933 } 7934 7935 #if defined(MBEDTLS_SSL_SRV_C) 7936 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 7937 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) { 7938 return SSL_CERTIFICATE_SKIP; 7939 } 7940 7941 if (authmode == MBEDTLS_SSL_VERIFY_NONE) { 7942 ssl->session_negotiate->verify_result = 7943 MBEDTLS_X509_BADCERT_SKIP_VERIFY; 7944 return SSL_CERTIFICATE_SKIP; 7945 } 7946 } 7947 #else 7948 ((void) authmode); 7949 #endif /* MBEDTLS_SSL_SRV_C */ 7950 7951 return SSL_CERTIFICATE_EXPECTED; 7952 } 7953 7954 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 7955 MBEDTLS_CHECK_RETURN_CRITICAL 7956 static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl, 7957 unsigned char *start, size_t len) 7958 { 7959 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7960 /* Remember digest of the peer's end-CRT. */ 7961 ssl->session_negotiate->peer_cert_digest = 7962 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN); 7963 if (ssl->session_negotiate->peer_cert_digest == NULL) { 7964 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed", 7965 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN)); 7966 mbedtls_ssl_send_alert_message(ssl, 7967 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 7968 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 7969 7970 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 7971 } 7972 7973 ret = mbedtls_md(mbedtls_md_info_from_type( 7974 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE), 7975 start, len, 7976 ssl->session_negotiate->peer_cert_digest); 7977 7978 ssl->session_negotiate->peer_cert_digest_type = 7979 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE; 7980 ssl->session_negotiate->peer_cert_digest_len = 7981 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN; 7982 7983 return ret; 7984 } 7985 7986 MBEDTLS_CHECK_RETURN_CRITICAL 7987 static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl, 7988 unsigned char *start, size_t len) 7989 { 7990 unsigned char *end = start + len; 7991 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 7992 7993 /* Make a copy of the peer's raw public key. */ 7994 mbedtls_pk_init(&ssl->handshake->peer_pubkey); 7995 ret = mbedtls_pk_parse_subpubkey(&start, end, 7996 &ssl->handshake->peer_pubkey); 7997 if (ret != 0) { 7998 /* We should have parsed the public key before. */ 7999 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8000 } 8001 8002 return 0; 8003 } 8004 #endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 8005 8006 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl) 8007 { 8008 int ret = 0; 8009 int crt_expected; 8010 /* Authmode: precedence order is SNI if used else configuration */ 8011 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 8012 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET 8013 ? ssl->handshake->sni_authmode 8014 : ssl->conf->authmode; 8015 #else 8016 const int authmode = ssl->conf->authmode; 8017 #endif 8018 void *rs_ctx = NULL; 8019 mbedtls_x509_crt *chain = NULL; 8020 8021 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate")); 8022 8023 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode); 8024 if (crt_expected == SSL_CERTIFICATE_SKIP) { 8025 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate")); 8026 goto exit; 8027 } 8028 8029 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 8030 if (ssl->handshake->ecrs_enabled && 8031 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) { 8032 chain = ssl->handshake->ecrs_peer_cert; 8033 ssl->handshake->ecrs_peer_cert = NULL; 8034 goto crt_verify; 8035 } 8036 #endif 8037 8038 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 8039 /* mbedtls_ssl_read_record may have sent an alert already. We 8040 let it decide whether to alert. */ 8041 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 8042 goto exit; 8043 } 8044 8045 #if defined(MBEDTLS_SSL_SRV_C) 8046 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) { 8047 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; 8048 8049 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) { 8050 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE; 8051 } 8052 8053 goto exit; 8054 } 8055 #endif /* MBEDTLS_SSL_SRV_C */ 8056 8057 /* Clear existing peer CRT structure in case we tried to 8058 * reuse a session but it failed, and allocate a new one. */ 8059 ssl_clear_peer_cert(ssl->session_negotiate); 8060 8061 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt)); 8062 if (chain == NULL) { 8063 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", 8064 sizeof(mbedtls_x509_crt))); 8065 mbedtls_ssl_send_alert_message(ssl, 8066 MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8067 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 8068 8069 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED; 8070 goto exit; 8071 } 8072 mbedtls_x509_crt_init(chain); 8073 8074 ret = ssl_parse_certificate_chain(ssl, chain); 8075 if (ret != 0) { 8076 goto exit; 8077 } 8078 8079 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 8080 if (ssl->handshake->ecrs_enabled) { 8081 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify; 8082 } 8083 8084 crt_verify: 8085 if (ssl->handshake->ecrs_enabled) { 8086 rs_ctx = &ssl->handshake->ecrs_ctx; 8087 } 8088 #endif 8089 8090 ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain, 8091 ssl->handshake->ciphersuite_info, 8092 rs_ctx); 8093 if (ret != 0) { 8094 goto exit; 8095 } 8096 8097 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 8098 { 8099 unsigned char *crt_start, *pk_start; 8100 size_t crt_len, pk_len; 8101 8102 /* We parse the CRT chain without copying, so 8103 * these pointers point into the input buffer, 8104 * and are hence still valid after freeing the 8105 * CRT chain. */ 8106 8107 crt_start = chain->raw.p; 8108 crt_len = chain->raw.len; 8109 8110 pk_start = chain->pk_raw.p; 8111 pk_len = chain->pk_raw.len; 8112 8113 /* Free the CRT structures before computing 8114 * digest and copying the peer's public key. */ 8115 mbedtls_x509_crt_free(chain); 8116 mbedtls_free(chain); 8117 chain = NULL; 8118 8119 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len); 8120 if (ret != 0) { 8121 goto exit; 8122 } 8123 8124 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len); 8125 if (ret != 0) { 8126 goto exit; 8127 } 8128 } 8129 #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 8130 /* Pass ownership to session structure. */ 8131 ssl->session_negotiate->peer_cert = chain; 8132 chain = NULL; 8133 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 8134 8135 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate")); 8136 8137 exit: 8138 8139 if (ret == 0) { 8140 mbedtls_ssl_handshake_increment_state(ssl); 8141 } 8142 8143 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 8144 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) { 8145 ssl->handshake->ecrs_peer_cert = chain; 8146 chain = NULL; 8147 } 8148 #endif 8149 8150 if (chain != NULL) { 8151 mbedtls_x509_crt_free(chain); 8152 mbedtls_free(chain); 8153 } 8154 8155 return ret; 8156 } 8157 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 8158 8159 static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx, 8160 unsigned char *padbuf, size_t hlen, 8161 unsigned char *buf, int from) 8162 { 8163 unsigned int len = 12; 8164 const char *sender; 8165 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8166 psa_status_t status; 8167 psa_hash_operation_t *hs_op = ctx; 8168 psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT; 8169 size_t hash_size; 8170 #else 8171 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 8172 mbedtls_md_context_t *hs_ctx = ctx; 8173 mbedtls_md_context_t cloned_ctx; 8174 mbedtls_md_init(&cloned_ctx); 8175 #endif 8176 8177 mbedtls_ssl_session *session = ssl->session_negotiate; 8178 if (!session) { 8179 session = ssl->session; 8180 } 8181 8182 sender = (from == MBEDTLS_SSL_IS_CLIENT) 8183 ? "client finished" 8184 : "server finished"; 8185 8186 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8187 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls")); 8188 8189 status = psa_hash_clone(hs_op, &cloned_op); 8190 if (status != PSA_SUCCESS) { 8191 goto exit; 8192 } 8193 8194 status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size); 8195 if (status != PSA_SUCCESS) { 8196 goto exit; 8197 } 8198 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen); 8199 #else 8200 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls")); 8201 8202 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0); 8203 if (ret != 0) { 8204 goto exit; 8205 } 8206 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx); 8207 if (ret != 0) { 8208 goto exit; 8209 } 8210 8211 ret = mbedtls_md_finish(&cloned_ctx, padbuf); 8212 if (ret != 0) { 8213 goto exit; 8214 } 8215 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8216 8217 MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen); 8218 8219 /* 8220 * TLSv1.2: 8221 * hash = PRF( master, finished_label, 8222 * Hash( handshake ) )[0.11] 8223 */ 8224 ssl->handshake->tls_prf(session->master, 48, sender, 8225 padbuf, hlen, buf, len); 8226 8227 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len); 8228 8229 mbedtls_platform_zeroize(padbuf, hlen); 8230 8231 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished")); 8232 8233 exit: 8234 