2 * SSLv3/TLSv1 shared functions
4 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
5 * SPDX-License-Identifier: GPL-2.0
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation; either version 2 of the License, or
10 * (at your option) any later version.
12 * This program is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 * GNU General Public License for more details.
17 * You should have received a copy of the GNU General Public License along
18 * with this program; if not, write to the Free Software Foundation, Inc.,
19 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
21 * This file is part of mbed TLS (https://tls.mbed.org)
24 * The SSL 3.0 specification was drafted by Netscape in 1996,
25 * and became an IETF standard in 1999.
27 * http://wp.netscape.com/eng/ssl3/
28 * http://www.ietf.org/rfc/rfc2246.txt
29 * http://www.ietf.org/rfc/rfc4346.txt
32 #if !defined(MBEDTLS_CONFIG_FILE)
33 #include "mbedtls/config.h"
35 #include MBEDTLS_CONFIG_FILE
38 #if defined(MBEDTLS_SSL_TLS_C)
40 #if defined(MBEDTLS_PLATFORM_C)
41 #include "mbedtls/platform.h"
44 #define mbedtls_calloc calloc
45 #define mbedtls_free free
48 #include "mbedtls/debug.h"
49 #include "mbedtls/ssl.h"
50 #include "mbedtls/ssl_internal.h"
54 #if defined(MBEDTLS_X509_CRT_PARSE_C)
55 #include "mbedtls/oid.h"
58 /* Implementation that should never be optimized out by the compiler */
59 static void mbedtls_zeroize( void *v
, size_t n
) {
60 volatile unsigned char *p
= v
; while( n
-- ) *p
++ = 0;
63 /* Length of the "epoch" field in the record header */
64 static inline size_t ssl_ep_len( const mbedtls_ssl_context
*ssl
)
66 #if defined(MBEDTLS_SSL_PROTO_DTLS)
67 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
77 * Passing millisecs = 0 cancels a running timer.
79 static void ssl_set_timer( mbedtls_ssl_context
*ssl
, uint32_t millisecs
)
81 if( ssl
->f_set_timer
== NULL
)
84 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs
) );
85 ssl
->f_set_timer( ssl
->p_timer
, millisecs
/ 4, millisecs
);
89 * Return -1 is timer is expired, 0 if it isn't.
91 static int ssl_check_timer( mbedtls_ssl_context
*ssl
)
93 if( ssl
->f_get_timer
== NULL
)
96 if( ssl
->f_get_timer( ssl
->p_timer
) == 2 )
98 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
105 #if defined(MBEDTLS_SSL_PROTO_DTLS)
107 * Double the retransmit timeout value, within the allowed range,
108 * returning -1 if the maximum value has already been reached.
110 static int ssl_double_retransmit_timeout( mbedtls_ssl_context
*ssl
)
112 uint32_t new_timeout
;
114 if( ssl
->handshake
->retransmit_timeout
>= ssl
->conf
->hs_timeout_max
)
117 new_timeout
= 2 * ssl
->handshake
->retransmit_timeout
;
119 /* Avoid arithmetic overflow and range overflow */
120 if( new_timeout
< ssl
->handshake
->retransmit_timeout
||
121 new_timeout
> ssl
->conf
->hs_timeout_max
)
123 new_timeout
= ssl
->conf
->hs_timeout_max
;
126 ssl
->handshake
->retransmit_timeout
= new_timeout
;
127 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
128 ssl
->handshake
->retransmit_timeout
) );
133 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context
*ssl
)
135 ssl
->handshake
->retransmit_timeout
= ssl
->conf
->hs_timeout_min
;
136 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
137 ssl
->handshake
->retransmit_timeout
) );
139 #endif /* MBEDTLS_SSL_PROTO_DTLS */
141 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
143 * Convert max_fragment_length codes to length.
146 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
147 * } MaxFragmentLength;
148 * and we add 0 -> extension unused
150 static unsigned int mfl_code_to_length
[MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
] =
152 MBEDTLS_SSL_MAX_CONTENT_LEN
, /* MBEDTLS_SSL_MAX_FRAG_LEN_NONE */
153 512, /* MBEDTLS_SSL_MAX_FRAG_LEN_512 */
154 1024, /* MBEDTLS_SSL_MAX_FRAG_LEN_1024 */
155 2048, /* MBEDTLS_SSL_MAX_FRAG_LEN_2048 */
156 4096, /* MBEDTLS_SSL_MAX_FRAG_LEN_4096 */
158 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
160 #if defined(MBEDTLS_SSL_CLI_C)
161 static int ssl_session_copy( mbedtls_ssl_session
*dst
, const mbedtls_ssl_session
*src
)
163 mbedtls_ssl_session_free( dst
);
164 memcpy( dst
, src
, sizeof( mbedtls_ssl_session
) );
166 #if defined(MBEDTLS_X509_CRT_PARSE_C)
167 if( src
->peer_cert
!= NULL
)
171 dst
->peer_cert
= mbedtls_calloc( 1, sizeof(mbedtls_x509_crt
) );
172 if( dst
->peer_cert
== NULL
)
173 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
175 mbedtls_x509_crt_init( dst
->peer_cert
);
177 if( ( ret
= mbedtls_x509_crt_parse_der( dst
->peer_cert
, src
->peer_cert
->raw
.p
,
178 src
->peer_cert
->raw
.len
) ) != 0 )
180 mbedtls_free( dst
->peer_cert
);
181 dst
->peer_cert
= NULL
;
185 #endif /* MBEDTLS_X509_CRT_PARSE_C */
187 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
188 if( src
->ticket
!= NULL
)
190 dst
->ticket
= mbedtls_calloc( 1, src
->ticket_len
);
191 if( dst
->ticket
== NULL
)
192 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
194 memcpy( dst
->ticket
, src
->ticket
, src
->ticket_len
);
196 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
200 #endif /* MBEDTLS_SSL_CLI_C */
202 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
203 int (*mbedtls_ssl_hw_record_init
)( mbedtls_ssl_context
*ssl
,
204 const unsigned char *key_enc
, const unsigned char *key_dec
,
206 const unsigned char *iv_enc
, const unsigned char *iv_dec
,
208 const unsigned char *mac_enc
, const unsigned char *mac_dec
,
209 size_t maclen
) = NULL
;
210 int (*mbedtls_ssl_hw_record_activate
)( mbedtls_ssl_context
*ssl
, int direction
) = NULL
;
211 int (*mbedtls_ssl_hw_record_reset
)( mbedtls_ssl_context
*ssl
) = NULL
;
212 int (*mbedtls_ssl_hw_record_write
)( mbedtls_ssl_context
*ssl
) = NULL
;
213 int (*mbedtls_ssl_hw_record_read
)( mbedtls_ssl_context
*ssl
) = NULL
;
214 int (*mbedtls_ssl_hw_record_finish
)( mbedtls_ssl_context
*ssl
) = NULL
;
215 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
218 * Key material generation
220 #if defined(MBEDTLS_SSL_PROTO_SSL3)
221 static int ssl3_prf( const unsigned char *secret
, size_t slen
,
223 const unsigned char *random
, size_t rlen
,
224 unsigned char *dstbuf
, size_t dlen
)
227 mbedtls_md5_context md5
;
228 mbedtls_sha1_context sha1
;
229 unsigned char padding
[16];
230 unsigned char sha1sum
[20];
233 mbedtls_md5_init( &md5
);
234 mbedtls_sha1_init( &sha1
);
239 * MD5( secret + SHA1( 'A' + secret + random ) ) +
240 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
241 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
244 for( i
= 0; i
< dlen
/ 16; i
++ )
246 memset( padding
, (unsigned char) ('A' + i
), 1 + i
);
248 mbedtls_sha1_starts( &sha1
);
249 mbedtls_sha1_update( &sha1
, padding
, 1 + i
);
250 mbedtls_sha1_update( &sha1
, secret
, slen
);
251 mbedtls_sha1_update( &sha1
, random
, rlen
);
252 mbedtls_sha1_finish( &sha1
, sha1sum
);
254 mbedtls_md5_starts( &md5
);
255 mbedtls_md5_update( &md5
, secret
, slen
);
256 mbedtls_md5_update( &md5
, sha1sum
, 20 );
257 mbedtls_md5_finish( &md5
, dstbuf
+ i
* 16 );
260 mbedtls_md5_free( &md5
);
261 mbedtls_sha1_free( &sha1
);
263 mbedtls_zeroize( padding
, sizeof( padding
) );
264 mbedtls_zeroize( sha1sum
, sizeof( sha1sum
) );
268 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
270 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
271 static int tls1_prf( const unsigned char *secret
, size_t slen
,
273 const unsigned char *random
, size_t rlen
,
274 unsigned char *dstbuf
, size_t dlen
)
278 const unsigned char *S1
, *S2
;
279 unsigned char tmp
[128];
280 unsigned char h_i
[20];
281 const mbedtls_md_info_t
*md_info
;
282 mbedtls_md_context_t md_ctx
;
285 mbedtls_md_init( &md_ctx
);
287 if( sizeof( tmp
) < 20 + strlen( label
) + rlen
)
288 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
290 hs
= ( slen
+ 1 ) / 2;
292 S2
= secret
+ slen
- hs
;
294 nb
= strlen( label
);
295 memcpy( tmp
+ 20, label
, nb
);
296 memcpy( tmp
+ 20 + nb
, random
, rlen
);
300 * First compute P_md5(secret,label+random)[0..dlen]
302 if( ( md_info
= mbedtls_md_info_from_type( MBEDTLS_MD_MD5
) ) == NULL
)
303 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
305 if( ( ret
= mbedtls_md_setup( &md_ctx
, md_info
, 1 ) ) != 0 )
308 mbedtls_md_hmac_starts( &md_ctx
, S1
, hs
);
309 mbedtls_md_hmac_update( &md_ctx
, tmp
+ 20, nb
);
310 mbedtls_md_hmac_finish( &md_ctx
, 4 + tmp
);
312 for( i
= 0; i
< dlen
; i
+= 16 )
314 mbedtls_md_hmac_reset ( &md_ctx
);
315 mbedtls_md_hmac_update( &md_ctx
, 4 + tmp
, 16 + nb
);
316 mbedtls_md_hmac_finish( &md_ctx
, h_i
);
318 mbedtls_md_hmac_reset ( &md_ctx
);
319 mbedtls_md_hmac_update( &md_ctx
, 4 + tmp
, 16 );
320 mbedtls_md_hmac_finish( &md_ctx
, 4 + tmp
);
322 k
= ( i
+ 16 > dlen
) ? dlen
% 16 : 16;
324 for( j
= 0; j
< k
; j
++ )
325 dstbuf
[i
+ j
] = h_i
[j
];
328 mbedtls_md_free( &md_ctx
);
331 * XOR out with P_sha1(secret,label+random)[0..dlen]
333 if( ( md_info
= mbedtls_md_info_from_type( MBEDTLS_MD_SHA1
) ) == NULL
)
334 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
336 if( ( ret
= mbedtls_md_setup( &md_ctx
, md_info
, 1 ) ) != 0 )
339 mbedtls_md_hmac_starts( &md_ctx
, S2
, hs
);
340 mbedtls_md_hmac_update( &md_ctx
, tmp
+ 20, nb
);
341 mbedtls_md_hmac_finish( &md_ctx
, tmp
);
343 for( i
= 0; i
< dlen
; i
+= 20 )
345 mbedtls_md_hmac_reset ( &md_ctx
);
346 mbedtls_md_hmac_update( &md_ctx
, tmp
, 20 + nb
);
347 mbedtls_md_hmac_finish( &md_ctx
, h_i
);
349 mbedtls_md_hmac_reset ( &md_ctx
);
350 mbedtls_md_hmac_update( &md_ctx
, tmp
, 20 );
351 mbedtls_md_hmac_finish( &md_ctx
, tmp
);
353 k
= ( i
+ 20 > dlen
) ? dlen
% 20 : 20;
355 for( j
= 0; j
< k
; j
++ )
356 dstbuf
[i
+ j
] = (unsigned char)( dstbuf
[i
+ j
] ^ h_i
[j
] );
359 mbedtls_md_free( &md_ctx
);
361 mbedtls_zeroize( tmp
, sizeof( tmp
) );
362 mbedtls_zeroize( h_i
, sizeof( h_i
) );
366 #endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
368 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
369 static int tls_prf_generic( mbedtls_md_type_t md_type
,
370 const unsigned char *secret
, size_t slen
,
372 const unsigned char *random
, size_t rlen
,
373 unsigned char *dstbuf
, size_t dlen
)
376 size_t i
, j
, k
, md_len
;
377 unsigned char tmp
[128];
378 unsigned char h_i
[MBEDTLS_MD_MAX_SIZE
];
379 const mbedtls_md_info_t
*md_info
;
380 mbedtls_md_context_t md_ctx
;
383 mbedtls_md_init( &md_ctx
);
385 if( ( md_info
= mbedtls_md_info_from_type( md_type
) ) == NULL
)
386 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
388 md_len
= mbedtls_md_get_size( md_info
);
390 if( sizeof( tmp
) < md_len
+ strlen( label
) + rlen
)
391 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
393 nb
= strlen( label
);
394 memcpy( tmp
+ md_len
, label
, nb
);
395 memcpy( tmp
+ md_len
+ nb
, random
, rlen
);
399 * Compute P_<hash>(secret, label + random)[0..dlen]
401 if ( ( ret
= mbedtls_md_setup( &md_ctx
, md_info
, 1 ) ) != 0 )
404 mbedtls_md_hmac_starts( &md_ctx
, secret
, slen
);
405 mbedtls_md_hmac_update( &md_ctx
, tmp
+ md_len
, nb
);
406 mbedtls_md_hmac_finish( &md_ctx
, tmp
);
408 for( i
= 0; i
< dlen
; i
+= md_len
)
410 mbedtls_md_hmac_reset ( &md_ctx
);
411 mbedtls_md_hmac_update( &md_ctx
, tmp
, md_len
+ nb
);
412 mbedtls_md_hmac_finish( &md_ctx
, h_i
);
414 mbedtls_md_hmac_reset ( &md_ctx
);
415 mbedtls_md_hmac_update( &md_ctx
, tmp
, md_len
);
416 mbedtls_md_hmac_finish( &md_ctx
, tmp
);
418 k
= ( i
+ md_len
> dlen
) ? dlen
% md_len
: md_len
;
420 for( j
= 0; j
< k
; j
++ )
421 dstbuf
[i
+ j
] = h_i
[j
];
424 mbedtls_md_free( &md_ctx
);
426 mbedtls_zeroize( tmp
, sizeof( tmp
) );
427 mbedtls_zeroize( h_i
, sizeof( h_i
) );
432 #if defined(MBEDTLS_SHA256_C)
433 static int tls_prf_sha256( const unsigned char *secret
, size_t slen
,
435 const unsigned char *random
, size_t rlen
,
436 unsigned char *dstbuf
, size_t dlen
)
438 return( tls_prf_generic( MBEDTLS_MD_SHA256
, secret
, slen
,
439 label
, random
, rlen
, dstbuf
, dlen
) );
441 #endif /* MBEDTLS_SHA256_C */
443 #if defined(MBEDTLS_SHA512_C)
444 static int tls_prf_sha384( const unsigned char *secret
, size_t slen
,
446 const unsigned char *random
, size_t rlen
,
447 unsigned char *dstbuf
, size_t dlen
)
449 return( tls_prf_generic( MBEDTLS_MD_SHA384
, secret
, slen
,
450 label
, random
, rlen
, dstbuf
, dlen
) );
452 #endif /* MBEDTLS_SHA512_C */
453 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
455 static void ssl_update_checksum_start( mbedtls_ssl_context
*, const unsigned char *, size_t );
457 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
458 defined(MBEDTLS_SSL_PROTO_TLS1_1)
459 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context
*, const unsigned char *, size_t );
462 #if defined(MBEDTLS_SSL_PROTO_SSL3)
463 static void ssl_calc_verify_ssl( mbedtls_ssl_context
*, unsigned char * );
464 static void ssl_calc_finished_ssl( mbedtls_ssl_context
*, unsigned char *, int );
467 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
468 static void ssl_calc_verify_tls( mbedtls_ssl_context
*, unsigned char * );
469 static void ssl_calc_finished_tls( mbedtls_ssl_context
*, unsigned char *, int );
472 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
473 #if defined(MBEDTLS_SHA256_C)
474 static void ssl_update_checksum_sha256( mbedtls_ssl_context
*, const unsigned char *, size_t );
475 static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context
*,unsigned char * );
476 static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context
*,unsigned char *, int );
479 #if defined(MBEDTLS_SHA512_C)
480 static void ssl_update_checksum_sha384( mbedtls_ssl_context
*, const unsigned char *, size_t );
481 static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context
*, unsigned char * );
482 static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context
*, unsigned char *, int );
484 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
486 int mbedtls_ssl_derive_keys( mbedtls_ssl_context
*ssl
)
489 unsigned char tmp
[64];
490 unsigned char keyblk
[256];
493 unsigned char *mac_enc
;
494 unsigned char *mac_dec
;
496 const mbedtls_cipher_info_t
*cipher_info
;
497 const mbedtls_md_info_t
*md_info
;
499 mbedtls_ssl_session
*session
= ssl
->session_negotiate
;
500 mbedtls_ssl_transform
*transform
= ssl
->transform_negotiate
;
501 mbedtls_ssl_handshake_params
*handshake
= ssl
->handshake
;
503 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
505 cipher_info
= mbedtls_cipher_info_from_type( transform
->ciphersuite_info
->cipher
);
506 if( cipher_info
== NULL
)
508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
509 transform
->ciphersuite_info
->cipher
) );
510 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
513 md_info
= mbedtls_md_info_from_type( transform
->ciphersuite_info
->mac
);
514 if( md_info
== NULL
)
516 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
517 transform
->ciphersuite_info
->mac
) );
518 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
522 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
524 #if defined(MBEDTLS_SSL_PROTO_SSL3)
525 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
527 handshake
->tls_prf
= ssl3_prf
;
528 handshake
->calc_verify
= ssl_calc_verify_ssl
;
529 handshake
->calc_finished
= ssl_calc_finished_ssl
;
533 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
534 if( ssl
->minor_ver
< MBEDTLS_SSL_MINOR_VERSION_3
)
536 handshake
->tls_prf
= tls1_prf
;
537 handshake
->calc_verify
= ssl_calc_verify_tls
;
538 handshake
->calc_finished
= ssl_calc_finished_tls
;
542 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
543 #if defined(MBEDTLS_SHA512_C)
544 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
&&
545 transform
->ciphersuite_info
->mac
== MBEDTLS_MD_SHA384
)
547 handshake
->tls_prf
= tls_prf_sha384
;
548 handshake
->calc_verify
= ssl_calc_verify_tls_sha384
;
549 handshake
->calc_finished
= ssl_calc_finished_tls_sha384
;
553 #if defined(MBEDTLS_SHA256_C)
554 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
556 handshake
->tls_prf
= tls_prf_sha256
;
557 handshake
->calc_verify
= ssl_calc_verify_tls_sha256
;
558 handshake
->calc_finished
= ssl_calc_finished_tls_sha256
;
562 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
564 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
565 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
571 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
572 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
573 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
576 * master = PRF( premaster, "master secret", randbytes )[0..47]
578 if( handshake
->resume
== 0 )
580 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake
->premaster
,
583 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
584 if( ssl
->handshake
->extended_ms
== MBEDTLS_SSL_EXTENDED_MS_ENABLED
)
586 unsigned char session_hash
[48];
589 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
591 ssl
->handshake
->calc_verify( ssl
, session_hash
);
593 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
594 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
596 #if defined(MBEDTLS_SHA512_C)
597 if( ssl
->transform_negotiate
->ciphersuite_info
->mac
==
607 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
610 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash
, hash_len
);
612 ret
= handshake
->tls_prf( handshake
->premaster
, handshake
->pmslen
,
613 "extended master secret",
614 session_hash
, hash_len
,
615 session
->master
, 48 );
618 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret
);
625 ret
= handshake
->tls_prf( handshake
->premaster
, handshake
->pmslen
,
627 handshake
->randbytes
, 64,
628 session
->master
, 48 );
631 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret
);
635 mbedtls_zeroize( handshake
->premaster
, sizeof(handshake
->premaster
) );
638 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
641 * Swap the client and server random values.
