vxx / thirdparty / mbedtls / library / ssl_tls.c
10193 lines · 8794 sloc · 329.23 KB · 3d9911f887ecec942f9ae2a5be02d064f233b729
Raw
1/*
2 * TLS shared functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 */
7/*
8 * http://www.ietf.org/rfc/rfc2246.txt
9 * http://www.ietf.org/rfc/rfc4346.txt
10 */
11
12#include "common.h"
13
14#if defined(MBEDTLS_SSL_TLS_C)
15
16#include "mbedtls/platform.h"
17
18#include "mbedtls/ssl.h"
19#include "ssl_client.h"
20#include "ssl_debug_helpers.h"
21#include "ssl_misc.h"
22#include "ssl_tls13_keys.h"
23
24#include "debug_internal.h"
25#include "mbedtls/error.h"
26#include "mbedtls/platform_util.h"
27#include "mbedtls/version.h"
28#include "mbedtls/constant_time.h"
29
30#include <string.h>
31
32#if defined(MBEDTLS_USE_PSA_CRYPTO)
33#include "mbedtls/psa_util.h"
34#include "md_psa.h"
35#include "psa_util_internal.h"
36#include "psa/crypto.h"
37#endif
38
39#if defined(MBEDTLS_X509_CRT_PARSE_C)
40#include "mbedtls/oid.h"
41#endif
42
43#if defined(MBEDTLS_USE_PSA_CRYPTO)
44/* Define local translating functions to save code size by not using too many
45 * arguments in each translating place. */
46static int local_err_translation(psa_status_t status)
47{
48 return psa_status_to_mbedtls(status, psa_to_ssl_errors,
49 ARRAY_LENGTH(psa_to_ssl_errors),
50 psa_generic_status_to_mbedtls);
51}
52#define PSA_TO_MBEDTLS_ERR(status) local_err_translation(status)
53#endif
54
55#if defined(MBEDTLS_TEST_HOOKS)
56static mbedtls_ssl_chk_buf_ptr_args chk_buf_ptr_fail_args;
57
58void mbedtls_ssl_set_chk_buf_ptr_fail_args(
59 const uint8_t *cur, const uint8_t *end, size_t need)
60{
61 chk_buf_ptr_fail_args.cur = cur;
62 chk_buf_ptr_fail_args.end = end;
63 chk_buf_ptr_fail_args.need = need;
64}
65
66void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void)
67{
68 memset(&chk_buf_ptr_fail_args, 0, sizeof(chk_buf_ptr_fail_args));
69}
70
71int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args)
72{
73 return (chk_buf_ptr_fail_args.cur != args->cur) ||
74 (chk_buf_ptr_fail_args.end != args->end) ||
75 (chk_buf_ptr_fail_args.need != args->need);
76}
77#endif /* MBEDTLS_TEST_HOOKS */
78
79#if defined(MBEDTLS_SSL_PROTO_DTLS)
80
81#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
82/* Top-level Connection ID API */
83
84int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf,
85 size_t len,
86 int ignore_other_cid)
87{
88 if (len > MBEDTLS_SSL_CID_IN_LEN_MAX) {
89 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
90 }
91
92 if (ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_FAIL &&
93 ignore_other_cid != MBEDTLS_SSL_UNEXPECTED_CID_IGNORE) {
94 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
95 }
96
97 conf->ignore_unexpected_cid = ignore_other_cid;
98 conf->cid_len = len;
99 return 0;
100}
101
102int mbedtls_ssl_set_cid(mbedtls_ssl_context *ssl,
103 int enable,
104 unsigned char const *own_cid,
105 size_t own_cid_len)
106{
107 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
108 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
109 }
110
111 ssl->negotiate_cid = enable;
112 if (enable == MBEDTLS_SSL_CID_DISABLED) {
113 MBEDTLS_SSL_DEBUG_MSG(3, ("Disable use of CID extension."));
114 return 0;
115 }
116 MBEDTLS_SSL_DEBUG_MSG(3, ("Enable use of CID extension."));
117 MBEDTLS_SSL_DEBUG_BUF(3, "Own CID", own_cid, own_cid_len);
118
119 if (own_cid_len != ssl->conf->cid_len) {
120 MBEDTLS_SSL_DEBUG_MSG(3, ("CID length %u does not match CID length %u in config",
121 (unsigned) own_cid_len,
122 (unsigned) ssl->conf->cid_len));
123 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
124 }
125
126 memcpy(ssl->own_cid, own_cid, own_cid_len);
127 /* Truncation is not an issue here because
128 * MBEDTLS_SSL_CID_IN_LEN_MAX at most 255. */
129 ssl->own_cid_len = (uint8_t) own_cid_len;
130
131 return 0;
132}
133
134int mbedtls_ssl_get_own_cid(mbedtls_ssl_context *ssl,
135 int *enabled,
136 unsigned char own_cid[MBEDTLS_SSL_CID_IN_LEN_MAX],
137 size_t *own_cid_len)
138{
139 *enabled = MBEDTLS_SSL_CID_DISABLED;
140
141 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
142 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
143 }
144
145 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID length is
146 * zero as this is indistinguishable from not requesting to use
147 * the CID extension. */
148 if (ssl->own_cid_len == 0 || ssl->negotiate_cid == MBEDTLS_SSL_CID_DISABLED) {
149 return 0;
150 }
151
152 if (own_cid_len != NULL) {
153 *own_cid_len = ssl->own_cid_len;
154 if (own_cid != NULL) {
155 memcpy(own_cid, ssl->own_cid, ssl->own_cid_len);
156 }
157 }
158
159 *enabled = MBEDTLS_SSL_CID_ENABLED;
160
161 return 0;
162}
163
164int mbedtls_ssl_get_peer_cid(mbedtls_ssl_context *ssl,
165 int *enabled,
166 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX],
167 size_t *peer_cid_len)
168{
169 *enabled = MBEDTLS_SSL_CID_DISABLED;
170
171 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
172 mbedtls_ssl_is_handshake_over(ssl) == 0) {
173 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
174 }
175
176 /* We report MBEDTLS_SSL_CID_DISABLED in case the CID extensions
177 * were used, but client and server requested the empty CID.
178 * This is indistinguishable from not using the CID extension
179 * in the first place. */
180 if (ssl->transform_in->in_cid_len == 0 &&
181 ssl->transform_in->out_cid_len == 0) {
182 return 0;
183 }
184
185 if (peer_cid_len != NULL) {
186 *peer_cid_len = ssl->transform_in->out_cid_len;
187 if (peer_cid != NULL) {
188 memcpy(peer_cid, ssl->transform_in->out_cid,
189 ssl->transform_in->out_cid_len);
190 }
191 }
192
193 *enabled = MBEDTLS_SSL_CID_ENABLED;
194
195 return 0;
196}
197#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
198
199#endif /* MBEDTLS_SSL_PROTO_DTLS */
200
201#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
202/*
203 * Convert max_fragment_length codes to length.
204 * RFC 6066 says:
205 * enum{
206 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
207 * } MaxFragmentLength;
208 * and we add 0 -> extension unused
209 */
210static unsigned int ssl_mfl_code_to_length(int mfl)
211{
212 switch (mfl) {
213 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
214 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
215 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
216 return 512;
217 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
218 return 1024;
219 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
220 return 2048;
221 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
222 return 4096;
223 default:
224 return MBEDTLS_TLS_EXT_ADV_CONTENT_LEN;
225 }
226}
227#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
228
229int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
230 const mbedtls_ssl_session *src)
231{
232 mbedtls_ssl_session_free(dst);
233 memcpy(dst, src, sizeof(mbedtls_ssl_session));
234#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
235 dst->ticket = NULL;
236#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
237 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
238 dst->hostname = NULL;
239#endif
240#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
241
242#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
243 defined(MBEDTLS_SSL_EARLY_DATA)
244 dst->ticket_alpn = NULL;
245#endif
246
247#if defined(MBEDTLS_X509_CRT_PARSE_C)
248
249#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
250 if (src->peer_cert != NULL) {
251 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
252
253 dst->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
254 if (dst->peer_cert == NULL) {
255 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
256 }
257
258 mbedtls_x509_crt_init(dst->peer_cert);
259
260 if ((ret = mbedtls_x509_crt_parse_der(dst->peer_cert, src->peer_cert->raw.p,
261 src->peer_cert->raw.len)) != 0) {
262 mbedtls_free(dst->peer_cert);
263 dst->peer_cert = NULL;
264 return ret;
265 }
266 }
267#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
268 if (src->peer_cert_digest != NULL) {
269 dst->peer_cert_digest =
270 mbedtls_calloc(1, src->peer_cert_digest_len);
271 if (dst->peer_cert_digest == NULL) {
272 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
273 }
274
275 memcpy(dst->peer_cert_digest, src->peer_cert_digest,
276 src->peer_cert_digest_len);
277 dst->peer_cert_digest_type = src->peer_cert_digest_type;
278 dst->peer_cert_digest_len = src->peer_cert_digest_len;
279 }
280#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
281
282#endif /* MBEDTLS_X509_CRT_PARSE_C */
283
284#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_ALPN) && \
285 defined(MBEDTLS_SSL_EARLY_DATA)
286 {
287 int ret = mbedtls_ssl_session_set_ticket_alpn(dst, src->ticket_alpn);
288 if (ret != 0) {
289 return ret;
290 }
291 }
292#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_ALPN && MBEDTLS_SSL_EARLY_DATA */
293
294#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
295 if (src->ticket != NULL) {
296 dst->ticket = mbedtls_calloc(1, src->ticket_len);
297 if (dst->ticket == NULL) {
298 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
299 }
300
301 memcpy(dst->ticket, src->ticket, src->ticket_len);
302 }
303
304#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
305 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
306 if (src->endpoint == MBEDTLS_SSL_IS_CLIENT) {
307 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
308 ret = mbedtls_ssl_session_set_hostname(dst, src->hostname);
309 if (ret != 0) {
310 return ret;
311 }
312 }
313#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
314 MBEDTLS_SSL_SERVER_NAME_INDICATION */
315#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
316
317 return 0;
318}
319
320#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
321MBEDTLS_CHECK_RETURN_CRITICAL
322static int resize_buffer(unsigned char **buffer, size_t len_new, size_t *len_old)
323{
324 unsigned char *resized_buffer = mbedtls_calloc(1, len_new);
325 if (resized_buffer == NULL) {
326 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
327 }
328
329 /* We want to copy len_new bytes when downsizing the buffer, and
330 * len_old bytes when upsizing, so we choose the smaller of two sizes,
331 * to fit one buffer into another. Size checks, ensuring that no data is
332 * lost, are done outside of this function. */
333 memcpy(resized_buffer, *buffer,
334 (len_new < *len_old) ? len_new : *len_old);
335 mbedtls_zeroize_and_free(*buffer, *len_old);
336
337 *buffer = resized_buffer;
338 *len_old = len_new;
339
340 return 0;
341}
342
343static void handle_buffer_resizing(mbedtls_ssl_context *ssl, int downsizing,
344 size_t in_buf_new_len,
345 size_t out_buf_new_len)
346{
347 int modified = 0;
348 size_t written_in = 0, iv_offset_in = 0, len_offset_in = 0, hdr_in = 0;
349 size_t written_out = 0, iv_offset_out = 0, len_offset_out = 0;
350 if (ssl->in_buf != NULL) {
351 written_in = ssl->in_msg - ssl->in_buf;
352 iv_offset_in = ssl->in_iv - ssl->in_buf;
353 len_offset_in = ssl->in_len - ssl->in_buf;
354 hdr_in = ssl->in_hdr - ssl->in_buf;
355 if (downsizing ?
356 ssl->in_buf_len > in_buf_new_len && ssl->in_left < in_buf_new_len :
357 ssl->in_buf_len < in_buf_new_len) {
358 if (resize_buffer(&ssl->in_buf, in_buf_new_len, &ssl->in_buf_len) != 0) {
359 MBEDTLS_SSL_DEBUG_MSG(1, ("input buffer resizing failed - out of memory"));
360 } else {
361 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating in_buf to %" MBEDTLS_PRINTF_SIZET,
362 in_buf_new_len));
363 modified = 1;
364 }
365 }
366 }
367
368 if (ssl->out_buf != NULL) {
369 written_out = ssl->out_msg - ssl->out_buf;
370 iv_offset_out = ssl->out_iv - ssl->out_buf;
371 len_offset_out = ssl->out_len - ssl->out_buf;
372 if (downsizing ?
373 ssl->out_buf_len > out_buf_new_len && ssl->out_left < out_buf_new_len :
374 ssl->out_buf_len < out_buf_new_len) {
375 if (resize_buffer(&ssl->out_buf, out_buf_new_len, &ssl->out_buf_len) != 0) {
376 MBEDTLS_SSL_DEBUG_MSG(1, ("output buffer resizing failed - out of memory"));
377 } else {
378 MBEDTLS_SSL_DEBUG_MSG(2, ("Reallocating out_buf to %" MBEDTLS_PRINTF_SIZET,
379 out_buf_new_len));
380 modified = 1;
381 }
382 }
383 }
384 if (modified) {
385 /* Update pointers here to avoid doing it twice. */
386 ssl->in_hdr = ssl->in_buf + hdr_in;
387 mbedtls_ssl_update_in_pointers(ssl);
388 mbedtls_ssl_reset_out_pointers(ssl);
389
390 /* Fields below might not be properly updated with record
391 * splitting or with CID, so they are manually updated here. */
392 ssl->out_msg = ssl->out_buf + written_out;
393 ssl->out_len = ssl->out_buf + len_offset_out;
394 ssl->out_iv = ssl->out_buf + iv_offset_out;
395
396 ssl->in_msg = ssl->in_buf + written_in;
397 ssl->in_len = ssl->in_buf + len_offset_in;
398 ssl->in_iv = ssl->in_buf + iv_offset_in;
399 }
400}
401#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
402
403#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
404
405#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
406typedef int (*tls_prf_fn)(const unsigned char *secret, size_t slen,
407 const char *label,
408 const unsigned char *random, size_t rlen,
409 unsigned char *dstbuf, size_t dlen);
410
411static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id);
412
413#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
414
415/* Type for the TLS PRF */
416typedef int ssl_tls_prf_t(const unsigned char *, size_t, const char *,
417 const unsigned char *, size_t,
418 unsigned char *, size_t);
419
420MBEDTLS_CHECK_RETURN_CRITICAL
421static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
422 int ciphersuite,
423 const unsigned char master[48],
424#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
425 int encrypt_then_mac,
426#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
427 ssl_tls_prf_t tls_prf,
428 const unsigned char randbytes[64],
429 mbedtls_ssl_protocol_version tls_version,
430 unsigned endpoint,
431 const mbedtls_ssl_context *ssl);
432
433#if defined(MBEDTLS_MD_CAN_SHA256)
434MBEDTLS_CHECK_RETURN_CRITICAL
435static int tls_prf_sha256(const unsigned char *secret, size_t slen,
436 const char *label,
437 const unsigned char *random, size_t rlen,
438 unsigned char *dstbuf, size_t dlen);
439static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
440static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
441
442#endif /* MBEDTLS_MD_CAN_SHA256*/
443
444#if defined(MBEDTLS_MD_CAN_SHA384)
445MBEDTLS_CHECK_RETURN_CRITICAL
446static int tls_prf_sha384(const unsigned char *secret, size_t slen,
447 const char *label,
448 const unsigned char *random, size_t rlen,
449 unsigned char *dstbuf, size_t dlen);
450
451static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
452static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
453#endif /* MBEDTLS_MD_CAN_SHA384*/
454
455MBEDTLS_CHECK_RETURN_CRITICAL
456static int ssl_tls12_session_load(mbedtls_ssl_session *session,
457 const unsigned char *buf,
458 size_t len);
459#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
460
461static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
462
463#if defined(MBEDTLS_MD_CAN_SHA256)
464static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
465#endif /* MBEDTLS_MD_CAN_SHA256*/
466
467#if defined(MBEDTLS_MD_CAN_SHA384)
468static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
469#endif /* MBEDTLS_MD_CAN_SHA384*/
470
471int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
472 const unsigned char *secret, size_t slen,
473 const char *label,
474 const unsigned char *random, size_t rlen,
475 unsigned char *dstbuf, size_t dlen)
476{
477 mbedtls_ssl_tls_prf_cb *tls_prf = NULL;
478
479 switch (prf) {
480#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
481#if defined(MBEDTLS_MD_CAN_SHA384)
482 case MBEDTLS_SSL_TLS_PRF_SHA384:
483 tls_prf = tls_prf_sha384;
484 break;
485#endif /* MBEDTLS_MD_CAN_SHA384*/
486#if defined(MBEDTLS_MD_CAN_SHA256)
487 case MBEDTLS_SSL_TLS_PRF_SHA256:
488 tls_prf = tls_prf_sha256;
489 break;
490#endif /* MBEDTLS_MD_CAN_SHA256*/
491#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
492 default:
493 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
494 }
495
496 return tls_prf(secret, slen, label, random, rlen, dstbuf, dlen);
497}
498
499#if defined(MBEDTLS_X509_CRT_PARSE_C)
500static void ssl_clear_peer_cert(mbedtls_ssl_session *session)
501{
502#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
503 if (session->peer_cert != NULL) {
504 mbedtls_x509_crt_free(session->peer_cert);
505 mbedtls_free(session->peer_cert);
506 session->peer_cert = NULL;
507 }
508#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
509 if (session->peer_cert_digest != NULL) {
510 /* Zeroization is not necessary. */
511 mbedtls_free(session->peer_cert_digest);
512 session->peer_cert_digest = NULL;
513 session->peer_cert_digest_type = MBEDTLS_MD_NONE;
514 session->peer_cert_digest_len = 0;
515 }
516#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
517}
518#endif /* MBEDTLS_X509_CRT_PARSE_C */
519
520uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type)
521{
522 switch (extension_type) {
523 case MBEDTLS_TLS_EXT_SERVERNAME:
524 return MBEDTLS_SSL_EXT_ID_SERVERNAME;
525
526 case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
527 return MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH;
528
529 case MBEDTLS_TLS_EXT_STATUS_REQUEST:
530 return MBEDTLS_SSL_EXT_ID_STATUS_REQUEST;
531
532 case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
533 return MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS;
534
535 case MBEDTLS_TLS_EXT_SIG_ALG:
536 return MBEDTLS_SSL_EXT_ID_SIG_ALG;
537
538 case MBEDTLS_TLS_EXT_USE_SRTP:
539 return MBEDTLS_SSL_EXT_ID_USE_SRTP;
540
541 case MBEDTLS_TLS_EXT_HEARTBEAT:
542 return MBEDTLS_SSL_EXT_ID_HEARTBEAT;
543
544 case MBEDTLS_TLS_EXT_ALPN:
545 return MBEDTLS_SSL_EXT_ID_ALPN;
546
547 case MBEDTLS_TLS_EXT_SCT:
548 return MBEDTLS_SSL_EXT_ID_SCT;
549
550 case MBEDTLS_TLS_EXT_CLI_CERT_TYPE:
551 return MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE;
552
553 case MBEDTLS_TLS_EXT_SERV_CERT_TYPE:
554 return MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE;
555
556 case MBEDTLS_TLS_EXT_PADDING:
557 return MBEDTLS_SSL_EXT_ID_PADDING;
558
559 case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
560 return MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY;
561
562 case MBEDTLS_TLS_EXT_EARLY_DATA:
563 return MBEDTLS_SSL_EXT_ID_EARLY_DATA;
564
565 case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
566 return MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS;
567
568 case MBEDTLS_TLS_EXT_COOKIE:
569 return MBEDTLS_SSL_EXT_ID_COOKIE;
570
571 case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
572 return MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES;
573
574 case MBEDTLS_TLS_EXT_CERT_AUTH:
575 return MBEDTLS_SSL_EXT_ID_CERT_AUTH;
576
577 case MBEDTLS_TLS_EXT_OID_FILTERS:
578 return MBEDTLS_SSL_EXT_ID_OID_FILTERS;
579
580 case MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH:
581 return MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH;
582
583 case MBEDTLS_TLS_EXT_SIG_ALG_CERT:
584 return MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT;
585
586 case MBEDTLS_TLS_EXT_KEY_SHARE:
587 return MBEDTLS_SSL_EXT_ID_KEY_SHARE;
588
589 case MBEDTLS_TLS_EXT_TRUNCATED_HMAC:
590 return MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC;
591
592 case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
593 return MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS;
594
595 case MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC:
596 return MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC;
597
598 case MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET:
599 return MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET;
600
601 case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
602 return MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT;
603
604 case MBEDTLS_TLS_EXT_SESSION_TICKET:
605 return MBEDTLS_SSL_EXT_ID_SESSION_TICKET;
606
607 }
608
609 return MBEDTLS_SSL_EXT_ID_UNRECOGNIZED;
610}
611
612uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type)
613{
614 return 1 << mbedtls_ssl_get_extension_id(extension_type);
615}
616
617#if defined(MBEDTLS_DEBUG_C)
618static const char *extension_name_table[] = {
619 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = "unrecognized",
620 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = "server_name",
621 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = "max_fragment_length",
622 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = "status_request",
623 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = "supported_groups",
624 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = "signature_algorithms",
625 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = "use_srtp",
626 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = "heartbeat",
627 [MBEDTLS_SSL_EXT_ID_ALPN] = "application_layer_protocol_negotiation",
628 [MBEDTLS_SSL_EXT_ID_SCT] = "signed_certificate_timestamp",
629 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = "client_certificate_type",
630 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = "server_certificate_type",
631 [MBEDTLS_SSL_EXT_ID_PADDING] = "padding",
632 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = "pre_shared_key",
633 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = "early_data",
634 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = "supported_versions",
635 [MBEDTLS_SSL_EXT_ID_COOKIE] = "cookie",
636 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = "psk_key_exchange_modes",
637 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = "certificate_authorities",
638 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = "oid_filters",
639 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = "post_handshake_auth",
640 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = "signature_algorithms_cert",
641 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = "key_share",
642 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = "truncated_hmac",
643 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = "supported_point_formats",
644 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = "encrypt_then_mac",
645 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = "extended_master_secret",
646 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = "session_ticket",
647 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = "record_size_limit"
648};
649
650static const unsigned int extension_type_table[] = {
651 [MBEDTLS_SSL_EXT_ID_UNRECOGNIZED] = 0xff,
652 [MBEDTLS_SSL_EXT_ID_SERVERNAME] = MBEDTLS_TLS_EXT_SERVERNAME,
653 [MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH] = MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH,
654 [MBEDTLS_SSL_EXT_ID_STATUS_REQUEST] = MBEDTLS_TLS_EXT_STATUS_REQUEST,
655 [MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS] = MBEDTLS_TLS_EXT_SUPPORTED_GROUPS,
656 [MBEDTLS_SSL_EXT_ID_SIG_ALG] = MBEDTLS_TLS_EXT_SIG_ALG,
657 [MBEDTLS_SSL_EXT_ID_USE_SRTP] = MBEDTLS_TLS_EXT_USE_SRTP,
658 [MBEDTLS_SSL_EXT_ID_HEARTBEAT] = MBEDTLS_TLS_EXT_HEARTBEAT,
659 [MBEDTLS_SSL_EXT_ID_ALPN] = MBEDTLS_TLS_EXT_ALPN,
660 [MBEDTLS_SSL_EXT_ID_SCT] = MBEDTLS_TLS_EXT_SCT,
661 [MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE] = MBEDTLS_TLS_EXT_CLI_CERT_TYPE,
662 [MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE] = MBEDTLS_TLS_EXT_SERV_CERT_TYPE,
663 [MBEDTLS_SSL_EXT_ID_PADDING] = MBEDTLS_TLS_EXT_PADDING,
664 [MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY] = MBEDTLS_TLS_EXT_PRE_SHARED_KEY,
665 [MBEDTLS_SSL_EXT_ID_EARLY_DATA] = MBEDTLS_TLS_EXT_EARLY_DATA,
666 [MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS] = MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS,
667 [MBEDTLS_SSL_EXT_ID_COOKIE] = MBEDTLS_TLS_EXT_COOKIE,
668 [MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES] = MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES,
669 [MBEDTLS_SSL_EXT_ID_CERT_AUTH] = MBEDTLS_TLS_EXT_CERT_AUTH,
670 [MBEDTLS_SSL_EXT_ID_OID_FILTERS] = MBEDTLS_TLS_EXT_OID_FILTERS,
671 [MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH] = MBEDTLS_TLS_EXT_POST_HANDSHAKE_AUTH,
672 [MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT] = MBEDTLS_TLS_EXT_SIG_ALG_CERT,
673 [MBEDTLS_SSL_EXT_ID_KEY_SHARE] = MBEDTLS_TLS_EXT_KEY_SHARE,
674 [MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC] = MBEDTLS_TLS_EXT_TRUNCATED_HMAC,
675 [MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS] = MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS,
676 [MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC] = MBEDTLS_TLS_EXT_ENCRYPT_THEN_MAC,
677 [MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET] = MBEDTLS_TLS_EXT_EXTENDED_MASTER_SECRET,
678 [MBEDTLS_SSL_EXT_ID_SESSION_TICKET] = MBEDTLS_TLS_EXT_SESSION_TICKET,
679 [MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT] = MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT
680};
681
682const char *mbedtls_ssl_get_extension_name(unsigned int extension_type)
683{
684 return extension_name_table[
685 mbedtls_ssl_get_extension_id(extension_type)];
686}
687
688const char *mbedtls_ssl_get_hs_msg_name(int hs_msg_type)
689{
690 switch (hs_msg_type) {
691 case MBEDTLS_SSL_HS_CLIENT_HELLO:
692 return "ClientHello";
693 case MBEDTLS_SSL_HS_SERVER_HELLO:
694 return "ServerHello";
695 case MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST:
696 return "HelloRetryRequest";
697 case MBEDTLS_SSL_HS_NEW_SESSION_TICKET:
698 return "NewSessionTicket";
699 case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
700 return "EncryptedExtensions";
701 case MBEDTLS_SSL_HS_CERTIFICATE:
702 return "Certificate";
703 case MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE:
704 return "ServerKeyExchange";
705 case MBEDTLS_SSL_HS_CERTIFICATE_REQUEST:
706 return "CertificateRequest";
707 case MBEDTLS_SSL_HS_CERTIFICATE_VERIFY:
708 return "CertificateVerify";
709 case MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE:
710 return "ClientKeyExchange";
711 case MBEDTLS_SSL_HS_FINISHED:
712 return "Finished";
713 }
714 return "Unknown";
715}
716
717void mbedtls_ssl_print_extension(const mbedtls_ssl_context *ssl,
718 int level, const char *file, int line,
719 int hs_msg_type, unsigned int extension_type,
720 const char *extra_msg0, const char *extra_msg1)
721{
722 const char *extra_msg;
723 if (extra_msg0 && extra_msg1) {
724 mbedtls_debug_print_msg(
725 ssl, level, file, line,
726 "%s: %s(%u) extension %s %s.",
727 mbedtls_ssl_get_hs_msg_name(hs_msg_type),
728 mbedtls_ssl_get_extension_name(extension_type),
729 extension_type,
730 extra_msg0, extra_msg1);
731 return;
732 }
733
734 extra_msg = extra_msg0 ? extra_msg0 : extra_msg1;
735 if (extra_msg) {
736 mbedtls_debug_print_msg(
737 ssl, level, file, line,
738 "%s: %s(%u) extension %s.", mbedtls_ssl_get_hs_msg_name(hs_msg_type),
739 mbedtls_ssl_get_extension_name(extension_type), extension_type,
740 extra_msg);
741 return;
742 }
743
744 mbedtls_debug_print_msg(
745 ssl, level, file, line,
746 "%s: %s(%u) extension.", mbedtls_ssl_get_hs_msg_name(hs_msg_type),
747 mbedtls_ssl_get_extension_name(extension_type), extension_type);
748}
749
750void mbedtls_ssl_print_extensions(const mbedtls_ssl_context *ssl,
751 int level, const char *file, int line,
752 int hs_msg_type, uint32_t extensions_mask,
753 const char *extra)
754{
755
756 for (unsigned i = 0;
757 i < sizeof(extension_name_table) / sizeof(extension_name_table[0]);
758 i++) {
759 mbedtls_ssl_print_extension(
760 ssl, level, file, line, hs_msg_type, extension_type_table[i],
761 extensions_mask & (1 << i) ? "exists" : "does not exist", extra);
762 }
763}
764
765#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
766static const char *ticket_flag_name_table[] =
767{
768 [0] = "ALLOW_PSK_RESUMPTION",
769 [2] = "ALLOW_PSK_EPHEMERAL_RESUMPTION",
770 [3] = "ALLOW_EARLY_DATA",
771};
772
773void mbedtls_ssl_print_ticket_flags(const mbedtls_ssl_context *ssl,
774 int level, const char *file, int line,
775 unsigned int flags)
776{
777 size_t i;
778
779 mbedtls_debug_print_msg(ssl, level, file, line,
780 "print ticket_flags (0x%02x)", flags);
781
782 flags = flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK;
783
784 for (i = 0; i < ARRAY_LENGTH(ticket_flag_name_table); i++) {
785 if ((flags & (1 << i))) {
786 mbedtls_debug_print_msg(ssl, level, file, line, "- %s is set.",
787 ticket_flag_name_table[i]);
788 }
789 }
790}
791#endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
792
793#endif /* MBEDTLS_DEBUG_C */
794
795void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
796 const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
797{
798 ((void) ciphersuite_info);
799
800#if defined(MBEDTLS_MD_CAN_SHA384)
801 if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
802 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
803 } else
804#endif
805#if defined(MBEDTLS_MD_CAN_SHA256)
806 if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
807 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
808 } else
809#endif
810 {
811 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
812 return;
813 }
814}
815
816int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
817 unsigned hs_type,
818 size_t total_hs_len)
819{
820 unsigned char hs_hdr[4];
821
822 /* Build HS header for checksum update. */
823 hs_hdr[0] = MBEDTLS_BYTE_0(hs_type);
824 hs_hdr[1] = MBEDTLS_BYTE_2(total_hs_len);
825 hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
826 hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
827
828 return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
829}
830
831int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
832 unsigned hs_type,
833 unsigned char const *msg,
834 size_t msg_len)
835{
836 int ret;
837 ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
838 if (ret != 0) {
839 return ret;
840 }
841 return ssl->handshake->update_checksum(ssl, msg, msg_len);
842}
843
844int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
845{
846#if defined(MBEDTLS_MD_CAN_SHA256) || \
847 defined(MBEDTLS_MD_CAN_SHA384)
848#if defined(MBEDTLS_USE_PSA_CRYPTO)
849 psa_status_t status;
850#else
851 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
852#endif
853#else /* SHA-256 or SHA-384 */
854 ((void) ssl);
855#endif /* SHA-256 or SHA-384 */
856#if defined(MBEDTLS_MD_CAN_SHA256)
857#if defined(MBEDTLS_USE_PSA_CRYPTO)
858 status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
859 if (status != PSA_SUCCESS) {
860 return mbedtls_md_error_from_psa(status);
861 }
862 status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
863 if (status != PSA_SUCCESS) {
864 return mbedtls_md_error_from_psa(status);
865 }
866#else
867 mbedtls_md_free(&ssl->handshake->fin_sha256);
868 mbedtls_md_init(&ssl->handshake->fin_sha256);
869 ret = mbedtls_md_setup(&ssl->handshake->fin_sha256,
870 mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
871 0);
872 if (ret != 0) {
873 return ret;
874 }
875 ret = mbedtls_md_starts(&ssl->handshake->fin_sha256);
876 if (ret != 0) {
877 return ret;
878 }
879#endif
880#endif
881#if defined(MBEDTLS_MD_CAN_SHA384)
882#if defined(MBEDTLS_USE_PSA_CRYPTO)
883 status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
884 if (status != PSA_SUCCESS) {
885 return mbedtls_md_error_from_psa(status);
886 }
887 status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
888 if (status != PSA_SUCCESS) {
889 return mbedtls_md_error_from_psa(status);
890 }
891#else
892 mbedtls_md_free(&ssl->handshake->fin_sha384);
893 mbedtls_md_init(&ssl->handshake->fin_sha384);
894 ret = mbedtls_md_setup(&ssl->handshake->fin_sha384,
895 mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
896 if (ret != 0) {
897 return ret;
898 }
899 ret = mbedtls_md_starts(&ssl->handshake->fin_sha384);
900 if (ret != 0) {
901 return ret;
902 }
903#endif
904#endif
905 return 0;
906}
907
908static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
909 const unsigned char *buf, size_t len)
910{
911#if defined(MBEDTLS_MD_CAN_SHA256) || \
912 defined(MBEDTLS_MD_CAN_SHA384)
913#if defined(MBEDTLS_USE_PSA_CRYPTO)
914 psa_status_t status;
915#else
916 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
917#endif
918#else /* SHA-256 or SHA-384 */
919 ((void) ssl);
920 (void) buf;
921 (void) len;
922#endif /* SHA-256 or SHA-384 */
923#if defined(MBEDTLS_MD_CAN_SHA256)
924#if defined(MBEDTLS_USE_PSA_CRYPTO)
925 status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
926 if (status != PSA_SUCCESS) {
927 return mbedtls_md_error_from_psa(status);
928 }
929#else
930 ret = mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
931 if (ret != 0) {
932 return ret;
933 }
934#endif
935#endif
936#if defined(MBEDTLS_MD_CAN_SHA384)
937#if defined(MBEDTLS_USE_PSA_CRYPTO)
938 status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
939 if (status != PSA_SUCCESS) {
940 return mbedtls_md_error_from_psa(status);
941 }
942#else
943 ret = mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
944 if (ret != 0) {
945 return ret;
946 }
947#endif
948#endif
949 return 0;
950}
951
952#if defined(MBEDTLS_MD_CAN_SHA256)
953static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
954 const unsigned char *buf, size_t len)
955{
956#if defined(MBEDTLS_USE_PSA_CRYPTO)
957 return mbedtls_md_error_from_psa(psa_hash_update(
958 &ssl->handshake->fin_sha256_psa, buf, len));
959#else
960 return mbedtls_md_update(&ssl->handshake->fin_sha256, buf, len);
961#endif
962}
963#endif
964
965#if defined(MBEDTLS_MD_CAN_SHA384)
966static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
967 const unsigned char *buf, size_t len)
968{
969#if defined(MBEDTLS_USE_PSA_CRYPTO)
970 return mbedtls_md_error_from_psa(psa_hash_update(
971 &ssl->handshake->fin_sha384_psa, buf, len));
972#else
973 return mbedtls_md_update(&ssl->handshake->fin_sha384, buf, len);
974#endif
975}
976#endif
977
978static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
979{
980 memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
981
982#if defined(MBEDTLS_MD_CAN_SHA256)
983#if defined(MBEDTLS_USE_PSA_CRYPTO)
984 handshake->fin_sha256_psa = psa_hash_operation_init();
985#else
986 mbedtls_md_init(&handshake->fin_sha256);
987#endif
988#endif
989#if defined(MBEDTLS_MD_CAN_SHA384)
990#if defined(MBEDTLS_USE_PSA_CRYPTO)
991 handshake->fin_sha384_psa = psa_hash_operation_init();
992#else
993 mbedtls_md_init(&handshake->fin_sha384);
994#endif
995#endif
996
997 handshake->update_checksum = ssl_update_checksum_start;
998
999#if defined(MBEDTLS_DHM_C)
1000 mbedtls_dhm_init(&handshake->dhm_ctx);
1001#endif
1002#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
1003 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
1004 mbedtls_ecdh_init(&handshake->ecdh_ctx);
1005#endif
1006#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1007#if defined(MBEDTLS_USE_PSA_CRYPTO)
1008 handshake->psa_pake_ctx = psa_pake_operation_init();
1009 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
1010#else
1011 mbedtls_ecjpake_init(&handshake->ecjpake_ctx);
1012#endif /* MBEDTLS_USE_PSA_CRYPTO */
1013#if defined(MBEDTLS_SSL_CLI_C)
1014 handshake->ecjpake_cache = NULL;
1015 handshake->ecjpake_cache_len = 0;
1016#endif
1017#endif
1018
1019#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
1020 mbedtls_x509_crt_restart_init(&handshake->ecrs_ctx);
1021#endif
1022
1023#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1024 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
1025#endif
1026
1027#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
1028 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
1029 mbedtls_pk_init(&handshake->peer_pubkey);
1030#endif
1031}
1032
1033void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform)
1034{
1035 memset(transform, 0, sizeof(mbedtls_ssl_transform));
1036
1037#if defined(MBEDTLS_USE_PSA_CRYPTO)
1038 transform->psa_key_enc = MBEDTLS_SVC_KEY_ID_INIT;
1039 transform->psa_key_dec = MBEDTLS_SVC_KEY_ID_INIT;
1040#else
1041 mbedtls_cipher_init(&transform->cipher_ctx_enc);
1042 mbedtls_cipher_init(&transform->cipher_ctx_dec);
1043#endif
1044
1045#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1046#if defined(MBEDTLS_USE_PSA_CRYPTO)
1047 transform->psa_mac_enc = MBEDTLS_SVC_KEY_ID_INIT;
1048 transform->psa_mac_dec = MBEDTLS_SVC_KEY_ID_INIT;
1049#else
1050 mbedtls_md_init(&transform->md_ctx_enc);
1051 mbedtls_md_init(&transform->md_ctx_dec);
1052#endif
1053#endif
1054}
1055
1056void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
1057{
1058 memset(session, 0, sizeof(mbedtls_ssl_session));
1059 /* Set verify_result to -1u to indicate 'result not available'. */
1060 session->verify_result = 0xFFFFFFFF;
1061}
1062
1063MBEDTLS_CHECK_RETURN_CRITICAL
1064static int ssl_handshake_init(mbedtls_ssl_context *ssl)
1065{
1066 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1067
1068 /* Clear old handshake information if present */
1069#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1070 if (ssl->transform_negotiate) {
1071 mbedtls_ssl_transform_free(ssl->transform_negotiate);
1072 }
1073#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1074 if (ssl->session_negotiate) {
1075 mbedtls_ssl_session_free(ssl->session_negotiate);
1076 }
1077 if (ssl->handshake) {
1078 mbedtls_ssl_handshake_free(ssl);
1079 }
1080
1081#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1082 /*
1083 * Either the pointers are now NULL or cleared properly and can be freed.
1084 * Now allocate missing structures.
1085 */
1086 if (ssl->transform_negotiate == NULL) {
1087 ssl->transform_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_transform));
1088 }
1089#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1090
1091 if (ssl->session_negotiate == NULL) {
1092 ssl->session_negotiate = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
1093 }
1094
1095 if (ssl->handshake == NULL) {
1096 ssl->handshake = mbedtls_calloc(1, sizeof(mbedtls_ssl_handshake_params));
1097 }
1098#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1099 /* If the buffers are too small - reallocate */
1100
1101 handle_buffer_resizing(ssl, 0, MBEDTLS_SSL_IN_BUFFER_LEN,
1102 MBEDTLS_SSL_OUT_BUFFER_LEN);
1103#endif
1104
1105 /* All pointers should exist and can be directly freed without issue */
1106 if (ssl->handshake == NULL ||
1107#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1108 ssl->transform_negotiate == NULL ||
1109#endif
1110 ssl->session_negotiate == NULL) {
1111 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc() of ssl sub-contexts failed"));
1112
1113 mbedtls_free(ssl->handshake);
1114 ssl->handshake = NULL;
1115
1116#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1117 mbedtls_free(ssl->transform_negotiate);
1118 ssl->transform_negotiate = NULL;
1119#endif
1120
1121 mbedtls_free(ssl->session_negotiate);
1122 ssl->session_negotiate = NULL;
1123
1124 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1125 }
1126
1127#if defined(MBEDTLS_SSL_EARLY_DATA)
1128#if defined(MBEDTLS_SSL_CLI_C)
1129 ssl->early_data_state = MBEDTLS_SSL_EARLY_DATA_STATE_IDLE;
1130#endif
1131#if defined(MBEDTLS_SSL_SRV_C)
1132 ssl->discard_early_data_record = MBEDTLS_SSL_EARLY_DATA_NO_DISCARD;
1133#endif
1134 ssl->total_early_data_size = 0;
1135#endif /* MBEDTLS_SSL_EARLY_DATA */
1136
1137 /* Initialize structures */
1138 mbedtls_ssl_session_init(ssl->session_negotiate);
1139 ssl_handshake_params_init(ssl->handshake);
1140
1141#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1142 mbedtls_ssl_transform_init(ssl->transform_negotiate);
1143#endif
1144
1145 /* Setup handshake checksums */
1146 ret = mbedtls_ssl_reset_checksum(ssl);
1147 if (ret != 0) {
1148 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
1149 return ret;
1150 }
1151
1152#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
1153 defined(MBEDTLS_SSL_SRV_C) && \
1154 defined(MBEDTLS_SSL_SESSION_TICKETS)
1155 ssl->handshake->new_session_tickets_count =
1156 ssl->conf->new_session_tickets_count;
1157#endif
1158
1159#if defined(MBEDTLS_SSL_PROTO_DTLS)
1160 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1161 ssl->handshake->alt_transform_out = ssl->transform_out;
1162
1163 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
1164 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
1165 } else {
1166 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
1167 }
1168
1169 mbedtls_ssl_set_timer(ssl, 0);
1170 }
1171#endif
1172
1173/*
1174 * curve_list is translated to IANA TLS group identifiers here because
1175 * mbedtls_ssl_conf_curves returns void and so can't return
1176 * any error codes.
