--- /dev/null
+/*\r
+ * SSLv3/TLSv1 shared functions\r
+ *\r
+ * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved\r
+ * SPDX-License-Identifier: Apache-2.0\r
+ *\r
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may\r
+ * not use this file except in compliance with the License.\r
+ * You may obtain a copy of the License at\r
+ *\r
+ * http://www.apache.org/licenses/LICENSE-2.0\r
+ *\r
+ * Unless required by applicable law or agreed to in writing, software\r
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT\r
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r
+ * See the License for the specific language governing permissions and\r
+ * limitations under the License.\r
+ *\r
+ * This file is part of mbed TLS (https://tls.mbed.org)\r
+ */\r
+/*\r
+ * The SSL 3.0 specification was drafted by Netscape in 1996,\r
+ * and became an IETF standard in 1999.\r
+ *\r
+ * http://wp.netscape.com/eng/ssl3/\r
+ * http://www.ietf.org/rfc/rfc2246.txt\r
+ * http://www.ietf.org/rfc/rfc4346.txt\r
+ */\r
+\r
+#if !defined(MBEDTLS_CONFIG_FILE)\r
+#include "mbedtls/config.h"\r
+#else\r
+#include MBEDTLS_CONFIG_FILE\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_TLS_C)\r
+\r
+#if defined(MBEDTLS_PLATFORM_C)\r
+#include "mbedtls/platform.h"\r
+#else\r
+#include <stdlib.h>\r
+#define mbedtls_calloc calloc\r
+#define mbedtls_free free\r
+#endif\r
+\r
+#include "mbedtls/debug.h"\r
+#include "mbedtls/ssl.h"\r
+#include "mbedtls/ssl_internal.h"\r
+#include "mbedtls/platform_util.h"\r
+\r
+#include <string.h>\r
+\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+#include "mbedtls/psa_util.h"\r
+#include "psa/crypto.h"\r
+#endif\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+#include "mbedtls/oid.h"\r
+#endif\r
+\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+#include "mbedtls/psa_util.h"\r
+#endif\r
+\r
+static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );\r
+static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );\r
+\r
+/* Length of the "epoch" field in the record header */\r
+static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )\r
+{\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ return( 2 );\r
+#else\r
+ ((void) ssl);\r
+#endif\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * Start a timer.\r
+ * Passing millisecs = 0 cancels a running timer.\r
+ */\r
+static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )\r
+{\r
+ if( ssl->f_set_timer == NULL )\r
+ return;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );\r
+ ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );\r
+}\r
+\r
+/*\r
+ * Return -1 is timer is expired, 0 if it isn't.\r
+ */\r
+static int ssl_check_timer( mbedtls_ssl_context *ssl )\r
+{\r
+ if( ssl->f_get_timer == NULL )\r
+ return( 0 );\r
+\r
+ if( ssl->f_get_timer( ssl->p_timer ) == 2 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );\r
+ return( -1 );\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+\r
+static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,\r
+ mbedtls_ssl_transform *transform );\r
+static void ssl_update_in_pointers( mbedtls_ssl_context *ssl );\r
+\r
+#define SSL_DONT_FORCE_FLUSH 0\r
+#define SSL_FORCE_FLUSH 1\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+/* Top-level Connection ID API */\r
+\r
+int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf,\r
+ size_t len,\r
+ int ignore_other_cid )\r
+{\r
+ if( len > MBEDTLS_SSL_CID_IN_LEN_MAX )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ if( ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&\r
+ ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )\r
+ {\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ conf->ignore_unexpected_cid = ignore_other_cid;\r
+ conf->cid_len = len;\r
+ return( 0 );\r
+}\r
+\r
+int mbedtls_ssl_set_cid( mbedtls_ssl_context *ssl,\r
+ int enable,\r
+ unsigned char const *own_cid,\r
+ size_t own_cid_len )\r
+{\r
+ if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ ssl->negotiate_cid = enable;\r
+ if( enable == MBEDTLS_SSL_CID_DISABLED )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Disable use of CID extension." ) );\r
+ return( 0 );\r
+ }\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Enable use of CID extension." ) );\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "Own CID", own_cid, own_cid_len );\r
+\r
+ if( own_cid_len != ssl->conf->cid_len )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "CID length %u does not match CID length %u in config",\r
+ (unsigned) own_cid_len,\r
+ (unsigned) ssl->conf->cid_len ) );\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ memcpy( ssl->own_cid, own_cid, own_cid_len );\r
+ /* Truncation is not an issue here because\r
+ * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */\r
+ ssl->own_cid_len = (uint8_t) own_cid_len;\r
+\r
+ return( 0 );\r
+}\r
+\r
+int mbedtls_ssl_get_peer_cid( mbedtls_ssl_context *ssl,\r
+ int *enabled,\r
+ unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ],\r
+ size_t *peer_cid_len )\r
+{\r
+ *enabled = MBEDTLS_SSL_CID_DISABLED;\r
+\r
+ if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||\r
+ ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ {\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions\r
+ * were used, but client and server requested the empty CID.\r
+ * This is indistinguishable from not using the CID extension\r
+ * in the first place. */\r
+ if( ssl->transform_in->in_cid_len == 0 &&\r
+ ssl->transform_in->out_cid_len == 0 )\r
+ {\r
+ return( 0 );\r
+ }\r
+\r
+ if( peer_cid_len != NULL )\r
+ {\r
+ *peer_cid_len = ssl->transform_in->out_cid_len;\r
+ if( peer_cid != NULL )\r
+ {\r
+ memcpy( peer_cid, ssl->transform_in->out_cid,\r
+ ssl->transform_in->out_cid_len );\r
+ }\r
+ }\r
+\r
+ *enabled = MBEDTLS_SSL_CID_ENABLED;\r
+\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+\r
+/* Forward declarations for functions related to message buffering. */\r
+static void ssl_buffering_free( mbedtls_ssl_context *ssl );\r
+static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,\r
+ uint8_t slot );\r
+static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );\r
+static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );\r
+static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );\r
+static int ssl_buffer_message( mbedtls_ssl_context *ssl );\r
+static int ssl_buffer_future_record( mbedtls_ssl_context *ssl );\r
+static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );\r
+\r
+static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl );\r
+static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )\r
+{\r
+ size_t mtu = ssl_get_current_mtu( ssl );\r
+\r
+ if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN )\r
+ return( mtu );\r
+\r
+ return( MBEDTLS_SSL_OUT_BUFFER_LEN );\r
+}\r
+\r
+static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )\r
+{\r
+ size_t const bytes_written = ssl->out_left;\r
+ size_t const mtu = ssl_get_maximum_datagram_size( ssl );\r
+\r
+ /* Double-check that the write-index hasn't gone\r
+ * past what we can transmit in a single datagram. */\r
+ if( bytes_written > mtu )\r
+ {\r
+ /* Should never happen... */\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ return( (int) ( mtu - bytes_written ) );\r
+}\r
+\r
+static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )\r
+{\r
+ int ret;\r
+ size_t remaining, expansion;\r
+ size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;\r
+\r
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)\r
+ const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );\r
+\r
+ if( max_len > mfl )\r
+ max_len = mfl;\r
+\r
+ /* By the standard (RFC 6066 Sect. 4), the MFL extension\r
+ * only limits the maximum record payload size, so in theory\r
+ * we would be allowed to pack multiple records of payload size\r
+ * MFL into a single datagram. However, this would mean that there's\r
+ * no way to explicitly communicate MTU restrictions to the peer.\r
+ *\r
+ * The following reduction of max_len makes sure that we never\r
+ * write datagrams larger than MFL + Record Expansion Overhead.\r
+ */\r
+ if( max_len <= ssl->out_left )\r
+ return( 0 );\r
+\r
+ max_len -= ssl->out_left;\r
+#endif\r
+\r
+ ret = ssl_get_remaining_space_in_datagram( ssl );\r
+ if( ret < 0 )\r
+ return( ret );\r
+ remaining = (size_t) ret;\r
+\r
+ ret = mbedtls_ssl_get_record_expansion( ssl );\r
+ if( ret < 0 )\r
+ return( ret );\r
+ expansion = (size_t) ret;\r
+\r
+ if( remaining <= expansion )\r
+ return( 0 );\r
+\r
+ remaining -= expansion;\r
+ if( remaining >= max_len )\r
+ remaining = max_len;\r
+\r
+ return( (int) remaining );\r
+}\r
+\r
+/*\r
+ * Double the retransmit timeout value, within the allowed range,\r
+ * returning -1 if the maximum value has already been reached.\r
+ */\r
+static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )\r
+{\r
+ uint32_t new_timeout;\r
+\r
+ if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )\r
+ return( -1 );\r
+\r
+ /* Implement the final paragraph of RFC 6347 section 4.1.1.1\r
+ * in the following way: after the initial transmission and a first\r
+ * retransmission, back off to a temporary estimated MTU of 508 bytes.\r
+ * This value is guaranteed to be deliverable (if not guaranteed to be\r
+ * delivered) of any compliant IPv4 (and IPv6) network, and should work\r
+ * on most non-IP stacks too. */\r
+ if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )\r
+ {\r
+ ssl->handshake->mtu = 508;\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );\r
+ }\r
+\r
+ new_timeout = 2 * ssl->handshake->retransmit_timeout;\r
+\r
+ /* Avoid arithmetic overflow and range overflow */\r
+ if( new_timeout < ssl->handshake->retransmit_timeout ||\r
+ new_timeout > ssl->conf->hs_timeout_max )\r
+ {\r
+ new_timeout = ssl->conf->hs_timeout_max;\r
+ }\r
+\r
+ ssl->handshake->retransmit_timeout = new_timeout;\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",\r
+ ssl->handshake->retransmit_timeout ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )\r
+{\r
+ ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",\r
+ ssl->handshake->retransmit_timeout ) );\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)\r
+/*\r
+ * Convert max_fragment_length codes to length.\r
+ * RFC 6066 says:\r
+ * enum{\r
+ * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)\r
+ * } MaxFragmentLength;\r
+ * and we add 0 -> extension unused\r
+ */\r
+static unsigned int ssl_mfl_code_to_length( int mfl )\r
+{\r
+ switch( mfl )\r
+ {\r
+ case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:\r
+ return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );\r
+ case MBEDTLS_SSL_MAX_FRAG_LEN_512:\r
+ return 512;\r
+ case MBEDTLS_SSL_MAX_FRAG_LEN_1024:\r
+ return 1024;\r
+ case MBEDTLS_SSL_MAX_FRAG_LEN_2048:\r
+ return 2048;\r
+ case MBEDTLS_SSL_MAX_FRAG_LEN_4096:\r
+ return 4096;\r
+ default:\r
+ return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );\r
+ }\r
+}\r
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */\r
+\r
+int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,\r
+ const mbedtls_ssl_session *src )\r
+{\r
+ mbedtls_ssl_session_free( dst );\r
+ memcpy( dst, src, sizeof( mbedtls_ssl_session ) );\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+\r
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)\r
+ if( src->peer_cert != NULL )\r
+ {\r
+ int ret;\r
+\r
+ dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );\r
+ if( dst->peer_cert == NULL )\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+\r
+ mbedtls_x509_crt_init( dst->peer_cert );\r
+\r
+ if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,\r
+ src->peer_cert->raw.len ) ) != 0 )\r
+ {\r
+ mbedtls_free( dst->peer_cert );\r
+ dst->peer_cert = NULL;\r
+ return( ret );\r
+ }\r
+ }\r
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+ if( src->peer_cert_digest != NULL )\r
+ {\r
+ dst->peer_cert_digest =\r
+ mbedtls_calloc( 1, src->peer_cert_digest_len );\r
+ if( dst->peer_cert_digest == NULL )\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+\r
+ memcpy( dst->peer_cert_digest, src->peer_cert_digest,\r
+ src->peer_cert_digest_len );\r
+ dst->peer_cert_digest_type = src->peer_cert_digest_type;\r
+ dst->peer_cert_digest_len = src->peer_cert_digest_len;\r
+ }\r
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+\r
+#endif /* MBEDTLS_X509_CRT_PARSE_C */\r
+\r
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)\r
+ if( src->ticket != NULL )\r
+ {\r
+ dst->ticket = mbedtls_calloc( 1, src->ticket_len );\r
+ if( dst->ticket == NULL )\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+\r
+ memcpy( dst->ticket, src->ticket, src->ticket_len );\r
+ }\r
+#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */\r
+\r
+ return( 0 );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)\r
+int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,\r
+ const unsigned char *key_enc, const unsigned char *key_dec,\r
+ size_t keylen,\r
+ const unsigned char *iv_enc, const unsigned char *iv_dec,\r
+ size_t ivlen,\r
+ const unsigned char *mac_enc, const unsigned char *mac_dec,\r
+ size_t maclen ) = NULL;\r
+int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;\r
+int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;\r
+int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;\r
+int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;\r
+int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;\r
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */\r
+\r
+/*\r
+ * Key material generation\r
+ */\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+static int ssl3_prf( const unsigned char *secret, size_t slen,\r
+ const char *label,\r
+ const unsigned char *random, size_t rlen,\r
+ unsigned char *dstbuf, size_t dlen )\r
+{\r
+ int ret = 0;\r
+ size_t i;\r
+ mbedtls_md5_context md5;\r
+ mbedtls_sha1_context sha1;\r
+ unsigned char padding[16];\r
+ unsigned char sha1sum[20];\r
+ ((void)label);\r
+\r
+ mbedtls_md5_init( &md5 );\r
+ mbedtls_sha1_init( &sha1 );\r
+\r
+ /*\r
+ * SSLv3:\r
+ * block =\r
+ * MD5( secret + SHA1( 'A' + secret + random ) ) +\r
+ * MD5( secret + SHA1( 'BB' + secret + random ) ) +\r
+ * MD5( secret + SHA1( 'CCC' + secret + random ) ) +\r
+ * ...\r
+ */\r
+ for( i = 0; i < dlen / 16; i++ )\r
+ {\r
+ memset( padding, (unsigned char) ('A' + i), 1 + i );\r
+\r
+ if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )\r
+ goto exit;\r
+ if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )\r
+ goto exit;\r
+ if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )\r
+ goto exit;\r
+ if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )\r
+ goto exit;\r
+ if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )\r
+ goto exit;\r
+\r
+ if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )\r
+ goto exit;\r
+ if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )\r
+ goto exit;\r
+ if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )\r
+ goto exit;\r
+ if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )\r
+ goto exit;\r
+ }\r
+\r
+exit:\r
+ mbedtls_md5_free( &md5 );\r
+ mbedtls_sha1_free( &sha1 );\r
+\r
+ mbedtls_platform_zeroize( padding, sizeof( padding ) );\r
+ mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );\r
+\r
+ return( ret );\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+static int tls1_prf( const unsigned char *secret, size_t slen,\r
+ const char *label,\r
+ const unsigned char *random, size_t rlen,\r
+ unsigned char *dstbuf, size_t dlen )\r
+{\r
+ size_t nb, hs;\r
+ size_t i, j, k;\r
+ const unsigned char *S1, *S2;\r
+ unsigned char *tmp;\r
+ size_t tmp_len = 0;\r
+ unsigned char h_i[20];\r
+ const mbedtls_md_info_t *md_info;\r
+ mbedtls_md_context_t md_ctx;\r
+ int ret;\r
+\r
+ mbedtls_md_init( &md_ctx );\r
+\r
+ tmp_len = 20 + strlen( label ) + rlen;\r
+ tmp = mbedtls_calloc( 1, tmp_len );\r
+ if( tmp == NULL )\r
+ {\r
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;\r
+ goto exit;\r
+ }\r
+\r
+ hs = ( slen + 1 ) / 2;\r
+ S1 = secret;\r
+ S2 = secret + slen - hs;\r
+\r
+ nb = strlen( label );\r
+ memcpy( tmp + 20, label, nb );\r
+ memcpy( tmp + 20 + nb, random, rlen );\r
+ nb += rlen;\r
+\r
+ /*\r
+ * First compute P_md5(secret,label+random)[0..dlen]\r
+ */\r
+ if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )\r
+ {\r
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;\r
+ goto exit;\r
+ }\r
+\r
+ if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )\r
+ {\r
+ goto exit;\r
+ }\r
+\r
+ mbedtls_md_hmac_starts( &md_ctx, S1, hs );\r
+ mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );\r
+ mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );\r
+\r
+ for( i = 0; i < dlen; i += 16 )\r
+ {\r
+ mbedtls_md_hmac_reset ( &md_ctx );\r
+ mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );\r
+ mbedtls_md_hmac_finish( &md_ctx, h_i );\r
+\r
+ mbedtls_md_hmac_reset ( &md_ctx );\r
+ mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );\r
+ mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );\r
+\r
+ k = ( i + 16 > dlen ) ? dlen % 16 : 16;\r
+\r
+ for( j = 0; j < k; j++ )\r
+ dstbuf[i + j] = h_i[j];\r
+ }\r
+\r
+ mbedtls_md_free( &md_ctx );\r
+\r
+ /*\r
+ * XOR out with P_sha1(secret,label+random)[0..dlen]\r
+ */\r
+ if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )\r
+ {\r
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;\r
+ goto exit;\r
+ }\r
+\r
+ if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )\r
+ {\r
+ goto exit;\r
+ }\r
+\r
+ mbedtls_md_hmac_starts( &md_ctx, S2, hs );\r
+ mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );\r
+ mbedtls_md_hmac_finish( &md_ctx, tmp );\r
+\r
+ for( i = 0; i < dlen; i += 20 )\r
+ {\r
+ mbedtls_md_hmac_reset ( &md_ctx );\r
+ mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );\r
+ mbedtls_md_hmac_finish( &md_ctx, h_i );\r
+\r
+ mbedtls_md_hmac_reset ( &md_ctx );\r
+ mbedtls_md_hmac_update( &md_ctx, tmp, 20 );\r
+ mbedtls_md_hmac_finish( &md_ctx, tmp );\r
+\r
+ k = ( i + 20 > dlen ) ? dlen % 20 : 20;\r
+\r
+ for( j = 0; j < k; j++ )\r
+ dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );\r
+ }\r
+\r
+exit:\r
+ mbedtls_md_free( &md_ctx );\r
+\r
+ mbedtls_platform_zeroize( tmp, tmp_len );\r
+ mbedtls_platform_zeroize( h_i, sizeof( h_i ) );\r
+\r
+ mbedtls_free( tmp );\r
+ return( ret );\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+static int tls_prf_generic( mbedtls_md_type_t md_type,\r
+ const unsigned char *secret, size_t slen,\r
+ const char *label,\r
+ const unsigned char *random, size_t rlen,\r
+ unsigned char *dstbuf, size_t dlen )\r
+{\r
+ psa_status_t status;\r
+ psa_algorithm_t alg;\r
+ psa_key_policy_t policy;\r
+ psa_key_handle_t master_slot;\r
+ psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;\r
+\r
+ if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS )\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+\r
+ if( md_type == MBEDTLS_MD_SHA384 )\r
+ alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);\r
+ else\r
+ alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);\r
+\r
+ policy = psa_key_policy_init();\r
+ psa_key_policy_set_usage( &policy,\r
+ PSA_KEY_USAGE_DERIVE,\r
+ alg );\r
+ status = psa_set_key_policy( master_slot, &policy );\r
+ if( status != PSA_SUCCESS )\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+\r
+ status = psa_import_key( master_slot, PSA_KEY_TYPE_DERIVE, secret, slen );\r
+ if( status != PSA_SUCCESS )\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+\r
+ status = psa_key_derivation( &generator,\r
+ master_slot, alg,\r
+ random, rlen,\r
+ (unsigned char const *) label,\r
+ (size_t) strlen( label ),\r
+ dlen );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ psa_generator_abort( &generator );\r
+ psa_destroy_key( master_slot );\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+\r
+ status = psa_generator_read( &generator, dstbuf, dlen );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ psa_generator_abort( &generator );\r
+ psa_destroy_key( master_slot );\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+\r
+ status = psa_generator_abort( &generator );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ psa_destroy_key( master_slot );\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+\r
+ status = psa_destroy_key( master_slot );\r
+ if( status != PSA_SUCCESS )\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+\r
+ return( 0 );\r
+}\r
+\r
+#else /* MBEDTLS_USE_PSA_CRYPTO */\r
+\r
+static int tls_prf_generic( mbedtls_md_type_t md_type,\r
+ const unsigned char *secret, size_t slen,\r
+ const char *label,\r
+ const unsigned char *random, size_t rlen,\r
+ unsigned char *dstbuf, size_t dlen )\r
+{\r
+ size_t nb;\r
+ size_t i, j, k, md_len;\r
+ unsigned char *tmp;\r
+ size_t tmp_len = 0;\r
+ unsigned char h_i[MBEDTLS_MD_MAX_SIZE];\r
+ const mbedtls_md_info_t *md_info;\r
+ mbedtls_md_context_t md_ctx;\r
+ int ret;\r
+\r
+ mbedtls_md_init( &md_ctx );\r
+\r
+ if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+\r
+ md_len = mbedtls_md_get_size( md_info );\r
+\r
+ tmp_len = md_len + strlen( label ) + rlen;\r
+ tmp = mbedtls_calloc( 1, tmp_len );\r
+ if( tmp == NULL )\r
+ {\r
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;\r
+ goto exit;\r
+ }\r
+\r
+ nb = strlen( label );\r
+ memcpy( tmp + md_len, label, nb );\r
+ memcpy( tmp + md_len + nb, random, rlen );\r
+ nb += rlen;\r
+\r
+ /*\r
+ * Compute P_<hash>(secret, label + random)[0..dlen]\r
+ */\r
+ if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )\r
+ goto exit;\r
+\r
+ mbedtls_md_hmac_starts( &md_ctx, secret, slen );\r
+ mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );\r
+ mbedtls_md_hmac_finish( &md_ctx, tmp );\r
+\r
+ for( i = 0; i < dlen; i += md_len )\r
+ {\r
+ mbedtls_md_hmac_reset ( &md_ctx );\r
+ mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );\r
+ mbedtls_md_hmac_finish( &md_ctx, h_i );\r
+\r
+ mbedtls_md_hmac_reset ( &md_ctx );\r
+ mbedtls_md_hmac_update( &md_ctx, tmp, md_len );\r
+ mbedtls_md_hmac_finish( &md_ctx, tmp );\r
+\r
+ k = ( i + md_len > dlen ) ? dlen % md_len : md_len;\r
+\r
+ for( j = 0; j < k; j++ )\r
+ dstbuf[i + j] = h_i[j];\r
+ }\r
+\r
+exit:\r
+ mbedtls_md_free( &md_ctx );\r
+\r
+ mbedtls_platform_zeroize( tmp, tmp_len );\r
+ mbedtls_platform_zeroize( h_i, sizeof( h_i ) );\r
+\r
+ mbedtls_free( tmp );\r
+\r
+ return( ret );\r
+}\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO */\r
+#if defined(MBEDTLS_SHA256_C)\r
+static int tls_prf_sha256( const unsigned char *secret, size_t slen,\r
+ const char *label,\r
+ const unsigned char *random, size_t rlen,\r
+ unsigned char *dstbuf, size_t dlen )\r
+{\r
+ return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,\r
+ label, random, rlen, dstbuf, dlen ) );\r
+}\r
+#endif /* MBEDTLS_SHA256_C */\r
+\r
+#if defined(MBEDTLS_SHA512_C)\r
+static int tls_prf_sha384( const unsigned char *secret, size_t slen,\r
+ const char *label,\r
+ const unsigned char *random, size_t rlen,\r
+ unsigned char *dstbuf, size_t dlen )\r
+{\r
+ return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,\r
+ label, random, rlen, dstbuf, dlen ) );\r
+}\r
+#endif /* MBEDTLS_SHA512_C */\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );\r
+static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );\r
+static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA256_C)\r
+static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );\r
+static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *,unsigned char * );\r
+static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );\r
+#endif\r
+\r
+#if defined(MBEDTLS_SHA512_C)\r
+static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );\r
+static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );\r
+static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );\r
+#endif\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \\r
+ defined(MBEDTLS_USE_PSA_CRYPTO)\r
+static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )\r
+{\r
+ if( ssl->conf->f_psk != NULL )\r
+ {\r
+ /* If we've used a callback to select the PSK,\r
+ * the static configuration is irrelevant. */\r
+ if( ssl->handshake->psk_opaque != 0 )\r
+ return( 1 );\r
+\r
+ return( 0 );\r
+ }\r
+\r
+ if( ssl->conf->psk_opaque != 0 )\r
+ return( 1 );\r
+\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO &&\r
+ MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */\r
+\r
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)\r
+static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )\r
+{\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ if( tls_prf == ssl3_prf )\r
+ {\r
+ return( MBEDTLS_SSL_TLS_PRF_SSL3 );\r
+ }\r
+ else\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+ if( tls_prf == tls1_prf )\r
+ {\r
+ return( MBEDTLS_SSL_TLS_PRF_TLS1 );\r
+ }\r
+ else\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA512_C)\r
+ if( tls_prf == tls_prf_sha384 )\r
+ {\r
+ return( MBEDTLS_SSL_TLS_PRF_SHA384 );\r
+ }\r
+ else\r
+#endif\r
+#if defined(MBEDTLS_SHA256_C)\r
+ if( tls_prf == tls_prf_sha256 )\r
+ {\r
+ return( MBEDTLS_SSL_TLS_PRF_SHA256 );\r
+ }\r
+ else\r
+#endif\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+ return( MBEDTLS_SSL_TLS_PRF_NONE );\r
+}\r
+#endif /* MBEDTLS_SSL_EXPORT_KEYS */\r
+\r
+int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,\r
+ const unsigned char *secret, size_t slen,\r
+ const char *label,\r
+ const unsigned char *random, size_t rlen,\r
+ unsigned char *dstbuf, size_t dlen )\r
+{\r
+ mbedtls_ssl_tls_prf_cb *tls_prf = NULL;\r
+\r
+ switch( prf )\r
+ {\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ case MBEDTLS_SSL_TLS_PRF_SSL3:\r
+ tls_prf = ssl3_prf;\r
+ break;\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+ case MBEDTLS_SSL_TLS_PRF_TLS1:\r
+ tls_prf = tls1_prf;\r
+ break;\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA512_C)\r
+ case MBEDTLS_SSL_TLS_PRF_SHA384:\r
+ tls_prf = tls_prf_sha384;\r
+ break;\r
+#endif /* MBEDTLS_SHA512_C */\r
+#if defined(MBEDTLS_SHA256_C)\r
+ case MBEDTLS_SSL_TLS_PRF_SHA256:\r
+ tls_prf = tls_prf_sha256;\r
+ break;\r
+#endif /* MBEDTLS_SHA256_C */\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+ default:\r
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );\r
+ }\r
+\r
+ return( tls_prf( secret, slen, label, random, rlen, dstbuf, dlen ) );\r
+}\r
+\r
+int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret = 0;\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ int psa_fallthrough;\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO */\r
+ unsigned char tmp[64];\r
+ unsigned char keyblk[256];\r
+ unsigned char *key1;\r
+ unsigned char *key2;\r
+ unsigned char *mac_enc;\r
+ unsigned char *mac_dec;\r
+ size_t mac_key_len;\r
+ size_t iv_copy_len;\r
+ unsigned keylen;\r
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info;\r
+ const mbedtls_cipher_info_t *cipher_info;\r
+ const mbedtls_md_info_t *md_info;\r
+\r
+ /* cf. RFC 5246, Section 8.1:\r
+ * "The master secret is always exactly 48 bytes in length." */\r
+ size_t const master_secret_len = 48;\r
+\r
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)\r
+ unsigned char session_hash[48];\r
+#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */\r
+\r
+ mbedtls_ssl_session *session = ssl->session_negotiate;\r
+ mbedtls_ssl_transform *transform = ssl->transform_negotiate;\r
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );\r
+\r
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \\r
+ defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)\r
+ transform->encrypt_then_mac = session->encrypt_then_mac;\r
+#endif\r
+ transform->minor_ver = ssl->minor_ver;\r
+\r
+ ciphersuite_info = handshake->ciphersuite_info;\r
+ cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );\r
+ if( cipher_info == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",\r
+ ciphersuite_info->cipher ) );\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );\r
+ if( md_info == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",\r
+ ciphersuite_info->mac ) );\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ /* Copy own and peer's CID if the use of the CID\r
+ * extension has been negotiated. */\r
+ if( ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Copy CIDs into SSL transform" ) );\r
+\r
+ transform->in_cid_len = ssl->own_cid_len;\r
+ memcpy( transform->in_cid, ssl->own_cid, ssl->own_cid_len );\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "Incoming CID", transform->in_cid,\r
+ transform->in_cid_len );\r
+\r
+ transform->out_cid_len = ssl->handshake->peer_cid_len;\r
+ memcpy( transform->out_cid, ssl->handshake->peer_cid,\r
+ ssl->handshake->peer_cid_len );\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "Outgoing CID", transform->out_cid,\r
+ transform->out_cid_len );\r
+ }\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+\r
+ /*\r
+ * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions\r
+ */\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )\r
+ {\r
+ handshake->tls_prf = ssl3_prf;\r
+ handshake->calc_verify = ssl_calc_verify_ssl;\r
+ handshake->calc_finished = ssl_calc_finished_ssl;\r
+ }\r
+ else\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+ if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )\r
+ {\r
+ handshake->tls_prf = tls1_prf;\r
+ handshake->calc_verify = ssl_calc_verify_tls;\r
+ handshake->calc_finished = ssl_calc_finished_tls;\r
+ }\r
+ else\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA512_C)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&\r
+ ciphersuite_info->mac == MBEDTLS_MD_SHA384 )\r
+ {\r
+ handshake->tls_prf = tls_prf_sha384;\r
+ handshake->calc_verify = ssl_calc_verify_tls_sha384;\r
+ handshake->calc_finished = ssl_calc_finished_tls_sha384;\r
+ }\r
+ else\r
+#endif\r
+#if defined(MBEDTLS_SHA256_C)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )\r
+ {\r
+ handshake->tls_prf = tls_prf_sha256;\r
+ handshake->calc_verify = ssl_calc_verify_tls_sha256;\r
+ handshake->calc_finished = ssl_calc_finished_tls_sha256;\r
+ }\r
+ else\r
+#endif\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ /*\r
+ * SSLv3:\r
+ * master =\r
+ * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +\r
+ * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +\r
+ * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )\r
+ *\r
+ * TLSv1+:\r
+ * master = PRF( premaster, "master secret", randbytes )[0..47]\r
+ */\r
+ if( handshake->resume != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );\r
+ }\r
+ else\r
+ {\r
+ /* The label for the KDF used for key expansion.\r
+ * This is either "master secret" or "extended master secret"\r
+ * depending on whether the Extended Master Secret extension\r
+ * is used. */\r
+ char const *lbl = "master secret";\r
+\r
+ /* The salt for the KDF used for key expansion.\r
+ * - If the Extended Master Secret extension is not used,\r
+ * this is ClientHello.Random + ServerHello.Random\r
+ * (see Sect. 8.1 in RFC 5246).\r
+ * - If the Extended Master Secret extension is used,\r
+ * this is the transcript of the handshake so far.\r
+ * (see Sect. 4 in RFC 7627). */\r
+ unsigned char const *salt = handshake->randbytes;\r
+ size_t salt_len = 64;\r
+\r
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)\r
+ if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );\r
+\r
+ lbl = "extended master secret";\r
+ salt = session_hash;\r
+ ssl->handshake->calc_verify( ssl, session_hash );\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )\r
+ {\r
+#if defined(MBEDTLS_SHA512_C)\r
+ if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )\r
+ {\r
+ salt_len = 48;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SHA512_C */\r
+ salt_len = 32;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+ salt_len = 36;\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, salt_len );\r
+ }\r
+#endif /* MBEDTLS_SSL_EXTENDED_MS_ENABLED */\r
+\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && \\r
+ defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)\r
+ if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&\r
+ ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&\r
+ ssl_use_opaque_psk( ssl ) == 1 )\r
+ {\r
+ /* Perform PSK-to-MS expansion in a single step. */\r
+ psa_status_t status;\r
+ psa_algorithm_t alg;\r
+ psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;\r
+ psa_key_handle_t psk;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );\r
+\r
+ psk = ssl->conf->psk_opaque;\r
+ if( ssl->handshake->psk_opaque != 0 )\r
+ psk = ssl->handshake->psk_opaque;\r
+\r
+ if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )\r
+ alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);\r
+ else\r
+ alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);\r
+\r
+ status = psa_key_derivation( &generator, psk, alg,\r
+ salt, salt_len,\r
+ (unsigned char const *) lbl,\r
+ (size_t) strlen( lbl ),\r
+ master_secret_len );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ psa_generator_abort( &generator );\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+\r
+ status = psa_generator_read( &generator, session->master,\r
+ master_secret_len );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ psa_generator_abort( &generator );\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+\r
+ status = psa_generator_abort( &generator );\r
+ if( status != PSA_SUCCESS )\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,\r
+ lbl, salt, salt_len,\r
+ session->master,\r
+ master_secret_len );\r
+ if( ret != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );\r
+ return( ret );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret",\r
+ handshake->premaster,\r
+ handshake->pmslen );\r
+\r
+ mbedtls_platform_zeroize( handshake->premaster,\r
+ sizeof(handshake->premaster) );\r
+ }\r
+ }\r
+\r
+ /*\r
+ * Swap the client and server random values.\r
+ */\r
+ memcpy( tmp, handshake->randbytes, 64 );\r
+ memcpy( handshake->randbytes, tmp + 32, 32 );\r
+ memcpy( handshake->randbytes + 32, tmp, 32 );\r
+ mbedtls_platform_zeroize( tmp, sizeof( tmp ) );\r
+\r
+ /*\r
+ * SSLv3:\r
+ * key block =\r
+ * MD5( master + SHA1( 'A' + master + randbytes ) ) +\r
+ * MD5( master + SHA1( 'BB' + master + randbytes ) ) +\r
+ * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +\r
+ * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +\r
+ * ...\r
+ *\r
+ * TLSv1:\r
+ * key block = PRF( master, "key expansion", randbytes )\r
+ */\r
+ ret = handshake->tls_prf( session->master, 48, "key expansion",\r
+ handshake->randbytes, 64, keyblk, 256 );\r
+ if( ret != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );\r
+ return( ret );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",\r
+ mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );\r
+\r
+ /*\r
+ * Determine the appropriate key, IV and MAC length.\r
+ */\r
+\r
+ keylen = cipher_info->key_bitlen / 8;\r
+\r
+#if defined(MBEDTLS_GCM_C) || \\r
+ defined(MBEDTLS_CCM_C) || \\r
+ defined(MBEDTLS_CHACHAPOLY_C)\r
+ if( cipher_info->mode == MBEDTLS_MODE_GCM ||\r
+ cipher_info->mode == MBEDTLS_MODE_CCM ||\r
+ cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )\r
+ {\r
+ size_t explicit_ivlen;\r
+\r
+ transform->maclen = 0;\r
+ mac_key_len = 0;\r
+ transform->taglen =\r
+ ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;\r
+\r
+ /* All modes haves 96-bit IVs;\r
+ * GCM and CCM has 4 implicit and 8 explicit bytes\r
+ * ChachaPoly has all 12 bytes implicit\r
+ */\r
+ transform->ivlen = 12;\r
+ if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )\r
+ transform->fixed_ivlen = 12;\r
+ else\r
+ transform->fixed_ivlen = 4;\r
+\r
+ /* Minimum length of encrypted record */\r
+ explicit_ivlen = transform->ivlen - transform->fixed_ivlen;\r
+ transform->minlen = explicit_ivlen + transform->taglen;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */\r
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)\r
+ if( cipher_info->mode == MBEDTLS_MODE_STREAM ||\r
+ cipher_info->mode == MBEDTLS_MODE_CBC )\r
+ {\r
+ /* Initialize HMAC contexts */\r
+ if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||\r
+ ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );\r
+ goto end;\r
+ }\r
+\r
+ /* Get MAC length */\r
+ mac_key_len = mbedtls_md_get_size( md_info );\r
+ transform->maclen = mac_key_len;\r
+\r
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)\r
+ /*\r
+ * If HMAC is to be truncated, we shall keep the leftmost bytes,\r
+ * (rfc 6066 page 13 or rfc 2104 section 4),\r
+ * so we only need to adjust the length here.\r
+ */\r
+ if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )\r
+ {\r
+ transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;\r
+\r
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)\r
+ /* Fall back to old, non-compliant version of the truncated\r
+ * HMAC implementation which also truncates the key\r
+ * (Mbed TLS versions from 1.3 to 2.6.0) */\r
+ mac_key_len = transform->maclen;\r
+#endif\r
+ }\r
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */\r
+\r
+ /* IV length */\r
+ transform->ivlen = cipher_info->iv_size;\r
+\r
+ /* Minimum length */\r
+ if( cipher_info->mode == MBEDTLS_MODE_STREAM )\r
+ transform->minlen = transform->maclen;\r
+ else\r
+ {\r
+ /*\r
+ * GenericBlockCipher:\r
+ * 1. if EtM is in use: one block plus MAC\r
+ * otherwise: * first multiple of blocklen greater than maclen\r
+ * 2. IV except for SSL3 and TLS 1.0\r
+ */\r
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)\r
+ if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )\r
+ {\r
+ transform->minlen = transform->maclen\r
+ + cipher_info->block_size;\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ transform->minlen = transform->maclen\r
+ + cipher_info->block_size\r
+ - transform->maclen % cipher_info->block_size;\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||\r
+ ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )\r
+ ; /* No need to adjust minlen */\r