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8235 psa_hash_abort(&cloned_op); 8236 return mbedtls_md_error_from_psa(status); 8237 #else 8238 mbedtls_md_free(&cloned_ctx); 8239 return ret; 8240 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8241 } 8242 8243 #if defined(MBEDTLS_MD_CAN_SHA256) 8244 static int ssl_calc_finished_tls_sha256( 8245 mbedtls_ssl_context *ssl, unsigned char *buf, int from) 8246 { 8247 unsigned char padbuf[32]; 8248 return ssl_calc_finished_tls_generic(ssl, 8249 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8250 &ssl->handshake->fin_sha256_psa, 8251 #else 8252 &ssl->handshake->fin_sha256, 8253 #endif 8254 padbuf, sizeof(padbuf), 8255 buf, from); 8256 } 8257 #endif /* MBEDTLS_MD_CAN_SHA256*/ 8258 8259 8260 #if defined(MBEDTLS_MD_CAN_SHA384) 8261 static int ssl_calc_finished_tls_sha384( 8262 mbedtls_ssl_context *ssl, unsigned char *buf, int from) 8263 { 8264 unsigned char padbuf[48]; 8265 return ssl_calc_finished_tls_generic(ssl, 8266 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8267 &ssl->handshake->fin_sha384_psa, 8268 #else 8269 &ssl->handshake->fin_sha384, 8270 #endif 8271 padbuf, sizeof(padbuf), 8272 buf, from); 8273 } 8274 #endif /* MBEDTLS_MD_CAN_SHA384*/ 8275 8276 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl) 8277 { 8278 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free")); 8279 8280 /* 8281 * Free our handshake params 8282 */ 8283 mbedtls_ssl_handshake_free(ssl); 8284 mbedtls_free(ssl->handshake); 8285 ssl->handshake = NULL; 8286 8287 /* 8288 * Free the previous transform and switch in the current one 8289 */ 8290 if (ssl->transform) { 8291 mbedtls_ssl_transform_free(ssl->transform); 8292 mbedtls_free(ssl->transform); 8293 } 8294 ssl->transform = ssl->transform_negotiate; 8295 ssl->transform_negotiate = NULL; 8296 8297 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free")); 8298 } 8299 8300 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl) 8301 { 8302 int resume = ssl->handshake->resume; 8303 8304 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup")); 8305 8306 #if defined(MBEDTLS_SSL_RENEGOTIATION) 8307 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) { 8308 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE; 8309 ssl->renego_records_seen = 0; 8310 } 8311 #endif 8312 8313 /* 8314 * Free the previous session and switch in the current one 8315 */ 8316 if (ssl->session) { 8317 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 8318 /* RFC 7366 3.1: keep the EtM state */ 8319 ssl->session_negotiate->encrypt_then_mac = 8320 ssl->session->encrypt_then_mac; 8321 #endif 8322 8323 mbedtls_ssl_session_free(ssl->session); 8324 mbedtls_free(ssl->session); 8325 } 8326 ssl->session = ssl->session_negotiate; 8327 ssl->session_negotiate = NULL; 8328 8329 /* 8330 * Add cache entry 8331 */ 8332 if (ssl->conf->f_set_cache != NULL && 8333 ssl->session->id_len != 0 && 8334 resume == 0) { 8335 if (ssl->conf->f_set_cache(ssl->conf->p_cache, 8336 ssl->session->id, 8337 ssl->session->id_len, 8338 ssl->session) != 0) { 8339 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session")); 8340 } 8341 } 8342 8343 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8344 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 8345 ssl->handshake->flight != NULL) { 8346 /* Cancel handshake timer */ 8347 mbedtls_ssl_set_timer(ssl, 0); 8348 8349 /* Keep last flight around in case we need to resend it: 8350 * we need the handshake and transform structures for that */ 8351 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform")); 8352 } else 8353 #endif 8354 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl); 8355 8356 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER); 8357 8358 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup")); 8359 } 8360 8361 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl) 8362 { 8363 int ret; 8364 unsigned int hash_len; 8365 8366 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished")); 8367 8368 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate); 8369 8370 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint); 8371 if (ret != 0) { 8372 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); 8373 return ret; 8374 } 8375 8376 /* 8377 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites 8378 * may define some other value. Currently (early 2016), no defined 8379 * ciphersuite does this (and this is unlikely to change as activity has 8380 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here. 8381 */ 8382 hash_len = 12; 8383 8384 #if defined(MBEDTLS_SSL_RENEGOTIATION) 8385 ssl->verify_data_len = hash_len; 8386 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len); 8387 #endif 8388 8389 ssl->out_msglen = 4 + hash_len; 8390 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; 8391 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED; 8392 8393 /* 8394 * In case of session resuming, invert the client and server 8395 * ChangeCipherSpec messages order. 8396 */ 8397 if (ssl->handshake->resume != 0) { 8398 #if defined(MBEDTLS_SSL_CLI_C) 8399 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 8400 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP); 8401 } 8402 #endif 8403 #if defined(MBEDTLS_SSL_SRV_C) 8404 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 8405 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC); 8406 } 8407 #endif 8408 } else { 8409 mbedtls_ssl_handshake_increment_state(ssl); 8410 } 8411 8412 /* 8413 * Switch to our negotiated transform and session parameters for outbound 8414 * data. 8415 */ 8416 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data")); 8417 8418 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8419 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8420 unsigned char i; 8421 8422 /* Remember current epoch settings for resending */ 8423 ssl->handshake->alt_transform_out = ssl->transform_out; 8424 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8425 sizeof(ssl->handshake->alt_out_ctr)); 8426 8427 /* Set sequence_number to zero */ 8428 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2); 8429 8430 8431 /* Increment epoch */ 8432 for (i = 2; i > 0; i--) { 8433 if (++ssl->cur_out_ctr[i - 1] != 0) { 8434 break; 8435 } 8436 } 8437 8438 /* The loop goes to its end iff the counter is wrapping */ 8439 if (i == 0) { 8440 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap")); 8441 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING; 8442 } 8443 } else 8444 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 8445 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr)); 8446 8447 ssl->transform_out = ssl->transform_negotiate; 8448 ssl->session_out = ssl->session_negotiate; 8449 8450 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8451 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8452 mbedtls_ssl_send_flight_completed(ssl); 8453 } 8454 #endif 8455 8456 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) { 8457 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret); 8458 return ret; 8459 } 8460 8461 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8462 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && 8463 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) { 8464 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret); 8465 return ret; 8466 } 8467 #endif 8468 8469 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished")); 8470 8471 return 0; 8472 } 8473 8474 #define SSL_MAX_HASH_LEN 12 8475 8476 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl) 8477 { 8478 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 8479 unsigned int hash_len = 12; 8480 unsigned char buf[SSL_MAX_HASH_LEN]; 8481 8482 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished")); 8483 8484 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1); 8485 if (ret != 0) { 8486 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret); 8487 return ret; 8488 } 8489 8490 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) { 8491 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret); 8492 goto exit; 8493 } 8494 8495 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { 8496 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8497 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8498 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 8499 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 8500 goto exit; 8501 } 8502 8503 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) { 8504 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8505 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE); 8506 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; 8507 goto exit; 8508 } 8509 8510 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) { 8511 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8512 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8513 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR); 8514 ret = MBEDTLS_ERR_SSL_DECODE_ERROR; 8515 goto exit; 8516 } 8517 8518 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), 8519 buf, hash_len) != 0) { 8520 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message")); 8521 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 8522 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR); 8523 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 8524 goto exit; 8525 } 8526 8527 #if defined(MBEDTLS_SSL_RENEGOTIATION) 8528 ssl->verify_data_len = hash_len; 8529 memcpy(ssl->peer_verify_data, buf, hash_len); 8530 #endif 8531 8532 if (ssl->handshake->resume != 0) { 8533 #if defined(MBEDTLS_SSL_CLI_C) 8534 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) { 8535 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC); 8536 } 8537 #endif 8538 #if defined(MBEDTLS_SSL_SRV_C) 8539 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { 8540 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP); 8541 } 8542 #endif 8543 } else { 8544 mbedtls_ssl_handshake_increment_state(ssl); 8545 } 8546 8547 #if defined(MBEDTLS_SSL_PROTO_DTLS) 8548 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 8549 mbedtls_ssl_recv_flight_completed(ssl); 8550 } 8551 #endif 8552 8553 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished")); 8554 8555 exit: 8556 mbedtls_platform_zeroize(buf, hash_len); 8557 return ret; 8558 } 8559 8560 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 8561 /* 8562 * Helper to get TLS 1.2 PRF from ciphersuite 8563 * (Duplicates bits of logic from ssl_set_handshake_prfs().) 