1177 */
1178#if defined(MBEDTLS_ECP_C)
1179#if !defined(MBEDTLS_DEPRECATED_REMOVED)
1180 /* Heap allocate and translate curve_list from internal to IANA group ids */
1181 if (ssl->conf->curve_list != NULL) {
1182 size_t length;
1183 const mbedtls_ecp_group_id *curve_list = ssl->conf->curve_list;
1184
1185 for (length = 0; (curve_list[length] != MBEDTLS_ECP_DP_NONE); length++) {
1186 }
1187
1188 /* Leave room for zero termination */
1189 uint16_t *group_list = mbedtls_calloc(length + 1, sizeof(uint16_t));
1190 if (group_list == NULL) {
1191 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1192 }
1193
1194 for (size_t i = 0; i < length; i++) {
1195 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(
1196 curve_list[i]);
1197 if (tls_id == 0) {
1198 mbedtls_free(group_list);
1199 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1200 }
1201 group_list[i] = tls_id;
1202 }
1203
1204 group_list[length] = 0;
1205
1206 ssl->handshake->group_list = group_list;
1207 ssl->handshake->group_list_heap_allocated = 1;
1208 } else {
1209 ssl->handshake->group_list = ssl->conf->group_list;
1210 ssl->handshake->group_list_heap_allocated = 0;
1211 }
1212#endif /* MBEDTLS_DEPRECATED_REMOVED */
1213#endif /* MBEDTLS_ECP_C */
1214
1215#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1216#if !defined(MBEDTLS_DEPRECATED_REMOVED)
1217#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1218 /* Heap allocate and translate sig_hashes from internal hash identifiers to
1219 signature algorithms IANA identifiers. */
1220 if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) &&
1221 ssl->conf->sig_hashes != NULL) {
1222 const int *md;
1223 const int *sig_hashes = ssl->conf->sig_hashes;
1224 size_t sig_algs_len = 0;
1225 uint16_t *p;
1226
1227 MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN
1228 <= (SIZE_MAX - (2 * sizeof(uint16_t))),
1229 "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big");
1230
1231 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1232 if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
1233 continue;
1234 }
1235#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1236 sig_algs_len += sizeof(uint16_t);
1237#endif
1238
1239#if defined(MBEDTLS_RSA_C)
1240 sig_algs_len += sizeof(uint16_t);
1241#endif
1242 if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) {
1243 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1244 }
1245 }
1246
1247 if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) {
1248 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1249 }
1250
1251 ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len +
1252 sizeof(uint16_t));
1253 if (ssl->handshake->sig_algs == NULL) {
1254 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1255 }
1256
1257 p = (uint16_t *) ssl->handshake->sig_algs;
1258 for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) {
1259 unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md);
1260 if (hash == MBEDTLS_SSL_HASH_NONE) {
1261 continue;
1262 }
1263#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
1264 *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
1265 p++;
1266#endif
1267#if defined(MBEDTLS_RSA_C)
1268 *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA);
1269 p++;
1270#endif
1271 }
1272 *p = MBEDTLS_TLS_SIG_NONE;
1273 ssl->handshake->sig_algs_heap_allocated = 1;
1274 } else
1275#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1276 {
1277 ssl->handshake->sig_algs_heap_allocated = 0;
1278 }
1279#endif /* !MBEDTLS_DEPRECATED_REMOVED */
1280#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
1281 return 0;
1282}
1283
1284#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1285/* Dummy cookie callbacks for defaults */
1286MBEDTLS_CHECK_RETURN_CRITICAL
1287static int ssl_cookie_write_dummy(void *ctx,
1288 unsigned char **p, unsigned char *end,
1289 const unsigned char *cli_id, size_t cli_id_len)
1290{
1291 ((void) ctx);
1292 ((void) p);
1293 ((void) end);
1294 ((void) cli_id);
1295 ((void) cli_id_len);
1296
1297 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1298}
1299
1300MBEDTLS_CHECK_RETURN_CRITICAL
1301static int ssl_cookie_check_dummy(void *ctx,
1302 const unsigned char *cookie, size_t cookie_len,
1303 const unsigned char *cli_id, size_t cli_id_len)
1304{
1305 ((void) ctx);
1306 ((void) cookie);
1307 ((void) cookie_len);
1308 ((void) cli_id);
1309 ((void) cli_id_len);
1310
1311 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1312}
1313#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
1314
1315/*
1316 * Initialize an SSL context
1317 */
1318void mbedtls_ssl_init(mbedtls_ssl_context *ssl)
1319{
1320 memset(ssl, 0, sizeof(mbedtls_ssl_context));
1321}
1322
1323MBEDTLS_CHECK_RETURN_CRITICAL
1324static int ssl_conf_version_check(const mbedtls_ssl_context *ssl)
1325{
1326 const mbedtls_ssl_config *conf = ssl->conf;
1327
1328#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1329 if (mbedtls_ssl_conf_is_tls13_only(conf)) {
1330 if (conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1331 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS 1.3 is not yet supported."));
1332 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1333 }
1334
1335 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls13 only."));
1336 return 0;
1337 }
1338#endif
1339
1340#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1341 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
1342 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is tls12 only."));
1343 return 0;
1344 }
1345#endif
1346
1347#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
1348 if (mbedtls_ssl_conf_is_hybrid_tls12_tls13(conf)) {
1349 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1350 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS not yet supported in Hybrid TLS 1.3 + TLS 1.2"));
1351 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1352 }
1353
1354 MBEDTLS_SSL_DEBUG_MSG(4, ("The SSL configuration is TLS 1.3 or TLS 1.2."));
1355 return 0;
1356 }
1357#endif
1358
1359 MBEDTLS_SSL_DEBUG_MSG(1, ("The SSL configuration is invalid."));
1360 return MBEDTLS_ERR_SSL_BAD_CONFIG;
1361}
1362
1363MBEDTLS_CHECK_RETURN_CRITICAL
1364static int ssl_conf_check(const mbedtls_ssl_context *ssl)
1365{
1366 int ret;
1367 ret = ssl_conf_version_check(ssl);
1368 if (ret != 0) {
1369 return ret;
1370 }
1371
1372 if (ssl->conf->f_rng == NULL) {
1373 MBEDTLS_SSL_DEBUG_MSG(1, ("no RNG provided"));
1374 return MBEDTLS_ERR_SSL_NO_RNG;
1375 }
1376
1377 /* Space for further checks */
1378
1379 return 0;
1380}
1381
1382/*
1383 * Setup an SSL context
1384 */
1385
1386int mbedtls_ssl_setup(mbedtls_ssl_context *ssl,
1387 const mbedtls_ssl_config *conf)
1388{
1389 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1390 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1391 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1392
1393 ssl->conf = conf;
1394
1395 if ((ret = ssl_conf_check(ssl)) != 0) {
1396 return ret;
1397 }
1398 ssl->tls_version = ssl->conf->max_tls_version;
1399
1400 /*
1401 * Prepare base structures
1402 */
1403
1404 /* Set to NULL in case of an error condition */
1405 ssl->out_buf = NULL;
1406
1407#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1408 ssl->in_buf_len = in_buf_len;
1409#endif
1410 ssl->in_buf = mbedtls_calloc(1, in_buf_len);
1411 if (ssl->in_buf == NULL) {
1412 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", in_buf_len));
1413 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1414 goto error;
1415 }
1416
1417#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1418 ssl->out_buf_len = out_buf_len;
1419#endif
1420 ssl->out_buf = mbedtls_calloc(1, out_buf_len);
1421 if (ssl->out_buf == NULL) {
1422 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed", out_buf_len));
1423 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
1424 goto error;
1425 }
1426
1427 mbedtls_ssl_reset_in_pointers(ssl);
1428 mbedtls_ssl_reset_out_pointers(ssl);
1429
1430#if defined(MBEDTLS_SSL_DTLS_SRTP)
1431 memset(&ssl->dtls_srtp_info, 0, sizeof(ssl->dtls_srtp_info));
1432#endif
1433
1434 if ((ret = ssl_handshake_init(ssl)) != 0) {
1435 goto error;
1436 }
1437
1438 return 0;
1439
1440error:
1441 mbedtls_free(ssl->in_buf);
1442 mbedtls_free(ssl->out_buf);
1443
1444 ssl->conf = NULL;
1445
1446#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1447 ssl->in_buf_len = 0;
1448 ssl->out_buf_len = 0;
1449#endif
1450 ssl->in_buf = NULL;
1451 ssl->out_buf = NULL;
1452
1453 ssl->in_hdr = NULL;
1454 ssl->in_ctr = NULL;
1455 ssl->in_len = NULL;
1456 ssl->in_iv = NULL;
1457 ssl->in_msg = NULL;
1458
1459 ssl->out_hdr = NULL;
1460 ssl->out_ctr = NULL;
1461 ssl->out_len = NULL;
1462 ssl->out_iv = NULL;
1463 ssl->out_msg = NULL;
1464
1465 return ret;
1466}
1467
1468/*
1469 * Reset an initialized and used SSL context for re-use while retaining
1470 * all application-set variables, function pointers and data.
1471 *
1472 * If partial is non-zero, keep data in the input buffer and client ID.
1473 * (Use when a DTLS client reconnects from the same port.)
1474 */
1475void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1476 int partial)
1477{
1478#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1479 size_t in_buf_len = ssl->in_buf_len;
1480 size_t out_buf_len = ssl->out_buf_len;
1481#else
1482 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1483 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
1484#endif
1485
1486#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || !defined(MBEDTLS_SSL_SRV_C)
1487 partial = 0;
1488#endif
1489
1490 /* Cancel any possibly running timer */
1491 mbedtls_ssl_set_timer(ssl, 0);
1492
1493 mbedtls_ssl_reset_in_pointers(ssl);
1494 mbedtls_ssl_reset_out_pointers(ssl);
1495
1496 /* Reset incoming message parsing */
1497 ssl->in_offt = NULL;
1498 ssl->nb_zero = 0;
1499 ssl->in_msgtype = 0;
1500 ssl->in_msglen = 0;
1501 ssl->in_hslen = 0;
1502 ssl->keep_current_message = 0;
1503 ssl->transform_in = NULL;
1504
1505 /* TLS: reset in_hsfraglen, which is part of message parsing.
1506 * DTLS: on a client reconnect, don't reset badmac_seen. */
1507 if (!partial) {
1508 ssl->badmac_seen_or_in_hsfraglen = 0;
1509 }
1510
1511#if defined(MBEDTLS_SSL_PROTO_DTLS)
1512 ssl->next_record_offset = 0;
1513 ssl->in_epoch = 0;
1514#endif
1515
1516 /* Keep current datagram if partial == 1 */
1517 if (partial == 0) {
1518 ssl->in_left = 0;
1519 memset(ssl->in_buf, 0, in_buf_len);
1520 }
1521
1522 ssl->send_alert = 0;
1523
1524 /* Reset outgoing message writing */
1525 ssl->out_msgtype = 0;
1526 ssl->out_msglen = 0;
1527 ssl->out_left = 0;
1528 memset(ssl->out_buf, 0, out_buf_len);
1529 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
1530 ssl->transform_out = NULL;
1531
1532#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1533 mbedtls_ssl_dtls_replay_reset(ssl);
1534#endif
1535
1536#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1537 if (ssl->transform) {
1538 mbedtls_ssl_transform_free(ssl->transform);
1539 mbedtls_free(ssl->transform);
1540 ssl->transform = NULL;
1541 }
1542#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1543
1544#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1545 mbedtls_ssl_transform_free(ssl->transform_application);
1546 mbedtls_free(ssl->transform_application);
1547 ssl->transform_application = NULL;
1548
1549 if (ssl->handshake != NULL) {
1550#if defined(MBEDTLS_SSL_EARLY_DATA)
1551 mbedtls_ssl_transform_free(ssl->handshake->transform_earlydata);
1552 mbedtls_free(ssl->handshake->transform_earlydata);
1553 ssl->handshake->transform_earlydata = NULL;
1554#endif
1555
1556 mbedtls_ssl_transform_free(ssl->handshake->transform_handshake);
1557 mbedtls_free(ssl->handshake->transform_handshake);
1558 ssl->handshake->transform_handshake = NULL;
1559 }
1560
1561#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1562}
1563
1564int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial)
1565{
1566 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1567
1568 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
1569 ssl->tls_version = ssl->conf->max_tls_version;
1570
1571 mbedtls_ssl_session_reset_msg_layer(ssl, partial);
1572
1573 /* Reset renegotiation state */
1574#if defined(MBEDTLS_SSL_RENEGOTIATION)
1575 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
1576 ssl->renego_records_seen = 0;
1577
1578 ssl->verify_data_len = 0;
1579 memset(ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1580 memset(ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN);
1581#endif
1582 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
1583
1584 ssl->session_in = NULL;
1585 ssl->session_out = NULL;
1586 if (ssl->session) {
1587 mbedtls_ssl_session_free(ssl->session);
1588 mbedtls_free(ssl->session);
1589 ssl->session = NULL;
1590 }
1591
1592#if defined(MBEDTLS_SSL_ALPN)
1593 ssl->alpn_chosen = NULL;
1594#endif
1595
1596#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
1597 int free_cli_id = 1;
1598#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
1599 free_cli_id = (partial == 0);
1600#endif
1601 if (free_cli_id) {
1602 mbedtls_free(ssl->cli_id);
1603 ssl->cli_id = NULL;
1604 ssl->cli_id_len = 0;
1605 }
1606#endif
1607
1608 if ((ret = ssl_handshake_init(ssl)) != 0) {
1609 return ret;
1610 }
1611
1612 return 0;
1613}
1614
1615/*
1616 * Reset an initialized and used SSL context for re-use while retaining
1617 * all application-set variables, function pointers and data.
1618 */
1619int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
1620{
1621 return mbedtls_ssl_session_reset_int(ssl, 0);
1622}
1623
1624/*
1625 * SSL set accessors
1626 */
1627void mbedtls_ssl_conf_endpoint(mbedtls_ssl_config *conf, int endpoint)
1628{
1629 conf->endpoint = endpoint;
1630}
1631
1632void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
1633{
1634 conf->transport = transport;
1635}
1636
1637#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1638void mbedtls_ssl_conf_dtls_anti_replay(mbedtls_ssl_config *conf, char mode)
1639{
1640 conf->anti_replay = mode;
1641}
1642#endif
1643
1644void mbedtls_ssl_conf_dtls_badmac_limit(mbedtls_ssl_config *conf, unsigned limit)
1645{
1646 conf->badmac_limit = limit;
1647}
1648
1649#if defined(MBEDTLS_SSL_PROTO_DTLS)
1650
1651void mbedtls_ssl_set_datagram_packing(mbedtls_ssl_context *ssl,
1652 unsigned allow_packing)
1653{
1654 ssl->disable_datagram_packing = !allow_packing;
1655}
1656
1657void mbedtls_ssl_conf_handshake_timeout(mbedtls_ssl_config *conf,
1658 uint32_t min, uint32_t max)
1659{
1660 conf->hs_timeout_min = min;
1661 conf->hs_timeout_max = max;
1662}
1663#endif
1664
1665void mbedtls_ssl_conf_authmode(mbedtls_ssl_config *conf, int authmode)
1666{
1667 conf->authmode = authmode;
1668}
1669
1670#if defined(MBEDTLS_X509_CRT_PARSE_C)
1671void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf,
1672 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1673 void *p_vrfy)
1674{
1675 conf->f_vrfy = f_vrfy;
1676 conf->p_vrfy = p_vrfy;
1677}
1678#endif /* MBEDTLS_X509_CRT_PARSE_C */
1679
1680void mbedtls_ssl_conf_rng(mbedtls_ssl_config *conf,
1681 int (*f_rng)(void *, unsigned char *, size_t),
1682 void *p_rng)
1683{
1684 conf->f_rng = f_rng;
1685 conf->p_rng = p_rng;
1686}
1687
1688void mbedtls_ssl_conf_dbg(mbedtls_ssl_config *conf,
1689 void (*f_dbg)(void *, int, const char *, int, const char *),
1690 void *p_dbg)
1691{
1692 conf->f_dbg = f_dbg;
1693 conf->p_dbg = p_dbg;
1694}
1695
1696void mbedtls_ssl_set_bio(mbedtls_ssl_context *ssl,
1697 void *p_bio,
1698 mbedtls_ssl_send_t *f_send,
1699 mbedtls_ssl_recv_t *f_recv,
1700 mbedtls_ssl_recv_timeout_t *f_recv_timeout)
1701{
1702 ssl->p_bio = p_bio;
1703 ssl->f_send = f_send;
1704 ssl->f_recv = f_recv;
1705 ssl->f_recv_timeout = f_recv_timeout;
1706}
1707
1708#if defined(MBEDTLS_SSL_PROTO_DTLS)
1709void mbedtls_ssl_set_mtu(mbedtls_ssl_context *ssl, uint16_t mtu)
1710{
1711 ssl->mtu = mtu;
1712}
1713#endif
1714
1715void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
1716{
1717 conf->read_timeout = timeout;
1718}
1719
1720void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl,
1721 void *p_timer,
1722 mbedtls_ssl_set_timer_t *f_set_timer,
1723 mbedtls_ssl_get_timer_t *f_get_timer)
1724{
1725 ssl->p_timer = p_timer;
1726 ssl->f_set_timer = f_set_timer;
1727 ssl->f_get_timer = f_get_timer;
1728
1729 /* Make sure we start with no timer running */
1730 mbedtls_ssl_set_timer(ssl, 0);
1731}
1732
1733#if defined(MBEDTLS_SSL_SRV_C)
1734void mbedtls_ssl_conf_session_cache(mbedtls_ssl_config *conf,
1735 void *p_cache,
1736 mbedtls_ssl_cache_get_t *f_get_cache,
1737 mbedtls_ssl_cache_set_t *f_set_cache)
1738{
1739 conf->p_cache = p_cache;
1740 conf->f_get_cache = f_get_cache;
1741 conf->f_set_cache = f_set_cache;
1742}
1743#endif /* MBEDTLS_SSL_SRV_C */
1744
1745#if defined(MBEDTLS_SSL_CLI_C)
1746int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
1747{
1748 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1749
1750 if (ssl == NULL ||
1751 session == NULL ||
1752 ssl->session_negotiate == NULL ||
1753 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
1754 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1755 }
1756
1757 if (ssl->handshake->resume == 1) {
1758 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
1759 }
1760
1761#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1762 if (session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
1763#if defined(MBEDTLS_SSL_SESSION_TICKETS)
1764 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
1765 mbedtls_ssl_ciphersuite_from_id(session->ciphersuite);
1766
1767 if (mbedtls_ssl_validate_ciphersuite(
1768 ssl, ciphersuite_info, MBEDTLS_SSL_VERSION_TLS1_3,
1769 MBEDTLS_SSL_VERSION_TLS1_3) != 0) {
1770 MBEDTLS_SSL_DEBUG_MSG(4, ("%d is not a valid TLS 1.3 ciphersuite.",
1771 session->ciphersuite));
1772 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1773 }
1774#else
1775 /*
1776 * If session tickets are not enabled, it is not possible to resume a
1777 * TLS 1.3 session, thus do not make any change to the SSL context in
1778 * the first place.
1779 */
1780 return 0;
1781#endif
1782 }
1783#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1784
1785 if ((ret = mbedtls_ssl_session_copy(ssl->session_negotiate,
1786 session)) != 0) {
1787 return ret;
1788 }
1789
1790 ssl->handshake->resume = 1;
1791
1792 return 0;
1793}
1794#endif /* MBEDTLS_SSL_CLI_C */
1795
1796void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf,
1797 const int *ciphersuites)
1798{
1799 conf->ciphersuite_list = ciphersuites;
1800}
1801
1802#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1803void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf,
1804 const int kex_modes)
1805{
1806 conf->tls13_kex_modes = kex_modes & MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
1807}
1808
1809#if defined(MBEDTLS_SSL_EARLY_DATA)
1810void mbedtls_ssl_conf_early_data(mbedtls_ssl_config *conf,
1811 int early_data_enabled)
1812{
1813 conf->early_data_enabled = early_data_enabled;
1814}
1815
1816#if defined(MBEDTLS_SSL_SRV_C)
1817void mbedtls_ssl_conf_max_early_data_size(
1818 mbedtls_ssl_config *conf, uint32_t max_early_data_size)
1819{
1820 conf->max_early_data_size = max_early_data_size;
1821}
1822#endif /* MBEDTLS_SSL_SRV_C */
1823
1824#endif /* MBEDTLS_SSL_EARLY_DATA */
1825#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1826
1827#if defined(MBEDTLS_X509_CRT_PARSE_C)
1828void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf,
1829 const mbedtls_x509_crt_profile *profile)
1830{
1831 conf->cert_profile = profile;
1832}
1833
1834static void ssl_key_cert_free(mbedtls_ssl_key_cert *key_cert)
1835{
1836 mbedtls_ssl_key_cert *cur = key_cert, *next;
1837
1838 while (cur != NULL) {
1839 next = cur->next;
1840 mbedtls_free(cur);
1841 cur = next;
1842 }
1843}
1844
1845/* Append a new keycert entry to a (possibly empty) list */
1846MBEDTLS_CHECK_RETURN_CRITICAL
1847static int ssl_append_key_cert(mbedtls_ssl_key_cert **head,
1848 mbedtls_x509_crt *cert,
1849 mbedtls_pk_context *key)
1850{
1851 mbedtls_ssl_key_cert *new_cert;
1852
1853 if (cert == NULL) {
1854 /* Free list if cert is null */
1855 ssl_key_cert_free(*head);
1856 *head = NULL;
1857 return 0;
1858 }
1859
1860 new_cert = mbedtls_calloc(1, sizeof(mbedtls_ssl_key_cert));
1861 if (new_cert == NULL) {
1862 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1863 }
1864
1865 new_cert->cert = cert;
1866 new_cert->key = key;
1867 new_cert->next = NULL;
1868
1869 /* Update head if the list was null, else add to the end */
1870 if (*head == NULL) {
1871 *head = new_cert;
1872 } else {
1873 mbedtls_ssl_key_cert *cur = *head;
1874 while (cur->next != NULL) {
1875 cur = cur->next;
1876 }
1877 cur->next = new_cert;
1878 }
1879
1880 return 0;
1881}
1882
1883int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf,
1884 mbedtls_x509_crt *own_cert,
1885 mbedtls_pk_context *pk_key)
1886{
1887 return ssl_append_key_cert(&conf->key_cert, own_cert, pk_key);
1888}
1889
1890void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf,
1891 mbedtls_x509_crt *ca_chain,
1892 mbedtls_x509_crl *ca_crl)
1893{
1894 conf->ca_chain = ca_chain;
1895 conf->ca_crl = ca_crl;
1896
1897#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1898 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1899 * cannot be used together. */
1900 conf->f_ca_cb = NULL;
1901 conf->p_ca_cb = NULL;
1902#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1903}
1904
1905#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1906void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf,
1907 mbedtls_x509_crt_ca_cb_t f_ca_cb,
1908 void *p_ca_cb)
1909{
1910 conf->f_ca_cb = f_ca_cb;
1911 conf->p_ca_cb = p_ca_cb;
1912
1913 /* mbedtls_ssl_conf_ca_chain() and mbedtls_ssl_conf_ca_cb()
1914 * cannot be used together. */
1915 conf->ca_chain = NULL;
1916 conf->ca_crl = NULL;
1917}
1918#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
1919#endif /* MBEDTLS_X509_CRT_PARSE_C */
1920
1921#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1922const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl,
1923 size_t *name_len)
1924{
1925 *name_len = ssl->handshake->sni_name_len;
1926 return ssl->handshake->sni_name;
1927}
1928
1929int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl,
1930 mbedtls_x509_crt *own_cert,
1931 mbedtls_pk_context *pk_key)
1932{
1933 return ssl_append_key_cert(&ssl->handshake->sni_key_cert,
1934 own_cert, pk_key);
1935}
1936
1937void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl,
1938 mbedtls_x509_crt *ca_chain,
1939 mbedtls_x509_crl *ca_crl)
1940{
1941 ssl->handshake->sni_ca_chain = ca_chain;
1942 ssl->handshake->sni_ca_crl = ca_crl;
1943}
1944
1945#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
1946void mbedtls_ssl_set_hs_dn_hints(mbedtls_ssl_context *ssl,
1947 const mbedtls_x509_crt *crt)
1948{
1949 ssl->handshake->dn_hints = crt;
1950}
1951#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
1952
1953void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl,
1954 int authmode)
1955{
1956 ssl->handshake->sni_authmode = authmode;
1957}
1958#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1959
1960#if defined(MBEDTLS_X509_CRT_PARSE_C)
1961void mbedtls_ssl_set_verify(mbedtls_ssl_context *ssl,
1962 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
1963 void *p_vrfy)
1964{
1965 ssl->f_vrfy = f_vrfy;
1966 ssl->p_vrfy = p_vrfy;
1967}
1968#endif
1969
1970#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
1971
1972#if defined(MBEDTLS_USE_PSA_CRYPTO)
1973static const uint8_t jpake_server_id[] = { 's', 'e', 'r', 'v', 'e', 'r' };
1974static const uint8_t jpake_client_id[] = { 'c', 'l', 'i', 'e', 'n', 't' };
1975
1976static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
1977 mbedtls_ssl_context *ssl,
1978 mbedtls_svc_key_id_t pwd)
1979{
1980 psa_status_t status;
1981 psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init();
1982 const uint8_t *user = NULL;
1983 size_t user_len = 0;
1984 const uint8_t *peer = NULL;
1985 size_t peer_len = 0;
1986 psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
1987 psa_pake_cs_set_primitive(&cipher_suite,
1988 PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC,
1989 PSA_ECC_FAMILY_SECP_R1,
1990 256));
1991 psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
1992
1993 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite);
1994 if (status != PSA_SUCCESS) {
1995 return status;
1996 }
1997
1998 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
1999 user = jpake_server_id;
2000 user_len = sizeof(jpake_server_id);
2001 peer = jpake_client_id;
2002 peer_len = sizeof(jpake_client_id);
2003 } else {
2004 user = jpake_client_id;
2005 user_len = sizeof(jpake_client_id);
2006 peer = jpake_server_id;
2007 peer_len = sizeof(jpake_server_id);
2008 }
2009
2010 status = psa_pake_set_user(&ssl->handshake->psa_pake_ctx, user, user_len);
2011 if (status != PSA_SUCCESS) {
2012 return status;
2013 }
2014
2015 status = psa_pake_set_peer(&ssl->handshake->psa_pake_ctx, peer, peer_len);
2016 if (status != PSA_SUCCESS) {
2017 return status;
2018 }
2019
2020 status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd);
2021 if (status != PSA_SUCCESS) {
2022 return status;
2023 }
2024
2025 ssl->handshake->psa_pake_ctx_is_ok = 1;
2026
2027 return PSA_SUCCESS;
2028}
2029
2030int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2031 const unsigned char *pw,
2032 size_t pw_len)
2033{
2034 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
2035 psa_status_t status;
2036
2037 if (ssl->handshake == NULL || ssl->conf == NULL) {
2038 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2039 }
2040
2041 /* Empty password is not valid */
2042 if ((pw == NULL) || (pw_len == 0)) {
2043 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2044 }
2045
2046 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
2047 psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
2048 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
2049
2050 status = psa_import_key(&attributes, pw, pw_len,
2051 &ssl->handshake->psa_pake_password);
2052 if (status != PSA_SUCCESS) {
2053 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2054 }
2055
2056 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl,
2057 ssl->handshake->psa_pake_password);
2058 if (status != PSA_SUCCESS) {
2059 psa_destroy_key(ssl->handshake->psa_pake_password);
2060 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2061 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2062 }
2063
2064 return 0;
2065}
2066
2067int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl,
2068 mbedtls_svc_key_id_t pwd)
2069{
2070 psa_status_t status;
2071
2072 if (ssl->handshake == NULL || ssl->conf == NULL) {
2073 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2074 }
2075
2076 if (mbedtls_svc_key_id_is_null(pwd)) {
2077 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2078 }
2079
2080 status = mbedtls_ssl_set_hs_ecjpake_password_common(ssl, pwd);
2081 if (status != PSA_SUCCESS) {
2082 psa_pake_abort(&ssl->handshake->psa_pake_ctx);
2083 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2084 }
2085
2086 return 0;
2087}
2088#else /* MBEDTLS_USE_PSA_CRYPTO */
2089int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
2090 const unsigned char *pw,
2091 size_t pw_len)
2092{
2093 mbedtls_ecjpake_role role;
2094
2095 if (ssl->handshake == NULL || ssl->conf == NULL) {
2096 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2097 }
2098
2099 /* Empty password is not valid */
2100 if ((pw == NULL) || (pw_len == 0)) {
2101 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2102 }
2103
2104 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
2105 role = MBEDTLS_ECJPAKE_SERVER;
2106 } else {
2107 role = MBEDTLS_ECJPAKE_CLIENT;
2108 }
2109
2110 return mbedtls_ecjpake_setup(&ssl->handshake->ecjpake_ctx,
2111 role,
2112 MBEDTLS_MD_SHA256,
2113 MBEDTLS_ECP_DP_SECP256R1,
2114 pw, pw_len);
2115}
2116#endif /* MBEDTLS_USE_PSA_CRYPTO */
2117#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2118
2119#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
2120int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf)
2121{
2122 if (conf->psk_identity == NULL ||
2123 conf->psk_identity_len == 0) {
2124 return 0;
2125 }
2126
2127#if defined(MBEDTLS_USE_PSA_CRYPTO)
2128 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2129 return 1;
2130 }
2131#endif /* MBEDTLS_USE_PSA_CRYPTO */
2132
2133 if (conf->psk != NULL && conf->psk_len != 0) {
2134 return 1;
2135 }
2136
2137 return 0;
2138}
2139
2140static void ssl_conf_remove_psk(mbedtls_ssl_config *conf)
2141{
2142 /* Remove reference to existing PSK, if any. */
2143#if defined(MBEDTLS_USE_PSA_CRYPTO)
2144 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
2145 /* The maintenance of the PSK key slot is the
2146 * user's responsibility. */
2147 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2148 }
2149#endif /* MBEDTLS_USE_PSA_CRYPTO */
2150 if (conf->psk != NULL) {
2151 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
2152 conf->psk = NULL;
2153 conf->psk_len = 0;
2154 }
2155
2156 /* Remove reference to PSK identity, if any. */
2157 if (conf->psk_identity != NULL) {
2158 mbedtls_free(conf->psk_identity);
2159 conf->psk_identity = NULL;
2160 conf->psk_identity_len = 0;
2161 }
2162}
2163
2164/* This function assumes that PSK identity in the SSL config is unset.
2165 * It checks that the provided identity is well-formed and attempts
2166 * to make a copy of it in the SSL config.
2167 * On failure, the PSK identity in the config remains unset. */
2168MBEDTLS_CHECK_RETURN_CRITICAL
2169static int ssl_conf_set_psk_identity(mbedtls_ssl_config *conf,
2170 unsigned char const *psk_identity,
2171 size_t psk_identity_len)
2172{
2173 /* Identity len will be encoded on two bytes */
2174 if (psk_identity == NULL ||
2175 psk_identity_len == 0 ||
2176 (psk_identity_len >> 16) != 0 ||
2177 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN) {
2178 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2179 }
2180
2181 conf->psk_identity = mbedtls_calloc(1, psk_identity_len);
2182 if (conf->psk_identity == NULL) {
2183 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2184 }
2185
2186 conf->psk_identity_len = psk_identity_len;
2187 memcpy(conf->psk_identity, psk_identity, conf->psk_identity_len);
2188
2189 return 0;
2190}
2191
2192int mbedtls_ssl_conf_psk(mbedtls_ssl_config *conf,
2193 const unsigned char *psk, size_t psk_len,
2194 const unsigned char *psk_identity, size_t psk_identity_len)
2195{
2196 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2197
2198 /* We currently only support one PSK, raw or opaque. */
2199 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2200 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2201 }
2202
2203 /* Check and set raw PSK */
2204 if (psk == NULL) {
2205 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2206 }
2207 if (psk_len == 0) {
2208 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2209 }
2210 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2211 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2212 }
2213
2214 if ((conf->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2215 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2216 }
2217 conf->psk_len = psk_len;
2218 memcpy(conf->psk, psk, conf->psk_len);
2219
2220 /* Check and set PSK Identity */
2221 ret = ssl_conf_set_psk_identity(conf, psk_identity, psk_identity_len);
2222 if (ret != 0) {
2223 ssl_conf_remove_psk(conf);
2224 }
2225
2226 return ret;
2227}
2228
2229static void ssl_remove_psk(mbedtls_ssl_context *ssl)
2230{
2231#if defined(MBEDTLS_USE_PSA_CRYPTO)
2232 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
2233 /* The maintenance of the external PSK key slot is the
2234 * user's responsibility. */
2235 if (ssl->handshake->psk_opaque_is_internal) {
2236 psa_destroy_key(ssl->handshake->psk_opaque);
2237 ssl->handshake->psk_opaque_is_internal = 0;
2238 }
2239 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
2240 }
2241#else
2242 if (ssl->handshake->psk != NULL) {
2243 mbedtls_zeroize_and_free(ssl->handshake->psk,
2244 ssl->handshake->psk_len);
2245 ssl->handshake->psk_len = 0;
2246 ssl->handshake->psk = NULL;
2247 }
2248#endif /* MBEDTLS_USE_PSA_CRYPTO */
2249}
2250
2251int mbedtls_ssl_set_hs_psk(mbedtls_ssl_context *ssl,
2252 const unsigned char *psk, size_t psk_len)
2253{
2254#if defined(MBEDTLS_USE_PSA_CRYPTO)
2255 psa_key_attributes_t key_attributes = psa_key_attributes_init();
2256 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
2257 psa_algorithm_t alg = PSA_ALG_NONE;
2258 mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
2259#endif /* MBEDTLS_USE_PSA_CRYPTO */
2260
2261 if (psk == NULL || ssl->handshake == NULL) {
2262 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2263 }
2264
2265 if (psk_len > MBEDTLS_PSK_MAX_LEN) {
2266 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2267 }
2268
2269 ssl_remove_psk(ssl);
2270
2271#if defined(MBEDTLS_USE_PSA_CRYPTO)
2272#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2273 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2274 if (ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
2275 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
2276 } else {
2277 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
2278 }
2279 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
2280 }
2281#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2282
2283#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2284 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2285 alg = PSA_ALG_HKDF_EXTRACT(PSA_ALG_ANY_HASH);
2286 psa_set_key_usage_flags(&key_attributes,
2287 PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT);
2288 }
2289#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2290
2291 psa_set_key_algorithm(&key_attributes, alg);
2292 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
2293
2294 status = psa_import_key(&key_attributes, psk, psk_len, &key);
2295 if (status != PSA_SUCCESS) {
2296 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
2297 }
2298
2299 /* Allow calling psa_destroy_key() on psk remove */
2300 ssl->handshake->psk_opaque_is_internal = 1;
2301 return mbedtls_ssl_set_hs_psk_opaque(ssl, key);
2302#else
2303 if ((ssl->handshake->psk = mbedtls_calloc(1, psk_len)) == NULL) {
2304 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2305 }
2306
2307 ssl->handshake->psk_len = psk_len;
2308 memcpy(ssl->handshake->psk, psk, ssl->handshake->psk_len);
2309
2310 return 0;
2311#endif /* MBEDTLS_USE_PSA_CRYPTO */
2312}
2313
2314#if defined(MBEDTLS_USE_PSA_CRYPTO)
2315int mbedtls_ssl_conf_psk_opaque(mbedtls_ssl_config *conf,
2316 mbedtls_svc_key_id_t psk,
2317 const unsigned char *psk_identity,
2318 size_t psk_identity_len)
2319{
2320 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2321
2322 /* We currently only support one PSK, raw or opaque. */
2323 if (mbedtls_ssl_conf_has_static_psk(conf)) {
2324 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2325 }
2326
2327 /* Check and set opaque PSK */
2328 if (mbedtls_svc_key_id_is_null(psk)) {
2329 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2330 }
2331 conf->psk_opaque = psk;
2332
2333 /* Check and set PSK Identity */
2334 ret = ssl_conf_set_psk_identity(conf, psk_identity,
2335 psk_identity_len);
2336 if (ret != 0) {
2337 ssl_conf_remove_psk(conf);
2338 }
2339
2340 return ret;
2341}
2342
2343int mbedtls_ssl_set_hs_psk_opaque(mbedtls_ssl_context *ssl,
2344 mbedtls_svc_key_id_t psk)
2345{
2346 if ((mbedtls_svc_key_id_is_null(psk)) ||
2347 (ssl->handshake == NULL)) {
2348 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2349 }
2350
2351 ssl_remove_psk(ssl);
2352 ssl->handshake->psk_opaque = psk;
2353 return 0;
2354}
2355#endif /* MBEDTLS_USE_PSA_CRYPTO */
2356
2357#if defined(MBEDTLS_SSL_SRV_C)
2358void mbedtls_ssl_conf_psk_cb(mbedtls_ssl_config *conf,
2359 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
2360 size_t),
2361 void *p_psk)
2362{
2363 conf->f_psk = f_psk;
2364 conf->p_psk = p_psk;
2365}
2366#endif /* MBEDTLS_SSL_SRV_C */
2367
2368#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2369
2370#if defined(MBEDTLS_USE_PSA_CRYPTO)
2371static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2372 psa_algorithm_t alg)
2373{
2374#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2375 if (alg == PSA_ALG_CBC_NO_PADDING) {
2376 return MBEDTLS_SSL_MODE_CBC;
2377 }
2378#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2379 if (PSA_ALG_IS_AEAD(alg)) {
2380 return MBEDTLS_SSL_MODE_AEAD;
2381 }
2382 return MBEDTLS_SSL_MODE_STREAM;
2383}
2384
2385#else /* MBEDTLS_USE_PSA_CRYPTO */
2386
2387static mbedtls_ssl_mode_t mbedtls_ssl_get_base_mode(
2388 mbedtls_cipher_mode_t mode)
2389{
2390#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2391 if (mode == MBEDTLS_MODE_CBC) {
2392 return MBEDTLS_SSL_MODE_CBC;
2393 }
2394#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
2395
2396#if defined(MBEDTLS_GCM_C) || \
2397 defined(MBEDTLS_CCM_C) || \
2398 defined(MBEDTLS_CHACHAPOLY_C)
2399 if (mode == MBEDTLS_MODE_GCM ||
2400 mode == MBEDTLS_MODE_CCM ||
2401 mode == MBEDTLS_MODE_CHACHAPOLY) {
2402 return MBEDTLS_SSL_MODE_AEAD;
2403 }
2404#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
2405
2406 return MBEDTLS_SSL_MODE_STREAM;
2407}
2408#endif /* MBEDTLS_USE_PSA_CRYPTO */
2409
2410static mbedtls_ssl_mode_t mbedtls_ssl_get_actual_mode(
2411 mbedtls_ssl_mode_t base_mode,
2412 int encrypt_then_mac)
2413{
2414#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2415 if (encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
2416 base_mode == MBEDTLS_SSL_MODE_CBC) {
2417 return MBEDTLS_SSL_MODE_CBC_ETM;
2418 }
2419#else
2420 (void) encrypt_then_mac;
2421#endif
2422 return base_mode;
2423}
2424
2425mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2426 const mbedtls_ssl_transform *transform)
2427{
2428 mbedtls_ssl_mode_t base_mode = mbedtls_ssl_get_base_mode(
2429#if defined(MBEDTLS_USE_PSA_CRYPTO)
2430 transform->psa_alg
2431#else
2432 mbedtls_cipher_get_cipher_mode(&transform->cipher_ctx_enc)
2433#endif
2434 );
2435
2436 int encrypt_then_mac = 0;
2437#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2438 encrypt_then_mac = transform->encrypt_then_mac;
2439#endif
2440 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2441}
2442
2443mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2444#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2445 int encrypt_then_mac,
2446#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2447 const mbedtls_ssl_ciphersuite_t *suite)
2448{
2449 mbedtls_ssl_mode_t base_mode = MBEDTLS_SSL_MODE_STREAM;
2450
2451#if defined(MBEDTLS_USE_PSA_CRYPTO)
2452 psa_status_t status;
2453 psa_algorithm_t alg;
2454 psa_key_type_t type;
2455 size_t size;
2456 status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) suite->cipher,
2457 0, &alg, &type, &size);
2458 if (status == PSA_SUCCESS) {
2459 base_mode = mbedtls_ssl_get_base_mode(alg);
2460 }
2461#else
2462 const mbedtls_cipher_info_t *cipher =
2463 mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) suite->cipher);
2464 if (cipher != NULL) {
2465 base_mode =
2466 mbedtls_ssl_get_base_mode(
2467 mbedtls_cipher_info_get_mode(cipher));
2468 }
2469#endif /* MBEDTLS_USE_PSA_CRYPTO */
2470
2471#if !defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2472 int encrypt_then_mac = 0;
2473#endif
2474 return mbedtls_ssl_get_actual_mode(base_mode, encrypt_then_mac);
2475}
2476
2477#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2478
2479psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2480 size_t taglen,
2481 psa_algorithm_t *alg,
2482 psa_key_type_t *key_type,
2483 size_t *key_size)
2484{
2485#if !defined(MBEDTLS_SSL_HAVE_CCM)
2486 (void) taglen;
2487#endif
2488 switch (mbedtls_cipher_type) {
2489#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2490 case MBEDTLS_CIPHER_AES_128_CBC:
2491 *alg = PSA_ALG_CBC_NO_PADDING;
2492 *key_type = PSA_KEY_TYPE_AES;
2493 *key_size = 128;
2494 break;
2495#endif
2496#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2497 case MBEDTLS_CIPHER_AES_128_CCM:
2498 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2499 *key_type = PSA_KEY_TYPE_AES;
2500 *key_size = 128;
2501 break;
2502#endif
2503#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2504 case MBEDTLS_CIPHER_AES_128_GCM:
2505 *alg = PSA_ALG_GCM;
2506 *key_type = PSA_KEY_TYPE_AES;
2507 *key_size = 128;
2508 break;
2509#endif
2510#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2511 case MBEDTLS_CIPHER_AES_192_CCM:
2512 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2513 *key_type = PSA_KEY_TYPE_AES;
2514 *key_size = 192;
2515 break;
2516#endif
2517#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2518 case MBEDTLS_CIPHER_AES_192_GCM:
2519 *alg = PSA_ALG_GCM;
2520 *key_type = PSA_KEY_TYPE_AES;
2521 *key_size = 192;
2522 break;
2523#endif
2524#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
2525 case MBEDTLS_CIPHER_AES_256_CBC:
2526 *alg = PSA_ALG_CBC_NO_PADDING;
2527 *key_type = PSA_KEY_TYPE_AES;
2528 *key_size = 256;
2529 break;
2530#endif
2531#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
2532 case MBEDTLS_CIPHER_AES_256_CCM:
2533 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2534 *key_type = PSA_KEY_TYPE_AES;
2535 *key_size = 256;
2536 break;
2537#endif
2538#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
2539 case MBEDTLS_CIPHER_AES_256_GCM:
2540 *alg = PSA_ALG_GCM;
2541 *key_type = PSA_KEY_TYPE_AES;
2542 *key_size = 256;
2543 break;
2544#endif
2545#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2546 case MBEDTLS_CIPHER_ARIA_128_CBC:
2547 *alg = PSA_ALG_CBC_NO_PADDING;
2548 *key_type = PSA_KEY_TYPE_ARIA;
2549 *key_size = 128;
2550 break;
2551#endif
2552#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2553 case MBEDTLS_CIPHER_ARIA_128_CCM:
2554 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2555 *key_type = PSA_KEY_TYPE_ARIA;
2556 *key_size = 128;
2557 break;
2558#endif
2559#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2560 case MBEDTLS_CIPHER_ARIA_128_GCM:
2561 *alg = PSA_ALG_GCM;
2562 *key_type = PSA_KEY_TYPE_ARIA;
2563 *key_size = 128;
2564 break;
2565#endif
2566#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2567 case MBEDTLS_CIPHER_ARIA_192_CCM:
2568 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2569 *key_type = PSA_KEY_TYPE_ARIA;
2570 *key_size = 192;
2571 break;
2572#endif
2573#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2574 case MBEDTLS_CIPHER_ARIA_192_GCM:
2575 *alg = PSA_ALG_GCM;
2576 *key_type = PSA_KEY_TYPE_ARIA;
2577 *key_size = 192;
2578 break;
2579#endif
2580#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2581 case MBEDTLS_CIPHER_ARIA_256_CBC:
2582 *alg = PSA_ALG_CBC_NO_PADDING;
2583 *key_type = PSA_KEY_TYPE_ARIA;
2584 *key_size = 256;
2585 break;
2586#endif
2587#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2588 case MBEDTLS_CIPHER_ARIA_256_CCM:
2589 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2590 *key_type = PSA_KEY_TYPE_ARIA;
2591 *key_size = 256;
2592 break;
2593#endif
2594#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2595 case MBEDTLS_CIPHER_ARIA_256_GCM:
2596 *alg = PSA_ALG_GCM;
2597 *key_type = PSA_KEY_TYPE_ARIA;
2598 *key_size = 256;
2599 break;
2600#endif
2601#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2602 case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
2603 *alg = PSA_ALG_CBC_NO_PADDING;
2604 *key_type = PSA_KEY_TYPE_CAMELLIA;
2605 *key_size = 128;
2606 break;
2607#endif
2608#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2609 case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
2610 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2611 *key_type = PSA_KEY_TYPE_CAMELLIA;
2612 *key_size = 128;
2613 break;
2614#endif
2615#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2616 case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
2617 *alg = PSA_ALG_GCM;
2618 *key_type = PSA_KEY_TYPE_CAMELLIA;
2619 *key_size = 128;
2620 break;
2621#endif
2622#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2623 case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
2624 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2625 *key_type = PSA_KEY_TYPE_CAMELLIA;
2626 *key_size = 192;
2627 break;
2628#endif
2629#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2630 case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
2631 *alg = PSA_ALG_GCM;
2632 *key_type = PSA_KEY_TYPE_CAMELLIA;
2633 *key_size = 192;
2634 break;
2635#endif
2636#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
2637 case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
2638 *alg = PSA_ALG_CBC_NO_PADDING;
2639 *key_type = PSA_KEY_TYPE_CAMELLIA;
2640 *key_size = 256;
2641 break;
2642#endif
2643#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
2644 case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
2645 *alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
2646 *key_type = PSA_KEY_TYPE_CAMELLIA;
2647 *key_size = 256;
2648 break;
2649#endif
2650#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
2651 case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
2652 *alg = PSA_ALG_GCM;
2653 *key_type = PSA_KEY_TYPE_CAMELLIA;
2654 *key_size = 256;
2655 break;
2656#endif
2657#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
2658 case MBEDTLS_CIPHER_CHACHA20_POLY1305:
2659 *alg = PSA_ALG_CHACHA20_POLY1305;
2660 *key_type = PSA_KEY_TYPE_CHACHA20;
2661 *key_size = 256;
2662 break;
2663#endif
2664 case MBEDTLS_CIPHER_NULL:
2665 *alg = MBEDTLS_SSL_NULL_CIPHER;
2666 *key_type = 0;
2667 *key_size = 0;
2668 break;
2669 default:
2670 return PSA_ERROR_NOT_SUPPORTED;
2671 }
2672
2673 return PSA_SUCCESS;
2674}
2675#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2676
2677#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
2678int mbedtls_ssl_conf_dh_param_bin(mbedtls_ssl_config *conf,
2679 const unsigned char *dhm_P, size_t P_len,
2680 const unsigned char *dhm_G, size_t G_len)
2681{
2682 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2683
2684 mbedtls_mpi_free(&conf->dhm_P);
2685 mbedtls_mpi_free(&conf->dhm_G);
2686
2687 if ((ret = mbedtls_mpi_read_binary(&conf->dhm_P, dhm_P, P_len)) != 0 ||
2688 (ret = mbedtls_mpi_read_binary(&conf->dhm_G, dhm_G, G_len)) != 0) {
2689 mbedtls_mpi_free(&conf->dhm_P);
2690 mbedtls_mpi_free(&conf->dhm_G);
2691 return ret;
2692 }
2693
2694 return 0;
2695}
2696
2697int mbedtls_ssl_conf_dh_param_ctx(mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx)
2698{
2699 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2700
2701 mbedtls_mpi_free(&conf->dhm_P);
2702 mbedtls_mpi_free(&conf->dhm_G);
2703
2704 if ((ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_P,
2705 &conf->dhm_P)) != 0 ||
2706 (ret = mbedtls_dhm_get_value(dhm_ctx, MBEDTLS_DHM_PARAM_G,
2707 &conf->dhm_G)) != 0) {
2708 mbedtls_mpi_free(&conf->dhm_P);
2709 mbedtls_mpi_free(&conf->dhm_G);
2710 return ret;
2711 }
2712
2713 return 0;
2714}
2715#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
2716
2717#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
2718/*
2719 * Set the minimum length for Diffie-Hellman parameters
2720 */
2721void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf,
2722 unsigned int bitlen)
2723{
2724 conf->dhm_min_bitlen = bitlen;
2725}
2726#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
2727
2728#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2729#if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
2730/*
2731 * Set allowed/preferred hashes for handshake signatures
2732 */
2733void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf,
2734 const int *hashes)
2735{
2736 conf->sig_hashes = hashes;
2737}
2738#endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */
2739
2740/* Configure allowed signature algorithms for handshake */
2741void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf,
2742 const uint16_t *sig_algs)
2743{
2744#if !defined(MBEDTLS_DEPRECATED_REMOVED)
2745 conf->sig_hashes = NULL;
2746#endif /* !MBEDTLS_DEPRECATED_REMOVED */
2747 conf->sig_algs = sig_algs;
2748}
2749#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2750
2751#if defined(MBEDTLS_ECP_C)
2752#if !defined(MBEDTLS_DEPRECATED_REMOVED)
2753/*
2754 * Set the allowed elliptic curves
2755 *
2756 * mbedtls_ssl_setup() takes the provided list
2757 * and translates it to a list of IANA TLS group identifiers,
2758 * stored in ssl->handshake->group_list.