+ else\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||\r
+ ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )\r
+ {\r
+ transform->minlen += transform->ivlen;\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;\r
+ goto end;\r
+ }\r
+ }\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %u, minlen: %u, ivlen: %u, maclen: %u",\r
+ (unsigned) keylen,\r
+ (unsigned) transform->minlen,\r
+ (unsigned) transform->ivlen,\r
+ (unsigned) transform->maclen ) );\r
+\r
+ /*\r
+ * Finally setup the cipher contexts, IVs and MAC secrets.\r
+ */\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )\r
+ {\r
+ key1 = keyblk + mac_key_len * 2;\r
+ key2 = keyblk + mac_key_len * 2 + keylen;\r
+\r
+ mac_enc = keyblk;\r
+ mac_dec = keyblk + mac_key_len;\r
+\r
+ /*\r
+ * This is not used in TLS v1.1.\r
+ */\r
+ iv_copy_len = ( transform->fixed_ivlen ) ?\r
+ transform->fixed_ivlen : transform->ivlen;\r
+ memcpy( transform->iv_enc, key2 + keylen, iv_copy_len );\r
+ memcpy( transform->iv_dec, key2 + keylen + iv_copy_len,\r
+ iv_copy_len );\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_CLI_C */\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ {\r
+ key1 = keyblk + mac_key_len * 2 + keylen;\r
+ key2 = keyblk + mac_key_len * 2;\r
+\r
+ mac_enc = keyblk + mac_key_len;\r
+ mac_dec = keyblk;\r
+\r
+ /*\r
+ * This is not used in TLS v1.1.\r
+ */\r
+ iv_copy_len = ( transform->fixed_ivlen ) ?\r
+ transform->fixed_ivlen : transform->ivlen;\r
+ memcpy( transform->iv_dec, key1 + keylen, iv_copy_len );\r
+ memcpy( transform->iv_enc, key1 + keylen + iv_copy_len,\r
+ iv_copy_len );\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_SRV_C */\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;\r
+ goto end;\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )\r
+ {\r
+ if( mac_key_len > sizeof( transform->mac_enc ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;\r
+ goto end;\r
+ }\r
+\r
+ memcpy( transform->mac_enc, mac_enc, mac_key_len );\r
+ memcpy( transform->mac_dec, mac_dec, mac_key_len );\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )\r
+ {\r
+ /* For HMAC-based ciphersuites, initialize the HMAC transforms.\r
+ For AEAD-based ciphersuites, there is nothing to do here. */\r
+ if( mac_key_len != 0 )\r
+ {\r
+ mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );\r
+ mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );\r
+ }\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;\r
+ goto end;\r
+ }\r
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */\r
+\r
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)\r
+ if( mbedtls_ssl_hw_record_init != NULL )\r
+ {\r
+ int ret = 0;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );\r
+\r
+ if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, keylen,\r
+ transform->iv_enc, transform->iv_dec,\r
+ iv_copy_len,\r
+ mac_enc, mac_dec,\r
+ mac_key_len ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );\r
+ ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;\r
+ goto end;\r
+ }\r
+ }\r
+#else\r
+ ((void) mac_dec);\r
+ ((void) mac_enc);\r
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */\r
+\r
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)\r
+ if( ssl->conf->f_export_keys != NULL )\r
+ {\r
+ ssl->conf->f_export_keys( ssl->conf->p_export_keys,\r
+ session->master, keyblk,\r
+ mac_key_len, keylen,\r
+ iv_copy_len );\r
+ }\r
+\r
+ if( ssl->conf->f_export_keys_ext != NULL )\r
+ {\r
+ ssl->conf->f_export_keys_ext( ssl->conf->p_export_keys,\r
+ session->master, keyblk,\r
+ mac_key_len, keylen,\r
+ iv_copy_len,\r
+ handshake->randbytes + 32,\r
+ handshake->randbytes,\r
+ tls_prf_get_type( handshake->tls_prf ) );\r
+ }\r
+#endif\r
+\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+\r
+ /* Only use PSA-based ciphers for TLS-1.2.\r
+ * That's relevant at least for TLS-1.0, where\r
+ * we assume that mbedtls_cipher_crypt() updates\r
+ * the structure field for the IV, which the PSA-based\r
+ * implementation currently doesn't. */\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )\r
+ {\r
+ ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,\r
+ cipher_info, transform->taglen );\r
+ if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );\r
+ goto end;\r
+ }\r
+\r
+ if( ret == 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based encryption cipher context" ) );\r
+ psa_fallthrough = 0;\r
+ }\r
+ else\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record encryption - fall through to default setup." ) );\r
+ psa_fallthrough = 1;\r
+ }\r
+ }\r
+ else\r
+ psa_fallthrough = 1;\r
+#else\r
+ psa_fallthrough = 1;\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+ if( psa_fallthrough == 1 )\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO */\r
+ if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,\r
+ cipher_info ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );\r
+ goto end;\r
+ }\r
+\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ /* Only use PSA-based ciphers for TLS-1.2.\r
+ * That's relevant at least for TLS-1.0, where\r
+ * we assume that mbedtls_cipher_crypt() updates\r
+ * the structure field for the IV, which the PSA-based\r
+ * implementation currently doesn't. */\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )\r
+ {\r
+ ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,\r
+ cipher_info, transform->taglen );\r
+ if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup_psa", ret );\r
+ goto end;\r
+ }\r
+\r
+ if( ret == 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Successfully setup PSA-based decryption cipher context" ) );\r
+ psa_fallthrough = 0;\r
+ }\r
+ else\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to setup PSA-based cipher context for record decryption - fall through to default setup." ) );\r
+ psa_fallthrough = 1;\r
+ }\r
+ }\r
+ else\r
+ psa_fallthrough = 1;\r
+#else\r
+ psa_fallthrough = 1;\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+ if( psa_fallthrough == 1 )\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO */\r
+ if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,\r
+ cipher_info ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );\r
+ goto end;\r
+ }\r
+\r
+ if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,\r
+ cipher_info->key_bitlen,\r
+ MBEDTLS_ENCRYPT ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );\r
+ goto end;\r
+ }\r
+\r
+ if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,\r
+ cipher_info->key_bitlen,\r
+ MBEDTLS_DECRYPT ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );\r
+ goto end;\r
+ }\r
+\r
+#if defined(MBEDTLS_CIPHER_MODE_CBC)\r
+ if( cipher_info->mode == MBEDTLS_MODE_CBC )\r
+ {\r
+ if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,\r
+ MBEDTLS_PADDING_NONE ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );\r
+ goto end;\r
+ }\r
+\r
+ if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,\r
+ MBEDTLS_PADDING_NONE ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );\r
+ goto end;\r
+ }\r
+ }\r
+#endif /* MBEDTLS_CIPHER_MODE_CBC */\r
+\r
+\r
+#if defined(MBEDTLS_ZLIB_SUPPORT)\r
+ // Initialize compression\r
+ //\r
+ if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )\r
+ {\r
+ if( ssl->compress_buf == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );\r
+ ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );\r
+ if( ssl->compress_buf == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",\r
+ MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );\r
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;\r
+ goto end;\r
+ }\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );\r
+\r
+ memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );\r
+ memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );\r
+\r
+ if( deflateInit( &transform->ctx_deflate,\r
+ Z_DEFAULT_COMPRESSION ) != Z_OK ||\r
+ inflateInit( &transform->ctx_inflate ) != Z_OK )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );\r
+ ret = MBEDTLS_ERR_SSL_COMPRESSION_FAILED;\r
+ goto end;\r
+ }\r
+ }\r
+#endif /* MBEDTLS_ZLIB_SUPPORT */\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );\r
+end:\r
+ mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );\r
+ mbedtls_platform_zeroize( handshake->randbytes,\r
+ sizeof( handshake->randbytes ) );\r
+ return( ret );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char hash[36] )\r
+{\r
+ mbedtls_md5_context md5;\r
+ mbedtls_sha1_context sha1;\r
+ unsigned char pad_1[48];\r
+ unsigned char pad_2[48];\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );\r
+\r
+ mbedtls_md5_init( &md5 );\r
+ mbedtls_sha1_init( &sha1 );\r
+\r
+ mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );\r
+ mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );\r
+\r
+ memset( pad_1, 0x36, 48 );\r
+ memset( pad_2, 0x5C, 48 );\r
+\r
+ mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );\r
+ mbedtls_md5_update_ret( &md5, pad_1, 48 );\r
+ mbedtls_md5_finish_ret( &md5, hash );\r
+\r
+ mbedtls_md5_starts_ret( &md5 );\r
+ mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );\r
+ mbedtls_md5_update_ret( &md5, pad_2, 48 );\r
+ mbedtls_md5_update_ret( &md5, hash, 16 );\r
+ mbedtls_md5_finish_ret( &md5, hash );\r
+\r
+ mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );\r
+ mbedtls_sha1_update_ret( &sha1, pad_1, 40 );\r
+ mbedtls_sha1_finish_ret( &sha1, hash + 16 );\r
+\r
+ mbedtls_sha1_starts_ret( &sha1 );\r
+ mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );\r
+ mbedtls_sha1_update_ret( &sha1, pad_2, 40 );\r
+ mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );\r
+ mbedtls_sha1_finish_ret( &sha1, hash + 16 );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );\r
+\r
+ mbedtls_md5_free( &md5 );\r
+ mbedtls_sha1_free( &sha1 );\r
+\r
+ return;\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char hash[36] )\r
+{\r
+ mbedtls_md5_context md5;\r
+ mbedtls_sha1_context sha1;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );\r
+\r
+ mbedtls_md5_init( &md5 );\r
+ mbedtls_sha1_init( &sha1 );\r
+\r
+ mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );\r
+ mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );\r
+\r
+ mbedtls_md5_finish_ret( &md5, hash );\r
+ mbedtls_sha1_finish_ret( &sha1, hash + 16 );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );\r
+\r
+ mbedtls_md5_free( &md5 );\r
+ mbedtls_sha1_free( &sha1 );\r
+\r
+ return;\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA256_C)\r
+void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char hash[32] )\r
+{\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ size_t hash_size;\r
+ psa_status_t status;\r
+ psa_hash_operation_t sha256_psa = psa_hash_operation_init();\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha256" ) );\r
+ status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );\r
+ return;\r
+ }\r
+\r
+ status = psa_hash_finish( &sha256_psa, hash, 32, &hash_size );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );\r
+ return;\r
+ }\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 32 );\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );\r
+#else\r
+ mbedtls_sha256_context sha256;\r
+\r
+ mbedtls_sha256_init( &sha256 );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );\r
+\r
+ mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );\r
+ mbedtls_sha256_finish_ret( &sha256, hash );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );\r
+\r
+ mbedtls_sha256_free( &sha256 );\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO */\r
+ return;\r
+}\r
+#endif /* MBEDTLS_SHA256_C */\r
+\r
+#if defined(MBEDTLS_SHA512_C)\r
+void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char hash[48] )\r
+{\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ size_t hash_size;\r
+ psa_status_t status;\r
+ psa_hash_operation_t sha384_psa = psa_hash_operation_init();\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PSA calc verify sha384" ) );\r
+ status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );\r
+ return;\r
+ }\r
+\r
+ status = psa_hash_finish( &sha384_psa, hash, 48, &hash_size );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );\r
+ return;\r
+ }\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated verify result", hash, 48 );\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= PSA calc verify" ) );\r
+#else\r
+ mbedtls_sha512_context sha512;\r
+\r
+ mbedtls_sha512_init( &sha512 );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );\r
+\r
+ mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );\r
+ mbedtls_sha512_finish_ret( &sha512, hash );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );\r
+\r
+ mbedtls_sha512_free( &sha512 );\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO */\r
+ return;\r
+}\r
+#endif /* MBEDTLS_SHA512_C */\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)\r
+int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )\r
+{\r
+ unsigned char *p = ssl->handshake->premaster;\r
+ unsigned char *end = p + sizeof( ssl->handshake->premaster );\r
+ const unsigned char *psk = ssl->conf->psk;\r
+ size_t psk_len = ssl->conf->psk_len;\r
+\r
+ /* If the psk callback was called, use its result */\r
+ if( ssl->handshake->psk != NULL )\r
+ {\r
+ psk = ssl->handshake->psk;\r
+ psk_len = ssl->handshake->psk_len;\r
+ }\r
+\r
+ /*\r
+ * PMS = struct {\r
+ * opaque other_secret<0..2^16-1>;\r
+ * opaque psk<0..2^16-1>;\r
+ * };\r
+ * with "other_secret" depending on the particular key exchange\r
+ */\r
+#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)\r
+ if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )\r
+ {\r
+ if( end - p < 2 )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ *(p++) = (unsigned char)( psk_len >> 8 );\r
+ *(p++) = (unsigned char)( psk_len );\r
+\r
+ if( end < p || (size_t)( end - p ) < psk_len )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ memset( p, 0, psk_len );\r
+ p += psk_len;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */\r
+#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)\r
+ if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )\r
+ {\r
+ /*\r
+ * other_secret already set by the ClientKeyExchange message,\r
+ * and is 48 bytes long\r
+ */\r
+ if( end - p < 2 )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ *p++ = 0;\r
+ *p++ = 48;\r
+ p += 48;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */\r
+#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)\r
+ if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )\r
+ {\r
+ int ret;\r
+ size_t len;\r
+\r
+ /* Write length only when we know the actual value */\r
+ if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,\r
+ p + 2, end - ( p + 2 ), &len,\r
+ ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );\r
+ return( ret );\r
+ }\r
+ *(p++) = (unsigned char)( len >> 8 );\r
+ *(p++) = (unsigned char)( len );\r
+ p += len;\r
+\r
+ MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );\r
+ }\r
+ else\r
+#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */\r
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)\r
+ if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )\r
+ {\r
+ int ret;\r
+ size_t zlen;\r
+\r
+ if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,\r
+ p + 2, end - ( p + 2 ),\r
+ ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );\r
+ return( ret );\r
+ }\r
+\r
+ *(p++) = (unsigned char)( zlen >> 8 );\r
+ *(p++) = (unsigned char)( zlen );\r
+ p += zlen;\r
+\r
+ MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,\r
+ MBEDTLS_DEBUG_ECDH_Z );\r
+ }\r
+ else\r
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ /* opaque psk<0..2^16-1>; */\r
+ if( end - p < 2 )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ *(p++) = (unsigned char)( psk_len >> 8 );\r
+ *(p++) = (unsigned char)( psk_len );\r
+\r
+ if( end < p || (size_t)( end - p ) < psk_len )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ memcpy( p, psk, psk_len );\r
+ p += psk_len;\r
+\r
+ ssl->handshake->pmslen = p - ssl->handshake->premaster;\r
+\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+/*\r
+ * SSLv3.0 MAC functions\r
+ */\r
+#define SSL_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */\r
+static void ssl_mac( mbedtls_md_context_t *md_ctx,\r
+ const unsigned char *secret,\r
+ const unsigned char *buf, size_t len,\r
+ const unsigned char *ctr, int type,\r
+ unsigned char out[SSL_MAC_MAX_BYTES] )\r
+{\r
+ unsigned char header[11];\r
+ unsigned char padding[48];\r
+ int padlen;\r
+ int md_size = mbedtls_md_get_size( md_ctx->md_info );\r
+ int md_type = mbedtls_md_get_type( md_ctx->md_info );\r
+\r
+ /* Only MD5 and SHA-1 supported */\r
+ if( md_type == MBEDTLS_MD_MD5 )\r
+ padlen = 48;\r
+ else\r
+ padlen = 40;\r
+\r
+ memcpy( header, ctr, 8 );\r
+ header[ 8] = (unsigned char) type;\r
+ header[ 9] = (unsigned char)( len >> 8 );\r
+ header[10] = (unsigned char)( len );\r
+\r
+ memset( padding, 0x36, padlen );\r
+ mbedtls_md_starts( md_ctx );\r
+ mbedtls_md_update( md_ctx, secret, md_size );\r
+ mbedtls_md_update( md_ctx, padding, padlen );\r
+ mbedtls_md_update( md_ctx, header, 11 );\r
+ mbedtls_md_update( md_ctx, buf, len );\r
+ mbedtls_md_finish( md_ctx, out );\r
+\r
+ memset( padding, 0x5C, padlen );\r
+ mbedtls_md_starts( md_ctx );\r
+ mbedtls_md_update( md_ctx, secret, md_size );\r
+ mbedtls_md_update( md_ctx, padding, padlen );\r
+ mbedtls_md_update( md_ctx, out, md_size );\r
+ mbedtls_md_finish( md_ctx, out );\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */\r
+\r
+/* The function below is only used in the Lucky 13 counter-measure in\r
+ * mbedtls_ssl_decrypt_buf(). These are the defines that guard the call site. */\r
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC) && \\r
+ ( defined(MBEDTLS_SSL_PROTO_TLS1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_2) )\r
+/* This function makes sure every byte in the memory region is accessed\r
+ * (in ascending addresses order) */\r
+static void ssl_read_memory( unsigned char *p, size_t len )\r
+{\r
+ unsigned char acc = 0;\r
+ volatile unsigned char force;\r
+\r
+ for( ; len != 0; p++, len-- )\r
+ acc ^= *p;\r
+\r
+ force = acc;\r
+ (void) force;\r
+}\r
+#endif /* SSL_SOME_MODES_USE_MAC && ( TLS1 || TLS1_1 || TLS1_2 ) */\r
+\r
+/*\r
+ * Encryption/decryption functions\r
+ */\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+/* This functions transforms a DTLS plaintext fragment and a record content\r
+ * type into an instance of the DTLSInnerPlaintext structure:\r
+ *\r
+ * struct {\r
+ * opaque content[DTLSPlaintext.length];\r
+ * ContentType real_type;\r
+ * uint8 zeros[length_of_padding];\r
+ * } DTLSInnerPlaintext;\r
+ *\r
+ * Input:\r
+ * - `content`: The beginning of the buffer holding the\r
+ * plaintext to be wrapped.\r
+ * - `*content_size`: The length of the plaintext in Bytes.\r
+ * - `max_len`: The number of Bytes available starting from\r
+ * `content`. This must be `>= *content_size`.\r
+ * - `rec_type`: The desired record content type.\r
+ *\r
+ * Output:\r
+ * - `content`: The beginning of the resulting DTLSInnerPlaintext structure.\r
+ * - `*content_size`: The length of the resulting DTLSInnerPlaintext structure.\r
+ *\r
+ * Returns:\r
+ * - `0` on success.\r
+ * - A negative error code if `max_len` didn't offer enough space\r
+ * for the expansion.\r
+ */\r
+static int ssl_cid_build_inner_plaintext( unsigned char *content,\r
+ size_t *content_size,\r
+ size_t remaining,\r
+ uint8_t rec_type )\r
+{\r
+ size_t len = *content_size;\r
+ size_t pad = ( MBEDTLS_SSL_CID_PADDING_GRANULARITY -\r
+ ( len + 1 ) % MBEDTLS_SSL_CID_PADDING_GRANULARITY ) %\r
+ MBEDTLS_SSL_CID_PADDING_GRANULARITY;\r
+\r
+ /* Write real content type */\r
+ if( remaining == 0 )\r
+ return( -1 );\r
+ content[ len ] = rec_type;\r
+ len++;\r
+ remaining--;\r
+\r
+ if( remaining < pad )\r
+ return( -1 );\r
+ memset( content + len, 0, pad );\r
+ len += pad;\r
+ remaining -= pad;\r
+\r
+ *content_size = len;\r
+ return( 0 );\r
+}\r
+\r
+/* This function parses a DTLSInnerPlaintext structure.\r
+ * See ssl_cid_build_inner_plaintext() for details. */\r
+static int ssl_cid_parse_inner_plaintext( unsigned char const *content,\r
+ size_t *content_size,\r
+ uint8_t *rec_type )\r
+{\r
+ size_t remaining = *content_size;\r
+\r
+ /* Determine length of padding by skipping zeroes from the back. */\r
+ do\r
+ {\r
+ if( remaining == 0 )\r
+ return( -1 );\r
+ remaining--;\r
+ } while( content[ remaining ] == 0 );\r
+\r
+ *content_size = remaining;\r
+ *rec_type = content[ remaining ];\r
+\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+\r
+/* `add_data` must have size 13 Bytes if the CID extension is disabled,\r
+ * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */\r
+static void ssl_extract_add_data_from_record( unsigned char* add_data,\r
+ size_t *add_data_len,\r
+ mbedtls_record *rec )\r
+{\r
+ /* Quoting RFC 5246 (TLS 1.2):\r
+ *\r
+ * additional_data = seq_num + TLSCompressed.type +\r
+ * TLSCompressed.version + TLSCompressed.length;\r
+ *\r
+ * For the CID extension, this is extended as follows\r
+ * (quoting draft-ietf-tls-dtls-connection-id-05,\r
+ * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05):\r
+ *\r
+ * additional_data = seq_num + DTLSPlaintext.type +\r
+ * DTLSPlaintext.version +\r
+ * cid +\r
+ * cid_length +\r
+ * length_of_DTLSInnerPlaintext;\r
+ */\r
+\r
+ memcpy( add_data, rec->ctr, sizeof( rec->ctr ) );\r
+ add_data[8] = rec->type;\r
+ memcpy( add_data + 9, rec->ver, sizeof( rec->ver ) );\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ if( rec->cid_len != 0 )\r
+ {\r
+ memcpy( add_data + 11, rec->cid, rec->cid_len );\r
+ add_data[11 + rec->cid_len + 0] = rec->cid_len;\r
+ add_data[11 + rec->cid_len + 1] = ( rec->data_len >> 8 ) & 0xFF;\r
+ add_data[11 + rec->cid_len + 2] = ( rec->data_len >> 0 ) & 0xFF;\r
+ *add_data_len = 13 + 1 + rec->cid_len;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+ {\r
+ add_data[11 + 0] = ( rec->data_len >> 8 ) & 0xFF;\r
+ add_data[11 + 1] = ( rec->data_len >> 0 ) & 0xFF;\r
+ *add_data_len = 13;\r
+ }\r
+}\r
+\r
+int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,\r
+ mbedtls_ssl_transform *transform,\r
+ mbedtls_record *rec,\r
+ int (*f_rng)(void *, unsigned char *, size_t),\r
+ void *p_rng )\r
+{\r
+ mbedtls_cipher_mode_t mode;\r
+ int auth_done = 0;\r
+ unsigned char * data;\r
+ unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];\r
+ size_t add_data_len;\r
+ size_t post_avail;\r
+\r
+ /* The SSL context is only used for debugging purposes! */\r
+#if !defined(MBEDTLS_DEBUG_C)\r
+ ((void) ssl);\r
+#endif\r
+\r
+ /* The PRNG is used for dynamic IV generation that's used\r
+ * for CBC transformations in TLS 1.1 and TLS 1.2. */\r
+#if !( defined(MBEDTLS_CIPHER_MODE_CBC) && \\r
+ ( defined(MBEDTLS_AES_C) || \\r
+ defined(MBEDTLS_ARIA_C) || \\r
+ defined(MBEDTLS_CAMELLIA_C) ) && \\r
+ ( defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2) ) )\r
+ ((void) f_rng);\r
+ ((void) p_rng);\r
+#endif\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );\r
+\r
+ if( transform == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+ if( rec == NULL\r
+ || rec->buf == NULL\r
+ || rec->buf_len < rec->data_offset\r
+ || rec->buf_len - rec->data_offset < rec->data_len\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ || rec->cid_len != 0\r
+#endif\r
+ )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ data = rec->buf + rec->data_offset;\r
+ post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",\r
+ data, rec->data_len );\r
+\r
+ mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc );\r
+\r
+ if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %u too large, maximum %d",\r
+ (unsigned) rec->data_len,\r
+ MBEDTLS_SSL_OUT_CONTENT_LEN ) );\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ /*\r
+ * Add CID information\r
+ */\r
+ rec->cid_len = transform->out_cid_len;\r
+ memcpy( rec->cid, transform->out_cid, transform->out_cid_len );\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );\r
+\r
+ if( rec->cid_len != 0 )\r
+ {\r
+ /*\r
+ * Wrap plaintext into DTLSInnerPlaintext structure.\r
+ * See ssl_cid_build_inner_plaintext() for more information.\r
+ *\r
+ * Note that this changes `rec->data_len`, and hence\r
+ * `post_avail` needs to be recalculated afterwards.\r
+ */\r
+ if( ssl_cid_build_inner_plaintext( data,\r
+ &rec->data_len,\r
+ post_avail,\r
+ rec->type ) != 0 )\r
+ {\r
+ return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );\r
+ }\r
+\r
+ rec->type = MBEDTLS_SSL_MSG_CID;\r
+ }\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+\r
+ post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );\r
+\r
+ /*\r
+ * Add MAC before if needed\r
+ */\r
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)\r
+ if( mode == MBEDTLS_MODE_STREAM ||\r
+ ( mode == MBEDTLS_MODE_CBC\r
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)\r
+ && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED\r
+#endif\r
+ ) )\r
+ {\r
+ if( post_avail < transform->maclen )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );\r
+ return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )\r
+ {\r
+ unsigned char mac[SSL_MAC_MAX_BYTES];\r
+ ssl_mac( &transform->md_ctx_enc, transform->mac_enc,\r
+ data, rec->data_len, rec->ctr, rec->type, mac );\r
+ memcpy( data + rec->data_len, mac, transform->maclen );\r
+ }\r
+ else\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )\r
+ {\r
+ unsigned char mac[MBEDTLS_SSL_MAC_ADD];\r
+\r
+ ssl_extract_add_data_from_record( add_data, &add_data_len, rec );\r
+\r
+ mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,\r
+ add_data_len );\r
+ mbedtls_md_hmac_update( &transform->md_ctx_enc,\r
+ data, rec->data_len );\r
+ mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );\r
+ mbedtls_md_hmac_reset( &transform->md_ctx_enc );\r
+\r
+ memcpy( data + rec->data_len, mac, transform->maclen );\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len,\r
+ transform->maclen );\r
+\r
+ rec->data_len += transform->maclen;\r
+ post_avail -= transform->maclen;\r
+ auth_done++;\r
+ }\r
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */\r
+\r
+ /*\r
+ * Encrypt\r
+ */\r
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)\r
+ if( mode == MBEDTLS_MODE_STREAM )\r
+ {\r
+ int ret;\r
+ size_t olen;\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "\r
+ "including %d bytes of padding",\r
+ rec->data_len, 0 ) );\r
+\r
+ if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,\r
+ transform->iv_enc, transform->ivlen,\r
+ data, rec->data_len,\r
+ data, &olen ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );\r
+ return( ret );\r
+ }\r
+\r
+ if( rec->data_len != olen )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+ }\r
+ else\r
+#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */\r
+\r
+#if defined(MBEDTLS_GCM_C) || \\r
+ defined(MBEDTLS_CCM_C) || \\r
+ defined(MBEDTLS_CHACHAPOLY_C)\r
+ if( mode == MBEDTLS_MODE_GCM ||\r
+ mode == MBEDTLS_MODE_CCM ||\r
+ mode == MBEDTLS_MODE_CHACHAPOLY )\r
+ {\r
+ int ret;\r
+ unsigned char iv[12];\r
+ size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;\r
+\r
+ /* Check that there's space for both the authentication tag\r
+ * and the explicit IV before and after the record content. */\r
+ if( post_avail < transform->taglen ||\r
+ rec->data_offset < explicit_iv_len )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );\r
+ return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );\r
+ }\r
+\r
+ /*\r
+ * Generate IV\r
+ */\r
+ if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )\r
+ {\r
+ /* GCM and CCM: fixed || explicit (=seqnum) */\r
+ memcpy( iv, transform->iv_enc, transform->fixed_ivlen );\r
+ memcpy( iv + transform->fixed_ivlen, rec->ctr,\r
+ explicit_iv_len );\r
+ /* Prefix record content with explicit IV. */\r
+ memcpy( data - explicit_iv_len, rec->ctr, explicit_iv_len );\r
+ }\r
+ else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )\r
+ {\r
+ /* ChachaPoly: fixed XOR sequence number */\r
+ unsigned char i;\r
+\r
+ memcpy( iv, transform->iv_enc, transform->fixed_ivlen );\r
+\r
+ for( i = 0; i < 8; i++ )\r
+ iv[i+4] ^= rec->ctr[i];\r
+ }\r
+ else\r
+ {\r
+ /* Reminder if we ever add an AEAD mode with a different size */\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ ssl_extract_add_data_from_record( add_data, &add_data_len, rec );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",\r
+ iv, transform->ivlen );\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",\r
+ data - explicit_iv_len, explicit_iv_len );\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",\r
+ add_data, add_data_len );\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "\r
+ "including 0 bytes of padding",\r
+ rec->data_len ) );\r
+\r
+ /*\r
+ * Encrypt and authenticate\r
+ */\r
+\r
+ if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,\r
+ iv, transform->ivlen,\r
+ add_data, add_data_len, /* add data */\r
+ data, rec->data_len, /* source */\r
+ data, &rec->data_len, /* destination */\r
+ data + rec->data_len, transform->taglen ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );\r
+ return( ret );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",\r
+ data + rec->data_len, transform->taglen );\r
+\r
+ rec->data_len += transform->taglen + explicit_iv_len;\r
+ rec->data_offset -= explicit_iv_len;\r
+ post_avail -= transform->taglen;\r
+ auth_done++;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */\r
+#if defined(MBEDTLS_CIPHER_MODE_CBC) && \\r
+ ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )\r
+ if( mode == MBEDTLS_MODE_CBC )\r
+ {\r
+ int ret;\r
+ size_t padlen, i;\r
+ size_t olen;\r
+\r
+ /* Currently we're always using minimal padding\r
+ * (up to 255 bytes would be allowed). */\r
+ padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen;\r
+ if( padlen == transform->ivlen )\r
+ padlen = 0;\r
+\r
+ /* Check there's enough space in the buffer for the padding. */\r
+ if( post_avail < padlen + 1 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );\r
+ return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );\r
+ }\r
+\r
+ for( i = 0; i <= padlen; i++ )\r
+ data[rec->data_len + i] = (unsigned char) padlen;\r
+\r
+ rec->data_len += padlen + 1;\r
+ post_avail -= padlen + 1;\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ /*\r
+ * Prepend per-record IV for block cipher in TLS v1.1 and up as per\r
+ * Method 1 (6.2.3.2. in RFC4346 and RFC5246)\r
+ */\r
+ if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )\r
+ {\r
+ if( f_rng == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ if( rec->data_offset < transform->ivlen )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );\r
+ return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );\r
+ }\r
+\r
+ /*\r
+ * Generate IV\r
+ */\r
+ ret = f_rng( p_rng, transform->iv_enc, transform->ivlen );\r
+ if( ret != 0 )\r
+ return( ret );\r
+\r
+ memcpy( data - transform->ivlen, transform->iv_enc,\r
+ transform->ivlen );\r
+\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "\r
+ "including %d bytes of IV and %d bytes of padding",\r
+ rec->data_len, transform->ivlen,\r
+ padlen + 1 ) );\r
+\r
+ if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,\r
+ transform->iv_enc,\r
+ transform->ivlen,\r
+ data, rec->data_len,\r
+ data, &olen ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );\r
+ return( ret );\r
+ }\r
+\r
+ if( rec->data_len != olen )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)\r
+ if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )\r
+ {\r
+ /*\r
+ * Save IV in SSL3 and TLS1\r
+ */\r
+ memcpy( transform->iv_enc, transform->cipher_ctx_enc.iv,\r
+ transform->ivlen );\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ data -= transform->ivlen;\r
+ rec->data_offset -= transform->ivlen;\r
+ rec->data_len += transform->ivlen;\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)\r
+ if( auth_done == 0 )\r
+ {\r
+ unsigned char mac[MBEDTLS_SSL_MAC_ADD];\r
+\r
+ /*\r
+ * MAC(MAC_write_key, seq_num +\r
+ * TLSCipherText.type +\r
+ * TLSCipherText.version +\r
+ * length_of( (IV +) ENC(...) ) +\r
+ * IV + // except for TLS 1.0\r
+ * ENC(content + padding + padding_length));\r
+ */\r
+\r
+ if( post_avail < transform->maclen)\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );\r
+ return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );\r
+ }\r
+\r
+ ssl_extract_add_data_from_record( add_data, &add_data_len, rec );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,\r
+ add_data_len );\r
+\r
+ mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,\r
+ add_data_len );\r
+ mbedtls_md_hmac_update( &transform->md_ctx_enc,\r
+ data, rec->data_len );\r
+ mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );\r
+ mbedtls_md_hmac_reset( &transform->md_ctx_enc );\r
+\r
+ memcpy( data + rec->data_len, mac, transform->maclen );\r
+\r
+ rec->data_len += transform->maclen;\r
+ post_avail -= transform->maclen;\r
+ auth_done++;\r
+ }\r
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */\r
+ }\r
+ else\r
+#endif /* MBEDTLS_CIPHER_MODE_CBC &&\r
+ ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ /* Make extra sure authentication was performed, exactly once */\r
+ if( auth_done != 1 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,\r
+ mbedtls_ssl_transform *transform,\r
+ mbedtls_record *rec )\r
+{\r
+ size_t olen;\r
+ mbedtls_cipher_mode_t mode;\r
+ int ret, auth_done = 0;\r
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)\r
+ size_t padlen = 0, correct = 1;\r
+#endif\r
+ unsigned char* data;\r
+ unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ];\r
+ size_t add_data_len;\r
+\r
+#if !defined(MBEDTLS_DEBUG_C)\r
+ ((void) ssl);\r
+#endif\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );\r
+ if( transform == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to decrypt_buf" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+ if( rec == NULL ||\r
+ rec->buf == NULL ||\r
+ rec->buf_len < rec->data_offset ||\r
+ rec->buf_len - rec->data_offset < rec->data_len )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ data = rec->buf + rec->data_offset;\r
+ mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec );\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ /*\r
+ * Match record's CID with incoming CID.\r
+ */\r
+ if( rec->cid_len != transform->in_cid_len ||\r
+ memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )\r
+ {\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );\r
+ }\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+\r
+#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)\r
+ if( mode == MBEDTLS_MODE_STREAM )\r
+ {\r
+ padlen = 0;\r
+ if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,\r
+ transform->iv_dec,\r
+ transform->ivlen,\r
+ data, rec->data_len,\r
+ data, &olen ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );\r
+ return( ret );\r
+ }\r
+\r
+ if( rec->data_len != olen )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+ }\r
+ else\r
+#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */\r
+#if defined(MBEDTLS_GCM_C) || \\r
+ defined(MBEDTLS_CCM_C) || \\r
+ defined(MBEDTLS_CHACHAPOLY_C)\r
+ if( mode == MBEDTLS_MODE_GCM ||\r
+ mode == MBEDTLS_MODE_CCM ||\r
+ mode == MBEDTLS_MODE_CHACHAPOLY )\r
+ {\r
+ unsigned char iv[12];\r
+ size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;\r
+\r
+ /*\r
+ * Compute and update sizes\r
+ */\r
+ if( rec->data_len < explicit_iv_len + transform->taglen )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "\r
+ "+ taglen (%d)", rec->data_len,\r
+ explicit_iv_len, transform->taglen ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );\r
+ }\r
+\r
+ /*\r
+ * Prepare IV\r
+ */\r
+ if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )\r
+ {\r
+ /* GCM and CCM: fixed || explicit (transmitted) */\r
+ memcpy( iv, transform->iv_dec, transform->fixed_ivlen );\r
+ memcpy( iv + transform->fixed_ivlen, data, 8 );\r
+\r
+ }\r
+ else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )\r
+ {\r
+ /* ChachaPoly: fixed XOR sequence number */\r
+ unsigned char i;\r
+\r
+ memcpy( iv, transform->iv_dec, transform->fixed_ivlen );\r
+\r
+ for( i = 0; i < 8; i++ )\r
+ iv[i+4] ^= rec->ctr[i];\r
+ }\r
+ else\r
+ {\r
+ /* Reminder if we ever add an AEAD mode with a different size */\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ data += explicit_iv_len;\r
+ rec->data_offset += explicit_iv_len;\r
+ rec->data_len -= explicit_iv_len + transform->taglen;\r
+\r
+ ssl_extract_add_data_from_record( add_data, &add_data_len, rec );\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",\r
+ add_data, add_data_len );\r
+\r
+ memcpy( transform->iv_dec + transform->fixed_ivlen,\r
+ data - explicit_iv_len, explicit_iv_len );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len,\r
+ transform->taglen );\r
+\r
+\r
+ /*\r
+ * Decrypt and authenticate\r
+ */\r
+ if( ( ret = mbedtls_cipher_auth_decrypt( &transform->cipher_ctx_dec,\r
+ iv, transform->ivlen,\r
+ add_data, add_data_len,\r
+ data, rec->data_len,\r
+ data, &olen,\r
+ data + rec->data_len,\r
+ transform->taglen ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );\r
+\r
+ if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )\r
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );\r
+\r
+ return( ret );\r
+ }\r
+ auth_done++;\r
+\r
+ if( olen != rec->data_len )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+ }\r
+ else\r
+#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */\r
+#if defined(MBEDTLS_CIPHER_MODE_CBC) && \\r
+ ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) || defined(MBEDTLS_ARIA_C) )\r
+ if( mode == MBEDTLS_MODE_CBC )\r
+ {\r
+ size_t minlen = 0;\r
+\r
+ /*\r
+ * Check immediate ciphertext sanity\r
+ */\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )\r
+ {\r
+ /* The ciphertext is prefixed with the CBC IV. */\r
+ minlen += transform->ivlen;\r
+ }\r