8564 */ 8565 static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id) 8566 { 8567 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = 8568 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id); 8569 #if defined(MBEDTLS_MD_CAN_SHA384) 8570 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) { 8571 return tls_prf_sha384; 8572 } else 8573 #endif 8574 #if defined(MBEDTLS_MD_CAN_SHA256) 8575 { 8576 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) { 8577 return tls_prf_sha256; 8578 } 8579 } 8580 #endif 8581 #if !defined(MBEDTLS_MD_CAN_SHA384) && \ 8582 !defined(MBEDTLS_MD_CAN_SHA256) 8583 (void) ciphersuite_info; 8584 #endif 8585 8586 return NULL; 8587 } 8588 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 8589 8590 static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf) 8591 { 8592 ((void) tls_prf); 8593 #if defined(MBEDTLS_MD_CAN_SHA384) 8594 if (tls_prf == tls_prf_sha384) { 8595 return MBEDTLS_SSL_TLS_PRF_SHA384; 8596 } else 8597 #endif 8598 #if defined(MBEDTLS_MD_CAN_SHA256) 8599 if (tls_prf == tls_prf_sha256) { 8600 return MBEDTLS_SSL_TLS_PRF_SHA256; 8601 } else 8602 #endif 8603 return MBEDTLS_SSL_TLS_PRF_NONE; 8604 } 8605 8606 /* 8607 * Populate a transform structure with session keys and all the other 8608 * necessary information. 8609 * 8610 * Parameters: 8611 * - [in/out]: transform: structure to populate 8612 * [in] must be just initialised with mbedtls_ssl_transform_init() 8613 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf() 8614 * - [in] ciphersuite 8615 * - [in] master 8616 * - [in] encrypt_then_mac 8617 * - [in] tls_prf: pointer to PRF to use for key derivation 8618 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random 8619 * - [in] tls_version: TLS version 8620 * - [in] endpoint: client or server 8621 * - [in] ssl: used for: 8622 * - ssl->conf->{f,p}_export_keys 8623 * [in] optionally used for: 8624 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg 8625 */ 8626 MBEDTLS_CHECK_RETURN_CRITICAL 8627 static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform, 8628 int ciphersuite, 8629 const unsigned char master[48], 8630 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8631 int encrypt_then_mac, 8632 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8633 ssl_tls_prf_t tls_prf, 8634 const unsigned char randbytes[64], 8635 mbedtls_ssl_protocol_version tls_version, 8636 unsigned endpoint, 8637 const mbedtls_ssl_context *ssl) 8638 { 8639 int ret = 0; 8640 unsigned char keyblk[256]; 8641 unsigned char *key1; 8642 unsigned char *key2; 8643 unsigned char *mac_enc; 8644 unsigned char *mac_dec; 8645 size_t mac_key_len = 0; 8646 size_t iv_copy_len; 8647 size_t keylen; 8648 const mbedtls_ssl_ciphersuite_t *ciphersuite_info; 8649 mbedtls_ssl_mode_t ssl_mode; 8650 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 8651 const mbedtls_cipher_info_t *cipher_info; 8652 const mbedtls_md_info_t *md_info; 8653 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 8654 8655 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8656 psa_key_type_t key_type; 8657 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; 8658 psa_algorithm_t alg; 8659 psa_algorithm_t mac_alg = 0; 8660 size_t key_bits; 8661 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; 8662 #endif 8663 8664 /* 8665 * Some data just needs copying into the structure 8666 */ 8667 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8668 transform->encrypt_then_mac = encrypt_then_mac; 8669 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8670 transform->tls_version = tls_version; 8671 8672 #if defined(MBEDTLS_SSL_KEEP_RANDBYTES) 8673 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes)); 8674 #endif 8675 8676 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 8677 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 8678 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform 8679 * generation separate. This should never happen. */ 8680 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8681 } 8682 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 8683 8684 /* 8685 * Get various info structures 8686 */ 8687 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite); 8688 if (ciphersuite_info == NULL) { 8689 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found", 8690 ciphersuite)); 8691 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8692 } 8693 8694 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite( 8695 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 8696 encrypt_then_mac, 8697 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 8698 ciphersuite_info); 8699 8700 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { 8701 transform->taglen = 8702 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; 8703 } 8704 8705 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8706 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher, 8707 transform->taglen, 8708 &alg, 8709 &key_type, 8710 &key_bits)) != PSA_SUCCESS) { 8711 ret = PSA_TO_MBEDTLS_ERR(status); 8712 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret); 8713 goto end; 8714 } 8715 #else 8716 cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher); 8717 if (cipher_info == NULL) { 8718 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found", 8719 ciphersuite_info->cipher)); 8720 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8721 } 8722 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8723 8724 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8725 mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac); 8726 if (mac_alg == 0) { 8727 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found", 8728 (unsigned) ciphersuite_info->mac)); 8729 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8730 } 8731 #else 8732 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac); 8733 if (md_info == NULL) { 8734 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found", 8735 (unsigned) ciphersuite_info->mac)); 8736 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 8737 } 8738 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8739 8740 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 8741 /* Copy own and peer's CID if the use of the CID 8742 * extension has been negotiated. */ 8743 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) { 8744 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform")); 8745 8746 transform->in_cid_len = ssl->own_cid_len; 8747 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len); 8748 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid, 8749 transform->in_cid_len); 8750 8751 transform->out_cid_len = ssl->handshake->peer_cid_len; 8752 memcpy(transform->out_cid, ssl->handshake->peer_cid, 8753 ssl->handshake->peer_cid_len); 8754 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid, 8755 transform->out_cid_len); 8756 } 8757 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 8758 8759 /* 8760 * Compute key block using the PRF 8761 */ 8762 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256); 8763 if (ret != 0) { 8764 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret); 8765 return ret; 8766 } 8767 8768 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s", 8769 mbedtls_ssl_get_ciphersuite_name(ciphersuite))); 8770 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48); 8771 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64); 8772 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256); 8773 8774 /* 8775 * Determine the appropriate key, IV and MAC length. 8776 */ 8777 8778 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8779 keylen = PSA_BITS_TO_BYTES(key_bits); 8780 #else 8781 keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8; 8782 #endif 8783 8784 #if defined(MBEDTLS_SSL_HAVE_AEAD) 8785 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) { 8786 size_t explicit_ivlen; 8787 8788 transform->maclen = 0; 8789 mac_key_len = 0; 8790 8791 /* All modes haves 96-bit IVs, but the length of the static parts vary 8792 * with mode and version: 8793 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes 8794 * (to be concatenated with a dynamically chosen IV of 8 Bytes) 8795 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's 8796 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record 8797 * sequence number). 