2759 *
2760 */
2761void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf,
2762 const mbedtls_ecp_group_id *curve_list)
2763{
2764 conf->curve_list = curve_list;
2765 conf->group_list = NULL;
2766}
2767#endif /* MBEDTLS_DEPRECATED_REMOVED */
2768#endif /* MBEDTLS_ECP_C */
2769
2770/*
2771 * Set the allowed groups
2772 */
2773void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf,
2774 const uint16_t *group_list)
2775{
2776#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
2777 conf->curve_list = NULL;
2778#endif
2779 conf->group_list = group_list;
2780}
2781
2782#if defined(MBEDTLS_X509_CRT_PARSE_C)
2783
2784/* A magic value for `ssl->hostname` indicating that
2785 * mbedtls_ssl_set_hostname() has been called with `NULL`.
2786 * If mbedtls_ssl_set_hostname() has never been called on `ssl`, then
2787 * `ssl->hostname == NULL`. */
2788static const char *const ssl_hostname_skip_cn_verification = "";
2789
2790#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2791/** Whether mbedtls_ssl_set_hostname() has been called.
2792 *
2793 * \param[in] ssl SSL context
2794 *
2795 * \return \c 1 if mbedtls_ssl_set_hostname() has been called on \p ssl
2796 * (including `mbedtls_ssl_set_hostname(ssl, NULL)`),
2797 * otherwise \c 0.
2798 */
2799static int mbedtls_ssl_has_set_hostname_been_called(
2800 const mbedtls_ssl_context *ssl)
2801{
2802 return ssl->hostname != NULL;
2803}
2804#endif
2805
2806/* Micro-optimization: don't export this function if it isn't needed outside
2807 * of this source file. */
2808#if !defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2809static
2810#endif
2811const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl)
2812{
2813 if (ssl->hostname == ssl_hostname_skip_cn_verification) {
2814 return NULL;
2815 }
2816 return ssl->hostname;
2817}
2818
2819static void mbedtls_ssl_free_hostname(mbedtls_ssl_context *ssl)
2820{
2821 if (ssl->hostname != NULL &&
2822 ssl->hostname != ssl_hostname_skip_cn_verification) {
2823 mbedtls_zeroize_and_free(ssl->hostname, strlen(ssl->hostname));
2824 }
2825 ssl->hostname = NULL;
2826}
2827
2828int mbedtls_ssl_set_hostname(mbedtls_ssl_context *ssl, const char *hostname)
2829{
2830 /* Initialize to suppress unnecessary compiler warning */
2831 size_t hostname_len = 0;
2832
2833 /* Check if new hostname is valid before
2834 * making any change to current one */
2835 if (hostname != NULL) {
2836 hostname_len = strlen(hostname);
2837
2838 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
2839 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2840 }
2841 }
2842
2843 /* Now it's clear that we will overwrite the old hostname,
2844 * so we can free it safely */
2845 mbedtls_ssl_free_hostname(ssl);
2846
2847 if (hostname == NULL) {
2848 /* Passing NULL as hostname clears the old one, but leaves a
2849 * special marker to indicate that mbedtls_ssl_set_hostname()
2850 * has been called. */
2851 /* ssl->hostname should be const, but isn't. We won't actually
2852 * write to the buffer, so it's ok to cast away the const. */
2853 ssl->hostname = (char *) ssl_hostname_skip_cn_verification;
2854 } else {
2855 ssl->hostname = mbedtls_calloc(1, hostname_len + 1);
2856 if (ssl->hostname == NULL) {
2857 /* mbedtls_ssl_set_hostname() has been called, but unsuccessfully.
2858 * Leave ssl->hostname in the same state as if the function had
2859 * not been called, i.e. a null pointer. */
2860 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2861 }
2862
2863 memcpy(ssl->hostname, hostname, hostname_len);
2864
2865 ssl->hostname[hostname_len] = '\0';
2866 }
2867
2868 return 0;
2869}
2870#endif /* MBEDTLS_X509_CRT_PARSE_C */
2871
2872#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2873void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf,
2874 int (*f_sni)(void *, mbedtls_ssl_context *,
2875 const unsigned char *, size_t),
2876 void *p_sni)
2877{
2878 conf->f_sni = f_sni;
2879 conf->p_sni = p_sni;
2880}
2881#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2882
2883#if defined(MBEDTLS_SSL_ALPN)
2884int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
2885{
2886 size_t cur_len, tot_len;
2887 const char **p;
2888
2889 /*
2890 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
2891 * MUST NOT be truncated."
2892 * We check lengths now rather than later.
2893 */
2894 tot_len = 0;
2895 for (p = protos; *p != NULL; p++) {
2896 cur_len = strlen(*p);
2897 tot_len += cur_len;
2898
2899 if ((cur_len == 0) ||
2900 (cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) ||
2901 (tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN)) {
2902 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2903 }
2904 }
2905
2906 conf->alpn_list = protos;
2907
2908 return 0;
2909}
2910
2911const char *mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
2912{
2913 return ssl->alpn_chosen;
2914}
2915#endif /* MBEDTLS_SSL_ALPN */
2916
2917#if defined(MBEDTLS_SSL_DTLS_SRTP)
2918void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf,
2919 int support_mki_value)
2920{
2921 conf->dtls_srtp_mki_support = support_mki_value;
2922}
2923
2924int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl,
2925 unsigned char *mki_value,
2926 uint16_t mki_len)
2927{
2928 if (mki_len > MBEDTLS_TLS_SRTP_MAX_MKI_LENGTH) {
2929 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2930 }
2931
2932 if (ssl->conf->dtls_srtp_mki_support == MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED) {
2933 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2934 }
2935
2936 memcpy(ssl->dtls_srtp_info.mki_value, mki_value, mki_len);
2937 ssl->dtls_srtp_info.mki_len = mki_len;
2938 return 0;
2939}
2940
2941int mbedtls_ssl_conf_dtls_srtp_protection_profiles(mbedtls_ssl_config *conf,
2942 const mbedtls_ssl_srtp_profile *profiles)
2943{
2944 const mbedtls_ssl_srtp_profile *p;
2945 size_t list_size = 0;
2946
2947 /* check the profiles list: all entry must be valid,
2948 * its size cannot be more than the total number of supported profiles, currently 4 */
2949 for (p = profiles; *p != MBEDTLS_TLS_SRTP_UNSET &&
2950 list_size <= MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH;
2951 p++) {
2952 if (mbedtls_ssl_check_srtp_profile_value(*p) != MBEDTLS_TLS_SRTP_UNSET) {
2953 list_size++;
2954 } else {
2955 /* unsupported value, stop parsing and set the size to an error value */
2956 list_size = MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH + 1;
2957 }
2958 }
2959
2960 if (list_size > MBEDTLS_TLS_SRTP_MAX_PROFILE_LIST_LENGTH) {
2961 conf->dtls_srtp_profile_list = NULL;
2962 conf->dtls_srtp_profile_list_len = 0;
2963 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2964 }
2965
2966 conf->dtls_srtp_profile_list = profiles;
2967 conf->dtls_srtp_profile_list_len = list_size;
2968
2969 return 0;
2970}
2971
2972void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl,
2973 mbedtls_dtls_srtp_info *dtls_srtp_info)
2974{
2975 dtls_srtp_info->chosen_dtls_srtp_profile = ssl->dtls_srtp_info.chosen_dtls_srtp_profile;
2976 /* do not copy the mki value if there is no chosen profile */
2977 if (dtls_srtp_info->chosen_dtls_srtp_profile == MBEDTLS_TLS_SRTP_UNSET) {
2978 dtls_srtp_info->mki_len = 0;
2979 } else {
2980 dtls_srtp_info->mki_len = ssl->dtls_srtp_info.mki_len;
2981 memcpy(dtls_srtp_info->mki_value, ssl->dtls_srtp_info.mki_value,
2982 ssl->dtls_srtp_info.mki_len);
2983 }
2984}
2985#endif /* MBEDTLS_SSL_DTLS_SRTP */
2986
2987#if !defined(MBEDTLS_DEPRECATED_REMOVED)
2988void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor)
2989{
2990 conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2991}
2992
2993void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor)
2994{
2995 conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor);
2996}
2997#endif /* MBEDTLS_DEPRECATED_REMOVED */
2998
2999#if defined(MBEDTLS_SSL_SRV_C)
3000void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf,
3001 char cert_req_ca_list)
3002{
3003 conf->cert_req_ca_list = cert_req_ca_list;
3004}
3005#endif
3006
3007#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3008void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
3009{
3010 conf->encrypt_then_mac = etm;
3011}
3012#endif
3013
3014#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
3015void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
3016{
3017 conf->extended_ms = ems;
3018}
3019#endif
3020
3021#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3022int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
3023{
3024 if (mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
3025 ssl_mfl_code_to_length(mfl_code) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN) {
3026 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3027 }
3028
3029 conf->mfl_code = mfl_code;
3030
3031 return 0;
3032}
3033#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3034
3035void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
3036{
3037 conf->allow_legacy_renegotiation = allow_legacy;
3038}
3039
3040#if defined(MBEDTLS_SSL_RENEGOTIATION)
3041void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
3042{
3043 conf->disable_renegotiation = renegotiation;
3044}
3045
3046void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
3047{
3048 conf->renego_max_records = max_records;
3049}
3050
3051void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf,
3052 const unsigned char period[8])
3053{
3054 memcpy(conf->renego_period, period, 8);
3055}
3056#endif /* MBEDTLS_SSL_RENEGOTIATION */
3057
3058#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3059#if defined(MBEDTLS_SSL_CLI_C)
3060
3061void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
3062{
3063 conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK;
3064 conf->session_tickets |= (use_tickets != 0) <<
3065 MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT;
3066}
3067
3068#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3069void mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
3070 mbedtls_ssl_config *conf, int signal_new_session_tickets)
3071{
3072 conf->session_tickets &= ~MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK;
3073 conf->session_tickets |= (signal_new_session_tickets != 0) <<
3074 MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT;
3075}
3076#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3077#endif /* MBEDTLS_SSL_CLI_C */
3078
3079#if defined(MBEDTLS_SSL_SRV_C)
3080
3081#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
3082void mbedtls_ssl_conf_new_session_tickets(mbedtls_ssl_config *conf,
3083 uint16_t num_tickets)
3084{
3085 conf->new_session_tickets_count = num_tickets;
3086}
3087#endif
3088
3089void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf,
3090 mbedtls_ssl_ticket_write_t *f_ticket_write,
3091 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
3092 void *p_ticket)
3093{
3094 conf->f_ticket_write = f_ticket_write;
3095 conf->f_ticket_parse = f_ticket_parse;
3096 conf->p_ticket = p_ticket;
3097}
3098#endif
3099#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3100
3101void mbedtls_ssl_set_export_keys_cb(mbedtls_ssl_context *ssl,
3102 mbedtls_ssl_export_keys_t *f_export_keys,
3103 void *p_export_keys)
3104{
3105 ssl->f_export_keys = f_export_keys;
3106 ssl->p_export_keys = p_export_keys;
3107}
3108
3109#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3110void mbedtls_ssl_conf_async_private_cb(
3111 mbedtls_ssl_config *conf,
3112 mbedtls_ssl_async_sign_t *f_async_sign,
3113 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
3114 mbedtls_ssl_async_resume_t *f_async_resume,
3115 mbedtls_ssl_async_cancel_t *f_async_cancel,
3116 void *async_config_data)
3117{
3118 conf->f_async_sign_start = f_async_sign;
3119 conf->f_async_decrypt_start = f_async_decrypt;
3120 conf->f_async_resume = f_async_resume;
3121 conf->f_async_cancel = f_async_cancel;
3122 conf->p_async_config_data = async_config_data;
3123}
3124
3125void *mbedtls_ssl_conf_get_async_config_data(const mbedtls_ssl_config *conf)
3126{
3127 return conf->p_async_config_data;
3128}
3129
3130void *mbedtls_ssl_get_async_operation_data(const mbedtls_ssl_context *ssl)
3131{
3132 if (ssl->handshake == NULL) {
3133 return NULL;
3134 } else {
3135 return ssl->handshake->user_async_ctx;
3136 }
3137}
3138
3139void mbedtls_ssl_set_async_operation_data(mbedtls_ssl_context *ssl,
3140 void *ctx)
3141{
3142 if (ssl->handshake != NULL) {
3143 ssl->handshake->user_async_ctx = ctx;
3144 }
3145}
3146#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3147
3148/*
3149 * SSL get accessors
3150 */
3151uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
3152{
3153 if (ssl->session != NULL) {
3154 return ssl->session->verify_result;
3155 }
3156
3157 if (ssl->session_negotiate != NULL) {
3158 return ssl->session_negotiate->verify_result;
3159 }
3160
3161 return 0xFFFFFFFF;
3162}
3163
3164int mbedtls_ssl_get_ciphersuite_id_from_ssl(const mbedtls_ssl_context *ssl)
3165{
3166 if (ssl == NULL || ssl->session == NULL) {
3167 return 0;
3168 }
3169
3170 return ssl->session->ciphersuite;
3171}
3172
3173const char *mbedtls_ssl_get_ciphersuite(const mbedtls_ssl_context *ssl)
3174{
3175 if (ssl == NULL || ssl->session == NULL) {
3176 return NULL;
3177 }
3178
3179 return mbedtls_ssl_get_ciphersuite_name(ssl->session->ciphersuite);
3180}
3181
3182const char *mbedtls_ssl_get_version(const mbedtls_ssl_context *ssl)
3183{
3184#if defined(MBEDTLS_SSL_PROTO_DTLS)
3185 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3186 switch (ssl->tls_version) {
3187 case MBEDTLS_SSL_VERSION_TLS1_2:
3188 return "DTLSv1.2";
3189 default:
3190 return "unknown (DTLS)";
3191 }
3192 }
3193#endif
3194
3195 switch (ssl->tls_version) {
3196 case MBEDTLS_SSL_VERSION_TLS1_2:
3197 return "TLSv1.2";
3198 case MBEDTLS_SSL_VERSION_TLS1_3:
3199 return "TLSv1.3";
3200 default:
3201 return "unknown";
3202 }
3203}
3204
3205#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3206
3207size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl)
3208{
3209 const size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3210 size_t record_size_limit = max_len;
3211
3212 if (ssl->session != NULL &&
3213 ssl->session->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3214 ssl->session->record_size_limit < max_len) {
3215 record_size_limit = ssl->session->record_size_limit;
3216 }
3217
3218 // TODO: this is currently untested
3219 /* During a handshake, use the value being negotiated */
3220 if (ssl->session_negotiate != NULL &&
3221 ssl->session_negotiate->record_size_limit >= MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN &&
3222 ssl->session_negotiate->record_size_limit < max_len) {
3223 record_size_limit = ssl->session_negotiate->record_size_limit;
3224 }
3225
3226 return record_size_limit;
3227}
3228#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3229
3230#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3231size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl)
3232{
3233 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3234 size_t read_mfl;
3235
3236#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3237 /* Use the configured MFL for the client if we're past SERVER_HELLO_DONE */
3238 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
3239 ssl->state >= MBEDTLS_SSL_SERVER_HELLO_DONE) {
3240 return ssl_mfl_code_to_length(ssl->conf->mfl_code);
3241 }
3242#endif
3243
3244 /* Check if a smaller max length was negotiated */
3245 if (ssl->session_out != NULL) {
3246 read_mfl = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3247 if (read_mfl < max_len) {
3248 max_len = read_mfl;
3249 }
3250 }
3251
3252 /* During a handshake, use the value being negotiated */
3253 if (ssl->session_negotiate != NULL) {
3254 read_mfl = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3255 if (read_mfl < max_len) {
3256 max_len = read_mfl;
3257 }
3258 }
3259
3260 return max_len;
3261}
3262
3263size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl)
3264{
3265 size_t max_len;
3266
3267 /*
3268 * Assume mfl_code is correct since it was checked when set
3269 */
3270 max_len = ssl_mfl_code_to_length(ssl->conf->mfl_code);
3271
3272 /* Check if a smaller max length was negotiated */
3273 if (ssl->session_out != NULL &&
3274 ssl_mfl_code_to_length(ssl->session_out->mfl_code) < max_len) {
3275 max_len = ssl_mfl_code_to_length(ssl->session_out->mfl_code);
3276 }
3277
3278 /* During a handshake, use the value being negotiated */
3279 if (ssl->session_negotiate != NULL &&
3280 ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code) < max_len) {
3281 max_len = ssl_mfl_code_to_length(ssl->session_negotiate->mfl_code);
3282 }
3283
3284 return max_len;
3285}
3286#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
3287
3288#if defined(MBEDTLS_SSL_PROTO_DTLS)
3289size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl)
3290{
3291 if (ssl->handshake == NULL || ssl->handshake->mtu == 0) {
3292 return ssl->mtu;
3293 }
3294
3295 if (ssl->mtu == 0) {
3296 return ssl->handshake->mtu;
3297 }
3298
3299 return ssl->mtu < ssl->handshake->mtu ?
3300 ssl->mtu : ssl->handshake->mtu;
3301}
3302#endif /* MBEDTLS_SSL_PROTO_DTLS */
3303
3304int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
3305{
3306 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
3307
3308#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3309 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) && \
3310 !defined(MBEDTLS_SSL_PROTO_DTLS)
3311 (void) ssl;
3312#endif
3313
3314#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3315 const size_t mfl = mbedtls_ssl_get_output_max_frag_len(ssl);
3316
3317 if (max_len > mfl) {
3318 max_len = mfl;
3319 }
3320#endif
3321
3322#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3323 const size_t record_size_limit = mbedtls_ssl_get_output_record_size_limit(ssl);
3324
3325 if (max_len > record_size_limit) {
3326 max_len = record_size_limit;
3327 }
3328#endif
3329
3330 if (ssl->transform_out != NULL &&
3331 ssl->transform_out->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
3332 /*
3333 * In TLS 1.3 case, when records are protected, `max_len` as computed
3334 * above is the maximum length of the TLSInnerPlaintext structure that
3335 * along the plaintext payload contains the inner content type (one byte)
3336 * and some zero padding. Given the algorithm used for padding
3337 * in mbedtls_ssl_encrypt_buf(), compute the maximum length for
3338 * the plaintext payload. Round down to a multiple of
3339 * MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY and
3340 * subtract 1.
3341 */
3342 max_len = ((max_len / MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) *
3343 MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY) - 1;
3344 }
3345
3346#if defined(MBEDTLS_SSL_PROTO_DTLS)
3347 if (mbedtls_ssl_get_current_mtu(ssl) != 0) {
3348 const size_t mtu = mbedtls_ssl_get_current_mtu(ssl);
3349 const int ret = mbedtls_ssl_get_record_expansion(ssl);
3350 const size_t overhead = (size_t) ret;
3351
3352 if (ret < 0) {
3353 return ret;
3354 }
3355
3356 if (mtu <= overhead) {
3357 MBEDTLS_SSL_DEBUG_MSG(1, ("MTU too low for record expansion"));
3358 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3359 }
3360
3361 if (max_len > mtu - overhead) {
3362 max_len = mtu - overhead;
3363 }
3364 }
3365#endif /* MBEDTLS_SSL_PROTO_DTLS */
3366
3367#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
3368 !defined(MBEDTLS_SSL_PROTO_DTLS) && \
3369 !defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3370 ((void) ssl);
3371#endif
3372
3373 return (int) max_len;
3374}
3375
3376int mbedtls_ssl_get_max_in_record_payload(const mbedtls_ssl_context *ssl)
3377{
3378 size_t max_len = MBEDTLS_SSL_IN_CONTENT_LEN;
3379
3380#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3381 (void) ssl;
3382#endif
3383
3384#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3385 const size_t mfl = mbedtls_ssl_get_input_max_frag_len(ssl);
3386
3387 if (max_len > mfl) {
3388 max_len = mfl;
3389 }
3390#endif
3391
3392 return (int) max_len;
3393}
3394
3395#if defined(MBEDTLS_X509_CRT_PARSE_C)
3396const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert(const mbedtls_ssl_context *ssl)
3397{
3398 if (ssl == NULL || ssl->session == NULL) {
3399 return NULL;
3400 }
3401
3402#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3403 return ssl->session->peer_cert;
3404#else
3405 return NULL;
3406#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3407}
3408#endif /* MBEDTLS_X509_CRT_PARSE_C */
3409
3410#if defined(MBEDTLS_SSL_CLI_C)
3411int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl,
3412 mbedtls_ssl_session *dst)
3413{
3414 int ret;
3415
3416 if (ssl == NULL ||
3417 dst == NULL ||
3418 ssl->session == NULL ||
3419 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT) {
3420 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3421 }
3422
3423 /* Since Mbed TLS 3.0, mbedtls_ssl_get_session() is no longer
3424 * idempotent: Each session can only be exported once.
3425 *
3426 * (This is in preparation for TLS 1.3 support where we will
3427 * need the ability to export multiple sessions (aka tickets),
3428 * which will be achieved by calling mbedtls_ssl_get_session()
3429 * multiple times until it fails.)
3430 *
3431 * Check whether we have already exported the current session,
3432 * and fail if so.
3433 */
3434 if (ssl->session->exported == 1) {
3435 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
3436 }
3437
3438 ret = mbedtls_ssl_session_copy(dst, ssl->session);
3439 if (ret != 0) {
3440 return ret;
3441 }
3442
3443 /* Remember that we've exported the session. */
3444 ssl->session->exported = 1;
3445 return 0;
3446}
3447#endif /* MBEDTLS_SSL_CLI_C */
3448
3449#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3450
3451/* Serialization of TLS 1.2 sessions
3452 *
3453 * For more detail, see the description of ssl_session_save().
3454 */
3455static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
3456 unsigned char *buf,
3457 size_t buf_len)
3458{
3459 unsigned char *p = buf;
3460 size_t used = 0;
3461
3462#if defined(MBEDTLS_HAVE_TIME)
3463 uint64_t start;
3464#endif
3465#if defined(MBEDTLS_X509_CRT_PARSE_C)
3466#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3467 size_t cert_len;
3468#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3469#endif /* MBEDTLS_X509_CRT_PARSE_C */
3470
3471 /*
3472 * Time
3473 */
3474#if defined(MBEDTLS_HAVE_TIME)
3475 used += 8;
3476
3477 if (used <= buf_len) {
3478 start = (uint64_t) session->start;
3479
3480 MBEDTLS_PUT_UINT64_BE(start, p, 0);
3481 p += 8;
3482 }
3483#endif /* MBEDTLS_HAVE_TIME */
3484
3485 /*
3486 * Basic mandatory fields
3487 */
3488 used += 1 /* id_len */
3489 + sizeof(session->id)
3490 + sizeof(session->master)
3491 + 4; /* verify_result */
3492
3493 if (used <= buf_len) {
3494 *p++ = MBEDTLS_BYTE_0(session->id_len);
3495 memcpy(p, session->id, 32);
3496 p += 32;
3497
3498 memcpy(p, session->master, 48);
3499 p += 48;
3500
3501 MBEDTLS_PUT_UINT32_BE(session->verify_result, p, 0);
3502 p += 4;
3503 }
3504
3505 /*
3506 * Peer's end-entity certificate
3507 */
3508#if defined(MBEDTLS_X509_CRT_PARSE_C)
3509#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3510 if (session->peer_cert == NULL) {
3511 cert_len = 0;
3512 } else {
3513 cert_len = session->peer_cert->raw.len;
3514 }
3515
3516 used += 3 + cert_len;
3517
3518 if (used <= buf_len) {
3519 *p++ = MBEDTLS_BYTE_2(cert_len);
3520 *p++ = MBEDTLS_BYTE_1(cert_len);
3521 *p++ = MBEDTLS_BYTE_0(cert_len);
3522
3523 if (session->peer_cert != NULL) {
3524 memcpy(p, session->peer_cert->raw.p, cert_len);
3525 p += cert_len;
3526 }
3527 }
3528#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3529 if (session->peer_cert_digest != NULL) {
3530 used += 1 /* type */ + 1 /* length */ + session->peer_cert_digest_len;
3531 if (used <= buf_len) {
3532 *p++ = (unsigned char) session->peer_cert_digest_type;
3533 *p++ = (unsigned char) session->peer_cert_digest_len;
3534 memcpy(p, session->peer_cert_digest,
3535 session->peer_cert_digest_len);
3536 p += session->peer_cert_digest_len;
3537 }
3538 } else {
3539 used += 2;
3540 if (used <= buf_len) {
3541 *p++ = (unsigned char) MBEDTLS_MD_NONE;
3542 *p++ = 0;
3543 }
3544 }
3545#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3546#endif /* MBEDTLS_X509_CRT_PARSE_C */
3547
3548 /*
3549 * Session ticket if any, plus associated data
3550 */
3551#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3552#if defined(MBEDTLS_SSL_CLI_C)
3553 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3554 used += 3 + session->ticket_len + 4; /* len + ticket + lifetime */
3555
3556 if (used <= buf_len) {
3557 *p++ = MBEDTLS_BYTE_2(session->ticket_len);
3558 *p++ = MBEDTLS_BYTE_1(session->ticket_len);
3559 *p++ = MBEDTLS_BYTE_0(session->ticket_len);
3560
3561 if (session->ticket != NULL) {
3562 memcpy(p, session->ticket, session->ticket_len);
3563 p += session->ticket_len;
3564 }
3565
3566 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3567 p += 4;
3568 }
3569 }
3570#endif /* MBEDTLS_SSL_CLI_C */
3571#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3572 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3573 used += 8;
3574
3575 if (used <= buf_len) {
3576 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3577 p += 8;
3578 }
3579 }
3580#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3581#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3582
3583 /*
3584 * Misc extension-related info
3585 */
3586#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3587 used += 1;
3588
3589 if (used <= buf_len) {
3590 *p++ = session->mfl_code;
3591 }
3592#endif
3593
3594#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3595 used += 1;
3596
3597 if (used <= buf_len) {
3598 *p++ = MBEDTLS_BYTE_0(session->encrypt_then_mac);
3599 }
3600#endif
3601
3602 return used;
3603}
3604
3605MBEDTLS_CHECK_RETURN_CRITICAL
3606static int ssl_tls12_session_load(mbedtls_ssl_session *session,
3607 const unsigned char *buf,
3608 size_t len)
3609{
3610#if defined(MBEDTLS_HAVE_TIME)
3611 uint64_t start;
3612#endif
3613#if defined(MBEDTLS_X509_CRT_PARSE_C)
3614#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3615 size_t cert_len;
3616#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3617#endif /* MBEDTLS_X509_CRT_PARSE_C */
3618
3619 const unsigned char *p = buf;
3620 const unsigned char * const end = buf + len;
3621
3622 /*
3623 * Time
3624 */
3625#if defined(MBEDTLS_HAVE_TIME)
3626 if (8 > (size_t) (end - p)) {
3627 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3628 }
3629
3630 start = MBEDTLS_GET_UINT64_BE(p, 0);
3631 p += 8;
3632
3633 session->start = (mbedtls_time_t) start;
3634#endif /* MBEDTLS_HAVE_TIME */
3635
3636 /*
3637 * Basic mandatory fields
3638 */
3639 if (1 + 32 + 48 + 4 > (size_t) (end - p)) {
3640 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3641 }
3642
3643 session->id_len = *p++;
3644 memcpy(session->id, p, 32);
3645 p += 32;
3646
3647 memcpy(session->master, p, 48);
3648 p += 48;
3649
3650 session->verify_result = MBEDTLS_GET_UINT32_BE(p, 0);
3651 p += 4;
3652
3653 /* Immediately clear invalid pointer values that have been read, in case
3654 * we exit early before we replaced them with valid ones. */
3655#if defined(MBEDTLS_X509_CRT_PARSE_C)
3656#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3657 session->peer_cert = NULL;
3658#else
3659 session->peer_cert_digest = NULL;
3660#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3661#endif /* MBEDTLS_X509_CRT_PARSE_C */
3662#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
3663 session->ticket = NULL;
3664#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
3665
3666 /*
3667 * Peer certificate
3668 */
3669#if defined(MBEDTLS_X509_CRT_PARSE_C)
3670#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
3671 /* Deserialize CRT from the end of the ticket. */
3672 if (3 > (size_t) (end - p)) {
3673 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3674 }
3675
3676 cert_len = MBEDTLS_GET_UINT24_BE(p, 0);
3677 p += 3;
3678
3679 if (cert_len != 0) {
3680 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3681
3682 if (cert_len > (size_t) (end - p)) {
3683 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3684 }
3685
3686 session->peer_cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
3687
3688 if (session->peer_cert == NULL) {
3689 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3690 }
3691
3692 mbedtls_x509_crt_init(session->peer_cert);
3693
3694 if ((ret = mbedtls_x509_crt_parse_der(session->peer_cert,
3695 p, cert_len)) != 0) {
3696 mbedtls_x509_crt_free(session->peer_cert);
3697 mbedtls_free(session->peer_cert);
3698 session->peer_cert = NULL;
3699 return ret;
3700 }
3701
3702 p += cert_len;
3703 }
3704#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3705 /* Deserialize CRT digest from the end of the ticket. */
3706 if (2 > (size_t) (end - p)) {
3707 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3708 }
3709
3710 session->peer_cert_digest_type = (mbedtls_md_type_t) *p++;
3711 session->peer_cert_digest_len = (size_t) *p++;
3712
3713 if (session->peer_cert_digest_len != 0) {
3714 const mbedtls_md_info_t *md_info =
3715 mbedtls_md_info_from_type(session->peer_cert_digest_type);
3716 if (md_info == NULL) {
3717 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3718 }
3719 if (session->peer_cert_digest_len != mbedtls_md_get_size(md_info)) {
3720 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3721 }
3722
3723 if (session->peer_cert_digest_len > (size_t) (end - p)) {
3724 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3725 }
3726
3727 session->peer_cert_digest =
3728 mbedtls_calloc(1, session->peer_cert_digest_len);
3729 if (session->peer_cert_digest == NULL) {
3730 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3731 }
3732
3733 memcpy(session->peer_cert_digest, p,
3734 session->peer_cert_digest_len);
3735 p += session->peer_cert_digest_len;
3736 }
3737#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
3738#endif /* MBEDTLS_X509_CRT_PARSE_C */
3739
3740 /*
3741 * Session ticket and associated data
3742 */
3743#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3744#if defined(MBEDTLS_SSL_CLI_C)
3745 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3746 if (3 > (size_t) (end - p)) {
3747 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3748 }
3749
3750 session->ticket_len = MBEDTLS_GET_UINT24_BE(p, 0);
3751 p += 3;
3752
3753 if (session->ticket_len != 0) {
3754 if (session->ticket_len > (size_t) (end - p)) {
3755 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3756 }
3757
3758 session->ticket = mbedtls_calloc(1, session->ticket_len);
3759 if (session->ticket == NULL) {
3760 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
3761 }
3762
3763 memcpy(session->ticket, p, session->ticket_len);
3764 p += session->ticket_len;
3765 }
3766
3767 if (4 > (size_t) (end - p)) {
3768 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3769 }
3770
3771 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
3772 p += 4;
3773 }
3774#endif /* MBEDTLS_SSL_CLI_C */
3775#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
3776 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3777 if (8 > (size_t) (end - p)) {
3778 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3779 }
3780 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
3781 p += 8;
3782 }
3783#endif /* MBEDTLS_HAVE_TIME && MBEDTLS_SSL_SRV_C */
3784#endif /* MBEDTLS_SSL_SESSION_TICKETS */
3785
3786 /*
3787 * Misc extension-related info
3788 */
3789#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3790 if (1 > (size_t) (end - p)) {
3791 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3792 }
3793
3794 session->mfl_code = *p++;
3795#endif
3796
3797#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
3798 if (1 > (size_t) (end - p)) {
3799 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3800 }
3801
3802 session->encrypt_then_mac = *p++;
3803#endif
3804
3805 /* Done, should have consumed entire buffer */
3806 if (p != end) {
3807 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3808 }
3809
3810 return 0;
3811}
3812
3813#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3814
3815#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3816/* Serialization of TLS 1.3 sessions:
3817 *
3818 * For more detail, see the description of ssl_session_save().
3819 */
3820#if defined(MBEDTLS_SSL_SESSION_TICKETS)
3821MBEDTLS_CHECK_RETURN_CRITICAL
3822static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
3823 unsigned char *buf,
3824 size_t buf_len,
3825 size_t *olen)
3826{
3827 unsigned char *p = buf;
3828#if defined(MBEDTLS_SSL_CLI_C) && \
3829 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3830 size_t hostname_len = (session->hostname == NULL) ?
3831 0 : strlen(session->hostname) + 1;
3832#endif
3833
3834#if defined(MBEDTLS_SSL_SRV_C) && \
3835 defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3836 const size_t alpn_len = (session->ticket_alpn == NULL) ?