+#endif\r
+\r
+ /* Size considerations:\r
+ *\r
+ * - The CBC cipher text must not be empty and hence\r
+ * at least of size transform->ivlen.\r
+ *\r
+ * Together with the potential IV-prefix, this explains\r
+ * the first of the two checks below.\r
+ *\r
+ * - The record must contain a MAC, either in plain or\r
+ * encrypted, depending on whether Encrypt-then-MAC\r
+ * is used or not.\r
+ * - If it is, the message contains the IV-prefix,\r
+ * the CBC ciphertext, and the MAC.\r
+ * - If it is not, the padded plaintext, and hence\r
+ * the CBC ciphertext, has at least length maclen + 1\r
+ * because there is at least the padding length byte.\r
+ *\r
+ * As the CBC ciphertext is not empty, both cases give the\r
+ * lower bound minlen + maclen + 1 on the record size, which\r
+ * we test for in the second check below.\r
+ */\r
+ if( rec->data_len < minlen + transform->ivlen ||\r
+ rec->data_len < minlen + transform->maclen + 1 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "\r
+ "+ 1 ) ( + expl IV )", rec->data_len,\r
+ transform->ivlen,\r
+ transform->maclen ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );\r
+ }\r
+\r
+ /*\r
+ * Authenticate before decrypt if enabled\r
+ */\r
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)\r
+ if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )\r
+ {\r
+ unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );\r
+\r
+ /* Safe due to the check data_len >= minlen + maclen + 1 above. */\r
+ rec->data_len -= transform->maclen;\r
+\r
+ ssl_extract_add_data_from_record( add_data, &add_data_len, rec );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,\r
+ add_data_len );\r
+ mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,\r
+ add_data_len );\r
+ mbedtls_md_hmac_update( &transform->md_ctx_dec,\r
+ data, rec->data_len );\r
+ mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );\r
+ mbedtls_md_hmac_reset( &transform->md_ctx_dec );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len,\r
+ transform->maclen );\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,\r
+ transform->maclen );\r
+\r
+ if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,\r
+ transform->maclen ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );\r
+ }\r
+ auth_done++;\r
+ }\r
+#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */\r
+\r
+ /*\r
+ * Check length sanity\r
+ */\r
+ if( rec->data_len % transform->ivlen != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",\r
+ rec->data_len, transform->ivlen ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ /*\r
+ * Initialize for prepended IV for block cipher in TLS v1.1 and up\r
+ */\r
+ if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )\r
+ {\r
+ /* This is safe because data_len >= minlen + maclen + 1 initially,\r
+ * and at this point we have at most subtracted maclen (note that\r
+ * minlen == transform->ivlen here). */\r
+ memcpy( transform->iv_dec, data, transform->ivlen );\r
+\r
+ data += transform->ivlen;\r
+ rec->data_offset += transform->ivlen;\r
+ rec->data_len -= transform->ivlen;\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+ if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,\r
+ transform->iv_dec, transform->ivlen,\r
+ data, rec->data_len, data, &olen ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );\r
+ return( ret );\r
+ }\r
+\r
+ if( rec->data_len != olen )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)\r
+ if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )\r
+ {\r
+ /*\r
+ * Save IV in SSL3 and TLS1\r
+ */\r
+ memcpy( transform->iv_dec, transform->cipher_ctx_dec.iv,\r
+ transform->ivlen );\r
+ }\r
+#endif\r
+\r
+ /* Safe since data_len >= minlen + maclen + 1, so after having\r
+ * subtracted at most minlen and maclen up to this point,\r
+ * data_len > 0. */\r
+ padlen = data[rec->data_len - 1];\r
+\r
+ if( auth_done == 1 )\r
+ {\r
+ correct *= ( rec->data_len >= padlen + 1 );\r
+ padlen *= ( rec->data_len >= padlen + 1 );\r
+ }\r
+ else\r
+ {\r
+#if defined(MBEDTLS_SSL_DEBUG_ALL)\r
+ if( rec->data_len < transform->maclen + padlen + 1 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",\r
+ rec->data_len,\r
+ transform->maclen,\r
+ padlen + 1 ) );\r
+ }\r
+#endif\r
+\r
+ correct *= ( rec->data_len >= transform->maclen + padlen + 1 );\r
+ padlen *= ( rec->data_len >= transform->maclen + padlen + 1 );\r
+ }\r
+\r
+ padlen++;\r
+\r
+ /* Regardless of the validity of the padding,\r
+ * we have data_len >= padlen here. */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )\r
+ {\r
+ if( padlen > transform->ivlen )\r
+ {\r
+#if defined(MBEDTLS_SSL_DEBUG_ALL)\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "\r
+ "should be no more than %d",\r
+ padlen, transform->ivlen ) );\r
+#endif\r
+ correct = 0;\r
+ }\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )\r
+ {\r
+ /* The padding check involves a series of up to 256\r
+ * consecutive memory reads at the end of the record\r
+ * plaintext buffer. In order to hide the length and\r
+ * validity of the padding, always perform exactly\r
+ * `min(256,plaintext_len)` reads (but take into account\r
+ * only the last `padlen` bytes for the padding check). */\r
+ size_t pad_count = 0;\r
+ size_t real_count = 0;\r
+ volatile unsigned char* const check = data;\r
+\r
+ /* Index of first padding byte; it has been ensured above\r
+ * that the subtraction is safe. */\r
+ size_t const padding_idx = rec->data_len - padlen;\r
+ size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;\r
+ size_t const start_idx = rec->data_len - num_checks;\r
+ size_t idx;\r
+\r
+ for( idx = start_idx; idx < rec->data_len; idx++ )\r
+ {\r
+ real_count |= ( idx >= padding_idx );\r
+ pad_count += real_count * ( check[idx] == padlen - 1 );\r
+ }\r
+ correct &= ( pad_count == padlen );\r
+\r
+#if defined(MBEDTLS_SSL_DEBUG_ALL)\r
+ if( padlen > 0 && correct == 0 )\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );\r
+#endif\r
+ padlen &= correct * 0x1FF;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \\r
+ MBEDTLS_SSL_PROTO_TLS1_2 */\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ /* If the padding was found to be invalid, padlen == 0\r
+ * and the subtraction is safe. If the padding was found valid,\r
+ * padlen hasn't been changed and the previous assertion\r
+ * data_len >= padlen still holds. */\r
+ rec->data_len -= padlen;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_CIPHER_MODE_CBC &&\r
+ ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C || MBEDTLS_ARIA_C ) */\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_DEBUG_ALL)\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",\r
+ data, rec->data_len );\r
+#endif\r
+\r
+ /*\r
+ * Authenticate if not done yet.\r
+ * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).\r
+ */\r
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)\r
+ if( auth_done == 0 )\r
+ {\r
+ unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];\r
+\r
+ /* If the initial value of padlen was such that\r
+ * data_len < maclen + padlen + 1, then padlen\r
+ * got reset to 1, and the initial check\r
+ * data_len >= minlen + maclen + 1\r
+ * guarantees that at this point we still\r
+ * have at least data_len >= maclen.\r
+ *\r
+ * If the initial value of padlen was such that\r
+ * data_len >= maclen + padlen + 1, then we have\r
+ * subtracted either padlen + 1 (if the padding was correct)\r
+ * or 0 (if the padding was incorrect) since then,\r
+ * hence data_len >= maclen in any case.\r
+ */\r
+ rec->data_len -= transform->maclen;\r
+\r
+ ssl_extract_add_data_from_record( add_data, &add_data_len, rec );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )\r
+ {\r
+ ssl_mac( &transform->md_ctx_dec,\r
+ transform->mac_dec,\r
+ data, rec->data_len,\r
+ rec->ctr, rec->type,\r
+ mac_expect );\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )\r
+ {\r
+ /*\r
+ * Process MAC and always update for padlen afterwards to make\r
+ * total time independent of padlen.\r
+ *\r
+ * Known timing attacks:\r
+ * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)\r
+ *\r
+ * To compensate for different timings for the MAC calculation\r
+ * depending on how much padding was removed (which is determined\r
+ * by padlen), process extra_run more blocks through the hash\r
+ * function.\r
+ *\r
+ * The formula in the paper is\r
+ * extra_run = ceil( (L1-55) / 64 ) - ceil( (L2-55) / 64 )\r
+ * where L1 is the size of the header plus the decrypted message\r
+ * plus CBC padding and L2 is the size of the header plus the\r
+ * decrypted message. This is for an underlying hash function\r
+ * with 64-byte blocks.\r
+ * We use ( (Lx+8) / 64 ) to handle 'negative Lx' values\r
+ * correctly. We round down instead of up, so -56 is the correct\r
+ * value for our calculations instead of -55.\r
+ *\r
+ * Repeat the formula rather than defining a block_size variable.\r
+ * This avoids requiring division by a variable at runtime\r
+ * (which would be marginally less efficient and would require\r
+ * linking an extra division function in some builds).\r
+ */\r
+ size_t j, extra_run = 0;\r
+ unsigned char tmp[MBEDTLS_MD_MAX_BLOCK_SIZE];\r
+\r
+ /*\r
+ * The next two sizes are the minimum and maximum values of\r
+ * in_msglen over all padlen values.\r
+ *\r
+ * They're independent of padlen, since we previously did\r
+ * in_msglen -= padlen.\r
+ *\r
+ * Note that max_len + maclen is never more than the buffer\r
+ * length, as we previously did in_msglen -= maclen too.\r
+ */\r
+ const size_t max_len = rec->data_len + padlen;\r
+ const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;\r
+\r
+ memset( tmp, 0, sizeof( tmp ) );\r
+\r
+ switch( mbedtls_md_get_type( transform->md_ctx_dec.md_info ) )\r
+ {\r
+#if defined(MBEDTLS_MD5_C) || defined(MBEDTLS_SHA1_C) || \\r
+ defined(MBEDTLS_SHA256_C)\r
+ case MBEDTLS_MD_MD5:\r
+ case MBEDTLS_MD_SHA1:\r
+ case MBEDTLS_MD_SHA256:\r
+ /* 8 bytes of message size, 64-byte compression blocks */\r
+ extra_run =\r
+ ( add_data_len + rec->data_len + padlen + 8 ) / 64 -\r
+ ( add_data_len + rec->data_len + 8 ) / 64;\r
+ break;\r
+#endif\r
+#if defined(MBEDTLS_SHA512_C)\r
+ case MBEDTLS_MD_SHA384:\r
+ /* 16 bytes of message size, 128-byte compression blocks */\r
+ extra_run =\r
+ ( add_data_len + rec->data_len + padlen + 16 ) / 128 -\r
+ ( add_data_len + rec->data_len + 16 ) / 128;\r
+ break;\r
+#endif\r
+ default:\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ extra_run &= correct * 0xFF;\r
+\r
+ mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,\r
+ add_data_len );\r
+ mbedtls_md_hmac_update( &transform->md_ctx_dec, data,\r
+ rec->data_len );\r
+ /* Make sure we access everything even when padlen > 0. This\r
+ * makes the synchronisation requirements for just-in-time\r
+ * Prime+Probe attacks much tighter and hopefully impractical. */\r
+ ssl_read_memory( data + rec->data_len, padlen );\r
+ mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );\r
+\r
+ /* Call mbedtls_md_process at least once due to cache attacks\r
+ * that observe whether md_process() was called of not */\r
+ for( j = 0; j < extra_run + 1; j++ )\r
+ mbedtls_md_process( &transform->md_ctx_dec, tmp );\r
+\r
+ mbedtls_md_hmac_reset( &transform->md_ctx_dec );\r
+\r
+ /* Make sure we access all the memory that could contain the MAC,\r
+ * before we check it in the next code block. This makes the\r
+ * synchronisation requirements for just-in-time Prime+Probe\r
+ * attacks much tighter and hopefully impractical. */\r
+ ssl_read_memory( data + min_len,\r
+ max_len - min_len + transform->maclen );\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \\r
+ MBEDTLS_SSL_PROTO_TLS1_2 */\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_DEBUG_ALL)\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", data + rec->data_len, transform->maclen );\r
+#endif\r
+\r
+ if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,\r
+ transform->maclen ) != 0 )\r
+ {\r
+#if defined(MBEDTLS_SSL_DEBUG_ALL)\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );\r
+#endif\r
+ correct = 0;\r
+ }\r
+ auth_done++;\r
+ }\r
+\r
+ /*\r
+ * Finally check the correct flag\r
+ */\r
+ if( correct == 0 )\r
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );\r
+#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */\r
+\r
+ /* Make extra sure authentication was performed, exactly once */\r
+ if( auth_done != 1 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ if( rec->cid_len != 0 )\r
+ {\r
+ ret = ssl_cid_parse_inner_plaintext( data, &rec->data_len,\r
+ &rec->type );\r
+ if( ret != 0 )\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+#undef MAC_NONE\r
+#undef MAC_PLAINTEXT\r
+#undef MAC_CIPHERTEXT\r
+\r
+#if defined(MBEDTLS_ZLIB_SUPPORT)\r
+/*\r
+ * Compression/decompression functions\r
+ */\r
+static int ssl_compress_buf( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+ unsigned char *msg_post = ssl->out_msg;\r
+ ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;\r
+ size_t len_pre = ssl->out_msglen;\r
+ unsigned char *msg_pre = ssl->compress_buf;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );\r
+\r
+ if( len_pre == 0 )\r
+ return( 0 );\r
+\r
+ memcpy( msg_pre, ssl->out_msg, len_pre );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",\r
+ ssl->out_msglen ) );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",\r
+ ssl->out_msg, ssl->out_msglen );\r
+\r
+ ssl->transform_out->ctx_deflate.next_in = msg_pre;\r
+ ssl->transform_out->ctx_deflate.avail_in = len_pre;\r
+ ssl->transform_out->ctx_deflate.next_out = msg_post;\r
+ ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;\r
+\r
+ ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );\r
+ if( ret != Z_OK )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );\r
+ return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );\r
+ }\r
+\r
+ ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -\r
+ ssl->transform_out->ctx_deflate.avail_out - bytes_written;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",\r
+ ssl->out_msglen ) );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",\r
+ ssl->out_msg, ssl->out_msglen );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+static int ssl_decompress_buf( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+ unsigned char *msg_post = ssl->in_msg;\r
+ ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;\r
+ size_t len_pre = ssl->in_msglen;\r
+ unsigned char *msg_pre = ssl->compress_buf;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );\r
+\r
+ if( len_pre == 0 )\r
+ return( 0 );\r
+\r
+ memcpy( msg_pre, ssl->in_msg, len_pre );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",\r
+ ssl->in_msglen ) );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",\r
+ ssl->in_msg, ssl->in_msglen );\r
+\r
+ ssl->transform_in->ctx_inflate.next_in = msg_pre;\r
+ ssl->transform_in->ctx_inflate.avail_in = len_pre;\r
+ ssl->transform_in->ctx_inflate.next_out = msg_post;\r
+ ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -\r
+ header_bytes;\r
+\r
+ ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );\r
+ if( ret != Z_OK )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );\r
+ return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );\r
+ }\r
+\r
+ ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -\r
+ ssl->transform_in->ctx_inflate.avail_out - header_bytes;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",\r
+ ssl->in_msglen ) );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",\r
+ ssl->in_msg, ssl->in_msglen );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );\r
+\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_ZLIB_SUPPORT */\r
+\r
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)\r
+static int ssl_write_hello_request( mbedtls_ssl_context *ssl );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )\r
+{\r
+ /* If renegotiation is not enforced, retransmit until we would reach max\r
+ * timeout if we were using the usual handshake doubling scheme */\r
+ if( ssl->conf->renego_max_records < 0 )\r
+ {\r
+ uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;\r
+ unsigned char doublings = 1;\r
+\r
+ while( ratio != 0 )\r
+ {\r
+ ++doublings;\r
+ ratio >>= 1;\r
+ }\r
+\r
+ if( ++ssl->renego_records_seen > doublings )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );\r
+ return( 0 );\r
+ }\r
+ }\r
+\r
+ return( ssl_write_hello_request( ssl ) );\r
+}\r
+#endif\r
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */\r
+\r
+/*\r
+ * Fill the input message buffer by appending data to it.\r
+ * The amount of data already fetched is in ssl->in_left.\r
+ *\r
+ * If we return 0, is it guaranteed that (at least) nb_want bytes are\r
+ * available (from this read and/or a previous one). Otherwise, an error code\r
+ * is returned (possibly EOF or WANT_READ).\r
+ *\r
+ * With stream transport (TLS) on success ssl->in_left == nb_want, but\r
+ * with datagram transport (DTLS) on success ssl->in_left >= nb_want,\r
+ * since we always read a whole datagram at once.\r
+ *\r
+ * For DTLS, it is up to the caller to set ssl->next_record_offset when\r
+ * they're done reading a record.\r
+ */\r
+int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )\r
+{\r
+ int ret;\r
+ size_t len;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );\r
+\r
+ if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "\r
+ "or mbedtls_ssl_set_bio()" ) );\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ uint32_t timeout;\r
+\r
+ /* Just to be sure */\r
+ if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "\r
+ "mbedtls_ssl_set_timer_cb() for DTLS" ) );\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ /*\r
+ * The point is, we need to always read a full datagram at once, so we\r
+ * sometimes read more then requested, and handle the additional data.\r
+ * It could be the rest of the current record (while fetching the\r
+ * header) and/or some other records in the same datagram.\r
+ */\r
+\r
+ /*\r
+ * Move to the next record in the already read datagram if applicable\r
+ */\r
+ if( ssl->next_record_offset != 0 )\r
+ {\r
+ if( ssl->in_left < ssl->next_record_offset )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ ssl->in_left -= ssl->next_record_offset;\r
+\r
+ if( ssl->in_left != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",\r
+ ssl->next_record_offset ) );\r
+ memmove( ssl->in_hdr,\r
+ ssl->in_hdr + ssl->next_record_offset,\r
+ ssl->in_left );\r
+ }\r
+\r
+ ssl->next_record_offset = 0;\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",\r
+ ssl->in_left, nb_want ) );\r
+\r
+ /*\r
+ * Done if we already have enough data.\r
+ */\r
+ if( nb_want <= ssl->in_left)\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );\r
+ return( 0 );\r
+ }\r
+\r
+ /*\r
+ * A record can't be split across datagrams. If we need to read but\r
+ * are not at the beginning of a new record, the caller did something\r
+ * wrong.\r
+ */\r
+ if( ssl->in_left != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ /*\r
+ * Don't even try to read if time's out already.\r
+ * This avoids by-passing the timer when repeatedly receiving messages\r
+ * that will end up being dropped.\r
+ */\r
+ if( ssl_check_timer( ssl ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );\r
+ ret = MBEDTLS_ERR_SSL_TIMEOUT;\r
+ }\r
+ else\r
+ {\r
+ len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );\r
+\r
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ timeout = ssl->handshake->retransmit_timeout;\r
+ else\r
+ timeout = ssl->conf->read_timeout;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );\r
+\r
+ if( ssl->f_recv_timeout != NULL )\r
+ ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,\r
+ timeout );\r
+ else\r
+ ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );\r
+\r
+ MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );\r
+\r
+ if( ret == 0 )\r
+ return( MBEDTLS_ERR_SSL_CONN_EOF );\r
+ }\r
+\r
+ if( ret == MBEDTLS_ERR_SSL_TIMEOUT )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );\r
+ ssl_set_timer( ssl, 0 );\r
+\r
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ {\r
+ if( ssl_double_retransmit_timeout( ssl ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );\r
+ return( MBEDTLS_ERR_SSL_TIMEOUT );\r
+ }\r
+\r
+ if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );\r
+ return( ret );\r
+ }\r
+\r
+ return( MBEDTLS_ERR_SSL_WANT_READ );\r
+ }\r
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&\r
+ ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )\r
+ {\r
+ if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );\r
+ return( ret );\r
+ }\r
+\r
+ return( MBEDTLS_ERR_SSL_WANT_READ );\r
+ }\r
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */\r
+ }\r
+\r
+ if( ret < 0 )\r
+ return( ret );\r
+\r
+ ssl->in_left = ret;\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",\r
+ ssl->in_left, nb_want ) );\r
+\r
+ while( ssl->in_left < nb_want )\r
+ {\r
+ len = nb_want - ssl->in_left;\r
+\r
+ if( ssl_check_timer( ssl ) != 0 )\r
+ ret = MBEDTLS_ERR_SSL_TIMEOUT;\r
+ else\r
+ {\r
+ if( ssl->f_recv_timeout != NULL )\r
+ {\r
+ ret = ssl->f_recv_timeout( ssl->p_bio,\r
+ ssl->in_hdr + ssl->in_left, len,\r
+ ssl->conf->read_timeout );\r
+ }\r
+ else\r
+ {\r
+ ret = ssl->f_recv( ssl->p_bio,\r
+ ssl->in_hdr + ssl->in_left, len );\r
+ }\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",\r
+ ssl->in_left, nb_want ) );\r
+ MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );\r
+\r
+ if( ret == 0 )\r
+ return( MBEDTLS_ERR_SSL_CONN_EOF );\r
+\r
+ if( ret < 0 )\r
+ return( ret );\r
+\r
+ if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1,\r
+ ( "f_recv returned %d bytes but only %lu were requested",\r
+ ret, (unsigned long)len ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ ssl->in_left += ret;\r
+ }\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * Flush any data not yet written\r
+ */\r
+int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+ unsigned char *buf;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );\r
+\r
+ if( ssl->f_send == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "\r
+ "or mbedtls_ssl_set_bio()" ) );\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ /* Avoid incrementing counter if data is flushed */\r
+ if( ssl->out_left == 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );\r
+ return( 0 );\r
+ }\r
+\r
+ while( ssl->out_left > 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",\r
+ mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );\r
+\r
+ buf = ssl->out_hdr - ssl->out_left;\r
+ ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );\r
+\r
+ MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );\r
+\r
+ if( ret <= 0 )\r
+ return( ret );\r
+\r
+ if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > SIZE_MAX ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1,\r
+ ( "f_send returned %d bytes but only %lu bytes were sent",\r
+ ret, (unsigned long)ssl->out_left ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ ssl->out_left -= ret;\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ ssl->out_hdr = ssl->out_buf;\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ ssl->out_hdr = ssl->out_buf + 8;\r
+ }\r
+ ssl_update_out_pointers( ssl, ssl->transform_out );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * Functions to handle the DTLS retransmission state machine\r
+ */\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+/*\r
+ * Append current handshake message to current outgoing flight\r
+ */\r
+static int ssl_flight_append( mbedtls_ssl_context *ssl )\r
+{\r
+ mbedtls_ssl_flight_item *msg;\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",\r
+ ssl->out_msg, ssl->out_msglen );\r
+\r
+ /* Allocate space for current message */\r
+ if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",\r
+ sizeof( mbedtls_ssl_flight_item ) ) );\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+ }\r
+\r
+ if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );\r
+ mbedtls_free( msg );\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+ }\r
+\r
+ /* Copy current handshake message with headers */\r
+ memcpy( msg->p, ssl->out_msg, ssl->out_msglen );\r
+ msg->len = ssl->out_msglen;\r
+ msg->type = ssl->out_msgtype;\r
+ msg->next = NULL;\r
+\r
+ /* Append to the current flight */\r
+ if( ssl->handshake->flight == NULL )\r
+ ssl->handshake->flight = msg;\r
+ else\r
+ {\r
+ mbedtls_ssl_flight_item *cur = ssl->handshake->flight;\r
+ while( cur->next != NULL )\r
+ cur = cur->next;\r
+ cur->next = msg;\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * Free the current flight of handshake messages\r
+ */\r
+static void ssl_flight_free( mbedtls_ssl_flight_item *flight )\r
+{\r
+ mbedtls_ssl_flight_item *cur = flight;\r
+ mbedtls_ssl_flight_item *next;\r
+\r
+ while( cur != NULL )\r
+ {\r
+ next = cur->next;\r
+\r
+ mbedtls_free( cur->p );\r
+ mbedtls_free( cur );\r
+\r
+ cur = next;\r
+ }\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)\r
+static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );\r
+#endif\r
+\r
+/*\r
+ * Swap transform_out and out_ctr with the alternative ones\r
+ */\r
+static void ssl_swap_epochs( mbedtls_ssl_context *ssl )\r
+{\r
+ mbedtls_ssl_transform *tmp_transform;\r
+ unsigned char tmp_out_ctr[8];\r
+\r
+ if( ssl->transform_out == ssl->handshake->alt_transform_out )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );\r
+ return;\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );\r
+\r
+ /* Swap transforms */\r
+ tmp_transform = ssl->transform_out;\r
+ ssl->transform_out = ssl->handshake->alt_transform_out;\r
+ ssl->handshake->alt_transform_out = tmp_transform;\r
+\r
+ /* Swap epoch + sequence_number */\r
+ memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 );\r
+ memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 );\r
+ memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );\r
+\r
+ /* Adjust to the newly activated transform */\r
+ ssl_update_out_pointers( ssl, ssl->transform_out );\r
+\r
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)\r
+ if( mbedtls_ssl_hw_record_activate != NULL )\r
+ {\r
+ if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+ }\r
+#endif\r
+}\r
+\r
+/*\r
+ * Retransmit the current flight of messages.\r
+ */\r
+int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret = 0;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );\r
+\r
+ ret = mbedtls_ssl_flight_transmit( ssl );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );\r
+\r
+ return( ret );\r
+}\r
+\r
+/*\r
+ * Transmit or retransmit the current flight of messages.\r
+ *\r
+ * Need to remember the current message in case flush_output returns\r
+ * WANT_WRITE, causing us to exit this function and come back later.\r
+ * This function must be called until state is no longer SENDING.\r
+ */\r
+int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );\r
+\r
+ if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );\r
+\r
+ ssl->handshake->cur_msg = ssl->handshake->flight;\r
+ ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;\r
+ ssl_swap_epochs( ssl );\r
+\r
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;\r
+ }\r
+\r
+ while( ssl->handshake->cur_msg != NULL )\r
+ {\r
+ size_t max_frag_len;\r
+ const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;\r
+\r
+ int const is_finished =\r
+ ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&\r
+ cur->p[0] == MBEDTLS_SSL_HS_FINISHED );\r
+\r
+ uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?\r
+ SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;\r
+\r
+ /* Swap epochs before sending Finished: we can't do it after\r
+ * sending ChangeCipherSpec, in case write returns WANT_READ.\r
+ * Must be done before copying, may change out_msg pointer */\r
+ if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );\r
+ ssl_swap_epochs( ssl );\r
+ }\r
+\r
+ ret = ssl_get_remaining_payload_in_datagram( ssl );\r
+ if( ret < 0 )\r
+ return( ret );\r
+ max_frag_len = (size_t) ret;\r
+\r
+ /* CCS is copied as is, while HS messages may need fragmentation */\r
+ if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )\r
+ {\r
+ if( max_frag_len == 0 )\r
+ {\r
+ if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )\r
+ return( ret );\r
+\r
+ continue;\r
+ }\r
+\r
+ memcpy( ssl->out_msg, cur->p, cur->len );\r
+ ssl->out_msglen = cur->len;\r
+ ssl->out_msgtype = cur->type;\r
+\r
+ /* Update position inside current message */\r
+ ssl->handshake->cur_msg_p += cur->len;\r
+ }\r
+ else\r
+ {\r
+ const unsigned char * const p = ssl->handshake->cur_msg_p;\r
+ const size_t hs_len = cur->len - 12;\r
+ const size_t frag_off = p - ( cur->p + 12 );\r
+ const size_t rem_len = hs_len - frag_off;\r
+ size_t cur_hs_frag_len, max_hs_frag_len;\r
+\r
+ if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )\r
+ {\r
+ if( is_finished )\r
+ ssl_swap_epochs( ssl );\r
+\r
+ if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )\r
+ return( ret );\r
+\r
+ continue;\r
+ }\r
+ max_hs_frag_len = max_frag_len - 12;\r
+\r
+ cur_hs_frag_len = rem_len > max_hs_frag_len ?\r
+ max_hs_frag_len : rem_len;\r
+\r
+ if( frag_off == 0 && cur_hs_frag_len != hs_len )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",\r
+ (unsigned) cur_hs_frag_len,\r
+ (unsigned) max_hs_frag_len ) );\r
+ }\r
+\r
+ /* Messages are stored with handshake headers as if not fragmented,\r
+ * copy beginning of headers then fill fragmentation fields.\r
+ * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */\r
+ memcpy( ssl->out_msg, cur->p, 6 );\r
+\r
+ ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );\r
+ ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );\r
+ ssl->out_msg[8] = ( ( frag_off ) & 0xff );\r
+\r
+ ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );\r
+ ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );\r
+ ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );\r
+\r
+ /* Copy the handshake message content and set records fields */\r
+ memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );\r
+ ssl->out_msglen = cur_hs_frag_len + 12;\r
+ ssl->out_msgtype = cur->type;\r
+\r
+ /* Update position inside current message */\r
+ ssl->handshake->cur_msg_p += cur_hs_frag_len;\r
+ }\r
+\r
+ /* If done with the current message move to the next one if any */\r
+ if( ssl->handshake->cur_msg_p >= cur->p + cur->len )\r
+ {\r
+ if( cur->next != NULL )\r
+ {\r
+ ssl->handshake->cur_msg = cur->next;\r
+ ssl->handshake->cur_msg_p = cur->next->p + 12;\r
+ }\r
+ else\r
+ {\r
+ ssl->handshake->cur_msg = NULL;\r
+ ssl->handshake->cur_msg_p = NULL;\r
+ }\r
+ }\r
+\r
+ /* Actually send the message out */\r
+ if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+\r
+ if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )\r
+ return( ret );\r
+\r
+ /* Update state and set timer */\r
+ if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;\r
+ else\r
+ {\r
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;\r
+ ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * To be called when the last message of an incoming flight is received.\r
+ */\r
+void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )\r
+{\r
+ /* We won't need to resend that one any more */\r
+ ssl_flight_free( ssl->handshake->flight );\r
+ ssl->handshake->flight = NULL;\r
+ ssl->handshake->cur_msg = NULL;\r
+\r
+ /* The next incoming flight will start with this msg_seq */\r
+ ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;\r
+\r
+ /* We don't want to remember CCS's across flight boundaries. */\r
+ ssl->handshake->buffering.seen_ccs = 0;\r
+\r
+ /* Clear future message buffering structure. */\r
+ ssl_buffering_free( ssl );\r
+\r
+ /* Cancel timer */\r
+ ssl_set_timer( ssl, 0 );\r
+\r
+ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&\r
+ ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )\r
+ {\r
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;\r
+ }\r
+ else\r
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;\r
+}\r
+\r
+/*\r
+ * To be called when the last message of an outgoing flight is send.\r
+ */\r
+void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )\r
+{\r
+ ssl_reset_retransmit_timeout( ssl );\r
+ ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );\r
+\r
+ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&\r
+ ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )\r
+ {\r
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;\r
+ }\r
+ else\r
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+/*\r
+ * Handshake layer functions\r
+ */\r
+\r
+/*\r
+ * Write (DTLS: or queue) current handshake (including CCS) message.\r
+ *\r
+ * - fill in handshake headers\r
+ * - update handshake checksum\r
+ * - DTLS: save message for resending\r
+ * - then pass to the record layer\r
+ *\r
+ * DTLS: except for HelloRequest, messages are only queued, and will only be\r
+ * actually sent when calling flight_transmit() or resend().\r
+ *\r
+ * Inputs:\r
+ * - ssl->out_msglen: 4 + actual handshake message len\r
+ * (4 is the size of handshake headers for TLS)\r
+ * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)\r
+ * - ssl->out_msg + 4: the handshake message body\r
+ *\r
+ * Outputs, ie state before passing to flight_append() or write_record():\r
+ * - ssl->out_msglen: the length of the record contents\r
+ * (including handshake headers but excluding record headers)\r
+ * - ssl->out_msg: the record contents (handshake headers + content)\r
+ */\r
+int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+ const size_t hs_len = ssl->out_msglen - 4;\r
+ const unsigned char hs_type = ssl->out_msg[0];\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );\r
+\r
+ /*\r
+ * Sanity checks\r
+ */\r
+ if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&\r
+ ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )\r
+ {\r
+ /* In SSLv3, the client might send a NoCertificate alert. */\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)\r
+ if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&\r
+ ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&\r
+ ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+ }\r
+\r
+ /* Whenever we send anything different from a\r
+ * HelloRequest we should be in a handshake - double check. */\r
+ if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&\r
+ hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&\r
+ ssl->handshake == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ssl->handshake != NULL &&\r
+ ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+#endif\r
+\r
+ /* Double-check that we did not exceed the bounds\r
+ * of the outgoing record buffer.\r
+ * This should never fail as the various message\r
+ * writing functions must obey the bounds of the\r
+ * outgoing record buffer, but better be safe.\r
+ *\r
+ * Note: We deliberately do not check for the MTU or MFL here.\r
+ */\r
+ if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "\r
+ "size %u, maximum %u",\r
+ (unsigned) ssl->out_msglen,\r
+ (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ /*\r
+ * Fill handshake headers\r
+ */\r
+ if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )\r
+ {\r
+ ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );\r
+ ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );\r
+ ssl->out_msg[3] = (unsigned char)( hs_len );\r
+\r
+ /*\r
+ * DTLS has additional fields in the Handshake layer,\r
+ * between the length field and the actual payload:\r
+ * uint16 message_seq;\r
+ * uint24 fragment_offset;\r
+ * uint24 fragment_length;\r
+ */\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ /* Make room for the additional DTLS fields */\r
+ if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "\r
+ "size %u, maximum %u",\r
+ (unsigned) ( hs_len ),\r
+ (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );\r
+ ssl->out_msglen += 8;\r
+\r
+ /* Write message_seq and update it, except for HelloRequest */\r
+ if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )\r
+ {\r
+ ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;\r
+ ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;\r
+ ++( ssl->handshake->out_msg_seq );\r
+ }\r
+ else\r
+ {\r
+ ssl->out_msg[4] = 0;\r
+ ssl->out_msg[5] = 0;\r
+ }\r
+\r
+ /* Handshake hashes are computed without fragmentation,\r
+ * so set frag_offset = 0 and frag_len = hs_len for now */\r
+ memset( ssl->out_msg + 6, 0x00, 3 );\r
+ memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+ /* Update running hashes of handshake messages seen */\r
+ if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )\r
+ ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );\r
+ }\r
+\r
+ /* Either send now, or just save to be sent (and resent) later */\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&\r
+ hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )\r
+ {\r
+ if( ( ret = ssl_flight_append( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * Record layer functions\r
+ */\r
+\r
+/*\r
+ * Write current record.\r
+ *\r
+ * Uses:\r
+ * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)\r
+ * - ssl->out_msglen: length of the record content (excl headers)\r
+ * - ssl->out_msg: record content\r
+ */\r
+int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )\r
+{\r
+ int ret, done = 0;\r
+ size_t len = ssl->out_msglen;\r
+ uint8_t flush = force_flush;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );\r
+\r
+#if defined(MBEDTLS_ZLIB_SUPPORT)\r
+ if( ssl->transform_out != NULL &&\r
+ ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )\r
+ {\r
+ if( ( ret = ssl_compress_buf( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );\r
+ return( ret );\r
+ }\r
+\r
+ len = ssl->out_msglen;\r
+ }\r
+#endif /*MBEDTLS_ZLIB_SUPPORT */\r
+\r
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)\r
+ if( mbedtls_ssl_hw_record_write != NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );\r