8798 */ 8799 transform->ivlen = 12; 8800 8801 int is_chachapoly = 0; 8802 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8803 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20); 8804 #else 8805 is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info) 8806 == MBEDTLS_MODE_CHACHAPOLY); 8807 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8808 8809 if (is_chachapoly) { 8810 transform->fixed_ivlen = 12; 8811 } else { 8812 transform->fixed_ivlen = 4; 8813 } 8814 8815 /* Minimum length of encrypted record */ 8816 explicit_ivlen = transform->ivlen - transform->fixed_ivlen; 8817 transform->minlen = explicit_ivlen + transform->taglen; 8818 } else 8819 #endif /* MBEDTLS_SSL_HAVE_AEAD */ 8820 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 8821 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM || 8822 ssl_mode == MBEDTLS_SSL_MODE_CBC || 8823 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { 8824 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8825 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type); 8826 #else 8827 size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info); 8828 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8829 8830 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8831 /* Get MAC length */ 8832 mac_key_len = PSA_HASH_LENGTH(mac_alg); 8833 #else 8834 /* Initialize HMAC contexts */ 8835 if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 || 8836 (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) { 8837 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); 8838 goto end; 8839 } 8840 8841 /* Get MAC length */ 8842 mac_key_len = mbedtls_md_get_size(md_info); 8843 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8844 transform->maclen = mac_key_len; 8845 8846 /* IV length */ 8847 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8848 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg); 8849 #else 8850 transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info); 8851 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 8852 8853 /* Minimum length */ 8854 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) { 8855 transform->minlen = transform->maclen; 8856 } else { 8857 /* 8858 * GenericBlockCipher: 8859 * 1. if EtM is in use: one block plus MAC 8860 * otherwise: * first multiple of blocklen greater than maclen 8861 * 2. IV 8862 */ 8863 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 8864 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) { 8865 transform->minlen = transform->maclen 8866 + block_size; 8867 } else 8868 #endif 8869 { 8870 transform->minlen = transform->maclen 8871 + block_size 8872 - transform->maclen % block_size; 8873 } 8874 8875 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 8876 transform->minlen += transform->ivlen; 8877 } else { 8878 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 8879 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8880 goto end; 8881 } 8882 } 8883 } else 8884 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 8885 { 8886 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 8887 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8888 } 8889 8890 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u", 8891 (unsigned) keylen, 8892 (unsigned) transform->minlen, 8893 (unsigned) transform->ivlen, 8894 (unsigned) transform->maclen)); 8895 8896 /* 8897 * Finally setup the cipher contexts, IVs and MAC secrets. 8898 */ 8899 #if defined(MBEDTLS_SSL_CLI_C) 8900 if (endpoint == MBEDTLS_SSL_IS_CLIENT) { 8901 key1 = keyblk + mac_key_len * 2; 8902 key2 = keyblk + mac_key_len * 2 + keylen; 8903 8904 mac_enc = keyblk; 8905 mac_dec = keyblk + mac_key_len; 8906 8907 iv_copy_len = (transform->fixed_ivlen) ? 8908 transform->fixed_ivlen : transform->ivlen; 8909 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len); 8910 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len, 8911 iv_copy_len); 8912 } else 8913 #endif /* MBEDTLS_SSL_CLI_C */ 8914 #if defined(MBEDTLS_SSL_SRV_C) 8915 if (endpoint == MBEDTLS_SSL_IS_SERVER) { 8916 key1 = keyblk + mac_key_len * 2 + keylen; 8917 key2 = keyblk + mac_key_len * 2; 8918 8919 mac_enc = keyblk + mac_key_len; 8920 mac_dec = keyblk; 8921 8922 iv_copy_len = (transform->fixed_ivlen) ? 8923 transform->fixed_ivlen : transform->ivlen; 8924 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len); 8925 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len, 8926 iv_copy_len); 8927 } else 8928 #endif /* MBEDTLS_SSL_SRV_C */ 8929 { 8930 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); 8931 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; 8932 goto end; 8933 } 8934 8935 if (ssl->f_export_keys != NULL) { 8936 ssl->f_export_keys(ssl->p_export_keys, 8937 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET, 8938 master, 48, 8939 randbytes + 32, 8940 randbytes, 8941 tls_prf_get_type(tls_prf)); 8942 } 8943 8944 #if defined(MBEDTLS_USE_PSA_CRYPTO) 8945 transform->psa_alg = alg; 8946 8947 if (alg != MBEDTLS_SSL_NULL_CIPHER) { 8948 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT); 8949 psa_set_key_algorithm(&attributes, alg); 8950 psa_set_key_type(&attributes, key_type); 8951 8952 if ((status = psa_import_key(&attributes, 8953 key1, 8954 PSA_BITS_TO_BYTES(key_bits), 8955 &transform->psa_key_enc)) != PSA_SUCCESS) { 8956 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status); 8957 ret = PSA_TO_MBEDTLS_ERR(status); 8958 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); 8959 goto end; 8960 } 8961 8962 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT); 8963 8964 if ((status = psa_import_key(&attributes, 8965 key2, 8966 PSA_BITS_TO_BYTES(key_bits), 8967 &transform->psa_key_dec)) != PSA_SUCCESS) { 8968 ret = PSA_TO_MBEDTLS_ERR(status); 8969 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret); 8970 goto end; 8971 } 8972 } 8973 #else 8974 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc, 8975 cipher_info)) != 0) { 8976 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); 8977 goto end; 8978 } 8979 8980 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec, 8981 cipher_info)) != 0) { 8982 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret); 8983 goto end; 8984 } 8985 8986 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1, 8987 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), 8988 MBEDTLS_ENCRYPT)) != 0) { 8989 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); 8990 goto end; 8991 } 8992 8993 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2, 8994 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info), 8995 MBEDTLS_DECRYPT)) != 0) { 8996 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret); 8997 goto end; 8998 } 8999 9000 #if defined(MBEDTLS_CIPHER_MODE_CBC) 9001 if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) { 9002 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc, 9003 MBEDTLS_PADDING_NONE)) != 0) { 9004 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); 9005 goto end; 9006 } 9007 9008 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec, 9009 MBEDTLS_PADDING_NONE)) != 0) { 9010 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret); 9011 goto end; 9012 } 9013 } 9014 #endif /* MBEDTLS_CIPHER_MODE_CBC */ 9015 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 9016 9017 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 9018 /* For HMAC-based ciphersuites, initialize the HMAC transforms. 9019 For AEAD-based ciphersuites, there is nothing to do here. */ 9020 if (mac_key_len != 0) { 9021 #if defined(MBEDTLS_USE_PSA_CRYPTO) 9022 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg); 9023 9024 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE); 9025 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg)); 9026 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); 9027 9028 if ((status = psa_import_key(&attributes, 9029 mac_enc, mac_key_len, 9030 &transform->psa_mac_enc)) != PSA_SUCCESS) { 9031 ret = PSA_TO_MBEDTLS_ERR(status); 9032 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); 9033 goto end; 9034 } 9035 9036 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) || 9037 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING) 9038 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 9039 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED) 9040 #endif 9041 )) { 9042 /* mbedtls_ct_hmac() requires the key to be exportable */ 9043 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT | 9044 PSA_KEY_USAGE_VERIFY_HASH); 9045 } else { 9046 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH); 9047 } 9048 9049 if ((status = psa_import_key(&attributes, 9050 mac_dec, mac_key_len, 9051 &transform->psa_mac_dec)) != PSA_SUCCESS) { 9052 ret = PSA_TO_MBEDTLS_ERR(status); 9053 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret); 9054 goto end; 9055 } 9056 #else 9057 ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len); 9058 if (ret != 0) { 9059 goto end; 9060 } 9061 ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len); 9062 if (ret != 0) { 9063 goto end; 9064 } 9065 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 