3837 0 : strlen(session->ticket_alpn) + 1;
3838#endif
3839 size_t needed = 4 /* ticket_age_add */
3840 + 1 /* ticket_flags */
3841 + 1; /* resumption_key length */
3842
3843 *olen = 0;
3844
3845 if (session->resumption_key_len > MBEDTLS_SSL_TLS1_3_TICKET_RESUMPTION_KEY_LEN) {
3846 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3847 }
3848 needed += session->resumption_key_len; /* resumption_key */
3849
3850#if defined(MBEDTLS_SSL_EARLY_DATA)
3851 needed += 4; /* max_early_data_size */
3852#endif
3853#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3854 needed += 2; /* record_size_limit */
3855#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3856
3857#if defined(MBEDTLS_HAVE_TIME)
3858 needed += 8; /* ticket_creation_time or ticket_reception_time */
3859#endif
3860
3861#if defined(MBEDTLS_SSL_SRV_C)
3862 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3863#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3864 needed += 2 /* alpn_len */
3865 + alpn_len; /* alpn */
3866#endif
3867 }
3868#endif /* MBEDTLS_SSL_SRV_C */
3869
3870#if defined(MBEDTLS_SSL_CLI_C)
3871 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3872#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3873 needed += 2 /* hostname_len */
3874 + hostname_len; /* hostname */
3875#endif
3876
3877 needed += 4 /* ticket_lifetime */
3878 + 2; /* ticket_len */
3879
3880 /* Check size_t overflow */
3881 if (session->ticket_len > SIZE_MAX - needed) {
3882 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3883 }
3884
3885 needed += session->ticket_len; /* ticket */
3886 }
3887#endif /* MBEDTLS_SSL_CLI_C */
3888
3889 *olen = needed;
3890 if (needed > buf_len) {
3891 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
3892 }
3893
3894 MBEDTLS_PUT_UINT32_BE(session->ticket_age_add, p, 0);
3895 p[4] = session->ticket_flags;
3896
3897 /* save resumption_key */
3898 p[5] = session->resumption_key_len;
3899 p += 6;
3900 memcpy(p, session->resumption_key, session->resumption_key_len);
3901 p += session->resumption_key_len;
3902
3903#if defined(MBEDTLS_SSL_EARLY_DATA)
3904 MBEDTLS_PUT_UINT32_BE(session->max_early_data_size, p, 0);
3905 p += 4;
3906#endif
3907#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3908 MBEDTLS_PUT_UINT16_BE(session->record_size_limit, p, 0);
3909 p += 2;
3910#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
3911
3912#if defined(MBEDTLS_SSL_SRV_C)
3913 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
3914#if defined(MBEDTLS_HAVE_TIME)
3915 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_creation_time, p, 0);
3916 p += 8;
3917#endif /* MBEDTLS_HAVE_TIME */
3918
3919#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
3920 MBEDTLS_PUT_UINT16_BE(alpn_len, p, 0);
3921 p += 2;
3922
3923 if (alpn_len > 0) {
3924 /* save chosen alpn */
3925 memcpy(p, session->ticket_alpn, alpn_len);
3926 p += alpn_len;
3927 }
3928#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
3929 }
3930#endif /* MBEDTLS_SSL_SRV_C */
3931
3932#if defined(MBEDTLS_SSL_CLI_C)
3933 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
3934#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3935 MBEDTLS_PUT_UINT16_BE(hostname_len, p, 0);
3936 p += 2;
3937 if (hostname_len > 0) {
3938 /* save host name */
3939 memcpy(p, session->hostname, hostname_len);
3940 p += hostname_len;
3941 }
3942#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
3943
3944#if defined(MBEDTLS_HAVE_TIME)
3945 MBEDTLS_PUT_UINT64_BE((uint64_t) session->ticket_reception_time, p, 0);
3946 p += 8;
3947#endif
3948 MBEDTLS_PUT_UINT32_BE(session->ticket_lifetime, p, 0);
3949 p += 4;
3950
3951 MBEDTLS_PUT_UINT16_BE(session->ticket_len, p, 0);
3952 p += 2;
3953
3954 if (session->ticket != NULL && session->ticket_len > 0) {
3955 memcpy(p, session->ticket, session->ticket_len);
3956 p += session->ticket_len;
3957 }
3958 }
3959#endif /* MBEDTLS_SSL_CLI_C */
3960 return 0;
3961}
3962
3963MBEDTLS_CHECK_RETURN_CRITICAL
3964static int ssl_tls13_session_load(mbedtls_ssl_session *session,
3965 const unsigned char *buf,
3966 size_t len)
3967{
3968 const unsigned char *p = buf;
3969 const unsigned char *end = buf + len;
3970
3971 if (end - p < 6) {
3972 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3973 }
3974 session->ticket_age_add = MBEDTLS_GET_UINT32_BE(p, 0);
3975 session->ticket_flags = p[4];
3976
3977 /* load resumption_key */
3978 session->resumption_key_len = p[5];
3979 p += 6;
3980
3981 if (end - p < session->resumption_key_len) {
3982 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3983 }
3984
3985 if (sizeof(session->resumption_key) < session->resumption_key_len) {
3986 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3987 }
3988 memcpy(session->resumption_key, p, session->resumption_key_len);
3989 p += session->resumption_key_len;
3990
3991#if defined(MBEDTLS_SSL_EARLY_DATA)
3992 if (end - p < 4) {
3993 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
3994 }
3995 session->max_early_data_size = MBEDTLS_GET_UINT32_BE(p, 0);
3996 p += 4;
3997#endif
3998#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
3999 if (end - p < 2) {
4000 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4001 }
4002 session->record_size_limit = MBEDTLS_GET_UINT16_BE(p, 0);
4003 p += 2;
4004#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
4005
4006#if defined(MBEDTLS_SSL_SRV_C)
4007 if (session->endpoint == MBEDTLS_SSL_IS_SERVER) {
4008#if defined(MBEDTLS_HAVE_TIME)
4009 if (end - p < 8) {
4010 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4011 }
4012 session->ticket_creation_time = MBEDTLS_GET_UINT64_BE(p, 0);
4013 p += 8;
4014#endif /* MBEDTLS_HAVE_TIME */
4015
4016#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
4017 size_t alpn_len;
4018
4019 if (end - p < 2) {
4020 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4021 }
4022
4023 alpn_len = MBEDTLS_GET_UINT16_BE(p, 0);
4024 p += 2;
4025
4026 if (end - p < (long int) alpn_len) {
4027 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4028 }
4029
4030 if (alpn_len > 0) {
4031 int ret = mbedtls_ssl_session_set_ticket_alpn(session, (char *) p);
4032 if (ret != 0) {
4033 return ret;
4034 }
4035 p += alpn_len;
4036 }
4037#endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
4038 }
4039#endif /* MBEDTLS_SSL_SRV_C */
4040
4041#if defined(MBEDTLS_SSL_CLI_C)
4042 if (session->endpoint == MBEDTLS_SSL_IS_CLIENT) {
4043#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4044 size_t hostname_len;
4045 /* load host name */
4046 if (end - p < 2) {
4047 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4048 }
4049 hostname_len = MBEDTLS_GET_UINT16_BE(p, 0);
4050 p += 2;
4051
4052 if (end - p < (long int) hostname_len) {
4053 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4054 }
4055 if (hostname_len > 0) {
4056 session->hostname = mbedtls_calloc(1, hostname_len);
4057 if (session->hostname == NULL) {
4058 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
4059 }
4060 memcpy(session->hostname, p, hostname_len);
4061 p += hostname_len;
4062 }
4063#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4064
4065#if defined(MBEDTLS_HAVE_TIME)
4066 if (end - p < 8) {
4067 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4068 }
4069 session->ticket_reception_time = MBEDTLS_GET_UINT64_BE(p, 0);
4070 p += 8;
4071#endif
4072 if (end - p < 4) {
4073 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4074 }
4075 session->ticket_lifetime = MBEDTLS_GET_UINT32_BE(p, 0);
4076 p += 4;
4077
4078 if (end - p < 2) {
4079 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4080 }
4081 session->ticket_len = MBEDTLS_GET_UINT16_BE(p, 0);
4082 p += 2;
4083
4084 if (end - p < (long int) session->ticket_len) {
4085 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4086 }
4087 if (session->ticket_len > 0) {
4088 session->ticket = mbedtls_calloc(1, session->ticket_len);
4089 if (session->ticket == NULL) {
4090 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
4091 }
4092 memcpy(session->ticket, p, session->ticket_len);
4093 p += session->ticket_len;
4094 }
4095 }
4096#endif /* MBEDTLS_SSL_CLI_C */
4097
4098 return 0;
4099
4100}
4101#else /* MBEDTLS_SSL_SESSION_TICKETS */
4102MBEDTLS_CHECK_RETURN_CRITICAL
4103static int ssl_tls13_session_save(const mbedtls_ssl_session *session,
4104 unsigned char *buf,
4105 size_t buf_len,
4106 size_t *olen)
4107{
4108 ((void) session);
4109 ((void) buf);
4110 ((void) buf_len);
4111 *olen = 0;
4112 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4113}
4114
4115static int ssl_tls13_session_load(const mbedtls_ssl_session *session,
4116 const unsigned char *buf,
4117 size_t buf_len)
4118{
4119 ((void) session);
4120 ((void) buf);
4121 ((void) buf_len);
4122 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4123}
4124#endif /* !MBEDTLS_SSL_SESSION_TICKETS */
4125#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4126
4127/*
4128 * Define ticket header determining Mbed TLS version
4129 * and structure of the ticket.
4130 */
4131
4132/*
4133 * Define bitflag determining compile-time settings influencing
4134 * structure of serialized SSL sessions.
4135 */
4136
4137#if defined(MBEDTLS_HAVE_TIME)
4138#define SSL_SERIALIZED_SESSION_CONFIG_TIME 1
4139#else
4140#define SSL_SERIALIZED_SESSION_CONFIG_TIME 0
4141#endif /* MBEDTLS_HAVE_TIME */
4142
4143#if defined(MBEDTLS_X509_CRT_PARSE_C)
4144#define SSL_SERIALIZED_SESSION_CONFIG_CRT 1
4145#else
4146#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
4147#endif /* MBEDTLS_X509_CRT_PARSE_C */
4148
4149#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4150#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
4151#else
4152#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
4153#endif /* MBEDTLS_SSL_SESSION_TICKETS */
4154
4155#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
4156#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
4157#else
4158#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 0
4159#endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_SESSION_TICKETS */
4160
4161#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4162#define SSL_SERIALIZED_SESSION_CONFIG_MFL 1
4163#else
4164#define SSL_SERIALIZED_SESSION_CONFIG_MFL 0
4165#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
4166
4167#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4168#define SSL_SERIALIZED_SESSION_CONFIG_ETM 1
4169#else
4170#define SSL_SERIALIZED_SESSION_CONFIG_ETM 0
4171#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
4172
4173#if defined(MBEDTLS_SSL_SESSION_TICKETS)
4174#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 1
4175#else
4176#define SSL_SERIALIZED_SESSION_CONFIG_TICKET 0
4177#endif /* MBEDTLS_SSL_SESSION_TICKETS */
4178
4179#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4180#define SSL_SERIALIZED_SESSION_CONFIG_SNI 1
4181#else
4182#define SSL_SERIALIZED_SESSION_CONFIG_SNI 0
4183#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
4184
4185#if defined(MBEDTLS_SSL_EARLY_DATA)
4186#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 1
4187#else
4188#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA 0
4189#endif /* MBEDTLS_SSL_EARLY_DATA */
4190
4191#if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4192#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 1
4193#else
4194#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE 0
4195#endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
4196
4197#if defined(MBEDTLS_SSL_ALPN) && defined(MBEDTLS_SSL_SRV_C) && \
4198 defined(MBEDTLS_SSL_EARLY_DATA)
4199#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 1
4200#else
4201#define SSL_SERIALIZED_SESSION_CONFIG_ALPN 0
4202#endif /* MBEDTLS_SSL_ALPN */
4203
4204#define SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT 0
4205#define SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT 1
4206#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT 2
4207#define SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT 3
4208#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 4
4209#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 5
4210#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 6
4211#define SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT 7
4212#define SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT 8
4213#define SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT 9
4214#define SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT 10
4215
4216#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
4217 ((uint16_t) ( \
4218 (SSL_SERIALIZED_SESSION_CONFIG_TIME << SSL_SERIALIZED_SESSION_CONFIG_TIME_BIT) | \
4219 (SSL_SERIALIZED_SESSION_CONFIG_CRT << SSL_SERIALIZED_SESSION_CONFIG_CRT_BIT) | \
4220 (SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET << \
4221 SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET_BIT) | \
4222 (SSL_SERIALIZED_SESSION_CONFIG_MFL << SSL_SERIALIZED_SESSION_CONFIG_MFL_BIT) | \
4223 (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
4224 (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
4225 (SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
4226 SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT) | \
4227 (SSL_SERIALIZED_SESSION_CONFIG_SNI << SSL_SERIALIZED_SESSION_CONFIG_SNI_BIT) | \
4228 (SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA << \
4229 SSL_SERIALIZED_SESSION_CONFIG_EARLY_DATA_BIT) | \
4230 (SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE << \
4231 SSL_SERIALIZED_SESSION_CONFIG_RECORD_SIZE_BIT) | \
4232 (SSL_SERIALIZED_SESSION_CONFIG_ALPN << \
4233 SSL_SERIALIZED_SESSION_CONFIG_ALPN_BIT)))
4234
4235static const unsigned char ssl_serialized_session_header[] = {
4236 MBEDTLS_VERSION_MAJOR,
4237 MBEDTLS_VERSION_MINOR,
4238 MBEDTLS_VERSION_PATCH,
4239 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4240 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
4241};
4242
4243/*
4244 * Serialize a session in the following format:
4245 * (in the presentation language of TLS, RFC 8446 section 3)
4246 *
4247 * TLS 1.2 session:
4248 *
4249 * struct {
4250 * #if defined(MBEDTLS_SSL_SESSION_TICKETS)
4251 * opaque ticket<0..2^24-1>; // length 0 means no ticket
4252 * uint32 ticket_lifetime;
4253 * #endif
4254 * } ClientOnlyData;
4255 *
4256 * struct {
4257 * #if defined(MBEDTLS_HAVE_TIME)
4258 * uint64 start_time;
4259 * #endif
4260 * uint8 session_id_len; // at most 32
4261 * opaque session_id[32];
4262 * opaque master[48]; // fixed length in the standard
4263 * uint32 verify_result;
4264 * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
4265 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
4266 * #else
4267 * uint8 peer_cert_digest_type;
4268 * opaque peer_cert_digest<0..2^8-1>
4269 * #endif
4270 * select (endpoint) {
4271 * case client: ClientOnlyData;
4272 * case server: uint64 ticket_creation_time;
4273 * };
4274 * #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
4275 * uint8 mfl_code; // up to 255 according to standard
4276 * #endif
4277 * #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4278 * uint8 encrypt_then_mac; // 0 or 1
4279 * #endif
4280 * } serialized_session_tls12;
4281 *
4282 *
4283 * TLS 1.3 Session:
4284 *
4285 * struct {
4286 * #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4287 * opaque hostname<0..2^16-1>;
4288 * #endif
4289 * #if defined(MBEDTLS_HAVE_TIME)
4290 * uint64 ticket_reception_time;
4291 * #endif
4292 * uint32 ticket_lifetime;
4293 * opaque ticket<1..2^16-1>;
4294 * } ClientOnlyData;
4295 *
4296 * struct {
4297 * uint32 ticket_age_add;
4298 * uint8 ticket_flags;
4299 * opaque resumption_key<0..255>;
4300 * #if defined(MBEDTLS_SSL_EARLY_DATA)
4301 * uint32 max_early_data_size;
4302 * #endif
4303 * #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
4304 * uint16 record_size_limit;
4305 * #endif
4306 * select ( endpoint ) {
4307 * case client: ClientOnlyData;
4308 * case server:
4309 * #if defined(MBEDTLS_HAVE_TIME)
4310 * uint64 ticket_creation_time;
4311 * #endif
4312 * #if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN)
4313 * opaque ticket_alpn<0..256>;
4314 * #endif
4315 * };
4316 * } serialized_session_tls13;
4317 *
4318 *
4319 * SSL session:
4320 *
4321 * struct {
4322 *
4323 * opaque mbedtls_version[3]; // library version: major, minor, patch
4324 * opaque session_format[2]; // library-version specific 16-bit field
4325 * // determining the format of the remaining
4326 * // serialized data.
4327 *
4328 * Note: When updating the format, remember to keep
4329 * these version+format bytes.
4330 *
4331 * // In this version, `session_format` determines
4332 * // the setting of those compile-time
4333 * // configuration options which influence
4334 * // the structure of mbedtls_ssl_session.
4335 *
4336 * uint8_t minor_ver; // Protocol minor version. Possible values:
4337 * // - TLS 1.2 (0x0303)
4338 * // - TLS 1.3 (0x0304)
4339 * uint8_t endpoint;
4340 * uint16_t ciphersuite;
4341 *
4342 * select (serialized_session.tls_version) {
4343 *
4344 * case MBEDTLS_SSL_VERSION_TLS1_2:
4345 * serialized_session_tls12 data;
4346 * case MBEDTLS_SSL_VERSION_TLS1_3:
4347 * serialized_session_tls13 data;
4348 *
4349 * };
4350 *
4351 * } serialized_session;
4352 *
4353 */
4354
4355MBEDTLS_CHECK_RETURN_CRITICAL
4356static int ssl_session_save(const mbedtls_ssl_session *session,
4357 unsigned char omit_header,
4358 unsigned char *buf,
4359 size_t buf_len,
4360 size_t *olen)
4361{
4362 unsigned char *p = buf;
4363 size_t used = 0;
4364 size_t remaining_len;
4365#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4366 size_t out_len;
4367 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4368#endif
4369 if (session == NULL) {
4370 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4371 }
4372
4373 if (!omit_header) {
4374 /*
4375 * Add Mbed TLS version identifier
4376 */
4377 used += sizeof(ssl_serialized_session_header);
4378
4379 if (used <= buf_len) {
4380 memcpy(p, ssl_serialized_session_header,
4381 sizeof(ssl_serialized_session_header));
4382 p += sizeof(ssl_serialized_session_header);
4383 }
4384 }
4385
4386 /*
4387 * TLS version identifier, endpoint, ciphersuite
4388 */
4389 used += 1 /* TLS version */
4390 + 1 /* endpoint */
4391 + 2; /* ciphersuite */
4392 if (used <= buf_len) {
4393 *p++ = MBEDTLS_BYTE_0(session->tls_version);
4394 *p++ = session->endpoint;
4395 MBEDTLS_PUT_UINT16_BE(session->ciphersuite, p, 0);
4396 p += 2;
4397 }
4398
4399 /* Forward to version-specific serialization routine. */
4400 remaining_len = (buf_len >= used) ? buf_len - used : 0;
4401 switch (session->tls_version) {
4402#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4403 case MBEDTLS_SSL_VERSION_TLS1_2:
4404 used += ssl_tls12_session_save(session, p, remaining_len);
4405 break;
4406#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4407
4408#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4409 case MBEDTLS_SSL_VERSION_TLS1_3:
4410 ret = ssl_tls13_session_save(session, p, remaining_len, &out_len);
4411 if (ret != 0 && ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
4412 return ret;
4413 }
4414 used += out_len;
4415 break;
4416#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4417
4418 default:
4419 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4420 }
4421
4422 *olen = used;
4423 if (used > buf_len) {
4424 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4425 }
4426
4427 return 0;
4428}
4429
4430/*
4431 * Public wrapper for ssl_session_save()
4432 */
4433int mbedtls_ssl_session_save(const mbedtls_ssl_session *session,
4434 unsigned char *buf,
4435 size_t buf_len,
4436 size_t *olen)
4437{
4438 return ssl_session_save(session, 0, buf, buf_len, olen);
4439}
4440
4441/*
4442 * Deserialize session, see mbedtls_ssl_session_save() for format.
4443 *
4444 * This internal version is wrapped by a public function that cleans up in
4445 * case of error, and has an extra option omit_header.
4446 */
4447MBEDTLS_CHECK_RETURN_CRITICAL
4448static int ssl_session_load(mbedtls_ssl_session *session,
4449 unsigned char omit_header,
4450 const unsigned char *buf,
4451 size_t len)
4452{
4453 const unsigned char *p = buf;
4454 const unsigned char * const end = buf + len;
4455 size_t remaining_len;
4456
4457
4458 if (session == NULL) {
4459 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
4460 }
4461
4462 if (!omit_header) {
4463 /*
4464 * Check Mbed TLS version identifier
4465 */
4466
4467 if ((size_t) (end - p) < sizeof(ssl_serialized_session_header)) {
4468 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4469 }
4470
4471 if (memcmp(p, ssl_serialized_session_header,
4472 sizeof(ssl_serialized_session_header)) != 0) {
4473 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
4474 }
4475 p += sizeof(ssl_serialized_session_header);
4476 }
4477
4478 /*
4479 * TLS version identifier, endpoint, ciphersuite
4480 */
4481 if (4 > (size_t) (end - p)) {
4482 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4483 }
4484 session->tls_version = (mbedtls_ssl_protocol_version) (0x0300 | *p++);
4485 session->endpoint = *p++;
4486 session->ciphersuite = MBEDTLS_GET_UINT16_BE(p, 0);
4487 p += 2;
4488
4489 /* Dispatch according to TLS version. */
4490 remaining_len = (size_t) (end - p);
4491 switch (session->tls_version) {
4492#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4493 case MBEDTLS_SSL_VERSION_TLS1_2:
4494 return ssl_tls12_session_load(session, p, remaining_len);
4495#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4496
4497#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4498 case MBEDTLS_SSL_VERSION_TLS1_3:
4499 return ssl_tls13_session_load(session, p, remaining_len);
4500#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4501
4502 default:
4503 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4504 }
4505}
4506
4507/*
4508 * Deserialize session: public wrapper for error cleaning
4509 */
4510int mbedtls_ssl_session_load(mbedtls_ssl_session *session,
4511 const unsigned char *buf,
4512 size_t len)
4513{
4514 int ret = ssl_session_load(session, 0, buf, len);
4515
4516 if (ret != 0) {
4517 mbedtls_ssl_session_free(session);
4518 }
4519
4520 return ret;
4521}
4522
4523/*
4524 * Perform a single step of the SSL handshake
4525 */
4526MBEDTLS_CHECK_RETURN_CRITICAL
4527static int ssl_prepare_handshake_step(mbedtls_ssl_context *ssl)
4528{
4529 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4530
4531 /*
4532 * We may have not been able to send to the peer all the handshake data
4533 * that were written into the output buffer by the previous handshake step,
4534 * if the write to the network callback returned with the
4535 * #MBEDTLS_ERR_SSL_WANT_WRITE error code.
4536 * We proceed to the next handshake step only when all data from the
4537 * previous one have been sent to the peer, thus we make sure that this is
4538 * the case here by calling `mbedtls_ssl_flush_output()`. The function may
4539 * return with the #MBEDTLS_ERR_SSL_WANT_WRITE error code in which case
4540 * we have to wait before to go ahead.
4541 * In the case of TLS 1.3, handshake step handlers do not send data to the
4542 * peer. Data are only sent here and through
4543 * `mbedtls_ssl_handle_pending_alert` in case an error that triggered an
4544 * alert occurred.
4545 */
4546 if ((ret = mbedtls_ssl_flush_output(ssl)) != 0) {
4547 return ret;
4548 }
4549
4550#if defined(MBEDTLS_SSL_PROTO_DTLS)
4551 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4552 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING) {
4553 if ((ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
4554 return ret;
4555 }
4556 }
4557#endif /* MBEDTLS_SSL_PROTO_DTLS */
4558
4559 return ret;
4560}
4561
4562int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
4563{
4564 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4565
4566 if (ssl == NULL) return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4567 if (ssl->conf == NULL ||
4568 ssl->handshake == NULL ||
4569 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER) {
4570 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4571 }
4572
4573 ret = ssl_prepare_handshake_step(ssl);
4574 if (ret != 0) {
4575 return ret;
4576 }
4577
4578 ret = mbedtls_ssl_handle_pending_alert(ssl);
4579 if (ret != 0) {
4580 goto cleanup;
4581 }
4582
4583 /* If ssl->conf->endpoint is not one of MBEDTLS_SSL_IS_CLIENT or
4584 * MBEDTLS_SSL_IS_SERVER, this is the return code we give */
4585 ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4586
4587#if defined(MBEDTLS_SSL_CLI_C)
4588 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
4589 MBEDTLS_SSL_DEBUG_MSG(2, ("client state: %s",
4590 mbedtls_ssl_states_str((mbedtls_ssl_states) ssl->state)));
4591
4592 switch (ssl->state) {
4593 case MBEDTLS_SSL_HELLO_REQUEST:
4594 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
4595 ret = 0;
4596 break;
4597
4598 case MBEDTLS_SSL_CLIENT_HELLO:
4599 ret = mbedtls_ssl_write_client_hello(ssl);
4600 break;
4601
4602 default:
4603#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4604 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4605 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4606 } else {
4607 ret = mbedtls_ssl_handshake_client_step(ssl);
4608 }
4609#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4610 ret = mbedtls_ssl_handshake_client_step(ssl);
4611#else
4612 ret = mbedtls_ssl_tls13_handshake_client_step(ssl);
4613#endif
4614 }
4615 }
4616#endif /* MBEDTLS_SSL_CLI_C */
4617
4618#if defined(MBEDTLS_SSL_SRV_C)
4619 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4620#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
4621 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
4622 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
4623 } else {
4624 ret = mbedtls_ssl_handshake_server_step(ssl);
4625 }
4626#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
4627 ret = mbedtls_ssl_handshake_server_step(ssl);
4628#else
4629 ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
4630#endif
4631 }
4632#endif /* MBEDTLS_SSL_SRV_C */
4633
4634 if (ret != 0) {
4635 /* handshake_step return error. And it is same
4636 * with alert_reason.
4637 */
4638 if (ssl->send_alert) {
4639 ret = mbedtls_ssl_handle_pending_alert(ssl);
4640 goto cleanup;
4641 }
4642 }
4643
4644cleanup:
4645 return ret;
4646}
4647
4648/*
4649 * Perform the SSL handshake
4650 */
4651int mbedtls_ssl_handshake(mbedtls_ssl_context *ssl)
4652{
4653 int ret = 0;
4654
4655 /* Sanity checks */
4656 if (ssl == NULL) return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4657 if (ssl->conf == NULL) return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4658
4659#if defined(MBEDTLS_SSL_PROTO_DTLS)
4660 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4661 (ssl->f_set_timer == NULL || ssl->f_get_timer == NULL)) {
4662 MBEDTLS_SSL_DEBUG_MSG(1, ("You must use "
4663 "mbedtls_ssl_set_timer_cb() for DTLS"));
4664 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4665 }
4666#endif /* MBEDTLS_SSL_PROTO_DTLS */
4667
4668 MBEDTLS_SSL_DEBUG_MSG(2, ("=> handshake"));
4669
4670 /* Main handshake loop */
4671 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
4672 ret = mbedtls_ssl_handshake_step(ssl);
4673
4674 if (ret != 0) {
4675 break;
4676 }
4677 }
4678
4679 MBEDTLS_SSL_DEBUG_MSG(2, ("<= handshake"));
4680
4681 return ret;
4682}
4683
4684#if defined(MBEDTLS_SSL_RENEGOTIATION)
4685#if defined(MBEDTLS_SSL_SRV_C)
4686/*
4687 * Write HelloRequest to request renegotiation on server
4688 */
4689MBEDTLS_CHECK_RETURN_CRITICAL
4690static int ssl_write_hello_request(mbedtls_ssl_context *ssl)
4691{
4692 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4693
4694 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write hello request"));
4695
4696 ssl->out_msglen = 4;
4697 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4698 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
4699
4700 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
4701 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
4702 return ret;
4703 }
4704
4705 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write hello request"));
4706
4707 return 0;
4708}
4709#endif /* MBEDTLS_SSL_SRV_C */
4710
4711/*
4712 * Actually renegotiate current connection, triggered by either:
4713 * - any side: calling mbedtls_ssl_renegotiate(),
4714 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
4715 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
4716 * the initial handshake is completed.
4717 * If the handshake doesn't complete due to waiting for I/O, it will continue
4718 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
4719 */
4720int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl)
4721{
4722 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4723
4724 MBEDTLS_SSL_DEBUG_MSG(2, ("=> renegotiate"));
4725
4726 if ((ret = ssl_handshake_init(ssl)) != 0) {
4727 return ret;
4728 }
4729
4730 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
4731 * the ServerHello will have message_seq = 1" */
4732#if defined(MBEDTLS_SSL_PROTO_DTLS)
4733 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4734 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING) {
4735 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4736 ssl->handshake->out_msg_seq = 1;
4737 } else {
4738 ssl->handshake->in_msg_seq = 1;
4739 }
4740 }
4741#endif
4742
4743 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HELLO_REQUEST);
4744 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
4745
4746 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4747 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4748 return ret;
4749 }
4750
4751 MBEDTLS_SSL_DEBUG_MSG(2, ("<= renegotiate"));
4752
4753 return 0;
4754}
4755
4756/*
4757 * Renegotiate current connection on client,
4758 * or request renegotiation on server
4759 */
4760int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
4761{
4762 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
4763
4764 if (ssl == NULL || ssl->conf == NULL) {
4765 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4766 }
4767
4768#if defined(MBEDTLS_SSL_SRV_C)
4769 /* On server, just send the request */
4770 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
4771 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4772 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4773 }
4774
4775 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
4776
4777 /* Did we already try/start sending HelloRequest? */
4778 if (ssl->out_left != 0) {
4779 return mbedtls_ssl_flush_output(ssl);
4780 }
4781
4782 return ssl_write_hello_request(ssl);
4783 }
4784#endif /* MBEDTLS_SSL_SRV_C */
4785
4786#if defined(MBEDTLS_SSL_CLI_C)
4787 /*
4788 * On client, either start the renegotiation process or,
4789 * if already in progress, continue the handshake
4790 */
4791 if (ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
4792 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
4793 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
4794 }
4795
4796 if ((ret = mbedtls_ssl_start_renegotiation(ssl)) != 0) {
4797 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_start_renegotiation", ret);
4798 return ret;
4799 }
4800 } else {
4801 if ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
4802 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
4803 return ret;
4804 }
4805 }
4806#endif /* MBEDTLS_SSL_CLI_C */
4807
4808 return ret;
4809}
4810#endif /* MBEDTLS_SSL_RENEGOTIATION */
4811
4812void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
4813{
4814 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
4815
4816 if (handshake == NULL) {
4817 return;
4818 }
4819
4820#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
4821#if !defined(MBEDTLS_DEPRECATED_REMOVED)
4822 if (ssl->handshake->group_list_heap_allocated) {
4823 mbedtls_free((void *) handshake->group_list);
4824 }
4825 handshake->group_list = NULL;
4826#endif /* MBEDTLS_DEPRECATED_REMOVED */
4827#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
4828
4829#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
4830#if !defined(MBEDTLS_DEPRECATED_REMOVED)
4831 if (ssl->handshake->sig_algs_heap_allocated) {
4832 mbedtls_free((void *) handshake->sig_algs);
4833 }
4834 handshake->sig_algs = NULL;
4835#endif /* MBEDTLS_DEPRECATED_REMOVED */
4836#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4837 if (ssl->handshake->certificate_request_context) {
4838 mbedtls_free((void *) handshake->certificate_request_context);
4839 }
4840#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4841#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
4842
4843#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4844 if (ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0) {
4845 ssl->conf->f_async_cancel(ssl);
4846 handshake->async_in_progress = 0;
4847 }
4848#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
4849
4850#if defined(MBEDTLS_MD_CAN_SHA256)
4851#if defined(MBEDTLS_USE_PSA_CRYPTO)
4852 psa_hash_abort(&handshake->fin_sha256_psa);
4853#else
4854 mbedtls_md_free(&handshake->fin_sha256);
4855#endif
4856#endif
4857#if defined(MBEDTLS_MD_CAN_SHA384)
4858#if defined(MBEDTLS_USE_PSA_CRYPTO)
4859 psa_hash_abort(&handshake->fin_sha384_psa);
4860#else
4861 mbedtls_md_free(&handshake->fin_sha384);
4862#endif
4863#endif
4864
4865#if defined(MBEDTLS_DHM_C)
4866 mbedtls_dhm_free(&handshake->dhm_ctx);
4867#endif
4868#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
4869 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
4870 mbedtls_ecdh_free(&handshake->ecdh_ctx);
4871#endif
4872
4873#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4874#if defined(MBEDTLS_USE_PSA_CRYPTO)
4875 psa_pake_abort(&handshake->psa_pake_ctx);
4876 /*
4877 * Opaque keys are not stored in the handshake's data and it's the user
4878 * responsibility to destroy them. Clear ones, instead, are created by
4879 * the TLS library and should be destroyed at the same level
4880 */
4881 if (!mbedtls_svc_key_id_is_null(handshake->psa_pake_password)) {
4882 psa_destroy_key(handshake->psa_pake_password);
4883 }
4884 handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT;
4885#else
4886 mbedtls_ecjpake_free(&handshake->ecjpake_ctx);
4887#endif /* MBEDTLS_USE_PSA_CRYPTO */
4888#if defined(MBEDTLS_SSL_CLI_C)
4889 mbedtls_free(handshake->ecjpake_cache);
4890 handshake->ecjpake_cache = NULL;
4891 handshake->ecjpake_cache_len = 0;
4892#endif
4893#endif
4894
4895#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
4896 defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
4897 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
4898 /* explicit void pointer cast for buggy MS compiler */
4899 mbedtls_free((void *) handshake->curves_tls_id);
4900#endif
4901
4902#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
4903#if defined(MBEDTLS_USE_PSA_CRYPTO)
4904 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
4905 /* The maintenance of the external PSK key slot is the
4906 * user's responsibility. */
4907 if (ssl->handshake->psk_opaque_is_internal) {
4908 psa_destroy_key(ssl->handshake->psk_opaque);
4909 ssl->handshake->psk_opaque_is_internal = 0;
4910 }
4911 ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
4912 }
4913#else
4914 if (handshake->psk != NULL) {
4915 mbedtls_zeroize_and_free(handshake->psk, handshake->psk_len);
4916 }
4917#endif /* MBEDTLS_USE_PSA_CRYPTO */
4918#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
4919
4920#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4921 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4922 /*
4923 * Free only the linked list wrapper, not the keys themselves
4924 * since the belong to the SNI callback
4925 */
4926 ssl_key_cert_free(handshake->sni_key_cert);
4927#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
4928
4929#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
4930 mbedtls_x509_crt_restart_free(&handshake->ecrs_ctx);
4931 if (handshake->ecrs_peer_cert != NULL) {
4932 mbedtls_x509_crt_free(handshake->ecrs_peer_cert);
4933 mbedtls_free(handshake->ecrs_peer_cert);
4934 }
4935#endif
4936
4937#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
4938 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
4939 mbedtls_pk_free(&handshake->peer_pubkey);
4940#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
4941
4942#if defined(MBEDTLS_SSL_CLI_C) && \
4943 (defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3))
4944 mbedtls_free(handshake->cookie);
4945#endif /* MBEDTLS_SSL_CLI_C &&
4946 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
4947
4948#if defined(MBEDTLS_SSL_PROTO_DTLS)
4949 mbedtls_ssl_flight_free(handshake->flight);
4950 mbedtls_ssl_buffering_free(ssl);
4951#endif /* MBEDTLS_SSL_PROTO_DTLS */
4952
4953#if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
4954 if (handshake->xxdh_psa_privkey_is_external == 0) {
4955 psa_destroy_key(handshake->xxdh_psa_privkey);
4956 }
4957#endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
4958
4959#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
4960 mbedtls_ssl_transform_free(handshake->transform_handshake);
4961 mbedtls_free(handshake->transform_handshake);
4962#if defined(MBEDTLS_SSL_EARLY_DATA)
4963 mbedtls_ssl_transform_free(handshake->transform_earlydata);
4964 mbedtls_free(handshake->transform_earlydata);
4965#endif
4966#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
4967
4968
4969#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4970 /* If the buffers are too big - reallocate. Because of the way Mbed TLS
4971 * processes datagrams and the fact that a datagram is allowed to have
4972 * several records in it, it is possible that the I/O buffers are not
4973 * empty at this stage */
4974 handle_buffer_resizing(ssl, 1, mbedtls_ssl_get_input_buflen(ssl),
4975 mbedtls_ssl_get_output_buflen(ssl));
4976#endif
4977
4978 /* mbedtls_platform_zeroize MUST be last one in this function */
4979 mbedtls_platform_zeroize(handshake,
4980 sizeof(mbedtls_ssl_handshake_params));
4981}
4982
4983void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
4984{
4985 if (session == NULL) {
4986 return;
4987 }
4988
4989#if defined(MBEDTLS_X509_CRT_PARSE_C)
4990 ssl_clear_peer_cert(session);
4991#endif
4992
4993#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
4994#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
4995 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4996 mbedtls_free(session->hostname);
4997#endif
4998 mbedtls_free(session->ticket);
4999#endif
5000
5001#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_ALPN) && \
5002 defined(MBEDTLS_SSL_SRV_C)
5003 mbedtls_free(session->ticket_alpn);
5004#endif
5005
5006 mbedtls_platform_zeroize(session, sizeof(mbedtls_ssl_session));
5007
5008 /* Set verify_result to -1u to indicate 'result not available'. */
5009 session->verify_result = 0xFFFFFFFF;
5010}
5011
5012#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
5013
5014#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5015#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 1u
5016#else
5017#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID 0u
5018#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5019
5020#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT 1u
5021
5022#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5023#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 1u
5024#else
5025#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY 0u
5026#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5027
5028#if defined(MBEDTLS_SSL_ALPN)
5029#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 1u
5030#else
5031#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN 0u
5032#endif /* MBEDTLS_SSL_ALPN */
5033
5034#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT 0
5035#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT 1
5036#define SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT 2
5037#define SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT 3
5038
5039#define SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG \
5040 ((uint32_t) ( \
5041 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID << \
5042 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_CONNECTION_ID_BIT) | \
5043 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT << \
5044 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_BADMAC_LIMIT_BIT) | \
5045 (SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY << \
5046 SSL_SERIALIZED_CONTEXT_CONFIG_DTLS_ANTI_REPLAY_BIT) | \
5047 (SSL_SERIALIZED_CONTEXT_CONFIG_ALPN << SSL_SERIALIZED_CONTEXT_CONFIG_ALPN_BIT) | \
5048 0u))
5049
5050static const unsigned char ssl_serialized_context_header[] = {
5051 MBEDTLS_VERSION_MAJOR,
5052 MBEDTLS_VERSION_MINOR,
5053 MBEDTLS_VERSION_PATCH,
5054 MBEDTLS_BYTE_1(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
5055 MBEDTLS_BYTE_0(SSL_SERIALIZED_SESSION_CONFIG_BITFLAG),
5056 MBEDTLS_BYTE_2(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
5057 MBEDTLS_BYTE_1(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
5058 MBEDTLS_BYTE_0(SSL_SERIALIZED_CONTEXT_CONFIG_BITFLAG),
5059};
5060
5061/*
5062 * Serialize a full SSL context
5063 *
5064 * The format of the serialized data is:
5065 * (in the presentation language of TLS, RFC 8446 section 3)
5066 *
5067 * // header
5068 * opaque mbedtls_version[3]; // major, minor, patch
5069 * opaque context_format[5]; // version-specific field determining
5070 * // the format of the remaining
5071 * // serialized data.
5072 * Note: When updating the format, remember to keep these
5073 * version+format bytes. (We may make their size part of the API.)
5074 *
5075 * // session sub-structure
5076 * opaque session<1..2^32-1>; // see mbedtls_ssl_session_save()
5077 * // transform sub-structure
5078 * uint8 random[64]; // ServerHello.random+ClientHello.random
5079 * uint8 in_cid<0..2^8-1> // Connection ID: expected incoming value
5080 * uint8 out_cid<0..2^8-1> // Connection ID: outgoing value to use
5081 * // fields from ssl_context
5082 * uint32 badmac_seen_or_in_hsfraglen; // DTLS: number of records with failing MAC
5083 * uint64 in_window_top; // DTLS: last validated record seq_num
5084 * uint64 in_window; // DTLS: bitmask for replay protection
5085 * uint8 disable_datagram_packing; // DTLS: only one record per datagram
5086 * uint64 cur_out_ctr; // Record layer: outgoing sequence number
5087 * uint16 mtu; // DTLS: path mtu (max outgoing fragment size)
5088 * uint8 alpn_chosen<0..2^8-1> // ALPN: negotiated application protocol
5089 *
5090 * Note that many fields of the ssl_context or sub-structures are not
5091 * serialized, as they fall in one of the following categories:
5092 *
5093 * 1. forced value (eg in_left must be 0)
5094 * 2. pointer to dynamically-allocated memory (eg session, transform)
5095 * 3. value can be re-derived from other data (eg session keys from MS)
5096 * 4. value was temporary (eg content of input buffer)
5097 * 5. value will be provided by the user again (eg I/O callbacks and context)
5098 */
5099int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl,
5100 unsigned char *buf,
5101 size_t buf_len,
5102 size_t *olen)
5103{
5104 unsigned char *p = buf;
5105 size_t used = 0;
5106 size_t session_len;
5107 int ret = 0;
5108
5109 /*
5110 * Enforce usage restrictions, see "return BAD_INPUT_DATA" in
5111 * this function's documentation.
5112 *
5113 * These are due to assumptions/limitations in the implementation. Some of
5114 * them are likely to stay (no handshake in progress) some might go away
5115 * (only DTLS) but are currently used to simplify the implementation.