+\r
+ ret = mbedtls_ssl_hw_record_write( ssl );\r
+ if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+\r
+ if( ret == 0 )\r
+ done = 1;\r
+ }\r
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */\r
+ if( !done )\r
+ {\r
+ unsigned i;\r
+ size_t protected_record_size;\r
+\r
+ /* Skip writing the record content type to after the encryption,\r
+ * as it may change when using the CID extension. */\r
+\r
+ mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,\r
+ ssl->conf->transport, ssl->out_hdr + 1 );\r
+\r
+ memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );\r
+ ssl->out_len[0] = (unsigned char)( len >> 8 );\r
+ ssl->out_len[1] = (unsigned char)( len );\r
+\r
+ if( ssl->transform_out != NULL )\r
+ {\r
+ mbedtls_record rec;\r
+\r
+ rec.buf = ssl->out_iv;\r
+ rec.buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN -\r
+ ( ssl->out_iv - ssl->out_buf );\r
+ rec.data_len = ssl->out_msglen;\r
+ rec.data_offset = ssl->out_msg - rec.buf;\r
+\r
+ memcpy( &rec.ctr[0], ssl->out_ctr, 8 );\r
+ mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,\r
+ ssl->conf->transport, rec.ver );\r
+ rec.type = ssl->out_msgtype;\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ /* The CID is set by mbedtls_ssl_encrypt_buf(). */\r
+ rec.cid_len = 0;\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+\r
+ if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec,\r
+ ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );\r
+ return( ret );\r
+ }\r
+\r
+ if( rec.data_offset != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ /* Update the record content type and CID. */\r
+ ssl->out_msgtype = rec.type;\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID )\r
+ memcpy( ssl->out_cid, rec.cid, rec.cid_len );\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+ ssl->out_msglen = len = rec.data_len;\r
+ ssl->out_len[0] = (unsigned char)( rec.data_len >> 8 );\r
+ ssl->out_len[1] = (unsigned char)( rec.data_len );\r
+ }\r
+\r
+ protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ /* In case of DTLS, double-check that we don't exceed\r
+ * the remaining space in the datagram. */\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ ret = ssl_get_remaining_space_in_datagram( ssl );\r
+ if( ret < 0 )\r
+ return( ret );\r
+\r
+ if( protected_record_size > (size_t) ret )\r
+ {\r
+ /* Should never happen */\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+ /* Now write the potentially updated record content type. */\r
+ ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "\r
+ "version = [%d:%d], msglen = %d",\r
+ ssl->out_hdr[0], ssl->out_hdr[1],\r
+ ssl->out_hdr[2], len ) );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",\r
+ ssl->out_hdr, protected_record_size );\r
+\r
+ ssl->out_left += protected_record_size;\r
+ ssl->out_hdr += protected_record_size;\r
+ ssl_update_out_pointers( ssl, ssl->transform_out );\r
+\r
+ for( i = 8; i > ssl_ep_len( ssl ); i-- )\r
+ if( ++ssl->cur_out_ctr[i - 1] != 0 )\r
+ break;\r
+\r
+ /* The loop goes to its end iff the counter is wrapping */\r
+ if( i == ssl_ep_len( ssl ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );\r
+ return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );\r
+ }\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ flush == SSL_DONT_FORCE_FLUSH )\r
+ {\r
+ size_t remaining;\r
+ ret = ssl_get_remaining_payload_in_datagram( ssl );\r
+ if( ret < 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",\r
+ ret );\r
+ return( ret );\r
+ }\r
+\r
+ remaining = (size_t) ret;\r
+ if( remaining == 0 )\r
+ {\r
+ flush = SSL_FORCE_FLUSH;\r
+ }\r
+ else\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );\r
+ }\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+ if( ( flush == SSL_FORCE_FLUSH ) &&\r
+ ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );\r
+ return( ret );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+\r
+static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )\r
+{\r
+ if( ssl->in_msglen < ssl->in_hslen ||\r
+ memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||\r
+ memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )\r
+ {\r
+ return( 1 );\r
+ }\r
+ return( 0 );\r
+}\r
+\r
+static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )\r
+{\r
+ return( ( ssl->in_msg[9] << 16 ) |\r
+ ( ssl->in_msg[10] << 8 ) |\r
+ ssl->in_msg[11] );\r
+}\r
+\r
+static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )\r
+{\r
+ return( ( ssl->in_msg[6] << 16 ) |\r
+ ( ssl->in_msg[7] << 8 ) |\r
+ ssl->in_msg[8] );\r
+}\r
+\r
+static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )\r
+{\r
+ uint32_t msg_len, frag_off, frag_len;\r
+\r
+ msg_len = ssl_get_hs_total_len( ssl );\r
+ frag_off = ssl_get_hs_frag_off( ssl );\r
+ frag_len = ssl_get_hs_frag_len( ssl );\r
+\r
+ if( frag_off > msg_len )\r
+ return( -1 );\r
+\r
+ if( frag_len > msg_len - frag_off )\r
+ return( -1 );\r
+\r
+ if( frag_len + 12 > ssl->in_msglen )\r
+ return( -1 );\r
+\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * Mark bits in bitmask (used for DTLS HS reassembly)\r
+ */\r
+static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )\r
+{\r
+ unsigned int start_bits, end_bits;\r
+\r
+ start_bits = 8 - ( offset % 8 );\r
+ if( start_bits != 8 )\r
+ {\r
+ size_t first_byte_idx = offset / 8;\r
+\r
+ /* Special case */\r
+ if( len <= start_bits )\r
+ {\r
+ for( ; len != 0; len-- )\r
+ mask[first_byte_idx] |= 1 << ( start_bits - len );\r
+\r
+ /* Avoid potential issues with offset or len becoming invalid */\r
+ return;\r
+ }\r
+\r
+ offset += start_bits; /* Now offset % 8 == 0 */\r
+ len -= start_bits;\r
+\r
+ for( ; start_bits != 0; start_bits-- )\r
+ mask[first_byte_idx] |= 1 << ( start_bits - 1 );\r
+ }\r
+\r
+ end_bits = len % 8;\r
+ if( end_bits != 0 )\r
+ {\r
+ size_t last_byte_idx = ( offset + len ) / 8;\r
+\r
+ len -= end_bits; /* Now len % 8 == 0 */\r
+\r
+ for( ; end_bits != 0; end_bits-- )\r
+ mask[last_byte_idx] |= 1 << ( 8 - end_bits );\r
+ }\r
+\r
+ memset( mask + offset / 8, 0xFF, len / 8 );\r
+}\r
+\r
+/*\r
+ * Check that bitmask is full\r
+ */\r
+static int ssl_bitmask_check( unsigned char *mask, size_t len )\r
+{\r
+ size_t i;\r
+\r
+ for( i = 0; i < len / 8; i++ )\r
+ if( mask[i] != 0xFF )\r
+ return( -1 );\r
+\r
+ for( i = 0; i < len % 8; i++ )\r
+ if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )\r
+ return( -1 );\r
+\r
+ return( 0 );\r
+}\r
+\r
+/* msg_len does not include the handshake header */\r
+static size_t ssl_get_reassembly_buffer_size( size_t msg_len,\r
+ unsigned add_bitmap )\r
+{\r
+ size_t alloc_len;\r
+\r
+ alloc_len = 12; /* Handshake header */\r
+ alloc_len += msg_len; /* Content buffer */\r
+\r
+ if( add_bitmap )\r
+ alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */\r
+\r
+ return( alloc_len );\r
+}\r
+\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )\r
+{\r
+ return( ( ssl->in_msg[1] << 16 ) |\r
+ ( ssl->in_msg[2] << 8 ) |\r
+ ssl->in_msg[3] );\r
+}\r
+\r
+int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )\r
+{\r
+ if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",\r
+ ssl->in_msglen ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+\r
+ ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="\r
+ " %d, type = %d, hslen = %d",\r
+ ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ int ret;\r
+ unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];\r
+\r
+ if( ssl_check_hs_header( ssl ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+\r
+ if( ssl->handshake != NULL &&\r
+ ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&\r
+ recv_msg_seq != ssl->handshake->in_msg_seq ) ||\r
+ ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&\r
+ ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )\r
+ {\r
+ if( recv_msg_seq > ssl->handshake->in_msg_seq )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",\r
+ recv_msg_seq,\r
+ ssl->handshake->in_msg_seq ) );\r
+ return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );\r
+ }\r
+\r
+ /* Retransmit only on last message from previous flight, to avoid\r
+ * too many retransmissions.\r
+ * Besides, No sane server ever retransmits HelloVerifyRequest */\r
+ if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&\r
+ ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "\r
+ "message_seq = %d, start_of_flight = %d",\r
+ recv_msg_seq,\r
+ ssl->handshake->in_flight_start_seq ) );\r
+\r
+ if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+ else\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "\r
+ "message_seq = %d, expected = %d",\r
+ recv_msg_seq,\r
+ ssl->handshake->in_msg_seq ) );\r
+ }\r
+\r
+ return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );\r
+ }\r
+ /* Wait until message completion to increment in_msg_seq */\r
+\r
+ /* Message reassembly is handled alongside buffering of future\r
+ * messages; the commonality is that both handshake fragments and\r
+ * future messages cannot be forwarded immediately to the\r
+ * handshake logic layer. */\r
+ if( ssl_hs_is_proper_fragment( ssl ) == 1 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );\r
+ return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );\r
+ }\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+ /* With TLS we don't handle fragmentation (for now) */\r
+ if( ssl->in_msglen < ssl->in_hslen )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );\r
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+\r
+void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )\r
+{\r
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;\r
+\r
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )\r
+ {\r
+ ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );\r
+ }\r
+\r
+ /* Handshake message is complete, increment counter */\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ssl->handshake != NULL )\r
+ {\r
+ unsigned offset;\r
+ mbedtls_ssl_hs_buffer *hs_buf;\r
+\r
+ /* Increment handshake sequence number */\r
+ hs->in_msg_seq++;\r
+\r
+ /*\r
+ * Clear up handshake buffering and reassembly structure.\r
+ */\r
+\r
+ /* Free first entry */\r
+ ssl_buffering_free_slot( ssl, 0 );\r
+\r
+ /* Shift all other entries */\r
+ for( offset = 0, hs_buf = &hs->buffering.hs[0];\r
+ offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;\r
+ offset++, hs_buf++ )\r
+ {\r
+ *hs_buf = *(hs_buf + 1);\r
+ }\r
+\r
+ /* Create a fresh last entry */\r
+ memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );\r
+ }\r
+#endif\r
+}\r
+\r
+/*\r
+ * DTLS anti-replay: RFC 6347 4.1.2.6\r
+ *\r
+ * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).\r
+ * Bit n is set iff record number in_window_top - n has been seen.\r
+ *\r
+ * Usually, in_window_top is the last record number seen and the lsb of\r
+ * in_window is set. The only exception is the initial state (record number 0\r
+ * not seen yet).\r
+ */\r
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)\r
+static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )\r
+{\r
+ ssl->in_window_top = 0;\r
+ ssl->in_window = 0;\r
+}\r
+\r
+static inline uint64_t ssl_load_six_bytes( unsigned char *buf )\r
+{\r
+ return( ( (uint64_t) buf[0] << 40 ) |\r
+ ( (uint64_t) buf[1] << 32 ) |\r
+ ( (uint64_t) buf[2] << 24 ) |\r
+ ( (uint64_t) buf[3] << 16 ) |\r
+ ( (uint64_t) buf[4] << 8 ) |\r
+ ( (uint64_t) buf[5] ) );\r
+}\r
+\r
+/*\r
+ * Return 0 if sequence number is acceptable, -1 otherwise\r
+ */\r
+int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )\r
+{\r
+ uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );\r
+ uint64_t bit;\r
+\r
+ if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )\r
+ return( 0 );\r
+\r
+ if( rec_seqnum > ssl->in_window_top )\r
+ return( 0 );\r
+\r
+ bit = ssl->in_window_top - rec_seqnum;\r
+\r
+ if( bit >= 64 )\r
+ return( -1 );\r
+\r
+ if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )\r
+ return( -1 );\r
+\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * Update replay window on new validated record\r
+ */\r
+void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )\r
+{\r
+ uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );\r
+\r
+ if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )\r
+ return;\r
+\r
+ if( rec_seqnum > ssl->in_window_top )\r
+ {\r
+ /* Update window_top and the contents of the window */\r
+ uint64_t shift = rec_seqnum - ssl->in_window_top;\r
+\r
+ if( shift >= 64 )\r
+ ssl->in_window = 1;\r
+ else\r
+ {\r
+ ssl->in_window <<= shift;\r
+ ssl->in_window |= 1;\r
+ }\r
+\r
+ ssl->in_window_top = rec_seqnum;\r
+ }\r
+ else\r
+ {\r
+ /* Mark that number as seen in the current window */\r
+ uint64_t bit = ssl->in_window_top - rec_seqnum;\r
+\r
+ if( bit < 64 ) /* Always true, but be extra sure */\r
+ ssl->in_window |= (uint64_t) 1 << bit;\r
+ }\r
+}\r
+#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)\r
+/* Forward declaration */\r
+static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );\r
+\r
+/*\r
+ * Without any SSL context, check if a datagram looks like a ClientHello with\r
+ * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.\r
+ * Both input and output include full DTLS headers.\r
+ *\r
+ * - if cookie is valid, return 0\r
+ * - if ClientHello looks superficially valid but cookie is not,\r
+ * fill obuf and set olen, then\r
+ * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED\r
+ * - otherwise return a specific error code\r
+ */\r
+static int ssl_check_dtls_clihlo_cookie(\r
+ mbedtls_ssl_cookie_write_t *f_cookie_write,\r
+ mbedtls_ssl_cookie_check_t *f_cookie_check,\r
+ void *p_cookie,\r
+ const unsigned char *cli_id, size_t cli_id_len,\r
+ const unsigned char *in, size_t in_len,\r
+ unsigned char *obuf, size_t buf_len, size_t *olen )\r
+{\r
+ size_t sid_len, cookie_len;\r
+ unsigned char *p;\r
+\r
+ if( f_cookie_write == NULL || f_cookie_check == NULL )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ /*\r
+ * Structure of ClientHello with record and handshake headers,\r
+ * and expected values. We don't need to check a lot, more checks will be\r
+ * done when actually parsing the ClientHello - skipping those checks\r
+ * avoids code duplication and does not make cookie forging any easier.\r
+ *\r
+ * 0-0 ContentType type; copied, must be handshake\r
+ * 1-2 ProtocolVersion version; copied\r
+ * 3-4 uint16 epoch; copied, must be 0\r
+ * 5-10 uint48 sequence_number; copied\r
+ * 11-12 uint16 length; (ignored)\r
+ *\r
+ * 13-13 HandshakeType msg_type; (ignored)\r
+ * 14-16 uint24 length; (ignored)\r
+ * 17-18 uint16 message_seq; copied\r
+ * 19-21 uint24 fragment_offset; copied, must be 0\r
+ * 22-24 uint24 fragment_length; (ignored)\r
+ *\r
+ * 25-26 ProtocolVersion client_version; (ignored)\r
+ * 27-58 Random random; (ignored)\r
+ * 59-xx SessionID session_id; 1 byte len + sid_len content\r
+ * 60+ opaque cookie<0..2^8-1>; 1 byte len + content\r
+ * ...\r
+ *\r
+ * Minimum length is 61 bytes.\r
+ */\r
+ if( in_len < 61 ||\r
+ in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||\r
+ in[3] != 0 || in[4] != 0 ||\r
+ in[19] != 0 || in[20] != 0 || in[21] != 0 )\r
+ {\r
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );\r
+ }\r
+\r
+ sid_len = in[59];\r
+ if( sid_len > in_len - 61 )\r
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );\r
+\r
+ cookie_len = in[60 + sid_len];\r
+ if( cookie_len > in_len - 60 )\r
+ return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );\r
+\r
+ if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,\r
+ cli_id, cli_id_len ) == 0 )\r
+ {\r
+ /* Valid cookie */\r
+ return( 0 );\r
+ }\r
+\r
+ /*\r
+ * If we get here, we've got an invalid cookie, let's prepare HVR.\r
+ *\r
+ * 0-0 ContentType type; copied\r
+ * 1-2 ProtocolVersion version; copied\r
+ * 3-4 uint16 epoch; copied\r
+ * 5-10 uint48 sequence_number; copied\r
+ * 11-12 uint16 length; olen - 13\r
+ *\r
+ * 13-13 HandshakeType msg_type; hello_verify_request\r
+ * 14-16 uint24 length; olen - 25\r
+ * 17-18 uint16 message_seq; copied\r
+ * 19-21 uint24 fragment_offset; copied\r
+ * 22-24 uint24 fragment_length; olen - 25\r
+ *\r
+ * 25-26 ProtocolVersion server_version; 0xfe 0xff\r
+ * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie\r
+ *\r
+ * Minimum length is 28.\r
+ */\r
+ if( buf_len < 28 )\r
+ return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );\r
+\r
+ /* Copy most fields and adapt others */\r
+ memcpy( obuf, in, 25 );\r
+ obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;\r
+ obuf[25] = 0xfe;\r
+ obuf[26] = 0xff;\r
+\r
+ /* Generate and write actual cookie */\r
+ p = obuf + 28;\r
+ if( f_cookie_write( p_cookie,\r
+ &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )\r
+ {\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ *olen = p - obuf;\r
+\r
+ /* Go back and fill length fields */\r
+ obuf[27] = (unsigned char)( *olen - 28 );\r
+\r
+ obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );\r
+ obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );\r
+ obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );\r
+\r
+ obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );\r
+ obuf[12] = (unsigned char)( ( *olen - 13 ) );\r
+\r
+ return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );\r
+}\r
+\r
+/*\r
+ * Handle possible client reconnect with the same UDP quadruplet\r
+ * (RFC 6347 Section 4.2.8).\r
+ *\r
+ * Called by ssl_parse_record_header() in case we receive an epoch 0 record\r
+ * that looks like a ClientHello.\r
+ *\r
+ * - if the input looks like a ClientHello without cookies,\r
+ * send back HelloVerifyRequest, then\r
+ * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED\r
+ * - if the input looks like a ClientHello with a valid cookie,\r
+ * reset the session of the current context, and\r
+ * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT\r
+ * - if anything goes wrong, return a specific error code\r
+ *\r
+ * mbedtls_ssl_read_record() will ignore the record if anything else than\r
+ * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function\r
+ * cannot not return 0.\r
+ */\r
+static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+ size_t len;\r
+\r
+ ret = ssl_check_dtls_clihlo_cookie(\r
+ ssl->conf->f_cookie_write,\r
+ ssl->conf->f_cookie_check,\r
+ ssl->conf->p_cookie,\r
+ ssl->cli_id, ssl->cli_id_len,\r
+ ssl->in_buf, ssl->in_left,\r
+ ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );\r
+\r
+ MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );\r
+\r
+ if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )\r
+ {\r
+ /* Don't check write errors as we can't do anything here.\r
+ * If the error is permanent we'll catch it later,\r
+ * if it's not, then hopefully it'll work next time. */\r
+ (void) ssl->f_send( ssl->p_bio, ssl->out_buf, len );\r
+\r
+ return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );\r
+ }\r
+\r
+ if( ret == 0 )\r
+ {\r
+ /* Got a valid cookie, partially reset context */\r
+ if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );\r
+ return( ret );\r
+ }\r
+\r
+ return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );\r
+ }\r
+\r
+ return( ret );\r
+}\r
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */\r
+\r
+static int ssl_check_record_type( uint8_t record_type )\r
+{\r
+ if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&\r
+ record_type != MBEDTLS_SSL_MSG_ALERT &&\r
+ record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&\r
+ record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA )\r
+ {\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * ContentType type;\r
+ * ProtocolVersion version;\r
+ * uint16 epoch; // DTLS only\r
+ * uint48 sequence_number; // DTLS only\r
+ * uint16 length;\r
+ *\r
+ * Return 0 if header looks sane (and, for DTLS, the record is expected)\r
+ * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,\r
+ * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.\r
+ *\r
+ * With DTLS, mbedtls_ssl_read_record() will:\r
+ * 1. proceed with the record if this function returns 0\r
+ * 2. drop only the current record if this function returns UNEXPECTED_RECORD\r
+ * 3. return CLIENT_RECONNECT if this function return that value\r
+ * 4. drop the whole datagram if this function returns anything else.\r
+ * Point 2 is needed when the peer is resending, and we have already received\r
+ * the first record from a datagram but are still waiting for the others.\r
+ */\r
+static int ssl_parse_record_header( mbedtls_ssl_context *ssl )\r
+{\r
+ int major_ver, minor_ver;\r
+ int ret;\r
+\r
+ /* Parse and validate record content type and version */\r
+\r
+ ssl->in_msgtype = ssl->in_hdr[0];\r
+ mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );\r
+\r
+ /* Check record type */\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ssl->in_msgtype == MBEDTLS_SSL_MSG_CID &&\r
+ ssl->conf->cid_len != 0 )\r
+ {\r
+ /* Shift pointers to account for record header including CID\r
+ * struct {\r
+ * ContentType special_type = tls12_cid;\r
+ * ProtocolVersion version;\r
+ * uint16 epoch;\r
+ * uint48 sequence_number;\r
+ * opaque cid[cid_length]; // Additional field compared to\r
+ * // default DTLS record format\r
+ * uint16 length;\r
+ * opaque enc_content[DTLSCiphertext.length];\r
+ * } DTLSCiphertext;\r
+ */\r
+\r
+ /* So far, we only support static CID lengths\r
+ * fixed in the configuration. */\r
+ ssl->in_len = ssl->in_cid + ssl->conf->cid_len;\r
+ ssl->in_iv = ssl->in_msg = ssl->in_len + 2;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+ if( ssl_check_record_type( ssl->in_msgtype ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ /* Silently ignore invalid DTLS records as recommended by RFC 6347\r
+ * Section 4.1.2.7 */\r
+ if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );\r
+\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+\r
+ /* Check version */\r
+ if( major_ver != ssl->major_ver )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+\r
+ if( minor_ver > ssl->conf->max_minor_ver )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+\r
+ /* Now that the total length of the record header is known, ensure\r
+ * that the current datagram is large enough to hold it.\r
+ * This would fail, for example, if we received a datagram of\r
+ * size 13 + n Bytes where n is less than the size of incoming CIDs. */\r
+ ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) );\r
+ if( ret != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );\r
+ return( ret );\r
+ }\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_in_hdr_len( ssl ) );\r
+\r
+ /* Parse and validate record length\r
+ * This must happen after the CID parsing because\r
+ * its position in the record header depends on\r
+ * the presence of a CID. */\r
+\r
+ ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];\r
+ if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN\r
+ - (size_t)( ssl->in_msg - ssl->in_buf ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "\r
+ "version = [%d:%d], msglen = %d",\r
+ ssl->in_msgtype,\r
+ major_ver, minor_ver, ssl->in_msglen ) );\r
+\r
+ /*\r
+ * DTLS-related tests.\r
+ * Check epoch before checking length constraint because\r
+ * the latter varies with the epoch. E.g., if a ChangeCipherSpec\r
+ * message gets duplicated before the corresponding Finished message,\r
+ * the second ChangeCipherSpec should be discarded because it belongs\r
+ * to an old epoch, but not because its length is shorter than\r
+ * the minimum record length for packets using the new record transform.\r
+ * Note that these two kinds of failures are handled differently,\r
+ * as an unexpected record is silently skipped but an invalid\r
+ * record leads to the entire datagram being dropped.\r
+ */\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];\r
+\r
+ /* Check epoch (and sequence number) with DTLS */\r
+ if( rec_epoch != ssl->in_epoch )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "\r
+ "expected %d, received %d",\r
+ ssl->in_epoch, rec_epoch ) );\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)\r
+ /*\r
+ * Check for an epoch 0 ClientHello. We can't use in_msg here to\r
+ * access the first byte of record content (handshake type), as we\r
+ * have an active transform (possibly iv_len != 0), so use the\r
+ * fact that the record header len is 13 instead.\r
+ */\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&\r
+ ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&\r
+ rec_epoch == 0 &&\r
+ ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&\r
+ ssl->in_left > 13 &&\r
+ ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "\r
+ "from the same port" ) );\r
+ return( ssl_handle_possible_reconnect( ssl ) );\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */\r
+ {\r
+ /* Consider buffering the record. */\r
+ if( rec_epoch == (unsigned int) ssl->in_epoch + 1 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );\r
+ return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );\r
+ }\r
+\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );\r
+ }\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)\r
+ /* Replay detection only works for the current epoch */\r
+ if( rec_epoch == ssl->in_epoch &&\r
+ mbedtls_ssl_dtls_replay_check( ssl ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );\r
+ }\r
+#endif\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+\r
+ /* Check length against bounds of the current transform and version */\r
+ if( ssl->transform_in == NULL )\r
+ {\r
+ if( ssl->in_msglen < 1 ||\r
+ ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+ }\r
+ else\r
+ {\r
+ if( ssl->in_msglen < ssl->transform_in->minlen )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&\r
+ ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ /*\r
+ * TLS encrypted messages can have up to 256 bytes of padding\r
+ */\r
+ if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&\r
+ ssl->in_msglen > ssl->transform_in->minlen +\r
+ MBEDTLS_SSL_IN_CONTENT_LEN + 256 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+#endif\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * If applicable, decrypt (and decompress) record content\r
+ */\r
+static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret, done = 0;\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",\r
+ ssl->in_hdr, mbedtls_ssl_in_hdr_len( ssl ) + ssl->in_msglen );\r
+\r
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)\r
+ if( mbedtls_ssl_hw_record_read != NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );\r
+\r
+ ret = mbedtls_ssl_hw_record_read( ssl );\r
+ if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+\r
+ if( ret == 0 )\r
+ done = 1;\r
+ }\r
+#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */\r
+ if( !done && ssl->transform_in != NULL )\r
+ {\r
+ mbedtls_record rec;\r
+\r
+ rec.buf = ssl->in_iv;\r
+ rec.buf_len = MBEDTLS_SSL_IN_BUFFER_LEN\r
+ - ( ssl->in_iv - ssl->in_buf );\r
+ rec.data_len = ssl->in_msglen;\r
+ rec.data_offset = 0;\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID )\r
+ rec.cid_len = (uint8_t)( ssl->in_len - ssl->in_cid );\r
+ memcpy( rec.cid, ssl->in_cid, rec.cid_len );\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+\r
+ memcpy( &rec.ctr[0], ssl->in_ctr, 8 );\r
+ mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,\r
+ ssl->conf->transport, rec.ver );\r
+ rec.type = ssl->in_msgtype;\r
+ if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,\r
+ &rec ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&\r
+ ssl->conf->ignore_unexpected_cid\r
+ == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );\r
+ ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;\r
+ }\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+\r
+ return( ret );\r
+ }\r
+\r
+ if( ssl->in_msgtype != rec.type )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d",\r
+ ssl->in_msgtype, rec.type ) );\r
+ }\r
+\r
+ /* The record content type may change during decryption,\r
+ * so re-read it. */\r
+ ssl->in_msgtype = rec.type;\r
+ /* Also update the input buffer, because unfortunately\r
+ * the server-side ssl_parse_client_hello() reparses the\r
+ * record header when receiving a ClientHello initiating\r
+ * a renegotiation. */\r
+ ssl->in_hdr[0] = rec.type;\r
+ ssl->in_msg = rec.buf + rec.data_offset;\r
+ ssl->in_msglen = rec.data_len;\r
+ ssl->in_len[0] = (unsigned char)( rec.data_len >> 8 );\r
+ ssl->in_len[1] = (unsigned char)( rec.data_len );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",\r
+ ssl->in_msg, ssl->in_msglen );\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ /* We have already checked the record content type\r
+ * in ssl_parse_record_header(), failing or silently\r
+ * dropping the record in the case of an unknown type.\r
+ *\r
+ * Since with the use of CIDs, the record content type\r
+ * might change during decryption, re-check the record\r
+ * content type, but treat a failure as fatal this time. */\r
+ if( ssl_check_record_type( ssl->in_msgtype ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+\r
+ if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+ else if( ssl->in_msglen == 0 )\r
+ {\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3\r
+ && ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )\r
+ {\r
+ /* TLS v1.2 explicitly disallows zero-length messages which are not application data */\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+ ssl->nb_zero++;\r
+\r
+ /*\r
+ * Three or more empty messages may be a DoS attack\r
+ * (excessive CPU consumption).\r
+ */\r
+ if( ssl->nb_zero > 3 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "\r
+ "messages, possible DoS attack" ) );\r
+ /* Treat the records as if they were not properly authenticated,\r
+ * thereby failing the connection if we see more than allowed\r
+ * by the configured bad MAC threshold. */\r
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );\r
+ }\r
+ }\r
+ else\r
+ ssl->nb_zero = 0;\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ ; /* in_ctr read from peer, not maintained internally */\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ unsigned i;\r
+ for( i = 8; i > ssl_ep_len( ssl ); i-- )\r
+ if( ++ssl->in_ctr[i - 1] != 0 )\r
+ break;\r
+\r
+ /* The loop goes to its end iff the counter is wrapping */\r
+ if( i == ssl_ep_len( ssl ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );\r
+ return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );\r
+ }\r
+ }\r
+\r
+ }\r
+\r
+#if defined(MBEDTLS_ZLIB_SUPPORT)\r
+ if( ssl->transform_in != NULL &&\r
+ ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )\r
+ {\r
+ if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+#endif /* MBEDTLS_ZLIB_SUPPORT */\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ mbedtls_ssl_dtls_replay_update( ssl );\r
+ }\r
+#endif\r
+\r
+ return( 0 );\r
+}\r
+\r
+static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );\r
+\r
+/*\r
+ * Read a record.\r
+ *\r
+ * Silently ignore non-fatal alert (and for DTLS, invalid records as well,\r
+ * RFC 6347 4.1.2.7) and continue reading until a valid record is found.\r
+ *\r
+ */\r
+\r
+/* Helper functions for mbedtls_ssl_read_record(). */\r
+static int ssl_consume_current_message( mbedtls_ssl_context *ssl );\r
+static int ssl_get_next_record( mbedtls_ssl_context *ssl );\r
+static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );\r
+\r
+int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,\r
+ unsigned update_hs_digest )\r
+{\r
+ int ret;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );\r
+\r
+ if( ssl->keep_current_message == 0 )\r
+ {\r
+ do {\r
+\r
+ ret = ssl_consume_current_message( ssl );\r
+ if( ret != 0 )\r
+ return( ret );\r
+\r
+ if( ssl_record_is_in_progress( ssl ) == 0 )\r
+ {\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ int have_buffered = 0;\r
+\r
+ /* We only check for buffered messages if the\r
+ * current datagram is fully consumed. */\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ssl_next_record_is_in_datagram( ssl ) == 0 )\r
+ {\r
+ if( ssl_load_buffered_message( ssl ) == 0 )\r
+ have_buffered = 1;\r
+ }\r
+\r
+ if( have_buffered == 0 )\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+ {\r
+ ret = ssl_get_next_record( ssl );\r
+ if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )\r
+ continue;\r
+\r
+ if( ret != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );\r
+ return( ret );\r
+ }\r
+ }\r
+ }\r
+\r
+ ret = mbedtls_ssl_handle_message_type( ssl );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )\r
+ {\r
+ /* Buffer future message */\r
+ ret = ssl_buffer_message( ssl );\r
+ if( ret != 0 )\r
+ return( ret );\r
+\r
+ ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+ } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||\r
+ MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );\r
+\r
+ if( 0 != ret )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );\r
+ return( ret );\r
+ }\r
+\r
+ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&\r
+ update_hs_digest == 1 )\r
+ {\r
+ mbedtls_ssl_update_handshake_status( ssl );\r
+ }\r
+ }\r
+ else\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );\r
+ ssl->keep_current_message = 0;\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )\r
+{\r
+ if( ssl->in_left > ssl->next_record_offset )\r
+ return( 1 );\r
+\r
+ return( 0 );\r
+}\r
+\r
+static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )\r
+{\r
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;\r
+ mbedtls_ssl_hs_buffer * hs_buf;\r
+ int ret = 0;\r
+\r
+ if( hs == NULL )\r
+ return( -1 );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );\r
+\r
+ if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||\r
+ ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )\r
+ {\r
+ /* Check if we have seen a ChangeCipherSpec before.\r
+ * If yes, synthesize a CCS record. */\r
+ if( !hs->buffering.seen_ccs )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );\r
+ ret = -1;\r
+ goto exit;\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );\r
+ ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;\r
+ ssl->in_msglen = 1;\r
+ ssl->in_msg[0] = 1;\r
+\r
+ /* As long as they are equal, the exact value doesn't matter. */\r
+ ssl->in_left = 0;\r
+ ssl->next_record_offset = 0;\r
+\r
+ hs->buffering.seen_ccs = 0;\r
+ goto exit;\r
+ }\r
+\r
+#if defined(MBEDTLS_DEBUG_C)\r
+ /* Debug only */\r
+ {\r
+ unsigned offset;\r
+ for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )\r
+ {\r
+ hs_buf = &hs->buffering.hs[offset];\r
+ if( hs_buf->is_valid == 1 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",\r
+ hs->in_msg_seq + offset,\r
+ hs_buf->is_complete ? "fully" : "partially" ) );\r
+ }\r
+ }\r
+ }\r
+#endif /* MBEDTLS_DEBUG_C */\r
+\r
+ /* Check if we have buffered and/or fully reassembled the\r
+ * next handshake message. */\r
+ hs_buf = &hs->buffering.hs[0];\r
+ if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )\r
+ {\r
+ /* Synthesize a record containing the buffered HS message. */\r
+ size_t msg_len = ( hs_buf->data[1] << 16 ) |\r
+ ( hs_buf->data[2] << 8 ) |\r
+ hs_buf->data[3];\r
+\r
+ /* Double-check that we haven't accidentally buffered\r
+ * a message that doesn't fit into the input buffer. */\r
+ if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",\r
+ hs_buf->data, msg_len + 12 );\r
+\r
+ ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;\r
+ ssl->in_hslen = msg_len + 12;\r
+ ssl->in_msglen = msg_len + 12;\r
+ memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );\r
+\r
+ ret = 0;\r
+ goto exit;\r
+ }\r
+ else\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",\r
+ hs->in_msg_seq ) );\r
+ }\r
+\r
+ ret = -1;\r
+\r
+exit:\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );\r
+ return( ret );\r
+}\r
+\r
+static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,\r
+ size_t desired )\r
+{\r
+ int offset;\r
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",\r
+ (unsigned) desired ) );\r
+\r
+ /* Get rid of future records epoch first, if such exist. */\r
+ ssl_free_buffered_record( ssl );\r
+\r
+ /* Check if we have enough space available now. */\r
+ if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -\r
+ hs->buffering.total_bytes_buffered ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );\r
+ return( 0 );\r
+ }\r
+\r
+ /* We don't have enough space to buffer the next expected handshake\r
+ * message. Remove buffers used for future messages to gain space,\r
+ * starting with the most distant one. */\r
+ for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;\r
+ offset >= 0; offset-- )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",\r
+ offset ) );\r
+\r
+ ssl_buffering_free_slot( ssl, (uint8_t) offset );\r
+\r
+ /* Check if we have enough space available now. */\r
+ if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -\r
+ hs->buffering.total_bytes_buffered ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );\r
+ return( 0 );\r
+ }\r
+ }\r
+\r
+ return( -1 );\r
+}\r
+\r
+static int ssl_buffer_message( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret = 0;\r
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;\r
+\r
+ if( hs == NULL )\r
+ return( 0 );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );\r
+\r
+ switch( ssl->in_msgtype )\r
+ {\r
+ case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );\r
+\r
+ hs->buffering.seen_ccs = 1;\r
+ break;\r
+\r
+ case MBEDTLS_SSL_MSG_HANDSHAKE:\r
+ {\r
+ unsigned recv_msg_seq_offset;\r
+ unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];\r
+ mbedtls_ssl_hs_buffer *hs_buf;\r
+ size_t msg_len = ssl->in_hslen - 12;\r
+\r
+ /* We should never receive an old handshake\r
+ * message - double-check nonetheless. */\r
+ if( recv_msg_seq < ssl->handshake->in_msg_seq )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;\r
+ if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )\r
+ {\r
+ /* Silently ignore -- message too far in the future */\r
+ MBEDTLS_SSL_DEBUG_MSG( 2,\r