9066 } 9067 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 9068 9069 ((void) mac_dec); 9070 ((void) mac_enc); 9071 9072 end: 9073 mbedtls_platform_zeroize(keyblk, sizeof(keyblk)); 9074 return ret; 9075 } 9076 9077 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 9078 defined(MBEDTLS_USE_PSA_CRYPTO) 9079 int mbedtls_psa_ecjpake_read_round( 9080 psa_pake_operation_t *pake_ctx, 9081 const unsigned char *buf, 9082 size_t len, mbedtls_ecjpake_rounds_t round) 9083 { 9084 psa_status_t status; 9085 size_t input_offset = 0; 9086 /* 9087 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice 9088 * At round two perform a single cycle 9089 */ 9090 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; 9091 9092 for (; remaining_steps > 0; remaining_steps--) { 9093 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; 9094 step <= PSA_PAKE_STEP_ZK_PROOF; 9095 ++step) { 9096 /* Length is stored at the first byte */ 9097 size_t length = buf[input_offset]; 9098 input_offset += 1; 9099 9100 if (input_offset + length > len) { 9101 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 9102 } 9103 9104 status = psa_pake_input(pake_ctx, step, 9105 buf + input_offset, length); 9106 if (status != PSA_SUCCESS) { 9107 return PSA_TO_MBEDTLS_ERR(status); 9108 } 9109 9110 input_offset += length; 9111 } 9112 } 9113 9114 if (input_offset != len) { 9115 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 9116 } 9117 9118 return 0; 9119 } 9120 9121 int mbedtls_psa_ecjpake_write_round( 9122 psa_pake_operation_t *pake_ctx, 9123 unsigned char *buf, 9124 size_t len, size_t *olen, 9125 mbedtls_ecjpake_rounds_t round) 9126 { 9127 psa_status_t status; 9128 size_t output_offset = 0; 9129 size_t output_len; 9130 /* 9131 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice 9132 * At round two perform a single cycle 9133 */ 9134 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; 9135 9136 for (; remaining_steps > 0; remaining_steps--) { 9137 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; 9138 step <= PSA_PAKE_STEP_ZK_PROOF; 9139 ++step) { 9140 /* 9141 * For each step, prepend 1 byte with the length of the data as 9142 * given by psa_pake_output(). 9143 */ 9144 status = psa_pake_output(pake_ctx, step, 9145 buf + output_offset + 1, 9146 len - output_offset - 1, 9147 &output_len); 9148 if (status != PSA_SUCCESS) { 9149 return PSA_TO_MBEDTLS_ERR(status); 9150 } 9151 9152 *(buf + output_offset) = (uint8_t) output_len; 9153 9154 output_offset += output_len + 1; 9155 } 9156 } 9157 9158 *olen = output_offset; 9159 9160 return 0; 9161 } 9162 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO 9163 9164 #if defined(MBEDTLS_USE_PSA_CRYPTO) 9165 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 9166 unsigned char *hash, size_t *hashlen, 9167 unsigned char *data, size_t data_len, 9168 mbedtls_md_type_t md_alg) 9169 { 9170 psa_status_t status; 9171 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT; 9172 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg); 9173 9174 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange")); 9175 9176 if ((status = psa_hash_setup(&hash_operation, 9177 hash_alg)) != PSA_SUCCESS) { 9178 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status); 9179 goto exit; 9180 } 9181 9182 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes, 9183 64)) != PSA_SUCCESS) { 9184 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); 9185 goto exit; 9186 } 9187 9188 if ((status = psa_hash_update(&hash_operation, 9189 data, data_len)) != PSA_SUCCESS) { 9190 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status); 9191 goto exit; 9192 } 9193 9194 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE, 9195 hashlen)) != PSA_SUCCESS) { 9196 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status); 9197 goto exit; 9198 } 9199 9200 exit: 9201 if (status != PSA_SUCCESS) { 9202 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 9203 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 9204 switch (status) { 9205 case PSA_ERROR_NOT_SUPPORTED: 9206 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE; 9207 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */ 9208 case PSA_ERROR_BUFFER_TOO_SMALL: 9209 return MBEDTLS_ERR_MD_BAD_INPUT_DATA; 9210 case PSA_ERROR_INSUFFICIENT_MEMORY: 9211 return MBEDTLS_ERR_MD_ALLOC_FAILED; 9212 default: 9213 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 9214 } 9215 } 9216 return 0; 9217 } 9218 9219 #else 9220 9221 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 9222 unsigned char *hash, size_t *hashlen, 9223 unsigned char *data, size_t data_len, 9224 mbedtls_md_type_t md_alg) 9225 { 9226 int ret = 0; 9227 mbedtls_md_context_t ctx; 9228 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg); 9229 *hashlen = mbedtls_md_get_size(md_info); 9230 9231 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange")); 9232 9233 mbedtls_md_init(&ctx); 9234 9235 /* 9236 * digitally-signed struct { 9237 * opaque client_random[32]; 9238 * opaque server_random[32]; 9239 * ServerDHParams params; 9240 * }; 9241 */ 9242 if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) { 9243 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret); 9244 goto exit; 9245 } 9246 if ((ret = mbedtls_md_starts(&ctx)) != 0) { 9247 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret); 9248 goto exit; 9249 } 9250 if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) { 9251 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); 9252 goto exit; 9253 } 9254 if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) { 9255 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret); 9256 goto exit; 9257 } 9258 if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) { 9259 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret); 9260 goto exit; 9261 } 9262 9263 exit: 9264 mbedtls_md_free(&ctx); 9265 9266 if (ret != 0) { 9267 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 9268 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR); 9269 } 9270 9271 return ret; 9272 } 9273 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 9274 9275 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 9276 9277 /* Find the preferred hash for a given signature algorithm. */ 9278 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 9279 mbedtls_ssl_context *ssl, 9280 unsigned int sig_alg) 9281 { 9282 unsigned int i; 9283 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs; 9284 9285 if (sig_alg == MBEDTLS_SSL_SIG_ANON) { 9286 return MBEDTLS_SSL_HASH_NONE; 9287 } 9288 9289 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) { 9290 unsigned int hash_alg_received = 9291 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG( 9292 received_sig_algs[i]); 9293 unsigned int sig_alg_received = 9294 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG( 9295 received_sig_algs[i]); 9296 9297 mbedtls_md_type_t md_alg = 9298 mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received); 9299 if (md_alg == MBEDTLS_MD_NONE) { 9300 continue; 9301 } 9302 9303 if (sig_alg == sig_alg_received) { 9304 #if defined(MBEDTLS_USE_PSA_CRYPTO) 9305 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) { 9306 psa_algorithm_t psa_hash_alg = 9307 mbedtls_md_psa_alg_from_type(md_alg); 9308 9309 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA && 9310 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, 9311 PSA_ALG_ECDSA(psa_hash_alg), 9312 PSA_KEY_USAGE_SIGN_HASH)) { 9313 continue; 9314 } 9315 9316 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA && 9317 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key, 9318 PSA_ALG_RSA_PKCS1V15_SIGN( 9319 psa_hash_alg), 9320 PSA_KEY_USAGE_SIGN_HASH)) { 9321 continue; 9322 } 9323 } 9324 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 9325 9326 return hash_alg_received; 9327 } 9328 } 9329 9330 return MBEDTLS_SSL_HASH_NONE; 9331 } 9332 9333 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 9334 9335 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 9336 9337 int mbedtls_ssl_validate_ciphersuite( 9338 const mbedtls_ssl_context *ssl, 9339 const mbedtls_ssl_ciphersuite_t *suite_info, 9340 mbedtls_ssl_protocol_version min_tls_version, 9341 mbedtls_ssl_protocol_version max_tls_version) 9342 { 9343 (void) ssl; 9344 9345 if (suite_info == NULL) { 9346 return -1; 9347 } 9348 9349 if ((suite_info->min_tls_version > max_tls_version) || 9350 (suite_info->max_tls_version < min_tls_version)) { 9351 return -1; 9352 } 9353 9354 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C) 9355 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 9356 #if defined(MBEDTLS_USE_PSA_CRYPTO) 9357 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 9358 ssl->handshake->psa_pake_ctx_is_ok != 1) 9359 #else 9360 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && 9361 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0) 9362 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 9363 { 9364 return -1; 9365 } 9366 #endif 9367 9368 /* Don't suggest PSK-based ciphersuite if no PSK is available. */ 9369 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 9370 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) && 9371 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) { 9372 return -1; 9373 } 9374 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 9375 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 9376 9377 return 0; 9378 } 9379 9380 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 9381 /* 9382 * Function for writing a signature algorithm extension. 