5116 */
5117 /* The initial handshake must be over */
5118 if (mbedtls_ssl_is_handshake_over(ssl) == 0) {
5119 MBEDTLS_SSL_DEBUG_MSG(1, ("Initial handshake isn't over"));
5120 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5121 }
5122 if (ssl->handshake != NULL) {
5123 MBEDTLS_SSL_DEBUG_MSG(1, ("Handshake isn't completed"));
5124 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5125 }
5126 /* Double-check that sub-structures are indeed ready */
5127 if (ssl->transform == NULL || ssl->session == NULL) {
5128 MBEDTLS_SSL_DEBUG_MSG(1, ("Serialised structures aren't ready"));
5129 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5130 }
5131 /* There must be no pending incoming or outgoing data */
5132 if (mbedtls_ssl_check_pending(ssl) != 0) {
5133 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending incoming data"));
5134 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5135 }
5136 if (ssl->out_left != 0) {
5137 MBEDTLS_SSL_DEBUG_MSG(1, ("There is pending outgoing data"));
5138 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5139 }
5140 /* Protocol must be DTLS, not TLS */
5141 if (ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
5142 MBEDTLS_SSL_DEBUG_MSG(1, ("Only DTLS is supported"));
5143 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5144 }
5145 /* Version must be 1.2 */
5146 if (ssl->tls_version != MBEDTLS_SSL_VERSION_TLS1_2) {
5147 MBEDTLS_SSL_DEBUG_MSG(1, ("Only version 1.2 supported"));
5148 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5149 }
5150 /* We must be using an AEAD ciphersuite */
5151 if (mbedtls_ssl_transform_uses_aead(ssl->transform) != 1) {
5152 MBEDTLS_SSL_DEBUG_MSG(1, ("Only AEAD ciphersuites supported"));
5153 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5154 }
5155 /* Renegotiation must not be enabled */
5156#if defined(MBEDTLS_SSL_RENEGOTIATION)
5157 if (ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED) {
5158 MBEDTLS_SSL_DEBUG_MSG(1, ("Renegotiation must not be enabled"));
5159 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5160 }
5161#endif
5162
5163 /*
5164 * Version and format identifier
5165 */
5166 used += sizeof(ssl_serialized_context_header);
5167
5168 if (used <= buf_len) {
5169 memcpy(p, ssl_serialized_context_header,
5170 sizeof(ssl_serialized_context_header));
5171 p += sizeof(ssl_serialized_context_header);
5172 }
5173
5174 /*
5175 * Session (length + data)
5176 */
5177 ret = ssl_session_save(ssl->session, 1, NULL, 0, &session_len);
5178 if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
5179 return ret;
5180 }
5181
5182 used += 4 + session_len;
5183 if (used <= buf_len) {
5184 MBEDTLS_PUT_UINT32_BE(session_len, p, 0);
5185 p += 4;
5186
5187 ret = ssl_session_save(ssl->session, 1,
5188 p, session_len, &session_len);
5189 if (ret != 0) {
5190 return ret;
5191 }
5192
5193 p += session_len;
5194 }
5195
5196 /*
5197 * Transform
5198 */
5199 used += sizeof(ssl->transform->randbytes);
5200 if (used <= buf_len) {
5201 memcpy(p, ssl->transform->randbytes,
5202 sizeof(ssl->transform->randbytes));
5203 p += sizeof(ssl->transform->randbytes);
5204 }
5205
5206#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5207 used += 2U + ssl->transform->in_cid_len + ssl->transform->out_cid_len;
5208 if (used <= buf_len) {
5209 *p++ = ssl->transform->in_cid_len;
5210 memcpy(p, ssl->transform->in_cid, ssl->transform->in_cid_len);
5211 p += ssl->transform->in_cid_len;
5212
5213 *p++ = ssl->transform->out_cid_len;
5214 memcpy(p, ssl->transform->out_cid, ssl->transform->out_cid_len);
5215 p += ssl->transform->out_cid_len;
5216 }
5217#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5218
5219 /*
5220 * Saved fields from top-level ssl_context structure
5221 */
5222 used += 4;
5223 if (used <= buf_len) {
5224 MBEDTLS_PUT_UINT32_BE(ssl->badmac_seen_or_in_hsfraglen, p, 0);
5225 p += 4;
5226 }
5227
5228#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5229 used += 16;
5230 if (used <= buf_len) {
5231 MBEDTLS_PUT_UINT64_BE(ssl->in_window_top, p, 0);
5232 p += 8;
5233
5234 MBEDTLS_PUT_UINT64_BE(ssl->in_window, p, 0);
5235 p += 8;
5236 }
5237#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5238
5239#if defined(MBEDTLS_SSL_PROTO_DTLS)
5240 used += 1;
5241 if (used <= buf_len) {
5242 *p++ = ssl->disable_datagram_packing;
5243 }
5244#endif /* MBEDTLS_SSL_PROTO_DTLS */
5245
5246 used += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5247 if (used <= buf_len) {
5248 memcpy(p, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN);
5249 p += MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
5250 }
5251
5252#if defined(MBEDTLS_SSL_PROTO_DTLS)
5253 used += 2;
5254 if (used <= buf_len) {
5255 MBEDTLS_PUT_UINT16_BE(ssl->mtu, p, 0);
5256 p += 2;
5257 }
5258#endif /* MBEDTLS_SSL_PROTO_DTLS */
5259
5260#if defined(MBEDTLS_SSL_ALPN)
5261 {
5262 const uint8_t alpn_len = ssl->alpn_chosen
5263 ? (uint8_t) strlen(ssl->alpn_chosen)
5264 : 0;
5265
5266 used += 1 + alpn_len;
5267 if (used <= buf_len) {
5268 *p++ = alpn_len;
5269
5270 if (ssl->alpn_chosen != NULL) {
5271 memcpy(p, ssl->alpn_chosen, alpn_len);
5272 p += alpn_len;
5273 }
5274 }
5275 }
5276#endif /* MBEDTLS_SSL_ALPN */
5277
5278 /*
5279 * Done
5280 */
5281 *olen = used;
5282
5283 if (used > buf_len) {
5284 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
5285 }
5286
5287 MBEDTLS_SSL_DEBUG_BUF(4, "saved context", buf, used);
5288
5289 return mbedtls_ssl_session_reset_int(ssl, 0);
5290}
5291
5292/*
5293 * Deserialize context, see mbedtls_ssl_context_save() for format.
5294 *
5295 * This internal version is wrapped by a public function that cleans up in
5296 * case of error.
5297 */
5298MBEDTLS_CHECK_RETURN_CRITICAL
5299static int ssl_context_load(mbedtls_ssl_context *ssl,
5300 const unsigned char *buf,
5301 size_t len)
5302{
5303 const unsigned char *p = buf;
5304 const unsigned char * const end = buf + len;
5305 size_t session_len;
5306 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5307#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5308 tls_prf_fn prf_func = NULL;
5309#endif
5310
5311 /*
5312 * The context should have been freshly setup or reset.
5313 * Give the user an error in case of obvious misuse.
5314 * (Checking session is useful because it won't be NULL if we're
5315 * renegotiating, or if the user mistakenly loaded a session first.)
5316 */
5317 if (ssl->state != MBEDTLS_SSL_HELLO_REQUEST ||
5318 ssl->session != NULL) {
5319 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5320 }
5321
5322 /*
5323 * We can't check that the config matches the initial one, but we can at
5324 * least check it matches the requirements for serializing.
5325 */
5326 if (
5327#if defined(MBEDTLS_SSL_RENEGOTIATION)
5328 ssl->conf->disable_renegotiation != MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5329#endif
5330 ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
5331 ssl->conf->max_tls_version < MBEDTLS_SSL_VERSION_TLS1_2 ||
5332 ssl->conf->min_tls_version > MBEDTLS_SSL_VERSION_TLS1_2
5333 ) {
5334 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5335 }
5336
5337 MBEDTLS_SSL_DEBUG_BUF(4, "context to load", buf, len);
5338
5339 /*
5340 * Check version identifier
5341 */
5342 if ((size_t) (end - p) < sizeof(ssl_serialized_context_header)) {
5343 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5344 }
5345
5346 if (memcmp(p, ssl_serialized_context_header,
5347 sizeof(ssl_serialized_context_header)) != 0) {
5348 return MBEDTLS_ERR_SSL_VERSION_MISMATCH;
5349 }
5350 p += sizeof(ssl_serialized_context_header);
5351
5352 /*
5353 * Session
5354 */
5355 if ((size_t) (end - p) < 4) {
5356 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5357 }
5358
5359 session_len = MBEDTLS_GET_UINT32_BE(p, 0);
5360 p += 4;
5361
5362 /* This has been allocated by ssl_handshake_init(), called by
5363 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5364 ssl->session = ssl->session_negotiate;
5365 ssl->session_in = ssl->session;
5366 ssl->session_out = ssl->session;
5367 ssl->session_negotiate = NULL;
5368
5369 if ((size_t) (end - p) < session_len) {
5370 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5371 }
5372
5373 ret = ssl_session_load(ssl->session, 1, p, session_len);
5374 if (ret != 0) {
5375 mbedtls_ssl_session_free(ssl->session);
5376 return ret;
5377 }
5378
5379 p += session_len;
5380
5381 /*
5382 * Transform
5383 */
5384
5385 /* This has been allocated by ssl_handshake_init(), called by
5386 * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
5387#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5388 ssl->transform = ssl->transform_negotiate;
5389 ssl->transform_in = ssl->transform;
5390 ssl->transform_out = ssl->transform;
5391 ssl->transform_negotiate = NULL;
5392#endif
5393
5394#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5395 prf_func = ssl_tls12prf_from_cs(ssl->session->ciphersuite);
5396 if (prf_func == NULL) {
5397 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5398 }
5399
5400 /* Read random bytes and populate structure */
5401 if ((size_t) (end - p) < sizeof(ssl->transform->randbytes)) {
5402 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5403 }
5404
5405 ret = ssl_tls12_populate_transform(ssl->transform,
5406 ssl->session->ciphersuite,
5407 ssl->session->master,
5408#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
5409 ssl->session->encrypt_then_mac,
5410#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
5411 prf_func,
5412 p, /* currently pointing to randbytes */
5413 MBEDTLS_SSL_VERSION_TLS1_2, /* (D)TLS 1.2 is forced */
5414 ssl->conf->endpoint,
5415 ssl);
5416 if (ret != 0) {
5417 return ret;
5418 }
5419#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5420 p += sizeof(ssl->transform->randbytes);
5421
5422#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5423 /* Read connection IDs and store them */
5424 if ((size_t) (end - p) < 1) {
5425 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5426 }
5427
5428 ssl->transform->in_cid_len = *p++;
5429
5430 if ((size_t) (end - p) < ssl->transform->in_cid_len + 1u) {
5431 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5432 }
5433
5434 memcpy(ssl->transform->in_cid, p, ssl->transform->in_cid_len);
5435 p += ssl->transform->in_cid_len;
5436
5437 ssl->transform->out_cid_len = *p++;
5438
5439 if ((size_t) (end - p) < ssl->transform->out_cid_len) {
5440 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5441 }
5442
5443 memcpy(ssl->transform->out_cid, p, ssl->transform->out_cid_len);
5444 p += ssl->transform->out_cid_len;
5445#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5446
5447 /*
5448 * Saved fields from top-level ssl_context structure
5449 */
5450 if ((size_t) (end - p) < 4) {
5451 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5452 }
5453
5454 ssl->badmac_seen_or_in_hsfraglen = MBEDTLS_GET_UINT32_BE(p, 0);
5455 p += 4;
5456
5457#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5458 if ((size_t) (end - p) < 16) {
5459 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5460 }
5461
5462 ssl->in_window_top = MBEDTLS_GET_UINT64_BE(p, 0);
5463 p += 8;
5464
5465 ssl->in_window = MBEDTLS_GET_UINT64_BE(p, 0);
5466 p += 8;
5467#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
5468
5469#if defined(MBEDTLS_SSL_PROTO_DTLS)
5470 if ((size_t) (end - p) < 1) {
5471 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5472 }
5473
5474 ssl->disable_datagram_packing = *p++;
5475#endif /* MBEDTLS_SSL_PROTO_DTLS */
5476
5477 if ((size_t) (end - p) < sizeof(ssl->cur_out_ctr)) {
5478 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5479 }
5480 memcpy(ssl->cur_out_ctr, p, sizeof(ssl->cur_out_ctr));
5481 p += sizeof(ssl->cur_out_ctr);
5482
5483#if defined(MBEDTLS_SSL_PROTO_DTLS)
5484 if ((size_t) (end - p) < 2) {
5485 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5486 }
5487
5488 ssl->mtu = MBEDTLS_GET_UINT16_BE(p, 0);
5489 p += 2;
5490#endif /* MBEDTLS_SSL_PROTO_DTLS */
5491
5492#if defined(MBEDTLS_SSL_ALPN)
5493 {
5494 uint8_t alpn_len;
5495 const char **cur;
5496
5497 if ((size_t) (end - p) < 1) {
5498 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5499 }
5500
5501 alpn_len = *p++;
5502
5503 if (alpn_len != 0 && ssl->conf->alpn_list != NULL) {
5504 /* alpn_chosen should point to an item in the configured list */
5505 for (cur = ssl->conf->alpn_list; *cur != NULL; cur++) {
5506 if (strlen(*cur) == alpn_len &&
5507 memcmp(p, *cur, alpn_len) == 0) {
5508 ssl->alpn_chosen = *cur;
5509 break;
5510 }
5511 }
5512 }
5513
5514 /* can only happen on conf mismatch */
5515 if (alpn_len != 0 && ssl->alpn_chosen == NULL) {
5516 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5517 }
5518
5519 p += alpn_len;
5520 }
5521#endif /* MBEDTLS_SSL_ALPN */
5522
5523 /*
5524 * Forced fields from top-level ssl_context structure
5525 *
5526 * Most of them already set to the correct value by mbedtls_ssl_init() and
5527 * mbedtls_ssl_reset(), so we only need to set the remaining ones.
5528 */
5529 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
5530 ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
5531
5532 /* Adjust pointers for header fields of outgoing records to
5533 * the given transform, accounting for explicit IV and CID. */
5534 mbedtls_ssl_update_out_pointers(ssl, ssl->transform);
5535
5536#if defined(MBEDTLS_SSL_PROTO_DTLS)
5537 ssl->in_epoch = 1;
5538#endif
5539
5540 /* mbedtls_ssl_reset() leaves the handshake sub-structure allocated,
5541 * which we don't want - otherwise we'd end up freeing the wrong transform
5542 * by calling mbedtls_ssl_handshake_wrapup_free_hs_transform()
5543 * inappropriately. */
5544 if (ssl->handshake != NULL) {
5545 mbedtls_ssl_handshake_free(ssl);
5546 mbedtls_free(ssl->handshake);
5547 ssl->handshake = NULL;
5548 }
5549
5550 /*
5551 * Done - should have consumed entire buffer
5552 */
5553 if (p != end) {
5554 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
5555 }
5556
5557 return 0;
5558}
5559
5560/*
5561 * Deserialize context: public wrapper for error cleaning
5562 */
5563int mbedtls_ssl_context_load(mbedtls_ssl_context *context,
5564 const unsigned char *buf,
5565 size_t len)
5566{
5567 int ret = ssl_context_load(context, buf, len);
5568
5569 if (ret != 0) {
5570 mbedtls_ssl_free(context);
5571 }
5572
5573 return ret;
5574}
5575#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
5576
5577/*
5578 * Free an SSL context
5579 */
5580void mbedtls_ssl_free(mbedtls_ssl_context *ssl)
5581{
5582 if (ssl == NULL) {
5583 return;
5584 }
5585
5586 MBEDTLS_SSL_DEBUG_MSG(2, ("=> free"));
5587
5588 if (ssl->out_buf != NULL) {
5589#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5590 size_t out_buf_len = ssl->out_buf_len;
5591#else
5592 size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
5593#endif
5594
5595 mbedtls_zeroize_and_free(ssl->out_buf, out_buf_len);
5596 ssl->out_buf = NULL;
5597 }
5598
5599 if (ssl->in_buf != NULL) {
5600#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
5601 size_t in_buf_len = ssl->in_buf_len;
5602#else
5603 size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
5604#endif
5605
5606 mbedtls_zeroize_and_free(ssl->in_buf, in_buf_len);
5607 ssl->in_buf = NULL;
5608 }
5609
5610 if (ssl->transform) {
5611 mbedtls_ssl_transform_free(ssl->transform);
5612 mbedtls_free(ssl->transform);
5613 }
5614
5615 if (ssl->handshake) {
5616 mbedtls_ssl_handshake_free(ssl);
5617 mbedtls_free(ssl->handshake);
5618
5619#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5620 mbedtls_ssl_transform_free(ssl->transform_negotiate);
5621 mbedtls_free(ssl->transform_negotiate);
5622#endif
5623
5624 mbedtls_ssl_session_free(ssl->session_negotiate);
5625 mbedtls_free(ssl->session_negotiate);
5626 }
5627
5628#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5629 mbedtls_ssl_transform_free(ssl->transform_application);
5630 mbedtls_free(ssl->transform_application);
5631#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
5632
5633 if (ssl->session) {
5634 mbedtls_ssl_session_free(ssl->session);
5635 mbedtls_free(ssl->session);
5636 }
5637
5638#if defined(MBEDTLS_X509_CRT_PARSE_C)
5639 mbedtls_ssl_free_hostname(ssl);
5640#endif
5641
5642#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5643 mbedtls_free(ssl->cli_id);
5644#endif
5645
5646 MBEDTLS_SSL_DEBUG_MSG(2, ("<= free"));
5647
5648 /* Actually clear after last debug message */
5649 mbedtls_platform_zeroize(ssl, sizeof(mbedtls_ssl_context));
5650}
5651
5652/*
5653 * Initialize mbedtls_ssl_config
5654 */
5655void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
5656{
5657 memset(conf, 0, sizeof(mbedtls_ssl_config));
5658}
5659
5660/* The selection should be the same as mbedtls_x509_crt_profile_default in
5661 * x509_crt.c, plus Montgomery curves for ECDHE. Here, the order matters:
5662 * curves with a lower resource usage come first.
5663 * See the documentation of mbedtls_ssl_conf_curves() for what we promise
5664 * about this list.
5665 */
5666static const uint16_t ssl_preset_default_groups[] = {
5667#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
5668 MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
5669#endif
5670#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5671 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5672#endif
5673#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5674 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5675#endif
5676#if defined(MBEDTLS_ECP_HAVE_CURVE448)
5677 MBEDTLS_SSL_IANA_TLS_GROUP_X448,
5678#endif
5679#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
5680 MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
5681#endif
5682#if defined(MBEDTLS_ECP_HAVE_BP256R1)
5683 MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
5684#endif
5685#if defined(MBEDTLS_ECP_HAVE_BP384R1)
5686 MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
5687#endif
5688#if defined(MBEDTLS_ECP_HAVE_BP512R1)
5689 MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
5690#endif
5691#if defined(PSA_WANT_ALG_FFDH)
5692 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048,
5693 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE3072,
5694 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE4096,
5695 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE6144,
5696 MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192,
5697#endif
5698 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5699};
5700
5701static const int ssl_preset_suiteb_ciphersuites[] = {
5702 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
5703 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
5704 0
5705};
5706
5707#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5708
5709/* NOTICE:
5710 * For ssl_preset_*_sig_algs and ssl_tls12_preset_*_sig_algs, the following
5711 * rules SHOULD be upheld.
5712 * - No duplicate entries.
5713 * - But if there is a good reason, do not change the order of the algorithms.
5714 * - ssl_tls12_preset* is for TLS 1.2 use only.
5715 * - ssl_preset_* is for TLS 1.3 only or hybrid TLS 1.3/1.2 handshakes.
5716 */
5717static const uint16_t ssl_preset_default_sig_algs[] = {
5718
5719#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5720 defined(MBEDTLS_MD_CAN_SHA256) && \
5721 defined(PSA_WANT_ECC_SECP_R1_256)
5722 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5723 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5724#endif
5725
5726#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5727 defined(MBEDTLS_MD_CAN_SHA384) && \
5728 defined(PSA_WANT_ECC_SECP_R1_384)
5729 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5730 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5731#endif
5732
5733#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5734 defined(MBEDTLS_MD_CAN_SHA512) && \
5735 defined(PSA_WANT_ECC_SECP_R1_521)
5736 MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
5737 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
5738#endif
5739
5740#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA512)
5741 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5742#endif
5743
5744#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA384)
5745 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5746#endif
5747
5748#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
5749 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5750#endif
5751
5752#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA512)
5753 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512,
5754#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA512 */
5755
5756#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA384)
5757 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
5758#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA384 */
5759
5760#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
5761 MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
5762#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
5763
5764 MBEDTLS_TLS_SIG_NONE
5765};
5766
5767/* NOTICE: see above */
5768#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5769static const uint16_t ssl_tls12_preset_default_sig_algs[] = {
5770
5771#if defined(MBEDTLS_MD_CAN_SHA512)
5772#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5773 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
5774#endif
5775#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5776 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512,
5777#endif
5778#if defined(MBEDTLS_RSA_C)
5779 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA512),
5780#endif
5781#endif /* MBEDTLS_MD_CAN_SHA512 */
5782
5783#if defined(MBEDTLS_MD_CAN_SHA384)
5784#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5785 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5786#endif
5787#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5788 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
5789#endif
5790#if defined(MBEDTLS_RSA_C)
5791 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA384),
5792#endif
5793#endif /* MBEDTLS_MD_CAN_SHA384 */
5794
5795#if defined(MBEDTLS_MD_CAN_SHA256)
5796#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5797 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5798#endif
5799#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
5800 MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
5801#endif
5802#if defined(MBEDTLS_RSA_C)
5803 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
5804#endif
5805#endif /* MBEDTLS_MD_CAN_SHA256 */
5806
5807 MBEDTLS_TLS_SIG_NONE
5808};
5809#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5810
5811/* NOTICE: see above */
5812static const uint16_t ssl_preset_suiteb_sig_algs[] = {
5813
5814#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5815 defined(MBEDTLS_MD_CAN_SHA256) && \
5816 defined(MBEDTLS_ECP_HAVE_SECP256R1)
5817 MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
5818 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
5819#endif
5820
5821#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
5822 defined(MBEDTLS_MD_CAN_SHA384) && \
5823 defined(MBEDTLS_ECP_HAVE_SECP384R1)
5824 MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
5825 // == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
5826#endif
5827
5828 MBEDTLS_TLS_SIG_NONE
5829};
5830
5831/* NOTICE: see above */
5832#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5833static const uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
5834
5835#if defined(MBEDTLS_MD_CAN_SHA256)
5836#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5837 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
5838#endif
5839#endif /* MBEDTLS_MD_CAN_SHA256 */
5840
5841#if defined(MBEDTLS_MD_CAN_SHA384)
5842#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
5843 MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
5844#endif
5845#endif /* MBEDTLS_MD_CAN_SHA384 */
5846
5847 MBEDTLS_TLS_SIG_NONE
5848};
5849#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5850
5851#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5852
5853static const uint16_t ssl_preset_suiteb_groups[] = {
5854#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
5855 MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
5856#endif
5857#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
5858 MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
5859#endif
5860 MBEDTLS_SSL_IANA_TLS_GROUP_NONE
5861};
5862
5863#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5864/* Function for checking `ssl_preset_*_sig_algs` and `ssl_tls12_preset_*_sig_algs`
5865 * to make sure there are no duplicated signature algorithm entries. */
5866MBEDTLS_CHECK_RETURN_CRITICAL
5867static int ssl_check_no_sig_alg_duplication(const uint16_t *sig_algs)
5868{
5869 size_t i, j;
5870 int ret = 0;
5871
5872 for (i = 0; sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
5873 for (j = 0; j < i; j++) {
5874 if (sig_algs[i] != sig_algs[j]) {
5875 continue;
5876 }
5877 mbedtls_printf(" entry(%04x,%" MBEDTLS_PRINTF_SIZET
5878 ") is duplicated at %" MBEDTLS_PRINTF_SIZET "\n",
5879 sig_algs[i], j, i);
5880 ret = -1;
5881 }
5882 }
5883 return ret;
5884}
5885
5886#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5887
5888/*
5889 * Load default in mbedtls_ssl_config
5890 */
5891int mbedtls_ssl_config_defaults(mbedtls_ssl_config *conf,
5892 int endpoint, int transport, int preset)
5893{
5894#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5895 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5896#endif
5897
5898#if defined(MBEDTLS_DEBUG_C) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
5899 if (ssl_check_no_sig_alg_duplication(ssl_preset_suiteb_sig_algs)) {
5900 mbedtls_printf("ssl_preset_suiteb_sig_algs has duplicated entries\n");
5901 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5902 }
5903
5904 if (ssl_check_no_sig_alg_duplication(ssl_preset_default_sig_algs)) {
5905 mbedtls_printf("ssl_preset_default_sig_algs has duplicated entries\n");
5906 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5907 }
5908
5909#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5910 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_suiteb_sig_algs)) {
5911 mbedtls_printf("ssl_tls12_preset_suiteb_sig_algs has duplicated entries\n");
5912 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5913 }
5914
5915 if (ssl_check_no_sig_alg_duplication(ssl_tls12_preset_default_sig_algs)) {
5916 mbedtls_printf("ssl_tls12_preset_default_sig_algs has duplicated entries\n");
5917 return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5918 }
5919#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5920#endif /* MBEDTLS_DEBUG_C && MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
5921
5922 /* Use the functions here so that they are covered in tests,
5923 * but otherwise access member directly for efficiency */
5924 mbedtls_ssl_conf_endpoint(conf, endpoint);
5925 mbedtls_ssl_conf_transport(conf, transport);
5926
5927 /*
5928 * Things that are common to all presets
5929 */
5930#if defined(MBEDTLS_SSL_CLI_C)
5931 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
5932 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
5933#if defined(MBEDTLS_SSL_SESSION_TICKETS)
5934 mbedtls_ssl_conf_session_tickets(conf, MBEDTLS_SSL_SESSION_TICKETS_ENABLED);
5935#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
5936 /* Contrary to TLS 1.2 tickets, TLS 1.3 NewSessionTicket message
5937 * handling is disabled by default in Mbed TLS 3.6.x for backward
5938 * compatibility with client applications developed using Mbed TLS 3.5
5939 * or earlier with the default configuration.
5940 *
5941 * Up to Mbed TLS 3.5, in the default configuration TLS 1.3 was
5942 * disabled, and a Mbed TLS client with the default configuration would
5943 * establish a TLS 1.2 connection with a TLS 1.2 and TLS 1.3 capable
5944 * server.
5945 *
5946 * Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled by default, and thus
5947 * an Mbed TLS client with the default configuration establishes a
5948 * TLS 1.3 connection with a TLS 1.2 and TLS 1.3 capable server. If
5949 * following the handshake the TLS 1.3 server sends NewSessionTicket
5950 * messages and the Mbed TLS client processes them, this results in
5951 * Mbed TLS high level APIs (mbedtls_ssl_read(),
5952 * mbedtls_ssl_handshake(), ...) to eventually return an
5953 * #MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET non fatal error code
5954 * (see the documentation of mbedtls_ssl_read() for more information on
5955 * that error code). Applications unaware of that TLS 1.3 specific non
5956 * fatal error code are then failing.
5957 */
5958 mbedtls_ssl_conf_tls13_enable_signal_new_session_tickets(
5959 conf, MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED);
5960#endif
5961#endif
5962 }
5963#endif
5964
5965#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
5966 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
5967#endif
5968
5969#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
5970 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
5971#endif
5972
5973#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5974 conf->f_cookie_write = ssl_cookie_write_dummy;
5975 conf->f_cookie_check = ssl_cookie_check_dummy;
5976#endif
5977
5978#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5979 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
5980#endif
5981
5982#if defined(MBEDTLS_SSL_SRV_C)
5983 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
5984 conf->respect_cli_pref = MBEDTLS_SSL_SRV_CIPHERSUITE_ORDER_SERVER;
5985#endif
5986
5987#if defined(MBEDTLS_SSL_PROTO_DTLS)
5988 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
5989 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
5990#endif
5991
5992#if defined(MBEDTLS_SSL_RENEGOTIATION)
5993 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
5994 memset(conf->renego_period, 0x00, 2);
5995 memset(conf->renego_period + 2, 0xFF, 6);
5996#endif
5997
5998#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5999 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
6000 const unsigned char dhm_p[] =
6001 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
6002 const unsigned char dhm_g[] =
6003 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
6004
6005 if ((ret = mbedtls_ssl_conf_dh_param_bin(conf,
6006 dhm_p, sizeof(dhm_p),
6007 dhm_g, sizeof(dhm_g))) != 0) {
6008 return ret;
6009 }
6010 }
6011#endif
6012
6013#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
6014
6015#if defined(MBEDTLS_SSL_EARLY_DATA)
6016 mbedtls_ssl_conf_early_data(conf, MBEDTLS_SSL_EARLY_DATA_DISABLED);
6017#if defined(MBEDTLS_SSL_SRV_C)
6018 mbedtls_ssl_conf_max_early_data_size(conf, MBEDTLS_SSL_MAX_EARLY_DATA_SIZE);
6019#endif
6020#endif /* MBEDTLS_SSL_EARLY_DATA */
6021
6022#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
6023 mbedtls_ssl_conf_new_session_tickets(
6024 conf, MBEDTLS_SSL_TLS1_3_DEFAULT_NEW_SESSION_TICKETS);
6025#endif
6026 /*
6027 * Allow all TLS 1.3 key exchange modes by default.
6028 */
6029 conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
6030#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
6031
6032 if (transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
6033#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6034 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
6035 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
6036#else
6037 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
6038#endif
6039 } else {
6040#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
6041 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
6042 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
6043#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
6044 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
6045 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
6046#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
6047 conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
6048 conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
6049#else
6050 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
6051#endif
6052 }
6053
6054 /*
6055 * Preset-specific defaults
6056 */
6057 switch (preset) {
6058 /*
6059 * NSA Suite B
6060 */
6061 case MBEDTLS_SSL_PRESET_SUITEB:
6062
6063 conf->ciphersuite_list = ssl_preset_suiteb_ciphersuites;
6064
6065#if defined(MBEDTLS_X509_CRT_PARSE_C)
6066 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
6067#endif
6068
6069#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6070#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6071 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
6072 conf->sig_algs = ssl_tls12_preset_suiteb_sig_algs;
6073 } else
6074#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6075 conf->sig_algs = ssl_preset_suiteb_sig_algs;
6076#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6077
6078#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6079 conf->curve_list = NULL;
6080#endif
6081 conf->group_list = ssl_preset_suiteb_groups;
6082 break;
6083
6084 /*
6085 * Default
6086 */
6087 default:
6088
6089 conf->ciphersuite_list = mbedtls_ssl_list_ciphersuites();
6090
6091#if defined(MBEDTLS_X509_CRT_PARSE_C)
6092 conf->cert_profile = &mbedtls_x509_crt_profile_default;
6093#endif
6094
6095#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6096#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6097 if (mbedtls_ssl_conf_is_tls12_only(conf)) {
6098 conf->sig_algs = ssl_tls12_preset_default_sig_algs;
6099 } else
6100#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6101 conf->sig_algs = ssl_preset_default_sig_algs;
6102#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6103
6104#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
6105 conf->curve_list = NULL;
6106#endif
6107 conf->group_list = ssl_preset_default_groups;
6108
6109#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
6110 conf->dhm_min_bitlen = 1024;
6111#endif
6112 }
6113
6114 return 0;
6115}
6116
6117/*
6118 * Free mbedtls_ssl_config
6119 */
6120void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
6121{
6122 if (conf == NULL) {
6123 return;
6124 }
6125
6126#if defined(MBEDTLS_DHM_C)
6127 mbedtls_mpi_free(&conf->dhm_P);
6128 mbedtls_mpi_free(&conf->dhm_G);
6129#endif
6130
6131#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
6132#if defined(MBEDTLS_USE_PSA_CRYPTO)
6133 if (!mbedtls_svc_key_id_is_null(conf->psk_opaque)) {
6134 conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
6135 }
6136#endif /* MBEDTLS_USE_PSA_CRYPTO */
6137 if (conf->psk != NULL) {
6138 mbedtls_zeroize_and_free(conf->psk, conf->psk_len);
6139 conf->psk = NULL;
6140 conf->psk_len = 0;
6141 }
6142
6143 if (conf->psk_identity != NULL) {
6144 mbedtls_zeroize_and_free(conf->psk_identity, conf->psk_identity_len);
6145 conf->psk_identity = NULL;
6146 conf->psk_identity_len = 0;
6147 }
6148#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
6149
6150#if defined(MBEDTLS_X509_CRT_PARSE_C)
6151 ssl_key_cert_free(conf->key_cert);
6152#endif
6153
6154 mbedtls_platform_zeroize(conf, sizeof(mbedtls_ssl_config));
6155}
6156
6157#if defined(MBEDTLS_PK_C) && \
6158 (defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
6159/*
6160 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
6161 */
6162unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
6163{
6164#if defined(MBEDTLS_RSA_C)
6165 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) {
6166 return MBEDTLS_SSL_SIG_RSA;
6167 }
6168#endif
6169#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6170 if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
6171 return MBEDTLS_SSL_SIG_ECDSA;
6172 }
6173#endif
6174 return MBEDTLS_SSL_SIG_ANON;
6175}
6176
6177unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
6178{
6179 switch (type) {
6180 case MBEDTLS_PK_RSA:
6181 return MBEDTLS_SSL_SIG_RSA;
6182 case MBEDTLS_PK_ECDSA:
6183 case MBEDTLS_PK_ECKEY:
6184 return MBEDTLS_SSL_SIG_ECDSA;
6185 default:
6186 return MBEDTLS_SSL_SIG_ANON;
6187 }
6188}
6189
6190mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
6191{
6192 switch (sig) {
6193#if defined(MBEDTLS_RSA_C)
6194 case MBEDTLS_SSL_SIG_RSA:
6195 return MBEDTLS_PK_RSA;
6196#endif
6197#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
6198 case MBEDTLS_SSL_SIG_ECDSA:
6199 return MBEDTLS_PK_ECDSA;
6200#endif
6201 default:
6202 return MBEDTLS_PK_NONE;
6203 }
6204}
6205#endif /* MBEDTLS_PK_C &&
6206 ( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
6207
6208/*
6209 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
6210 */
6211mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
6212{
6213 switch (hash) {
6214#if defined(MBEDTLS_MD_CAN_MD5)
6215 case MBEDTLS_SSL_HASH_MD5:
6216 return MBEDTLS_MD_MD5;
6217#endif
6218#if defined(MBEDTLS_MD_CAN_SHA1)
6219 case MBEDTLS_SSL_HASH_SHA1:
6220 return MBEDTLS_MD_SHA1;
6221#endif
6222#if defined(MBEDTLS_MD_CAN_SHA224)
6223 case MBEDTLS_SSL_HASH_SHA224:
6224 return MBEDTLS_MD_SHA224;
6225#endif
6226#if defined(MBEDTLS_MD_CAN_SHA256)
6227 case MBEDTLS_SSL_HASH_SHA256:
6228 return MBEDTLS_MD_SHA256;
6229#endif
6230#if defined(MBEDTLS_MD_CAN_SHA384)
6231 case MBEDTLS_SSL_HASH_SHA384:
6232 return MBEDTLS_MD_SHA384;
6233#endif
6234#if defined(MBEDTLS_MD_CAN_SHA512)
6235 case MBEDTLS_SSL_HASH_SHA512:
6236 return MBEDTLS_MD_SHA512;
6237#endif
6238 default:
6239 return MBEDTLS_MD_NONE;
6240 }
6241}
6242
6243/*
6244 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
6245 */
6246unsigned char mbedtls_ssl_hash_from_md_alg(int md)
6247{
6248 switch (md) {
6249#if defined(MBEDTLS_MD_CAN_MD5)
6250 case MBEDTLS_MD_MD5:
6251 return MBEDTLS_SSL_HASH_MD5;
6252#endif
6253#if defined(MBEDTLS_MD_CAN_SHA1)
6254 case MBEDTLS_MD_SHA1:
6255 return MBEDTLS_SSL_HASH_SHA1;
6256#endif
6257#if defined(MBEDTLS_MD_CAN_SHA224)
6258 case MBEDTLS_MD_SHA224:
6259 return MBEDTLS_SSL_HASH_SHA224;
6260#endif
6261#if defined(MBEDTLS_MD_CAN_SHA256)
6262 case MBEDTLS_MD_SHA256:
6263 return MBEDTLS_SSL_HASH_SHA256;
6264#endif
6265#if defined(MBEDTLS_MD_CAN_SHA384)
6266 case MBEDTLS_MD_SHA384:
6267 return MBEDTLS_SSL_HASH_SHA384;
6268#endif
6269#if defined(MBEDTLS_MD_CAN_SHA512)
6270 case MBEDTLS_MD_SHA512:
6271 return MBEDTLS_SSL_HASH_SHA512;
6272#endif
6273 default:
6274 return MBEDTLS_SSL_HASH_NONE;
6275 }
6276}
6277
6278/*
6279 * Check if a curve proposed by the peer is in our list.
6280 * Return 0 if we're willing to use it, -1 otherwise.