643 memcpy( tmp
, handshake
->randbytes
, 64 );
644 memcpy( handshake
->randbytes
, tmp
+ 32, 32 );
645 memcpy( handshake
->randbytes
+ 32, tmp
, 32 );
646 mbedtls_zeroize( tmp
, sizeof( tmp
) );
651 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
652 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
653 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
654 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
658 * key block = PRF( master, "key expansion", randbytes )
660 ret
= handshake
->tls_prf( session
->master
, 48, "key expansion",
661 handshake
->randbytes
, 64, keyblk
, 256 );
664 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret
);
668 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
669 mbedtls_ssl_get_ciphersuite_name( session
->ciphersuite
) ) );
670 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session
->master
, 48 );
671 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake
->randbytes
, 64 );
672 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk
, 256 );
674 mbedtls_zeroize( handshake
->randbytes
, sizeof( handshake
->randbytes
) );
677 * Determine the appropriate key, IV and MAC length.
680 transform
->keylen
= cipher_info
->key_bitlen
/ 8;
682 if( cipher_info
->mode
== MBEDTLS_MODE_GCM
||
683 cipher_info
->mode
== MBEDTLS_MODE_CCM
)
685 transform
->maclen
= 0;
687 transform
->ivlen
= 12;
688 transform
->fixed_ivlen
= 4;
690 /* Minimum length is expicit IV + tag */
691 transform
->minlen
= transform
->ivlen
- transform
->fixed_ivlen
692 + ( transform
->ciphersuite_info
->flags
&
693 MBEDTLS_CIPHERSUITE_SHORT_TAG
? 8 : 16 );
697 /* Initialize HMAC contexts */
698 if( ( ret
= mbedtls_md_setup( &transform
->md_ctx_enc
, md_info
, 1 ) ) != 0 ||
699 ( ret
= mbedtls_md_setup( &transform
->md_ctx_dec
, md_info
, 1 ) ) != 0 )
701 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret
);
706 transform
->maclen
= mbedtls_md_get_size( md_info
);
708 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
710 * If HMAC is to be truncated, we shall keep the leftmost bytes,
711 * (rfc 6066 page 13 or rfc 2104 section 4),
712 * so we only need to adjust the length here.
714 if( session
->trunc_hmac
== MBEDTLS_SSL_TRUNC_HMAC_ENABLED
)
715 transform
->maclen
= MBEDTLS_SSL_TRUNCATED_HMAC_LEN
;
716 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
719 transform
->ivlen
= cipher_info
->iv_size
;
722 if( cipher_info
->mode
== MBEDTLS_MODE_STREAM
)
723 transform
->minlen
= transform
->maclen
;
727 * GenericBlockCipher:
728 * 1. if EtM is in use: one block plus MAC
729 * otherwise: * first multiple of blocklen greater than maclen
730 * 2. IV except for SSL3 and TLS 1.0
732 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
733 if( session
->encrypt_then_mac
== MBEDTLS_SSL_ETM_ENABLED
)
735 transform
->minlen
= transform
->maclen
736 + cipher_info
->block_size
;
741 transform
->minlen
= transform
->maclen
742 + cipher_info
->block_size
743 - transform
->maclen
% cipher_info
->block_size
;
746 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
747 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
||
748 ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_1
)
749 ; /* No need to adjust minlen */
752 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
753 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_2
||
754 ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_3
)
756 transform
->minlen
+= transform
->ivlen
;
761 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
762 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
767 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
768 transform
->keylen
, transform
->minlen
, transform
->ivlen
,
769 transform
->maclen
) );
772 * Finally setup the cipher contexts, IVs and MAC secrets.
774 #if defined(MBEDTLS_SSL_CLI_C)
775 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_CLIENT
)
777 key1
= keyblk
+ transform
->maclen
* 2;
778 key2
= keyblk
+ transform
->maclen
* 2 + transform
->keylen
;
781 mac_dec
= keyblk
+ transform
->maclen
;
784 * This is not used in TLS v1.1.
786 iv_copy_len
= ( transform
->fixed_ivlen
) ?
787 transform
->fixed_ivlen
: transform
->ivlen
;
788 memcpy( transform
->iv_enc
, key2
+ transform
->keylen
, iv_copy_len
);
789 memcpy( transform
->iv_dec
, key2
+ transform
->keylen
+ iv_copy_len
,
793 #endif /* MBEDTLS_SSL_CLI_C */
794 #if defined(MBEDTLS_SSL_SRV_C)
795 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
)
797 key1
= keyblk
+ transform
->maclen
* 2 + transform
->keylen
;
798 key2
= keyblk
+ transform
->maclen
* 2;
800 mac_enc
= keyblk
+ transform
->maclen
;
804 * This is not used in TLS v1.1.
806 iv_copy_len
= ( transform
->fixed_ivlen
) ?
807 transform
->fixed_ivlen
: transform
->ivlen
;
808 memcpy( transform
->iv_dec
, key1
+ transform
->keylen
, iv_copy_len
);
809 memcpy( transform
->iv_enc
, key1
+ transform
->keylen
+ iv_copy_len
,
813 #endif /* MBEDTLS_SSL_SRV_C */
815 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
816 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
819 #if defined(MBEDTLS_SSL_PROTO_SSL3)
820 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
822 if( transform
->maclen
> sizeof transform
->mac_enc
)
824 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
825 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
828 memcpy( transform
->mac_enc
, mac_enc
, transform
->maclen
);
829 memcpy( transform
->mac_dec
, mac_dec
, transform
->maclen
);
832 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
833 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
834 defined(MBEDTLS_SSL_PROTO_TLS1_2)
835 if( ssl
->minor_ver
>= MBEDTLS_SSL_MINOR_VERSION_1
)
837 mbedtls_md_hmac_starts( &transform
->md_ctx_enc
, mac_enc
, transform
->maclen
);
838 mbedtls_md_hmac_starts( &transform
->md_ctx_dec
, mac_dec
, transform
->maclen
);
843 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
844 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
847 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
848 if( mbedtls_ssl_hw_record_init
!= NULL
)
852 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
854 if( ( ret
= mbedtls_ssl_hw_record_init( ssl
, key1
, key2
, transform
->keylen
,
855 transform
->iv_enc
, transform
->iv_dec
,
858 transform
->maclen
) ) != 0 )
860 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret
);
861 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
);
864 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
866 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
867 if( ssl
->conf
->f_export_keys
!= NULL
)
869 ssl
->conf
->f_export_keys( ssl
->conf
->p_export_keys
,
870 session
->master
, keyblk
,
871 transform
->maclen
, transform
->keylen
,
876 if( ( ret
= mbedtls_cipher_setup( &transform
->cipher_ctx_enc
,
877 cipher_info
) ) != 0 )
879 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret
);
883 if( ( ret
= mbedtls_cipher_setup( &transform
->cipher_ctx_dec
,
884 cipher_info
) ) != 0 )
886 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret
);
890 if( ( ret
= mbedtls_cipher_setkey( &transform
->cipher_ctx_enc
, key1
,
891 cipher_info
->key_bitlen
,
892 MBEDTLS_ENCRYPT
) ) != 0 )
894 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret
);
898 if( ( ret
= mbedtls_cipher_setkey( &transform
->cipher_ctx_dec
, key2
,
899 cipher_info
->key_bitlen
,
900 MBEDTLS_DECRYPT
) ) != 0 )
902 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret
);
906 #if defined(MBEDTLS_CIPHER_MODE_CBC)
907 if( cipher_info
->mode
== MBEDTLS_MODE_CBC
)
909 if( ( ret
= mbedtls_cipher_set_padding_mode( &transform
->cipher_ctx_enc
,
910 MBEDTLS_PADDING_NONE
) ) != 0 )
912 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret
);
916 if( ( ret
= mbedtls_cipher_set_padding_mode( &transform
->cipher_ctx_dec
,
917 MBEDTLS_PADDING_NONE
) ) != 0 )
919 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret
);
923 #endif /* MBEDTLS_CIPHER_MODE_CBC */
925 mbedtls_zeroize( keyblk
, sizeof( keyblk
) );
927 #if defined(MBEDTLS_ZLIB_SUPPORT)
928 // Initialize compression
930 if( session
->compression
== MBEDTLS_SSL_COMPRESS_DEFLATE
)
932 if( ssl
->compress_buf
== NULL
)
934 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
935 ssl
->compress_buf
= mbedtls_calloc( 1, MBEDTLS_SSL_BUFFER_LEN
);
936 if( ssl
->compress_buf
== NULL
)
938 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
939 MBEDTLS_SSL_BUFFER_LEN
) );
940 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
946 memset( &transform
->ctx_deflate
, 0, sizeof( transform
->ctx_deflate
) );
947 memset( &transform
->ctx_inflate
, 0, sizeof( transform
->ctx_inflate
) );
949 if( deflateInit( &transform
->ctx_deflate
,
950 Z_DEFAULT_COMPRESSION
) != Z_OK
||
951 inflateInit( &transform
->ctx_inflate
) != Z_OK
)
953 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
954 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED
);
957 #endif /* MBEDTLS_ZLIB_SUPPORT */
959 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
964 #if defined(MBEDTLS_SSL_PROTO_SSL3)
965 void ssl_calc_verify_ssl( mbedtls_ssl_context
*ssl
, unsigned char hash
[36] )
967 mbedtls_md5_context md5
;
968 mbedtls_sha1_context sha1
;
969 unsigned char pad_1
[48];
970 unsigned char pad_2
[48];
972 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
974 mbedtls_md5_init( &md5
);
975 mbedtls_sha1_init( &sha1
);
977 mbedtls_md5_clone( &md5
, &ssl
->handshake
->fin_md5
);
978 mbedtls_sha1_clone( &sha1
, &ssl
->handshake
->fin_sha1
);
980 memset( pad_1
, 0x36, 48 );
981 memset( pad_2
, 0x5C, 48 );
983 mbedtls_md5_update( &md5
, ssl
->session_negotiate
->master
, 48 );
984 mbedtls_md5_update( &md5
, pad_1
, 48 );
985 mbedtls_md5_finish( &md5
, hash
);
987 mbedtls_md5_starts( &md5
);
988 mbedtls_md5_update( &md5
, ssl
->session_negotiate
->master
, 48 );
989 mbedtls_md5_update( &md5
, pad_2
, 48 );
990 mbedtls_md5_update( &md5
, hash
, 16 );
991 mbedtls_md5_finish( &md5
, hash
);
993 mbedtls_sha1_update( &sha1
, ssl
->session_negotiate
->master
, 48 );
994 mbedtls_sha1_update( &sha1
, pad_1
, 40 );
995 mbedtls_sha1_finish( &sha1
, hash
+ 16 );
997 mbedtls_sha1_starts( &sha1
);
998 mbedtls_sha1_update( &sha1
, ssl
->session_negotiate
->master
, 48 );
999 mbedtls_sha1_update( &sha1
, pad_2
, 40 );
1000 mbedtls_sha1_update( &sha1
, hash
+ 16, 20 );
1001 mbedtls_sha1_finish( &sha1
, hash
+ 16 );
1003 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash
, 36 );
1004 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1006 mbedtls_md5_free( &md5
);
1007 mbedtls_sha1_free( &sha1
);
1011 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
1013 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
1014 void ssl_calc_verify_tls( mbedtls_ssl_context
*ssl
, unsigned char hash
[36] )
1016 mbedtls_md5_context md5
;
1017 mbedtls_sha1_context sha1
;
1019 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
1021 mbedtls_md5_init( &md5
);
1022 mbedtls_sha1_init( &sha1
);
1024 mbedtls_md5_clone( &md5
, &ssl
->handshake
->fin_md5
);
1025 mbedtls_sha1_clone( &sha1
, &ssl
->handshake
->fin_sha1
);
1027 mbedtls_md5_finish( &md5
, hash
);
1028 mbedtls_sha1_finish( &sha1
, hash
+ 16 );
1030 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash
, 36 );
1031 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1033 mbedtls_md5_free( &md5
);
1034 mbedtls_sha1_free( &sha1
);
1038 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
1040 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1041 #if defined(MBEDTLS_SHA256_C)
1042 void ssl_calc_verify_tls_sha256( mbedtls_ssl_context
*ssl
, unsigned char hash
[32] )
1044 mbedtls_sha256_context sha256
;
1046 mbedtls_sha256_init( &sha256
);
1048 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
1050 mbedtls_sha256_clone( &sha256
, &ssl
->handshake
->fin_sha256
);
1051 mbedtls_sha256_finish( &sha256
, hash
);
1053 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash
, 32 );
1054 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1056 mbedtls_sha256_free( &sha256
);
1060 #endif /* MBEDTLS_SHA256_C */
1062 #if defined(MBEDTLS_SHA512_C)
1063 void ssl_calc_verify_tls_sha384( mbedtls_ssl_context
*ssl
, unsigned char hash
[48] )
1065 mbedtls_sha512_context sha512
;
1067 mbedtls_sha512_init( &sha512
);
1069 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
1071 mbedtls_sha512_clone( &sha512
, &ssl
->handshake
->fin_sha512
);
1072 mbedtls_sha512_finish( &sha512
, hash
);
1074 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash
, 48 );
1075 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1077 mbedtls_sha512_free( &sha512
);
1081 #endif /* MBEDTLS_SHA512_C */
1082 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1084 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1085 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context
*ssl
, mbedtls_key_exchange_type_t key_ex
)
1087 unsigned char *p
= ssl
->handshake
->premaster
;
1088 unsigned char *end
= p
+ sizeof( ssl
->handshake
->premaster
);
1089 const unsigned char *psk
= ssl
->conf
->psk
;
1090 size_t psk_len
= ssl
->conf
->psk_len
;
1092 /* If the psk callback was called, use its result */
1093 if( ssl
->handshake
->psk
!= NULL
)
1095 psk
= ssl
->handshake
->psk
;
1096 psk_len
= ssl
->handshake
->psk_len
;
1101 * opaque other_secret<0..2^16-1>;
1102 * opaque psk<0..2^16-1>;
1104 * with "other_secret" depending on the particular key exchange
1106 #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1107 if( key_ex
== MBEDTLS_KEY_EXCHANGE_PSK
)
1110 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
1112 *(p
++) = (unsigned char)( psk_len
>> 8 );
1113 *(p
++) = (unsigned char)( psk_len
);
1115 if( end
< p
|| (size_t)( end
- p
) < psk_len
)
1116 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
1118 memset( p
, 0, psk_len
);
1122 #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
1123 #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1124 if( key_ex
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
)
1127 * other_secret already set by the ClientKeyExchange message,
1128 * and is 48 bytes long
1135 #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1136 #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1137 if( key_ex
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
)
1142 /* Write length only when we know the actual value */
1143 if( ( ret
= mbedtls_dhm_calc_secret( &ssl
->handshake
->dhm_ctx
,
1144 p
+ 2, end
- ( p
+ 2 ), &len
,
1145 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
1147 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret
);
1150 *(p
++) = (unsigned char)( len
>> 8 );
1151 *(p
++) = (unsigned char)( len
);
1154 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl
->handshake
->dhm_ctx
.K
);
1157 #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1158 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1159 if( key_ex
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
)
1164 if( ( ret
= mbedtls_ecdh_calc_secret( &ssl
->handshake
->ecdh_ctx
, &zlen
,
1165 p
+ 2, end
- ( p
+ 2 ),
1166 ssl
->conf
->f_rng
, ssl
->conf
->p_rng
) ) != 0 )
1168 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret
);
1172 *(p
++) = (unsigned char)( zlen
>> 8 );
1173 *(p
++) = (unsigned char)( zlen
);
1176 MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl
->handshake
->ecdh_ctx
.z
);
1179 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1181 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1182 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1185 /* opaque psk<0..2^16-1>; */
1187 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
1189 *(p
++) = (unsigned char)( psk_len
>> 8 );
1190 *(p
++) = (unsigned char)( psk_len
);
1192 if( end
< p
|| (size_t)( end
- p
) < psk_len
)
1193 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
1195 memcpy( p
, psk
, psk_len
);
1198 ssl
->handshake
->pmslen
= p
- ssl
->handshake
->premaster
;
1202 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
1204 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1206 * SSLv3.0 MAC functions
1208 static void ssl_mac( mbedtls_md_context_t
*md_ctx
, unsigned char *secret
,
1209 unsigned char *buf
, size_t len
,
1210 unsigned char *ctr
, int type
)
1212 unsigned char header
[11];
1213 unsigned char padding
[48];
1215 int md_size
= mbedtls_md_get_size( md_ctx
->md_info
);
1216 int md_type
= mbedtls_md_get_type( md_ctx
->md_info
);
1218 /* Only MD5 and SHA-1 supported */
1219 if( md_type
== MBEDTLS_MD_MD5
)
1224 memcpy( header
, ctr
, 8 );
1225 header
[ 8] = (unsigned char) type
;
1226 header
[ 9] = (unsigned char)( len
>> 8 );
1227 header
[10] = (unsigned char)( len
);
1229 memset( padding
, 0x36, padlen
);
1230 mbedtls_md_starts( md_ctx
);
1231 mbedtls_md_update( md_ctx
, secret
, md_size
);
1232 mbedtls_md_update( md_ctx
, padding
, padlen
);
1233 mbedtls_md_update( md_ctx
, header
, 11 );
1234 mbedtls_md_update( md_ctx
, buf
, len
);
1235 mbedtls_md_finish( md_ctx
, buf
+ len
);
1237 memset( padding
, 0x5C, padlen
);
1238 mbedtls_md_starts( md_ctx
);
1239 mbedtls_md_update( md_ctx
, secret
, md_size
);
1240 mbedtls_md_update( md_ctx
, padding
, padlen
);
1241 mbedtls_md_update( md_ctx
, buf
+ len
, md_size
);
1242 mbedtls_md_finish( md_ctx
, buf
+ len
);
1244 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
1246 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
1247 ( defined(MBEDTLS_CIPHER_MODE_CBC) && \
1248 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) ) )
1249 #define SSL_SOME_MODES_USE_MAC
1253 * Encryption/decryption functions
1255 static int ssl_encrypt_buf( mbedtls_ssl_context
*ssl
)
1257 mbedtls_cipher_mode_t mode
;
1260 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
1262 if( ssl
->session_out
== NULL
|| ssl