+ ( "Ignore future HS message with sequence number %u, "\r
+ "buffering window %u - %u",\r
+ recv_msg_seq, ssl->handshake->in_msg_seq,\r
+ ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );\r
+\r
+ goto exit;\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",\r
+ recv_msg_seq, recv_msg_seq_offset ) );\r
+\r
+ hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];\r
+\r
+ /* Check if the buffering for this seq nr has already commenced. */\r
+ if( !hs_buf->is_valid )\r
+ {\r
+ size_t reassembly_buf_sz;\r
+\r
+ hs_buf->is_fragmented =\r
+ ( ssl_hs_is_proper_fragment( ssl ) == 1 );\r
+\r
+ /* We copy the message back into the input buffer\r
+ * after reassembly, so check that it's not too large.\r
+ * This is an implementation-specific limitation\r
+ * and not one from the standard, hence it is not\r
+ * checked in ssl_check_hs_header(). */\r
+ if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )\r
+ {\r
+ /* Ignore message */\r
+ goto exit;\r
+ }\r
+\r
+ /* Check if we have enough space to buffer the message. */\r
+ if( hs->buffering.total_bytes_buffered >\r
+ MBEDTLS_SSL_DTLS_MAX_BUFFERING )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,\r
+ hs_buf->is_fragmented );\r
+\r
+ if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -\r
+ hs->buffering.total_bytes_buffered ) )\r
+ {\r
+ if( recv_msg_seq_offset > 0 )\r
+ {\r
+ /* If we can't buffer a future message because\r
+ * of space limitations -- ignore. */\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",\r
+ (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,\r
+ (unsigned) hs->buffering.total_bytes_buffered ) );\r
+ goto exit;\r
+ }\r
+ else\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",\r
+ (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,\r
+ (unsigned) hs->buffering.total_bytes_buffered ) );\r
+ }\r
+\r
+ if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",\r
+ (unsigned) msg_len,\r
+ (unsigned) reassembly_buf_sz,\r
+ MBEDTLS_SSL_DTLS_MAX_BUFFERING,\r
+ (unsigned) hs->buffering.total_bytes_buffered ) );\r
+ ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;\r
+ goto exit;\r
+ }\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",\r
+ msg_len ) );\r
+\r
+ hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );\r
+ if( hs_buf->data == NULL )\r
+ {\r
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;\r
+ goto exit;\r
+ }\r
+ hs_buf->data_len = reassembly_buf_sz;\r
+\r
+ /* Prepare final header: copy msg_type, length and message_seq,\r
+ * then add standardised fragment_offset and fragment_length */\r
+ memcpy( hs_buf->data, ssl->in_msg, 6 );\r
+ memset( hs_buf->data + 6, 0, 3 );\r
+ memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );\r
+\r
+ hs_buf->is_valid = 1;\r
+\r
+ hs->buffering.total_bytes_buffered += reassembly_buf_sz;\r
+ }\r
+ else\r
+ {\r
+ /* Make sure msg_type and length are consistent */\r
+ if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );\r
+ /* Ignore */\r
+ goto exit;\r
+ }\r
+ }\r
+\r
+ if( !hs_buf->is_complete )\r
+ {\r
+ size_t frag_len, frag_off;\r
+ unsigned char * const msg = hs_buf->data + 12;\r
+\r
+ /*\r
+ * Check and copy current fragment\r
+ */\r
+\r
+ /* Validation of header fields already done in\r
+ * mbedtls_ssl_prepare_handshake_record(). */\r
+ frag_off = ssl_get_hs_frag_off( ssl );\r
+ frag_len = ssl_get_hs_frag_len( ssl );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",\r
+ frag_off, frag_len ) );\r
+ memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );\r
+\r
+ if( hs_buf->is_fragmented )\r
+ {\r
+ unsigned char * const bitmask = msg + msg_len;\r
+ ssl_bitmask_set( bitmask, frag_off, frag_len );\r
+ hs_buf->is_complete = ( ssl_bitmask_check( bitmask,\r
+ msg_len ) == 0 );\r
+ }\r
+ else\r
+ {\r
+ hs_buf->is_complete = 1;\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",\r
+ hs_buf->is_complete ? "" : "not yet " ) );\r
+ }\r
+\r
+ break;\r
+ }\r
+\r
+ default:\r
+ /* We don't buffer other types of messages. */\r
+ break;\r
+ }\r
+\r
+exit:\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );\r
+ return( ret );\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+static int ssl_consume_current_message( mbedtls_ssl_context *ssl )\r
+{\r
+ /*\r
+ * Consume last content-layer message and potentially\r
+ * update in_msglen which keeps track of the contents'\r
+ * consumption state.\r
+ *\r
+ * (1) Handshake messages:\r
+ * Remove last handshake message, move content\r
+ * and adapt in_msglen.\r
+ *\r
+ * (2) Alert messages:\r
+ * Consume whole record content, in_msglen = 0.\r
+ *\r
+ * (3) Change cipher spec:\r
+ * Consume whole record content, in_msglen = 0.\r
+ *\r
+ * (4) Application data:\r
+ * Don't do anything - the record layer provides\r
+ * the application data as a stream transport\r
+ * and consumes through mbedtls_ssl_read only.\r
+ *\r
+ */\r
+\r
+ /* Case (1): Handshake messages */\r
+ if( ssl->in_hslen != 0 )\r
+ {\r
+ /* Hard assertion to be sure that no application data\r
+ * is in flight, as corrupting ssl->in_msglen during\r
+ * ssl->in_offt != NULL is fatal. */\r
+ if( ssl->in_offt != NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ /*\r
+ * Get next Handshake message in the current record\r
+ */\r
+\r
+ /* Notes:\r
+ * (1) in_hslen is not necessarily the size of the\r
+ * current handshake content: If DTLS handshake\r
+ * fragmentation is used, that's the fragment\r
+ * size instead. Using the total handshake message\r
+ * size here is faulty and should be changed at\r
+ * some point.\r
+ * (2) While it doesn't seem to cause problems, one\r
+ * has to be very careful not to assume that in_hslen\r
+ * is always <= in_msglen in a sensible communication.\r
+ * Again, it's wrong for DTLS handshake fragmentation.\r
+ * The following check is therefore mandatory, and\r
+ * should not be treated as a silently corrected assertion.\r
+ * Additionally, ssl->in_hslen might be arbitrarily out of\r
+ * bounds after handling a DTLS message with an unexpected\r
+ * sequence number, see mbedtls_ssl_prepare_handshake_record.\r
+ */\r
+ if( ssl->in_hslen < ssl->in_msglen )\r
+ {\r
+ ssl->in_msglen -= ssl->in_hslen;\r
+ memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,\r
+ ssl->in_msglen );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",\r
+ ssl->in_msg, ssl->in_msglen );\r
+ }\r
+ else\r
+ {\r
+ ssl->in_msglen = 0;\r
+ }\r
+\r
+ ssl->in_hslen = 0;\r
+ }\r
+ /* Case (4): Application data */\r
+ else if( ssl->in_offt != NULL )\r
+ {\r
+ return( 0 );\r
+ }\r
+ /* Everything else (CCS & Alerts) */\r
+ else\r
+ {\r
+ ssl->in_msglen = 0;\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+\r
+static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )\r
+{\r
+ if( ssl->in_msglen > 0 )\r
+ return( 1 );\r
+\r
+ return( 0 );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+\r
+static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )\r
+{\r
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;\r
+ if( hs == NULL )\r
+ return;\r
+\r
+ if( hs->buffering.future_record.data != NULL )\r
+ {\r
+ hs->buffering.total_bytes_buffered -=\r
+ hs->buffering.future_record.len;\r
+\r
+ mbedtls_free( hs->buffering.future_record.data );\r
+ hs->buffering.future_record.data = NULL;\r
+ }\r
+}\r
+\r
+static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )\r
+{\r
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;\r
+ unsigned char * rec;\r
+ size_t rec_len;\r
+ unsigned rec_epoch;\r
+\r
+ if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ return( 0 );\r
+\r
+ if( hs == NULL )\r
+ return( 0 );\r
+\r
+ rec = hs->buffering.future_record.data;\r
+ rec_len = hs->buffering.future_record.len;\r
+ rec_epoch = hs->buffering.future_record.epoch;\r
+\r
+ if( rec == NULL )\r
+ return( 0 );\r
+\r
+ /* Only consider loading future records if the\r
+ * input buffer is empty. */\r
+ if( ssl_next_record_is_in_datagram( ssl ) == 1 )\r
+ return( 0 );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );\r
+\r
+ if( rec_epoch != ssl->in_epoch )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );\r
+ goto exit;\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );\r
+\r
+ /* Double-check that the record is not too large */\r
+ if( rec_len > MBEDTLS_SSL_IN_BUFFER_LEN -\r
+ (size_t)( ssl->in_hdr - ssl->in_buf ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ memcpy( ssl->in_hdr, rec, rec_len );\r
+ ssl->in_left = rec_len;\r
+ ssl->next_record_offset = 0;\r
+\r
+ ssl_free_buffered_record( ssl );\r
+\r
+exit:\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );\r
+ return( 0 );\r
+}\r
+\r
+static int ssl_buffer_future_record( mbedtls_ssl_context *ssl )\r
+{\r
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;\r
+ size_t const rec_hdr_len = 13;\r
+ size_t const total_buf_sz = rec_hdr_len + ssl->in_msglen;\r
+\r
+ /* Don't buffer future records outside handshakes. */\r
+ if( hs == NULL )\r
+ return( 0 );\r
+\r
+ /* Only buffer handshake records (we are only interested\r
+ * in Finished messages). */\r
+ if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )\r
+ return( 0 );\r
+\r
+ /* Don't buffer more than one future epoch record. */\r
+ if( hs->buffering.future_record.data != NULL )\r
+ return( 0 );\r
+\r
+ /* Don't buffer record if there's not enough buffering space remaining. */\r
+ if( total_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -\r
+ hs->buffering.total_bytes_buffered ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",\r
+ (unsigned) total_buf_sz, MBEDTLS_SSL_DTLS_MAX_BUFFERING,\r
+ (unsigned) hs->buffering.total_bytes_buffered ) );\r
+ return( 0 );\r
+ }\r
+\r
+ /* Buffer record */\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",\r
+ ssl->in_epoch + 1 ) );\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", ssl->in_hdr,\r
+ rec_hdr_len + ssl->in_msglen );\r
+\r
+ /* ssl_parse_record_header() only considers records\r
+ * of the next epoch as candidates for buffering. */\r
+ hs->buffering.future_record.epoch = ssl->in_epoch + 1;\r
+ hs->buffering.future_record.len = total_buf_sz;\r
+\r
+ hs->buffering.future_record.data =\r
+ mbedtls_calloc( 1, hs->buffering.future_record.len );\r
+ if( hs->buffering.future_record.data == NULL )\r
+ {\r
+ /* If we run out of RAM trying to buffer a\r
+ * record from the next epoch, just ignore. */\r
+ return( 0 );\r
+ }\r
+\r
+ memcpy( hs->buffering.future_record.data, ssl->in_hdr, total_buf_sz );\r
+\r
+ hs->buffering.total_bytes_buffered += total_buf_sz;\r
+ return( 0 );\r
+}\r
+\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+static int ssl_get_next_record( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ /* We might have buffered a future record; if so,\r
+ * and if the epoch matches now, load it.\r
+ * On success, this call will set ssl->in_left to\r
+ * the length of the buffered record, so that\r
+ * the calls to ssl_fetch_input() below will\r
+ * essentially be no-ops. */\r
+ ret = ssl_load_buffered_record( ssl );\r
+ if( ret != 0 )\r
+ return( ret );\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+ /* Reset in pointers to default state for TLS/DTLS records,\r
+ * assuming no CID and no offset between record content and\r
+ * record plaintext. */\r
+ ssl_update_in_pointers( ssl );\r
+\r
+ /* Ensure that we have enough space available for the default form\r
+ * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,\r
+ * with no space for CIDs counted in). */\r
+ ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) );\r
+ if( ret != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );\r
+ return( ret );\r
+ }\r
+\r
+ if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )\r
+ {\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )\r
+ {\r
+ if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )\r
+ {\r
+ ret = ssl_buffer_future_record( ssl );\r
+ if( ret != 0 )\r
+ return( ret );\r
+\r
+ /* Fall through to handling of unexpected records */\r
+ ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;\r
+ }\r
+\r
+ if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )\r
+ {\r
+ /* Skip unexpected record (but not whole datagram) */\r
+ ssl->next_record_offset = ssl->in_msglen\r
+ + mbedtls_ssl_in_hdr_len( ssl );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "\r
+ "(header)" ) );\r
+ }\r
+ else\r
+ {\r
+ /* Skip invalid record and the rest of the datagram */\r
+ ssl->next_record_offset = 0;\r
+ ssl->in_left = 0;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "\r
+ "(header)" ) );\r
+ }\r
+\r
+ /* Get next record */\r
+ return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );\r
+ }\r
+#endif\r
+ return( ret );\r
+ }\r
+\r
+ /*\r
+ * Read and optionally decrypt the message contents\r
+ */\r
+ if( ( ret = mbedtls_ssl_fetch_input( ssl,\r
+ mbedtls_ssl_in_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );\r
+ return( ret );\r
+ }\r
+\r
+ /* Done reading this record, get ready for the next one */\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_in_hdr_len( ssl );\r
+ if( ssl->next_record_offset < ssl->in_left )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );\r
+ }\r
+ }\r
+ else\r
+#endif\r
+ ssl->in_left = 0;\r
+\r
+ if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )\r
+ {\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ /* Silently discard invalid records */\r
+ if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )\r
+ {\r
+ /* Except when waiting for Finished as a bad mac here\r
+ * probably means something went wrong in the handshake\r
+ * (eg wrong psk used, mitm downgrade attempt, etc.) */\r
+ if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||\r
+ ssl->state == MBEDTLS_SSL_SERVER_FINISHED )\r
+ {\r
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)\r
+ if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )\r
+ {\r
+ mbedtls_ssl_send_alert_message( ssl,\r
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );\r
+ }\r
+#endif\r
+ return( ret );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)\r
+ if( ssl->conf->badmac_limit != 0 &&\r
+ ++ssl->badmac_seen >= ssl->conf->badmac_limit )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_MAC );\r
+ }\r
+#endif\r
+\r
+ /* As above, invalid records cause\r
+ * dismissal of the whole datagram. */\r
+\r
+ ssl->next_record_offset = 0;\r
+ ssl->in_left = 0;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );\r
+ return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );\r
+ }\r
+\r
+ return( ret );\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ /* Error out (and send alert) on invalid records */\r
+#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)\r
+ if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )\r
+ {\r
+ mbedtls_ssl_send_alert_message( ssl,\r
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );\r
+ }\r
+#endif\r
+ return( ret );\r
+ }\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+\r
+int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+\r
+ /*\r
+ * Handle particular types of records\r
+ */\r
+ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )\r
+ {\r
+ if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )\r
+ {\r
+ return( ret );\r
+ }\r
+ }\r
+\r
+ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )\r
+ {\r
+ if( ssl->in_msglen != 1 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",\r
+ ssl->in_msglen ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+\r
+ if( ssl->in_msg[0] != 1 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",\r
+ ssl->in_msg[0] ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&\r
+ ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )\r
+ {\r
+ if( ssl->handshake == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );\r
+ return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );\r
+ }\r
+#endif\r
+ }\r
+\r
+ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )\r
+ {\r
+ if( ssl->in_msglen != 2 )\r
+ {\r
+ /* Note: Standard allows for more than one 2 byte alert\r
+ to be packed in a single message, but Mbed TLS doesn't\r
+ currently support this. */\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",\r
+ ssl->in_msglen ) );\r
+ return( MBEDTLS_ERR_SSL_INVALID_RECORD );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",\r
+ ssl->in_msg[0], ssl->in_msg[1] ) );\r
+\r
+ /*\r
+ * Ignore non-fatal alerts, except close_notify and no_renegotiation\r
+ */\r
+ if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",\r
+ ssl->in_msg[1] ) );\r
+ return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );\r
+ }\r
+\r
+ if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&\r
+ ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );\r
+ return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)\r
+ if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&\r
+ ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );\r
+ /* Will be handled when trying to parse ServerHello */\r
+ return( 0 );\r
+ }\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&\r
+ ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&\r
+ ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&\r
+ ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );\r
+ /* Will be handled in mbedtls_ssl_parse_certificate() */\r
+ return( 0 );\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */\r
+\r
+ /* Silently ignore: fetch new message */\r
+ return MBEDTLS_ERR_SSL_NON_FATAL;\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ /* Drop unexpected ApplicationData records,\r
+ * except at the beginning of renegotiations */\r
+ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&\r
+ ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&\r
+ ssl->state == MBEDTLS_SSL_SERVER_HELLO )\r
+#endif\r
+ )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );\r
+ return( MBEDTLS_ERR_SSL_NON_FATAL );\r
+ }\r
+\r
+ if( ssl->handshake != NULL &&\r
+ ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ {\r
+ ssl_handshake_wrapup_free_hs_transform( ssl );\r
+ }\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+ return( 0 );\r
+}\r
+\r
+int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+\r
+ if( ( ret = mbedtls_ssl_send_alert_message( ssl,\r
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )\r
+ {\r
+ return( ret );\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+\r
+int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,\r
+ unsigned char level,\r
+ unsigned char message )\r
+{\r
+ int ret;\r
+\r
+ if( ssl == NULL || ssl->conf == NULL )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));\r
+\r
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;\r
+ ssl->out_msglen = 2;\r
+ ssl->out_msg[0] = level;\r
+ ssl->out_msg[1] = message;\r
+\r
+ if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );\r
+ return( ret );\r
+ }\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+static void ssl_clear_peer_cert( mbedtls_ssl_session *session )\r
+{\r
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)\r
+ if( session->peer_cert != NULL )\r
+ {\r
+ mbedtls_x509_crt_free( session->peer_cert );\r
+ mbedtls_free( session->peer_cert );\r
+ session->peer_cert = NULL;\r
+ }\r
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+ if( session->peer_cert_digest != NULL )\r
+ {\r
+ /* Zeroization is not necessary. */\r
+ mbedtls_free( session->peer_cert_digest );\r
+ session->peer_cert_digest = NULL;\r
+ session->peer_cert_digest_type = MBEDTLS_MD_NONE;\r
+ session->peer_cert_digest_len = 0;\r
+ }\r
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+}\r
+#endif /* MBEDTLS_X509_CRT_PARSE_C */\r
+\r
+/*\r
+ * Handshake functions\r
+ */\r
+#if !defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)\r
+/* No certificate support -> dummy functions */\r
+int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )\r
+{\r
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =\r
+ ssl->handshake->ciphersuite_info;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );\r
+\r
+ if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );\r
+ ssl->state++;\r
+ return( 0 );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+}\r
+\r
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )\r
+{\r
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =\r
+ ssl->handshake->ciphersuite_info;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );\r
+\r
+ if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );\r
+ ssl->state++;\r
+ return( 0 );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+}\r
+\r
+#else /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */\r
+/* Some certificate support -> implement write and parse */\r
+\r
+int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;\r
+ size_t i, n;\r
+ const mbedtls_x509_crt *crt;\r
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =\r
+ ssl->handshake->ciphersuite_info;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );\r
+\r
+ if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );\r
+ ssl->state++;\r
+ return( 0 );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )\r
+ {\r
+ if( ssl->client_auth == 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );\r
+ ssl->state++;\r
+ return( 0 );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ /*\r
+ * If using SSLv3 and got no cert, send an Alert message\r
+ * (otherwise an empty Certificate message will be sent).\r
+ */\r
+ if( mbedtls_ssl_own_cert( ssl ) == NULL &&\r
+ ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )\r
+ {\r
+ ssl->out_msglen = 2;\r
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;\r
+ ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;\r
+ ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );\r
+ goto write_msg;\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */\r
+ }\r
+#endif /* MBEDTLS_SSL_CLI_C */\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ {\r
+ if( mbedtls_ssl_own_cert( ssl ) == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );\r
+ return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );\r
+ }\r
+ }\r
+#endif\r
+\r
+ MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );\r
+\r
+ /*\r
+ * 0 . 0 handshake type\r
+ * 1 . 3 handshake length\r
+ * 4 . 6 length of all certs\r
+ * 7 . 9 length of cert. 1\r
+ * 10 . n-1 peer certificate\r
+ * n . n+2 length of cert. 2\r
+ * n+3 . ... upper level cert, etc.\r
+ */\r
+ i = 7;\r
+ crt = mbedtls_ssl_own_cert( ssl );\r
+\r
+ while( crt != NULL )\r
+ {\r
+ n = crt->raw.len;\r
+ if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",\r
+ i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );\r
+ return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );\r
+ }\r
+\r
+ ssl->out_msg[i ] = (unsigned char)( n >> 16 );\r
+ ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );\r
+ ssl->out_msg[i + 2] = (unsigned char)( n );\r
+\r
+ i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );\r
+ i += n; crt = crt->next;\r
+ }\r
+\r
+ ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );\r
+ ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );\r
+ ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );\r
+\r
+ ssl->out_msglen = i;\r
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;\r
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)\r
+write_msg:\r
+#endif\r
+\r
+ ssl->state++;\r
+\r
+ if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );\r
+ return( ret );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );\r
+\r
+ return( ret );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)\r
+\r
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)\r
+static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,\r
+ unsigned char *crt_buf,\r
+ size_t crt_buf_len )\r
+{\r
+ mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;\r
+\r
+ if( peer_crt == NULL )\r
+ return( -1 );\r
+\r
+ if( peer_crt->raw.len != crt_buf_len )\r
+ return( -1 );\r
+\r
+ return( memcmp( peer_crt->raw.p, crt_buf, crt_buf_len ) );\r
+}\r
+#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+static int ssl_check_peer_crt_unchanged( mbedtls_ssl_context *ssl,\r
+ unsigned char *crt_buf,\r
+ size_t crt_buf_len )\r
+{\r
+ int ret;\r
+ unsigned char const * const peer_cert_digest =\r
+ ssl->session->peer_cert_digest;\r
+ mbedtls_md_type_t const peer_cert_digest_type =\r
+ ssl->session->peer_cert_digest_type;\r
+ mbedtls_md_info_t const * const digest_info =\r
+ mbedtls_md_info_from_type( peer_cert_digest_type );\r
+ unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];\r
+ size_t digest_len;\r
+\r
+ if( peer_cert_digest == NULL || digest_info == NULL )\r
+ return( -1 );\r
+\r
+ digest_len = mbedtls_md_get_size( digest_info );\r
+ if( digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN )\r
+ return( -1 );\r
+\r
+ ret = mbedtls_md( digest_info, crt_buf, crt_buf_len, tmp_digest );\r
+ if( ret != 0 )\r
+ return( -1 );\r
+\r
+ return( memcmp( tmp_digest, peer_cert_digest, digest_len ) );\r
+}\r
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */\r
+\r
+/*\r
+ * Once the certificate message is read, parse it into a cert chain and\r
+ * perform basic checks, but leave actual verification to the caller\r
+ */\r
+static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl,\r
+ mbedtls_x509_crt *chain )\r
+{\r
+ int ret;\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)\r
+ int crt_cnt=0;\r
+#endif\r
+ size_t i, n;\r
+ uint8_t alert;\r
+\r
+ if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );\r
+ }\r
+\r
+ if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||\r
+ ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );\r
+ return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );\r
+ }\r
+\r
+ i = mbedtls_ssl_hs_hdr_len( ssl );\r
+\r
+ /*\r
+ * Same message structure as in mbedtls_ssl_write_certificate()\r
+ */\r
+ n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];\r
+\r
+ if( ssl->in_msg[i] != 0 ||\r
+ ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );\r
+ return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );\r
+ }\r
+\r
+ /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */\r
+ i += 3;\r
+\r
+ /* Iterate through and parse the CRTs in the provided chain. */\r
+ while( i < ssl->in_hslen )\r
+ {\r
+ /* Check that there's room for the next CRT's length fields. */\r
+ if ( i + 3 > ssl->in_hslen ) {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );\r
+ mbedtls_ssl_send_alert_message( ssl,\r
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );\r
+ return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );\r
+ }\r
+ /* In theory, the CRT can be up to 2**24 Bytes, but we don't support\r
+ * anything beyond 2**16 ~ 64K. */\r
+ if( ssl->in_msg[i] != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );\r
+ mbedtls_ssl_send_alert_message( ssl,\r
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );\r
+ return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );\r
+ }\r
+\r
+ /* Read length of the next CRT in the chain. */\r
+ n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )\r
+ | (unsigned int) ssl->in_msg[i + 2];\r
+ i += 3;\r
+\r
+ if( n < 128 || i + n > ssl->in_hslen )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );\r
+ mbedtls_ssl_send_alert_message( ssl,\r
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );\r
+ return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );\r
+ }\r
+\r
+ /* Check if we're handling the first CRT in the chain. */\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)\r
+ if( crt_cnt++ == 0 &&\r
+ ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&\r
+ ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )\r
+ {\r
+ /* During client-side renegotiation, check that the server's\r
+ * end-CRTs hasn't changed compared to the initial handshake,\r
+ * mitigating the triple handshake attack. On success, reuse\r
+ * the original end-CRT instead of parsing it again. */\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Check that peer CRT hasn't changed during renegotiation" ) );\r
+ if( ssl_check_peer_crt_unchanged( ssl,\r
+ &ssl->in_msg[i],\r
+ n ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );\r
+ mbedtls_ssl_send_alert_message( ssl,\r
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );\r
+ return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );\r
+ }\r
+\r
+ /* Now we can safely free the original chain. */\r
+ ssl_clear_peer_cert( ssl->session );\r
+ }\r
+#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */\r
+\r
+ /* Parse the next certificate in the chain. */\r
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)\r
+ ret = mbedtls_x509_crt_parse_der( chain, ssl->in_msg + i, n );\r
+#else\r
+ /* If we don't need to store the CRT chain permanently, parse\r
+ * it in-place from the input buffer instead of making a copy. */\r
+ ret = mbedtls_x509_crt_parse_der_nocopy( chain, ssl->in_msg + i, n );\r
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+ switch( ret )\r
+ {\r
+ case 0: /*ok*/\r
+ case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:\r
+ /* Ignore certificate with an unknown algorithm: maybe a\r
+ prior certificate was already trusted. */\r
+ break;\r
+\r
+ case MBEDTLS_ERR_X509_ALLOC_FAILED:\r
+ alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;\r
+ goto crt_parse_der_failed;\r
+\r
+ case MBEDTLS_ERR_X509_UNKNOWN_VERSION:\r
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;\r
+ goto crt_parse_der_failed;\r
+\r
+ default:\r
+ alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;\r
+ crt_parse_der_failed:\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );\r
+ MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );\r
+ return( ret );\r
+ }\r
+\r
+ i += n;\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", chain );\r
+ return( 0 );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )\r
+{\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )\r
+ return( -1 );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ /*\r
+ * Check if the client sent an empty certificate\r
+ */\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )\r
+ {\r
+ if( ssl->in_msglen == 2 &&\r
+ ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&\r
+ ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&\r
+ ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );\r
+ return( 0 );\r
+ }\r
+\r
+ return( -1 );\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&\r
+ ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&\r
+ ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&\r
+ memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );\r
+ return( 0 );\r
+ }\r
+\r
+ return( -1 );\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \\r
+ MBEDTLS_SSL_PROTO_TLS1_2 */\r
+}\r
+#endif /* MBEDTLS_SSL_SRV_C */\r
+\r
+/* Check if a certificate message is expected.\r
+ * Return either\r
+ * - SSL_CERTIFICATE_EXPECTED, or\r
+ * - SSL_CERTIFICATE_SKIP\r
+ * indicating whether a Certificate message is expected or not.\r
+ */\r
+#define SSL_CERTIFICATE_EXPECTED 0\r
+#define SSL_CERTIFICATE_SKIP 1\r
+static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,\r
+ int authmode )\r
+{\r
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =\r
+ ssl->handshake->ciphersuite_info;\r
+\r
+ if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )\r
+ return( SSL_CERTIFICATE_SKIP );\r
+\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ {\r
+ if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )\r
+ return( SSL_CERTIFICATE_SKIP );\r
+\r
+ if( authmode == MBEDTLS_SSL_VERIFY_NONE )\r
+ {\r
+ ssl->session_negotiate->verify_result =\r
+ MBEDTLS_X509_BADCERT_SKIP_VERIFY;\r
+ return( SSL_CERTIFICATE_SKIP );\r
+ }\r
+ }\r
+#else\r
+ ((void) authmode);\r
+#endif /* MBEDTLS_SSL_SRV_C */\r
+\r
+ return( SSL_CERTIFICATE_EXPECTED );\r
+}\r
+\r
+static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,\r
+ int authmode,\r
+ mbedtls_x509_crt *chain,\r
+ void *rs_ctx )\r
+{\r
+ int ret = 0;\r
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =\r
+ ssl->handshake->ciphersuite_info;\r
+ int have_ca_chain = 0;\r
+\r
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);\r
+ void *p_vrfy;\r
+\r
+ if( authmode == MBEDTLS_SSL_VERIFY_NONE )\r
+ return( 0 );\r
+\r
+ if( ssl->f_vrfy != NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );\r
+ f_vrfy = ssl->f_vrfy;\r
+ p_vrfy = ssl->p_vrfy;\r
+ }\r
+ else\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );\r
+ f_vrfy = ssl->conf->f_vrfy;\r
+ p_vrfy = ssl->conf->p_vrfy;\r
+ }\r
+\r
+ /*\r
+ * Main check: verify certificate\r
+ */\r
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)\r
+ if( ssl->conf->f_ca_cb != NULL )\r
+ {\r
+ ((void) rs_ctx);\r
+ have_ca_chain = 1;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "use CA callback for X.509 CRT verification" ) );\r
+ ret = mbedtls_x509_crt_verify_with_ca_cb(\r
+ chain,\r
+ ssl->conf->f_ca_cb,\r
+ ssl->conf->p_ca_cb,\r
+ ssl->conf->cert_profile,\r
+ ssl->hostname,\r
+ &ssl->session_negotiate->verify_result,\r
+ f_vrfy, p_vrfy );\r
+ }\r
+ else\r
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */\r
+ {\r
+ mbedtls_x509_crt *ca_chain;\r
+ mbedtls_x509_crl *ca_crl;\r
+\r
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)\r
+ if( ssl->handshake->sni_ca_chain != NULL )\r
+ {\r
+ ca_chain = ssl->handshake->sni_ca_chain;\r
+ ca_crl = ssl->handshake->sni_ca_crl;\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ ca_chain = ssl->conf->ca_chain;\r
+ ca_crl = ssl->conf->ca_crl;\r
+ }\r
+\r
+ if( ca_chain != NULL )\r
+ have_ca_chain = 1;\r
+\r
+ ret = mbedtls_x509_crt_verify_restartable(\r
+ chain,\r
+ ca_chain, ca_crl,\r
+ ssl->conf->cert_profile,\r
+ ssl->hostname,\r
+ &ssl->session_negotiate->verify_result,\r
+ f_vrfy, p_vrfy, rs_ctx );\r
+ }\r
+\r
+ if( ret != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)\r
+ if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )\r
+ return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );\r
+#endif\r
+\r
+ /*\r
+ * Secondary checks: always done, but change 'ret' only if it was 0\r
+ */\r
+\r
+#if defined(MBEDTLS_ECP_C)\r
+ {\r
+ const mbedtls_pk_context *pk = &chain->pk;\r
+\r
+ /* If certificate uses an EC key, make sure the curve is OK */\r
+ if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&\r
+ mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )\r
+ {\r
+ ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );\r
+ if( ret == 0 )\r
+ ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;\r
+ }\r
+ }\r
+#endif /* MBEDTLS_ECP_C */\r
+\r
+ if( mbedtls_ssl_check_cert_usage( chain,\r
+ ciphersuite_info,\r
+ ! ssl->conf->endpoint,\r
+ &ssl->session_negotiate->verify_result ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );\r
+ if( ret == 0 )\r
+ ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;\r
+ }\r
+\r
+ /* mbedtls_x509_crt_verify_with_profile is supposed to report a\r
+ * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,\r
+ * with details encoded in the verification flags. All other kinds\r
+ * of error codes, including those from the user provided f_vrfy\r
+ * functions, are treated as fatal and lead to a failure of\r
+ * ssl_parse_certificate even if verification was optional. */\r
+ if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&\r
+ ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||\r
+ ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )\r
+ {\r
+ ret = 0;\r
+ }\r
+\r
+ if( have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );\r
+ ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;\r
+ }\r
+\r
+ if( ret != 0 )\r
+ {\r
+ uint8_t alert;\r
+\r
+ /* The certificate may have been rejected for several reasons.\r
+ Pick one and send the corresponding alert. Which alert to send\r
+ may be a subject of debate in some cases. */\r
+ if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )\r
+ alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;\r
+ else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )\r
+ alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;\r
+ else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )\r
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;\r
+ else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )\r
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;\r
+ else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )\r
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;\r
+ else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )\r
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;\r
+ else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )\r
+ alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;\r
+ else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )\r
+ alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;\r
+ else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )\r
+ alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;\r
+ else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )\r
+ alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;\r
+ else\r
+ alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ alert );\r
+ }\r
+\r
+#if defined(MBEDTLS_DEBUG_C)\r
+ if( ssl->session_negotiate->verify_result != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",\r
+ ssl->session_negotiate->verify_result ) );\r
+ }\r
+ else\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );\r
+ }\r
+#endif /* MBEDTLS_DEBUG_C */\r
+\r
+ return( ret );\r
+}\r
+\r
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)\r
+static int ssl_remember_peer_crt_digest( mbedtls_ssl_context *ssl,\r
+ unsigned char *start, size_t len )\r
+{\r
+ int ret;\r
+ /* Remember digest of the peer's end-CRT. */\r
+ ssl->session_negotiate->peer_cert_digest =\r
+ mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );\r
+ if( ssl->session_negotiate->peer_cert_digest == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",\r
+ sizeof( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN ) ) );\r
+ mbedtls_ssl_send_alert_message( ssl,\r