6281 */
6282int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id)
6283{
6284 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
6285
6286 if (group_list == NULL) {
6287 return -1;
6288 }
6289
6290 for (; *group_list != 0; group_list++) {
6291 if (*group_list == tls_id) {
6292 return 0;
6293 }
6294 }
6295
6296 return -1;
6297}
6298
6299#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
6300/*
6301 * Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
6302 */
6303int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
6304{
6305 uint16_t tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id);
6306
6307 if (tls_id == 0) {
6308 return -1;
6309 }
6310
6311 return mbedtls_ssl_check_curve_tls_id(ssl, tls_id);
6312}
6313#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
6314
6315static const struct {
6316 uint16_t tls_id;
6317 mbedtls_ecp_group_id ecp_group_id;
6318 psa_ecc_family_t psa_family;
6319 uint16_t bits;
6320} tls_id_match_table[] =
6321{
6322#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
6323 { 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
6324#endif
6325#if defined(MBEDTLS_ECP_HAVE_BP512R1)
6326 { 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
6327#endif
6328#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
6329 { 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
6330#endif
6331#if defined(MBEDTLS_ECP_HAVE_BP384R1)
6332 { 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
6333#endif
6334#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
6335 { 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
6336#endif
6337#if defined(MBEDTLS_ECP_HAVE_SECP256K1)
6338 { 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
6339#endif
6340#if defined(MBEDTLS_ECP_HAVE_BP256R1)
6341 { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
6342#endif
6343#if defined(MBEDTLS_ECP_HAVE_SECP224R1)
6344 { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
6345#endif
6346#if defined(MBEDTLS_ECP_HAVE_SECP224K1)
6347 { 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
6348#endif
6349#if defined(MBEDTLS_ECP_HAVE_SECP192R1)
6350 { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
6351#endif
6352#if defined(MBEDTLS_ECP_HAVE_SECP192K1)
6353 { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
6354#endif
6355#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
6356 { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
6357#endif
6358#if defined(MBEDTLS_ECP_HAVE_CURVE448)
6359 { 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
6360#endif
6361 { 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
6362};
6363
6364int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
6365 psa_key_type_t *type,
6366 size_t *bits)
6367{
6368 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
6369 if (tls_id_match_table[i].tls_id == tls_id) {
6370 if (type != NULL) {
6371 *type = PSA_KEY_TYPE_ECC_KEY_PAIR(tls_id_match_table[i].psa_family);
6372 }
6373 if (bits != NULL) {
6374 *bits = tls_id_match_table[i].bits;
6375 }
6376 return PSA_SUCCESS;
6377 }
6378 }
6379
6380 return PSA_ERROR_NOT_SUPPORTED;
6381}
6382
6383mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id)
6384{
6385 for (int i = 0; tls_id_match_table[i].tls_id != 0; i++) {
6386 if (tls_id_match_table[i].tls_id == tls_id) {
6387 return tls_id_match_table[i].ecp_group_id;
6388 }
6389 }
6390
6391 return MBEDTLS_ECP_DP_NONE;
6392}
6393
6394uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id)
6395{
6396 for (int i = 0; tls_id_match_table[i].ecp_group_id != MBEDTLS_ECP_DP_NONE;
6397 i++) {
6398 if (tls_id_match_table[i].ecp_group_id == grp_id) {
6399 return tls_id_match_table[i].tls_id;
6400 }
6401 }
6402
6403 return 0;
6404}
6405
6406#if defined(MBEDTLS_DEBUG_C)
6407static const struct {
6408 uint16_t tls_id;
6409 const char *name;
6410} tls_id_curve_name_table[] =
6411{
6412 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, "secp521r1" },
6413 { MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1, "brainpoolP512r1" },
6414 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, "secp384r1" },
6415 { MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1, "brainpoolP384r1" },
6416 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" },
6417 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" },
6418 { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" },
6419 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" },
6420 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" },
6421 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" },
6422 { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" },
6423 { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" },
6424 { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" },
6425 { 0, NULL },
6426};
6427
6428const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id)
6429{
6430 for (int i = 0; tls_id_curve_name_table[i].tls_id != 0; i++) {
6431 if (tls_id_curve_name_table[i].tls_id == tls_id) {
6432 return tls_id_curve_name_table[i].name;
6433 }
6434 }
6435
6436 return NULL;
6437}
6438#endif
6439
6440#if defined(MBEDTLS_USE_PSA_CRYPTO)
6441int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
6442 const mbedtls_md_type_t md,
6443 unsigned char *dst,
6444 size_t dst_len,
6445 size_t *olen)
6446{
6447 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
6448 psa_hash_operation_t *hash_operation_to_clone;
6449 psa_hash_operation_t hash_operation = psa_hash_operation_init();
6450
6451 *olen = 0;
6452
6453 switch (md) {
6454#if defined(MBEDTLS_MD_CAN_SHA384)
6455 case MBEDTLS_MD_SHA384:
6456 hash_operation_to_clone = &ssl->handshake->fin_sha384_psa;
6457 break;
6458#endif
6459
6460#if defined(MBEDTLS_MD_CAN_SHA256)
6461 case MBEDTLS_MD_SHA256:
6462 hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
6463 break;
6464#endif
6465
6466 default:
6467 goto exit;
6468 }
6469
6470 status = psa_hash_clone(hash_operation_to_clone, &hash_operation);
6471 if (status != PSA_SUCCESS) {
6472 goto exit;
6473 }
6474
6475 status = psa_hash_finish(&hash_operation, dst, dst_len, olen);
6476 if (status != PSA_SUCCESS) {
6477 goto exit;
6478 }
6479
6480exit:
6481#if !defined(MBEDTLS_MD_CAN_SHA384) && \
6482 !defined(MBEDTLS_MD_CAN_SHA256)
6483 (void) ssl;
6484#endif
6485 return PSA_TO_MBEDTLS_ERR(status);
6486}
6487#else /* MBEDTLS_USE_PSA_CRYPTO */
6488
6489#if defined(MBEDTLS_MD_CAN_SHA384)
6490MBEDTLS_CHECK_RETURN_CRITICAL
6491static int ssl_get_handshake_transcript_sha384(mbedtls_ssl_context *ssl,
6492 unsigned char *dst,
6493 size_t dst_len,
6494 size_t *olen)
6495{
6496 int ret;
6497 mbedtls_md_context_t sha384;
6498
6499 if (dst_len < 48) {
6500 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6501 }
6502
6503 mbedtls_md_init(&sha384);
6504 ret = mbedtls_md_setup(&sha384, mbedtls_md_info_from_type(MBEDTLS_MD_SHA384), 0);
6505 if (ret != 0) {
6506 goto exit;
6507 }
6508 ret = mbedtls_md_clone(&sha384, &ssl->handshake->fin_sha384);
6509 if (ret != 0) {
6510 goto exit;
6511 }
6512
6513 if ((ret = mbedtls_md_finish(&sha384, dst)) != 0) {
6514 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
6515 goto exit;
6516 }
6517
6518 *olen = 48;
6519
6520exit:
6521
6522 mbedtls_md_free(&sha384);
6523 return ret;
6524}
6525#endif /* MBEDTLS_MD_CAN_SHA384 */
6526
6527#if defined(MBEDTLS_MD_CAN_SHA256)
6528MBEDTLS_CHECK_RETURN_CRITICAL
6529static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl,
6530 unsigned char *dst,
6531 size_t dst_len,
6532 size_t *olen)
6533{
6534 int ret;
6535 mbedtls_md_context_t sha256;
6536
6537 if (dst_len < 32) {
6538 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6539 }
6540
6541 mbedtls_md_init(&sha256);
6542 ret = mbedtls_md_setup(&sha256, mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), 0);
6543 if (ret != 0) {
6544 goto exit;
6545 }
6546 ret = mbedtls_md_clone(&sha256, &ssl->handshake->fin_sha256);
6547 if (ret != 0) {
6548 goto exit;
6549 }
6550
6551 if ((ret = mbedtls_md_finish(&sha256, dst)) != 0) {
6552 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
6553 goto exit;
6554 }
6555
6556 *olen = 32;
6557
6558exit:
6559
6560 mbedtls_md_free(&sha256);
6561 return ret;
6562}
6563#endif /* MBEDTLS_MD_CAN_SHA256 */
6564
6565int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
6566 const mbedtls_md_type_t md,
6567 unsigned char *dst,
6568 size_t dst_len,
6569 size_t *olen)
6570{
6571 switch (md) {
6572
6573#if defined(MBEDTLS_MD_CAN_SHA384)
6574 case MBEDTLS_MD_SHA384:
6575 return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen);
6576#endif /* MBEDTLS_MD_CAN_SHA384*/
6577
6578#if defined(MBEDTLS_MD_CAN_SHA256)
6579 case MBEDTLS_MD_SHA256:
6580 return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen);
6581#endif /* MBEDTLS_MD_CAN_SHA256*/
6582
6583 default:
6584#if !defined(MBEDTLS_MD_CAN_SHA384) && \
6585 !defined(MBEDTLS_MD_CAN_SHA256)
6586 (void) ssl;
6587 (void) dst;
6588 (void) dst_len;
6589 (void) olen;
6590#endif
6591 break;
6592 }
6593 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6594}
6595
6596#endif /* !MBEDTLS_USE_PSA_CRYPTO */
6597
6598#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
6599/* mbedtls_ssl_parse_sig_alg_ext()
6600 *
6601 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
6602 * value (TLS 1.3 RFC8446):
6603 * enum {
6604 * ....
6605 * ecdsa_secp256r1_sha256( 0x0403 ),
6606 * ecdsa_secp384r1_sha384( 0x0503 ),
6607 * ecdsa_secp521r1_sha512( 0x0603 ),
6608 * ....
6609 * } SignatureScheme;
6610 *
6611 * struct {
6612 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
6613 * } SignatureSchemeList;
6614 *
6615 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
6616 * value (TLS 1.2 RFC5246):
6617 * enum {
6618 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
6619 * sha512(6), (255)
6620 * } HashAlgorithm;
6621 *
6622 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
6623 * SignatureAlgorithm;
6624 *
6625 * struct {
6626 * HashAlgorithm hash;
6627 * SignatureAlgorithm signature;
6628 * } SignatureAndHashAlgorithm;
6629 *
6630 * SignatureAndHashAlgorithm
6631 * supported_signature_algorithms<2..2^16-2>;
6632 *
6633 * The TLS 1.3 signature algorithm extension was defined to be a compatible
6634 * generalization of the TLS 1.2 signature algorithm extension.
6635 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
6636 * `SignatureScheme` field of TLS 1.3
6637 *
6638 */
6639int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
6640 const unsigned char *buf,
6641 const unsigned char *end)
6642{
6643 const unsigned char *p = buf;
6644 size_t supported_sig_algs_len = 0;
6645 const unsigned char *supported_sig_algs_end;
6646 uint16_t sig_alg;
6647 uint32_t common_idx = 0;
6648
6649 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
6650 supported_sig_algs_len = MBEDTLS_GET_UINT16_BE(p, 0);
6651 p += 2;
6652
6653 memset(ssl->handshake->received_sig_algs, 0,
6654 sizeof(ssl->handshake->received_sig_algs));
6655
6656 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, supported_sig_algs_len);
6657 supported_sig_algs_end = p + supported_sig_algs_len;
6658 while (p < supported_sig_algs_end) {
6659 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, supported_sig_algs_end, 2);
6660 sig_alg = MBEDTLS_GET_UINT16_BE(p, 0);
6661 p += 2;
6662 MBEDTLS_SSL_DEBUG_MSG(4, ("received signature algorithm: 0x%x %s",
6663 sig_alg,
6664 mbedtls_ssl_sig_alg_to_str(sig_alg)));
6665#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6666 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
6667 (!(mbedtls_ssl_sig_alg_is_supported(ssl, sig_alg) &&
6668 mbedtls_ssl_sig_alg_is_offered(ssl, sig_alg)))) {
6669 continue;
6670 }
6671#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6672
6673 MBEDTLS_SSL_DEBUG_MSG(4, ("valid signature algorithm: %s",
6674 mbedtls_ssl_sig_alg_to_str(sig_alg)));
6675
6676 if (common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE) {
6677 ssl->handshake->received_sig_algs[common_idx] = sig_alg;
6678 common_idx += 1;
6679 }
6680 }
6681 /* Check that we consumed all the message. */
6682 if (p != end) {
6683 MBEDTLS_SSL_DEBUG_MSG(1,
6684 ("Signature algorithms extension length misaligned"));
6685 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
6686 MBEDTLS_ERR_SSL_DECODE_ERROR);
6687 return MBEDTLS_ERR_SSL_DECODE_ERROR;
6688 }
6689
6690 if (common_idx == 0) {
6691 MBEDTLS_SSL_DEBUG_MSG(3, ("no signature algorithm in common"));
6692 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
6693 MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
6694 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
6695 }
6696
6697 ssl->handshake->received_sig_algs[common_idx] = MBEDTLS_TLS_SIG_NONE;
6698 return 0;
6699}
6700
6701#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
6702
6703#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6704
6705#if defined(MBEDTLS_USE_PSA_CRYPTO)
6706
6707static psa_status_t setup_psa_key_derivation(psa_key_derivation_operation_t *derivation,
6708 mbedtls_svc_key_id_t key,
6709 psa_algorithm_t alg,
6710 const unsigned char *raw_psk, size_t raw_psk_length,
6711 const unsigned char *seed, size_t seed_length,
6712 const unsigned char *label, size_t label_length,
6713 const unsigned char *other_secret,
6714 size_t other_secret_length,
6715 size_t capacity)
6716{
6717 psa_status_t status;
6718
6719 status = psa_key_derivation_setup(derivation, alg);
6720 if (status != PSA_SUCCESS) {
6721 return status;
6722 }
6723
6724 if (PSA_ALG_IS_TLS12_PRF(alg) || PSA_ALG_IS_TLS12_PSK_TO_MS(alg)) {
6725 status = psa_key_derivation_input_bytes(derivation,
6726 PSA_KEY_DERIVATION_INPUT_SEED,
6727 seed, seed_length);
6728 if (status != PSA_SUCCESS) {
6729 return status;
6730 }
6731
6732 if (other_secret != NULL) {
6733 status = psa_key_derivation_input_bytes(derivation,
6734 PSA_KEY_DERIVATION_INPUT_OTHER_SECRET,
6735 other_secret, other_secret_length);
6736 if (status != PSA_SUCCESS) {
6737 return status;
6738 }
6739 }
6740
6741 if (mbedtls_svc_key_id_is_null(key)) {
6742 status = psa_key_derivation_input_bytes(
6743 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
6744 raw_psk, raw_psk_length);
6745 } else {
6746 status = psa_key_derivation_input_key(
6747 derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key);
6748 }
6749 if (status != PSA_SUCCESS) {
6750 return status;
6751 }
6752
6753 status = psa_key_derivation_input_bytes(derivation,
6754 PSA_KEY_DERIVATION_INPUT_LABEL,
6755 label, label_length);
6756 if (status != PSA_SUCCESS) {
6757 return status;
6758 }
6759 } else {
6760 return PSA_ERROR_NOT_SUPPORTED;
6761 }
6762
6763 status = psa_key_derivation_set_capacity(derivation, capacity);
6764 if (status != PSA_SUCCESS) {
6765 return status;
6766 }
6767
6768 return PSA_SUCCESS;
6769}
6770
6771#if defined(PSA_WANT_ALG_SHA_384) || \
6772 defined(PSA_WANT_ALG_SHA_256)
6773MBEDTLS_CHECK_RETURN_CRITICAL
6774static int tls_prf_generic(mbedtls_md_type_t md_type,
6775 const unsigned char *secret, size_t slen,
6776 const char *label, size_t label_len,
6777 const unsigned char *random, size_t rlen,
6778 unsigned char *dstbuf, size_t dlen)
6779{
6780 psa_status_t status;
6781 psa_algorithm_t alg;
6782 mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
6783 psa_key_derivation_operation_t derivation =
6784 PSA_KEY_DERIVATION_OPERATION_INIT;
6785
6786 if (md_type == MBEDTLS_MD_SHA384) {
6787 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
6788 } else {
6789 alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
6790 }
6791
6792 /* Normally a "secret" should be long enough to be impossible to
6793 * find by brute force, and in particular should not be empty. But
6794 * this PRF is also used to derive an IV, in particular in EAP-TLS,
6795 * and for this use case it makes sense to have a 0-length "secret".
6796 * Since the key API doesn't allow importing a key of length 0,
6797 * keep master_key=0, which setup_psa_key_derivation() understands
6798 * to mean a 0-length "secret" input. */
6799 if (slen != 0) {
6800 psa_key_attributes_t key_attributes = psa_key_attributes_init();
6801 psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
6802 psa_set_key_algorithm(&key_attributes, alg);
6803 psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
6804
6805 status = psa_import_key(&key_attributes, secret, slen, &master_key);
6806 if (status != PSA_SUCCESS) {
6807 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6808 }
6809 }
6810
6811 status = setup_psa_key_derivation(&derivation,
6812 master_key, alg,
6813 NULL, 0,
6814 random, rlen,
6815 (unsigned char const *) label,
6816 label_len,
6817 NULL, 0,
6818 dlen);
6819 if (status != PSA_SUCCESS) {
6820 psa_key_derivation_abort(&derivation);
6821 psa_destroy_key(master_key);
6822 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6823 }
6824
6825 status = psa_key_derivation_output_bytes(&derivation, dstbuf, dlen);
6826 if (status != PSA_SUCCESS) {
6827 psa_key_derivation_abort(&derivation);
6828 psa_destroy_key(master_key);
6829 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6830 }
6831
6832 status = psa_key_derivation_abort(&derivation);
6833 if (status != PSA_SUCCESS) {
6834 psa_destroy_key(master_key);
6835 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6836 }
6837
6838 if (!mbedtls_svc_key_id_is_null(master_key)) {
6839 status = psa_destroy_key(master_key);
6840 }
6841 if (status != PSA_SUCCESS) {
6842 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
6843 }
6844
6845 return 0;
6846}
6847#endif /* PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 */
6848#else /* MBEDTLS_USE_PSA_CRYPTO */
6849
6850#if defined(MBEDTLS_MD_C) && \
6851 (defined(MBEDTLS_MD_CAN_SHA256) || \
6852 defined(MBEDTLS_MD_CAN_SHA384))
6853MBEDTLS_CHECK_RETURN_CRITICAL
6854static int tls_prf_generic(mbedtls_md_type_t md_type,
6855 const unsigned char *secret, size_t slen,
6856 const char *label, size_t label_len,
6857 const unsigned char *random, size_t rlen,
6858 unsigned char *dstbuf, size_t dlen)
6859{
6860 size_t nb;
6861 size_t i, j, k, md_len;
6862 unsigned char *tmp;
6863 size_t tmp_len = 0;
6864 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
6865 const mbedtls_md_info_t *md_info;
6866 mbedtls_md_context_t md_ctx;
6867 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
6868
6869 mbedtls_md_init(&md_ctx);
6870
6871 if ((md_info = mbedtls_md_info_from_type(md_type)) == NULL) {
6872 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
6873 }
6874
6875 md_len = mbedtls_md_get_size(md_info);
6876
6877 tmp_len = md_len + label_len + rlen;
6878 tmp = mbedtls_calloc(1, tmp_len);
6879 if (tmp == NULL) {
6880 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
6881 goto exit;
6882 }
6883
6884 nb = label_len;
6885 memcpy(tmp + md_len, label, nb);
6886 memcpy(tmp + md_len + nb, random, rlen);
6887 nb += rlen;
6888
6889 /*
6890 * Compute P_<hash>(secret, label + random)[0..dlen]
6891 */
6892 if ((ret = mbedtls_md_setup(&md_ctx, md_info, 1)) != 0) {
6893 goto exit;
6894 }
6895
6896 ret = mbedtls_md_hmac_starts(&md_ctx, secret, slen);
6897 if (ret != 0) {
6898 goto exit;
6899 }
6900 ret = mbedtls_md_hmac_update(&md_ctx, tmp + md_len, nb);
6901 if (ret != 0) {
6902 goto exit;
6903 }
6904 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6905 if (ret != 0) {
6906 goto exit;
6907 }
6908
6909 for (i = 0; i < dlen; i += md_len) {
6910 ret = mbedtls_md_hmac_reset(&md_ctx);
6911 if (ret != 0) {
6912 goto exit;
6913 }
6914 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len + nb);
6915 if (ret != 0) {
6916 goto exit;
6917 }
6918 ret = mbedtls_md_hmac_finish(&md_ctx, h_i);
6919 if (ret != 0) {
6920 goto exit;
6921 }
6922
6923 ret = mbedtls_md_hmac_reset(&md_ctx);
6924 if (ret != 0) {
6925 goto exit;
6926 }
6927 ret = mbedtls_md_hmac_update(&md_ctx, tmp, md_len);
6928 if (ret != 0) {
6929 goto exit;
6930 }
6931 ret = mbedtls_md_hmac_finish(&md_ctx, tmp);
6932 if (ret != 0) {
6933 goto exit;
6934 }
6935
6936 k = (i + md_len > dlen) ? dlen % md_len : md_len;
6937
6938 for (j = 0; j < k; j++) {
6939 dstbuf[i + j] = h_i[j];
6940 }
6941 }
6942
6943exit:
6944 mbedtls_md_free(&md_ctx);
6945
6946 if (tmp != NULL) {
6947 mbedtls_platform_zeroize(tmp, tmp_len);
6948 }
6949
6950 mbedtls_platform_zeroize(h_i, sizeof(h_i));
6951
6952 mbedtls_free(tmp);
6953
6954 return ret;
6955}
6956#endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || MBEDTLS_MD_CAN_SHA384 ) */
6957#endif /* MBEDTLS_USE_PSA_CRYPTO */
6958
6959#if defined(MBEDTLS_MD_CAN_SHA256)
6960MBEDTLS_CHECK_RETURN_CRITICAL
6961static int tls_prf_sha256(const unsigned char *secret, size_t slen,
6962 const char *label,
6963 const unsigned char *random, size_t rlen,
6964 unsigned char *dstbuf, size_t dlen)
6965{
6966 return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
6967 label, strlen(label), random, rlen, dstbuf, dlen);
6968}
6969#endif /* MBEDTLS_MD_CAN_SHA256*/
6970
6971#if defined(MBEDTLS_MD_CAN_SHA384)
6972MBEDTLS_CHECK_RETURN_CRITICAL
6973static int tls_prf_sha384(const unsigned char *secret, size_t slen,
6974 const char *label,
6975 const unsigned char *random, size_t rlen,
6976 unsigned char *dstbuf, size_t dlen)
6977{
6978 return tls_prf_generic(MBEDTLS_MD_SHA384, secret, slen,
6979 label, strlen(label), random, rlen, dstbuf, dlen);
6980}
6981#endif /* MBEDTLS_MD_CAN_SHA384*/
6982
6983/*
6984 * Set appropriate PRF function and other SSL / TLS1.2 functions
6985 *
6986 * Inputs:
6987 * - hash associated with the ciphersuite (only used by TLS 1.2)
6988 *
6989 * Outputs:
6990 * - the tls_prf, calc_verify and calc_finished members of handshake structure
6991 */
6992MBEDTLS_CHECK_RETURN_CRITICAL
6993static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
6994 mbedtls_md_type_t hash)
6995{
6996#if defined(MBEDTLS_MD_CAN_SHA384)
6997 if (hash == MBEDTLS_MD_SHA384) {
6998 handshake->tls_prf = tls_prf_sha384;
6999 handshake->calc_verify = ssl_calc_verify_tls_sha384;
7000 handshake->calc_finished = ssl_calc_finished_tls_sha384;
7001 } else
7002#endif
7003#if defined(MBEDTLS_MD_CAN_SHA256)
7004 {
7005 (void) hash;
7006 handshake->tls_prf = tls_prf_sha256;
7007 handshake->calc_verify = ssl_calc_verify_tls_sha256;
7008 handshake->calc_finished = ssl_calc_finished_tls_sha256;
7009 }
7010#else
7011 {
7012 (void) handshake;
7013 (void) hash;
7014 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7015 }
7016#endif
7017
7018 return 0;
7019}
7020
7021/*
7022 * Compute master secret if needed
7023 *
7024 * Parameters:
7025 * [in/out] handshake
7026 * [in] resume, premaster, extended_ms, calc_verify, tls_prf
7027 * (PSA-PSK) ciphersuite_info, psk_opaque
7028 * [out] premaster (cleared)
7029 * [out] master
7030 * [in] ssl: optionally used for debugging, EMS and PSA-PSK
7031 * debug: conf->f_dbg, conf->p_dbg
7032 * EMS: passed to calc_verify (debug + session_negotiate)
7033 * PSA-PSA: conf
7034 */
7035MBEDTLS_CHECK_RETURN_CRITICAL
7036static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake,
7037 unsigned char *master,
7038 const mbedtls_ssl_context *ssl)
7039{
7040 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7041
7042 /* cf. RFC 5246, Section 8.1:
7043 * "The master secret is always exactly 48 bytes in length." */
7044 size_t const master_secret_len = 48;
7045
7046#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
7047 unsigned char session_hash[48];
7048#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
7049
7050 /* The label for the KDF used for key expansion.
7051 * This is either "master secret" or "extended master secret"
7052 * depending on whether the Extended Master Secret extension
7053 * is used. */
7054 char const *lbl = "master secret";
7055
7056 /* The seed for the KDF used for key expansion.
7057 * - If the Extended Master Secret extension is not used,
7058 * this is ClientHello.Random + ServerHello.Random
7059 * (see Sect. 8.1 in RFC 5246).
7060 * - If the Extended Master Secret extension is used,
7061 * this is the transcript of the handshake so far.
7062 * (see Sect. 4 in RFC 7627). */
7063 unsigned char const *seed = handshake->randbytes;
7064 size_t seed_len = 64;
7065
7066#if !defined(MBEDTLS_DEBUG_C) && \
7067 !defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) && \
7068 !(defined(MBEDTLS_USE_PSA_CRYPTO) && \
7069 defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED))
7070 ssl = NULL; /* make sure we don't use it except for those cases */
7071 (void) ssl;
7072#endif
7073
7074 if (handshake->resume != 0) {
7075 MBEDTLS_SSL_DEBUG_MSG(3, ("no premaster (session resumed)"));
7076 return 0;
7077 }
7078
7079#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
7080 if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
7081 lbl = "extended master secret";
7082 seed = session_hash;
7083 ret = handshake->calc_verify(ssl, session_hash, &seed_len);
7084 if (ret != 0) {
7085 MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
7086 }
7087
7088 MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
7089 session_hash, seed_len);
7090 }
7091#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
7092
7093#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
7094 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
7095 if (mbedtls_ssl_ciphersuite_uses_psk(handshake->ciphersuite_info) == 1) {
7096 /* Perform PSK-to-MS expansion in a single step. */
7097 psa_status_t status;
7098 psa_algorithm_t alg;
7099 mbedtls_svc_key_id_t psk;
7100 psa_key_derivation_operation_t derivation =
7101 PSA_KEY_DERIVATION_OPERATION_INIT;
7102 mbedtls_md_type_t hash_alg = (mbedtls_md_type_t) handshake->ciphersuite_info->mac;
7103
7104 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PSK-to-MS expansion"));
7105
7106 psk = mbedtls_ssl_get_opaque_psk(ssl);
7107
7108 if (hash_alg == MBEDTLS_MD_SHA384) {
7109 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
7110 } else {
7111 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
7112 }
7113
7114 size_t other_secret_len = 0;
7115 unsigned char *other_secret = NULL;
7116
7117 switch (handshake->ciphersuite_info->key_exchange) {
7118 /* Provide other secret.
7119 * Other secret is stored in premaster, where first 2 bytes hold the
7120 * length of the other key.
7121 */
7122 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
7123 /* For RSA-PSK other key length is always 48 bytes. */
7124 other_secret_len = 48;
7125 other_secret = handshake->premaster + 2;
7126 break;
7127 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
7128 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
7129 other_secret_len = MBEDTLS_GET_UINT16_BE(handshake->premaster, 0);
7130 other_secret = handshake->premaster + 2;
7131 break;
7132 default:
7133 break;
7134 }
7135
7136 status = setup_psa_key_derivation(&derivation, psk, alg,
7137 ssl->conf->psk, ssl->conf->psk_len,
7138 seed, seed_len,
7139 (unsigned char const *) lbl,
7140 (size_t) strlen(lbl),
7141 other_secret, other_secret_len,
7142 master_secret_len);
7143 if (status != PSA_SUCCESS) {
7144 psa_key_derivation_abort(&derivation);
7145 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7146 }
7147
7148 status = psa_key_derivation_output_bytes(&derivation,
7149 master,
7150 master_secret_len);
7151 if (status != PSA_SUCCESS) {
7152 psa_key_derivation_abort(&derivation);
7153 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7154 }
7155
7156 status = psa_key_derivation_abort(&derivation);
7157 if (status != PSA_SUCCESS) {
7158 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7159 }
7160 } else
7161#endif
7162 {
7163#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
7164 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
7165 if (handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE) {
7166 psa_status_t status;
7167 psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS;
7168 psa_key_derivation_operation_t derivation =
7169 PSA_KEY_DERIVATION_OPERATION_INIT;
7170
7171 MBEDTLS_SSL_DEBUG_MSG(2, ("perform PSA-based PMS KDF for ECJPAKE"));
7172
7173 handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE;
7174
7175 status = psa_key_derivation_setup(&derivation, alg);
7176 if (status != PSA_SUCCESS) {
7177 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7178 }
7179
7180 status = psa_key_derivation_set_capacity(&derivation,
7181 PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE);
7182 if (status != PSA_SUCCESS) {
7183 psa_key_derivation_abort(&derivation);
7184 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7185 }
7186
7187 status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx,
7188 &derivation);
7189 if (status != PSA_SUCCESS) {
7190 psa_key_derivation_abort(&derivation);
7191 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7192 }
7193
7194 status = psa_key_derivation_output_bytes(&derivation,
7195 handshake->premaster,
7196 handshake->pmslen);
7197 if (status != PSA_SUCCESS) {
7198 psa_key_derivation_abort(&derivation);
7199 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7200 }
7201
7202 status = psa_key_derivation_abort(&derivation);
7203 if (status != PSA_SUCCESS) {
7204 return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
7205 }
7206 }
7207#endif
7208 ret = handshake->tls_prf(handshake->premaster, handshake->pmslen,
7209 lbl, seed, seed_len,
7210 master,
7211 master_secret_len);
7212 if (ret != 0) {
7213 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
7214 return ret;
7215 }
7216
7217 MBEDTLS_SSL_DEBUG_BUF(3, "premaster secret",
7218 handshake->premaster,
7219 handshake->pmslen);
7220
7221 mbedtls_platform_zeroize(handshake->premaster,
7222 sizeof(handshake->premaster));
7223 }
7224
7225 return 0;
7226}
7227
7228int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
7229{
7230 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7231 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
7232 ssl->handshake->ciphersuite_info;
7233
7234 MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive keys"));
7235
7236 /* Set PRF, calc_verify and calc_finished function pointers */
7237 ret = ssl_set_handshake_prfs(ssl->handshake,
7238 (mbedtls_md_type_t) ciphersuite_info->mac);
7239 if (ret != 0) {
7240 MBEDTLS_SSL_DEBUG_RET(1, "ssl_set_handshake_prfs", ret);
7241 return ret;
7242 }
7243
7244 /* Compute master secret if needed */
7245 ret = ssl_compute_master(ssl->handshake,
7246 ssl->session_negotiate->master,
7247 ssl);
7248 if (ret != 0) {
7249 MBEDTLS_SSL_DEBUG_RET(1, "ssl_compute_master", ret);
7250 return ret;
7251 }
7252
7253 /* Swap the client and server random values:
7254 * - MS derivation wanted client+server (RFC 5246 8.1)
7255 * - key derivation wants server+client (RFC 5246 6.3) */
7256 {
7257 unsigned char tmp[64];
7258 memcpy(tmp, ssl->handshake->randbytes, 64);
7259 memcpy(ssl->handshake->randbytes, tmp + 32, 32);
7260 memcpy(ssl->handshake->randbytes + 32, tmp, 32);
7261 mbedtls_platform_zeroize(tmp, sizeof(tmp));
7262 }
7263
7264 /* Populate transform structure */
7265 ret = ssl_tls12_populate_transform(ssl->transform_negotiate,
7266 ssl->session_negotiate->ciphersuite,
7267 ssl->session_negotiate->master,
7268#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
7269 ssl->session_negotiate->encrypt_then_mac,
7270#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
7271 ssl->handshake->tls_prf,
7272 ssl->handshake->randbytes,
7273 ssl->tls_version,
7274 ssl->conf->endpoint,
7275 ssl);
7276 if (ret != 0) {
7277 MBEDTLS_SSL_DEBUG_RET(1, "ssl_tls12_populate_transform", ret);
7278 return ret;
7279 }
7280
7281 /* We no longer need Server/ClientHello.random values */
7282 mbedtls_platform_zeroize(ssl->handshake->randbytes,
7283 sizeof(ssl->handshake->randbytes));
7284
7285 MBEDTLS_SSL_DEBUG_MSG(2, ("<= derive keys"));
7286
7287 return 0;
7288}
7289
7290int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
7291{
7292 switch (md) {
7293#if defined(MBEDTLS_MD_CAN_SHA384)
7294 case MBEDTLS_SSL_HASH_SHA384:
7295 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
7296 break;
7297#endif
7298#if defined(MBEDTLS_MD_CAN_SHA256)
7299 case MBEDTLS_SSL_HASH_SHA256:
7300 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
7301 break;
7302#endif
7303 default:
7304 return -1;
7305 }
7306#if !defined(MBEDTLS_MD_CAN_SHA384) && \
7307 !defined(MBEDTLS_MD_CAN_SHA256)
7308 (void) ssl;
7309#endif
7310 return 0;
7311}
7312
7313#if defined(MBEDTLS_USE_PSA_CRYPTO)
7314static int ssl_calc_verify_tls_psa(const mbedtls_ssl_context *ssl,
7315 const psa_hash_operation_t *hs_op,
7316 size_t buffer_size,
7317 unsigned char *hash,
7318 size_t *hlen)
7319{
7320 psa_status_t status;
7321 psa_hash_operation_t cloned_op = psa_hash_operation_init();
7322
7323#if !defined(MBEDTLS_DEBUG_C)
7324 (void) ssl;
7325#endif
7326 MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify"));
7327 status = psa_hash_clone(hs_op, &cloned_op);
7328 if (status != PSA_SUCCESS) {
7329 goto exit;
7330 }
7331
7332 status = psa_hash_finish(&cloned_op, hash, buffer_size, hlen);
7333 if (status != PSA_SUCCESS) {
7334 goto exit;
7335 }
7336
7337 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
7338 MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
7339
7340exit:
7341 psa_hash_abort(&cloned_op);
7342 return mbedtls_md_error_from_psa(status);
7343}
7344#else
7345static int ssl_calc_verify_tls_legacy(const mbedtls_ssl_context *ssl,
7346 const mbedtls_md_context_t *hs_ctx,
7347 unsigned char *hash,
7348 size_t *hlen)
7349{
7350 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7351 mbedtls_md_context_t cloned_ctx;
7352
7353 mbedtls_md_init(&cloned_ctx);
7354
7355#if !defined(MBEDTLS_DEBUG_C)
7356 (void) ssl;
7357#endif
7358 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify"));
7359
7360 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
7361 if (ret != 0) {
7362 goto exit;
7363 }
7364 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
7365 if (ret != 0) {
7366 goto exit;
7367 }
7368
7369 ret = mbedtls_md_finish(&cloned_ctx, hash);
7370 if (ret != 0) {
7371 goto exit;
7372 }
7373
7374 *hlen = mbedtls_md_get_size(mbedtls_md_info_from_ctx(hs_ctx));
7375
7376 MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
7377 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
7378
7379exit:
7380 mbedtls_md_free(&cloned_ctx);
7381 return ret;
7382}
7383#endif /* MBEDTLS_USE_PSA_CRYPTO */
7384
7385#if defined(MBEDTLS_MD_CAN_SHA256)
7386int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
7387 unsigned char *hash,
7388 size_t *hlen)
7389{
7390#if defined(MBEDTLS_USE_PSA_CRYPTO)
7391 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha256_psa, 32,
7392 hash, hlen);
7393#else
7394 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha256,
7395 hash, hlen);
7396#endif /* MBEDTLS_USE_PSA_CRYPTO */
7397}
7398#endif /* MBEDTLS_MD_CAN_SHA256 */
7399
7400#if defined(MBEDTLS_MD_CAN_SHA384)
7401int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
7402 unsigned char *hash,
7403 size_t *hlen)
7404{
7405#if defined(MBEDTLS_USE_PSA_CRYPTO)
7406 return ssl_calc_verify_tls_psa(ssl, &ssl->handshake->fin_sha384_psa, 48,
7407 hash, hlen);
7408#else
7409 return ssl_calc_verify_tls_legacy(ssl, &ssl->handshake->fin_sha384,
7410 hash, hlen);
7411#endif /* MBEDTLS_USE_PSA_CRYPTO */
7412}
7413#endif /* MBEDTLS_MD_CAN_SHA384 */
7414
7415#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
7416 defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
7417int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex)
7418{
7419 unsigned char *p = ssl->handshake->premaster;
7420 unsigned char *end = p + sizeof(ssl->handshake->premaster);
7421 const unsigned char *psk = NULL;
7422 size_t psk_len = 0;
7423 int psk_ret = mbedtls_ssl_get_psk(ssl, &psk, &psk_len);
7424
7425 if (psk_ret == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) {
7426 /*
7427 * This should never happen because the existence of a PSK is always
7428 * checked before calling this function.
7429 *
7430 * The exception is opaque DHE-PSK. For DHE-PSK fill premaster with
7431 * the shared secret without PSK.
7432 */
7433 if (key_ex != MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
7434 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7435 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7436 }
7437 }
7438
7439 /*
7440 * PMS = struct {
7441 * opaque other_secret<0..2^16-1>;
7442 * opaque psk<0..2^16-1>;
7443 * };
7444 * with "other_secret" depending on the particular key exchange
7445 */
7446#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
7447 if (key_ex == MBEDTLS_KEY_EXCHANGE_PSK) {
7448 if (end - p < 2) {
7449 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7450 }
7451
7452 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
7453 p += 2;
7454
7455 if (end < p || (size_t) (end - p) < psk_len) {
7456 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7457 }
7458
7459 memset(p, 0, psk_len);
7460 p += psk_len;
7461 } else
7462#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
7463#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
7464 if (key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7465 /*
7466 * other_secret already set by the ClientKeyExchange message,
7467 * and is 48 bytes long
7468 */
7469 if (end - p < 2) {
7470 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7471 }
7472
7473 *p++ = 0;
7474 *p++ = 48;
7475 p += 48;
7476 } else
7477#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
7478#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
7479 if (key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK) {
7480 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7481 size_t len;
7482
7483 /* Write length only when we know the actual value */
7484 if ((ret = mbedtls_dhm_calc_secret(&ssl->handshake->dhm_ctx,
7485 p + 2, (size_t) (end - (p + 2)), &len,
7486 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
7487 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_dhm_calc_secret", ret);
7488 return ret;
7489 }
7490 MBEDTLS_PUT_UINT16_BE(len, p, 0);
7491 p += 2 + len;
7492
7493 MBEDTLS_SSL_DEBUG_MPI(3, "DHM: K ", &ssl->handshake->dhm_ctx.K);
7494 } else
7495#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
7496#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
7497 if (key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) {
7498 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7499 size_t zlen;
7500
7501 if ((ret = mbedtls_ecdh_calc_secret(&ssl->handshake->ecdh_ctx, &zlen,
7502 p + 2, (size_t) (end - (p + 2)),
7503 ssl->conf->f_rng, ssl->conf->p_rng)) != 0) {
7504 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ecdh_calc_secret", ret);
7505 return ret;
7506 }
7507
7508 MBEDTLS_PUT_UINT16_BE(zlen, p, 0);
7509 p += 2 + zlen;
7510
7511 MBEDTLS_SSL_DEBUG_ECDH(3, &ssl->handshake->ecdh_ctx,
7512 MBEDTLS_DEBUG_ECDH_Z);
7513 } else
7514#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
7515 {
7516 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7517 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7518 }
7519
7520 /* opaque psk<0..2^16-1>; */
7521 if (end - p < 2) {
7522 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7523 }
7524
7525 MBEDTLS_PUT_UINT16_BE(psk_len, p, 0);
7526 p += 2;
7527
7528 if (end < p || (size_t) (end - p) < psk_len) {
7529 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
7530 }
7531
7532 memcpy(p, psk, psk_len);
7533 p += psk_len;
7534
7535 ssl->handshake->pmslen = (size_t) (p - ssl->handshake->premaster);
7536
7537 return 0;
7538}
7539#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
7540
7541#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
7542MBEDTLS_CHECK_RETURN_CRITICAL
7543static int ssl_write_hello_request(mbedtls_ssl_context *ssl);
7544
7545#if defined(MBEDTLS_SSL_PROTO_DTLS)
7546int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl)
7547{
7548 /* If renegotiation is not enforced, retransmit until we would reach max
7549 * timeout if we were using the usual handshake doubling scheme */
7550 if (ssl->conf->renego_max_records < 0) {
7551 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
7552 unsigned char doublings = 1;
7553
7554 while (ratio != 0) {
7555 ++doublings;
7556 ratio >>= 1;
7557 }
7558
7559 if (++ssl->renego_records_seen > doublings) {
7560 MBEDTLS_SSL_DEBUG_MSG(2, ("no longer retransmitting hello request"));
7561 return 0;
7562 }
7563 }
7564
7565 return ssl_write_hello_request(ssl);
7566}
7567#endif
7568#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
7569
7570/*
7571 * Handshake functions
7572 */
7573#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
7574/* No certificate support -> dummy functions */
7575int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
7576{
7577 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7578 ssl->handshake->ciphersuite_info;
7579
7580 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
7581
7582 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7583 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7584 mbedtls_ssl_handshake_increment_state(ssl);
7585 return 0;
7586 }
7587
7588 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7589 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7590}
7591
7592int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
7593{
7594 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7595 ssl->handshake->ciphersuite_info;
7596
7597 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
7598
7599 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7600 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
7601 mbedtls_ssl_handshake_increment_state(ssl);
7602 return 0;
7603 }
7604
7605 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
7606 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7607}
7608
7609#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
7610/* Some certificate support -> implement write and parse */
7611
7612int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
7613{
7614 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
7615 size_t i, n;
7616 const mbedtls_x509_crt *crt;
7617 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7618 ssl->handshake->ciphersuite_info;
7619
7620 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
7621
7622 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7623 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7624 mbedtls_ssl_handshake_increment_state(ssl);
7625 return 0;
7626 }
7627
7628#if defined(MBEDTLS_SSL_CLI_C)
7629 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7630 if (ssl->handshake->client_auth == 0) {
7631 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write certificate"));
7632 mbedtls_ssl_handshake_increment_state(ssl);
7633 return 0;
7634 }
7635 }
7636#endif /* MBEDTLS_SSL_CLI_C */
7637#if defined(MBEDTLS_SSL_SRV_C)
7638 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7639 if (mbedtls_ssl_own_cert(ssl) == NULL) {
7640 /* Should never happen because we shouldn't have picked the
7641 * ciphersuite if we don't have a certificate. */
7642 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
7643 }
7644 }
7645#endif
7646
7647 MBEDTLS_SSL_DEBUG_CRT(3, "own certificate", mbedtls_ssl_own_cert(ssl));
7648
7649 /*
7650 * 0 . 0 handshake type
7651 * 1 . 3 handshake length
7652 * 4 . 6 length of all certs
7653 * 7 . 9 length of cert. 1
7654 * 10 . n-1 peer certificate
7655 * n . n+2 length of cert. 2
7656 * n+3 . ... upper level cert, etc.