->transform_out
== NULL
)
1264 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1265 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1268 mode
= mbedtls_cipher_get_cipher_mode( &ssl
->transform_out
->cipher_ctx_enc
);
1270 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1271 ssl
->out_msg
, ssl
->out_msglen
);
1274 * Add MAC before if needed
1276 #if defined(SSL_SOME_MODES_USE_MAC)
1277 if( mode
== MBEDTLS_MODE_STREAM
||
1278 ( mode
== MBEDTLS_MODE_CBC
1279 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1280 && ssl
->session_out
->encrypt_then_mac
== MBEDTLS_SSL_ETM_DISABLED
1284 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1285 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
1287 ssl_mac( &ssl
->transform_out
->md_ctx_enc
,
1288 ssl
->transform_out
->mac_enc
,
1289 ssl
->out_msg
, ssl
->out_msglen
,
1290 ssl
->out_ctr
, ssl
->out_msgtype
);
1294 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1295 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1296 if( ssl
->minor_ver
>= MBEDTLS_SSL_MINOR_VERSION_1
)
1298 mbedtls_md_hmac_update( &ssl
->transform_out
->md_ctx_enc
, ssl
->out_ctr
, 8 );
1299 mbedtls_md_hmac_update( &ssl
->transform_out
->md_ctx_enc
, ssl
->out_hdr
, 3 );
1300 mbedtls_md_hmac_update( &ssl
->transform_out
->md_ctx_enc
, ssl
->out_len
, 2 );
1301 mbedtls_md_hmac_update( &ssl
->transform_out
->md_ctx_enc
,
1302 ssl
->out_msg
, ssl
->out_msglen
);
1303 mbedtls_md_hmac_finish( &ssl
->transform_out
->md_ctx_enc
,
1304 ssl
->out_msg
+ ssl
->out_msglen
);
1305 mbedtls_md_hmac_reset( &ssl
->transform_out
->md_ctx_enc
);
1310 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1311 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1314 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
1315 ssl
->out_msg
+ ssl
->out_msglen
,
1316 ssl
->transform_out
->maclen
);
1318 ssl
->out_msglen
+= ssl
->transform_out
->maclen
;
1321 #endif /* AEAD not the only option */
1326 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1327 if( mode
== MBEDTLS_MODE_STREAM
)
1332 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1333 "including %d bytes of padding",
1334 ssl
->out_msglen
, 0 ) );
1336 if( ( ret
= mbedtls_cipher_crypt( &ssl
->transform_out
->cipher_ctx_enc
,
1337 ssl
->transform_out
->iv_enc
,
1338 ssl
->transform_out
->ivlen
,
1339 ssl
->out_msg
, ssl
->out_msglen
,
1340 ssl
->out_msg
, &olen
) ) != 0 )
1342 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret
);
1346 if( ssl
->out_msglen
!= olen
)
1348 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1349 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1353 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
1354 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
1355 if( mode
== MBEDTLS_MODE_GCM
||
1356 mode
== MBEDTLS_MODE_CCM
)
1359 size_t enc_msglen
, olen
;
1360 unsigned char *enc_msg
;
1361 unsigned char add_data
[13];
1362 unsigned char taglen
= ssl
->transform_out
->ciphersuite_info
->flags
&
1363 MBEDTLS_CIPHERSUITE_SHORT_TAG
? 8 : 16;
1365 memcpy( add_data
, ssl
->out_ctr
, 8 );
1366 add_data
[8] = ssl
->out_msgtype
;
1367 mbedtls_ssl_write_version( ssl
->major_ver
, ssl
->minor_ver
,
1368 ssl
->conf
->transport
, add_data
+ 9 );
1369 add_data
[11] = ( ssl
->out_msglen
>> 8 ) & 0xFF;
1370 add_data
[12] = ssl
->out_msglen
& 0xFF;
1372 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1378 if( ssl
->transform_out
->ivlen
- ssl
->transform_out
->fixed_ivlen
!= 8 )
1380 /* Reminder if we ever add an AEAD mode with a different size */
1381 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1382 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1385 memcpy( ssl
->transform_out
->iv_enc
+ ssl
->transform_out
->fixed_ivlen
,
1387 memcpy( ssl
->out_iv
, ssl
->out_ctr
, 8 );
1389 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl
->out_iv
,
1390 ssl
->transform_out
->ivlen
- ssl
->transform_out
->fixed_ivlen
);
1393 * Fix pointer positions and message length with added IV
1395 enc_msg
= ssl
->out_msg
;
1396 enc_msglen
= ssl
->out_msglen
;
1397 ssl
->out_msglen
+= ssl
->transform_out
->ivlen
-
1398 ssl
->transform_out
->fixed_ivlen
;
1400 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1401 "including %d bytes of padding",
1402 ssl
->out_msglen
, 0 ) );
1405 * Encrypt and authenticate
1407 if( ( ret
= mbedtls_cipher_auth_encrypt( &ssl
->transform_out
->cipher_ctx_enc
,
1408 ssl
->transform_out
->iv_enc
,
1409 ssl
->transform_out
->ivlen
,
1411 enc_msg
, enc_msglen
,
1413 enc_msg
+ enc_msglen
, taglen
) ) != 0 )
1415 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret
);
1419 if( olen
!= enc_msglen
)
1421 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1422 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1425 ssl
->out_msglen
+= taglen
;
1428 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg
+ enc_msglen
, taglen
);
1431 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1432 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \
1433 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) )
1434 if( mode
== MBEDTLS_MODE_CBC
)
1437 unsigned char *enc_msg
;
1438 size_t enc_msglen
, padlen
, olen
= 0, i
;
1440 padlen
= ssl
->transform_out
->ivlen
- ( ssl
->out_msglen
+ 1 ) %
1441 ssl
->transform_out
->ivlen
;
1442 if( padlen
== ssl
->transform_out
->ivlen
)
1445 for( i
= 0; i
<= padlen
; i
++ )
1446 ssl
->out_msg
[ssl
->out_msglen
+ i
] = (unsigned char) padlen
;
1448 ssl
->out_msglen
+= padlen
+ 1;
1450 enc_msglen
= ssl
->out_msglen
;
1451 enc_msg
= ssl
->out_msg
;
1453 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1455 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1456 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1458 if( ssl
->minor_ver
>= MBEDTLS_SSL_MINOR_VERSION_2
)
1463 ret
= ssl
->conf
->f_rng( ssl
->conf
->p_rng
, ssl
->transform_out
->iv_enc
,
1464 ssl
->transform_out
->ivlen
);
1468 memcpy( ssl
->out_iv
, ssl
->transform_out
->iv_enc
,
1469 ssl
->transform_out
->ivlen
);
1472 * Fix pointer positions and message length with added IV
1474 enc_msg
= ssl
->out_msg
;
1475 enc_msglen
= ssl
->out_msglen
;
1476 ssl
->out_msglen
+= ssl
->transform_out
->ivlen
;
1478 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
1480 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1481 "including %d bytes of IV and %d bytes of padding",
1482 ssl
->out_msglen
, ssl
->transform_out
->ivlen
,
1485 if( ( ret
= mbedtls_cipher_crypt( &ssl
->transform_out
->cipher_ctx_enc
,
1486 ssl
->transform_out
->iv_enc
,
1487 ssl
->transform_out
->ivlen
,
1488 enc_msg
, enc_msglen
,
1489 enc_msg
, &olen
) ) != 0 )
1491 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret
);
1495 if( enc_msglen
!= olen
)
1497 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1498 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1501 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
1502 if( ssl
->minor_ver
< MBEDTLS_SSL_MINOR_VERSION_2
)
1505 * Save IV in SSL3 and TLS1
1507 memcpy( ssl
->transform_out
->iv_enc
,
1508 ssl
->transform_out
->cipher_ctx_enc
.iv
,
1509 ssl
->transform_out
->ivlen
);
1513 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1514 if( auth_done
== 0 )
1517 * MAC(MAC_write_key, seq_num +
1518 * TLSCipherText.type +
1519 * TLSCipherText.version +
1520 * length_of( (IV +) ENC(...) ) +
1521 * IV + // except for TLS 1.0
1522 * ENC(content + padding + padding_length));
1524 unsigned char pseudo_hdr
[13];
1526 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1528 memcpy( pseudo_hdr
+ 0, ssl
->out_ctr
, 8 );
1529 memcpy( pseudo_hdr
+ 8, ssl
->out_hdr
, 3 );
1530 pseudo_hdr
[11] = (unsigned char)( ( ssl
->out_msglen
>> 8 ) & 0xFF );
1531 pseudo_hdr
[12] = (unsigned char)( ( ssl
->out_msglen
) & 0xFF );
1533 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr
, 13 );
1535 mbedtls_md_hmac_update( &ssl
->transform_out
->md_ctx_enc
, pseudo_hdr
, 13 );
1536 mbedtls_md_hmac_update( &ssl
->transform_out
->md_ctx_enc
,
1537 ssl
->out_iv
, ssl
->out_msglen
);
1538 mbedtls_md_hmac_finish( &ssl
->transform_out
->md_ctx_enc
,
1539 ssl
->out_iv
+ ssl
->out_msglen
);
1540 mbedtls_md_hmac_reset( &ssl
->transform_out
->md_ctx_enc
);
1542 ssl
->out_msglen
+= ssl
->transform_out
->maclen
;
1545 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1548 #endif /* MBEDTLS_CIPHER_MODE_CBC &&
1549 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */
1551 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1552 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1555 /* Make extra sure authentication was performed, exactly once */
1556 if( auth_done
!= 1 )
1558 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1559 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1562 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1567 #define SSL_MAX_MAC_SIZE 48
1569 static int ssl_decrypt_buf( mbedtls_ssl_context
*ssl
)
1572 mbedtls_cipher_mode_t mode
;
1574 #if defined(SSL_SOME_MODES_USE_MAC)
1575 size_t padlen
= 0, correct
= 1;
1578 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1580 if( ssl
->session_in
== NULL
|| ssl
->transform_in
== NULL
)
1582 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1583 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1586 mode
= mbedtls_cipher_get_cipher_mode( &ssl
->transform_in
->cipher_ctx_dec
);
1588 if( ssl
->in_msglen
< ssl
->transform_in
->minlen
)
1590 MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1591 ssl
->in_msglen
, ssl
->transform_in
->minlen
) );
1592 return( MBEDTLS_ERR_SSL_INVALID_MAC
);
1595 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1596 if( mode
== MBEDTLS_MODE_STREAM
)
1603 if( ( ret
= mbedtls_cipher_crypt( &ssl
->transform_in
->cipher_ctx_dec
,
1604 ssl
->transform_in
->iv_dec
,
1605 ssl
->transform_in
->ivlen
,
1606 ssl
->in_msg
, ssl
->in_msglen
,
1607 ssl
->in_msg
, &olen
) ) != 0 )
1609 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret
);
1613 if( ssl
->in_msglen
!= olen
)
1615 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1616 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1620 #endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
1621 #if defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)
1622 if( mode
== MBEDTLS_MODE_GCM
||
1623 mode
== MBEDTLS_MODE_CCM
)
1626 size_t dec_msglen
, olen
;
1627 unsigned char *dec_msg
;
1628 unsigned char *dec_msg_result
;
1629 unsigned char add_data
[13];
1630 unsigned char taglen
= ssl
->transform_in
->ciphersuite_info
->flags
&
1631 MBEDTLS_CIPHERSUITE_SHORT_TAG
? 8 : 16;
1632 size_t explicit_iv_len
= ssl
->transform_in
->ivlen
-
1633 ssl
->transform_in
->fixed_ivlen
;
1635 if( ssl
->in_msglen
< explicit_iv_len
+ taglen
)
1637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
1638 "+ taglen (%d)", ssl
->in_msglen
,
1639 explicit_iv_len
, taglen
) );
1640 return( MBEDTLS_ERR_SSL_INVALID_MAC
);
1642 dec_msglen
= ssl
->in_msglen
- explicit_iv_len
- taglen
;
1644 dec_msg
= ssl
->in_msg
;
1645 dec_msg_result
= ssl
->in_msg
;
1646 ssl
->in_msglen
= dec_msglen
;
1648 memcpy( add_data
, ssl
->in_ctr
, 8 );
1649 add_data
[8] = ssl
->in_msgtype
;
1650 mbedtls_ssl_write_version( ssl
->major_ver
, ssl
->minor_ver
,
1651 ssl
->conf
->transport
, add_data
+ 9 );
1652 add_data
[11] = ( ssl
->in_msglen
>> 8 ) & 0xFF;
1653 add_data
[12] = ssl
->in_msglen
& 0xFF;
1655 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1658 memcpy( ssl
->transform_in
->iv_dec
+ ssl
->transform_in
->fixed_ivlen
,
1660 ssl
->transform_in
->ivlen
- ssl
->transform_in
->fixed_ivlen
);
1662 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", ssl
->transform_in
->iv_dec
,
1663 ssl
->transform_in
->ivlen
);
1664 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg
+ dec_msglen
, taglen
);
1667 * Decrypt and authenticate
1669 if( ( ret
= mbedtls_cipher_auth_decrypt( &ssl
->transform_in
->cipher_ctx_dec
,
1670 ssl
->transform_in
->iv_dec
,
1671 ssl
->transform_in
->ivlen
,
1673 dec_msg
, dec_msglen
,
1674 dec_msg_result
, &olen
,
1675 dec_msg
+ dec_msglen
, taglen
) ) != 0 )
1677 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret
);
1679 if( ret
== MBEDTLS_ERR_CIPHER_AUTH_FAILED
)
1680 return( MBEDTLS_ERR_SSL_INVALID_MAC
);
1686 if( olen
!= dec_msglen
)
1688 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1689 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1693 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1694 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \
1695 ( defined(MBEDTLS_AES_C) || defined(MBEDTLS_CAMELLIA_C) )
1696 if( mode
== MBEDTLS_MODE_CBC
)
1699 * Decrypt and check the padding
1702 unsigned char *dec_msg
;
1703 unsigned char *dec_msg_result
;
1709 * Check immediate ciphertext sanity
1711 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1712 if( ssl
->minor_ver
>= MBEDTLS_SSL_MINOR_VERSION_2
)
1713 minlen
+= ssl
->transform_in
->ivlen
;
1716 if( ssl
->in_msglen
< minlen
+ ssl
->transform_in
->ivlen
||
1717 ssl
->in_msglen
< minlen
+ ssl
->transform_in
->maclen
+ 1 )
1719 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
1720 "+ 1 ) ( + expl IV )", ssl
->in_msglen
,
1721 ssl
->transform_in
->ivlen
,
1722 ssl
->transform_in
->maclen
) );
1723 return( MBEDTLS_ERR_SSL_INVALID_MAC
);
1726 dec_msglen
= ssl
->in_msglen
;
1727 dec_msg
= ssl
->in_msg
;
1728 dec_msg_result
= ssl
->in_msg
;
1731 * Authenticate before decrypt if enabled
1733 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1734 if( ssl
->session_in
->encrypt_then_mac
== MBEDTLS_SSL_ETM_ENABLED
)
1736 unsigned char computed_mac
[SSL_MAX_MAC_SIZE
];
1737 unsigned char pseudo_hdr
[13];
1739 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1741 dec_msglen
-= ssl
->transform_in
->maclen
;
1742 ssl
->in_msglen
-= ssl
->transform_in
->maclen
;
1744 memcpy( pseudo_hdr
+ 0, ssl
->in_ctr
, 8 );
1745 memcpy( pseudo_hdr
+ 8, ssl
->in_hdr
, 3 );
1746 pseudo_hdr
[11] = (unsigned char)( ( ssl
->in_msglen
>> 8 ) & 0xFF );
1747 pseudo_hdr
[12] = (unsigned char)( ( ssl
->in_msglen
) & 0xFF );
1749 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr
, 13 );
1751 mbedtls_md_hmac_update( &ssl
->transform_in
->md_ctx_dec
, pseudo_hdr
, 13 );
1752 mbedtls_md_hmac_update( &ssl
->transform_in
->md_ctx_dec
,
1753 ssl
->in_iv
, ssl
->in_msglen
);
1754 mbedtls_md_hmac_finish( &ssl
->transform_in
->md_ctx_dec
, computed_mac
);
1755 mbedtls_md_hmac_reset( &ssl
->transform_in
->md_ctx_dec
);
1757 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl
->in_iv
+ ssl
->in_msglen
,
1758 ssl
->transform_in
->maclen
);
1759 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", computed_mac
,
1760 ssl
->transform_in
->maclen
);
1762 if( mbedtls_ssl_safer_memcmp( ssl
->in_iv
+ ssl
->in_msglen
, computed_mac
,
1763 ssl
->transform_in
->maclen
) != 0 )
1765 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1767 return( MBEDTLS_ERR_SSL_INVALID_MAC
);
1771 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1774 * Check length sanity
1776 if( ssl
->in_msglen
% ssl
->transform_in
->ivlen
!= 0 )
1778 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
1779 ssl
->in_msglen
, ssl
->transform_in
->ivlen
) );
1780 return( MBEDTLS_ERR_SSL_INVALID_MAC
);
1783 #if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1785 * Initialize for prepended IV for block cipher in TLS v1.1 and up
1787 if( ssl
->minor_ver
>= MBEDTLS_SSL_MINOR_VERSION_2
)
1789 dec_msglen
-= ssl
->transform_in
->ivlen
;
1790 ssl
->in_msglen
-= ssl
->transform_in
->ivlen
;
1792 for( i
= 0; i
< ssl
->transform_in
->ivlen
; i
++ )
1793 ssl
->transform_in
->iv_dec
[i
] = ssl
->in_iv
[i
];
1795 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
1797 if( ( ret
= mbedtls_cipher_crypt( &ssl
->transform_in
->cipher_ctx_dec
,
1798 ssl
->transform_in
->iv_dec
,
1799 ssl
->transform_in
->ivlen
,
1800 dec_msg
, dec_msglen
,
1801 dec_msg_result
, &olen
) ) != 0 )
1803 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret
);
1807 if( dec_msglen
!= olen
)
1809 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1810 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1813 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
1814 if( ssl
->minor_ver
< MBEDTLS_SSL_MINOR_VERSION_2
)
1817 * Save IV in SSL3 and TLS1
1819 memcpy( ssl
->transform_in
->iv_dec
,
1820 ssl
->transform_in
->cipher_ctx_dec
.iv
,
1821 ssl
->transform_in
->ivlen
);
1825 padlen
= 1 + ssl
->in_msg
[ssl
->in_msglen
- 1];
1827 if( ssl
->in_msglen
< ssl
->transform_in
->maclen
+ padlen
&&
1830 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1831 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
1832 ssl
->in_msglen
, ssl
->transform_in
->maclen
, padlen
) );
1838 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1839 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
1841 if( padlen
> ssl
->transform_in
->ivlen
)
1843 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1844 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
1845 "should be no more than %d",
1846 padlen
, ssl
->transform_in
->ivlen
) );
1852 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
1853 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1854 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1855 if( ssl
->minor_ver
> MBEDTLS_SSL_MINOR_VERSION_0
)
1858 * TLSv1+: always check the padding up to the first failure
1859 * and fake check up to 256 bytes of padding
1861 size_t pad_count
= 0, real_count
= 1;
1862 size_t padding_idx
= ssl
->in_msglen
- padlen
- 1;
1865 * Padding is guaranteed to be incorrect if:
1866 * 1. padlen >= ssl->in_msglen
1868 * 2. padding_idx >= MBEDTLS_SSL_MAX_CONTENT_LEN +
1869 * ssl->transform_in->maclen
1871 * In both cases we reset padding_idx to a safe value (0) to
1872 * prevent out-of-buffer reads.