9383 * 9384 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList` 9385 * value (TLS 1.3 RFC8446): 9386 * enum { 9387 * .... 9388 * ecdsa_secp256r1_sha256( 0x0403 ), 9389 * ecdsa_secp384r1_sha384( 0x0503 ), 9390 * ecdsa_secp521r1_sha512( 0x0603 ), 9391 * .... 9392 * } SignatureScheme; 9393 * 9394 * struct { 9395 * SignatureScheme supported_signature_algorithms<2..2^16-2>; 9396 * } SignatureSchemeList; 9397 * 9398 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm` 9399 * value (TLS 1.2 RFC5246): 9400 * enum { 9401 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5), 9402 * sha512(6), (255) 9403 * } HashAlgorithm; 9404 * 9405 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) } 9406 * SignatureAlgorithm; 9407 * 9408 * struct { 9409 * HashAlgorithm hash; 9410 * SignatureAlgorithm signature; 9411 * } SignatureAndHashAlgorithm; 9412 * 9413 * SignatureAndHashAlgorithm 9414 * supported_signature_algorithms<2..2^16-2>; 9415 * 9416 * The TLS 1.3 signature algorithm extension was defined to be a compatible 9417 * generalization of the TLS 1.2 signature algorithm extension. 9418 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by 9419 * `SignatureScheme` field of TLS 1.3 9420 * 9421 */ 9422 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf, 9423 const unsigned char *end, size_t *out_len) 9424 { 9425 unsigned char *p = buf; 9426 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */ 9427 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */ 9428 9429 *out_len = 0; 9430 9431 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension")); 9432 9433 /* Check if we have space for header and length field: 9434 * - extension_type (2 bytes) 9435 * - extension_data_length (2 bytes) 9436 * - supported_signature_algorithms_length (2 bytes) 9437 */ 9438 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6); 9439 p += 6; 9440 9441 /* 9442 * Write supported_signature_algorithms 9443 */ 9444 supported_sig_alg = p; 9445 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); 9446 if (sig_alg == NULL) { 9447 return MBEDTLS_ERR_SSL_BAD_CONFIG; 9448 } 9449 9450 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) { 9451 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s", 9452 *sig_alg, 9453 mbedtls_ssl_sig_alg_to_str(*sig_alg))); 9454 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) { 9455 continue; 9456 } 9457 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); 9458 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0); 9459 p += 2; 9460 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s", 9461 *sig_alg, 9462 mbedtls_ssl_sig_alg_to_str(*sig_alg))); 9463 } 9464 9465 /* Length of supported_signature_algorithms */ 9466 supported_sig_alg_len = (size_t) (p - supported_sig_alg); 9467 if (supported_sig_alg_len == 0) { 9468 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined.")); 9469 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 9470 } 9471 9472 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0); 9473 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2); 9474 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4); 9475 9476 *out_len = (size_t) (p - buf); 9477 9478 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 9479 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG); 9480 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 9481 9482 return 0; 9483 } 9484 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 9485 9486 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 9487 /* 9488 * mbedtls_ssl_parse_server_name_ext 9489 * 9490 * Structure of server_name extension: 9491 * 9492 * enum { 9493 * host_name(0), (255) 9494 * } NameType; 9495 * opaque HostName<1..2^16-1>; 9496 * 9497 * struct { 9498 * NameType name_type; 9499 * select (name_type) { 9500 * case host_name: HostName; 9501 * } name; 9502 * } ServerName; 9503 * struct { 9504 * ServerName server_name_list<1..2^16-1> 9505 * } ServerNameList; 9506 */ 9507 MBEDTLS_CHECK_RETURN_CRITICAL 9508 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl, 9509 const unsigned char *buf, 9510 const unsigned char *end) 9511 { 9512 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; 9513 const unsigned char *p = buf; 9514 size_t server_name_list_len, hostname_len; 9515 const unsigned char *server_name_list_end; 9516 9517 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension")); 9518 9519 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2); 9520 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0); 9521 p += 2; 9522 9523 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len); 9524 server_name_list_end = p + server_name_list_len; 9525 while (p < server_name_list_end) { 9526 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3); 9527 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1); 9528 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 9529 hostname_len + 3); 9530 9531 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) { 9532 /* sni_name is intended to be used only during the parsing of the 9533 * ClientHello message (it is reset to NULL before the end of 9534 * the message parsing). Thus it is ok to just point to the 9535 * reception buffer and not make a copy of it. 9536 */ 9537 ssl->handshake->sni_name = p + 3; 9538 ssl->handshake->sni_name_len = hostname_len; 9539 if (ssl->conf->f_sni == NULL) { 9540 return 0; 9541 } 9542 ret = ssl->conf->f_sni(ssl->conf->p_sni, 9543 ssl, p + 3, hostname_len); 9544 if (ret != 0) { 9545 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret); 9546 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME, 9547 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME); 9548 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME; 9549 } 9550 return 0; 9551 } 9552 9553 p += hostname_len + 3; 9554 } 9555 9556 return 0; 9557 } 9558 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 9559 9560 #if defined(MBEDTLS_SSL_ALPN) 9561 MBEDTLS_CHECK_RETURN_CRITICAL 9562 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, 9563 const unsigned char *buf, 9564 const unsigned char *end) 9565 { 9566 const unsigned char *p = buf; 9567 size_t protocol_name_list_len; 9568 const unsigned char *protocol_name_list; 9569 const unsigned char *protocol_name_list_end; 9570 size_t protocol_name_len; 9571 9572 /* If ALPN not configured, just ignore the extension */ 9573 if (ssl->conf->alpn_list == NULL) { 9574 return 0; 9575 } 9576 9577 /* 9578 * RFC7301, section 3.1 9579 * opaque ProtocolName<1..2^8-1>; 9580 * 9581 * struct { 9582 * ProtocolName protocol_name_list<2..2^16-1> 9583 * } ProtocolNameList; 9584 */ 9585 9586 /* 9587 * protocol_name_list_len 2 bytes 9588 * protocol_name_len 1 bytes 9589 * protocol_name >=1 byte 9590 */ 9591 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4); 9592 9593 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0); 9594 p += 2; 9595 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len); 9596 protocol_name_list = p; 9597 protocol_name_list_end = p + protocol_name_list_len; 9598 9599 /* Validate peer's list (lengths) */ 9600 while (p < protocol_name_list_end) { 9601 protocol_name_len = *p++; 9602 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end, 9603 protocol_name_len); 9604 if (protocol_name_len == 0) { 9605 MBEDTLS_SSL_PEND_FATAL_ALERT( 9606 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, 9607 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); 9608 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; 9609 } 9610 9611 p += protocol_name_len; 9612 } 9613 9614 /* Use our order of preference */ 9615 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) { 9616 size_t const alpn_len = strlen(*alpn); 9617 p = protocol_name_list; 9618 while (p < protocol_name_list_end) { 9619 protocol_name_len = *p++; 9620 if (protocol_name_len == alpn_len && 9621 memcmp(p, *alpn, alpn_len) == 0) { 9622 ssl->alpn_chosen = *alpn; 9623 return 0; 9624 } 9625 9626 p += protocol_name_len; 9627 } 9628 } 9629 9630 /* If we get here, no match was found */ 9631 MBEDTLS_SSL_PEND_FATAL_ALERT( 9632 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL, 9633 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL); 9634 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL; 9635 } 9636 9637 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl, 9638 unsigned char *buf, 9639 unsigned char *end, 9640 size_t *out_len) 9641 { 9642 unsigned char *p = buf; 9643 size_t protocol_name_len; 9644 *out_len = 0; 9645 9646 if (ssl->alpn_chosen == NULL) { 9647 return 0; 9648 } 9649 9650 protocol_name_len = strlen(ssl->alpn_chosen); 9651 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len); 9652 9653 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension")); 9654 /* 9655 * 0 . 1 ext identifier 9656 * 2 . 3 ext length 9657 * 4 . 5 protocol list length 9658 * 6 . 6 protocol name length 9659 * 7 . 7+n protocol name 9660 */ 9661 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0); 9662 9663 *out_len = 7 + protocol_name_len; 9664 9665 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2); 9666 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4); 9667 /* Note: the length of the chosen protocol has been checked to be less 9668 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`. 