7657 */
7658 i = 7;
7659 crt = mbedtls_ssl_own_cert(ssl);
7660
7661 while (crt != NULL) {
7662 n = crt->raw.len;
7663 if (n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i) {
7664 MBEDTLS_SSL_DEBUG_MSG(1, ("certificate too large, %" MBEDTLS_PRINTF_SIZET
7665 " > %" MBEDTLS_PRINTF_SIZET,
7666 i + 3 + n, (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN));
7667 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
7668 }
7669
7670 ssl->out_msg[i] = MBEDTLS_BYTE_2(n);
7671 ssl->out_msg[i + 1] = MBEDTLS_BYTE_1(n);
7672 ssl->out_msg[i + 2] = MBEDTLS_BYTE_0(n);
7673
7674 i += 3; memcpy(ssl->out_msg + i, crt->raw.p, n);
7675 i += n; crt = crt->next;
7676 }
7677
7678 ssl->out_msg[4] = MBEDTLS_BYTE_2(i - 7);
7679 ssl->out_msg[5] = MBEDTLS_BYTE_1(i - 7);
7680 ssl->out_msg[6] = MBEDTLS_BYTE_0(i - 7);
7681
7682 ssl->out_msglen = i;
7683 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
7684 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
7685
7686 mbedtls_ssl_handshake_increment_state(ssl);
7687
7688 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
7689 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
7690 return ret;
7691 }
7692
7693 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write certificate"));
7694
7695 return ret;
7696}
7697
7698#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7699
7700#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7701MBEDTLS_CHECK_RETURN_CRITICAL
7702static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7703 unsigned char *crt_buf,
7704 size_t crt_buf_len)
7705{
7706 mbedtls_x509_crt const * const peer_crt = ssl->session->peer_cert;
7707
7708 if (peer_crt == NULL) {
7709 return -1;
7710 }
7711
7712 if (peer_crt->raw.len != crt_buf_len) {
7713 return -1;
7714 }
7715
7716 return memcmp(peer_crt->raw.p, crt_buf, peer_crt->raw.len);
7717}
7718#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7719MBEDTLS_CHECK_RETURN_CRITICAL
7720static int ssl_check_peer_crt_unchanged(mbedtls_ssl_context *ssl,
7721 unsigned char *crt_buf,
7722 size_t crt_buf_len)
7723{
7724 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7725 unsigned char const * const peer_cert_digest =
7726 ssl->session->peer_cert_digest;
7727 mbedtls_md_type_t const peer_cert_digest_type =
7728 ssl->session->peer_cert_digest_type;
7729 mbedtls_md_info_t const * const digest_info =
7730 mbedtls_md_info_from_type(peer_cert_digest_type);
7731 unsigned char tmp_digest[MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN];
7732 size_t digest_len;
7733
7734 if (peer_cert_digest == NULL || digest_info == NULL) {
7735 return -1;
7736 }
7737
7738 digest_len = mbedtls_md_get_size(digest_info);
7739 if (digest_len > MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN) {
7740 return -1;
7741 }
7742
7743 ret = mbedtls_md(digest_info, crt_buf, crt_buf_len, tmp_digest);
7744 if (ret != 0) {
7745 return -1;
7746 }
7747
7748 return memcmp(tmp_digest, peer_cert_digest, digest_len);
7749}
7750#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7751#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7752
7753/*
7754 * Once the certificate message is read, parse it into a cert chain and
7755 * perform basic checks, but leave actual verification to the caller
7756 */
7757MBEDTLS_CHECK_RETURN_CRITICAL
7758static int ssl_parse_certificate_chain(mbedtls_ssl_context *ssl,
7759 mbedtls_x509_crt *chain)
7760{
7761 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7762#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7763 int crt_cnt = 0;
7764#endif
7765 size_t i, n;
7766 uint8_t alert;
7767
7768 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
7769 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7770 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7771 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7772 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7773 }
7774
7775 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE) {
7776 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7777 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
7778 return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
7779 }
7780
7781 if (ssl->in_hslen < mbedtls_ssl_hs_hdr_len(ssl) + 3 + 3) {
7782 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7783 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7784 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7785 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7786 }
7787
7788 i = mbedtls_ssl_hs_hdr_len(ssl);
7789
7790 /*
7791 * Same message structure as in mbedtls_ssl_write_certificate()
7792 */
7793 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
7794
7795 if (ssl->in_msg[i] != 0 ||
7796 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len(ssl)) {
7797 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7798 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7799 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7800 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7801 }
7802
7803 /* Make &ssl->in_msg[i] point to the beginning of the CRT chain. */
7804 i += 3;
7805
7806 /* Iterate through and parse the CRTs in the provided chain. */
7807 while (i < ssl->in_hslen) {
7808 /* Check that there's room for the next CRT's length fields. */
7809 if (i + 3 > ssl->in_hslen) {
7810 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7811 mbedtls_ssl_send_alert_message(ssl,
7812 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7813 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7814 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7815 }
7816 /* In theory, the CRT can be up to 2**24 Bytes, but we don't support
7817 * anything beyond 2**16 ~ 64K. */
7818 if (ssl->in_msg[i] != 0) {
7819 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7820 mbedtls_ssl_send_alert_message(ssl,
7821 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7822 MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT);
7823 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7824 }
7825
7826 /* Read length of the next CRT in the chain. */
7827 n = MBEDTLS_GET_UINT16_BE(ssl->in_msg, i + 1);
7828 i += 3;
7829
7830 if (n < 128 || i + n > ssl->in_hslen) {
7831 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate message"));
7832 mbedtls_ssl_send_alert_message(ssl,
7833 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7834 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
7835 return MBEDTLS_ERR_SSL_DECODE_ERROR;
7836 }
7837
7838 /* Check if we're handling the first CRT in the chain. */
7839#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
7840 if (crt_cnt++ == 0 &&
7841 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
7842 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
7843 /* During client-side renegotiation, check that the server's
7844 * end-CRTs hasn't changed compared to the initial handshake,
7845 * mitigating the triple handshake attack. On success, reuse
7846 * the original end-CRT instead of parsing it again. */
7847 MBEDTLS_SSL_DEBUG_MSG(3, ("Check that peer CRT hasn't changed during renegotiation"));
7848 if (ssl_check_peer_crt_unchanged(ssl,
7849 &ssl->in_msg[i],
7850 n) != 0) {
7851 MBEDTLS_SSL_DEBUG_MSG(1, ("new server cert during renegotiation"));
7852 mbedtls_ssl_send_alert_message(ssl,
7853 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7854 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED);
7855 return MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
7856 }
7857
7858 /* Now we can safely free the original chain. */
7859 ssl_clear_peer_cert(ssl->session);
7860 }
7861#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
7862
7863 /* Parse the next certificate in the chain. */
7864#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7865 ret = mbedtls_x509_crt_parse_der(chain, ssl->in_msg + i, n);
7866#else
7867 /* If we don't need to store the CRT chain permanently, parse
7868 * it in-place from the input buffer instead of making a copy. */
7869 ret = mbedtls_x509_crt_parse_der_nocopy(chain, ssl->in_msg + i, n);
7870#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
7871 switch (ret) {
7872 case 0: /*ok*/
7873 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
7874 /* Ignore certificate with an unknown algorithm: maybe a
7875 prior certificate was already trusted. */
7876 break;
7877
7878 case MBEDTLS_ERR_X509_ALLOC_FAILED:
7879 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
7880 goto crt_parse_der_failed;
7881
7882 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
7883 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
7884 goto crt_parse_der_failed;
7885
7886 default:
7887 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
7888crt_parse_der_failed:
7889 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert);
7890 MBEDTLS_SSL_DEBUG_RET(1, " mbedtls_x509_crt_parse_der", ret);
7891 return ret;
7892 }
7893
7894 i += n;
7895 }
7896
7897 MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", chain);
7898 return 0;
7899}
7900
7901#if defined(MBEDTLS_SSL_SRV_C)
7902MBEDTLS_CHECK_RETURN_CRITICAL
7903static int ssl_srv_check_client_no_crt_notification(mbedtls_ssl_context *ssl)
7904{
7905 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
7906 return -1;
7907 }
7908
7909 if (ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len(ssl) &&
7910 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
7911 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
7912 memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl), "\0\0\0", 3) == 0) {
7913 MBEDTLS_SSL_DEBUG_MSG(1, ("peer has no certificate"));
7914 return 0;
7915 }
7916 return -1;
7917}
7918#endif /* MBEDTLS_SSL_SRV_C */
7919
7920/* Check if a certificate message is expected.
7921 * Return either
7922 * - SSL_CERTIFICATE_EXPECTED, or
7923 * - SSL_CERTIFICATE_SKIP
7924 * indicating whether a Certificate message is expected or not.
7925 */
7926#define SSL_CERTIFICATE_EXPECTED 0
7927#define SSL_CERTIFICATE_SKIP 1
7928MBEDTLS_CHECK_RETURN_CRITICAL
7929static int ssl_parse_certificate_coordinate(mbedtls_ssl_context *ssl,
7930 int authmode)
7931{
7932 const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
7933 ssl->handshake->ciphersuite_info;
7934
7935 if (!mbedtls_ssl_ciphersuite_uses_srv_cert(ciphersuite_info)) {
7936 ssl->session_negotiate->verify_result = 0;
7937 return SSL_CERTIFICATE_SKIP;
7938 }
7939
7940#if defined(MBEDTLS_SSL_SRV_C)
7941 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
7942 if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK) {
7943 return SSL_CERTIFICATE_SKIP;
7944 }
7945
7946 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
7947 ssl->session_negotiate->verify_result =
7948 MBEDTLS_X509_BADCERT_SKIP_VERIFY;
7949 return SSL_CERTIFICATE_SKIP;
7950 }
7951 }
7952#else
7953 ((void) authmode);
7954#endif /* MBEDTLS_SSL_SRV_C */
7955
7956 return SSL_CERTIFICATE_EXPECTED;
7957}
7958
7959#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
7960MBEDTLS_CHECK_RETURN_CRITICAL
7961static int ssl_remember_peer_crt_digest(mbedtls_ssl_context *ssl,
7962 unsigned char *start, size_t len)
7963{
7964 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7965 /* Remember digest of the peer's end-CRT. */
7966 ssl->session_negotiate->peer_cert_digest =
7967 mbedtls_calloc(1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN);
7968 if (ssl->session_negotiate->peer_cert_digest == NULL) {
7969 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%d bytes) failed",
7970 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN));
7971 mbedtls_ssl_send_alert_message(ssl,
7972 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
7973 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
7974
7975 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
7976 }
7977
7978 ret = mbedtls_md(mbedtls_md_info_from_type(
7979 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
7980 start, len,
7981 ssl->session_negotiate->peer_cert_digest);
7982
7983 ssl->session_negotiate->peer_cert_digest_type =
7984 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
7985 ssl->session_negotiate->peer_cert_digest_len =
7986 MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
7987
7988 return ret;
7989}
7990
7991MBEDTLS_CHECK_RETURN_CRITICAL
7992static int ssl_remember_peer_pubkey(mbedtls_ssl_context *ssl,
7993 unsigned char *start, size_t len)
7994{
7995 unsigned char *end = start + len;
7996 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
7997
7998 /* Make a copy of the peer's raw public key. */
7999 mbedtls_pk_init(&ssl->handshake->peer_pubkey);
8000 ret = mbedtls_pk_parse_subpubkey(&start, end,
8001 &ssl->handshake->peer_pubkey);
8002 if (ret != 0) {
8003 /* We should have parsed the public key before. */
8004 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8005 }
8006
8007 return 0;
8008}
8009#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8010
8011int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
8012{
8013 int ret = 0;
8014 int crt_expected;
8015 /* Authmode: precedence order is SNI if used else configuration */
8016#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
8017 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
8018 ? ssl->handshake->sni_authmode
8019 : ssl->conf->authmode;
8020#else
8021 const int authmode = ssl->conf->authmode;
8022#endif
8023 void *rs_ctx = NULL;
8024 mbedtls_x509_crt *chain = NULL;
8025
8026 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate"));
8027
8028 crt_expected = ssl_parse_certificate_coordinate(ssl, authmode);
8029 if (crt_expected == SSL_CERTIFICATE_SKIP) {
8030 MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse certificate"));
8031 goto exit;
8032 }
8033
8034#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8035 if (ssl->handshake->ecrs_enabled &&
8036 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify) {
8037 chain = ssl->handshake->ecrs_peer_cert;
8038 ssl->handshake->ecrs_peer_cert = NULL;
8039 goto crt_verify;
8040 }
8041#endif
8042
8043 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
8044 /* mbedtls_ssl_read_record may have sent an alert already. We
8045 let it decide whether to alert. */
8046 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
8047 goto exit;
8048 }
8049
8050#if defined(MBEDTLS_SSL_SRV_C)
8051 if (ssl_srv_check_client_no_crt_notification(ssl) == 0) {
8052 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
8053
8054 if (authmode != MBEDTLS_SSL_VERIFY_OPTIONAL) {
8055 ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
8056 }
8057
8058 goto exit;
8059 }
8060#endif /* MBEDTLS_SSL_SRV_C */
8061
8062 /* Clear existing peer CRT structure in case we tried to
8063 * reuse a session but it failed, and allocate a new one. */
8064 ssl_clear_peer_cert(ssl->session_negotiate);
8065
8066 chain = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
8067 if (chain == NULL) {
8068 MBEDTLS_SSL_DEBUG_MSG(1, ("alloc(%" MBEDTLS_PRINTF_SIZET " bytes) failed",
8069 sizeof(mbedtls_x509_crt)));
8070 mbedtls_ssl_send_alert_message(ssl,
8071 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8072 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
8073
8074 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
8075 goto exit;
8076 }
8077 mbedtls_x509_crt_init(chain);
8078
8079 ret = ssl_parse_certificate_chain(ssl, chain);
8080 if (ret != 0) {
8081 goto exit;
8082 }
8083
8084#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8085 if (ssl->handshake->ecrs_enabled) {
8086 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
8087 }
8088
8089crt_verify:
8090 if (ssl->handshake->ecrs_enabled) {
8091 rs_ctx = &ssl->handshake->ecrs_ctx;
8092 }
8093#endif
8094
8095 ret = mbedtls_ssl_verify_certificate(ssl, authmode, chain,
8096 ssl->handshake->ciphersuite_info,
8097 rs_ctx);
8098 if (ret != 0) {
8099 goto exit;
8100 }
8101
8102#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
8103 {
8104 unsigned char *crt_start, *pk_start;
8105 size_t crt_len, pk_len;
8106
8107 /* We parse the CRT chain without copying, so
8108 * these pointers point into the input buffer,
8109 * and are hence still valid after freeing the
8110 * CRT chain. */
8111
8112 crt_start = chain->raw.p;
8113 crt_len = chain->raw.len;
8114
8115 pk_start = chain->pk_raw.p;
8116 pk_len = chain->pk_raw.len;
8117
8118 /* Free the CRT structures before computing
8119 * digest and copying the peer's public key. */
8120 mbedtls_x509_crt_free(chain);
8121 mbedtls_free(chain);
8122 chain = NULL;
8123
8124 ret = ssl_remember_peer_crt_digest(ssl, crt_start, crt_len);
8125 if (ret != 0) {
8126 goto exit;
8127 }
8128
8129 ret = ssl_remember_peer_pubkey(ssl, pk_start, pk_len);
8130 if (ret != 0) {
8131 goto exit;
8132 }
8133 }
8134#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8135 /* Pass ownership to session structure. */
8136 ssl->session_negotiate->peer_cert = chain;
8137 chain = NULL;
8138#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
8139
8140 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate"));
8141
8142exit:
8143
8144 if (ret == 0) {
8145 mbedtls_ssl_handshake_increment_state(ssl);
8146 }
8147
8148#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
8149 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
8150 ssl->handshake->ecrs_peer_cert = chain;
8151 chain = NULL;
8152 }
8153#endif
8154
8155 if (chain != NULL) {
8156 mbedtls_x509_crt_free(chain);
8157 mbedtls_free(chain);
8158 }
8159
8160 return ret;
8161}
8162#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
8163
8164static int ssl_calc_finished_tls_generic(mbedtls_ssl_context *ssl, void *ctx,
8165 unsigned char *padbuf, size_t hlen,
8166 unsigned char *buf, int from)
8167{
8168 unsigned int len = 12;
8169 const char *sender;
8170#if defined(MBEDTLS_USE_PSA_CRYPTO)
8171 psa_status_t status;
8172 psa_hash_operation_t *hs_op = ctx;
8173 psa_hash_operation_t cloned_op = PSA_HASH_OPERATION_INIT;
8174 size_t hash_size;
8175#else
8176 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8177 mbedtls_md_context_t *hs_ctx = ctx;
8178 mbedtls_md_context_t cloned_ctx;
8179 mbedtls_md_init(&cloned_ctx);
8180#endif
8181
8182 mbedtls_ssl_session *session = ssl->session_negotiate;
8183 if (!session) {
8184 session = ssl->session;
8185 }
8186
8187 sender = (from == MBEDTLS_SSL_IS_CLIENT)
8188 ? "client finished"
8189 : "server finished";
8190
8191#if defined(MBEDTLS_USE_PSA_CRYPTO)
8192 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc PSA finished tls"));
8193
8194 status = psa_hash_clone(hs_op, &cloned_op);
8195 if (status != PSA_SUCCESS) {
8196 goto exit;
8197 }
8198
8199 status = psa_hash_finish(&cloned_op, padbuf, hlen, &hash_size);
8200 if (status != PSA_SUCCESS) {
8201 goto exit;
8202 }
8203 MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, hlen);
8204#else
8205 MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc finished tls"));
8206
8207 ret = mbedtls_md_setup(&cloned_ctx, mbedtls_md_info_from_ctx(hs_ctx), 0);
8208 if (ret != 0) {
8209 goto exit;
8210 }
8211 ret = mbedtls_md_clone(&cloned_ctx, hs_ctx);
8212 if (ret != 0) {
8213 goto exit;
8214 }
8215
8216 ret = mbedtls_md_finish(&cloned_ctx, padbuf);
8217 if (ret != 0) {
8218 goto exit;
8219 }
8220#endif /* MBEDTLS_USE_PSA_CRYPTO */
8221
8222 MBEDTLS_SSL_DEBUG_BUF(4, "finished output", padbuf, hlen);
8223
8224 /*
8225 * TLSv1.2:
8226 * hash = PRF( master, finished_label,
8227 * Hash( handshake ) )[0.11]
8228 */
8229 ssl->handshake->tls_prf(session->master, 48, sender,
8230 padbuf, hlen, buf, len);
8231
8232 MBEDTLS_SSL_DEBUG_BUF(3, "calc finished result", buf, len);
8233
8234 mbedtls_platform_zeroize(padbuf, hlen);
8235
8236 MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
8237
8238exit:
8239#if defined(MBEDTLS_USE_PSA_CRYPTO)
8240 psa_hash_abort(&cloned_op);
8241 return mbedtls_md_error_from_psa(status);
8242#else
8243 mbedtls_md_free(&cloned_ctx);
8244 return ret;
8245#endif /* MBEDTLS_USE_PSA_CRYPTO */
8246}
8247
8248#if defined(MBEDTLS_MD_CAN_SHA256)
8249static int ssl_calc_finished_tls_sha256(
8250 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
8251{
8252 unsigned char padbuf[32];
8253 return ssl_calc_finished_tls_generic(ssl,
8254#if defined(MBEDTLS_USE_PSA_CRYPTO)
8255 &ssl->handshake->fin_sha256_psa,
8256#else
8257 &ssl->handshake->fin_sha256,
8258#endif
8259 padbuf, sizeof(padbuf),
8260 buf, from);
8261}
8262#endif /* MBEDTLS_MD_CAN_SHA256*/
8263
8264
8265#if defined(MBEDTLS_MD_CAN_SHA384)
8266static int ssl_calc_finished_tls_sha384(
8267 mbedtls_ssl_context *ssl, unsigned char *buf, int from)
8268{
8269 unsigned char padbuf[48];
8270 return ssl_calc_finished_tls_generic(ssl,
8271#if defined(MBEDTLS_USE_PSA_CRYPTO)
8272 &ssl->handshake->fin_sha384_psa,
8273#else
8274 &ssl->handshake->fin_sha384,
8275#endif
8276 padbuf, sizeof(padbuf),
8277 buf, from);
8278}
8279#endif /* MBEDTLS_MD_CAN_SHA384*/
8280
8281void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl)
8282{
8283 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup: final free"));
8284
8285 /*
8286 * Free our handshake params
8287 */
8288 mbedtls_ssl_handshake_free(ssl);
8289 mbedtls_free(ssl->handshake);
8290 ssl->handshake = NULL;
8291
8292 /*
8293 * Free the previous transform and switch in the current one
8294 */
8295 if (ssl->transform) {
8296 mbedtls_ssl_transform_free(ssl->transform);
8297 mbedtls_free(ssl->transform);
8298 }
8299 ssl->transform = ssl->transform_negotiate;
8300 ssl->transform_negotiate = NULL;
8301
8302 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup: final free"));
8303}
8304
8305void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
8306{
8307 int resume = ssl->handshake->resume;
8308
8309 MBEDTLS_SSL_DEBUG_MSG(3, ("=> handshake wrapup"));
8310
8311#if defined(MBEDTLS_SSL_RENEGOTIATION)
8312 if (ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS) {
8313 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
8314 ssl->renego_records_seen = 0;
8315 }
8316#endif
8317
8318 /*
8319 * Free the previous session and switch in the current one
8320 */
8321 if (ssl->session) {
8322#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8323 /* RFC 7366 3.1: keep the EtM state */
8324 ssl->session_negotiate->encrypt_then_mac =
8325 ssl->session->encrypt_then_mac;
8326#endif
8327
8328 mbedtls_ssl_session_free(ssl->session);
8329 mbedtls_free(ssl->session);
8330 }
8331 ssl->session = ssl->session_negotiate;
8332 ssl->session_negotiate = NULL;
8333
8334 /*
8335 * Add cache entry
8336 */
8337 if (ssl->conf->f_set_cache != NULL &&
8338 ssl->session->id_len != 0 &&
8339 resume == 0) {
8340 if (ssl->conf->f_set_cache(ssl->conf->p_cache,
8341 ssl->session->id,
8342 ssl->session->id_len,
8343 ssl->session) != 0) {
8344 MBEDTLS_SSL_DEBUG_MSG(1, ("cache did not store session"));
8345 }
8346 }
8347
8348#if defined(MBEDTLS_SSL_PROTO_DTLS)
8349 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8350 ssl->handshake->flight != NULL) {
8351 /* Cancel handshake timer */
8352 mbedtls_ssl_set_timer(ssl, 0);
8353
8354 /* Keep last flight around in case we need to resend it:
8355 * we need the handshake and transform structures for that */
8356 MBEDTLS_SSL_DEBUG_MSG(3, ("skip freeing handshake and transform"));
8357 } else
8358#endif
8359 mbedtls_ssl_handshake_wrapup_free_hs_transform(ssl);
8360
8361 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
8362
8363 MBEDTLS_SSL_DEBUG_MSG(3, ("<= handshake wrapup"));
8364}
8365
8366int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
8367{
8368 int ret;
8369 unsigned int hash_len;
8370
8371 MBEDTLS_SSL_DEBUG_MSG(2, ("=> write finished"));
8372
8373 mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
8374
8375 ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
8376 if (ret != 0) {
8377 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
8378 return ret;
8379 }
8380
8381 /*
8382 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
8383 * may define some other value. Currently (early 2016), no defined
8384 * ciphersuite does this (and this is unlikely to change as activity has
8385 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
8386 */
8387 hash_len = 12;
8388
8389#if defined(MBEDTLS_SSL_RENEGOTIATION)
8390 ssl->verify_data_len = hash_len;
8391 memcpy(ssl->own_verify_data, ssl->out_msg + 4, hash_len);
8392#endif
8393
8394 ssl->out_msglen = 4 + hash_len;
8395 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
8396 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
8397
8398 /*
8399 * In case of session resuming, invert the client and server
8400 * ChangeCipherSpec messages order.
8401 */
8402 if (ssl->handshake->resume != 0) {
8403#if defined(MBEDTLS_SSL_CLI_C)
8404 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8405 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
8406 }
8407#endif
8408#if defined(MBEDTLS_SSL_SRV_C)
8409 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8410 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
8411 }
8412#endif
8413 } else {
8414 mbedtls_ssl_handshake_increment_state(ssl);
8415 }
8416
8417 /*
8418 * Switch to our negotiated transform and session parameters for outbound
8419 * data.
8420 */
8421 MBEDTLS_SSL_DEBUG_MSG(3, ("switching to new transform spec for outbound data"));
8422
8423#if defined(MBEDTLS_SSL_PROTO_DTLS)
8424 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8425 unsigned char i;
8426
8427 /* Remember current epoch settings for resending */
8428 ssl->handshake->alt_transform_out = ssl->transform_out;
8429 memcpy(ssl->handshake->alt_out_ctr, ssl->cur_out_ctr,
8430 sizeof(ssl->handshake->alt_out_ctr));
8431
8432 /* Set sequence_number to zero */
8433 memset(&ssl->cur_out_ctr[2], 0, sizeof(ssl->cur_out_ctr) - 2);
8434
8435
8436 /* Increment epoch */
8437 for (i = 2; i > 0; i--) {
8438 if (++ssl->cur_out_ctr[i - 1] != 0) {
8439 break;
8440 }
8441 }
8442
8443 /* The loop goes to its end iff the counter is wrapping */
8444 if (i == 0) {
8445 MBEDTLS_SSL_DEBUG_MSG(1, ("DTLS epoch would wrap"));
8446 return MBEDTLS_ERR_SSL_COUNTER_WRAPPING;
8447 }
8448 } else
8449#endif /* MBEDTLS_SSL_PROTO_DTLS */
8450 memset(ssl->cur_out_ctr, 0, sizeof(ssl->cur_out_ctr));
8451
8452 ssl->transform_out = ssl->transform_negotiate;
8453 ssl->session_out = ssl->session_negotiate;
8454
8455#if defined(MBEDTLS_SSL_PROTO_DTLS)
8456 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8457 mbedtls_ssl_send_flight_completed(ssl);
8458 }
8459#endif
8460
8461 if ((ret = mbedtls_ssl_write_handshake_msg(ssl)) != 0) {
8462 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_write_handshake_msg", ret);
8463 return ret;
8464 }
8465
8466#if defined(MBEDTLS_SSL_PROTO_DTLS)
8467 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8468 (ret = mbedtls_ssl_flight_transmit(ssl)) != 0) {
8469 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_flight_transmit", ret);
8470 return ret;
8471 }
8472#endif
8473
8474 MBEDTLS_SSL_DEBUG_MSG(2, ("<= write finished"));
8475
8476 return 0;
8477}
8478
8479#define SSL_MAX_HASH_LEN 12
8480
8481int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
8482{
8483 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
8484 unsigned int hash_len = 12;
8485 unsigned char buf[SSL_MAX_HASH_LEN];
8486
8487 MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
8488
8489 ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
8490 if (ret != 0) {
8491 MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
8492 return ret;
8493 }
8494
8495 if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
8496 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
8497 goto exit;
8498 }
8499
8500 if (ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) {
8501 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8502 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8503 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8504 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8505 goto exit;
8506 }
8507
8508 if (ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED) {
8509 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8510 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE);
8511 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
8512 goto exit;
8513 }
8514
8515 if (ssl->in_hslen != mbedtls_ssl_hs_hdr_len(ssl) + hash_len) {
8516 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8517 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8518 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR);
8519 ret = MBEDTLS_ERR_SSL_DECODE_ERROR;
8520 goto exit;
8521 }
8522
8523 if (mbedtls_ct_memcmp(ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl),
8524 buf, hash_len) != 0) {
8525 MBEDTLS_SSL_DEBUG_MSG(1, ("bad finished message"));
8526 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8527 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR);
8528 ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
8529 goto exit;
8530 }
8531
8532#if defined(MBEDTLS_SSL_RENEGOTIATION)
8533 ssl->verify_data_len = hash_len;
8534 memcpy(ssl->peer_verify_data, buf, hash_len);
8535#endif
8536
8537 if (ssl->handshake->resume != 0) {
8538#if defined(MBEDTLS_SSL_CLI_C)
8539 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
8540 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC);
8541 }
8542#endif
8543#if defined(MBEDTLS_SSL_SRV_C)
8544 if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
8545 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
8546 }
8547#endif
8548 } else {
8549 mbedtls_ssl_handshake_increment_state(ssl);
8550 }
8551
8552#if defined(MBEDTLS_SSL_PROTO_DTLS)
8553 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
8554 mbedtls_ssl_recv_flight_completed(ssl);
8555 }
8556#endif
8557
8558 MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse finished"));
8559
8560exit:
8561 mbedtls_platform_zeroize(buf, hash_len);
8562 return ret;
8563}
8564
8565#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
8566/*
8567 * Helper to get TLS 1.2 PRF from ciphersuite
8568 * (Duplicates bits of logic from ssl_set_handshake_prfs().)
8569 */
8570static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
8571{
8572 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
8573 mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
8574#if defined(MBEDTLS_MD_CAN_SHA384)
8575 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
8576 return tls_prf_sha384;
8577 } else
8578#endif
8579#if defined(MBEDTLS_MD_CAN_SHA256)
8580 {
8581 if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
8582 return tls_prf_sha256;
8583 }
8584 }
8585#endif
8586#if !defined(MBEDTLS_MD_CAN_SHA384) && \
8587 !defined(MBEDTLS_MD_CAN_SHA256)
8588 (void) ciphersuite_info;
8589#endif
8590
8591 return NULL;
8592}
8593#endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
8594
8595static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
8596{
8597 ((void) tls_prf);
8598#if defined(MBEDTLS_MD_CAN_SHA384)
8599 if (tls_prf == tls_prf_sha384) {
8600 return MBEDTLS_SSL_TLS_PRF_SHA384;
8601 } else
8602#endif
8603#if defined(MBEDTLS_MD_CAN_SHA256)
8604 if (tls_prf == tls_prf_sha256) {
8605 return MBEDTLS_SSL_TLS_PRF_SHA256;
8606 } else
8607#endif
8608 return MBEDTLS_SSL_TLS_PRF_NONE;
8609}
8610
8611/*
8612 * Populate a transform structure with session keys and all the other
8613 * necessary information.
8614 *
8615 * Parameters:
8616 * - [in/out]: transform: structure to populate
8617 * [in] must be just initialised with mbedtls_ssl_transform_init()
8618 * [out] fully populated, ready for use by mbedtls_ssl_{en,de}crypt_buf()
8619 * - [in] ciphersuite
8620 * - [in] master
8621 * - [in] encrypt_then_mac
8622 * - [in] tls_prf: pointer to PRF to use for key derivation
8623 * - [in] randbytes: buffer holding ServerHello.random + ClientHello.random
8624 * - [in] tls_version: TLS version
8625 * - [in] endpoint: client or server
8626 * - [in] ssl: used for:
8627 * - ssl->conf->{f,p}_export_keys
8628 * [in] optionally used for:
8629 * - MBEDTLS_DEBUG_C: ssl->conf->{f,p}_dbg
8630 */
8631MBEDTLS_CHECK_RETURN_CRITICAL
8632static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
8633 int ciphersuite,
8634 const unsigned char master[48],
8635#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8636 int encrypt_then_mac,
8637#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8638 ssl_tls_prf_t tls_prf,
8639 const unsigned char randbytes[64],
8640 mbedtls_ssl_protocol_version tls_version,
8641 unsigned endpoint,
8642 const mbedtls_ssl_context *ssl)
8643{
8644 int ret = 0;
8645 unsigned char keyblk[256];
8646 unsigned char *key1;
8647 unsigned char *key2;
8648 unsigned char *mac_enc;
8649 unsigned char *mac_dec;
8650 size_t mac_key_len = 0;
8651 size_t iv_copy_len;
8652 size_t keylen;
8653 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
8654 mbedtls_ssl_mode_t ssl_mode;
8655#if !defined(MBEDTLS_USE_PSA_CRYPTO)
8656 const mbedtls_cipher_info_t *cipher_info;
8657 const mbedtls_md_info_t *md_info;
8658#endif /* !MBEDTLS_USE_PSA_CRYPTO */
8659
8660#if defined(MBEDTLS_USE_PSA_CRYPTO)
8661 psa_key_type_t key_type;
8662 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
8663 psa_algorithm_t alg;
8664 psa_algorithm_t mac_alg = 0;
8665 size_t key_bits;
8666 psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
8667#endif
8668
8669 /*
8670 * Some data just needs copying into the structure
8671 */
8672#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8673 transform->encrypt_then_mac = encrypt_then_mac;
8674#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8675 transform->tls_version = tls_version;
8676
8677#if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
8678 memcpy(transform->randbytes, randbytes, sizeof(transform->randbytes));
8679#endif
8680
8681#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
8682 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
8683 /* At the moment, we keep TLS <= 1.2 and TLS 1.3 transform
8684 * generation separate. This should never happen. */
8685 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8686 }
8687#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
8688
8689 /*
8690 * Get various info structures
8691 */
8692 ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(ciphersuite);
8693 if (ciphersuite_info == NULL) {
8694 MBEDTLS_SSL_DEBUG_MSG(1, ("ciphersuite info for %d not found",
8695 ciphersuite));
8696 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8697 }
8698
8699 ssl_mode = mbedtls_ssl_get_mode_from_ciphersuite(
8700#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
8701 encrypt_then_mac,
8702#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
8703 ciphersuite_info);
8704
8705 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8706 transform->taglen =
8707 ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
8708 }
8709
8710#if defined(MBEDTLS_USE_PSA_CRYPTO)
8711 if ((status = mbedtls_ssl_cipher_to_psa((mbedtls_cipher_type_t) ciphersuite_info->cipher,
8712 transform->taglen,
8713 &alg,
8714 &key_type,
8715 &key_bits)) != PSA_SUCCESS) {
8716 ret = PSA_TO_MBEDTLS_ERR(status);
8717 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", ret);
8718 goto end;
8719 }
8720#else
8721 cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) ciphersuite_info->cipher);
8722 if (cipher_info == NULL) {
8723 MBEDTLS_SSL_DEBUG_MSG(1, ("cipher info for %u not found",
8724 ciphersuite_info->cipher));
8725 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8726 }
8727#endif /* MBEDTLS_USE_PSA_CRYPTO */
8728
8729#if defined(MBEDTLS_USE_PSA_CRYPTO)
8730 mac_alg = mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
8731 if (mac_alg == 0) {
8732 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md_psa_alg_from_type for %u not found",
8733 (unsigned) ciphersuite_info->mac));
8734 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8735 }
8736#else
8737 md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) ciphersuite_info->mac);
8738 if (md_info == NULL) {
8739 MBEDTLS_SSL_DEBUG_MSG(1, ("mbedtls_md info for %u not found",
8740 (unsigned) ciphersuite_info->mac));
8741 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
8742 }
8743#endif /* MBEDTLS_USE_PSA_CRYPTO */
8744
8745#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
8746 /* Copy own and peer's CID if the use of the CID
8747 * extension has been negotiated. */
8748 if (ssl->handshake->cid_in_use == MBEDTLS_SSL_CID_ENABLED) {
8749 MBEDTLS_SSL_DEBUG_MSG(3, ("Copy CIDs into SSL transform"));
8750
8751 transform->in_cid_len = ssl->own_cid_len;
8752 memcpy(transform->in_cid, ssl->own_cid, ssl->own_cid_len);
8753 MBEDTLS_SSL_DEBUG_BUF(3, "Incoming CID", transform->in_cid,
8754 transform->in_cid_len);
8755
8756 transform->out_cid_len = ssl->handshake->peer_cid_len;
8757 memcpy(transform->out_cid, ssl->handshake->peer_cid,
8758 ssl->handshake->peer_cid_len);
8759 MBEDTLS_SSL_DEBUG_BUF(3, "Outgoing CID", transform->out_cid,
8760 transform->out_cid_len);
8761 }
8762#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
8763
8764 /*
8765 * Compute key block using the PRF
8766 */
8767 ret = tls_prf(master, 48, "key expansion", randbytes, 64, keyblk, 256);
8768 if (ret != 0) {
8769 MBEDTLS_SSL_DEBUG_RET(1, "prf", ret);
8770 return ret;
8771 }
8772
8773 MBEDTLS_SSL_DEBUG_MSG(3, ("ciphersuite = %s",
8774 mbedtls_ssl_get_ciphersuite_name(ciphersuite)));
8775 MBEDTLS_SSL_DEBUG_BUF(3, "master secret", master, 48);
8776 MBEDTLS_SSL_DEBUG_BUF(4, "random bytes", randbytes, 64);
8777 MBEDTLS_SSL_DEBUG_BUF(4, "key block", keyblk, 256);
8778
8779 /*
8780 * Determine the appropriate key, IV and MAC length.
8781 */
8782
8783#if defined(MBEDTLS_USE_PSA_CRYPTO)
8784 keylen = PSA_BITS_TO_BYTES(key_bits);
8785#else
8786 keylen = mbedtls_cipher_info_get_key_bitlen(cipher_info) / 8;
8787#endif
8788
8789#if defined(MBEDTLS_SSL_HAVE_AEAD)
8790 if (ssl_mode == MBEDTLS_SSL_MODE_AEAD) {
8791 size_t explicit_ivlen;
8792
8793 transform->maclen = 0;
8794 mac_key_len = 0;
8795
8796 /* All modes haves 96-bit IVs, but the length of the static parts vary
8797 * with mode and version:
8798 * - For GCM and CCM in TLS 1.2, there's a static IV of 4 Bytes
8799 * (to be concatenated with a dynamically chosen IV of 8 Bytes)
8800 * - For ChaChaPoly in TLS 1.2, and all modes in TLS 1.3, there's
8801 * a static IV of 12 Bytes (to be XOR'ed with the 8 Byte record
8802 * sequence number).
8803 */
8804 transform->ivlen = 12;
8805
8806 int is_chachapoly = 0;
8807#if defined(MBEDTLS_USE_PSA_CRYPTO)
8808 is_chachapoly = (key_type == PSA_KEY_TYPE_CHACHA20);
8809#else
8810 is_chachapoly = (mbedtls_cipher_info_get_mode(cipher_info)
8811 == MBEDTLS_MODE_CHACHAPOLY);
8812#endif /* MBEDTLS_USE_PSA_CRYPTO */
8813
8814 if (is_chachapoly) {
8815 transform->fixed_ivlen = 12;
8816 } else {
8817 transform->fixed_ivlen = 4;
8818 }
8819
8820 /* Minimum length of encrypted record */
8821 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
8822 transform->minlen = explicit_ivlen + transform->taglen;
8823 } else
8824#endif /* MBEDTLS_SSL_HAVE_AEAD */
8825#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
8826 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM ||
8827 ssl_mode == MBEDTLS_SSL_MODE_CBC ||
8828 ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8829#if defined(MBEDTLS_USE_PSA_CRYPTO)
8830 size_t block_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type);
8831#else
8832 size_t block_size = mbedtls_cipher_info_get_block_size(cipher_info);
8833#endif /* MBEDTLS_USE_PSA_CRYPTO */
8834
8835#if defined(MBEDTLS_USE_PSA_CRYPTO)
8836 /* Get MAC length */
8837 mac_key_len = PSA_HASH_LENGTH(mac_alg);
8838#else
8839 /* Initialize HMAC contexts */
8840 if ((ret = mbedtls_md_setup(&transform->md_ctx_enc, md_info, 1)) != 0 ||
8841 (ret = mbedtls_md_setup(&transform->md_ctx_dec, md_info, 1)) != 0) {
8842 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
8843 goto end;
8844 }
8845
8846 /* Get MAC length */
8847 mac_key_len = mbedtls_md_get_size(md_info);
8848#endif /* MBEDTLS_USE_PSA_CRYPTO */
8849 transform->maclen = mac_key_len;
8850
8851 /* IV length */
8852#if defined(MBEDTLS_USE_PSA_CRYPTO)
8853 transform->ivlen = PSA_CIPHER_IV_LENGTH(key_type, alg);
8854#else
8855 transform->ivlen = mbedtls_cipher_info_get_iv_size(cipher_info);
8856#endif /* MBEDTLS_USE_PSA_CRYPTO */
8857
8858 /* Minimum length */
8859 if (ssl_mode == MBEDTLS_SSL_MODE_STREAM) {
8860 transform->minlen = transform->maclen;
8861 } else {
8862 /*
8863 * GenericBlockCipher:
8864 * 1. if EtM is in use: one block plus MAC
8865 * otherwise: * first multiple of blocklen greater than maclen
8866 * 2. IV
8867 */
8868#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
8869 if (ssl_mode == MBEDTLS_SSL_MODE_CBC_ETM) {
8870 transform->minlen = transform->maclen
8871 + block_size;
8872 } else
8873#endif
8874 {
8875 transform->minlen = transform->maclen
8876 + block_size
8877 - transform->maclen % block_size;
8878 }
8879
8880 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
8881 transform->minlen += transform->ivlen;
8882 } else {
8883 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8884 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8885 goto end;
8886 }
8887 }
8888 } else
8889#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
8890 {
8891 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8892 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8893 }
8894
8895 MBEDTLS_SSL_DEBUG_MSG(3, ("keylen: %u, minlen: %u, ivlen: %u, maclen: %u",
8896 (unsigned) keylen,
8897 (unsigned) transform->minlen,
8898 (unsigned) transform->ivlen,
8899 (unsigned) transform->maclen));
8900
8901 /*
8902 * Finally setup the cipher contexts, IVs and MAC secrets.
8903 */
8904#if defined(MBEDTLS_SSL_CLI_C)
8905 if (endpoint == MBEDTLS_SSL_IS_CLIENT) {
8906 key1 = keyblk + mac_key_len * 2;
8907 key2 = keyblk + mac_key_len * 2 + keylen;
8908
8909 mac_enc = keyblk;
8910 mac_dec = keyblk + mac_key_len;
8911
8912 iv_copy_len = (transform->fixed_ivlen) ?
8913 transform->fixed_ivlen : transform->ivlen;
8914 memcpy(transform->iv_enc, key2 + keylen, iv_copy_len);
8915 memcpy(transform->iv_dec, key2 + keylen + iv_copy_len,
8916 iv_copy_len);
8917 } else
8918#endif /* MBEDTLS_SSL_CLI_C */
8919#if defined(MBEDTLS_SSL_SRV_C)
8920 if (endpoint == MBEDTLS_SSL_IS_SERVER) {
8921 key1 = keyblk + mac_key_len * 2 + keylen;
8922 key2 = keyblk + mac_key_len * 2;
8923
8924 mac_enc = keyblk + mac_key_len;
8925 mac_dec = keyblk;
8926
8927 iv_copy_len = (transform->fixed_ivlen) ?