1874 correct
&= ( ssl
->in_msglen
>= padlen
+ 1 );
1875 correct
&= ( padding_idx
< MBEDTLS_SSL_MAX_CONTENT_LEN
+
1876 ssl
->transform_in
->maclen
);
1878 padding_idx
*= correct
;
1880 for( i
= 1; i
<= 256; i
++ )
1882 real_count
&= ( i
<= padlen
);
1883 pad_count
+= real_count
*
1884 ( ssl
->in_msg
[padding_idx
+ i
] == padlen
- 1 );
1887 correct
&= ( pad_count
== padlen
); /* Only 1 on correct padding */
1889 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1890 if( padlen
> 0 && correct
== 0 )
1891 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1893 padlen
&= correct
* 0x1FF;
1896 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1897 MBEDTLS_SSL_PROTO_TLS1_2 */
1899 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1900 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1903 ssl
->in_msglen
-= padlen
;
1906 #endif /* MBEDTLS_CIPHER_MODE_CBC &&
1907 ( MBEDTLS_AES_C || MBEDTLS_CAMELLIA_C ) */
1909 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1910 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1913 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1914 ssl
->in_msg
, ssl
->in_msglen
);
1917 * Authenticate if not done yet.
1918 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
1920 #if defined(SSL_SOME_MODES_USE_MAC)
1921 if( auth_done
== 0 )
1923 unsigned char tmp
[SSL_MAX_MAC_SIZE
];
1925 ssl
->in_msglen
-= ssl
->transform_in
->maclen
;
1927 ssl
->in_len
[0] = (unsigned char)( ssl
->in_msglen
>> 8 );
1928 ssl
->in_len
[1] = (unsigned char)( ssl
->in_msglen
);
1930 memcpy( tmp
, ssl
->in_msg
+ ssl
->in_msglen
, ssl
->transform_in
->maclen
);
1932 #if defined(MBEDTLS_SSL_PROTO_SSL3)
1933 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
1935 ssl_mac( &ssl
->transform_in
->md_ctx_dec
,
1936 ssl
->transform_in
->mac_dec
,
1937 ssl
->in_msg
, ssl
->in_msglen
,
1938 ssl
->in_ctr
, ssl
->in_msgtype
);
1941 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
1942 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1943 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1944 if( ssl
->minor_ver
> MBEDTLS_SSL_MINOR_VERSION_0
)
1947 * Process MAC and always update for padlen afterwards to make
1948 * total time independent of padlen
1950 * extra_run compensates MAC check for padlen
1952 * Known timing attacks:
1953 * - Lucky Thirteen (http://www.isg.rhul.ac.uk/tls/TLStiming.pdf)
1955 * We use ( ( Lx + 8 ) / 64 ) to handle 'negative Lx' values
1956 * correctly. (We round down instead of up, so -56 is the correct
1957 * value for our calculations instead of -55)
1959 size_t j
, extra_run
= 0;
1960 extra_run
= ( 13 + ssl
->in_msglen
+ padlen
+ 8 ) / 64 -
1961 ( 13 + ssl
->in_msglen
+ 8 ) / 64;
1963 extra_run
&= correct
* 0xFF;
1965 mbedtls_md_hmac_update( &ssl
->transform_in
->md_ctx_dec
, ssl
->in_ctr
, 8 );
1966 mbedtls_md_hmac_update( &ssl
->transform_in
->md_ctx_dec
, ssl
->in_hdr
, 3 );
1967 mbedtls_md_hmac_update( &ssl
->transform_in
->md_ctx_dec
, ssl
->in_len
, 2 );
1968 mbedtls_md_hmac_update( &ssl
->transform_in
->md_ctx_dec
, ssl
->in_msg
,
1970 mbedtls_md_hmac_finish( &ssl
->transform_in
->md_ctx_dec
,
1971 ssl
->in_msg
+ ssl
->in_msglen
);
1972 /* Call mbedtls_md_process at least once due to cache attacks */
1973 for( j
= 0; j
< extra_run
+ 1; j
++ )
1974 mbedtls_md_process( &ssl
->transform_in
->md_ctx_dec
, ssl
->in_msg
);
1976 mbedtls_md_hmac_reset( &ssl
->transform_in
->md_ctx_dec
);
1979 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1980 MBEDTLS_SSL_PROTO_TLS1_2 */
1982 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1983 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
1986 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", tmp
, ssl
->transform_in
->maclen
);
1987 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", ssl
->in_msg
+ ssl
->in_msglen
,
1988 ssl
->transform_in
->maclen
);
1990 if( mbedtls_ssl_safer_memcmp( tmp
, ssl
->in_msg
+ ssl
->in_msglen
,
1991 ssl
->transform_in
->maclen
) != 0 )
1993 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1994 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
2001 * Finally check the correct flag
2004 return( MBEDTLS_ERR_SSL_INVALID_MAC
);
2006 #endif /* SSL_SOME_MODES_USE_MAC */
2008 /* Make extra sure authentication was performed, exactly once */
2009 if( auth_done
!= 1 )
2011 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2012 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2015 if( ssl
->in_msglen
== 0 )
2020 * Three or more empty messages may be a DoS attack
2021 * (excessive CPU consumption).
2023 if( ssl
->nb_zero
> 3 )
2025 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
2026 "messages, possible DoS attack" ) );
2027 return( MBEDTLS_ERR_SSL_INVALID_MAC
);
2033 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2034 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
2036 ; /* in_ctr read from peer, not maintained internally */
2041 for( i
= 8; i
> ssl_ep_len( ssl
); i
-- )
2042 if( ++ssl
->in_ctr
[i
- 1] != 0 )
2045 /* The loop goes to its end iff the counter is wrapping */
2046 if( i
== ssl_ep_len( ssl
) )
2048 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
2049 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING
);
2053 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
2059 #undef MAC_PLAINTEXT
2060 #undef MAC_CIPHERTEXT
2062 #if defined(MBEDTLS_ZLIB_SUPPORT)
2064 * Compression/decompression functions
2066 static int ssl_compress_buf( mbedtls_ssl_context
*ssl
)
2069 unsigned char *msg_post
= ssl
->out_msg
;
2070 size_t len_pre
= ssl
->out_msglen
;
2071 unsigned char *msg_pre
= ssl
->compress_buf
;
2073 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
2078 memcpy( msg_pre
, ssl
->out_msg
, len_pre
);
2080 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
2081 ssl
->out_msglen
) );
2083 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
2084 ssl
->out_msg
, ssl
->out_msglen
);
2086 ssl
->transform_out
->ctx_deflate
.next_in
= msg_pre
;
2087 ssl
->transform_out
->ctx_deflate
.avail_in
= len_pre
;
2088 ssl
->transform_out
->ctx_deflate
.next_out
= msg_post
;
2089 ssl
->transform_out
->ctx_deflate
.avail_out
= MBEDTLS_SSL_BUFFER_LEN
;
2091 ret
= deflate( &ssl
->transform_out
->ctx_deflate
, Z_SYNC_FLUSH
);
2094 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret
) );
2095 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED
);
2098 ssl
->out_msglen
= MBEDTLS_SSL_BUFFER_LEN
-
2099 ssl
->transform_out
->ctx_deflate
.avail_out
;
2101 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
2102 ssl
->out_msglen
) );
2104 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
2105 ssl
->out_msg
, ssl
->out_msglen
);
2107 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
2112 static int ssl_decompress_buf( mbedtls_ssl_context
*ssl
)
2115 unsigned char *msg_post
= ssl
->in_msg
;
2116 size_t len_pre
= ssl
->in_msglen
;
2117 unsigned char *msg_pre
= ssl
->compress_buf
;
2119 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
2124 memcpy( msg_pre
, ssl
->in_msg
, len_pre
);
2126 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
2129 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
2130 ssl
->in_msg
, ssl
->in_msglen
);
2132 ssl
->transform_in
->ctx_inflate
.next_in
= msg_pre
;
2133 ssl
->transform_in
->ctx_inflate
.avail_in
= len_pre
;
2134 ssl
->transform_in
->ctx_inflate
.next_out
= msg_post
;
2135 ssl
->transform_in
->ctx_inflate
.avail_out
= MBEDTLS_SSL_MAX_CONTENT_LEN
;
2137 ret
= inflate( &ssl
->transform_in
->ctx_inflate
, Z_SYNC_FLUSH
);
2140 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret
) );
2141 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED
);
2144 ssl
->in_msglen
= MBEDTLS_SSL_MAX_CONTENT_LEN
-
2145 ssl
->transform_in
->ctx_inflate
.avail_out
;
2147 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
2150 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
2151 ssl
->in_msg
, ssl
->in_msglen
);
2153 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
2157 #endif /* MBEDTLS_ZLIB_SUPPORT */
2159 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2160 static int ssl_write_hello_request( mbedtls_ssl_context
*ssl
);
2162 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2163 static int ssl_resend_hello_request( mbedtls_ssl_context
*ssl
)
2165 /* If renegotiation is not enforced, retransmit until we would reach max
2166 * timeout if we were using the usual handshake doubling scheme */
2167 if( ssl
->conf
->renego_max_records
< 0 )
2169 uint32_t ratio
= ssl
->conf
->hs_timeout_max
/ ssl
->conf
->hs_timeout_min
+ 1;
2170 unsigned char doublings
= 1;
2178 if( ++ssl
->renego_records_seen
> doublings
)
2180 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
2185 return( ssl_write_hello_request( ssl
) );
2188 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
2191 * Fill the input message buffer by appending data to it.
2192 * The amount of data already fetched is in ssl->in_left.
2194 * If we return 0, is it guaranteed that (at least) nb_want bytes are
2195 * available (from this read and/or a previous one). Otherwise, an error code
2196 * is returned (possibly EOF or WANT_READ).
2198 * With stream transport (TLS) on success ssl->in_left == nb_want, but
2199 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
2200 * since we always read a whole datagram at once.
2202 * For DTLS, it is up to the caller to set ssl->next_record_offset when
2203 * they're done reading a record.
2205 int mbedtls_ssl_fetch_input( mbedtls_ssl_context
*ssl
, size_t nb_want
)
2210 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
2212 if( ssl
->f_recv
== NULL
&& ssl
->f_recv_timeout
== NULL
)
2214 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
2215 "or mbedtls_ssl_set_bio()" ) );
2216 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
2219 if( nb_want
> MBEDTLS_SSL_BUFFER_LEN
- (size_t)( ssl
->in_hdr
- ssl
->in_buf
) )
2221 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
2222 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
2225 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2226 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
2230 /* Just to be sure */
2231 if( ssl
->f_set_timer
== NULL
|| ssl
->f_get_timer
== NULL
)
2233 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
2234 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
2235 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
2239 * The point is, we need to always read a full datagram at once, so we
2240 * sometimes read more then requested, and handle the additional data.
2241 * It could be the rest of the current record (while fetching the
2242 * header) and/or some other records in the same datagram.
2246 * Move to the next record in the already read datagram if applicable
2248 if( ssl
->next_record_offset
!= 0 )
2250 if( ssl
->in_left
< ssl
->next_record_offset
)
2252 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2253 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2256 ssl
->in_left
-= ssl
->next_record_offset
;
2258 if( ssl
->in_left
!= 0 )
2260 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
2261 ssl
->next_record_offset
) );
2262 memmove( ssl
->in_hdr
,
2263 ssl
->in_hdr
+ ssl
->next_record_offset
,
2267 ssl
->next_record_offset
= 0;
2270 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
2271 ssl
->in_left
, nb_want
) );
2274 * Done if we already have enough data.
2276 if( nb_want
<= ssl
->in_left
)
2278 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2283 * A record can't be split accross datagrams. If we need to read but
2284 * are not at the beginning of a new record, the caller did something
2287 if( ssl
->in_left
!= 0 )
2289 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2290 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2294 * Don't even try to read if time's out already.
2295 * This avoids by-passing the timer when repeatedly receiving messages
2296 * that will end up being dropped.
2298 if( ssl_check_timer( ssl
) != 0 )
2299 ret
= MBEDTLS_ERR_SSL_TIMEOUT
;
2302 len
= MBEDTLS_SSL_BUFFER_LEN
- ( ssl
->in_hdr
- ssl
->in_buf
);
2304 if( ssl
->state
!= MBEDTLS_SSL_HANDSHAKE_OVER
)
2305 timeout
= ssl
->handshake
->retransmit_timeout
;
2307 timeout
= ssl
->conf
->read_timeout
;
2309 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout
) );
2311 if( ssl
->f_recv_timeout
!= NULL
)
2312 ret
= ssl
->f_recv_timeout( ssl
->p_bio
, ssl
->in_hdr
, len
,
2315 ret
= ssl
->f_recv( ssl
->p_bio
, ssl
->in_hdr
, len
);
2317 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret
);
2320 return( MBEDTLS_ERR_SSL_CONN_EOF
);
2323 if( ret
== MBEDTLS_ERR_SSL_TIMEOUT
)
2325 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
2326 ssl_set_timer( ssl
, 0 );
2328 if( ssl
->state
!= MBEDTLS_SSL_HANDSHAKE_OVER
)
2330 if( ssl_double_retransmit_timeout( ssl
) != 0 )
2332 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
2333 return( MBEDTLS_ERR_SSL_TIMEOUT
);
2336 if( ( ret
= mbedtls_ssl_resend( ssl
) ) != 0 )
2338 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret
);
2342 return( MBEDTLS_ERR_SSL_WANT_READ
);
2344 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2345 else if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
&&
2346 ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_PENDING
)
2348 if( ( ret
= ssl_resend_hello_request( ssl
) ) != 0 )
2350 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret
);
2354 return( MBEDTLS_ERR_SSL_WANT_READ
);
2356 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
2367 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
2368 ssl
->in_left
, nb_want
) );
2370 while( ssl
->in_left
< nb_want
)
2372 len
= nb_want
- ssl
->in_left
;
2374 if( ssl_check_timer( ssl
) != 0 )
2375 ret
= MBEDTLS_ERR_SSL_TIMEOUT
;
2378 if( ssl
->f_recv_timeout
!= NULL
)
2380 ret
= ssl
->f_recv_timeout( ssl
->p_bio
,
2381 ssl
->in_hdr
+ ssl
->in_left
, len
,
2382 ssl
->conf
->read_timeout
);
2386 ret
= ssl
->f_recv( ssl
->p_bio
,
2387 ssl
->in_hdr
+ ssl
->in_left
, len
);
2391 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
2392 ssl
->in_left
, nb_want
) );
2393 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret
);
2396 return( MBEDTLS_ERR_SSL_CONN_EOF
);
2401 ssl
->in_left
+= ret
;
2405 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2411 * Flush any data not yet written
2413 int mbedtls_ssl_flush_output( mbedtls_ssl_context
*ssl
)
2416 unsigned char *buf
, i
;
2418 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
2420 if( ssl
->f_send
== NULL
)
2422 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
2423 "or mbedtls_ssl_set_bio()" ) );
2424 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
2427 /* Avoid incrementing counter if data is flushed */
2428 if( ssl
->out_left
== 0 )
2430 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2434 while( ssl
->out_left
> 0 )
2436 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
2437 mbedtls_ssl_hdr_len( ssl
) + ssl
->out_msglen
, ssl
->out_left
) );
2439 buf
= ssl
->out_hdr
+ mbedtls_ssl_hdr_len( ssl
) +
2440 ssl
->out_msglen
- ssl
->out_left
;
2441 ret
= ssl
->f_send( ssl
->p_bio
, buf
, ssl
->out_left
);
2443 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret
);
2448 ssl
->out_left
-= ret
;
2451 for( i
= 8; i
> ssl_ep_len( ssl
); i
-- )
2452 if( ++ssl
->out_ctr
[i
- 1] != 0 )
2455 /* The loop goes to its end iff the counter is wrapping */
2456 if( i
== ssl_ep_len( ssl
) )
2458 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
2459 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING
);
2462 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2468 * Functions to handle the DTLS retransmission state machine
2470 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2472 * Append current handshake message to current outgoing flight
2474 static int ssl_flight_append( mbedtls_ssl_context
*ssl
)
2476 mbedtls_ssl_flight_item
*msg
;
2478 /* Allocate space for current message */
2479 if( ( msg
= mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item
) ) ) == NULL
)
2481 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
2482 sizeof( mbedtls_ssl_flight_item
) ) );
2483 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
2486 if( ( msg
->p
= mbedtls_calloc( 1, ssl
->out_msglen
) ) == NULL
)
2488 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl
->out_msglen
) );
2489 mbedtls_free( msg
);
2490 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
2493 /* Copy current handshake message with headers */
2494 memcpy( msg
->p
, ssl
->out_msg
, ssl
->out_msglen
);
2495 msg
->len
= ssl
->out_msglen
;
2496 msg
->type
= ssl
->out_msgtype
;
2499 /* Append to the current flight */
2500 if( ssl
->handshake
->flight
== NULL
)
2501 ssl
->handshake
->flight
= msg
;
2504 mbedtls_ssl_flight_item
*cur
= ssl
->handshake
->flight
;
2505 while( cur
->next
!= NULL
)
2514 * Free the current flight of handshake messages
2516 static void ssl_flight_free( mbedtls_ssl_flight_item
*flight
)
2518 mbedtls_ssl_flight_item
*cur
= flight
;
2519 mbedtls_ssl_flight_item
*next
;
2521 while( cur
!= NULL
)
2525 mbedtls_free( cur
->p
);
2526 mbedtls_free( cur
);
2532 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
2533 static void ssl_dtls_replay_reset( mbedtls_ssl_context
*ssl
);
2537 * Swap transform_out and out_ctr with the alternative ones
2539 static void ssl_swap_epochs( mbedtls_ssl_context
*ssl
)
2541 mbedtls_ssl_transform
*tmp_transform
;
2542 unsigned char tmp_out_ctr
[8];
2544 if( ssl
->transform_out
== ssl
->handshake
->alt_transform_out
)
2546 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
2550 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
2552 /* Swap transforms */
2553 tmp_transform
= ssl
->transform_out
;
2554 ssl
->transform_out
= ssl
->handshake
->alt_transform_out
;
2555 ssl
->handshake
->alt_transform_out
= tmp_transform
;
2557 /* Swap epoch + sequence_number */
2558 memcpy( tmp_out_ctr
, ssl
->out_ctr
, 8 );
2559 memcpy( ssl
->out_ctr
, ssl
->handshake
->alt_out_ctr
, 8 );
2560 memcpy( ssl
->handshake
->alt_out_ctr
, tmp_out_ctr
, 8 );
2562 /* Adjust to the newly activated transform */
2563 if( ssl
->transform_out
!= NULL
&&
2564 ssl
->minor_ver
>= MBEDTLS_SSL_MINOR_VERSION_2
)
2566 ssl
->out_msg
= ssl
->out_iv
+ ssl
->transform_out
->ivlen
-
2567 ssl
->transform_out
->fixed_ivlen
;
2570 ssl
->out_msg
= ssl
->out_iv
;
2572 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2573 if( mbedtls_ssl_hw_record_activate
!= NULL
)
2575 if( ( ret
= mbedtls_ssl_hw_record_activate( ssl
, MBEDTLS_SSL_CHANNEL_OUTBOUND
) ) != 0 )
2577 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret
);
2578 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
);
2585 * Retransmit the current flight of messages.