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );\r
+\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+ }\r
+\r
+ ret = mbedtls_md( mbedtls_md_info_from_type(\r
+ MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),\r
+ start, len,\r
+ ssl->session_negotiate->peer_cert_digest );\r
+\r
+ ssl->session_negotiate->peer_cert_digest_type =\r
+ MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;\r
+ ssl->session_negotiate->peer_cert_digest_len =\r
+ MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;\r
+\r
+ return( ret );\r
+}\r
+\r
+static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,\r
+ unsigned char *start, size_t len )\r
+{\r
+ unsigned char *end = start + len;\r
+ int ret;\r
+\r
+ /* Make a copy of the peer's raw public key. */\r
+ mbedtls_pk_init( &ssl->handshake->peer_pubkey );\r
+ ret = mbedtls_pk_parse_subpubkey( &start, end,\r
+ &ssl->handshake->peer_pubkey );\r
+ if( ret != 0 )\r
+ {\r
+ /* We should have parsed the public key before. */\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+\r
+int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret = 0;\r
+ int crt_expected;\r
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)\r
+ const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET\r
+ ? ssl->handshake->sni_authmode\r
+ : ssl->conf->authmode;\r
+#else\r
+ const int authmode = ssl->conf->authmode;\r
+#endif\r
+ void *rs_ctx = NULL;\r
+ mbedtls_x509_crt *chain = NULL;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );\r
+\r
+ crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );\r
+ if( crt_expected == SSL_CERTIFICATE_SKIP )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );\r
+ goto exit;\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)\r
+ if( ssl->handshake->ecrs_enabled &&\r
+ ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )\r
+ {\r
+ chain = ssl->handshake->ecrs_peer_cert;\r
+ ssl->handshake->ecrs_peer_cert = NULL;\r
+ goto crt_verify;\r
+ }\r
+#endif\r
+\r
+ if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )\r
+ {\r
+ /* mbedtls_ssl_read_record may have sent an alert already. We\r
+ let it decide whether to alert. */\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );\r
+ goto exit;\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+ if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 )\r
+ {\r
+ ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;\r
+\r
+ if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )\r
+ ret = 0;\r
+ else\r
+ ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;\r
+\r
+ goto exit;\r
+ }\r
+#endif /* MBEDTLS_SSL_SRV_C */\r
+\r
+ /* Clear existing peer CRT structure in case we tried to\r
+ * reuse a session but it failed, and allocate a new one. */\r
+ ssl_clear_peer_cert( ssl->session_negotiate );\r
+\r
+ chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );\r
+ if( chain == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",\r
+ sizeof( mbedtls_x509_crt ) ) );\r
+ mbedtls_ssl_send_alert_message( ssl,\r
+ MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );\r
+\r
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;\r
+ goto exit;\r
+ }\r
+ mbedtls_x509_crt_init( chain );\r
+\r
+ ret = ssl_parse_certificate_chain( ssl, chain );\r
+ if( ret != 0 )\r
+ goto exit;\r
+\r
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)\r
+ if( ssl->handshake->ecrs_enabled)\r
+ ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;\r
+\r
+crt_verify:\r
+ if( ssl->handshake->ecrs_enabled)\r
+ rs_ctx = &ssl->handshake->ecrs_ctx;\r
+#endif\r
+\r
+ ret = ssl_parse_certificate_verify( ssl, authmode,\r
+ chain, rs_ctx );\r
+ if( ret != 0 )\r
+ goto exit;\r
+\r
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)\r
+ {\r
+ unsigned char *crt_start, *pk_start;\r
+ size_t crt_len, pk_len;\r
+\r
+ /* We parse the CRT chain without copying, so\r
+ * these pointers point into the input buffer,\r
+ * and are hence still valid after freeing the\r
+ * CRT chain. */\r
+\r
+ crt_start = chain->raw.p;\r
+ crt_len = chain->raw.len;\r
+\r
+ pk_start = chain->pk_raw.p;\r
+ pk_len = chain->pk_raw.len;\r
+\r
+ /* Free the CRT structures before computing\r
+ * digest and copying the peer's public key. */\r
+ mbedtls_x509_crt_free( chain );\r
+ mbedtls_free( chain );\r
+ chain = NULL;\r
+\r
+ ret = ssl_remember_peer_crt_digest( ssl, crt_start, crt_len );\r
+ if( ret != 0 )\r
+ goto exit;\r
+\r
+ ret = ssl_remember_peer_pubkey( ssl, pk_start, pk_len );\r
+ if( ret != 0 )\r
+ goto exit;\r
+ }\r
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+ /* Pass ownership to session structure. */\r
+ ssl->session_negotiate->peer_cert = chain;\r
+ chain = NULL;\r
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );\r
+\r
+exit:\r
+\r
+ if( ret == 0 )\r
+ ssl->state++;\r
+\r
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)\r
+ if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )\r
+ {\r
+ ssl->handshake->ecrs_peer_cert = chain;\r
+ chain = NULL;\r
+ }\r
+#endif\r
+\r
+ if( chain != NULL )\r
+ {\r
+ mbedtls_x509_crt_free( chain );\r
+ mbedtls_free( chain );\r
+ }\r
+\r
+ return( ret );\r
+}\r
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */\r
+\r
+int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );\r
+\r
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;\r
+ ssl->out_msglen = 1;\r
+ ssl->out_msg[0] = 1;\r
+\r
+ ssl->state++;\r
+\r
+ if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );\r
+ return( ret );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );\r
+\r
+ if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );\r
+ return( ret );\r
+ }\r
+\r
+ if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );\r
+ }\r
+\r
+ /* CCS records are only accepted if they have length 1 and content '1',\r
+ * so we don't need to check this here. */\r
+\r
+ /*\r
+ * Switch to our negotiated transform and session parameters for inbound\r
+ * data.\r
+ */\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );\r
+ ssl->transform_in = ssl->transform_negotiate;\r
+ ssl->session_in = ssl->session_negotiate;\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)\r
+ ssl_dtls_replay_reset( ssl );\r
+#endif\r
+\r
+ /* Increment epoch */\r
+ if( ++ssl->in_epoch == 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );\r
+ /* This is highly unlikely to happen for legitimate reasons, so\r
+ treat it as an attack and don't send an alert. */\r
+ return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );\r
+ }\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+ memset( ssl->in_ctr, 0, 8 );\r
+\r
+ ssl_update_in_pointers( ssl );\r
+\r
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)\r
+ if( mbedtls_ssl_hw_record_activate != NULL )\r
+ {\r
+ if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+ }\r
+#endif\r
+\r
+ ssl->state++;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,\r
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info )\r
+{\r
+ ((void) ciphersuite_info);\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+ if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )\r
+ ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;\r
+ else\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA512_C)\r
+ if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )\r
+ ssl->handshake->update_checksum = ssl_update_checksum_sha384;\r
+ else\r
+#endif\r
+#if defined(MBEDTLS_SHA256_C)\r
+ if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )\r
+ ssl->handshake->update_checksum = ssl_update_checksum_sha256;\r
+ else\r
+#endif\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return;\r
+ }\r
+}\r
+\r
+void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )\r
+{\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+ mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 );\r
+ mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA256_C)\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ psa_hash_abort( &ssl->handshake->fin_sha256_psa );\r
+ psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );\r
+#else\r
+ mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );\r
+#endif\r
+#endif\r
+#if defined(MBEDTLS_SHA512_C)\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ psa_hash_abort( &ssl->handshake->fin_sha384_psa );\r
+ psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );\r
+#else\r
+ mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );\r
+#endif\r
+#endif\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+}\r
+\r
+static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,\r
+ const unsigned char *buf, size_t len )\r
+{\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+ mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );\r
+ mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA256_C)\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );\r
+#else\r
+ mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );\r
+#endif\r
+#endif\r
+#if defined(MBEDTLS_SHA512_C)\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );\r
+#else\r
+ mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );\r
+#endif\r
+#endif\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,\r
+ const unsigned char *buf, size_t len )\r
+{\r
+ mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );\r
+ mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA256_C)\r
+static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,\r
+ const unsigned char *buf, size_t len )\r
+{\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );\r
+#else\r
+ mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );\r
+#endif\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_SHA512_C)\r
+static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,\r
+ const unsigned char *buf, size_t len )\r
+{\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ psa_hash_update( &ssl->handshake->fin_sha384_psa, buf, len );\r
+#else\r
+ mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );\r
+#endif\r
+}\r
+#endif\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+static void ssl_calc_finished_ssl(\r
+ mbedtls_ssl_context *ssl, unsigned char *buf, int from )\r
+{\r
+ const char *sender;\r
+ mbedtls_md5_context md5;\r
+ mbedtls_sha1_context sha1;\r
+\r
+ unsigned char padbuf[48];\r
+ unsigned char md5sum[16];\r
+ unsigned char sha1sum[20];\r
+\r
+ mbedtls_ssl_session *session = ssl->session_negotiate;\r
+ if( !session )\r
+ session = ssl->session;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );\r
+\r
+ mbedtls_md5_init( &md5 );\r
+ mbedtls_sha1_init( &sha1 );\r
+\r
+ mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );\r
+ mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );\r
+\r
+ /*\r
+ * SSLv3:\r
+ * hash =\r
+ * MD5( master + pad2 +\r
+ * MD5( handshake + sender + master + pad1 ) )\r
+ * + SHA1( master + pad2 +\r
+ * SHA1( handshake + sender + master + pad1 ) )\r
+ */\r
+\r
+#if !defined(MBEDTLS_MD5_ALT)\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)\r
+ md5.state, sizeof( md5.state ) );\r
+#endif\r
+\r
+#if !defined(MBEDTLS_SHA1_ALT)\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)\r
+ sha1.state, sizeof( sha1.state ) );\r
+#endif\r
+\r
+ sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"\r
+ : "SRVR";\r
+\r
+ memset( padbuf, 0x36, 48 );\r
+\r
+ mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );\r
+ mbedtls_md5_update_ret( &md5, session->master, 48 );\r
+ mbedtls_md5_update_ret( &md5, padbuf, 48 );\r
+ mbedtls_md5_finish_ret( &md5, md5sum );\r
+\r
+ mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );\r
+ mbedtls_sha1_update_ret( &sha1, session->master, 48 );\r
+ mbedtls_sha1_update_ret( &sha1, padbuf, 40 );\r
+ mbedtls_sha1_finish_ret( &sha1, sha1sum );\r
+\r
+ memset( padbuf, 0x5C, 48 );\r
+\r
+ mbedtls_md5_starts_ret( &md5 );\r
+ mbedtls_md5_update_ret( &md5, session->master, 48 );\r
+ mbedtls_md5_update_ret( &md5, padbuf, 48 );\r
+ mbedtls_md5_update_ret( &md5, md5sum, 16 );\r
+ mbedtls_md5_finish_ret( &md5, buf );\r
+\r
+ mbedtls_sha1_starts_ret( &sha1 );\r
+ mbedtls_sha1_update_ret( &sha1, session->master, 48 );\r
+ mbedtls_sha1_update_ret( &sha1, padbuf , 40 );\r
+ mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );\r
+ mbedtls_sha1_finish_ret( &sha1, buf + 16 );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );\r
+\r
+ mbedtls_md5_free( &md5 );\r
+ mbedtls_sha1_free( &sha1 );\r
+\r
+ mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );\r
+ mbedtls_platform_zeroize( md5sum, sizeof( md5sum ) );\r
+ mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+static void ssl_calc_finished_tls(\r
+ mbedtls_ssl_context *ssl, unsigned char *buf, int from )\r
+{\r
+ int len = 12;\r
+ const char *sender;\r
+ mbedtls_md5_context md5;\r
+ mbedtls_sha1_context sha1;\r
+ unsigned char padbuf[36];\r
+\r
+ mbedtls_ssl_session *session = ssl->session_negotiate;\r
+ if( !session )\r
+ session = ssl->session;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );\r
+\r
+ mbedtls_md5_init( &md5 );\r
+ mbedtls_sha1_init( &sha1 );\r
+\r
+ mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );\r
+ mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );\r
+\r
+ /*\r
+ * TLSv1:\r
+ * hash = PRF( master, finished_label,\r
+ * MD5( handshake ) + SHA1( handshake ) )[0..11]\r
+ */\r
+\r
+#if !defined(MBEDTLS_MD5_ALT)\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)\r
+ md5.state, sizeof( md5.state ) );\r
+#endif\r
+\r
+#if !defined(MBEDTLS_SHA1_ALT)\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)\r
+ sha1.state, sizeof( sha1.state ) );\r
+#endif\r
+\r
+ sender = ( from == MBEDTLS_SSL_IS_CLIENT )\r
+ ? "client finished"\r
+ : "server finished";\r
+\r
+ mbedtls_md5_finish_ret( &md5, padbuf );\r
+ mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );\r
+\r
+ ssl->handshake->tls_prf( session->master, 48, sender,\r
+ padbuf, 36, buf, len );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );\r
+\r
+ mbedtls_md5_free( &md5 );\r
+ mbedtls_sha1_free( &sha1 );\r
+\r
+ mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA256_C)\r
+static void ssl_calc_finished_tls_sha256(\r
+ mbedtls_ssl_context *ssl, unsigned char *buf, int from )\r
+{\r
+ int len = 12;\r
+ const char *sender;\r
+ unsigned char padbuf[32];\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ size_t hash_size;\r
+ psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;\r
+ psa_status_t status;\r
+#else\r
+ mbedtls_sha256_context sha256;\r
+#endif\r
+\r
+ mbedtls_ssl_session *session = ssl->session_negotiate;\r
+ if( !session )\r
+ session = ssl->session;\r
+\r
+ sender = ( from == MBEDTLS_SSL_IS_CLIENT )\r
+ ? "client finished"\r
+ : "server finished";\r
+\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ sha256_psa = psa_hash_operation_init();\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha256" ) );\r
+\r
+ status = psa_hash_clone( &ssl->handshake->fin_sha256_psa, &sha256_psa );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );\r
+ return;\r
+ }\r
+\r
+ status = psa_hash_finish( &sha256_psa, padbuf, sizeof( padbuf ), &hash_size );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );\r
+ return;\r
+ }\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 32 );\r
+#else\r
+\r
+ mbedtls_sha256_init( &sha256 );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );\r
+\r
+ mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );\r
+\r
+ /*\r
+ * TLSv1.2:\r
+ * hash = PRF( master, finished_label,\r
+ * Hash( handshake ) )[0.11]\r
+ */\r
+\r
+#if !defined(MBEDTLS_SHA256_ALT)\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)\r
+ sha256.state, sizeof( sha256.state ) );\r
+#endif\r
+\r
+ mbedtls_sha256_finish_ret( &sha256, padbuf );\r
+ mbedtls_sha256_free( &sha256 );\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO */\r
+\r
+ ssl->handshake->tls_prf( session->master, 48, sender,\r
+ padbuf, 32, buf, len );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );\r
+\r
+ mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );\r
+}\r
+#endif /* MBEDTLS_SHA256_C */\r
+\r
+#if defined(MBEDTLS_SHA512_C)\r
+static void ssl_calc_finished_tls_sha384(\r
+ mbedtls_ssl_context *ssl, unsigned char *buf, int from )\r
+{\r
+ int len = 12;\r
+ const char *sender;\r
+ unsigned char padbuf[48];\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ size_t hash_size;\r
+ psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;\r
+ psa_status_t status;\r
+#else\r
+ mbedtls_sha512_context sha512;\r
+#endif\r
+\r
+ mbedtls_ssl_session *session = ssl->session_negotiate;\r
+ if( !session )\r
+ session = ssl->session;\r
+\r
+ sender = ( from == MBEDTLS_SSL_IS_CLIENT )\r
+ ? "client finished"\r
+ : "server finished";\r
+\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ sha384_psa = psa_hash_operation_init();\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc PSA finished tls sha384" ) );\r
+\r
+ status = psa_hash_clone( &ssl->handshake->fin_sha384_psa, &sha384_psa );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash clone failed" ) );\r
+ return;\r
+ }\r
+\r
+ status = psa_hash_finish( &sha384_psa, padbuf, sizeof( padbuf ), &hash_size );\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "PSA hash finish failed" ) );\r
+ return;\r
+ }\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "PSA calculated padbuf", padbuf, 48 );\r
+#else\r
+ mbedtls_sha512_init( &sha512 );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );\r
+\r
+ mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );\r
+\r
+ /*\r
+ * TLSv1.2:\r
+ * hash = PRF( master, finished_label,\r
+ * Hash( handshake ) )[0.11]\r
+ */\r
+\r
+#if !defined(MBEDTLS_SHA512_ALT)\r
+ MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)\r
+ sha512.state, sizeof( sha512.state ) );\r
+#endif\r
+\r
+ mbedtls_sha512_finish_ret( &sha512, padbuf );\r
+ mbedtls_sha512_free( &sha512 );\r
+#endif\r
+\r
+ ssl->handshake->tls_prf( session->master, 48, sender,\r
+ padbuf, 48, buf, len );\r
+\r
+ MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );\r
+\r
+ mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );\r
+}\r
+#endif /* MBEDTLS_SHA512_C */\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )\r
+{\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );\r
+\r
+ /*\r
+ * Free our handshake params\r
+ */\r
+ mbedtls_ssl_handshake_free( ssl );\r
+ mbedtls_free( ssl->handshake );\r
+ ssl->handshake = NULL;\r
+\r
+ /*\r
+ * Free the previous transform and swith in the current one\r
+ */\r
+ if( ssl->transform )\r
+ {\r
+ mbedtls_ssl_transform_free( ssl->transform );\r
+ mbedtls_free( ssl->transform );\r
+ }\r
+ ssl->transform = ssl->transform_negotiate;\r
+ ssl->transform_negotiate = NULL;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );\r
+}\r
+\r
+void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )\r
+{\r
+ int resume = ssl->handshake->resume;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )\r
+ {\r
+ ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;\r
+ ssl->renego_records_seen = 0;\r
+ }\r
+#endif\r
+\r
+ /*\r
+ * Free the previous session and switch in the current one\r
+ */\r
+ if( ssl->session )\r
+ {\r
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)\r
+ /* RFC 7366 3.1: keep the EtM state */\r
+ ssl->session_negotiate->encrypt_then_mac =\r
+ ssl->session->encrypt_then_mac;\r
+#endif\r
+\r
+ mbedtls_ssl_session_free( ssl->session );\r
+ mbedtls_free( ssl->session );\r
+ }\r
+ ssl->session = ssl->session_negotiate;\r
+ ssl->session_negotiate = NULL;\r
+\r
+ /*\r
+ * Add cache entry\r
+ */\r
+ if( ssl->conf->f_set_cache != NULL &&\r
+ ssl->session->id_len != 0 &&\r
+ resume == 0 )\r
+ {\r
+ if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ssl->handshake->flight != NULL )\r
+ {\r
+ /* Cancel handshake timer */\r
+ ssl_set_timer( ssl, 0 );\r
+\r
+ /* Keep last flight around in case we need to resend it:\r
+ * we need the handshake and transform structures for that */\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );\r
+ }\r
+ else\r
+#endif\r
+ ssl_handshake_wrapup_free_hs_transform( ssl );\r
+\r
+ ssl->state++;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );\r
+}\r
+\r
+int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret, hash_len;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );\r
+\r
+ ssl_update_out_pointers( ssl, ssl->transform_negotiate );\r
+\r
+ ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );\r
+\r
+ /*\r
+ * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites\r
+ * may define some other value. Currently (early 2016), no defined\r
+ * ciphersuite does this (and this is unlikely to change as activity has\r
+ * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.\r
+ */\r
+ hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ ssl->verify_data_len = hash_len;\r
+ memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );\r
+#endif\r
+\r
+ ssl->out_msglen = 4 + hash_len;\r
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;\r
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;\r
+\r
+ /*\r
+ * In case of session resuming, invert the client and server\r
+ * ChangeCipherSpec messages order.\r
+ */\r
+ if( ssl->handshake->resume != 0 )\r
+ {\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )\r
+ ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;\r
+#endif\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;\r
+#endif\r
+ }\r
+ else\r
+ ssl->state++;\r
+\r
+ /*\r
+ * Switch to our negotiated transform and session parameters for outbound\r
+ * data.\r
+ */\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ unsigned char i;\r
+\r
+ /* Remember current epoch settings for resending */\r
+ ssl->handshake->alt_transform_out = ssl->transform_out;\r
+ memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );\r
+\r
+ /* Set sequence_number to zero */\r
+ memset( ssl->cur_out_ctr + 2, 0, 6 );\r
+\r
+ /* Increment epoch */\r
+ for( i = 2; i > 0; i-- )\r
+ if( ++ssl->cur_out_ctr[i - 1] != 0 )\r
+ break;\r
+\r
+ /* The loop goes to its end iff the counter is wrapping */\r
+ if( i == 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );\r
+ return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );\r
+ }\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+ memset( ssl->cur_out_ctr, 0, 8 );\r
+\r
+ ssl->transform_out = ssl->transform_negotiate;\r
+ ssl->session_out = ssl->session_negotiate;\r
+\r
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)\r
+ if( mbedtls_ssl_hw_record_activate != NULL )\r
+ {\r
+ if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+ }\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ mbedtls_ssl_send_flight_completed( ssl );\r
+#endif\r
+\r
+ if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );\r
+ return( ret );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );\r
+ return( ret );\r
+ }\r
+#endif\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+#define SSL_MAX_HASH_LEN 36\r
+#else\r
+#define SSL_MAX_HASH_LEN 12\r
+#endif\r
+\r
+int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+ unsigned int hash_len;\r
+ unsigned char buf[SSL_MAX_HASH_LEN];\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );\r
+\r
+ ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );\r
+\r
+ if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );\r
+ return( ret );\r
+ }\r
+\r
+ if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );\r
+ }\r
+\r
+ /* There is currently no ciphersuite using another length with TLS 1.2 */\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )\r
+ hash_len = 36;\r
+ else\r
+#endif\r
+ hash_len = 12;\r
+\r
+ if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||\r
+ ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );\r
+ return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );\r
+ }\r
+\r
+ if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),\r
+ buf, hash_len ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );\r
+ return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ ssl->verify_data_len = hash_len;\r
+ memcpy( ssl->peer_verify_data, buf, hash_len );\r
+#endif\r
+\r
+ if( ssl->handshake->resume != 0 )\r
+ {\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )\r
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;\r
+#endif\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;\r
+#endif\r
+ }\r
+ else\r
+ ssl->state++;\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ mbedtls_ssl_recv_flight_completed( ssl );\r
+#endif\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )\r
+{\r
+ memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+ mbedtls_md5_init( &handshake->fin_md5 );\r
+ mbedtls_sha1_init( &handshake->fin_sha1 );\r
+ mbedtls_md5_starts_ret( &handshake->fin_md5 );\r
+ mbedtls_sha1_starts_ret( &handshake->fin_sha1 );\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA256_C)\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ handshake->fin_sha256_psa = psa_hash_operation_init();\r
+ psa_hash_setup( &handshake->fin_sha256_psa, PSA_ALG_SHA_256 );\r
+#else\r
+ mbedtls_sha256_init( &handshake->fin_sha256 );\r
+ mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );\r
+#endif\r
+#endif\r
+#if defined(MBEDTLS_SHA512_C)\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ handshake->fin_sha384_psa = psa_hash_operation_init();\r
+ psa_hash_setup( &handshake->fin_sha384_psa, PSA_ALG_SHA_384 );\r
+#else\r
+ mbedtls_sha512_init( &handshake->fin_sha512 );\r
+ mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );\r
+#endif\r
+#endif\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+ handshake->update_checksum = ssl_update_checksum_start;\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \\r
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)\r
+ mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );\r
+#endif\r
+\r
+#if defined(MBEDTLS_DHM_C)\r
+ mbedtls_dhm_init( &handshake->dhm_ctx );\r
+#endif\r
+#if defined(MBEDTLS_ECDH_C)\r
+ mbedtls_ecdh_init( &handshake->ecdh_ctx );\r
+#endif\r
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)\r
+ mbedtls_ecjpake_init( &handshake->ecjpake_ctx );\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+ handshake->ecjpake_cache = NULL;\r
+ handshake->ecjpake_cache_len = 0;\r
+#endif\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)\r
+ mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)\r
+ handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;\r
+#endif\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \\r
+ !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)\r
+ mbedtls_pk_init( &handshake->peer_pubkey );\r
+#endif\r
+}\r
+\r
+void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform )\r
+{\r
+ memset( transform, 0, sizeof(mbedtls_ssl_transform) );\r
+\r
+ mbedtls_cipher_init( &transform->cipher_ctx_enc );\r
+ mbedtls_cipher_init( &transform->cipher_ctx_dec );\r
+\r
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)\r
+ mbedtls_md_init( &transform->md_ctx_enc );\r
+ mbedtls_md_init( &transform->md_ctx_dec );\r
+#endif\r
+}\r
+\r
+void mbedtls_ssl_session_init( mbedtls_ssl_session *session )\r
+{\r
+ memset( session, 0, sizeof(mbedtls_ssl_session) );\r
+}\r
+\r
+static int ssl_handshake_init( mbedtls_ssl_context *ssl )\r
+{\r
+ /* Clear old handshake information if present */\r
+ if( ssl->transform_negotiate )\r
+ mbedtls_ssl_transform_free( ssl->transform_negotiate );\r
+ if( ssl->session_negotiate )\r
+ mbedtls_ssl_session_free( ssl->session_negotiate );\r
+ if( ssl->handshake )\r
+ mbedtls_ssl_handshake_free( ssl );\r
+\r
+ /*\r
+ * Either the pointers are now NULL or cleared properly and can be freed.\r
+ * Now allocate missing structures.\r
+ */\r
+ if( ssl->transform_negotiate == NULL )\r
+ {\r
+ ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );\r
+ }\r
+\r
+ if( ssl->session_negotiate == NULL )\r
+ {\r
+ ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );\r
+ }\r
+\r
+ if( ssl->handshake == NULL )\r
+ {\r
+ ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );\r
+ }\r
+\r
+ /* All pointers should exist and can be directly freed without issue */\r
+ if( ssl->handshake == NULL ||\r
+ ssl->transform_negotiate == NULL ||\r
+ ssl->session_negotiate == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );\r
+\r
+ mbedtls_free( ssl->handshake );\r
+ mbedtls_free( ssl->transform_negotiate );\r
+ mbedtls_free( ssl->session_negotiate );\r
+\r
+ ssl->handshake = NULL;\r
+ ssl->transform_negotiate = NULL;\r
+ ssl->session_negotiate = NULL;\r
+\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+ }\r
+\r
+ /* Initialize structures */\r
+ mbedtls_ssl_session_init( ssl->session_negotiate );\r
+ mbedtls_ssl_transform_init( ssl->transform_negotiate );\r
+ ssl_handshake_params_init( ssl->handshake );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ ssl->handshake->alt_transform_out = ssl->transform_out;\r
+\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )\r
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;\r
+ else\r
+ ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;\r
+\r
+ ssl_set_timer( ssl, 0 );\r
+ }\r
+#endif\r
+\r
+ return( 0 );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)\r
+/* Dummy cookie callbacks for defaults */\r
+static int ssl_cookie_write_dummy( void *ctx,\r
+ unsigned char **p, unsigned char *end,\r
+ const unsigned char *cli_id, size_t cli_id_len )\r
+{\r
+ ((void) ctx);\r
+ ((void) p);\r
+ ((void) end);\r
+ ((void) cli_id);\r
+ ((void) cli_id_len);\r
+\r
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );\r
+}\r
+\r
+static int ssl_cookie_check_dummy( void *ctx,\r
+ const unsigned char *cookie, size_t cookie_len,\r
+ const unsigned char *cli_id, size_t cli_id_len )\r
+{\r
+ ((void) ctx);\r
+ ((void) cookie);\r
+ ((void) cookie_len);\r
+ ((void) cli_id);\r
+ ((void) cli_id_len);\r
+\r
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );\r
+}\r
+#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */\r
+\r
+/* Once ssl->out_hdr as the address of the beginning of the\r
+ * next outgoing record is set, deduce the other pointers.\r
+ *\r
+ * Note: For TLS, we save the implicit record sequence number\r
+ * (entering MAC computation) in the 8 bytes before ssl->out_hdr,\r
+ * and the caller has to make sure there's space for this.\r
+ */\r
+\r
+static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,\r
+ mbedtls_ssl_transform *transform )\r
+{\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ ssl->out_ctr = ssl->out_hdr + 3;\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ ssl->out_cid = ssl->out_ctr + 8;\r
+ ssl->out_len = ssl->out_cid;\r
+ if( transform != NULL )\r
+ ssl->out_len += transform->out_cid_len;\r
+#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+ ssl->out_len = ssl->out_ctr + 8;\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+ ssl->out_iv = ssl->out_len + 2;\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ ssl->out_ctr = ssl->out_hdr - 8;\r
+ ssl->out_len = ssl->out_hdr + 3;\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ ssl->out_cid = ssl->out_len;\r
+#endif\r
+ ssl->out_iv = ssl->out_hdr + 5;\r
+ }\r
+\r
+ /* Adjust out_msg to make space for explicit IV, if used. */\r
+ if( transform != NULL &&\r
+ ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )\r
+ {\r
+ ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;\r
+ }\r
+ else\r
+ ssl->out_msg = ssl->out_iv;\r
+}\r
+\r
+/* Once ssl->in_hdr as the address of the beginning of the\r
+ * next incoming record is set, deduce the other pointers.\r
+ *\r
+ * Note: For TLS, we save the implicit record sequence number\r
+ * (entering MAC computation) in the 8 bytes before ssl->in_hdr,\r
+ * and the caller has to make sure there's space for this.\r
+ */\r
+\r
+static void ssl_update_in_pointers( mbedtls_ssl_context *ssl )\r
+{\r
+ /* This function sets the pointers to match the case\r
+ * of unprotected TLS/DTLS records, with both ssl->in_iv\r
+ * and ssl->in_msg pointing to the beginning of the record\r
+ * content.\r
+ *\r
+ * When decrypting a protected record, ssl->in_msg\r
+ * will be shifted to point to the beginning of the\r
+ * record plaintext.\r
+ */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ /* This sets the header pointers to match records\r
+ * without CID. When we receive a record containing\r
+ * a CID, the fields are shifted accordingly in\r
+ * ssl_parse_record_header(). */\r
+ ssl->in_ctr = ssl->in_hdr + 3;\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ ssl->in_cid = ssl->in_ctr + 8;\r
+ ssl->in_len = ssl->in_cid; /* Default: no CID */\r
+#else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+ ssl->in_len = ssl->in_ctr + 8;\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+ ssl->in_iv = ssl->in_len + 2;\r
+ }\r
+ else\r
+#endif\r
+ {\r
+ ssl->in_ctr = ssl->in_hdr - 8;\r
+ ssl->in_len = ssl->in_hdr + 3;\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ ssl->in_cid = ssl->in_len;\r
+#endif\r
+ ssl->in_iv = ssl->in_hdr + 5;\r
+ }\r
+\r
+ /* This will be adjusted at record decryption time. */\r
+ ssl->in_msg = ssl->in_iv;\r
+}\r
+\r
+/*\r
+ * Initialize an SSL context\r
+ */\r
+void mbedtls_ssl_init( mbedtls_ssl_context *ssl )\r
+{\r
+ memset( ssl, 0, sizeof( mbedtls_ssl_context ) );\r
+}\r
+\r
+/*\r
+ * Setup an SSL context\r
+ */\r
+\r
+static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )\r
+{\r
+ /* Set the incoming and outgoing record pointers. */\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ ssl->out_hdr = ssl->out_buf;\r
+ ssl->in_hdr = ssl->in_buf;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+ {\r
+ ssl->out_hdr = ssl->out_buf + 8;\r
+ ssl->in_hdr = ssl->in_buf + 8;\r
+ }\r
+\r
+ /* Derive other internal pointers. */\r
+ ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );\r
+ ssl_update_in_pointers ( ssl );\r
+}\r
+\r
+int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,\r
+ const mbedtls_ssl_config *conf )\r
+{\r
+ int ret;\r
+\r
+ ssl->conf = conf;\r
+\r
+ /*\r
+ * Prepare base structures\r
+ */\r
+\r
+ /* Set to NULL in case of an error condition */\r
+ ssl->out_buf = NULL;\r
+\r
+ ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );\r
+ if( ssl->in_buf == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );\r
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;\r
+ goto error;\r
+ }\r
+\r
+ ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );\r
+ if( ssl->out_buf == NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );\r
+ ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;\r
+ goto error;\r
+ }\r
+\r
+ ssl_reset_in_out_pointers( ssl );\r
+\r
+ if( ( ret = ssl_handshake_init( ssl ) ) != 0 )\r
+ goto error;\r
+\r
+ return( 0 );\r
+\r
+error:\r
+ mbedtls_free( ssl->in_buf );\r
+ mbedtls_free( ssl->out_buf );\r
+\r
+ ssl->conf = NULL;\r
+\r
+ ssl->in_buf = NULL;\r
+ ssl->out_buf = NULL;\r
+\r
+ ssl->in_hdr = NULL;\r
+ ssl->in_ctr = NULL;\r
+ ssl->in_len = NULL;\r
+ ssl->in_iv = NULL;\r
+ ssl->in_msg = NULL;\r
+\r
+ ssl->out_hdr = NULL;\r
+ ssl->out_ctr = NULL;\r
+ ssl->out_len = NULL;\r
+ ssl->out_iv = NULL;\r
+ ssl->out_msg = NULL;\r
+\r
+ return( ret );\r
+}\r
+\r
+/*\r
+ * Reset an initialized and used SSL context for re-use while retaining\r
+ * all application-set variables, function pointers and data.\r
+ *\r
+ * If partial is non-zero, keep data in the input buffer and client ID.\r
+ * (Use when a DTLS client reconnects from the same port.)\r
+ */\r
+static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )\r
+{\r
+ int ret;\r
+\r
+#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || \\r
+ !defined(MBEDTLS_SSL_SRV_C)\r
+ ((void) partial);\r
+#endif\r
+\r
+ ssl->state = MBEDTLS_SSL_HELLO_REQUEST;\r
+\r
+ /* Cancel any possibly running timer */\r
+ ssl_set_timer( ssl, 0 );\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;\r
+ ssl->renego_records_seen = 0;\r
+\r
+ ssl->verify_data_len = 0;\r
+ memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );\r
+ memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );\r
+#endif\r
+ ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;\r
+\r
+ ssl->in_offt = NULL;\r
+ ssl_reset_in_out_pointers( ssl );\r
+\r
+ ssl->in_msgtype = 0;\r
+ ssl->in_msglen = 0;\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ ssl->next_record_offset = 0;\r
+ ssl->in_epoch = 0;\r
+#endif\r
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)\r
+ ssl_dtls_replay_reset( ssl );\r
+#endif\r
+\r
+ ssl->in_hslen = 0;\r
+ ssl->nb_zero = 0;\r
+\r
+ ssl->keep_current_message = 0;\r
+\r
+ ssl->out_msgtype = 0;\r
+ ssl->out_msglen = 0;\r
+ ssl->out_left = 0;\r
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)\r
+ if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )\r
+ ssl->split_done = 0;\r
+#endif\r
+\r
+ memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );\r
+\r
+ ssl->transform_in = NULL;\r
+ ssl->transform_out = NULL;\r
+\r
+ ssl->session_in = NULL;\r
+ ssl->session_out = NULL;\r
+\r
+ memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)\r
+ if( partial == 0 )\r
+#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */\r
+ {\r
+ ssl->in_left = 0;\r
+ memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)\r
+ if( mbedtls_ssl_hw_record_reset != NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );\r
+ if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );\r
+ return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );\r
+ }\r
+ }\r
+#endif\r
+\r
+ if( ssl->transform )\r
+ {\r
+ mbedtls_ssl_transform_free( ssl->transform );\r
+ mbedtls_free( ssl->transform );\r
+ ssl->transform = NULL;\r
+ }\r
+\r
+ if( ssl->session )\r
+ {\r
+ mbedtls_ssl_session_free( ssl->session );\r
+ mbedtls_free( ssl->session );\r
+ ssl->session = NULL;\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_ALPN)\r
+ ssl->alpn_chosen = NULL;\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)\r
+#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)\r
+ if( partial == 0 )\r
+#endif\r
+ {\r
+ mbedtls_free( ssl->cli_id );\r