9669 */ 9670 p[6] = MBEDTLS_BYTE_0(protocol_name_len); 9671 9672 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len); 9673 9674 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 9675 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN); 9676 #endif 9677 9678 return 0; 9679 } 9680 #endif /* MBEDTLS_SSL_ALPN */ 9681 9682 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 9683 defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 9684 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ 9685 defined(MBEDTLS_SSL_CLI_C) 9686 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, 9687 const char *hostname) 9688 { 9689 /* Initialize to suppress unnecessary compiler warning */ 9690 size_t hostname_len = 0; 9691 9692 /* Check if new hostname is valid before 9693 * making any change to current one */ 9694 if (hostname != NULL) { 9695 hostname_len = strlen(hostname); 9696 9697 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) { 9698 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9699 } 9700 } 9701 9702 /* Now it's clear that we will overwrite the old hostname, 9703 * so we can free it safely */ 9704 if (session->hostname != NULL) { 9705 mbedtls_zeroize_and_free(session->hostname, 9706 strlen(session->hostname)); 9707 } 9708 9709 /* Passing NULL as hostname shall clear the old one */ 9710 if (hostname == NULL) { 9711 session->hostname = NULL; 9712 } else { 9713 session->hostname = mbedtls_calloc(1, hostname_len + 1); 9714 if (session->hostname == NULL) { 9715 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 9716 } 9717 9718 memcpy(session->hostname, hostname, hostname_len); 9719 } 9720 9721 return 0; 9722 } 9723 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && 9724 MBEDTLS_SSL_SESSION_TICKETS && 9725 MBEDTLS_SSL_SERVER_NAME_INDICATION && 9726 MBEDTLS_SSL_CLI_C */ 9727 9728 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \ 9729 defined(MBEDTLS_SSL_ALPN) 9730 int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session, 9731 const char *alpn) 9732 { 9733 size_t alpn_len = 0; 9734 9735 if (alpn != NULL) { 9736 alpn_len = strlen(alpn); 9737 9738 if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) { 9739 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 9740 } 9741 } 9742 9743 if (session->ticket_alpn != NULL) { 9744 mbedtls_zeroize_and_free(session->ticket_alpn, 9745 strlen(session->ticket_alpn)); 9746 session->ticket_alpn = NULL; 9747 } 9748 9749 if (alpn != NULL) { 9750 session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1); 9751 if (session->ticket_alpn == NULL) { 9752 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 9753 } 9754 memcpy(session->ticket_alpn, alpn, alpn_len); 9755 } 9756 9757 return 0; 9758 } 9759 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */ 9760 9761 /* 9762 * The following functions are used by 1.2 and 1.3, client and server. 9763 */ 9764 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 9765 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, 9766 const mbedtls_ssl_ciphersuite_t *ciphersuite, 9767 int recv_endpoint, 9768 mbedtls_ssl_protocol_version tls_version, 9769 uint32_t *flags) 9770 { 9771 int ret = 0; 9772 unsigned int usage = 0; 9773 const char *ext_oid; 9774 size_t ext_len; 9775 9776 /* 9777 * keyUsage 9778 */ 9779 9780 /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants 9781 * to check what a compliant client will think while choosing which cert 9782 * to send to the client. */ 9783 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 9784 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 9785 recv_endpoint == MBEDTLS_SSL_IS_CLIENT) { 9786 /* TLS 1.2 server part of the key exchange */ 9787 switch (ciphersuite->key_exchange) { 9788 case MBEDTLS_KEY_EXCHANGE_RSA: 9789 case MBEDTLS_KEY_EXCHANGE_RSA_PSK: 9790 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT; 9791 break; 9792 9793 case MBEDTLS_KEY_EXCHANGE_DHE_RSA: 9794 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: 9795 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: 9796 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 9797 break; 9798 9799 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: 9800 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: 9801 usage = MBEDTLS_X509_KU_KEY_AGREEMENT; 9802 break; 9803 9804 /* Don't use default: we want warnings when adding new values */ 9805 case MBEDTLS_KEY_EXCHANGE_NONE: 9806 case MBEDTLS_KEY_EXCHANGE_PSK: 9807 case MBEDTLS_KEY_EXCHANGE_DHE_PSK: 9808 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: 9809 case MBEDTLS_KEY_EXCHANGE_ECJPAKE: 9810 usage = 0; 9811 } 9812 } else 9813 #endif 9814 { 9815 /* This is either TLS 1.3 authentication, which always uses signatures, 9816 * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only 9817 * options we implement, both using signatures. */ 9818 (void) tls_version; 9819 (void) ciphersuite; 9820 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; 9821 } 9822 9823 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) { 9824 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE; 9825 ret = -1; 9826 } 9827 9828 /* 9829 * extKeyUsage 9830 */ 9831 9832 if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) { 9833 ext_oid = MBEDTLS_OID_SERVER_AUTH; 9834 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH); 9835 } else { 9836 ext_oid = MBEDTLS_OID_CLIENT_AUTH; 9837 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH); 9838 } 9839 9840 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) { 9841 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE; 9842 ret = -1; 9843 } 9844 9845 return ret; 9846 } 9847 9848 static int get_hostname_for_verification(mbedtls_ssl_context *ssl, 9849 const char **hostname) 9850 { 9851 if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) { 9852 MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname")); 9853 #if !defined(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME) 9854 if (mbedtls_ssl_conf_get_endpoint(ssl->conf) == MBEDTLS_SSL_IS_CLIENT && 9855 ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { 9856 return MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME; 9857 } 9858 #endif 9859 } 9860 9861 *hostname = mbedtls_ssl_get_hostname_pointer(ssl); 9862 if (*hostname == NULL) { 9863 MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification")); 9864 } 9865 9866 return 0; 9867 } 9868 9869 int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, 9870 int authmode, 9871 mbedtls_x509_crt *chain, 9872 const mbedtls_ssl_ciphersuite_t *ciphersuite_info, 9873 void *rs_ctx) 9874 { 9875 if (authmode == MBEDTLS_SSL_VERIFY_NONE) { 9876 return 0; 9877 } 9878 9879 /* 9880 * Primary check: use the appropriate X.509 verification function 9881 */ 9882 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); 9883 void *p_vrfy; 9884 if (ssl->f_vrfy != NULL) { 9885 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback")); 9886 f_vrfy = ssl->f_vrfy; 9887 p_vrfy = ssl->p_vrfy; 9888 } else { 9889 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback")); 9890 f_vrfy = ssl->conf->f_vrfy; 9891 p_vrfy = ssl->conf->p_vrfy; 9892 } 9893 9894 const char *hostname = ""; 9895 int ret = get_hostname_for_verification(ssl, &hostname); 9896 if (ret != 0) { 9897 MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret); 9898 return ret; 9899 } 9900 9901 int have_ca_chain_or_callback = 0; 9902 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) 9903 if (ssl->conf->f_ca_cb != NULL) { 9904 ((void) rs_ctx); 9905 have_ca_chain_or_callback = 1; 9906 9907 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification")); 9908 ret = mbedtls_x509_crt_verify_with_ca_cb( 9909 chain, 9910 ssl->conf->f_ca_cb, 9911 ssl->conf->p_ca_cb, 9912 ssl->conf->cert_profile, 9913 hostname, 9914 &ssl->session_negotiate->verify_result, 9915 f_vrfy, p_vrfy); 9916 } else 9917 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ 9918 { 9919 mbedtls_x509_crt *ca_chain; 9920 mbedtls_x509_crl *ca_crl; 9921 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 9922 if (ssl->handshake->sni_ca_chain != NULL) { 9923 ca_chain = ssl->handshake->sni_ca_chain; 9924 ca_crl = ssl->handshake->sni_ca_crl; 9925 } else 9926 #endif 9927 { 9928 ca_chain = ssl->conf->ca_chain; 9929 ca_crl = ssl->conf->ca_crl; 9930 } 9931 9932 if (ca_chain != NULL) { 9933 have_ca_chain_or_callback = 1; 9934 } 9935 9936 ret = mbedtls_x509_crt_verify_restartable( 9937 chain, 9938 ca_chain, ca_crl, 9939 ssl->conf->cert_profile, 9940 hostname, 9941 &ssl->session_negotiate->verify_result, 9942 f_vrfy, p_vrfy, rs_ctx); 9943 } 9944 9945 if (ret != 0) { 9946 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); 9947 } 9948 9949 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 9950 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) { 9951 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; 9952 } 9953 #endif 9954 9955 /* 9956 * Secondary checks: always done, but change 'ret' only if it was 0 9957 */ 9958 9959 /* With TLS 1.2 and ECC certs, check that the curve used by the 9960 * certificate is on our list of acceptable curves. 