2587 * Need to remember the current message in case flush_output returns
2588 * WANT_WRITE, causing us to exit this function and come back later.
2589 * This function must be called until state is no longer SENDING.
2591 int mbedtls_ssl_resend( mbedtls_ssl_context
*ssl
)
2593 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
2595 if( ssl
->handshake
->retransmit_state
!= MBEDTLS_SSL_RETRANS_SENDING
)
2597 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise resending" ) );
2599 ssl
->handshake
->cur_msg
= ssl
->handshake
->flight
;
2600 ssl_swap_epochs( ssl
);
2602 ssl
->handshake
->retransmit_state
= MBEDTLS_SSL_RETRANS_SENDING
;
2605 while( ssl
->handshake
->cur_msg
!= NULL
)
2608 mbedtls_ssl_flight_item
*cur
= ssl
->handshake
->cur_msg
;
2610 /* Swap epochs before sending Finished: we can't do it after
2611 * sending ChangeCipherSpec, in case write returns WANT_READ.
2612 * Must be done before copying, may change out_msg pointer */
2613 if( cur
->type
== MBEDTLS_SSL_MSG_HANDSHAKE
&&
2614 cur
->p
[0] == MBEDTLS_SSL_HS_FINISHED
)
2616 ssl_swap_epochs( ssl
);
2619 memcpy( ssl
->out_msg
, cur
->p
, cur
->len
);
2620 ssl
->out_msglen
= cur
->len
;
2621 ssl
->out_msgtype
= cur
->type
;
2623 ssl
->handshake
->cur_msg
= cur
->next
;
2625 MBEDTLS_SSL_DEBUG_BUF( 3, "resent handshake message header", ssl
->out_msg
, 12 );
2627 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
2629 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
2634 if( ssl
->state
== MBEDTLS_SSL_HANDSHAKE_OVER
)
2635 ssl
->handshake
->retransmit_state
= MBEDTLS_SSL_RETRANS_FINISHED
;
2638 ssl
->handshake
->retransmit_state
= MBEDTLS_SSL_RETRANS_WAITING
;
2639 ssl_set_timer( ssl
, ssl
->handshake
->retransmit_timeout
);
2642 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
2648 * To be called when the last message of an incoming flight is received.
2650 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context
*ssl
)
2652 /* We won't need to resend that one any more */
2653 ssl_flight_free( ssl
->handshake
->flight
);
2654 ssl
->handshake
->flight
= NULL
;
2655 ssl
->handshake
->cur_msg
= NULL
;
2657 /* The next incoming flight will start with this msg_seq */
2658 ssl
->handshake
->in_flight_start_seq
= ssl
->handshake
->in_msg_seq
;
2661 ssl_set_timer( ssl
, 0 );
2663 if( ssl
->in_msgtype
== MBEDTLS_SSL_MSG_HANDSHAKE
&&
2664 ssl
->in_msg
[0] == MBEDTLS_SSL_HS_FINISHED
)
2666 ssl
->handshake
->retransmit_state
= MBEDTLS_SSL_RETRANS_FINISHED
;
2669 ssl
->handshake
->retransmit_state
= MBEDTLS_SSL_RETRANS_PREPARING
;
2673 * To be called when the last message of an outgoing flight is send.
2675 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context
*ssl
)
2677 ssl_reset_retransmit_timeout( ssl
);
2678 ssl_set_timer( ssl
, ssl
->handshake
->retransmit_timeout
);
2680 if( ssl
->in_msgtype
== MBEDTLS_SSL_MSG_HANDSHAKE
&&
2681 ssl
->in_msg
[0] == MBEDTLS_SSL_HS_FINISHED
)
2683 ssl
->handshake
->retransmit_state
= MBEDTLS_SSL_RETRANS_FINISHED
;
2686 ssl
->handshake
->retransmit_state
= MBEDTLS_SSL_RETRANS_WAITING
;
2688 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2691 * Record layer functions
2695 * Write current record.
2696 * Uses ssl->out_msgtype, ssl->out_msglen and bytes at ssl->out_msg.
2698 int mbedtls_ssl_write_record( mbedtls_ssl_context
*ssl
)
2700 int ret
, done
= 0, out_msg_type
;
2701 size_t len
= ssl
->out_msglen
;
2703 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
2705 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2706 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
2707 ssl
->handshake
!= NULL
&&
2708 ssl
->handshake
->retransmit_state
== MBEDTLS_SSL_RETRANS_SENDING
)
2710 ; /* Skip special handshake treatment when resending */
2714 if( ssl
->out_msgtype
== MBEDTLS_SSL_MSG_HANDSHAKE
)
2716 out_msg_type
= ssl
->out_msg
[0];
2718 if( out_msg_type
!= MBEDTLS_SSL_HS_HELLO_REQUEST
&&
2719 ssl
->handshake
== NULL
)
2721 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2722 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
2725 ssl
->out_msg
[1] = (unsigned char)( ( len
- 4 ) >> 16 );
2726 ssl
->out_msg
[2] = (unsigned char)( ( len
- 4 ) >> 8 );
2727 ssl
->out_msg
[3] = (unsigned char)( ( len
- 4 ) );
2730 * DTLS has additional fields in the Handshake layer,
2731 * between the length field and the actual payload:
2732 * uint16 message_seq;
2733 * uint24 fragment_offset;
2734 * uint24 fragment_length;
2736 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2737 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
2739 /* Make room for the additional DTLS fields */
2740 memmove( ssl
->out_msg
+ 12, ssl
->out_msg
+ 4, len
- 4 );
2741 ssl
->out_msglen
+= 8;
2744 /* Write message_seq and update it, except for HelloRequest */
2745 if( out_msg_type
!= MBEDTLS_SSL_HS_HELLO_REQUEST
)
2747 ssl
->out_msg
[4] = ( ssl
->handshake
->out_msg_seq
>> 8 ) & 0xFF;
2748 ssl
->out_msg
[5] = ( ssl
->handshake
->out_msg_seq
) & 0xFF;
2749 ++( ssl
->handshake
->out_msg_seq
);
2753 ssl
->out_msg
[4] = 0;
2754 ssl
->out_msg
[5] = 0;
2757 /* We don't fragment, so frag_offset = 0 and frag_len = len */
2758 memset( ssl
->out_msg
+ 6, 0x00, 3 );
2759 memcpy( ssl
->out_msg
+ 9, ssl
->out_msg
+ 1, 3 );
2761 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2763 if( out_msg_type
!= MBEDTLS_SSL_HS_HELLO_REQUEST
)
2764 ssl
->handshake
->update_checksum( ssl
, ssl
->out_msg
, len
);
2767 /* Save handshake and CCS messages for resending */
2768 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2769 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
2770 ssl
->handshake
!= NULL
&&
2771 ssl
->handshake
->retransmit_state
!= MBEDTLS_SSL_RETRANS_SENDING
&&
2772 ( ssl
->out_msgtype
== MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
||
2773 ssl
->out_msgtype
== MBEDTLS_SSL_MSG_HANDSHAKE
) )
2775 if( ( ret
= ssl_flight_append( ssl
) ) != 0 )
2777 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret
);
2783 #if defined(MBEDTLS_ZLIB_SUPPORT)
2784 if( ssl
->transform_out
!= NULL
&&
2785 ssl
->session_out
->compression
== MBEDTLS_SSL_COMPRESS_DEFLATE
)
2787 if( ( ret
= ssl_compress_buf( ssl
) ) != 0 )
2789 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret
);
2793 len
= ssl
->out_msglen
;
2795 #endif /*MBEDTLS_ZLIB_SUPPORT */
2797 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2798 if( mbedtls_ssl_hw_record_write
!= NULL
)
2800 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
2802 ret
= mbedtls_ssl_hw_record_write( ssl
);
2803 if( ret
!= 0 && ret
!= MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH
)
2805 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret
);
2806 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
);
2812 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
2815 ssl
->out_hdr
[0] = (unsigned char) ssl
->out_msgtype
;
2816 mbedtls_ssl_write_version( ssl
->major_ver
, ssl
->minor_ver
,
2817 ssl
->conf
->transport
, ssl
->out_hdr
+ 1 );
2819 ssl
->out_len
[0] = (unsigned char)( len
>> 8 );
2820 ssl
->out_len
[1] = (unsigned char)( len
);
2822 if( ssl
->transform_out
!= NULL
)
2824 if( ( ret
= ssl_encrypt_buf( ssl
) ) != 0 )
2826 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret
);
2830 len
= ssl
->out_msglen
;
2831 ssl
->out_len
[0] = (unsigned char)( len
>> 8 );
2832 ssl
->out_len
[1] = (unsigned char)( len
);
2835 ssl
->out_left
= mbedtls_ssl_hdr_len( ssl
) + ssl
->out_msglen
;
2837 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
2838 "version = [%d:%d], msglen = %d",
2839 ssl
->out_hdr
[0], ssl
->out_hdr
[1], ssl
->out_hdr
[2],
2840 ( ssl
->out_len
[0] << 8 ) | ssl
->out_len
[1] ) );
2842 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
2843 ssl
->out_hdr
, mbedtls_ssl_hdr_len( ssl
) + ssl
->out_msglen
);
2846 if( ( ret
= mbedtls_ssl_flush_output( ssl
) ) != 0 )
2848 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret
);
2852 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2857 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2859 * Mark bits in bitmask (used for DTLS HS reassembly)
2861 static void ssl_bitmask_set( unsigned char *mask
, size_t offset
, size_t len
)
2863 unsigned int start_bits
, end_bits
;
2865 start_bits
= 8 - ( offset
% 8 );
2866 if( start_bits
!= 8 )
2868 size_t first_byte_idx
= offset
/ 8;
2871 if( len
<= start_bits
)
2873 for( ; len
!= 0; len
-- )
2874 mask
[first_byte_idx
] |= 1 << ( start_bits
- len
);
2876 /* Avoid potential issues with offset or len becoming invalid */
2880 offset
+= start_bits
; /* Now offset % 8 == 0 */
2883 for( ; start_bits
!= 0; start_bits
-- )
2884 mask
[first_byte_idx
] |= 1 << ( start_bits
- 1 );
2890 size_t last_byte_idx
= ( offset
+ len
) / 8;
2892 len
-= end_bits
; /* Now len % 8 == 0 */
2894 for( ; end_bits
!= 0; end_bits
-- )
2895 mask
[last_byte_idx
] |= 1 << ( 8 - end_bits
);
2898 memset( mask
+ offset
/ 8, 0xFF, len
/ 8 );
2902 * Check that bitmask is full
2904 static int ssl_bitmask_check( unsigned char *mask
, size_t len
)
2908 for( i
= 0; i
< len
/ 8; i
++ )
2909 if( mask
[i
] != 0xFF )
2912 for( i
= 0; i
< len
% 8; i
++ )
2913 if( ( mask
[len
/ 8] & ( 1 << ( 7 - i
) ) ) == 0 )
2920 * Reassemble fragmented DTLS handshake messages.
2922 * Use a temporary buffer for reassembly, divided in two parts:
2923 * - the first holds the reassembled message (including handshake header),
2924 * - the second holds a bitmask indicating which parts of the message
2925 * (excluding headers) have been received so far.
2927 static int ssl_reassemble_dtls_handshake( mbedtls_ssl_context
*ssl
)
2929 unsigned char *msg
, *bitmask
;
2930 size_t frag_len
, frag_off
;
2931 size_t msg_len
= ssl
->in_hslen
- 12; /* Without headers */
2933 if( ssl
->handshake
== NULL
)
2935 MBEDTLS_SSL_DEBUG_MSG( 1, ( "not supported outside handshake (for now)" ) );
2936 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
);
2940 * For first fragment, check size and allocate buffer
2942 if( ssl
->handshake
->hs_msg
== NULL
)
2946 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
2949 if( ssl
->in_hslen
> MBEDTLS_SSL_MAX_CONTENT_LEN
)
2951 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too large" ) );
2952 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
);
2955 /* The bitmask needs one bit per byte of message excluding header */
2956 alloc_len
= 12 + msg_len
+ msg_len
/ 8 + ( msg_len
% 8 != 0 );
2958 ssl
->handshake
->hs_msg
= mbedtls_calloc( 1, alloc_len
);
2959 if( ssl
->handshake
->hs_msg
== NULL
)
2961 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc failed (%d bytes)", alloc_len
) );
2962 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
2965 /* Prepare final header: copy msg_type, length and message_seq,
2966 * then add standardised fragment_offset and fragment_length */
2967 memcpy( ssl
->handshake
->hs_msg
, ssl
->in_msg
, 6 );
2968 memset( ssl
->handshake
->hs_msg
+ 6, 0, 3 );
2969 memcpy( ssl
->handshake
->hs_msg
+ 9,
2970 ssl
->handshake
->hs_msg
+ 1, 3 );
2974 /* Make sure msg_type and length are consistent */
2975 if( memcmp( ssl
->handshake
->hs_msg
, ssl
->in_msg
, 4 ) != 0 )
2977 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment header mismatch" ) );
2978 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
2982 msg
= ssl
->handshake
->hs_msg
+ 12;
2983 bitmask
= msg
+ msg_len
;
2986 * Check and copy current fragment
2988 frag_off
= ( ssl
->in_msg
[6] << 16 ) |
2989 ( ssl
->in_msg
[7] << 8 ) |
2991 frag_len
= ( ssl
->in_msg
[9] << 16 ) |
2992 ( ssl
->in_msg
[10] << 8 ) |
2995 if( frag_off
+ frag_len
> msg_len
)
2997 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment offset/len: %d + %d > %d",
2998 frag_off
, frag_len
, msg_len
) );
2999 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3002 if( frag_len
+ 12 > ssl
->in_msglen
)
3004 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid fragment length: %d + 12 > %d",
3005 frag_len
, ssl
->in_msglen
) );
3006 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3009 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
3010 frag_off
, frag_len
) );
3012 memcpy( msg
+ frag_off
, ssl
->in_msg
+ 12, frag_len
);
3013 ssl_bitmask_set( bitmask
, frag_off
, frag_len
);
3016 * Do we have the complete message by now?
3017 * If yes, finalize it, else ask to read the next record.
3019 if( ssl_bitmask_check( bitmask
, msg_len
) != 0 )
3021 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message is not complete yet" ) );
3022 return( MBEDTLS_ERR_SSL_WANT_READ
);
3025 MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake message completed" ) );
3027 if( frag_len
+ 12 < ssl
->in_msglen
)
3030 * We'got more handshake messages in the same record.
3031 * This case is not handled now because no know implementation does
3032 * that and it's hard to test, so we prefer to fail cleanly for now.
3034 MBEDTLS_SSL_DEBUG_MSG( 1, ( "last fragment not alone in its record" ) );
3035 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
);
3038 if( ssl
->in_left
> ssl
->next_record_offset
)
3041 * We've got more data in the buffer after the current record,
3042 * that we don't want to overwrite. Move it before writing the
3043 * reassembled message, and adjust in_left and next_record_offset.
3045 unsigned char *cur_remain
= ssl
->in_hdr
+ ssl
->next_record_offset
;
3046 unsigned char *new_remain
= ssl
->in_msg
+ ssl
->in_hslen
;
3047 size_t remain_len
= ssl
->in_left
- ssl
->next_record_offset
;
3049 /* First compute and check new lengths */
3050 ssl
->next_record_offset
= new_remain
- ssl
->in_hdr
;
3051 ssl
->in_left
= ssl
->next_record_offset
+ remain_len
;
3053 if( ssl
->in_left
> MBEDTLS_SSL_BUFFER_LEN
-
3054 (size_t)( ssl
->in_hdr
- ssl
->in_buf
) )
3056 MBEDTLS_SSL_DEBUG_MSG( 1, ( "reassembled message too large for buffer" ) );
3057 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
);
3060 memmove( new_remain
, cur_remain
, remain_len
);
3063 memcpy( ssl
->in_msg
, ssl
->handshake
->hs_msg
, ssl
->in_hslen
);
3065 mbedtls_free( ssl
->handshake
->hs_msg
);
3066 ssl
->handshake
->hs_msg
= NULL
;
3068 MBEDTLS_SSL_DEBUG_BUF( 3, "reassembled handshake message",
3069 ssl
->in_msg
, ssl
->in_hslen
);
3073 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3075 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context
*ssl
)
3077 if( ssl
->in_msglen
< mbedtls_ssl_hs_hdr_len( ssl
) )
3079 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
3081 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3084 ssl
->in_hslen
= mbedtls_ssl_hs_hdr_len( ssl
) + (
3085 ( ssl
->in_msg
[1] << 16 ) |
3086 ( ssl
->in_msg
[2] << 8 ) |
3089 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
3090 " %d, type = %d, hslen = %d",
3091 ssl
->in_msglen
, ssl
->in_msg
[0], ssl
->in_hslen
) );
3093 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3094 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
3097 unsigned int recv_msg_seq
= ( ssl
->in_msg
[4] << 8 ) | ssl
->in_msg
[5];
3099 /* ssl->handshake is NULL when receiving ClientHello for renego */
3100 if( ssl
->handshake
!= NULL
&&
3101 recv_msg_seq
!= ssl
->handshake
->in_msg_seq
)
3103 /* Retransmit only on last message from previous flight, to avoid
3104 * too many retransmissions.
3105 * Besides, No sane server ever retransmits HelloVerifyRequest */
3106 if( recv_msg_seq
== ssl
->handshake
->in_flight_start_seq
- 1 &&
3107 ssl
->in_msg
[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
)
3109 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
3110 "message_seq = %d, start_of_flight = %d",
3112 ssl
->handshake
->in_flight_start_seq
) );
3114 if( ( ret
= mbedtls_ssl_resend( ssl
) ) != 0 )
3116 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret
);
3122 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
3123 "message_seq = %d, expected = %d",
3125 ssl
->handshake
->in_msg_seq
) );
3128 return( MBEDTLS_ERR_SSL_WANT_READ
);
3130 /* Wait until message completion to increment in_msg_seq */
3132 /* Reassemble if current message is fragmented or reassembly is
3133 * already in progress */
3134 if( ssl
->in_msglen
< ssl
->in_hslen
||
3135 memcmp( ssl
->in_msg
+ 6, "\0\0\0", 3 ) != 0 ||
3136 memcmp( ssl
->in_msg
+ 9, ssl
->in_msg
+ 1, 3 ) != 0 ||
3137 ( ssl
->handshake
!= NULL
&& ssl
->handshake
->hs_msg
!= NULL
) )
3139 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
3141 if( ( ret
= ssl_reassemble_dtls_handshake( ssl
) ) != 0 )
3143 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_reassemble_dtls_handshake", ret
);
3149 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3150 /* With TLS we don't handle fragmentation (for now) */
3151 if( ssl
->in_msglen
< ssl
->in_hslen
)
3153 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
3154 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
);
3160 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context
*ssl
)
3163 if( ssl
->state
!= MBEDTLS_SSL_HANDSHAKE_OVER
&&
3164 ssl
->handshake
!= NULL
)
3166 ssl
->handshake
->update_checksum( ssl
, ssl
->in_msg
, ssl
->in_hslen
);
3169 /* Handshake message is complete, increment counter */
3170 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3171 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
3172 ssl
->handshake
!= NULL
)
3174 ssl
->handshake
->in_msg_seq
++;
3180 * DTLS anti-replay: RFC 6347 4.1.2.6
3182 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
3183 * Bit n is set iff record number in_window_top - n has been seen.