+ ssl->cli_id = NULL;\r
+ ssl->cli_id_len = 0;\r
+ }\r
+#endif\r
+\r
+ if( ( ret = ssl_handshake_init( ssl ) ) != 0 )\r
+ return( ret );\r
+\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * Reset an initialized and used SSL context for re-use while retaining\r
+ * all application-set variables, function pointers and data.\r
+ */\r
+int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )\r
+{\r
+ return( ssl_session_reset_int( ssl, 0 ) );\r
+}\r
+\r
+/*\r
+ * SSL set accessors\r
+ */\r
+void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )\r
+{\r
+ conf->endpoint = endpoint;\r
+}\r
+\r
+void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )\r
+{\r
+ conf->transport = transport;\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)\r
+void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )\r
+{\r
+ conf->anti_replay = mode;\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)\r
+void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )\r
+{\r
+ conf->badmac_limit = limit;\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+\r
+void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,\r
+ unsigned allow_packing )\r
+{\r
+ ssl->disable_datagram_packing = !allow_packing;\r
+}\r
+\r
+void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,\r
+ uint32_t min, uint32_t max )\r
+{\r
+ conf->hs_timeout_min = min;\r
+ conf->hs_timeout_max = max;\r
+}\r
+#endif\r
+\r
+void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )\r
+{\r
+ conf->authmode = authmode;\r
+}\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,\r
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),\r
+ void *p_vrfy )\r
+{\r
+ conf->f_vrfy = f_vrfy;\r
+ conf->p_vrfy = p_vrfy;\r
+}\r
+#endif /* MBEDTLS_X509_CRT_PARSE_C */\r
+\r
+void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,\r
+ int (*f_rng)(void *, unsigned char *, size_t),\r
+ void *p_rng )\r
+{\r
+ conf->f_rng = f_rng;\r
+ conf->p_rng = p_rng;\r
+}\r
+\r
+void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,\r
+ void (*f_dbg)(void *, int, const char *, int, const char *),\r
+ void *p_dbg )\r
+{\r
+ conf->f_dbg = f_dbg;\r
+ conf->p_dbg = p_dbg;\r
+}\r
+\r
+void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,\r
+ void *p_bio,\r
+ mbedtls_ssl_send_t *f_send,\r
+ mbedtls_ssl_recv_t *f_recv,\r
+ mbedtls_ssl_recv_timeout_t *f_recv_timeout )\r
+{\r
+ ssl->p_bio = p_bio;\r
+ ssl->f_send = f_send;\r
+ ssl->f_recv = f_recv;\r
+ ssl->f_recv_timeout = f_recv_timeout;\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )\r
+{\r
+ ssl->mtu = mtu;\r
+}\r
+#endif\r
+\r
+void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )\r
+{\r
+ conf->read_timeout = timeout;\r
+}\r
+\r
+void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,\r
+ void *p_timer,\r
+ mbedtls_ssl_set_timer_t *f_set_timer,\r
+ mbedtls_ssl_get_timer_t *f_get_timer )\r
+{\r
+ ssl->p_timer = p_timer;\r
+ ssl->f_set_timer = f_set_timer;\r
+ ssl->f_get_timer = f_get_timer;\r
+\r
+ /* Make sure we start with no timer running */\r
+ ssl_set_timer( ssl, 0 );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,\r
+ void *p_cache,\r
+ int (*f_get_cache)(void *, mbedtls_ssl_session *),\r
+ int (*f_set_cache)(void *, const mbedtls_ssl_session *) )\r
+{\r
+ conf->p_cache = p_cache;\r
+ conf->f_get_cache = f_get_cache;\r
+ conf->f_set_cache = f_set_cache;\r
+}\r
+#endif /* MBEDTLS_SSL_SRV_C */\r
+\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )\r
+{\r
+ int ret;\r
+\r
+ if( ssl == NULL ||\r
+ session == NULL ||\r
+ ssl->session_negotiate == NULL ||\r
+ ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )\r
+ {\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,\r
+ session ) ) != 0 )\r
+ return( ret );\r
+\r
+ ssl->handshake->resume = 1;\r
+\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_SSL_CLI_C */\r
+\r
+void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,\r
+ const int *ciphersuites )\r
+{\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;\r
+}\r
+\r
+void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,\r
+ const int *ciphersuites,\r
+ int major, int minor )\r
+{\r
+ if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )\r
+ return;\r
+\r
+ if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )\r
+ return;\r
+\r
+ conf->ciphersuite_list[minor] = ciphersuites;\r
+}\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,\r
+ const mbedtls_x509_crt_profile *profile )\r
+{\r
+ conf->cert_profile = profile;\r
+}\r
+\r
+/* Append a new keycert entry to a (possibly empty) list */\r
+static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,\r
+ mbedtls_x509_crt *cert,\r
+ mbedtls_pk_context *key )\r
+{\r
+ mbedtls_ssl_key_cert *new_cert;\r
+\r
+ new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );\r
+ if( new_cert == NULL )\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+\r
+ new_cert->cert = cert;\r
+ new_cert->key = key;\r
+ new_cert->next = NULL;\r
+\r
+ /* Update head is the list was null, else add to the end */\r
+ if( *head == NULL )\r
+ {\r
+ *head = new_cert;\r
+ }\r
+ else\r
+ {\r
+ mbedtls_ssl_key_cert *cur = *head;\r
+ while( cur->next != NULL )\r
+ cur = cur->next;\r
+ cur->next = new_cert;\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+\r
+int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,\r
+ mbedtls_x509_crt *own_cert,\r
+ mbedtls_pk_context *pk_key )\r
+{\r
+ return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );\r
+}\r
+\r
+void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,\r
+ mbedtls_x509_crt *ca_chain,\r
+ mbedtls_x509_crl *ca_crl )\r
+{\r
+ conf->ca_chain = ca_chain;\r
+ conf->ca_crl = ca_crl;\r
+\r
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)\r
+ /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()\r
+ * cannot be used together. */\r
+ conf->f_ca_cb = NULL;\r
+ conf->p_ca_cb = NULL;\r
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */\r
+}\r
+\r
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)\r
+void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,\r
+ mbedtls_x509_crt_ca_cb_t f_ca_cb,\r
+ void *p_ca_cb )\r
+{\r
+ conf->f_ca_cb = f_ca_cb;\r
+ conf->p_ca_cb = p_ca_cb;\r
+\r
+ /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()\r
+ * cannot be used together. */\r
+ conf->ca_chain = NULL;\r
+ conf->ca_crl = NULL;\r
+}\r
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */\r
+#endif /* MBEDTLS_X509_CRT_PARSE_C */\r
+\r
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)\r
+int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,\r
+ mbedtls_x509_crt *own_cert,\r
+ mbedtls_pk_context *pk_key )\r
+{\r
+ return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,\r
+ own_cert, pk_key ) );\r
+}\r
+\r
+void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,\r
+ mbedtls_x509_crt *ca_chain,\r
+ mbedtls_x509_crl *ca_crl )\r
+{\r
+ ssl->handshake->sni_ca_chain = ca_chain;\r
+ ssl->handshake->sni_ca_crl = ca_crl;\r
+}\r
+\r
+void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,\r
+ int authmode )\r
+{\r
+ ssl->handshake->sni_authmode = authmode;\r
+}\r
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,\r
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),\r
+ void *p_vrfy )\r
+{\r
+ ssl->f_vrfy = f_vrfy;\r
+ ssl->p_vrfy = p_vrfy;\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)\r
+/*\r
+ * Set EC J-PAKE password for current handshake\r
+ */\r
+int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,\r
+ const unsigned char *pw,\r
+ size_t pw_len )\r
+{\r
+ mbedtls_ecjpake_role role;\r
+\r
+ if( ssl->handshake == NULL || ssl->conf == NULL )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ role = MBEDTLS_ECJPAKE_SERVER;\r
+ else\r
+ role = MBEDTLS_ECJPAKE_CLIENT;\r
+\r
+ return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,\r
+ role,\r
+ MBEDTLS_MD_SHA256,\r
+ MBEDTLS_ECP_DP_SECP256R1,\r
+ pw, pw_len ) );\r
+}\r
+#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)\r
+\r
+static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )\r
+{\r
+ /* Remove reference to existing PSK, if any. */\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ if( conf->psk_opaque != 0 )\r
+ {\r
+ /* The maintenance of the PSK key slot is the\r
+ * user's responsibility. */\r
+ conf->psk_opaque = 0;\r
+ }\r
+ /* This and the following branch should never\r
+ * be taken simultaenously as we maintain the\r
+ * invariant that raw and opaque PSKs are never\r
+ * configured simultaneously. As a safeguard,\r
+ * though, `else` is omitted here. */\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO */\r
+ if( conf->psk != NULL )\r
+ {\r
+ mbedtls_platform_zeroize( conf->psk, conf->psk_len );\r
+\r
+ mbedtls_free( conf->psk );\r
+ conf->psk = NULL;\r
+ conf->psk_len = 0;\r
+ }\r
+\r
+ /* Remove reference to PSK identity, if any. */\r
+ if( conf->psk_identity != NULL )\r
+ {\r
+ mbedtls_free( conf->psk_identity );\r
+ conf->psk_identity = NULL;\r
+ conf->psk_identity_len = 0;\r
+ }\r
+}\r
+\r
+/* This function assumes that PSK identity in the SSL config is unset.\r
+ * It checks that the provided identity is well-formed and attempts\r
+ * to make a copy of it in the SSL config.\r
+ * On failure, the PSK identity in the config remains unset. */\r
+static int ssl_conf_set_psk_identity( mbedtls_ssl_config *conf,\r
+ unsigned char const *psk_identity,\r
+ size_t psk_identity_len )\r
+{\r
+ /* Identity len will be encoded on two bytes */\r
+ if( psk_identity == NULL ||\r
+ ( psk_identity_len >> 16 ) != 0 ||\r
+ psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )\r
+ {\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ conf->psk_identity = mbedtls_calloc( 1, psk_identity_len );\r
+ if( conf->psk_identity == NULL )\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+\r
+ conf->psk_identity_len = psk_identity_len;\r
+ memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );\r
+\r
+ return( 0 );\r
+}\r
+\r
+int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,\r
+ const unsigned char *psk, size_t psk_len,\r
+ const unsigned char *psk_identity, size_t psk_identity_len )\r
+{\r
+ int ret;\r
+ /* Remove opaque/raw PSK + PSK Identity */\r
+ ssl_conf_remove_psk( conf );\r
+\r
+ /* Check and set raw PSK */\r
+ if( psk == NULL || psk_len > MBEDTLS_PSK_MAX_LEN )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+ conf->psk_len = psk_len;\r
+ memcpy( conf->psk, psk, conf->psk_len );\r
+\r
+ /* Check and set PSK Identity */\r
+ ret = ssl_conf_set_psk_identity( conf, psk_identity, psk_identity_len );\r
+ if( ret != 0 )\r
+ ssl_conf_remove_psk( conf );\r
+\r
+ return( ret );\r
+}\r
+\r
+static void ssl_remove_psk( mbedtls_ssl_context *ssl )\r
+{\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ if( ssl->handshake->psk_opaque != 0 )\r
+ {\r
+ ssl->handshake->psk_opaque = 0;\r
+ }\r
+ else\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO */\r
+ if( ssl->handshake->psk != NULL )\r
+ {\r
+ mbedtls_platform_zeroize( ssl->handshake->psk,\r
+ ssl->handshake->psk_len );\r
+ mbedtls_free( ssl->handshake->psk );\r
+ ssl->handshake->psk_len = 0;\r
+ }\r
+}\r
+\r
+int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,\r
+ const unsigned char *psk, size_t psk_len )\r
+{\r
+ if( psk == NULL || ssl->handshake == NULL )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ if( psk_len > MBEDTLS_PSK_MAX_LEN )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ ssl_remove_psk( ssl );\r
+\r
+ if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+\r
+ ssl->handshake->psk_len = psk_len;\r
+ memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );\r
+\r
+ return( 0 );\r
+}\r
+\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,\r
+ psa_key_handle_t psk_slot,\r
+ const unsigned char *psk_identity,\r
+ size_t psk_identity_len )\r
+{\r
+ int ret;\r
+ /* Clear opaque/raw PSK + PSK Identity, if present. */\r
+ ssl_conf_remove_psk( conf );\r
+\r
+ /* Check and set opaque PSK */\r
+ if( psk_slot == 0 )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ conf->psk_opaque = psk_slot;\r
+\r
+ /* Check and set PSK Identity */\r
+ ret = ssl_conf_set_psk_identity( conf, psk_identity,\r
+ psk_identity_len );\r
+ if( ret != 0 )\r
+ ssl_conf_remove_psk( conf );\r
+\r
+ return( ret );\r
+}\r
+\r
+int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,\r
+ psa_key_handle_t psk_slot )\r
+{\r
+ if( psk_slot == 0 || ssl->handshake == NULL )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ ssl_remove_psk( ssl );\r
+ ssl->handshake->psk_opaque = psk_slot;\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO */\r
+\r
+void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,\r
+ int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,\r
+ size_t),\r
+ void *p_psk )\r
+{\r
+ conf->f_psk = f_psk;\r
+ conf->p_psk = p_psk;\r
+}\r
+#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */\r
+\r
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)\r
+\r
+#if !defined(MBEDTLS_DEPRECATED_REMOVED)\r
+int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )\r
+{\r
+ int ret;\r
+\r
+ if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ||\r
+ ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )\r
+ {\r
+ mbedtls_mpi_free( &conf->dhm_P );\r
+ mbedtls_mpi_free( &conf->dhm_G );\r
+ return( ret );\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_DEPRECATED_REMOVED */\r
+\r
+int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,\r
+ const unsigned char *dhm_P, size_t P_len,\r
+ const unsigned char *dhm_G, size_t G_len )\r
+{\r
+ int ret;\r
+\r
+ if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||\r
+ ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )\r
+ {\r
+ mbedtls_mpi_free( &conf->dhm_P );\r
+ mbedtls_mpi_free( &conf->dhm_G );\r
+ return( ret );\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+\r
+int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )\r
+{\r
+ int ret;\r
+\r
+ if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ||\r
+ ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )\r
+ {\r
+ mbedtls_mpi_free( &conf->dhm_P );\r
+ mbedtls_mpi_free( &conf->dhm_G );\r
+ return( ret );\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */\r
+\r
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)\r
+/*\r
+ * Set the minimum length for Diffie-Hellman parameters\r
+ */\r
+void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,\r
+ unsigned int bitlen )\r
+{\r
+ conf->dhm_min_bitlen = bitlen;\r
+}\r
+#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)\r
+/*\r
+ * Set allowed/preferred hashes for handshake signatures\r
+ */\r
+void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,\r
+ const int *hashes )\r
+{\r
+ conf->sig_hashes = hashes;\r
+}\r
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */\r
+\r
+#if defined(MBEDTLS_ECP_C)\r
+/*\r
+ * Set the allowed elliptic curves\r
+ */\r
+void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,\r
+ const mbedtls_ecp_group_id *curve_list )\r
+{\r
+ conf->curve_list = curve_list;\r
+}\r
+#endif /* MBEDTLS_ECP_C */\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )\r
+{\r
+ /* Initialize to suppress unnecessary compiler warning */\r
+ size_t hostname_len = 0;\r
+\r
+ /* Check if new hostname is valid before\r
+ * making any change to current one */\r
+ if( hostname != NULL )\r
+ {\r
+ hostname_len = strlen( hostname );\r
+\r
+ if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ /* Now it's clear that we will overwrite the old hostname,\r
+ * so we can free it safely */\r
+\r
+ if( ssl->hostname != NULL )\r
+ {\r
+ mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );\r
+ mbedtls_free( ssl->hostname );\r
+ }\r
+\r
+ /* Passing NULL as hostname shall clear the old one */\r
+\r
+ if( hostname == NULL )\r
+ {\r
+ ssl->hostname = NULL;\r
+ }\r
+ else\r
+ {\r
+ ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );\r
+ if( ssl->hostname == NULL )\r
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );\r
+\r
+ memcpy( ssl->hostname, hostname, hostname_len );\r
+\r
+ ssl->hostname[hostname_len] = '\0';\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_X509_CRT_PARSE_C */\r
+\r
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)\r
+void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,\r
+ int (*f_sni)(void *, mbedtls_ssl_context *,\r
+ const unsigned char *, size_t),\r
+ void *p_sni )\r
+{\r
+ conf->f_sni = f_sni;\r
+ conf->p_sni = p_sni;\r
+}\r
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */\r
+\r
+#if defined(MBEDTLS_SSL_ALPN)\r
+int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )\r
+{\r
+ size_t cur_len, tot_len;\r
+ const char **p;\r
+\r
+ /*\r
+ * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings\r
+ * MUST NOT be truncated."\r
+ * We check lengths now rather than later.\r
+ */\r
+ tot_len = 0;\r
+ for( p = protos; *p != NULL; p++ )\r
+ {\r
+ cur_len = strlen( *p );\r
+ tot_len += cur_len;\r
+\r
+ if( cur_len == 0 || cur_len > 255 || tot_len > 65535 )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ conf->alpn_list = protos;\r
+\r
+ return( 0 );\r
+}\r
+\r
+const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )\r
+{\r
+ return( ssl->alpn_chosen );\r
+}\r
+#endif /* MBEDTLS_SSL_ALPN */\r
+\r
+void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )\r
+{\r
+ conf->max_major_ver = major;\r
+ conf->max_minor_ver = minor;\r
+}\r
+\r
+void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )\r
+{\r
+ conf->min_major_ver = major;\r
+ conf->min_minor_ver = minor;\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)\r
+void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )\r
+{\r
+ conf->fallback = fallback;\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,\r
+ char cert_req_ca_list )\r
+{\r
+ conf->cert_req_ca_list = cert_req_ca_list;\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)\r
+void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )\r
+{\r
+ conf->encrypt_then_mac = etm;\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)\r
+void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )\r
+{\r
+ conf->extended_ms = ems;\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_ARC4_C)\r
+void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )\r
+{\r
+ conf->arc4_disabled = arc4;\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)\r
+int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )\r
+{\r
+ if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||\r
+ ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )\r
+ {\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ conf->mfl_code = mfl_code;\r
+\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */\r
+\r
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)\r
+void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )\r
+{\r
+ conf->trunc_hmac = truncate;\r
+}\r
+#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */\r
+\r
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)\r
+void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )\r
+{\r
+ conf->cbc_record_splitting = split;\r
+}\r
+#endif\r
+\r
+void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )\r
+{\r
+ conf->allow_legacy_renegotiation = allow_legacy;\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )\r
+{\r
+ conf->disable_renegotiation = renegotiation;\r
+}\r
+\r
+void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )\r
+{\r
+ conf->renego_max_records = max_records;\r
+}\r
+\r
+void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,\r
+ const unsigned char period[8] )\r
+{\r
+ memcpy( conf->renego_period, period, 8 );\r
+}\r
+#endif /* MBEDTLS_SSL_RENEGOTIATION */\r
+\r
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )\r
+{\r
+ conf->session_tickets = use_tickets;\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,\r
+ mbedtls_ssl_ticket_write_t *f_ticket_write,\r
+ mbedtls_ssl_ticket_parse_t *f_ticket_parse,\r
+ void *p_ticket )\r
+{\r
+ conf->f_ticket_write = f_ticket_write;\r
+ conf->f_ticket_parse = f_ticket_parse;\r
+ conf->p_ticket = p_ticket;\r
+}\r
+#endif\r
+#endif /* MBEDTLS_SSL_SESSION_TICKETS */\r
+\r
+#if defined(MBEDTLS_SSL_EXPORT_KEYS)\r
+void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,\r
+ mbedtls_ssl_export_keys_t *f_export_keys,\r
+ void *p_export_keys )\r
+{\r
+ conf->f_export_keys = f_export_keys;\r
+ conf->p_export_keys = p_export_keys;\r
+}\r
+\r
+void mbedtls_ssl_conf_export_keys_ext_cb( mbedtls_ssl_config *conf,\r
+ mbedtls_ssl_export_keys_ext_t *f_export_keys_ext,\r
+ void *p_export_keys )\r
+{\r
+ conf->f_export_keys_ext = f_export_keys_ext;\r
+ conf->p_export_keys = p_export_keys;\r
+}\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)\r
+void mbedtls_ssl_conf_async_private_cb(\r
+ mbedtls_ssl_config *conf,\r
+ mbedtls_ssl_async_sign_t *f_async_sign,\r
+ mbedtls_ssl_async_decrypt_t *f_async_decrypt,\r
+ mbedtls_ssl_async_resume_t *f_async_resume,\r
+ mbedtls_ssl_async_cancel_t *f_async_cancel,\r
+ void *async_config_data )\r
+{\r
+ conf->f_async_sign_start = f_async_sign;\r
+ conf->f_async_decrypt_start = f_async_decrypt;\r
+ conf->f_async_resume = f_async_resume;\r
+ conf->f_async_cancel = f_async_cancel;\r
+ conf->p_async_config_data = async_config_data;\r
+}\r
+\r
+void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )\r
+{\r
+ return( conf->p_async_config_data );\r
+}\r
+\r
+void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )\r
+{\r
+ if( ssl->handshake == NULL )\r
+ return( NULL );\r
+ else\r
+ return( ssl->handshake->user_async_ctx );\r
+}\r
+\r
+void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,\r
+ void *ctx )\r
+{\r
+ if( ssl->handshake != NULL )\r
+ ssl->handshake->user_async_ctx = ctx;\r
+}\r
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */\r
+\r
+/*\r
+ * SSL get accessors\r
+ */\r
+size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )\r
+{\r
+ return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );\r
+}\r
+\r
+int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )\r
+{\r
+ /*\r
+ * Case A: We're currently holding back\r
+ * a message for further processing.\r
+ */\r
+\r
+ if( ssl->keep_current_message == 1 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );\r
+ return( 1 );\r
+ }\r
+\r
+ /*\r
+ * Case B: Further records are pending in the current datagram.\r
+ */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ssl->in_left > ssl->next_record_offset )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );\r
+ return( 1 );\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+ /*\r
+ * Case C: A handshake message is being processed.\r
+ */\r
+\r
+ if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );\r
+ return( 1 );\r
+ }\r
+\r
+ /*\r
+ * Case D: An application data message is being processed\r
+ */\r
+ if( ssl->in_offt != NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );\r
+ return( 1 );\r
+ }\r
+\r
+ /*\r
+ * In all other cases, the rest of the message can be dropped.\r
+ * As in ssl_get_next_record, this needs to be adapted if\r
+ * we implement support for multiple alerts in single records.\r
+ */\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );\r
+ return( 0 );\r
+}\r
+\r
+uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )\r
+{\r
+ if( ssl->session != NULL )\r
+ return( ssl->session->verify_result );\r
+\r
+ if( ssl->session_negotiate != NULL )\r
+ return( ssl->session_negotiate->verify_result );\r
+\r
+ return( 0xFFFFFFFF );\r
+}\r
+\r
+const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )\r
+{\r
+ if( ssl == NULL || ssl->session == NULL )\r
+ return( NULL );\r
+\r
+ return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );\r
+}\r
+\r
+const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )\r
+{\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ switch( ssl->minor_ver )\r
+ {\r
+ case MBEDTLS_SSL_MINOR_VERSION_2:\r
+ return( "DTLSv1.0" );\r
+\r
+ case MBEDTLS_SSL_MINOR_VERSION_3:\r
+ return( "DTLSv1.2" );\r
+\r
+ default:\r
+ return( "unknown (DTLS)" );\r
+ }\r
+ }\r
+#endif\r
+\r
+ switch( ssl->minor_ver )\r
+ {\r
+ case MBEDTLS_SSL_MINOR_VERSION_0:\r
+ return( "SSLv3.0" );\r
+\r
+ case MBEDTLS_SSL_MINOR_VERSION_1:\r
+ return( "TLSv1.0" );\r
+\r
+ case MBEDTLS_SSL_MINOR_VERSION_2:\r
+ return( "TLSv1.1" );\r
+\r
+ case MBEDTLS_SSL_MINOR_VERSION_3:\r
+ return( "TLSv1.2" );\r
+\r
+ default:\r
+ return( "unknown" );\r
+ }\r
+}\r
+\r
+int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )\r
+{\r
+ size_t transform_expansion = 0;\r
+ const mbedtls_ssl_transform *transform = ssl->transform_out;\r
+ unsigned block_size;\r
+\r
+ size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl );\r
+\r
+ if( transform == NULL )\r
+ return( (int) out_hdr_len );\r
+\r
+#if defined(MBEDTLS_ZLIB_SUPPORT)\r
+ if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )\r
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );\r
+#endif\r
+\r
+ switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )\r
+ {\r
+ case MBEDTLS_MODE_GCM:\r
+ case MBEDTLS_MODE_CCM:\r
+ case MBEDTLS_MODE_CHACHAPOLY:\r
+ case MBEDTLS_MODE_STREAM:\r
+ transform_expansion = transform->minlen;\r
+ break;\r
+\r
+ case MBEDTLS_MODE_CBC:\r
+\r
+ block_size = mbedtls_cipher_get_block_size(\r
+ &transform->cipher_ctx_enc );\r
+\r
+ /* Expansion due to the addition of the MAC. */\r
+ transform_expansion += transform->maclen;\r
+\r
+ /* Expansion due to the addition of CBC padding;\r
+ * Theoretically up to 256 bytes, but we never use\r
+ * more than the block size of the underlying cipher. */\r
+ transform_expansion += block_size;\r
+\r
+ /* For TLS 1.1 or higher, an explicit IV is added\r
+ * after the record header. */\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )\r
+ transform_expansion += block_size;\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+ break;\r
+\r
+ default:\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)\r
+ if( transform->out_cid_len != 0 )\r
+ transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;\r
+#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */\r
+\r
+ return( (int)( out_hdr_len + transform_expansion ) );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)\r
+size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )\r
+{\r
+ size_t max_len;\r
+\r
+ /*\r
+ * Assume mfl_code is correct since it was checked when set\r
+ */\r
+ max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );\r
+\r
+ /* Check if a smaller max length was negotiated */\r
+ if( ssl->session_out != NULL &&\r
+ ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )\r
+ {\r
+ max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );\r
+ }\r
+\r
+ /* During a handshake, use the value being negotiated */\r
+ if( ssl->session_negotiate != NULL &&\r
+ ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )\r
+ {\r
+ max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );\r
+ }\r
+\r
+ return( max_len );\r
+}\r
+#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )\r
+{\r
+ /* Return unlimited mtu for client hello messages to avoid fragmentation. */\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&\r
+ ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||\r
+ ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )\r
+ return ( 0 );\r
+\r
+ if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )\r
+ return( ssl->mtu );\r
+\r
+ if( ssl->mtu == 0 )\r
+ return( ssl->handshake->mtu );\r
+\r
+ return( ssl->mtu < ssl->handshake->mtu ?\r
+ ssl->mtu : ssl->handshake->mtu );\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )\r
+{\r
+ size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;\r
+\r
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \\r
+ !defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ (void) ssl;\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)\r
+ const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );\r
+\r
+ if( max_len > mfl )\r
+ max_len = mfl;\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl_get_current_mtu( ssl ) != 0 )\r
+ {\r
+ const size_t mtu = ssl_get_current_mtu( ssl );\r
+ const int ret = mbedtls_ssl_get_record_expansion( ssl );\r
+ const size_t overhead = (size_t) ret;\r
+\r
+ if( ret < 0 )\r
+ return( ret );\r
+\r
+ if( mtu <= overhead )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );\r
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );\r
+ }\r
+\r
+ if( max_len > mtu - overhead )\r
+ max_len = mtu - overhead;\r
+ }\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \\r
+ !defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ ((void) ssl);\r
+#endif\r
+\r
+ return( (int) max_len );\r
+}\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )\r
+{\r
+ if( ssl == NULL || ssl->session == NULL )\r
+ return( NULL );\r
+\r
+#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)\r
+ return( ssl->session->peer_cert );\r
+#else\r
+ return( NULL );\r
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+}\r
+#endif /* MBEDTLS_X509_CRT_PARSE_C */\r
+\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl,\r
+ mbedtls_ssl_session *dst )\r
+{\r
+ if( ssl == NULL ||\r
+ dst == NULL ||\r
+ ssl->session == NULL ||\r
+ ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )\r
+ {\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+\r
+ return( mbedtls_ssl_session_copy( dst, ssl->session ) );\r
+}\r
+#endif /* MBEDTLS_SSL_CLI_C */\r
+\r
+/*\r
+ * Perform a single step of the SSL handshake\r
+ */\r
+int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;\r
+\r
+ if( ssl == NULL || ssl->conf == NULL )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )\r
+ ret = mbedtls_ssl_handshake_client_step( ssl );\r
+#endif\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ ret = mbedtls_ssl_handshake_server_step( ssl );\r
+#endif\r
+\r
+ return( ret );\r
+}\r
+\r
+/*\r
+ * Perform the SSL handshake\r
+ */\r
+int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret = 0;\r
+\r
+ if( ssl == NULL || ssl->conf == NULL )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );\r
+\r
+ while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ {\r
+ ret = mbedtls_ssl_handshake_step( ssl );\r
+\r
+ if( ret != 0 )\r
+ break;\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );\r
+\r
+ return( ret );\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+/*\r
+ * Write HelloRequest to request renegotiation on server\r
+ */\r
+static int ssl_write_hello_request( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );\r
+\r
+ ssl->out_msglen = 4;\r
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;\r
+ ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;\r
+\r
+ if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );\r
+ return( ret );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );\r
+\r
+ return( 0 );\r
+}\r
+#endif /* MBEDTLS_SSL_SRV_C */\r
+\r
+/*\r
+ * Actually renegotiate current connection, triggered by either:\r
+ * - any side: calling mbedtls_ssl_renegotiate(),\r
+ * - client: receiving a HelloRequest during mbedtls_ssl_read(),\r
+ * - server: receiving any handshake message on server during mbedtls_ssl_read() after\r
+ * the initial handshake is completed.\r
+ * If the handshake doesn't complete due to waiting for I/O, it will continue\r
+ * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.\r
+ */\r
+static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );\r
+\r
+ if( ( ret = ssl_handshake_init( ssl ) ) != 0 )\r
+ return( ret );\r
+\r
+ /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and\r
+ * the ServerHello will have message_seq = 1" */\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )\r
+ {\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ ssl->handshake->out_msg_seq = 1;\r
+ else\r
+ ssl->handshake->in_msg_seq = 1;\r
+ }\r
+#endif\r
+\r
+ ssl->state = MBEDTLS_SSL_HELLO_REQUEST;\r
+ ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;\r
+\r
+ if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );\r
+ return( ret );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * Renegotiate current connection on client,\r
+ * or request renegotiation on server\r
+ */\r
+int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;\r
+\r
+ if( ssl == NULL || ssl->conf == NULL )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+ /* On server, just send the request */\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ {\r
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;\r
+\r
+ /* Did we already try/start sending HelloRequest? */\r
+ if( ssl->out_left != 0 )\r
+ return( mbedtls_ssl_flush_output( ssl ) );\r
+\r
+ return( ssl_write_hello_request( ssl ) );\r
+ }\r
+#endif /* MBEDTLS_SSL_SRV_C */\r
+\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+ /*\r
+ * On client, either start the renegotiation process or,\r
+ * if already in progress, continue the handshake\r
+ */\r
+ if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )\r
+ {\r
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+ else\r
+ {\r
+ if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+#endif /* MBEDTLS_SSL_CLI_C */\r
+\r
+ return( ret );\r
+}\r
+\r
+/*\r
+ * Check record counters and renegotiate if they're above the limit.\r
+ */\r
+static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )\r
+{\r
+ size_t ep_len = ssl_ep_len( ssl );\r
+ int in_ctr_cmp;\r
+ int out_ctr_cmp;\r
+\r
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||\r
+ ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||\r
+ ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )\r
+ {\r
+ return( 0 );\r
+ }\r
+\r
+ in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,\r
+ ssl->conf->renego_period + ep_len, 8 - ep_len );\r
+ out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,\r
+ ssl->conf->renego_period + ep_len, 8 - ep_len );\r
+\r
+ if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )\r
+ {\r
+ return( 0 );\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );\r
+ return( mbedtls_ssl_renegotiate( ssl ) );\r
+}\r
+#endif /* MBEDTLS_SSL_RENEGOTIATION */\r
+\r
+/*\r
+ * Receive application data decrypted from the SSL layer\r
+ */\r
+int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )\r
+{\r
+ int ret;\r
+ size_t n;\r
+\r
+ if( ssl == NULL || ssl->conf == NULL )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )\r
+ return( ret );\r
+\r
+ if( ssl->handshake != NULL &&\r
+ ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )\r
+ {\r
+ if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )\r
+ return( ret );\r
+ }\r
+ }\r
+#endif\r
+\r
+ /*\r
+ * Check if renegotiation is necessary and/or handshake is\r
+ * in process. If yes, perform/continue, and fall through\r
+ * if an unexpected packet is received while the client\r
+ * is waiting for the ServerHello.\r
+ *\r
+ * (There is no equivalent to the last condition on\r
+ * the server-side as it is not treated as within\r
+ * a handshake while waiting for the ClientHello\r
+ * after a renegotiation request.)\r
+ */\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ ret = ssl_check_ctr_renegotiate( ssl );\r
+ if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&\r
+ ret != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );\r
+ return( ret );\r
+ }\r
+#endif\r
+\r
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ {\r
+ ret = mbedtls_ssl_handshake( ssl );\r
+ if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&\r
+ ret != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+\r
+ /* Loop as long as no application data record is available */\r
+ while( ssl->in_offt == NULL )\r
+ {\r
+ /* Start timer if not already running */\r
+ if( ssl->f_get_timer != NULL &&\r
+ ssl->f_get_timer( ssl->p_timer ) == -1 )\r
+ {\r
+ ssl_set_timer( ssl, ssl->conf->read_timeout );\r
+ }\r
+\r
+ if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )\r
+ {\r
+ if( ret == MBEDTLS_ERR_SSL_CONN_EOF )\r
+ return( 0 );\r
+\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );\r
+ return( ret );\r
+ }\r
+\r
+ if( ssl->in_msglen == 0 &&\r
+ ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )\r
+ {\r
+ /*\r
+ * OpenSSL sends empty messages to randomize the IV\r
+ */\r
+ if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )\r
+ {\r
+ if( ret == MBEDTLS_ERR_SSL_CONN_EOF )\r
+ return( 0 );\r
+\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+\r
+ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );\r
+\r
+ /*\r
+ * - For client-side, expect SERVER_HELLO_REQUEST.\r
+ * - For server-side, expect CLIENT_HELLO.\r
+ * - Fail (TLS) or silently drop record (DTLS) in other cases.\r
+ */\r
+\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&\r
+ ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||\r
+ ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );\r
+\r
+ /* With DTLS, drop the packet (probably from last handshake) */\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ continue;\r
+ }\r
+#endif\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );\r
+ }\r
+#endif /* MBEDTLS_SSL_CLI_C */\r
+\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&\r
+ ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );\r
+\r
+ /* With DTLS, drop the packet (probably from last handshake) */\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ continue;\r
+ }\r
+#endif\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );\r
+ }\r
+#endif /* MBEDTLS_SSL_SRV_C */\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ /* Determine whether renegotiation attempt should be accepted */\r
+ if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||\r
+ ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&\r
+ ssl->conf->allow_legacy_renegotiation ==\r
+ MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )\r
+ {\r
+ /*\r
+ * Accept renegotiation request\r
+ */\r
+\r
+ /* DTLS clients need to know renego is server-initiated */\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&\r
+ ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )\r
+ {\r
+ ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;\r