9961 * 9962 * With TLS 1.3 this is not needed because the curve is part of the 9963 * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when 9964 * we validate the signature made with the key associated to this cert. 9965 */ 9966 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 9967 defined(MBEDTLS_PK_HAVE_ECC_KEYS) 9968 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 9969 mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) { 9970 if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) { 9971 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)")); 9972 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY; 9973 if (ret == 0) { 9974 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 9975 } 9976 } 9977 } 9978 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_PK_HAVE_ECC_KEYS */ 9979 9980 /* Check X.509 usage extensions (keyUsage, extKeyUsage) */ 9981 if (mbedtls_ssl_check_cert_usage(chain, 9982 ciphersuite_info, 9983 ssl->conf->endpoint, 9984 ssl->tls_version, 9985 &ssl->session_negotiate->verify_result) != 0) { 9986 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)")); 9987 if (ret == 0) { 9988 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE; 9989 } 9990 } 9991 9992 /* With authmode optional, we want to keep going if the certificate was 9993 * unacceptable, but still fail on other errors (out of memory etc), 9994 * including fatal errors from the f_vrfy callback. 9995 * 9996 * The only acceptable errors are: 9997 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check; 9998 * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks. 9999 * Anything else is a fatal error. */ 10000 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL && 10001 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED || 10002 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) { 10003 ret = 0; 10004 } 10005 10006 /* Return a specific error as this is a user error: inconsistent 10007 * configuration - can't verify without trust anchors. */ 10008 if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { 10009 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); 10010 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; 10011 } 10012 10013 if (ret != 0) { 10014 uint8_t alert; 10015 10016 /* The certificate may have been rejected for several reasons. 10017 Pick one and send the corresponding alert. Which alert to send 10018 may be a subject of debate in some cases. */ 10019 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) { 10020 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED; 10021 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) { 10022 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT; 10023 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) { 10024 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 10025 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) { 10026 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 10027 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) { 10028 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 10029 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) { 10030 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT; 10031 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) { 10032 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED; 10033 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) { 10034 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED; 10035 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) { 10036 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA; 10037 } else { 10038 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN; 10039 } 10040 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, 10041 alert); 10042 } 10043 10044 #if defined(MBEDTLS_DEBUG_C) 10045 if (ssl->session_negotiate->verify_result != 0) { 10046 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x", 10047 (unsigned int) ssl->session_negotiate->verify_result)); 10048 } else { 10049 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear")); 10050 } 10051 #endif /* MBEDTLS_DEBUG_C */ 10052 10053 return ret; 10054 } 10055 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 10056 10057 #if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) 10058 10059 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 10060 static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl, 10061 const mbedtls_md_type_t hash_alg, 10062 uint8_t *out, 10063 const size_t key_len, 10064 const char *label, 10065 const size_t label_len, 10066 const unsigned char *context, 10067 const size_t context_len, 10068 const int use_context) 10069 { 10070 int ret = 0; 10071 unsigned char *prf_input = NULL; 10072 10073 /* The input to the PRF is client_random, then server_random. 10074 * If a context is provided, this is then followed by the context length 10075 * as a 16-bit big-endian integer, and then the context itself. */ 10076 const size_t randbytes_len = MBEDTLS_CLIENT_HELLO_RANDOM_LEN + MBEDTLS_SERVER_HELLO_RANDOM_LEN; 10077 size_t prf_input_len = randbytes_len; 10078 if (use_context) { 10079 if (context_len > UINT16_MAX) { 10080 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 10081 } 10082 10083 /* This does not overflow a 32-bit size_t because the current value of 10084 * prf_input_len is 64 (length of client_random + server_random) and 10085 * context_len fits into two bytes (checked above). */ 10086 prf_input_len += sizeof(uint16_t) + context_len; 10087 } 10088 10089 prf_input = mbedtls_calloc(prf_input_len, sizeof(unsigned char)); 10090 if (prf_input == NULL) { 10091 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 10092 } 10093 10094 memcpy(prf_input, 10095 ssl->transform->randbytes + MBEDTLS_SERVER_HELLO_RANDOM_LEN, 10096 MBEDTLS_CLIENT_HELLO_RANDOM_LEN); 10097 memcpy(prf_input + MBEDTLS_CLIENT_HELLO_RANDOM_LEN, 10098 ssl->transform->randbytes, 10099 MBEDTLS_SERVER_HELLO_RANDOM_LEN); 10100 if (use_context) { 10101 MBEDTLS_PUT_UINT16_BE(context_len, prf_input, randbytes_len); 10102 memcpy(prf_input + randbytes_len + sizeof(uint16_t), context, context_len); 10103 } 10104 ret = tls_prf_generic(hash_alg, ssl->session->master, sizeof(ssl->session->master), 10105 label, label_len, 10106 prf_input, prf_input_len, 10107 out, key_len); 10108 mbedtls_free(prf_input); 10109 return ret; 10110 } 10111 #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */ 10112 10113 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 10114 static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl, 10115 const mbedtls_md_type_t hash_alg, 10116 uint8_t *out, 10117 const size_t key_len, 10118 const char *label, 10119 const size_t label_len, 10120 const unsigned char *context, 10121 const size_t context_len) 10122 { 10123 const psa_algorithm_t psa_hash_alg = mbedtls_md_psa_alg_from_type(hash_alg); 10124 const size_t hash_len = PSA_HASH_LENGTH(hash_alg); 10125 const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret; 10126 10127 /* The length of the label must be at most 249 bytes to fit into the HkdfLabel 10128 * struct as defined in RFC 8446, Section 7.1. 10129 * 10130 * The length of the context is unlimited even though the context field in the 10131 * struct can only hold up to 255 bytes. This is because we place a *hash* of 10132 * the context in the field. */ 10133 if (label_len > 249) { 10134 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 10135 } 10136 10137 return mbedtls_ssl_tls13_exporter(psa_hash_alg, secret, hash_len, 10138 (const unsigned char *) label, label_len, 10139 context, context_len, out, key_len); 10140 } 10141 #endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) */ 10142 10143 int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, 10144 uint8_t *out, const size_t key_len, 10145 const char *label, const size_t label_len, 10146 const unsigned char *context, const size_t context_len, 10147 const int use_context) 10148 { 10149 if (!mbedtls_ssl_is_handshake_over(ssl)) { 10150 /* TODO: Change this to a more appropriate error code when one is available. */ 10151 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 10152 } 10153 10154 if (key_len > MBEDTLS_SSL_EXPORT_MAX_KEY_LEN) { 10155 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 10156 } 10157 10158 int ciphersuite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(ssl); 10159 const mbedtls_ssl_ciphersuite_t *ciphersuite = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id); 10160 const mbedtls_md_type_t hash_alg = ciphersuite->mac; 10161 10162 switch (mbedtls_ssl_get_version_number(ssl)) { 10163 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 10164 case MBEDTLS_SSL_VERSION_TLS1_2: 10165 return mbedtls_ssl_tls12_export_keying_material(ssl, hash_alg, out, key_len, 10166 label, label_len, 10167 context, context_len, use_context); 10168 #endif 10169 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 10170 case MBEDTLS_SSL_VERSION_TLS1_3: 10171 return mbedtls_ssl_tls13_export_keying_material(ssl, 10172 hash_alg, 10173 out, 10174 key_len, 10175 label, 10176 label_len, 10177 use_context ? context : NULL, 10178 use_context ? context_len : 0); 10179 #endif 10180 default: 10181 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION; 10182 } 10183 } 10184 10185 #endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */ 10186 10187 #endif /* MBEDTLS_SSL_TLS_C */