3185 * Usually, in_window_top is the last record number seen and the lsb of
3186 * in_window is set. The only exception is the initial state (record number 0
3189 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3190 static void ssl_dtls_replay_reset( mbedtls_ssl_context
*ssl
)
3192 ssl
->in_window_top
= 0;
3196 static inline uint64_t ssl_load_six_bytes( unsigned char *buf
)
3198 return( ( (uint64_t) buf
[0] << 40 ) |
3199 ( (uint64_t) buf
[1] << 32 ) |
3200 ( (uint64_t) buf
[2] << 24 ) |
3201 ( (uint64_t) buf
[3] << 16 ) |
3202 ( (uint64_t) buf
[4] << 8 ) |
3203 ( (uint64_t) buf
[5] ) );
3207 * Return 0 if sequence number is acceptable, -1 otherwise
3209 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context
*ssl
)
3211 uint64_t rec_seqnum
= ssl_load_six_bytes( ssl
->in_ctr
+ 2 );
3214 if( ssl
->conf
->anti_replay
== MBEDTLS_SSL_ANTI_REPLAY_DISABLED
)
3217 if( rec_seqnum
> ssl
->in_window_top
)
3220 bit
= ssl
->in_window_top
- rec_seqnum
;
3225 if( ( ssl
->in_window
& ( (uint64_t) 1 << bit
) ) != 0 )
3232 * Update replay window on new validated record
3234 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context
*ssl
)
3236 uint64_t rec_seqnum
= ssl_load_six_bytes( ssl
->in_ctr
+ 2 );
3238 if( ssl
->conf
->anti_replay
== MBEDTLS_SSL_ANTI_REPLAY_DISABLED
)
3241 if( rec_seqnum
> ssl
->in_window_top
)
3243 /* Update window_top and the contents of the window */
3244 uint64_t shift
= rec_seqnum
- ssl
->in_window_top
;
3250 ssl
->in_window
<<= shift
;
3251 ssl
->in_window
|= 1;
3254 ssl
->in_window_top
= rec_seqnum
;
3258 /* Mark that number as seen in the current window */
3259 uint64_t bit
= ssl
->in_window_top
- rec_seqnum
;
3261 if( bit
< 64 ) /* Always true, but be extra sure */
3262 ssl
->in_window
|= (uint64_t) 1 << bit
;
3265 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
3267 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3268 /* Forward declaration */
3269 static int ssl_session_reset_int( mbedtls_ssl_context
*ssl
, int partial
);
3272 * Without any SSL context, check if a datagram looks like a ClientHello with
3273 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
3274 * Both input and output include full DTLS headers.
3276 * - if cookie is valid, return 0
3277 * - if ClientHello looks superficially valid but cookie is not,
3278 * fill obuf and set olen, then
3279 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3280 * - otherwise return a specific error code
3282 static int ssl_check_dtls_clihlo_cookie(
3283 mbedtls_ssl_cookie_write_t
*f_cookie_write
,
3284 mbedtls_ssl_cookie_check_t
*f_cookie_check
,
3286 const unsigned char *cli_id
, size_t cli_id_len
,
3287 const unsigned char *in
, size_t in_len
,
3288 unsigned char *obuf
, size_t buf_len
, size_t *olen
)
3290 size_t sid_len
, cookie_len
;
3293 if( f_cookie_write
== NULL
|| f_cookie_check
== NULL
)
3294 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
3297 * Structure of ClientHello with record and handshake headers,
3298 * and expected values. We don't need to check a lot, more checks will be
3299 * done when actually parsing the ClientHello - skipping those checks
3300 * avoids code duplication and does not make cookie forging any easier.
3302 * 0-0 ContentType type; copied, must be handshake
3303 * 1-2 ProtocolVersion version; copied
3304 * 3-4 uint16 epoch; copied, must be 0
3305 * 5-10 uint48 sequence_number; copied
3306 * 11-12 uint16 length; (ignored)
3308 * 13-13 HandshakeType msg_type; (ignored)
3309 * 14-16 uint24 length; (ignored)
3310 * 17-18 uint16 message_seq; copied
3311 * 19-21 uint24 fragment_offset; copied, must be 0
3312 * 22-24 uint24 fragment_length; (ignored)
3314 * 25-26 ProtocolVersion client_version; (ignored)
3315 * 27-58 Random random; (ignored)
3316 * 59-xx SessionID session_id; 1 byte len + sid_len content
3317 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
3320 * Minimum length is 61 bytes.
3323 in
[0] != MBEDTLS_SSL_MSG_HANDSHAKE
||
3324 in
[3] != 0 || in
[4] != 0 ||
3325 in
[19] != 0 || in
[20] != 0 || in
[21] != 0 )
3327 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
3331 if( sid_len
> in_len
- 61 )
3332 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
3334 cookie_len
= in
[60 + sid_len
];
3335 if( cookie_len
> in_len
- 60 )
3336 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
);
3338 if( f_cookie_check( p_cookie
, in
+ sid_len
+ 61, cookie_len
,
3339 cli_id
, cli_id_len
) == 0 )
3346 * If we get here, we've got an invalid cookie, let's prepare HVR.
3348 * 0-0 ContentType type; copied
3349 * 1-2 ProtocolVersion version; copied
3350 * 3-4 uint16 epoch; copied
3351 * 5-10 uint48 sequence_number; copied
3352 * 11-12 uint16 length; olen - 13
3354 * 13-13 HandshakeType msg_type; hello_verify_request
3355 * 14-16 uint24 length; olen - 25
3356 * 17-18 uint16 message_seq; copied
3357 * 19-21 uint24 fragment_offset; copied
3358 * 22-24 uint24 fragment_length; olen - 25
3360 * 25-26 ProtocolVersion server_version; 0xfe 0xff
3361 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
3363 * Minimum length is 28.
3366 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
);
3368 /* Copy most fields and adapt others */
3369 memcpy( obuf
, in
, 25 );
3370 obuf
[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
;
3374 /* Generate and write actual cookie */
3376 if( f_cookie_write( p_cookie
,
3377 &p
, obuf
+ buf_len
, cli_id
, cli_id_len
) != 0 )
3379 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
3384 /* Go back and fill length fields */
3385 obuf
[27] = (unsigned char)( *olen
- 28 );
3387 obuf
[14] = obuf
[22] = (unsigned char)( ( *olen
- 25 ) >> 16 );
3388 obuf
[15] = obuf
[23] = (unsigned char)( ( *olen
- 25 ) >> 8 );
3389 obuf
[16] = obuf
[24] = (unsigned char)( ( *olen
- 25 ) );
3391 obuf
[11] = (unsigned char)( ( *olen
- 13 ) >> 8 );
3392 obuf
[12] = (unsigned char)( ( *olen
- 13 ) );
3394 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
);
3398 * Handle possible client reconnect with the same UDP quadruplet
3399 * (RFC 6347 Section 4.2.8).
3401 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
3402 * that looks like a ClientHello.
3404 * - if the input looks like a ClientHello without cookies,
3405 * send back HelloVerifyRequest, then
3406 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3407 * - if the input looks like a ClientHello with a valid cookie,
3408 * reset the session of the current context, and
3409 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
3410 * - if anything goes wrong, return a specific error code
3412 * mbedtls_ssl_read_record() will ignore the record if anything else than
3413 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
3414 * cannot not return 0.
3416 static int ssl_handle_possible_reconnect( mbedtls_ssl_context
*ssl
)
3421 ret
= ssl_check_dtls_clihlo_cookie(
3422 ssl
->conf
->f_cookie_write
,
3423 ssl
->conf
->f_cookie_check
,
3424 ssl
->conf
->p_cookie
,
3425 ssl
->cli_id
, ssl
->cli_id_len
,
3426 ssl
->in_buf
, ssl
->in_left
,
3427 ssl
->out_buf
, MBEDTLS_SSL_MAX_CONTENT_LEN
, &len
);
3429 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret
);
3431 if( ret
== MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
)
3433 /* Don't check write errors as we can't do anything here.
3434 * If the error is permanent we'll catch it later,
3435 * if it's not, then hopefully it'll work next time. */
3436 (void) ssl
->f_send( ssl
->p_bio
, ssl
->out_buf
, len
);
3438 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
);
3443 /* Got a valid cookie, partially reset context */
3444 if( ( ret
= ssl_session_reset_int( ssl
, 1 ) ) != 0 )
3446 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret
);
3450 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT
);
3455 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3459 * ProtocolVersion version;
3460 * uint16 epoch; // DTLS only
3461 * uint48 sequence_number; // DTLS only
3464 * Return 0 if header looks sane (and, for DTLS, the record is expected)
3465 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
3466 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
3468 * With DTLS, mbedtls_ssl_read_record() will:
3469 * 1. proceed with the record if this function returns 0
3470 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
3471 * 3. return CLIENT_RECONNECT if this function return that value
3472 * 4. drop the whole datagram if this function returns anything else.
3473 * Point 2 is needed when the peer is resending, and we have already received
3474 * the first record from a datagram but are still waiting for the others.
3476 static int ssl_parse_record_header( mbedtls_ssl_context
*ssl
)
3479 int major_ver
, minor_ver
;
3481 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl
->in_hdr
, mbedtls_ssl_hdr_len( ssl
) );
3483 ssl
->in_msgtype
= ssl
->in_hdr
[0];
3484 ssl
->in_msglen
= ( ssl
->in_len
[0] << 8 ) | ssl
->in_len
[1];
3485 mbedtls_ssl_read_version( &major_ver
, &minor_ver
, ssl
->conf
->transport
, ssl
->in_hdr
+ 1 );
3487 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
3488 "version = [%d:%d], msglen = %d",
3490 major_ver
, minor_ver
, ssl
->in_msglen
) );
3492 /* Check record type */
3493 if( ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_HANDSHAKE
&&
3494 ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_ALERT
&&
3495 ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
&&
3496 ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_APPLICATION_DATA
)
3498 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
3500 if( ( ret
= mbedtls_ssl_send_alert_message( ssl
,
3501 MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
3502 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE
) ) != 0 )
3507 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3511 if( major_ver
!= ssl
->major_ver
)
3513 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
3514 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3517 if( minor_ver
> ssl
->conf
->max_minor_ver
)
3519 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
3520 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3523 /* Check length against the size of our buffer */
3524 if( ssl
->in_msglen
> MBEDTLS_SSL_BUFFER_LEN
3525 - (size_t)( ssl
->in_msg
- ssl
->in_buf
) )
3527 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3528 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3531 /* Check length against bounds of the current transform and version */
3532 if( ssl
->transform_in
== NULL
)
3534 if( ssl
->in_msglen
< 1 ||
3535 ssl
->in_msglen
> MBEDTLS_SSL_MAX_CONTENT_LEN
)
3537 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3538 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3543 if( ssl
->in_msglen
< ssl
->transform_in
->minlen
)
3545 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3546 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3549 #if defined(MBEDTLS_SSL_PROTO_SSL3)
3550 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
&&
3551 ssl
->in_msglen
> ssl
->transform_in
->minlen
+ MBEDTLS_SSL_MAX_CONTENT_LEN
)
3553 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3554 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3557 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
3558 defined(MBEDTLS_SSL_PROTO_TLS1_2)
3560 * TLS encrypted messages can have up to 256 bytes of padding
3562 if( ssl
->minor_ver
>= MBEDTLS_SSL_MINOR_VERSION_1
&&
3563 ssl
->in_msglen
> ssl
->transform_in
->minlen
+
3564 MBEDTLS_SSL_MAX_CONTENT_LEN
+ 256 )
3566 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3567 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3573 * DTLS-related tests done last, because most of them may result in
3574 * silently dropping the record (but not the whole datagram), and we only
3575 * want to consider that after ensuring that the "basic" fields (type,
3576 * version, length) are sane.
3578 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3579 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
3581 unsigned int rec_epoch
= ( ssl
->in_ctr
[0] << 8 ) | ssl
->in_ctr
[1];
3583 /* Drop unexpected ChangeCipherSpec messages */
3584 if( ssl
->in_msgtype
== MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
&&
3585 ssl
->state
!= MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
&&
3586 ssl
->state
!= MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
)
3588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ChangeCipherSpec" ) );
3589 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD
);
3592 /* Drop unexpected ApplicationData records,
3593 * except at the beginning of renegotiations */
3594 if( ssl
->in_msgtype
== MBEDTLS_SSL_MSG_APPLICATION_DATA
&&
3595 ssl
->state
!= MBEDTLS_SSL_HANDSHAKE_OVER
3596 #if defined(MBEDTLS_SSL_RENEGOTIATION)
3597 && ! ( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
&&
3598 ssl
->state
== MBEDTLS_SSL_SERVER_HELLO
)
3602 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
3603 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD
);
3606 /* Check epoch (and sequence number) with DTLS */
3607 if( rec_epoch
!= ssl
->in_epoch
)
3609 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
3610 "expected %d, received %d",
3611 ssl
->in_epoch
, rec_epoch
) );
3613 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3615 * Check for an epoch 0 ClientHello. We can't use in_msg here to
3616 * access the first byte of record content (handshake type), as we
3617 * have an active transform (possibly iv_len != 0), so use the
3618 * fact that the record header len is 13 instead.
3620 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
&&
3621 ssl
->state
== MBEDTLS_SSL_HANDSHAKE_OVER
&&
3623 ssl
->in_msgtype
== MBEDTLS_SSL_MSG_HANDSHAKE
&&
3624 ssl
->in_left
> 13 &&
3625 ssl
->in_buf
[13] == MBEDTLS_SSL_HS_CLIENT_HELLO
)
3627 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
3628 "from the same port" ) );
3629 return( ssl_handle_possible_reconnect( ssl
) );
3632 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3633 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD
);
3636 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3637 /* Replay detection only works for the current epoch */
3638 if( rec_epoch
== ssl
->in_epoch
&&
3639 mbedtls_ssl_dtls_replay_check( ssl
) != 0 )
3641 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
3642 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD
);
3646 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3652 * If applicable, decrypt (and decompress) record content
3654 static int ssl_prepare_record_content( mbedtls_ssl_context
*ssl
)
3658 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
3659 ssl
->in_hdr
, mbedtls_ssl_hdr_len( ssl
) + ssl
->in_msglen
);
3661 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3662 if( mbedtls_ssl_hw_record_read
!= NULL
)
3664 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
3666 ret
= mbedtls_ssl_hw_record_read( ssl
);
3667 if( ret
!= 0 && ret
!= MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH
)
3669 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret
);
3670 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
);
3676 #endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
3677 if( !done
&& ssl
->transform_in
!= NULL
)
3679 if( ( ret
= ssl_decrypt_buf( ssl
) ) != 0 )
3681 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret
);
3685 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
3686 ssl
->in_msg
, ssl
->in_msglen
);
3688 if( ssl
->in_msglen
> MBEDTLS_SSL_MAX_CONTENT_LEN
)
3690 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3691 return( MBEDTLS_ERR_SSL_INVALID_RECORD
);
3695 #if defined(MBEDTLS_ZLIB_SUPPORT)
3696 if( ssl
->transform_in
!= NULL
&&
3697 ssl
->session_in
->compression
== MBEDTLS_SSL_COMPRESS_DEFLATE
)
3699 if( ( ret
= ssl_decompress_buf( ssl
) ) != 0 )
3701 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret
);
3705 #endif /* MBEDTLS_ZLIB_SUPPORT */
3707 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3708 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
3710 mbedtls_ssl_dtls_replay_update( ssl
);
3717 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context
*ssl
);
3722 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
3723 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
3726 int mbedtls_ssl_read_record( mbedtls_ssl_context
*ssl
)
3730 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
3734 if( ( ret
= mbedtls_ssl_read_record_layer( ssl
) ) != 0 )
3736 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_read_record_layer" ), ret
);
3740 ret
= mbedtls_ssl_handle_message_type( ssl
);
3742 } while( MBEDTLS_ERR_SSL_NON_FATAL
== ret
);
3746 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret
);
3750 if( ssl
->in_msgtype
== MBEDTLS_SSL_MSG_HANDSHAKE
)
3752 mbedtls_ssl_update_handshake_status( ssl
);
3755 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
3760 int mbedtls_ssl_read_record_layer( mbedtls_ssl_context
*ssl
)
3764 if( ssl
->in_hslen
!= 0 && ssl
->in_hslen
< ssl
->in_msglen
)
3767 * Get next Handshake message in the current record
3769 ssl
->in_msglen
-= ssl
->in_hslen
;
3771 memmove( ssl
->in_msg
, ssl
->in_msg
+ ssl
->in_hslen
,
3774 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
3775 ssl
->in_msg
, ssl
->in_msglen
);
3783 * Read the record header and parse it
3785 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3789 if( ( ret
= mbedtls_ssl_fetch_input( ssl
, mbedtls_ssl_hdr_len( ssl
) ) ) != 0 )
3791 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret
);
3795 if( ( ret
= ssl_parse_record_header( ssl
) ) != 0 )
3797 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3798 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
3799 ret
!= MBEDTLS_ERR_SSL_CLIENT_RECONNECT
)
3801 if( ret
== MBEDTLS_ERR_SSL_UNEXPECTED_RECORD
)
3803 /* Skip unexpected record (but not whole datagram) */
3804 ssl
->next_record_offset
= ssl
->in_msglen
3805 + mbedtls_ssl_hdr_len( ssl
);
3807 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
3812 /* Skip invalid record and the rest of the datagram */
3813 ssl
->next_record_offset
= 0;
3816 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
3820 /* Get next record */
3821 goto read_record_header
;
3828 * Read and optionally decrypt the message contents
3830 if( ( ret
= mbedtls_ssl_fetch_input( ssl
,
3831 mbedtls_ssl_hdr_len( ssl
) + ssl
->in_msglen
) ) != 0 )
3833 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret
);
3837 /* Done reading this record, get ready for the next one */
3838 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3839 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
3840 ssl
->next_record_offset
= ssl
->in_msglen
+ mbedtls_ssl_hdr_len( ssl
);
3845 if( ( ret
= ssl_prepare_record_content( ssl
) ) != 0 )
3847 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3848 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
3850 /* Silently discard invalid records */
3851 if( ret
== MBEDTLS_ERR_SSL_INVALID_RECORD
||
3852 ret
== MBEDTLS_ERR_SSL_INVALID_MAC
)
3854 /* Except when waiting for Finished as a bad mac here
3855 * probably means something went wrong in the handshake
3856 * (eg wrong psk used, mitm downgrade attempt, etc.) */
3857 if( ssl
->state
== MBEDTLS_SSL_CLIENT_FINISHED
||
3858 ssl
->state
== MBEDTLS_SSL_SERVER_FINISHED
)
3860 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
3861 if( ret
== MBEDTLS_ERR_SSL_INVALID_MAC
)
3863 mbedtls_ssl_send_alert_message( ssl
,
3864 MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
3865 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC
);
3871 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
3872 if( ssl
->conf
->badmac_limit
!= 0 &&
3873 ++ssl
->badmac_seen
>= ssl
->conf
->badmac_limit
)
3875 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
3876 return( MBEDTLS_ERR_SSL_INVALID_MAC
);
3880 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
3881 goto read_record_header
;
3889 /* Error out (and send alert) on invalid records */
3890 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
3891 if( ret
== MBEDTLS_ERR_SSL_INVALID_MAC
)
3893 mbedtls_ssl_send_alert_message( ssl
,
3894 MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
3895 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC
);
3903 * When we sent the last flight of the handshake, we MUST respond to a
3904 * retransmit of the peer's previous flight with a retransmit. (In
3905 * practice, only the Finished message will make it, other messages
3906 * including CCS use the old transform so they're dropped as invalid.)