+ }\r
+#endif\r
+ ret = ssl_start_renegotiation( ssl );\r
+ if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&\r
+ ret != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_RENEGOTIATION */\r
+ {\r
+ /*\r
+ * Refuse renegotiation\r
+ */\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3)\r
+ if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )\r
+ {\r
+ /* SSLv3 does not have a "no_renegotiation" warning, so\r
+ we send a fatal alert and abort the connection. */\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 */\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )\r
+ {\r
+ if( ( ret = mbedtls_ssl_send_alert_message( ssl,\r
+ MBEDTLS_SSL_ALERT_LEVEL_WARNING,\r
+ MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )\r
+ {\r
+ return( ret );\r
+ }\r
+ }\r
+ else\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||\r
+ MBEDTLS_SSL_PROTO_TLS1_2 */\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );\r
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );\r
+ }\r
+ }\r
+\r
+ /* At this point, we don't know whether the renegotiation has been\r
+ * completed or not. The cases to consider are the following:\r
+ * 1) The renegotiation is complete. In this case, no new record\r
+ * has been read yet.\r
+ * 2) The renegotiation is incomplete because the client received\r
+ * an application data record while awaiting the ServerHello.\r
+ * 3) The renegotiation is incomplete because the client received\r
+ * a non-handshake, non-application data message while awaiting\r
+ * the ServerHello.\r
+ * In each of these case, looping will be the proper action:\r
+ * - For 1), the next iteration will read a new record and check\r
+ * if it's application data.\r
+ * - For 2), the loop condition isn't satisfied as application data\r
+ * is present, hence continue is the same as break\r
+ * - For 3), the loop condition is satisfied and read_record\r
+ * will re-deliver the message that was held back by the client\r
+ * when expecting the ServerHello.\r
+ */\r
+ continue;\r
+ }\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )\r
+ {\r
+ if( ssl->conf->renego_max_records >= 0 )\r
+ {\r
+ if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "\r
+ "but not honored by client" ) );\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );\r
+ }\r
+ }\r
+ }\r
+#endif /* MBEDTLS_SSL_RENEGOTIATION */\r
+\r
+ /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */\r
+ if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );\r
+ return( MBEDTLS_ERR_SSL_WANT_READ );\r
+ }\r
+\r
+ if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );\r
+ return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );\r
+ }\r
+\r
+ ssl->in_offt = ssl->in_msg;\r
+\r
+ /* We're going to return something now, cancel timer,\r
+ * except if handshake (renegotiation) is in progress */\r
+ if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ ssl_set_timer( ssl, 0 );\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ /* If we requested renego but received AppData, resend HelloRequest.\r
+ * Do it now, after setting in_offt, to avoid taking this branch\r
+ * again if ssl_write_hello_request() returns WANT_WRITE */\r
+#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&\r
+ ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )\r
+ {\r
+ if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+ }\r
+\r
+ n = ( len < ssl->in_msglen )\r
+ ? len : ssl->in_msglen;\r
+\r
+ memcpy( buf, ssl->in_offt, n );\r
+ ssl->in_msglen -= n;\r
+\r
+ if( ssl->in_msglen == 0 )\r
+ {\r
+ /* all bytes consumed */\r
+ ssl->in_offt = NULL;\r
+ ssl->keep_current_message = 0;\r
+ }\r
+ else\r
+ {\r
+ /* more data available */\r
+ ssl->in_offt += n;\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );\r
+\r
+ return( (int) n );\r
+}\r
+\r
+/*\r
+ * Send application data to be encrypted by the SSL layer, taking care of max\r
+ * fragment length and buffer size.\r
+ *\r
+ * According to RFC 5246 Section 6.2.1:\r
+ *\r
+ * Zero-length fragments of Application data MAY be sent as they are\r
+ * potentially useful as a traffic analysis countermeasure.\r
+ *\r
+ * Therefore, it is possible that the input message length is 0 and the\r
+ * corresponding return code is 0 on success.\r
+ */\r
+static int ssl_write_real( mbedtls_ssl_context *ssl,\r
+ const unsigned char *buf, size_t len )\r
+{\r
+ int ret = mbedtls_ssl_get_max_out_record_payload( ssl );\r
+ const size_t max_len = (size_t) ret;\r
+\r
+ if( ret < 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );\r
+ return( ret );\r
+ }\r
+\r
+ if( len > max_len )\r
+ {\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "\r
+ "maximum fragment length: %d > %d",\r
+ len, max_len ) );\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+ }\r
+ else\r
+#endif\r
+ len = max_len;\r
+ }\r
+\r
+ if( ssl->out_left != 0 )\r
+ {\r
+ /*\r
+ * The user has previously tried to send the data and\r
+ * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially\r
+ * written. In this case, we expect the high-level write function\r
+ * (e.g. mbedtls_ssl_write()) to be called with the same parameters\r
+ */\r
+ if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+ else\r
+ {\r
+ /*\r
+ * The user is trying to send a message the first time, so we need to\r
+ * copy the data into the internal buffers and setup the data structure\r
+ * to keep track of partial writes\r
+ */\r
+ ssl->out_msglen = len;\r
+ ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;\r
+ memcpy( ssl->out_msg, buf, len );\r
+\r
+ if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+\r
+ return( (int) len );\r
+}\r
+\r
+/*\r
+ * Write application data, doing 1/n-1 splitting if necessary.\r
+ *\r
+ * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,\r
+ * then the caller will call us again with the same arguments, so\r
+ * remember whether we already did the split or not.\r
+ */\r
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)\r
+static int ssl_write_split( mbedtls_ssl_context *ssl,\r
+ const unsigned char *buf, size_t len )\r
+{\r
+ int ret;\r
+\r
+ if( ssl->conf->cbc_record_splitting ==\r
+ MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||\r
+ len <= 1 ||\r
+ ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||\r
+ mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )\r
+ != MBEDTLS_MODE_CBC )\r
+ {\r
+ return( ssl_write_real( ssl, buf, len ) );\r
+ }\r
+\r
+ if( ssl->split_done == 0 )\r
+ {\r
+ if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )\r
+ return( ret );\r
+ ssl->split_done = 1;\r
+ }\r
+\r
+ if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )\r
+ return( ret );\r
+ ssl->split_done = 0;\r
+\r
+ return( ret + 1 );\r
+}\r
+#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */\r
+\r
+/*\r
+ * Write application data (public-facing wrapper)\r
+ */\r
+int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )\r
+{\r
+ int ret;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );\r
+\r
+ if( ssl == NULL || ssl->conf == NULL )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );\r
+ return( ret );\r
+ }\r
+#endif\r
+\r
+ if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ {\r
+ if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+\r
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)\r
+ ret = ssl_write_split( ssl, buf, len );\r
+#else\r
+ ret = ssl_write_real( ssl, buf, len );\r
+#endif\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );\r
+\r
+ return( ret );\r
+}\r
+\r
+/*\r
+ * Notify the peer that the connection is being closed\r
+ */\r
+int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )\r
+{\r
+ int ret;\r
+\r
+ if( ssl == NULL || ssl->conf == NULL )\r
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );\r
+\r
+ if( ssl->out_left != 0 )\r
+ return( mbedtls_ssl_flush_output( ssl ) );\r
+\r
+ if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )\r
+ {\r
+ if( ( ret = mbedtls_ssl_send_alert_message( ssl,\r
+ MBEDTLS_SSL_ALERT_LEVEL_WARNING,\r
+ MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );\r
+ return( ret );\r
+ }\r
+ }\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );\r
+\r
+ return( 0 );\r
+}\r
+\r
+void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )\r
+{\r
+ if( transform == NULL )\r
+ return;\r
+\r
+#if defined(MBEDTLS_ZLIB_SUPPORT)\r
+ deflateEnd( &transform->ctx_deflate );\r
+ inflateEnd( &transform->ctx_inflate );\r
+#endif\r
+\r
+ mbedtls_cipher_free( &transform->cipher_ctx_enc );\r
+ mbedtls_cipher_free( &transform->cipher_ctx_dec );\r
+\r
+#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)\r
+ mbedtls_md_free( &transform->md_ctx_enc );\r
+ mbedtls_md_free( &transform->md_ctx_dec );\r
+#endif\r
+\r
+ mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );\r
+}\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )\r
+{\r
+ mbedtls_ssl_key_cert *cur = key_cert, *next;\r
+\r
+ while( cur != NULL )\r
+ {\r
+ next = cur->next;\r
+ mbedtls_free( cur );\r
+ cur = next;\r
+ }\r
+}\r
+#endif /* MBEDTLS_X509_CRT_PARSE_C */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+\r
+static void ssl_buffering_free( mbedtls_ssl_context *ssl )\r
+{\r
+ unsigned offset;\r
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;\r
+\r
+ if( hs == NULL )\r
+ return;\r
+\r
+ ssl_free_buffered_record( ssl );\r
+\r
+ for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )\r
+ ssl_buffering_free_slot( ssl, offset );\r
+}\r
+\r
+static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,\r
+ uint8_t slot )\r
+{\r
+ mbedtls_ssl_handshake_params * const hs = ssl->handshake;\r
+ mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];\r
+\r
+ if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )\r
+ return;\r
+\r
+ if( hs_buf->is_valid == 1 )\r
+ {\r
+ hs->buffering.total_bytes_buffered -= hs_buf->data_len;\r
+ mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );\r
+ mbedtls_free( hs_buf->data );\r
+ memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );\r
+ }\r
+}\r
+\r
+#endif /* MBEDTLS_SSL_PROTO_DTLS */\r
+\r
+void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )\r
+{\r
+ mbedtls_ssl_handshake_params *handshake = ssl->handshake;\r
+\r
+ if( handshake == NULL )\r
+ return;\r
+\r
+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)\r
+ if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )\r
+ {\r
+ ssl->conf->f_async_cancel( ssl );\r
+ handshake->async_in_progress = 0;\r
+ }\r
+#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+ mbedtls_md5_free( &handshake->fin_md5 );\r
+ mbedtls_sha1_free( &handshake->fin_sha1 );\r
+#endif\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+#if defined(MBEDTLS_SHA256_C)\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ psa_hash_abort( &handshake->fin_sha256_psa );\r
+#else\r
+ mbedtls_sha256_free( &handshake->fin_sha256 );\r
+#endif\r
+#endif\r
+#if defined(MBEDTLS_SHA512_C)\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ psa_hash_abort( &handshake->fin_sha384_psa );\r
+#else\r
+ mbedtls_sha512_free( &handshake->fin_sha512 );\r
+#endif\r
+#endif\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+#if defined(MBEDTLS_DHM_C)\r
+ mbedtls_dhm_free( &handshake->dhm_ctx );\r
+#endif\r
+#if defined(MBEDTLS_ECDH_C)\r
+ mbedtls_ecdh_free( &handshake->ecdh_ctx );\r
+#endif\r
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)\r
+ mbedtls_ecjpake_free( &handshake->ecjpake_ctx );\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+ mbedtls_free( handshake->ecjpake_cache );\r
+ handshake->ecjpake_cache = NULL;\r
+ handshake->ecjpake_cache_len = 0;\r
+#endif\r
+#endif\r
+\r
+#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \\r
+ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)\r
+ /* explicit void pointer cast for buggy MS compiler */\r
+ mbedtls_free( (void *) handshake->curves );\r
+#endif\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)\r
+ if( handshake->psk != NULL )\r
+ {\r
+ mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );\r
+ mbedtls_free( handshake->psk );\r
+ }\r
+#endif\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \\r
+ defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)\r
+ /*\r
+ * Free only the linked list wrapper, not the keys themselves\r
+ * since the belong to the SNI callback\r
+ */\r
+ if( handshake->sni_key_cert != NULL )\r
+ {\r
+ mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;\r
+\r
+ while( cur != NULL )\r
+ {\r
+ next = cur->next;\r
+ mbedtls_free( cur );\r
+ cur = next;\r
+ }\r
+ }\r
+#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */\r
+\r
+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)\r
+ mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );\r
+ if( handshake->ecrs_peer_cert != NULL )\r
+ {\r
+ mbedtls_x509_crt_free( handshake->ecrs_peer_cert );\r
+ mbedtls_free( handshake->ecrs_peer_cert );\r
+ }\r
+#endif\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \\r
+ !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)\r
+ mbedtls_pk_free( &handshake->peer_pubkey );\r
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ mbedtls_free( handshake->verify_cookie );\r
+ ssl_flight_free( handshake->flight );\r
+ ssl_buffering_free( ssl );\r
+#endif\r
+\r
+#if defined(MBEDTLS_ECDH_C) && \\r
+ defined(MBEDTLS_USE_PSA_CRYPTO)\r
+ psa_destroy_key( handshake->ecdh_psa_privkey );\r
+#endif /* MBEDTLS_ECDH_C && MBEDTLS_USE_PSA_CRYPTO */\r
+\r
+ mbedtls_platform_zeroize( handshake,\r
+ sizeof( mbedtls_ssl_handshake_params ) );\r
+}\r
+\r
+void mbedtls_ssl_session_free( mbedtls_ssl_session *session )\r
+{\r
+ if( session == NULL )\r
+ return;\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+ ssl_clear_peer_cert( session );\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)\r
+ mbedtls_free( session->ticket );\r
+#endif\r
+\r
+ mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );\r
+}\r
+\r
+/*\r
+ * Free an SSL context\r
+ */\r
+void mbedtls_ssl_free( mbedtls_ssl_context *ssl )\r
+{\r
+ if( ssl == NULL )\r
+ return;\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );\r
+\r
+ if( ssl->out_buf != NULL )\r
+ {\r
+ mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );\r
+ mbedtls_free( ssl->out_buf );\r
+ }\r
+\r
+ if( ssl->in_buf != NULL )\r
+ {\r
+ mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );\r
+ mbedtls_free( ssl->in_buf );\r
+ }\r
+\r
+#if defined(MBEDTLS_ZLIB_SUPPORT)\r
+ if( ssl->compress_buf != NULL )\r
+ {\r
+ mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );\r
+ mbedtls_free( ssl->compress_buf );\r
+ }\r
+#endif\r
+\r
+ if( ssl->transform )\r
+ {\r
+ mbedtls_ssl_transform_free( ssl->transform );\r
+ mbedtls_free( ssl->transform );\r
+ }\r
+\r
+ if( ssl->handshake )\r
+ {\r
+ mbedtls_ssl_handshake_free( ssl );\r
+ mbedtls_ssl_transform_free( ssl->transform_negotiate );\r
+ mbedtls_ssl_session_free( ssl->session_negotiate );\r
+\r
+ mbedtls_free( ssl->handshake );\r
+ mbedtls_free( ssl->transform_negotiate );\r
+ mbedtls_free( ssl->session_negotiate );\r
+ }\r
+\r
+ if( ssl->session )\r
+ {\r
+ mbedtls_ssl_session_free( ssl->session );\r
+ mbedtls_free( ssl->session );\r
+ }\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+ if( ssl->hostname != NULL )\r
+ {\r
+ mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );\r
+ mbedtls_free( ssl->hostname );\r
+ }\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)\r
+ if( mbedtls_ssl_hw_record_finish != NULL )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );\r
+ mbedtls_ssl_hw_record_finish( ssl );\r
+ }\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)\r
+ mbedtls_free( ssl->cli_id );\r
+#endif\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );\r
+\r
+ /* Actually clear after last debug message */\r
+ mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );\r
+}\r
+\r
+/*\r
+ * Initialze mbedtls_ssl_config\r
+ */\r
+void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )\r
+{\r
+ memset( conf, 0, sizeof( mbedtls_ssl_config ) );\r
+}\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)\r
+static int ssl_preset_default_hashes[] = {\r
+#if defined(MBEDTLS_SHA512_C)\r
+ MBEDTLS_MD_SHA512,\r
+ MBEDTLS_MD_SHA384,\r
+#endif\r
+#if defined(MBEDTLS_SHA256_C)\r
+ MBEDTLS_MD_SHA256,\r
+ MBEDTLS_MD_SHA224,\r
+#endif\r
+#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)\r
+ MBEDTLS_MD_SHA1,\r
+#endif\r
+ MBEDTLS_MD_NONE\r
+};\r
+#endif\r
+\r
+static int ssl_preset_suiteb_ciphersuites[] = {\r
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,\r
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,\r
+ 0\r
+};\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)\r
+static int ssl_preset_suiteb_hashes[] = {\r
+ MBEDTLS_MD_SHA256,\r
+ MBEDTLS_MD_SHA384,\r
+ MBEDTLS_MD_NONE\r
+};\r
+#endif\r
+\r
+#if defined(MBEDTLS_ECP_C)\r
+static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {\r
+ MBEDTLS_ECP_DP_SECP256R1,\r
+ MBEDTLS_ECP_DP_SECP384R1,\r
+ MBEDTLS_ECP_DP_NONE\r
+};\r
+#endif\r
+\r
+/*\r
+ * Load default in mbedtls_ssl_config\r
+ */\r
+int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,\r
+ int endpoint, int transport, int preset )\r
+{\r
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)\r
+ int ret;\r
+#endif\r
+\r
+ /* Use the functions here so that they are covered in tests,\r
+ * but otherwise access member directly for efficiency */\r
+ mbedtls_ssl_conf_endpoint( conf, endpoint );\r
+ mbedtls_ssl_conf_transport( conf, transport );\r
+\r
+ /*\r
+ * Things that are common to all presets\r
+ */\r
+#if defined(MBEDTLS_SSL_CLI_C)\r
+ if( endpoint == MBEDTLS_SSL_IS_CLIENT )\r
+ {\r
+ conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;\r
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)\r
+ conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;\r
+#endif\r
+ }\r
+#endif\r
+\r
+#if defined(MBEDTLS_ARC4_C)\r
+ conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)\r
+ conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)\r
+ conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)\r
+ conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)\r
+ conf->f_cookie_write = ssl_cookie_write_dummy;\r
+ conf->f_cookie_check = ssl_cookie_check_dummy;\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)\r
+ conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_SRV_C)\r
+ conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;\r
+ conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;\r
+#endif\r
+\r
+#if defined(MBEDTLS_SSL_RENEGOTIATION)\r
+ conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;\r
+ memset( conf->renego_period, 0x00, 2 );\r
+ memset( conf->renego_period + 2, 0xFF, 6 );\r
+#endif\r
+\r
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)\r
+ if( endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ {\r
+ const unsigned char dhm_p[] =\r
+ MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;\r
+ const unsigned char dhm_g[] =\r
+ MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;\r
+\r
+ if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,\r
+ dhm_p, sizeof( dhm_p ),\r
+ dhm_g, sizeof( dhm_g ) ) ) != 0 )\r
+ {\r
+ return( ret );\r
+ }\r
+ }\r
+#endif\r
+\r
+ /*\r
+ * Preset-specific defaults\r
+ */\r
+ switch( preset )\r
+ {\r
+ /*\r
+ * NSA Suite B\r
+ */\r
+ case MBEDTLS_SSL_PRESET_SUITEB:\r
+ conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;\r
+ conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */\r
+ conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;\r
+ conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;\r
+\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =\r
+ ssl_preset_suiteb_ciphersuites;\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+ conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;\r
+#endif\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)\r
+ conf->sig_hashes = ssl_preset_suiteb_hashes;\r
+#endif\r
+\r
+#if defined(MBEDTLS_ECP_C)\r
+ conf->curve_list = ssl_preset_suiteb_curves;\r
+#endif\r
+ break;\r
+\r
+ /*\r
+ * Default\r
+ */\r
+ default:\r
+ conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >\r
+ MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?\r
+ MBEDTLS_SSL_MIN_MAJOR_VERSION :\r
+ MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;\r
+ conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >\r
+ MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?\r
+ MBEDTLS_SSL_MIN_MINOR_VERSION :\r
+ MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;\r
+ conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;\r
+ conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;\r
+#endif\r
+\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =\r
+ conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =\r
+ mbedtls_ssl_list_ciphersuites();\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+ conf->cert_profile = &mbedtls_x509_crt_profile_default;\r
+#endif\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)\r
+ conf->sig_hashes = ssl_preset_default_hashes;\r
+#endif\r
+\r
+#if defined(MBEDTLS_ECP_C)\r
+ conf->curve_list = mbedtls_ecp_grp_id_list();\r
+#endif\r
+\r
+#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)\r
+ conf->dhm_min_bitlen = 1024;\r
+#endif\r
+ }\r
+\r
+ return( 0 );\r
+}\r
+\r
+/*\r
+ * Free mbedtls_ssl_config\r
+ */\r
+void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )\r
+{\r
+#if defined(MBEDTLS_DHM_C)\r
+ mbedtls_mpi_free( &conf->dhm_P );\r
+ mbedtls_mpi_free( &conf->dhm_G );\r
+#endif\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)\r
+ if( conf->psk != NULL )\r
+ {\r
+ mbedtls_platform_zeroize( conf->psk, conf->psk_len );\r
+ mbedtls_free( conf->psk );\r
+ conf->psk = NULL;\r
+ conf->psk_len = 0;\r
+ }\r
+\r
+ if( conf->psk_identity != NULL )\r
+ {\r
+ mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );\r
+ mbedtls_free( conf->psk_identity );\r
+ conf->psk_identity = NULL;\r
+ conf->psk_identity_len = 0;\r
+ }\r
+#endif\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+ ssl_key_cert_free( conf->key_cert );\r
+#endif\r
+\r
+ mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );\r
+}\r
+\r
+#if defined(MBEDTLS_PK_C) && \\r
+ ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )\r
+/*\r
+ * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX\r
+ */\r
+unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )\r
+{\r
+#if defined(MBEDTLS_RSA_C)\r
+ if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )\r
+ return( MBEDTLS_SSL_SIG_RSA );\r
+#endif\r
+#if defined(MBEDTLS_ECDSA_C)\r
+ if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )\r
+ return( MBEDTLS_SSL_SIG_ECDSA );\r
+#endif\r
+ return( MBEDTLS_SSL_SIG_ANON );\r
+}\r
+\r
+unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )\r
+{\r
+ switch( type ) {\r
+ case MBEDTLS_PK_RSA:\r
+ return( MBEDTLS_SSL_SIG_RSA );\r
+ case MBEDTLS_PK_ECDSA:\r
+ case MBEDTLS_PK_ECKEY:\r
+ return( MBEDTLS_SSL_SIG_ECDSA );\r
+ default:\r
+ return( MBEDTLS_SSL_SIG_ANON );\r
+ }\r
+}\r
+\r
+mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )\r
+{\r
+ switch( sig )\r
+ {\r
+#if defined(MBEDTLS_RSA_C)\r
+ case MBEDTLS_SSL_SIG_RSA:\r
+ return( MBEDTLS_PK_RSA );\r
+#endif\r
+#if defined(MBEDTLS_ECDSA_C)\r
+ case MBEDTLS_SSL_SIG_ECDSA:\r
+ return( MBEDTLS_PK_ECDSA );\r
+#endif\r
+ default:\r
+ return( MBEDTLS_PK_NONE );\r
+ }\r
+}\r
+#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \\r
+ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)\r
+\r
+/* Find an entry in a signature-hash set matching a given hash algorithm. */\r
+mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,\r
+ mbedtls_pk_type_t sig_alg )\r
+{\r
+ switch( sig_alg )\r
+ {\r
+ case MBEDTLS_PK_RSA:\r
+ return( set->rsa );\r
+ case MBEDTLS_PK_ECDSA:\r
+ return( set->ecdsa );\r
+ default:\r
+ return( MBEDTLS_MD_NONE );\r
+ }\r
+}\r
+\r
+/* Add a signature-hash-pair to a signature-hash set */\r
+void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,\r
+ mbedtls_pk_type_t sig_alg,\r
+ mbedtls_md_type_t md_alg )\r
+{\r
+ switch( sig_alg )\r
+ {\r
+ case MBEDTLS_PK_RSA:\r
+ if( set->rsa == MBEDTLS_MD_NONE )\r
+ set->rsa = md_alg;\r
+ break;\r
+\r
+ case MBEDTLS_PK_ECDSA:\r
+ if( set->ecdsa == MBEDTLS_MD_NONE )\r
+ set->ecdsa = md_alg;\r
+ break;\r
+\r
+ default:\r
+ break;\r
+ }\r
+}\r
+\r
+/* Allow exactly one hash algorithm for each signature. */\r
+void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,\r
+ mbedtls_md_type_t md_alg )\r
+{\r
+ set->rsa = md_alg;\r
+ set->ecdsa = md_alg;\r
+}\r
+\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&\r
+ MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */\r
+\r
+/*\r
+ * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX\r
+ */\r
+mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )\r
+{\r
+ switch( hash )\r
+ {\r
+#if defined(MBEDTLS_MD5_C)\r
+ case MBEDTLS_SSL_HASH_MD5:\r
+ return( MBEDTLS_MD_MD5 );\r
+#endif\r
+#if defined(MBEDTLS_SHA1_C)\r
+ case MBEDTLS_SSL_HASH_SHA1:\r
+ return( MBEDTLS_MD_SHA1 );\r
+#endif\r
+#if defined(MBEDTLS_SHA256_C)\r
+ case MBEDTLS_SSL_HASH_SHA224:\r
+ return( MBEDTLS_MD_SHA224 );\r
+ case MBEDTLS_SSL_HASH_SHA256:\r
+ return( MBEDTLS_MD_SHA256 );\r
+#endif\r
+#if defined(MBEDTLS_SHA512_C)\r
+ case MBEDTLS_SSL_HASH_SHA384:\r
+ return( MBEDTLS_MD_SHA384 );\r
+ case MBEDTLS_SSL_HASH_SHA512:\r
+ return( MBEDTLS_MD_SHA512 );\r
+#endif\r
+ default:\r
+ return( MBEDTLS_MD_NONE );\r
+ }\r
+}\r
+\r
+/*\r
+ * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX\r
+ */\r
+unsigned char mbedtls_ssl_hash_from_md_alg( int md )\r
+{\r
+ switch( md )\r
+ {\r
+#if defined(MBEDTLS_MD5_C)\r
+ case MBEDTLS_MD_MD5:\r
+ return( MBEDTLS_SSL_HASH_MD5 );\r
+#endif\r
+#if defined(MBEDTLS_SHA1_C)\r
+ case MBEDTLS_MD_SHA1:\r
+ return( MBEDTLS_SSL_HASH_SHA1 );\r
+#endif\r
+#if defined(MBEDTLS_SHA256_C)\r
+ case MBEDTLS_MD_SHA224:\r
+ return( MBEDTLS_SSL_HASH_SHA224 );\r
+ case MBEDTLS_MD_SHA256:\r
+ return( MBEDTLS_SSL_HASH_SHA256 );\r
+#endif\r
+#if defined(MBEDTLS_SHA512_C)\r
+ case MBEDTLS_MD_SHA384:\r
+ return( MBEDTLS_SSL_HASH_SHA384 );\r
+ case MBEDTLS_MD_SHA512:\r
+ return( MBEDTLS_SSL_HASH_SHA512 );\r
+#endif\r
+ default:\r
+ return( MBEDTLS_SSL_HASH_NONE );\r
+ }\r
+}\r
+\r
+#if defined(MBEDTLS_ECP_C)\r
+/*\r
+ * Check if a curve proposed by the peer is in our list.\r
+ * Return 0 if we're willing to use it, -1 otherwise.\r
+ */\r
+int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )\r
+{\r
+ const mbedtls_ecp_group_id *gid;\r
+\r
+ if( ssl->conf->curve_list == NULL )\r
+ return( -1 );\r
+\r
+ for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )\r
+ if( *gid == grp_id )\r
+ return( 0 );\r
+\r
+ return( -1 );\r
+}\r
+#endif /* MBEDTLS_ECP_C */\r
+\r
+#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)\r
+/*\r
+ * Check if a hash proposed by the peer is in our list.\r
+ * Return 0 if we're willing to use it, -1 otherwise.\r
+ */\r
+int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,\r
+ mbedtls_md_type_t md )\r
+{\r
+ const int *cur;\r
+\r
+ if( ssl->conf->sig_hashes == NULL )\r
+ return( -1 );\r
+\r
+ for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )\r
+ if( *cur == (int) md )\r
+ return( 0 );\r
+\r
+ return( -1 );\r
+}\r
+#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */\r
+\r
+#if defined(MBEDTLS_X509_CRT_PARSE_C)\r
+int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,\r
+ const mbedtls_ssl_ciphersuite_t *ciphersuite,\r
+ int cert_endpoint,\r
+ uint32_t *flags )\r
+{\r
+ int ret = 0;\r
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)\r
+ int usage = 0;\r
+#endif\r
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)\r
+ const char *ext_oid;\r
+ size_t ext_len;\r
+#endif\r
+\r
+#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \\r
+ !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)\r
+ ((void) cert);\r
+ ((void) cert_endpoint);\r
+ ((void) flags);\r
+#endif\r
+\r
+#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)\r
+ if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ {\r
+ /* Server part of the key exchange */\r
+ switch( ciphersuite->key_exchange )\r
+ {\r
+ case MBEDTLS_KEY_EXCHANGE_RSA:\r
+ case MBEDTLS_KEY_EXCHANGE_RSA_PSK:\r
+ usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;\r
+ break;\r
+\r
+ case MBEDTLS_KEY_EXCHANGE_DHE_RSA:\r
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:\r
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:\r
+ usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;\r
+ break;\r
+\r
+ case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:\r
+ case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:\r
+ usage = MBEDTLS_X509_KU_KEY_AGREEMENT;\r
+ break;\r
+\r
+ /* Don't use default: we want warnings when adding new values */\r
+ case MBEDTLS_KEY_EXCHANGE_NONE:\r
+ case MBEDTLS_KEY_EXCHANGE_PSK:\r
+ case MBEDTLS_KEY_EXCHANGE_DHE_PSK:\r
+ case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:\r
+ case MBEDTLS_KEY_EXCHANGE_ECJPAKE:\r
+ usage = 0;\r
+ }\r
+ }\r
+ else\r
+ {\r
+ /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */\r
+ usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;\r
+ }\r
+\r
+ if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )\r
+ {\r
+ *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;\r
+ ret = -1;\r
+ }\r
+#else\r
+ ((void) ciphersuite);\r
+#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */\r
+\r
+#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)\r
+ if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )\r
+ {\r
+ ext_oid = MBEDTLS_OID_SERVER_AUTH;\r
+ ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );\r
+ }\r
+ else\r
+ {\r
+ ext_oid = MBEDTLS_OID_CLIENT_AUTH;\r
+ ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );\r
+ }\r
+\r
+ if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )\r
+ {\r
+ *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;\r
+ ret = -1;\r
+ }\r
+#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */\r
+\r
+ return( ret );\r
+}\r
+#endif /* MBEDTLS_X509_CRT_PARSE_C */\r
+\r
+/*\r
+ * Convert version numbers to/from wire format\r
+ * and, for DTLS, to/from TLS equivalent.\r
+ *\r
+ * For TLS this is the identity.\r
+ * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:\r
+ * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)\r
+ * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)\r
+ */\r
+void mbedtls_ssl_write_version( int major, int minor, int transport,\r
+ unsigned char ver[2] )\r
+{\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )\r
+ --minor; /* DTLS 1.0 stored as TLS 1.1 internally */\r
+\r
+ ver[0] = (unsigned char)( 255 - ( major - 2 ) );\r
+ ver[1] = (unsigned char)( 255 - ( minor - 1 ) );\r
+ }\r
+ else\r
+#else\r
+ ((void) transport);\r
+#endif\r
+ {\r
+ ver[0] = (unsigned char) major;\r
+ ver[1] = (unsigned char) minor;\r
+ }\r
+}\r
+\r
+void mbedtls_ssl_read_version( int *major, int *minor, int transport,\r
+ const unsigned char ver[2] )\r
+{\r
+#if defined(MBEDTLS_SSL_PROTO_DTLS)\r
+ if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )\r
+ {\r
+ *major = 255 - ver[0] + 2;\r
+ *minor = 255 - ver[1] + 1;\r
+\r
+ if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )\r
+ ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */\r
+ }\r
+ else\r
+#else\r
+ ((void) transport);\r
+#endif\r
+ {\r
+ *major = ver[0];\r
+ *minor = ver[1];\r
+ }\r
+}\r
+\r
+int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )\r
+{\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+ if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )\r
+ return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;\r
+\r
+ switch( md )\r
+ {\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+#if defined(MBEDTLS_MD5_C)\r
+ case MBEDTLS_SSL_HASH_MD5:\r
+ return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;\r
+#endif\r
+#if defined(MBEDTLS_SHA1_C)\r
+ case MBEDTLS_SSL_HASH_SHA1:\r
+ ssl->handshake->calc_verify = ssl_calc_verify_tls;\r
+ break;\r
+#endif\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */\r
+#if defined(MBEDTLS_SHA512_C)\r
+ case MBEDTLS_SSL_HASH_SHA384:\r
+ ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;\r
+ break;\r
+#endif\r
+#if defined(MBEDTLS_SHA256_C)\r
+ case MBEDTLS_SSL_HASH_SHA256:\r
+ ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;\r
+ break;\r
+#endif\r
+ default:\r
+ return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;\r
+ }\r
+\r
+ return 0;\r
+#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */\r
+ (void) ssl;\r
+ (void) md;\r
+\r
+ return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */\r
+}\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_1)\r
+int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,\r
+ unsigned char *output,\r
+ unsigned char *data, size_t data_len )\r
+{\r
+ int ret = 0;\r
+ mbedtls_md5_context mbedtls_md5;\r
+ mbedtls_sha1_context mbedtls_sha1;\r
+\r
+ mbedtls_md5_init( &mbedtls_md5 );\r
+ mbedtls_sha1_init( &mbedtls_sha1 );\r
+\r
+ /*\r
+ * digitally-signed struct {\r
+ * opaque md5_hash[16];\r
+ * opaque sha_hash[20];\r
+ * };\r
+ *\r
+ * md5_hash\r
+ * MD5(ClientHello.random + ServerHello.random\r
+ * + ServerParams);\r
+ * sha_hash\r
+ * SHA(ClientHello.random + ServerHello.random\r
+ * + ServerParams);\r
+ */\r
+ if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );\r
+ goto exit;\r
+ }\r
+ if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,\r
+ ssl->handshake->randbytes, 64 ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );\r
+ goto exit;\r
+ }\r
+ if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );\r
+ goto exit;\r
+ }\r
+ if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );\r
+ goto exit;\r
+ }\r
+\r
+ if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );\r
+ goto exit;\r
+ }\r
+ if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,\r
+ ssl->handshake->randbytes, 64 ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );\r
+ goto exit;\r
+ }\r
+ if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,\r
+ data_len ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );\r
+ goto exit;\r
+ }\r
+ if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,\r
+ output + 16 ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );\r
+ goto exit;\r
+ }\r
+\r
+exit:\r
+ mbedtls_md5_free( &mbedtls_md5 );\r
+ mbedtls_sha1_free( &mbedtls_sha1 );\r
+\r
+ if( ret != 0 )\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );\r
+\r
+ return( ret );\r
+\r
+}\r
+#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \\r
+ MBEDTLS_SSL_PROTO_TLS1_1 */\r
+\r
+#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \\r
+ defined(MBEDTLS_SSL_PROTO_TLS1_2)\r
+\r
+#if defined(MBEDTLS_USE_PSA_CRYPTO)\r
+int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,\r
+ unsigned char *hash, size_t *hashlen,\r
+ unsigned char *data, size_t data_len,\r
+ mbedtls_md_type_t md_alg )\r
+{\r
+ psa_status_t status;\r
+ psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;\r
+ psa_algorithm_t hash_alg = mbedtls_psa_translate_md( md_alg );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform PSA-based computation of digest of ServerKeyExchange" ) );\r
+\r
+ if( ( status = psa_hash_setup( &hash_operation,\r
+ hash_alg ) ) != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_setup", status );\r
+ goto exit;\r
+ }\r
+\r
+ if( ( status = psa_hash_update( &hash_operation, ssl->handshake->randbytes,\r
+ 64 ) ) != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );\r
+ goto exit;\r
+ }\r
+\r
+ if( ( status = psa_hash_update( &hash_operation,\r
+ data, data_len ) ) != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_update", status );\r
+ goto exit;\r
+ }\r
+\r
+ if( ( status = psa_hash_finish( &hash_operation, hash, MBEDTLS_MD_MAX_SIZE,\r
+ hashlen ) ) != PSA_SUCCESS )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "psa_hash_finish", status );\r
+ goto exit;\r
+ }\r
+\r
+exit:\r
+ if( status != PSA_SUCCESS )\r
+ {\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );\r
+ switch( status )\r
+ {\r
+ case PSA_ERROR_NOT_SUPPORTED:\r
+ return( MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE );\r
+ case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */\r
+ case PSA_ERROR_BUFFER_TOO_SMALL:\r
+ return( MBEDTLS_ERR_MD_BAD_INPUT_DATA );\r
+ case PSA_ERROR_INSUFFICIENT_MEMORY:\r
+ return( MBEDTLS_ERR_MD_ALLOC_FAILED );\r
+ default:\r
+ return( MBEDTLS_ERR_MD_HW_ACCEL_FAILED );\r
+ }\r
+ }\r
+ return( 0 );\r
+}\r
+\r
+#else\r
+\r
+int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,\r
+ unsigned char *hash, size_t *hashlen,\r
+ unsigned char *data, size_t data_len,\r
+ mbedtls_md_type_t md_alg )\r
+{\r
+ int ret = 0;\r
+ mbedtls_md_context_t ctx;\r
+ const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );\r
+ *hashlen = mbedtls_md_get_size( md_info );\r
+\r
+ MBEDTLS_SSL_DEBUG_MSG( 3, ( "Perform mbedtls-based computation of digest of ServerKeyExchange" ) );\r
+\r
+ mbedtls_md_init( &ctx );\r
+\r
+ /*\r
+ * digitally-signed struct {\r
+ * opaque client_random[32];\r
+ * opaque server_random[32];\r
+ * ServerDHParams params;\r
+ * };\r
+ */\r
+ if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );\r
+ goto exit;\r
+ }\r
+ if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );\r
+ goto exit;\r
+ }\r
+ if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );\r
+ goto exit;\r
+ }\r
+ if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );\r
+ goto exit;\r
+ }\r
+ if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )\r
+ {\r
+ MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );\r
+ goto exit;\r
+ }\r
+\r
+exit:\r
+ mbedtls_md_free( &ctx );\r
+\r
+ if( ret != 0 )\r
+ mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,\r
+ MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );\r
+\r
+ return( ret );\r
+}\r
+#endif /* MBEDTLS_USE_PSA_CRYPTO */\r
+\r
+#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \\r
+ MBEDTLS_SSL_PROTO_TLS1_2 */\r
+\r
+#endif /* MBEDTLS_SSL_TLS_C */\r