8928 transform->fixed_ivlen : transform->ivlen;
8929 memcpy(transform->iv_dec, key1 + keylen, iv_copy_len);
8930 memcpy(transform->iv_enc, key1 + keylen + iv_copy_len,
8931 iv_copy_len);
8932 } else
8933#endif /* MBEDTLS_SSL_SRV_C */
8934 {
8935 MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
8936 ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
8937 goto end;
8938 }
8939
8940 if (ssl->f_export_keys != NULL) {
8941 ssl->f_export_keys(ssl->p_export_keys,
8942 MBEDTLS_SSL_KEY_EXPORT_TLS12_MASTER_SECRET,
8943 master, 48,
8944 randbytes + 32,
8945 randbytes,
8946 tls_prf_get_type(tls_prf));
8947 }
8948
8949#if defined(MBEDTLS_USE_PSA_CRYPTO)
8950 transform->psa_alg = alg;
8951
8952 if (alg != MBEDTLS_SSL_NULL_CIPHER) {
8953 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT);
8954 psa_set_key_algorithm(&attributes, alg);
8955 psa_set_key_type(&attributes, key_type);
8956
8957 if ((status = psa_import_key(&attributes,
8958 key1,
8959 PSA_BITS_TO_BYTES(key_bits),
8960 &transform->psa_key_enc)) != PSA_SUCCESS) {
8961 MBEDTLS_SSL_DEBUG_RET(3, "psa_import_key", (int) status);
8962 ret = PSA_TO_MBEDTLS_ERR(status);
8963 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8964 goto end;
8965 }
8966
8967 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DECRYPT);
8968
8969 if ((status = psa_import_key(&attributes,
8970 key2,
8971 PSA_BITS_TO_BYTES(key_bits),
8972 &transform->psa_key_dec)) != PSA_SUCCESS) {
8973 ret = PSA_TO_MBEDTLS_ERR(status);
8974 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", ret);
8975 goto end;
8976 }
8977 }
8978#else
8979 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_enc,
8980 cipher_info)) != 0) {
8981 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8982 goto end;
8983 }
8984
8985 if ((ret = mbedtls_cipher_setup(&transform->cipher_ctx_dec,
8986 cipher_info)) != 0) {
8987 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setup", ret);
8988 goto end;
8989 }
8990
8991 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_enc, key1,
8992 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
8993 MBEDTLS_ENCRYPT)) != 0) {
8994 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
8995 goto end;
8996 }
8997
8998 if ((ret = mbedtls_cipher_setkey(&transform->cipher_ctx_dec, key2,
8999 (int) mbedtls_cipher_info_get_key_bitlen(cipher_info),
9000 MBEDTLS_DECRYPT)) != 0) {
9001 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_setkey", ret);
9002 goto end;
9003 }
9004
9005#if defined(MBEDTLS_CIPHER_MODE_CBC)
9006 if (mbedtls_cipher_info_get_mode(cipher_info) == MBEDTLS_MODE_CBC) {
9007 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_enc,
9008 MBEDTLS_PADDING_NONE)) != 0) {
9009 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
9010 goto end;
9011 }
9012
9013 if ((ret = mbedtls_cipher_set_padding_mode(&transform->cipher_ctx_dec,
9014 MBEDTLS_PADDING_NONE)) != 0) {
9015 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_cipher_set_padding_mode", ret);
9016 goto end;
9017 }
9018 }
9019#endif /* MBEDTLS_CIPHER_MODE_CBC */
9020#endif /* MBEDTLS_USE_PSA_CRYPTO */
9021
9022#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
9023 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
9024 For AEAD-based ciphersuites, there is nothing to do here. */
9025 if (mac_key_len != 0) {
9026#if defined(MBEDTLS_USE_PSA_CRYPTO)
9027 transform->psa_mac_alg = PSA_ALG_HMAC(mac_alg);
9028
9029 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_MESSAGE);
9030 psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(mac_alg));
9031 psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
9032
9033 if ((status = psa_import_key(&attributes,
9034 mac_enc, mac_key_len,
9035 &transform->psa_mac_enc)) != PSA_SUCCESS) {
9036 ret = PSA_TO_MBEDTLS_ERR(status);
9037 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
9038 goto end;
9039 }
9040
9041 if ((transform->psa_alg == MBEDTLS_SSL_NULL_CIPHER) ||
9042 ((transform->psa_alg == PSA_ALG_CBC_NO_PADDING)
9043#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
9044 && (transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED)
9045#endif
9046 )) {
9047 /* mbedtls_ct_hmac() requires the key to be exportable */
9048 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT |
9049 PSA_KEY_USAGE_VERIFY_HASH);
9050 } else {
9051 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
9052 }
9053
9054 if ((status = psa_import_key(&attributes,
9055 mac_dec, mac_key_len,
9056 &transform->psa_mac_dec)) != PSA_SUCCESS) {
9057 ret = PSA_TO_MBEDTLS_ERR(status);
9058 MBEDTLS_SSL_DEBUG_RET(1, "psa_import_mac_key", ret);
9059 goto end;
9060 }
9061#else
9062 ret = mbedtls_md_hmac_starts(&transform->md_ctx_enc, mac_enc, mac_key_len);
9063 if (ret != 0) {
9064 goto end;
9065 }
9066 ret = mbedtls_md_hmac_starts(&transform->md_ctx_dec, mac_dec, mac_key_len);
9067 if (ret != 0) {
9068 goto end;
9069 }
9070#endif /* MBEDTLS_USE_PSA_CRYPTO */
9071 }
9072#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
9073
9074 ((void) mac_dec);
9075 ((void) mac_enc);
9076
9077end:
9078 mbedtls_platform_zeroize(keyblk, sizeof(keyblk));
9079 return ret;
9080}
9081
9082#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
9083 defined(MBEDTLS_USE_PSA_CRYPTO)
9084int mbedtls_psa_ecjpake_read_round(
9085 psa_pake_operation_t *pake_ctx,
9086 const unsigned char *buf,
9087 size_t len, mbedtls_ecjpake_rounds_t round)
9088{
9089 psa_status_t status;
9090 size_t input_offset = 0;
9091 /*
9092 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
9093 * At round two perform a single cycle
9094 */
9095 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
9096
9097 for (; remaining_steps > 0; remaining_steps--) {
9098 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
9099 step <= PSA_PAKE_STEP_ZK_PROOF;
9100 ++step) {
9101 /* Length is stored at the first byte */
9102 size_t length = buf[input_offset];
9103 input_offset += 1;
9104
9105 if (input_offset + length > len) {
9106 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
9107 }
9108
9109 status = psa_pake_input(pake_ctx, step,
9110 buf + input_offset, length);
9111 if (status != PSA_SUCCESS) {
9112 return PSA_TO_MBEDTLS_ERR(status);
9113 }
9114
9115 input_offset += length;
9116 }
9117 }
9118
9119 if (input_offset != len) {
9120 return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
9121 }
9122
9123 return 0;
9124}
9125
9126int mbedtls_psa_ecjpake_write_round(
9127 psa_pake_operation_t *pake_ctx,
9128 unsigned char *buf,
9129 size_t len, size_t *olen,
9130 mbedtls_ecjpake_rounds_t round)
9131{
9132 psa_status_t status;
9133 size_t output_offset = 0;
9134 size_t output_len;
9135 /*
9136 * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice
9137 * At round two perform a single cycle
9138 */
9139 unsigned int remaining_steps = (round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1;
9140
9141 for (; remaining_steps > 0; remaining_steps--) {
9142 for (psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE;
9143 step <= PSA_PAKE_STEP_ZK_PROOF;
9144 ++step) {
9145 /*
9146 * For each step, prepend 1 byte with the length of the data as
9147 * given by psa_pake_output().
9148 */
9149 status = psa_pake_output(pake_ctx, step,
9150 buf + output_offset + 1,
9151 len - output_offset - 1,
9152 &output_len);
9153 if (status != PSA_SUCCESS) {
9154 return PSA_TO_MBEDTLS_ERR(status);
9155 }
9156
9157 *(buf + output_offset) = (uint8_t) output_len;
9158
9159 output_offset += output_len + 1;
9160 }
9161 }
9162
9163 *olen = output_offset;
9164
9165 return 0;
9166}
9167#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
9168
9169#if defined(MBEDTLS_USE_PSA_CRYPTO)
9170int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
9171 unsigned char *hash, size_t *hashlen,
9172 unsigned char *data, size_t data_len,
9173 mbedtls_md_type_t md_alg)
9174{
9175 psa_status_t status;
9176 psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
9177 psa_algorithm_t hash_alg = mbedtls_md_psa_alg_from_type(md_alg);
9178
9179 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform PSA-based computation of digest of ServerKeyExchange"));
9180
9181 if ((status = psa_hash_setup(&hash_operation,
9182 hash_alg)) != PSA_SUCCESS) {
9183 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_setup", status);
9184 goto exit;
9185 }
9186
9187 if ((status = psa_hash_update(&hash_operation, ssl->handshake->randbytes,
9188 64)) != PSA_SUCCESS) {
9189 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
9190 goto exit;
9191 }
9192
9193 if ((status = psa_hash_update(&hash_operation,
9194 data, data_len)) != PSA_SUCCESS) {
9195 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_update", status);
9196 goto exit;
9197 }
9198
9199 if ((status = psa_hash_finish(&hash_operation, hash, PSA_HASH_MAX_SIZE,
9200 hashlen)) != PSA_SUCCESS) {
9201 MBEDTLS_SSL_DEBUG_RET(1, "psa_hash_finish", status);
9202 goto exit;
9203 }
9204
9205exit:
9206 if (status != PSA_SUCCESS) {
9207 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9208 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
9209 switch (status) {
9210 case PSA_ERROR_NOT_SUPPORTED:
9211 return MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE;
9212 case PSA_ERROR_BAD_STATE: /* Intentional fallthrough */
9213 case PSA_ERROR_BUFFER_TOO_SMALL:
9214 return MBEDTLS_ERR_MD_BAD_INPUT_DATA;
9215 case PSA_ERROR_INSUFFICIENT_MEMORY:
9216 return MBEDTLS_ERR_MD_ALLOC_FAILED;
9217 default:
9218 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
9219 }
9220 }
9221 return 0;
9222}
9223
9224#else
9225
9226int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
9227 unsigned char *hash, size_t *hashlen,
9228 unsigned char *data, size_t data_len,
9229 mbedtls_md_type_t md_alg)
9230{
9231 int ret = 0;
9232 mbedtls_md_context_t ctx;
9233 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(md_alg);
9234 *hashlen = mbedtls_md_get_size(md_info);
9235
9236 MBEDTLS_SSL_DEBUG_MSG(3, ("Perform mbedtls-based computation of digest of ServerKeyExchange"));
9237
9238 mbedtls_md_init(&ctx);
9239
9240 /*
9241 * digitally-signed struct {
9242 * opaque client_random[32];
9243 * opaque server_random[32];
9244 * ServerDHParams params;
9245 * };
9246 */
9247 if ((ret = mbedtls_md_setup(&ctx, md_info, 0)) != 0) {
9248 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_setup", ret);
9249 goto exit;
9250 }
9251 if ((ret = mbedtls_md_starts(&ctx)) != 0) {
9252 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_starts", ret);
9253 goto exit;
9254 }
9255 if ((ret = mbedtls_md_update(&ctx, ssl->handshake->randbytes, 64)) != 0) {
9256 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
9257 goto exit;
9258 }
9259 if ((ret = mbedtls_md_update(&ctx, data, data_len)) != 0) {
9260 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_update", ret);
9261 goto exit;
9262 }
9263 if ((ret = mbedtls_md_finish(&ctx, hash)) != 0) {
9264 MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_md_finish", ret);
9265 goto exit;
9266 }
9267
9268exit:
9269 mbedtls_md_free(&ctx);
9270
9271 if (ret != 0) {
9272 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9273 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR);
9274 }
9275
9276 return ret;
9277}
9278#endif /* MBEDTLS_USE_PSA_CRYPTO */
9279
9280#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
9281
9282/* Find the preferred hash for a given signature algorithm. */
9283unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
9284 mbedtls_ssl_context *ssl,
9285 unsigned int sig_alg)
9286{
9287 unsigned int i;
9288 uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
9289
9290 if (sig_alg == MBEDTLS_SSL_SIG_ANON) {
9291 return MBEDTLS_SSL_HASH_NONE;
9292 }
9293
9294 for (i = 0; received_sig_algs[i] != MBEDTLS_TLS_SIG_NONE; i++) {
9295 unsigned int hash_alg_received =
9296 MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(
9297 received_sig_algs[i]);
9298 unsigned int sig_alg_received =
9299 MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(
9300 received_sig_algs[i]);
9301
9302 mbedtls_md_type_t md_alg =
9303 mbedtls_ssl_md_alg_from_hash((unsigned char) hash_alg_received);
9304 if (md_alg == MBEDTLS_MD_NONE) {
9305 continue;
9306 }
9307
9308 if (sig_alg == sig_alg_received) {
9309#if defined(MBEDTLS_USE_PSA_CRYPTO)
9310 if (ssl->handshake->key_cert && ssl->handshake->key_cert->key) {
9311 psa_algorithm_t psa_hash_alg =
9312 mbedtls_md_psa_alg_from_type(md_alg);
9313
9314 if (sig_alg_received == MBEDTLS_SSL_SIG_ECDSA &&
9315 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
9316 PSA_ALG_ECDSA(psa_hash_alg),
9317 PSA_KEY_USAGE_SIGN_HASH)) {
9318 continue;
9319 }
9320
9321 if (sig_alg_received == MBEDTLS_SSL_SIG_RSA &&
9322 !mbedtls_pk_can_do_ext(ssl->handshake->key_cert->key,
9323 PSA_ALG_RSA_PKCS1V15_SIGN(
9324 psa_hash_alg),
9325 PSA_KEY_USAGE_SIGN_HASH)) {
9326 continue;
9327 }
9328 }
9329#endif /* MBEDTLS_USE_PSA_CRYPTO */
9330
9331 return hash_alg_received;
9332 }
9333 }
9334
9335 return MBEDTLS_SSL_HASH_NONE;
9336}
9337
9338#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
9339
9340#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9341
9342int mbedtls_ssl_validate_ciphersuite(
9343 const mbedtls_ssl_context *ssl,
9344 const mbedtls_ssl_ciphersuite_t *suite_info,
9345 mbedtls_ssl_protocol_version min_tls_version,
9346 mbedtls_ssl_protocol_version max_tls_version)
9347{
9348 (void) ssl;
9349
9350 if (suite_info == NULL) {
9351 return -1;
9352 }
9353
9354 if ((suite_info->min_tls_version > max_tls_version) ||
9355 (suite_info->max_tls_version < min_tls_version)) {
9356 return -1;
9357 }
9358
9359#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
9360#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
9361#if defined(MBEDTLS_USE_PSA_CRYPTO)
9362 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9363 ssl->handshake->psa_pake_ctx_is_ok != 1)
9364#else
9365 if (suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
9366 mbedtls_ecjpake_check(&ssl->handshake->ecjpake_ctx) != 0)
9367#endif /* MBEDTLS_USE_PSA_CRYPTO */
9368 {
9369 return -1;
9370 }
9371#endif
9372
9373 /* Don't suggest PSK-based ciphersuite if no PSK is available. */
9374#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
9375 if (mbedtls_ssl_ciphersuite_uses_psk(suite_info) &&
9376 mbedtls_ssl_conf_has_static_psk(ssl->conf) == 0) {
9377 return -1;
9378 }
9379#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
9380#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9381
9382 return 0;
9383}
9384
9385#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
9386/*
9387 * Function for writing a signature algorithm extension.
9388 *
9389 * The `extension_data` field of signature algorithm contains a `SignatureSchemeList`
9390 * value (TLS 1.3 RFC8446):
9391 * enum {
9392 * ....
9393 * ecdsa_secp256r1_sha256( 0x0403 ),
9394 * ecdsa_secp384r1_sha384( 0x0503 ),
9395 * ecdsa_secp521r1_sha512( 0x0603 ),
9396 * ....
9397 * } SignatureScheme;
9398 *
9399 * struct {
9400 * SignatureScheme supported_signature_algorithms<2..2^16-2>;
9401 * } SignatureSchemeList;
9402 *
9403 * The `extension_data` field of signature algorithm contains a `SignatureAndHashAlgorithm`
9404 * value (TLS 1.2 RFC5246):
9405 * enum {
9406 * none(0), md5(1), sha1(2), sha224(3), sha256(4), sha384(5),
9407 * sha512(6), (255)
9408 * } HashAlgorithm;
9409 *
9410 * enum { anonymous(0), rsa(1), dsa(2), ecdsa(3), (255) }
9411 * SignatureAlgorithm;
9412 *
9413 * struct {
9414 * HashAlgorithm hash;
9415 * SignatureAlgorithm signature;
9416 * } SignatureAndHashAlgorithm;
9417 *
9418 * SignatureAndHashAlgorithm
9419 * supported_signature_algorithms<2..2^16-2>;
9420 *
9421 * The TLS 1.3 signature algorithm extension was defined to be a compatible
9422 * generalization of the TLS 1.2 signature algorithm extension.
9423 * `SignatureAndHashAlgorithm` field of TLS 1.2 can be represented by
9424 * `SignatureScheme` field of TLS 1.3
9425 *
9426 */
9427int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
9428 const unsigned char *end, size_t *out_len)
9429{
9430 unsigned char *p = buf;
9431 unsigned char *supported_sig_alg; /* Start of supported_signature_algorithms */
9432 size_t supported_sig_alg_len = 0; /* Length of supported_signature_algorithms */
9433
9434 *out_len = 0;
9435
9436 MBEDTLS_SSL_DEBUG_MSG(3, ("adding signature_algorithms extension"));
9437
9438 /* Check if we have space for header and length field:
9439 * - extension_type (2 bytes)
9440 * - extension_data_length (2 bytes)
9441 * - supported_signature_algorithms_length (2 bytes)
9442 */
9443 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 6);
9444 p += 6;
9445
9446 /*
9447 * Write supported_signature_algorithms
9448 */
9449 supported_sig_alg = p;
9450 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
9451 if (sig_alg == NULL) {
9452 return MBEDTLS_ERR_SSL_BAD_CONFIG;
9453 }
9454
9455 for (; *sig_alg != MBEDTLS_TLS1_3_SIG_NONE; sig_alg++) {
9456 MBEDTLS_SSL_DEBUG_MSG(3, ("got signature scheme [%x] %s",
9457 *sig_alg,
9458 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9459 if (!mbedtls_ssl_sig_alg_is_supported(ssl, *sig_alg)) {
9460 continue;
9461 }
9462 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
9463 MBEDTLS_PUT_UINT16_BE(*sig_alg, p, 0);
9464 p += 2;
9465 MBEDTLS_SSL_DEBUG_MSG(3, ("sent signature scheme [%x] %s",
9466 *sig_alg,
9467 mbedtls_ssl_sig_alg_to_str(*sig_alg)));
9468 }
9469
9470 /* Length of supported_signature_algorithms */
9471 supported_sig_alg_len = (size_t) (p - supported_sig_alg);
9472 if (supported_sig_alg_len == 0) {
9473 MBEDTLS_SSL_DEBUG_MSG(1, ("No signature algorithms defined."));
9474 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
9475 }
9476
9477 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_SIG_ALG, buf, 0);
9478 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len + 2, buf, 2);
9479 MBEDTLS_PUT_UINT16_BE(supported_sig_alg_len, buf, 4);
9480
9481 *out_len = (size_t) (p - buf);
9482
9483#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9484 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_SIG_ALG);
9485#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
9486
9487 return 0;
9488}
9489#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
9490
9491#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9492/*
9493 * mbedtls_ssl_parse_server_name_ext
9494 *
9495 * Structure of server_name extension:
9496 *
9497 * enum {
9498 * host_name(0), (255)
9499 * } NameType;
9500 * opaque HostName<1..2^16-1>;
9501 *
9502 * struct {
9503 * NameType name_type;
9504 * select (name_type) {
9505 * case host_name: HostName;
9506 * } name;
9507 * } ServerName;
9508 * struct {
9509 * ServerName server_name_list<1..2^16-1>
9510 * } ServerNameList;
9511 */
9512MBEDTLS_CHECK_RETURN_CRITICAL
9513int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
9514 const unsigned char *buf,
9515 const unsigned char *end)
9516{
9517 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
9518 const unsigned char *p = buf;
9519 size_t server_name_list_len, hostname_len;
9520 const unsigned char *server_name_list_end;
9521
9522 MBEDTLS_SSL_DEBUG_MSG(3, ("parse ServerName extension"));
9523
9524 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 2);
9525 server_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9526 p += 2;
9527
9528 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, server_name_list_len);
9529 server_name_list_end = p + server_name_list_len;
9530 while (p < server_name_list_end) {
9531 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end, 3);
9532 hostname_len = MBEDTLS_GET_UINT16_BE(p, 1);
9533 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, server_name_list_end,
9534 hostname_len + 3);
9535
9536 if (p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME) {
9537 /* sni_name is intended to be used only during the parsing of the
9538 * ClientHello message (it is reset to NULL before the end of
9539 * the message parsing). Thus it is ok to just point to the
9540 * reception buffer and not make a copy of it.
9541 */
9542 ssl->handshake->sni_name = p + 3;
9543 ssl->handshake->sni_name_len = hostname_len;
9544 if (ssl->conf->f_sni == NULL) {
9545 return 0;
9546 }
9547 ret = ssl->conf->f_sni(ssl->conf->p_sni,
9548 ssl, p + 3, hostname_len);
9549 if (ret != 0) {
9550 MBEDTLS_SSL_DEBUG_RET(1, "ssl_sni_wrapper", ret);
9551 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNRECOGNIZED_NAME,
9552 MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME);
9553 return MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME;
9554 }
9555 return 0;
9556 }
9557
9558 p += hostname_len + 3;
9559 }
9560
9561 return 0;
9562}
9563#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
9564
9565#if defined(MBEDTLS_SSL_ALPN)
9566MBEDTLS_CHECK_RETURN_CRITICAL
9567int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
9568 const unsigned char *buf,
9569 const unsigned char *end)
9570{
9571 const unsigned char *p = buf;
9572 size_t protocol_name_list_len;
9573 const unsigned char *protocol_name_list;
9574 const unsigned char *protocol_name_list_end;
9575 size_t protocol_name_len;
9576
9577 /* If ALPN not configured, just ignore the extension */
9578 if (ssl->conf->alpn_list == NULL) {
9579 return 0;
9580 }
9581
9582 /*
9583 * RFC7301, section 3.1
9584 * opaque ProtocolName<1..2^8-1>;
9585 *
9586 * struct {
9587 * ProtocolName protocol_name_list<2..2^16-1>
9588 * } ProtocolNameList;
9589 */
9590
9591 /*
9592 * protocol_name_list_len 2 bytes
9593 * protocol_name_len 1 bytes
9594 * protocol_name >=1 byte
9595 */
9596 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, 4);
9597
9598 protocol_name_list_len = MBEDTLS_GET_UINT16_BE(p, 0);
9599 p += 2;
9600 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, protocol_name_list_len);
9601 protocol_name_list = p;
9602 protocol_name_list_end = p + protocol_name_list_len;
9603
9604 /* Validate peer's list (lengths) */
9605 while (p < protocol_name_list_end) {
9606 protocol_name_len = *p++;
9607 MBEDTLS_SSL_CHK_BUF_READ_PTR(p, protocol_name_list_end,
9608 protocol_name_len);
9609 if (protocol_name_len == 0) {
9610 MBEDTLS_SSL_PEND_FATAL_ALERT(
9611 MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
9612 MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
9613 return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
9614 }
9615
9616 p += protocol_name_len;
9617 }
9618
9619 /* Use our order of preference */
9620 for (const char **alpn = ssl->conf->alpn_list; *alpn != NULL; alpn++) {
9621 size_t const alpn_len = strlen(*alpn);
9622 p = protocol_name_list;
9623 while (p < protocol_name_list_end) {
9624 protocol_name_len = *p++;
9625 if (protocol_name_len == alpn_len &&
9626 memcmp(p, *alpn, alpn_len) == 0) {
9627 ssl->alpn_chosen = *alpn;
9628 return 0;
9629 }
9630
9631 p += protocol_name_len;
9632 }
9633 }
9634
9635 /* If we get here, no match was found */
9636 MBEDTLS_SSL_PEND_FATAL_ALERT(
9637 MBEDTLS_SSL_ALERT_MSG_NO_APPLICATION_PROTOCOL,
9638 MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL);
9639 return MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL;
9640}
9641
9642int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
9643 unsigned char *buf,
9644 unsigned char *end,
9645 size_t *out_len)
9646{
9647 unsigned char *p = buf;
9648 size_t protocol_name_len;
9649 *out_len = 0;
9650
9651 if (ssl->alpn_chosen == NULL) {
9652 return 0;
9653 }
9654
9655 protocol_name_len = strlen(ssl->alpn_chosen);
9656 MBEDTLS_SSL_CHK_BUF_PTR(p, end, 7 + protocol_name_len);
9657
9658 MBEDTLS_SSL_DEBUG_MSG(3, ("server side, adding alpn extension"));
9659 /*
9660 * 0 . 1 ext identifier
9661 * 2 . 3 ext length
9662 * 4 . 5 protocol list length
9663 * 6 . 6 protocol name length
9664 * 7 . 7+n protocol name
9665 */
9666 MBEDTLS_PUT_UINT16_BE(MBEDTLS_TLS_EXT_ALPN, p, 0);
9667
9668 *out_len = 7 + protocol_name_len;
9669
9670 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 3, p, 2);
9671 MBEDTLS_PUT_UINT16_BE(protocol_name_len + 1, p, 4);
9672 /* Note: the length of the chosen protocol has been checked to be less
9673 * than 255 bytes in `mbedtls_ssl_conf_alpn_protocols`.
9674 */
9675 p[6] = MBEDTLS_BYTE_0(protocol_name_len);
9676
9677 memcpy(p + 7, ssl->alpn_chosen, protocol_name_len);
9678
9679#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
9680 mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_ALPN);
9681#endif
9682
9683 return 0;
9684}
9685#endif /* MBEDTLS_SSL_ALPN */
9686
9687#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
9688 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
9689 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
9690 defined(MBEDTLS_SSL_CLI_C)
9691int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
9692 const char *hostname)
9693{
9694 /* Initialize to suppress unnecessary compiler warning */
9695 size_t hostname_len = 0;
9696
9697 /* Check if new hostname is valid before
9698 * making any change to current one */
9699 if (hostname != NULL) {
9700 hostname_len = strlen(hostname);
9701
9702 if (hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN) {
9703 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9704 }
9705 }
9706
9707 /* Now it's clear that we will overwrite the old hostname,
9708 * so we can free it safely */
9709 if (session->hostname != NULL) {
9710 mbedtls_zeroize_and_free(session->hostname,
9711 strlen(session->hostname));
9712 }
9713
9714 /* Passing NULL as hostname shall clear the old one */
9715 if (hostname == NULL) {
9716 session->hostname = NULL;
9717 } else {
9718 session->hostname = mbedtls_calloc(1, hostname_len + 1);
9719 if (session->hostname == NULL) {
9720 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9721 }
9722
9723 memcpy(session->hostname, hostname, hostname_len);
9724 }
9725
9726 return 0;
9727}
9728#endif /* MBEDTLS_SSL_PROTO_TLS1_3 &&
9729 MBEDTLS_SSL_SESSION_TICKETS &&
9730 MBEDTLS_SSL_SERVER_NAME_INDICATION &&
9731 MBEDTLS_SSL_CLI_C */
9732
9733#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
9734 defined(MBEDTLS_SSL_ALPN)
9735int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
9736 const char *alpn)
9737{
9738 size_t alpn_len = 0;
9739
9740 if (alpn != NULL) {
9741 alpn_len = strlen(alpn);
9742
9743 if (alpn_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN) {
9744 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
9745 }
9746 }
9747
9748 if (session->ticket_alpn != NULL) {
9749 mbedtls_zeroize_and_free(session->ticket_alpn,
9750 strlen(session->ticket_alpn));
9751 session->ticket_alpn = NULL;
9752 }
9753
9754 if (alpn != NULL) {
9755 session->ticket_alpn = mbedtls_calloc(alpn_len + 1, 1);
9756 if (session->ticket_alpn == NULL) {
9757 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
9758 }
9759 memcpy(session->ticket_alpn, alpn, alpn_len);
9760 }
9761
9762 return 0;
9763}
9764#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_ALPN */
9765
9766/*
9767 * The following functions are used by 1.2 and 1.3, client and server.
9768 */
9769#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
9770int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
9771 const mbedtls_ssl_ciphersuite_t *ciphersuite,
9772 int recv_endpoint,
9773 mbedtls_ssl_protocol_version tls_version,
9774 uint32_t *flags)
9775{
9776 int ret = 0;
9777 unsigned int usage = 0;
9778 const char *ext_oid;
9779 size_t ext_len;
9780
9781 /*
9782 * keyUsage
9783 */
9784
9785 /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants
9786 * to check what a compliant client will think while choosing which cert
9787 * to send to the client. */
9788#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
9789 if (tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
9790 recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
9791 /* TLS 1.2 server part of the key exchange */
9792 switch (ciphersuite->key_exchange) {
9793 case MBEDTLS_KEY_EXCHANGE_RSA:
9794 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
9795 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
9796 break;
9797
9798 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
9799 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
9800 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
9801 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9802 break;
9803
9804 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
9805 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
9806 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
9807 break;
9808
9809 /* Don't use default: we want warnings when adding new values */
9810 case MBEDTLS_KEY_EXCHANGE_NONE:
9811 case MBEDTLS_KEY_EXCHANGE_PSK:
9812 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
9813 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
9814 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
9815 usage = 0;
9816 }
9817 } else
9818#endif
9819 {
9820 /* This is either TLS 1.3 authentication, which always uses signatures,
9821 * or 1.2 client auth: rsa_sign and mbedtls_ecdsa_sign are the only
9822 * options we implement, both using signatures. */
9823 (void) tls_version;
9824 (void) ciphersuite;
9825 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9826 }
9827
9828 if (mbedtls_x509_crt_check_key_usage(cert, usage) != 0) {
9829 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
9830 ret = -1;
9831 }
9832
9833 /*
9834 * extKeyUsage
9835 */
9836
9837 if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
9838 ext_oid = MBEDTLS_OID_SERVER_AUTH;
9839 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
9840 } else {
9841 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
9842 ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
9843 }
9844
9845 if (mbedtls_x509_crt_check_extended_key_usage(cert, ext_oid, ext_len) != 0) {
9846 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
9847 ret = -1;
9848 }
9849
9850 return ret;
9851}
9852
9853static int get_hostname_for_verification(mbedtls_ssl_context *ssl,
9854 const char **hostname)
9855{
9856 if (!mbedtls_ssl_has_set_hostname_been_called(ssl)) {
9857 MBEDTLS_SSL_DEBUG_MSG(1, ("Certificate verification without having set hostname"));
9858#if !defined(MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME)
9859 if (mbedtls_ssl_conf_get_endpoint(ssl->conf) == MBEDTLS_SSL_IS_CLIENT &&
9860 ssl->conf->authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
9861 return MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME;
9862 }
9863#endif
9864 }
9865
9866 *hostname = mbedtls_ssl_get_hostname_pointer(ssl);
9867 if (*hostname == NULL) {
9868 MBEDTLS_SSL_DEBUG_MSG(2, ("Certificate verification without CN verification"));
9869 }
9870
9871 return 0;
9872}
9873
9874int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
9875 int authmode,
9876 mbedtls_x509_crt *chain,
9877 const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
9878 void *rs_ctx)
9879{
9880 if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
9881 ssl->session_negotiate->verify_result = 0;
9882 return 0;
9883 }
9884
9885 /*
9886 * Primary check: use the appropriate X.509 verification function
9887 */
9888 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
9889 void *p_vrfy;
9890 if (ssl->f_vrfy != NULL) {
9891 MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
9892 f_vrfy = ssl->f_vrfy;
9893 p_vrfy = ssl->p_vrfy;
9894 } else {
9895 MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
9896 f_vrfy = ssl->conf->f_vrfy;
9897 p_vrfy = ssl->conf->p_vrfy;
9898 }
9899
9900 const char *hostname = "";
9901 int ret = get_hostname_for_verification(ssl, &hostname);
9902 if (ret != 0) {
9903 MBEDTLS_SSL_DEBUG_RET(1, "get_hostname_for_verification", ret);
9904 return ret;
9905 }
9906
9907 int have_ca_chain_or_callback = 0;
9908#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
9909 if (ssl->conf->f_ca_cb != NULL) {
9910 ((void) rs_ctx);
9911 have_ca_chain_or_callback = 1;
9912
9913 MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
9914 ret = mbedtls_x509_crt_verify_with_ca_cb(
9915 chain,
9916 ssl->conf->f_ca_cb,
9917 ssl->conf->p_ca_cb,
9918 ssl->conf->cert_profile,
9919 hostname,
9920 &ssl->session_negotiate->verify_result,
9921 f_vrfy, p_vrfy);
9922 } else
9923#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
9924 {
9925 mbedtls_x509_crt *ca_chain;
9926 mbedtls_x509_crl *ca_crl;
9927#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9928 if (ssl->handshake->sni_ca_chain != NULL) {
9929 ca_chain = ssl->handshake->sni_ca_chain;
9930 ca_crl = ssl->handshake->sni_ca_crl;
9931 } else
9932#endif
9933 {
9934 ca_chain = ssl->conf->ca_chain;
9935 ca_crl = ssl->conf->ca_crl;
9936 }
9937
9938 if (ca_chain != NULL) {
9939 have_ca_chain_or_callback = 1;
9940 }
9941
9942 ret = mbedtls_x509_crt_verify_restartable(
9943 chain,
9944 ca_chain, ca_crl,
9945 ssl->conf->cert_profile,
9946 hostname,
9947 &ssl->session_negotiate->verify_result,
9948 f_vrfy, p_vrfy, rs_ctx);
9949 }
9950
9951 if (ret != 0) {
9952 MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
9953 }
9954
9955#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
9956 if (ret == MBEDTLS_ERR_ECP_IN_PROGRESS) {
9957 return MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS;
9958 }
9959#endif
9960
9961 /*
9962 * Secondary checks: always done, but change 'ret' only if it was 0
9963 */
9964
9965 /* With TLS 1.2 and ECC certs, check that the curve used by the
9966 * certificate is on our list of acceptable curves.
9967 *
9968 * With TLS 1.3 this is not needed because the curve is part of the
9969 * signature algorithm (eg ecdsa_secp256r1_sha256) which is checked when
9970 * we validate the signature made with the key associated to this cert.
9971 */
9972#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
9973 defined(MBEDTLS_PK_HAVE_ECC_KEYS)
9974 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
9975 mbedtls_pk_can_do(&chain->pk, MBEDTLS_PK_ECKEY)) {
9976 if (mbedtls_ssl_check_curve(ssl, mbedtls_pk_get_ec_group_id(&chain->pk)) != 0) {
9977 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (EC key curve)"));
9978 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
9979 if (ret == 0) {
9980 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
9981 }
9982 }
9983 }
9984#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_PK_HAVE_ECC_KEYS */
9985
9986 /* Check X.509 usage extensions (keyUsage, extKeyUsage) */
9987 if (mbedtls_ssl_check_cert_usage(chain,
9988 ciphersuite_info,
9989 ssl->conf->endpoint,
9990 ssl->tls_version,
9991 &ssl->session_negotiate->verify_result) != 0) {
9992 MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
9993 if (ret == 0) {
9994 ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
9995 }
9996 }
9997
9998 /* With authmode optional, we want to keep going if the certificate was
9999 * unacceptable, but still fail on other errors (out of memory etc),
10000 * including fatal errors from the f_vrfy callback.
10001 *
10002 * The only acceptable errors are:
10003 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check;
10004 * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks.
10005 * Anything else is a fatal error. */
10006 if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
10007 (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
10008 ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
10009 ret = 0;
10010 }
10011
10012 /* Return a specific error as this is a user error: inconsistent
10013 * configuration - can't verify without trust anchors. */
10014 if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
10015 MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
10016 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
10017 }
10018
10019 if (ret != 0) {
10020 uint8_t alert;
10021
10022 /* The certificate may have been rejected for several reasons.
10023 Pick one and send the corresponding alert. Which alert to send
10024 may be a subject of debate in some cases. */
10025 if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER) {
10026 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
10027 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
10028 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
10029 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE) {
10030 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
10031 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
10032 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
10033 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK) {
10034 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
10035 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY) {
10036 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
10037 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
10038 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
10039 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
10040 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
10041 } else if (ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
10042 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
10043 } else {
10044 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
10045 }
10046 mbedtls_ssl_send_alert_message(ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
10047 alert);
10048 }
10049
10050#if defined(MBEDTLS_DEBUG_C)
10051 if (ssl->session_negotiate->verify_result != 0) {
10052 MBEDTLS_SSL_DEBUG_MSG(3, ("! Certificate verification flags %08x",
10053 (unsigned int) ssl->session_negotiate->verify_result));
10054 } else {
10055 MBEDTLS_SSL_DEBUG_MSG(3, ("Certificate verification flags clear"));
10056 }
10057#endif /* MBEDTLS_DEBUG_C */
10058
10059 return ret;
10060}
10061#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
10062
10063#if defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT)
10064
10065#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
10066static int mbedtls_ssl_tls12_export_keying_material(const mbedtls_ssl_context *ssl,
10067 const mbedtls_md_type_t hash_alg,
10068 uint8_t *out,
10069 const size_t key_len,
10070 const char *label,
10071 const size_t label_len,
10072 const unsigned char *context,
10073 const size_t context_len,
10074 const int use_context)
10075{
10076 int ret = 0;
10077 unsigned char *prf_input = NULL;
10078
10079 /* The input to the PRF is client_random, then server_random.
10080 * If a context is provided, this is then followed by the context length
10081 * as a 16-bit big-endian integer, and then the context itself. */
10082 const size_t randbytes_len = MBEDTLS_CLIENT_HELLO_RANDOM_LEN + MBEDTLS_SERVER_HELLO_RANDOM_LEN;
10083 size_t prf_input_len = randbytes_len;
10084 if (use_context) {
10085 if (context_len > UINT16_MAX) {
10086 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
10087 }
10088
10089 /* This does not overflow a 32-bit size_t because the current value of
10090 * prf_input_len is 64 (length of client_random + server_random) and
10091 * context_len fits into two bytes (checked above). */
10092 prf_input_len += sizeof(uint16_t) + context_len;
10093 }
10094
10095 prf_input = mbedtls_calloc(prf_input_len, sizeof(unsigned char));
10096 if (prf_input == NULL) {
10097 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
10098 }
10099
10100 memcpy(prf_input,
10101 ssl->transform->randbytes + MBEDTLS_SERVER_HELLO_RANDOM_LEN,
10102 MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
10103 memcpy(prf_input + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
10104 ssl->transform->randbytes,
10105 MBEDTLS_SERVER_HELLO_RANDOM_LEN);
10106 if (use_context) {
10107 MBEDTLS_PUT_UINT16_BE(context_len, prf_input, randbytes_len);
10108 memcpy(prf_input + randbytes_len + sizeof(uint16_t), context, context_len);
10109 }
10110 ret = tls_prf_generic(hash_alg, ssl->session->master, sizeof(ssl->session->master),
10111 label, label_len,
10112 prf_input, prf_input_len,
10113 out, key_len);
10114 mbedtls_free(prf_input);
10115 return ret;
10116}
10117#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_2) */
10118
10119#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
10120static int mbedtls_ssl_tls13_export_keying_material(mbedtls_ssl_context *ssl,
10121 const mbedtls_md_type_t hash_alg,
10122 uint8_t *out,
10123 const size_t key_len,
10124 const char *label,
10125 const size_t label_len,
10126 const unsigned char *context,
10127 const size_t context_len)
10128{
10129 const psa_algorithm_t psa_hash_alg = mbedtls_md_psa_alg_from_type(hash_alg);
10130 const size_t hash_len = PSA_HASH_LENGTH(psa_hash_alg);
10131 const unsigned char *secret = ssl->session->app_secrets.exporter_master_secret;
10132
10133 /* The length of the label must be at most 249 bytes to fit into the HkdfLabel
10134 * struct as defined in RFC 8446, Section 7.1.
10135 *
10136 * The length of the context is unlimited even though the context field in the
10137 * struct can only hold up to 255 bytes. This is because we place a *hash* of
10138 * the context in the field. */
10139 if (label_len > 249) {
10140 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
10141 }
10142
10143 return mbedtls_ssl_tls13_exporter(psa_hash_alg, secret, hash_len,
10144 (const unsigned char *) label, label_len,
10145 context, context_len, out, key_len);
10146}
10147#endif /* defined(MBEDTLS_SSL_PROTO_TLS1_3) */
10148
10149int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl,
10150 uint8_t *out, const size_t key_len,
10151 const char *label, const size_t label_len,
10152 const unsigned char *context, const size_t context_len,
10153 const int use_context)
10154{
10155 if (!mbedtls_ssl_is_handshake_over(ssl)) {
10156 /* TODO: Change this to a more appropriate error code when one is available. */
10157 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
10158 }
10159
10160 if (key_len > MBEDTLS_SSL_EXPORT_MAX_KEY_LEN) {
10161 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
10162 }
10163
10164 int ciphersuite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(ssl);
10165 const mbedtls_ssl_ciphersuite_t *ciphersuite = mbedtls_ssl_ciphersuite_from_id(ciphersuite_id);
10166 const mbedtls_md_type_t hash_alg = ciphersuite->mac;
10167
10168 switch (mbedtls_ssl_get_version_number(ssl)) {
10169#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
10170 case MBEDTLS_SSL_VERSION_TLS1_2:
10171 return mbedtls_ssl_tls12_export_keying_material(ssl, hash_alg, out, key_len,
10172 label, label_len,
10173 context, context_len, use_context);
10174#endif
10175#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
10176 case MBEDTLS_SSL_VERSION_TLS1_3:
10177 return mbedtls_ssl_tls13_export_keying_material(ssl,
10178 hash_alg,
10179 out,
10180 key_len,
10181 label,
10182 label_len,
10183 use_context ? context : NULL,
10184 use_context ? context_len : 0);
10185#endif
10186 default:
10187 return MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
10188 }
10189}
10190
10191#endif /* defined(MBEDTLS_SSL_KEYING_MATERIAL_EXPORT) */
10192
10193#endif /* MBEDTLS_SSL_TLS_C */
10194