3908 * If the record we received is not a handshake message, however, it
3909 * means the peer received our last flight so we can clean up
3912 * This check needs to be done before prepare_handshake() due to an edge
3913 * case: if the client immediately requests renegotiation, this
3914 * finishes the current handshake first, avoiding the new ClientHello
3915 * being mistaken for an ancient message in the current handshake.
3917 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3918 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
3919 ssl
->handshake
!= NULL
&&
3920 ssl
->state
== MBEDTLS_SSL_HANDSHAKE_OVER
)
3922 if( ssl
->in_msgtype
== MBEDTLS_SSL_MSG_HANDSHAKE
&&
3923 ssl
->in_msg
[0] == MBEDTLS_SSL_HS_FINISHED
)
3925 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received retransmit of last flight" ) );
3927 if( ( ret
= mbedtls_ssl_resend( ssl
) ) != 0 )
3929 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret
);
3933 return( MBEDTLS_ERR_SSL_WANT_READ
);
3937 ssl_handshake_wrapup_free_hs_transform( ssl
);
3945 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context
*ssl
)
3950 * Handle particular types of records
3952 if( ssl
->in_msgtype
== MBEDTLS_SSL_MSG_HANDSHAKE
)
3954 if( ( ret
= mbedtls_ssl_prepare_handshake_record( ssl
) ) != 0 )
3960 if( ssl
->in_msgtype
== MBEDTLS_SSL_MSG_ALERT
)
3962 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
3963 ssl
->in_msg
[0], ssl
->in_msg
[1] ) );
3966 * Ignore non-fatal alerts, except close_notify and no_renegotiation
3968 if( ssl
->in_msg
[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL
)
3970 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
3972 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE
);
3975 if( ssl
->in_msg
[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING
&&
3976 ssl
->in_msg
[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY
)
3978 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
3979 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY
);
3982 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
3983 if( ssl
->in_msg
[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING
&&
3984 ssl
->in_msg
[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION
)
3986 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
3987 /* Will be handled when trying to parse ServerHello */
3992 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
3993 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
&&
3994 ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
&&
3995 ssl
->in_msg
[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING
&&
3996 ssl
->in_msg
[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT
)
3998 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
3999 /* Will be handled in mbedtls_ssl_parse_certificate() */
4002 #endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
4004 /* Silently ignore: fetch new message */
4005 return MBEDTLS_ERR_SSL_NON_FATAL
;
4011 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context
*ssl
)
4015 if( ( ret
= mbedtls_ssl_send_alert_message( ssl
,
4016 MBEDTLS_SSL_ALERT_LEVEL_FATAL
,
4017 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
) ) != 0 )
4025 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context
*ssl
,
4026 unsigned char level
,
4027 unsigned char message
)
4031 if( ssl
== NULL
|| ssl
->conf
== NULL
)
4032 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
4034 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
4036 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_ALERT
;
4037 ssl
->out_msglen
= 2;
4038 ssl
->out_msg
[0] = level
;
4039 ssl
->out_msg
[1] = message
;
4041 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
4043 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
4047 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
4053 * Handshake functions
4055 #if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
4056 !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
4057 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
4058 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
4059 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
4060 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
4061 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
4062 int mbedtls_ssl_write_certificate( mbedtls_ssl_context
*ssl
)
4064 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
4066 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
4068 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
4069 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
4070 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
4071 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
4073 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
4078 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4079 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
4082 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context
*ssl
)
4084 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
4086 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
4088 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
4089 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
4090 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
4091 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
4093 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
4098 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4099 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
4102 int mbedtls_ssl_write_certificate( mbedtls_ssl_context
*ssl
)
4104 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
4106 const mbedtls_x509_crt
*crt
;
4107 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
4109 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
4111 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
4112 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
4113 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
4114 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
4116 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
4121 #if defined(MBEDTLS_SSL_CLI_C)
4122 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_CLIENT
)
4124 if( ssl
->client_auth
== 0 )
4126 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
4131 #if defined(MBEDTLS_SSL_PROTO_SSL3)
4133 * If using SSLv3 and got no cert, send an Alert message
4134 * (otherwise an empty Certificate message will be sent).
4136 if( mbedtls_ssl_own_cert( ssl
) == NULL
&&
4137 ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
4139 ssl
->out_msglen
= 2;
4140 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_ALERT
;
4141 ssl
->out_msg
[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING
;
4142 ssl
->out_msg
[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT
;
4144 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
4147 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
4149 #endif /* MBEDTLS_SSL_CLI_C */
4150 #if defined(MBEDTLS_SSL_SRV_C)
4151 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
)
4153 if( mbedtls_ssl_own_cert( ssl
) == NULL
)
4155 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
4156 return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
);
4161 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl
) );
4164 * 0 . 0 handshake type
4165 * 1 . 3 handshake length
4166 * 4 . 6 length of all certs
4167 * 7 . 9 length of cert. 1
4168 * 10 . n-1 peer certificate
4169 * n . n+2 length of cert. 2
4170 * n+3 . ... upper level cert, etc.
4173 crt
= mbedtls_ssl_own_cert( ssl
);
4175 while( crt
!= NULL
)
4178 if( n
> MBEDTLS_SSL_MAX_CONTENT_LEN
- 3 - i
)
4180 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
4181 i
+ 3 + n
, MBEDTLS_SSL_MAX_CONTENT_LEN
) );
4182 return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE
);
4185 ssl
->out_msg
[i
] = (unsigned char)( n
>> 16 );
4186 ssl
->out_msg
[i
+ 1] = (unsigned char)( n
>> 8 );
4187 ssl
->out_msg
[i
+ 2] = (unsigned char)( n
);
4189 i
+= 3; memcpy( ssl
->out_msg
+ i
, crt
->raw
.p
, n
);
4190 i
+= n
; crt
= crt
->next
;
4193 ssl
->out_msg
[4] = (unsigned char)( ( i
- 7 ) >> 16 );
4194 ssl
->out_msg
[5] = (unsigned char)( ( i
- 7 ) >> 8 );
4195 ssl
->out_msg
[6] = (unsigned char)( ( i
- 7 ) );
4197 ssl
->out_msglen
= i
;
4198 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
4199 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_CERTIFICATE
;
4201 #if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
4207 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
4209 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
4213 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
4218 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context
*ssl
)
4220 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
4222 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
= ssl
->transform_negotiate
->ciphersuite_info
;
4223 int authmode
= ssl
->conf
->authmode
;
4225 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
4227 if( ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_PSK
||
4228 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_DHE_PSK
||
4229 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
||
4230 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_ECJPAKE
)
4232 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
4237 #if defined(MBEDTLS_SSL_SRV_C)
4238 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
&&
4239 ciphersuite_info
->key_exchange
== MBEDTLS_KEY_EXCHANGE_RSA_PSK
)
4241 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
4246 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4247 if( ssl
->handshake
->sni_authmode
!= MBEDTLS_SSL_VERIFY_UNSET
)
4248 authmode
= ssl
->handshake
->sni_authmode
;
4251 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
&&
4252 authmode
== MBEDTLS_SSL_VERIFY_NONE
)
4254 ssl
->session_negotiate
->verify_result
= MBEDTLS_X509_BADCERT_SKIP_VERIFY
;
4255 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
4261 if( ( ret
= mbedtls_ssl_read_record( ssl
) ) != 0 )
4263 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret
);
4269 #if defined(MBEDTLS_SSL_SRV_C)
4270 #if defined(MBEDTLS_SSL_PROTO_SSL3)
4272 * Check if the client sent an empty certificate
4274 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
&&
4275 ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
4277 if( ssl
->in_msglen
== 2 &&
4278 ssl
->in_msgtype
== MBEDTLS_SSL_MSG_ALERT
&&
4279 ssl
->in_msg
[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING
&&
4280 ssl
->in_msg
[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT
)
4282 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
4284 ssl
->session_negotiate
->verify_result
= MBEDTLS_X509_BADCERT_MISSING
;
4285 if( authmode
== MBEDTLS_SSL_VERIFY_OPTIONAL
)
4288 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE
);
4291 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
4293 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
4294 defined(MBEDTLS_SSL_PROTO_TLS1_2)
4295 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
&&
4296 ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_0
)
4298 if( ssl
->in_hslen
== 3 + mbedtls_ssl_hs_hdr_len( ssl
) &&
4299 ssl
->in_msgtype
== MBEDTLS_SSL_MSG_HANDSHAKE
&&
4300 ssl
->in_msg
[0] == MBEDTLS_SSL_HS_CERTIFICATE
&&
4301 memcmp( ssl
->in_msg
+ mbedtls_ssl_hs_hdr_len( ssl
), "\0\0\0", 3 ) == 0 )
4303 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
4305 ssl
->session_negotiate
->verify_result
= MBEDTLS_X509_BADCERT_MISSING
;
4306 if( authmode
== MBEDTLS_SSL_VERIFY_OPTIONAL
)
4309 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE
);
4312 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
4313 MBEDTLS_SSL_PROTO_TLS1_2 */
4314 #endif /* MBEDTLS_SSL_SRV_C */
4316 if( ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_HANDSHAKE
)
4318 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
4319 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
);
4322 if( ssl
->in_msg
[0] != MBEDTLS_SSL_HS_CERTIFICATE
||
4323 ssl
->in_hslen
< mbedtls_ssl_hs_hdr_len( ssl
) + 3 + 3 )
4325 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
4326 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
);
4329 i
= mbedtls_ssl_hs_hdr_len( ssl
);
4332 * Same message structure as in mbedtls_ssl_write_certificate()
4334 n
= ( ssl
->in_msg
[i
+1] << 8 ) | ssl
->in_msg
[i
+2];
4336 if( ssl
->in_msg
[i
] != 0 ||
4337 ssl
->in_hslen
!= n
+ 3 + mbedtls_ssl_hs_hdr_len( ssl
) )
4339 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
4340 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
);
4343 /* In case we tried to reuse a session but it failed */
4344 if( ssl
->session_negotiate
->peer_cert
!= NULL
)
4346 mbedtls_x509_crt_free( ssl
->session_negotiate
->peer_cert
);
4347 mbedtls_free( ssl
->session_negotiate
->peer_cert
);
4350 if( ( ssl
->session_negotiate
->peer_cert
= mbedtls_calloc( 1,
4351 sizeof( mbedtls_x509_crt
) ) ) == NULL
)
4353 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
4354 sizeof( mbedtls_x509_crt
) ) );
4355 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
4358 mbedtls_x509_crt_init( ssl
->session_negotiate
->peer_cert
);
4362 while( i
< ssl
->in_hslen
)
4364 if( ssl
->in_msg
[i
] != 0 )
4366 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
4367 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
);
4370 n
= ( (unsigned int) ssl
->in_msg
[i
+ 1] << 8 )
4371 | (unsigned int) ssl
->in_msg
[i
+ 2];
4374 if( n
< 128 || i
+ n
> ssl
->in_hslen
)
4376 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
4377 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
);
4380 ret
= mbedtls_x509_crt_parse_der( ssl
->session_negotiate
->peer_cert
,
4381 ssl
->in_msg
+ i
, n
);
4382 if( 0 != ret
&& ( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
+ MBEDTLS_ERR_OID_NOT_FOUND
) != ret
)
4384 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret
);
4391 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl
->session_negotiate
->peer_cert
);
4394 * On client, make sure the server cert doesn't change during renego to
4395 * avoid "triple handshake" attack: https://secure-resumption.com/
4397 #if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
4398 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_CLIENT
&&
4399 ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
4401 if( ssl
->session
->peer_cert
== NULL
)
4403 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
4404 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
);
4407 if( ssl
->session
->peer_cert
->raw
.len
!=
4408 ssl
->session_negotiate
->peer_cert
->raw
.len
||
4409 memcmp( ssl
->session
->peer_cert
->raw
.p
,
4410 ssl
->session_negotiate
->peer_cert
->raw
.p
,
4411 ssl
->session
->peer_cert
->raw
.len
) != 0 )
4413 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
4414 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
);
4417 #endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
4419 if( authmode
!= MBEDTLS_SSL_VERIFY_NONE
)
4421 mbedtls_x509_crt
*ca_chain
;
4422 mbedtls_x509_crl
*ca_crl
;
4424 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
4425 if( ssl
->handshake
->sni_ca_chain
!= NULL
)
4427 ca_chain
= ssl
->handshake
->sni_ca_chain
;
4428 ca_crl
= ssl
->handshake
->sni_ca_crl
;
4433 ca_chain
= ssl
->conf
->ca_chain
;
4434 ca_crl
= ssl
->conf
->ca_crl
;
4437 if( ca_chain
== NULL
)
4439 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
4440 return( MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED
);
4444 * Main check: verify certificate
4446 ret
= mbedtls_x509_crt_verify_with_profile(
4447 ssl
->session_negotiate
->peer_cert
,
4449 ssl
->conf
->cert_profile
,
4451 &ssl
->session_negotiate
->verify_result
,
4452 ssl
->conf
->f_vrfy
, ssl
->conf
->p_vrfy
);
4456 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret
);
4460 * Secondary checks: always done, but change 'ret' only if it was 0
4463 #if defined(MBEDTLS_ECP_C)
4465 const mbedtls_pk_context
*pk
= &ssl
->session_negotiate
->peer_cert
->pk
;
4467 /* If certificate uses an EC key, make sure the curve is OK */
4468 if( mbedtls_pk_can_do( pk
, MBEDTLS_PK_ECKEY
) &&
4469 mbedtls_ssl_check_curve( ssl
, mbedtls_pk_ec( *pk
)->grp
.id
) != 0 )
4471 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
4473 ret
= MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
;
4476 #endif /* MBEDTLS_ECP_C */
4478 if( mbedtls_ssl_check_cert_usage( ssl
->session_negotiate
->peer_cert
,
4480 ! ssl
->conf
->endpoint
,
4481 &ssl
->session_negotiate
->verify_result
) != 0 )
4483 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
4485 ret
= MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
;
4488 if( authmode
== MBEDTLS_SSL_VERIFY_OPTIONAL
)
4492 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
4496 #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
4497 !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
4498 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
4499 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
4500 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
4501 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
4502 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
4504 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context
*ssl
)
4508 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
4510 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
;
4511 ssl
->out_msglen
= 1;
4512 ssl
->out_msg
[0] = 1;
4516 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
4518 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
4522 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
4527 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context
*ssl
)
4531 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
4533 if( ( ret
= mbedtls_ssl_read_record( ssl
) ) != 0 )
4535 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret
);
4539 if( ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
)
4541 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
4542 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
);
4545 if( ssl
->in_msglen
!= 1 || ssl
->in_msg
[0] != 1 )
4547 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
4548 return( MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC
);
4552 * Switch to our negotiated transform and session parameters for inbound
4555 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
4556 ssl
->transform_in
= ssl
->transform_negotiate
;
4557 ssl
->session_in
= ssl
->session_negotiate
;
4559 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4560 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
4562 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4563 ssl_dtls_replay_reset( ssl
);
4566 /* Increment epoch */
4567 if( ++ssl
->in_epoch
== 0 )
4569 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
4570 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING
);
4574 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4575 memset( ssl
->in_ctr
, 0, 8 );
4578 * Set the in_msg pointer to the correct location based on IV length
4580 if( ssl
->minor_ver
>= MBEDTLS_SSL_MINOR_VERSION_2
)
4582 ssl
->in_msg
= ssl
->in_iv
+ ssl
->transform_negotiate
->ivlen
-
4583 ssl
->transform_negotiate
->fixed_ivlen
;
4586 ssl
->in_msg
= ssl
->in_iv
;
4588 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
4589 if( mbedtls_ssl_hw_record_activate
!= NULL
)
4591 if( ( ret
= mbedtls_ssl_hw_record_activate( ssl
, MBEDTLS_SSL_CHANNEL_INBOUND
) ) != 0 )
4593 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret
);
4594 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
);
4601 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
4606 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context
*ssl
,
4607 const mbedtls_ssl_ciphersuite_t
*ciphersuite_info
)
4609 ((void) ciphersuite_info
);
4611 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4612 defined(MBEDTLS_SSL_PROTO_TLS1_1)
4613 if( ssl
->minor_ver
< MBEDTLS_SSL_MINOR_VERSION_3
)
4614 ssl
->handshake
->update_checksum
= ssl_update_checksum_md5sha1
;
4617 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4618 #if defined(MBEDTLS_SHA512_C)
4619 if( ciphersuite_info
->mac
== MBEDTLS_MD_SHA384
)
4620 ssl
->handshake
->update_checksum
= ssl_update_checksum_sha384
;
4623 #if defined(MBEDTLS_SHA256_C)
4624 if( ciphersuite_info
->mac
!= MBEDTLS_MD_SHA384
)
4625 ssl
->handshake
->update_checksum
= ssl_update_checksum_sha256
;
4628 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4630 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4635 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context
*ssl
)
4637 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4638 defined(MBEDTLS_SSL_PROTO_TLS1_1)
4639 mbedtls_md5_starts( &ssl
->handshake
->fin_md5
);
4640 mbedtls_sha1_starts( &ssl
->handshake
->fin_sha1
);
4642 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4643 #if defined(MBEDTLS_SHA256_C)
4644 mbedtls_sha256_starts( &ssl
->handshake
->fin_sha256
, 0 );
4646 #if defined(MBEDTLS_SHA512_C)
4647 mbedtls_sha512_starts( &ssl
->handshake
->fin_sha512
, 1 );
4649 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4652 static void ssl_update_checksum_start( mbedtls_ssl_context
*ssl
,
4653 const unsigned char *buf
, size_t len
)
4655 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4656 defined(MBEDTLS_SSL_PROTO_TLS1_1)
4657 mbedtls_md5_update( &ssl
->handshake
->fin_md5
, buf
, len
);
4658 mbedtls_sha1_update( &ssl
->handshake
->fin_sha1
, buf
, len
);
4660 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4661 #if defined(MBEDTLS_SHA256_C)
4662 mbedtls_sha256_update( &ssl
->handshake
->fin_sha256
, buf
, len
);
4664 #if defined(MBEDTLS_SHA512_C)
4665 mbedtls_sha512_update( &ssl
->handshake
->fin_sha512
, buf
, len
);
4667 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4670 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
4671 defined(MBEDTLS_SSL_PROTO_TLS1_1)
4672 static void ssl_update_checksum_md5sha1( mbedtls_ssl_context
*ssl
,
4673 const unsigned char *buf
, size_t len
)
4675 mbedtls_md5_update( &ssl
->handshake
->fin_md5
, buf
, len
);
4676 mbedtls_sha1_update( &ssl
->handshake
->fin_sha1
, buf
, len
);
4680 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4681 #if defined(MBEDTLS_SHA256_C)
4682 static void ssl_update_checksum_sha256( mbedtls_ssl_context
*ssl
,
4683 const unsigned char *buf
, size_t len
)
4685 mbedtls_sha256_update( &ssl
->handshake
->fin_sha256
, buf
, len
);
4689 #if defined(MBEDTLS_SHA512_C)
4690 static void ssl_update_checksum_sha384( mbedtls_ssl_context
*ssl
,
4691 const unsigned char *buf
, size_t len
)
4693 mbedtls_sha512_update( &ssl
->handshake
->fin_sha512
, buf
, len
);
4696 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4698 #if defined(MBEDTLS_SSL_PROTO_SSL3)
4699 static void ssl_calc_finished_ssl(
4700 mbedtls_ssl_context
*ssl
, unsigned char *buf
, int from
)
4703 mbedtls_md5_context md5
;
4704 mbedtls_sha1_context sha1
;
4706 unsigned char padbuf
[48];
4707 unsigned char md5sum
[16];
4708 unsigned char sha1sum
[20];
4710 mbedtls_ssl_session
*session
= ssl
->session_negotiate
;
4712 session
= ssl
->session
;
4714 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
4716 mbedtls_md5_init( &md5
);
4717 mbedtls_sha1_init( &sha1
);
4719 mbedtls_md5_clone( &md5
, &ssl
->handshake
->fin_md5
);
4720 mbedtls_sha1_clone( &sha1
, &ssl
->handshake
->fin_sha1
);
4725 * MD5( master + pad2 +
4726 * MD5( handshake + sender + master + pad1 ) )
4727 * + SHA1( master + pad2 +
4728 * SHA1( handshake + sender + master + pad1 ) )
4731 #if !defined(MBEDTLS_MD5_ALT)
4732 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
4733 md5
.state
, sizeof( md5
.state
) );
4736 #if !defined(MBEDTLS_SHA1_ALT)
4737 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
4738 sha1
.state
, sizeof( sha1
.state
) );
4741 sender
= ( from
== MBEDTLS_SSL_IS_CLIENT
) ? "CLNT"
4744 memset( padbuf
, 0x36, 48 );
4746 mbedtls_md5_update( &md5
, (const unsigned char *) sender
, 4 );
4747 mbedtls_md5_update( &md5
, session
->master
, 48 );
4748 mbedtls_md5_update( &md5
, padbuf
, 48 );
4749 mbedtls_md5_finish( &md5
, md5sum
);
4751 mbedtls_sha1_update( &sha1
, (const unsigned char *) sender
, 4 );
4752 mbedtls_sha1_update( &sha1
, session
->master
, 48 );
4753 mbedtls_sha1_update( &sha1
, padbuf
, 40 );
4754 mbedtls_sha1_finish( &sha1
, sha1sum
);
4756 memset( padbuf
, 0x5C, 48 );
4758 mbedtls_md5_starts( &md5
);
4759 mbedtls_md5_update( &md5
, session
->master
, 48 );
4760 mbedtls_md5_update( &md5
, padbuf
, 48 );
4761 mbedtls_md5_update( &md5
, md5sum
, 16 );
4762 mbedtls_md5_finish( &md5
, buf
);
4764 mbedtls_sha1_starts( &sha1
);
4765 mbedtls_sha1_update( &sha1
, session
->master
, 48 );
4766 mbedtls_sha1_update( &sha1
, padbuf
, 40 );
4767 mbedtls_sha1_update( &sha1
, sha1sum
, 20 );
4768 mbedtls_sha1_finish( &sha1
, buf
+ 16 );
4770 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf
, 36 );
4772 mbedtls_md5_free( &md5
);
4773 mbedtls_sha1_free( &sha1
);
4775 mbedtls_zeroize( padbuf
, sizeof( padbuf
) );
4776 mbedtls_zeroize( md5sum
, sizeof( md5sum
) );
4777 mbedtls_zeroize( sha1sum
, sizeof( sha1sum
) );
4779 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
4781 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
4783 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
4784 static void ssl_calc_finished_tls(
4785 mbedtls_ssl_context
*ssl
, unsigned char *buf
, int from
)
4789 mbedtls_md5_context md5
;
4790 mbedtls_sha1_context sha1
;
4791 unsigned char padbuf
[36];
4793 mbedtls_ssl_session
*session
= ssl
->session_negotiate
;
4795 session
= ssl
->session
;
4797 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
4799 mbedtls_md5_init( &md5
);
4800 mbedtls_sha1_init( &sha1
);
4802 mbedtls_md5_clone( &md5
, &ssl
->handshake
->fin_md5
);
4803 mbedtls_sha1_clone( &sha1
, &ssl
->handshake
->fin_sha1
);
4807 * hash = PRF( master, finished_label,
4808 * MD5( handshake ) + SHA1( handshake ) )[0..11]
4811 #if !defined(MBEDTLS_MD5_ALT)
4812 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
4813 md5
.state
, sizeof( md5
.state
) );
4816 #if !defined(MBEDTLS_SHA1_ALT)
4817 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
4818 sha1
.state
, sizeof( sha1
.state
) );
4821 sender
= ( from
== MBEDTLS_SSL_IS_CLIENT
)
4823 : "server finished";
4825 mbedtls_md5_finish( &md5
, padbuf
);
4826 mbedtls_sha1_finish( &sha1
, padbuf
+ 16 );
4828 ssl
->handshake
->tls_prf( session
->master
, 48, sender
,
4829 padbuf
, 36, buf
, len
);
4831 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf
, len
);
4833 mbedtls_md5_free( &md5
);
4834 mbedtls_sha1_free( &sha1
);
4836 mbedtls_zeroize( padbuf
, sizeof( padbuf
) );
4838 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
4840 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
4842 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
4843 #if defined(MBEDTLS_SHA256_C)
4844 static void ssl_calc_finished_tls_sha256(
4845 mbedtls_ssl_context
*ssl
, unsigned char *buf
, int from
)
4849 mbedtls_sha256_context sha256
;
4850 unsigned char padbuf
[32];
4852 mbedtls_ssl_session
*session
= ssl
->session_negotiate
;
4854 session
= ssl
->session
;
4856 mbedtls_sha256_init( &sha256
);
4858 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
4860 mbedtls_sha256_clone( &sha256
, &ssl
->handshake
->fin_sha256
);
4864 * hash = PRF( master, finished_label,
4865 * Hash( handshake ) )[0.11]
4868 #if !defined(MBEDTLS_SHA256_ALT)
4869 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
4870 sha256
.state
, sizeof( sha256
.state
) );
4873 sender
= ( from
== MBEDTLS_SSL_IS_CLIENT
)
4875 : "server finished";
4877 mbedtls_sha256_finish( &sha256
, padbuf
);
4879 ssl
->handshake
->tls_prf( session
->master
, 48, sender
,
4880 padbuf
, 32, buf
, len
);
4882 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf
, len
);
4884 mbedtls_sha256_free( &sha256
);
4886 mbedtls_zeroize( padbuf
, sizeof( padbuf
) );
4888 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
4890 #endif /* MBEDTLS_SHA256_C */
4892 #if defined(MBEDTLS_SHA512_C)
4893 static void ssl_calc_finished_tls_sha384(
4894 mbedtls_ssl_context
*ssl
, unsigned char *buf
, int from
)
4898 mbedtls_sha512_context sha512
;
4899 unsigned char padbuf
[48];
4901 mbedtls_ssl_session
*session
= ssl
->session_negotiate
;
4903 session
= ssl
->session
;
4905 mbedtls_sha512_init( &sha512
);
4907 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
4909 mbedtls_sha512_clone( &sha512
, &ssl
->handshake
->fin_sha512
);
4913 * hash = PRF( master, finished_label,
4914 * Hash( handshake ) )[0.11]
4917 #if !defined(MBEDTLS_SHA512_ALT)
4918 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
4919 sha512
.state
, sizeof( sha512
.state
) );
4922 sender
= ( from
== MBEDTLS_SSL_IS_CLIENT
)
4924 : "server finished";
4926 mbedtls_sha512_finish( &sha512
, padbuf
);
4928 ssl
->handshake
->tls_prf( session
->master
, 48, sender
,
4929 padbuf
, 48, buf
, len
);
4931 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf
, len
);
4933 mbedtls_sha512_free( &sha512
);
4935 mbedtls_zeroize( padbuf
, sizeof( padbuf
) );
4937 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
4939 #endif /* MBEDTLS_SHA512_C */
4940 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
4942 static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context
*ssl
)
4944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
4947 * Free our handshake params
4949 mbedtls_ssl_handshake_free( ssl
->handshake
);
4950 mbedtls_free( ssl
->handshake
);
4951 ssl
->handshake
= NULL
;
4954 * Free the previous transform and swith in the current one
4956 if( ssl
->transform
)
4958 mbedtls_ssl_transform_free( ssl
->transform
);
4959 mbedtls_free( ssl
->transform
);
4961 ssl
->transform
= ssl
->transform_negotiate
;
4962 ssl
->transform_negotiate
= NULL
;
4964 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
4967 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context
*ssl
)
4969 int resume
= ssl
->handshake
->resume
;
4971 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
4973 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4974 if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
4976 ssl
->renego_status
= MBEDTLS_SSL_RENEGOTIATION_DONE
;
4977 ssl
->renego_records_seen
= 0;
4982 * Free the previous session and switch in the current one
4986 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
4987 /* RFC 7366 3.1: keep the EtM state */
4988 ssl
->session_negotiate
->encrypt_then_mac
=
4989 ssl
->session
->encrypt_then_mac
;
4992 mbedtls_ssl_session_free( ssl
->session
);
4993 mbedtls_free( ssl
->session
);
4995 ssl
->session
= ssl
->session_negotiate
;
4996 ssl
->session_negotiate
= NULL
;
5001 if( ssl
->conf
->f_set_cache
!= NULL
&&
5002 ssl
->session
->id_len
!= 0 &&
5005 if( ssl
->conf
->f_set_cache( ssl
->conf
->p_cache
, ssl
->session
) != 0 )
5006 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
5009 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5010 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
5011 ssl
->handshake
->flight
!= NULL
)
5013 /* Cancel handshake timer */
5014 ssl_set_timer( ssl
, 0 );
5016 /* Keep last flight around in case we need to resend it:
5017 * we need the handshake and transform structures for that */
5018 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
5022 ssl_handshake_wrapup_free_hs_transform( ssl
);
5026 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
5029 int mbedtls_ssl_write_finished( mbedtls_ssl_context
*ssl
)
5033 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
5036 * Set the out_msg pointer to the correct location based on IV length
5038 if( ssl
->minor_ver
>= MBEDTLS_SSL_MINOR_VERSION_2
)
5040 ssl
->out_msg
= ssl
->out_iv
+ ssl
->transform_negotiate
->ivlen
-
5041 ssl
->transform_negotiate
->fixed_ivlen
;
5044 ssl
->out_msg
= ssl
->out_iv
;
5046 ssl
->handshake
->calc_finished( ssl
, ssl
->out_msg
+ 4, ssl
->conf
->endpoint
);
5049 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
5050 * may define some other value. Currently (early 2016), no defined
5051 * ciphersuite does this (and this is unlikely to change as activity has
5052 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
5054 hash_len
= ( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
) ? 36 : 12;
5056 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5057 ssl
->verify_data_len
= hash_len
;
5058 memcpy( ssl
->own_verify_data
, ssl
->out_msg
+ 4, hash_len
);
5061 ssl
->out_msglen
= 4 + hash_len
;
5062 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
5063 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_FINISHED
;
5066 * In case of session resuming, invert the client and server
5067 * ChangeCipherSpec messages order.
5069 if( ssl
->handshake
->resume
!= 0 )
5071 #if defined(MBEDTLS_SSL_CLI_C)
5072 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_CLIENT
)
5073 ssl
->state
= MBEDTLS_SSL_HANDSHAKE_WRAPUP
;
5075 #if defined(MBEDTLS_SSL_SRV_C)
5076 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
)
5077 ssl
->state
= MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
;
5084 * Switch to our negotiated transform and session parameters for outbound
5087 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
5089 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5090 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
5094 /* Remember current epoch settings for resending */
5095 ssl
->handshake
->alt_transform_out
= ssl
->transform_out
;
5096 memcpy( ssl
->handshake
->alt_out_ctr
, ssl
->out_ctr
, 8 );
5098 /* Set sequence_number to zero */
5099 memset( ssl
->out_ctr
+ 2, 0, 6 );
5101 /* Increment epoch */
5102 for( i
= 2; i
> 0; i
-- )
5103 if( ++ssl
->out_ctr
[i
- 1] != 0 )
5106 /* The loop goes to its end iff the counter is wrapping */
5109 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
5110 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING
);
5114 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5115 memset( ssl
->out_ctr
, 0, 8 );
5117 ssl
->transform_out
= ssl
->transform_negotiate
;
5118 ssl
->session_out
= ssl
->session_negotiate
;
5120 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
5121 if( mbedtls_ssl_hw_record_activate
!= NULL
)
5123 if( ( ret
= mbedtls_ssl_hw_record_activate( ssl
, MBEDTLS_SSL_CHANNEL_OUTBOUND
) ) != 0 )
5125 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret
);
5126 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
);
5131 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5132 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
5133 mbedtls_ssl_send_flight_completed( ssl
);
5136 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
5138 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
5142 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
5147 #if defined(MBEDTLS_SSL_PROTO_SSL3)
5148 #define SSL_MAX_HASH_LEN 36
5150 #define SSL_MAX_HASH_LEN 12
5153 int mbedtls_ssl_parse_finished( mbedtls_ssl_context
*ssl
)
5156 unsigned int hash_len
;
5157 unsigned char buf
[SSL_MAX_HASH_LEN
];
5159 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
5161 ssl
->handshake
->calc_finished( ssl
, buf
, ssl
->conf
->endpoint
^ 1 );
5163 if( ( ret
= mbedtls_ssl_read_record( ssl
) ) != 0 )
5165 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret
);
5169 if( ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_HANDSHAKE
)
5171 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
5172 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
);
5175 /* There is currently no ciphersuite using another length with TLS 1.2 */
5176 #if defined(MBEDTLS_SSL_PROTO_SSL3)
5177 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
5183 if( ssl
->in_msg
[0] != MBEDTLS_SSL_HS_FINISHED
||
5184 ssl
->in_hslen
!= mbedtls_ssl_hs_hdr_len( ssl
) + hash_len
)
5186 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
5187 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED
);
5190 if( mbedtls_ssl_safer_memcmp( ssl
->in_msg
+ mbedtls_ssl_hs_hdr_len( ssl
),
5191 buf
, hash_len
) != 0 )
5193 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
5194 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED
);
5197 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5198 ssl
->verify_data_len
= hash_len
;
5199 memcpy( ssl
->peer_verify_data
, buf
, hash_len
);
5202 if( ssl
->handshake
->resume
!= 0 )
5204 #if defined(MBEDTLS_SSL_CLI_C)
5205 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_CLIENT
)
5206 ssl
->state
= MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
;
5208 #if defined(MBEDTLS_SSL_SRV_C)
5209 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
)
5210 ssl
->state
= MBEDTLS_SSL_HANDSHAKE_WRAPUP
;
5216 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5217 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
5218 mbedtls_ssl_recv_flight_completed( ssl
);
5221 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
5226 static void ssl_handshake_params_init( mbedtls_ssl_handshake_params
*handshake
)
5228 memset( handshake
, 0, sizeof( mbedtls_ssl_handshake_params
) );
5230 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
5231 defined(MBEDTLS_SSL_PROTO_TLS1_1)
5232 mbedtls_md5_init( &handshake
->fin_md5
);
5233 mbedtls_sha1_init( &handshake
->fin_sha1
);
5234 mbedtls_md5_starts( &handshake
->fin_md5
);
5235 mbedtls_sha1_starts( &handshake
->fin_sha1
);
5237 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5238 #if defined(MBEDTLS_SHA256_C)
5239 mbedtls_sha256_init( &handshake
->fin_sha256
);
5240 mbedtls_sha256_starts( &handshake
->fin_sha256
, 0 );
5242 #if defined(MBEDTLS_SHA512_C)
5243 mbedtls_sha512_init( &handshake
->fin_sha512
);
5244 mbedtls_sha512_starts( &handshake
->fin_sha512
, 1 );
5246 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5248 handshake
->update_checksum
= ssl_update_checksum_start
;
5249 handshake
->sig_alg
= MBEDTLS_SSL_HASH_SHA1
;
5251 #if defined(MBEDTLS_DHM_C)
5252 mbedtls_dhm_init( &handshake
->dhm_ctx
);
5254 #if defined(MBEDTLS_ECDH_C)
5255 mbedtls_ecdh_init( &handshake
->ecdh_ctx
);
5257 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
5258 mbedtls_ecjpake_init( &handshake
->ecjpake_ctx
);
5259 #if defined(MBEDTLS_SSL_CLI_C)
5260 handshake
->ecjpake_cache
= NULL
;
5261 handshake
->ecjpake_cache_len
= 0;
5265 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
5266 handshake
->sni_authmode
= MBEDTLS_SSL_VERIFY_UNSET
;
5270 static void ssl_transform_init( mbedtls_ssl_transform
*transform
)
5272 memset( transform
, 0, sizeof(mbedtls_ssl_transform
) );
5274 mbedtls_cipher_init( &transform
->cipher_ctx_enc
);
5275 mbedtls_cipher_init( &transform
->cipher_ctx_dec
);
5277 mbedtls_md_init( &transform
->md_ctx_enc
);
5278 mbedtls_md_init( &transform
->md_ctx_dec
);
5281 void mbedtls_ssl_session_init( mbedtls_ssl_session
*session
)
5283 memset( session
, 0, sizeof(mbedtls_ssl_session
) );
5286 static int ssl_handshake_init( mbedtls_ssl_context
*ssl
)
5288 /* Clear old handshake information if present */
5289 if( ssl
->transform_negotiate
)
5290 mbedtls_ssl_transform_free( ssl
->transform_negotiate
);
5291 if( ssl
->session_negotiate
)
5292 mbedtls_ssl_session_free( ssl
->session_negotiate
);
5293 if( ssl
->handshake
)
5294 mbedtls_ssl_handshake_free( ssl
->handshake
);
5297 * Either the pointers are now NULL or cleared properly and can be freed.
5298 * Now allocate missing structures.
5300 if( ssl
->transform_negotiate
== NULL
)
5302 ssl
->transform_negotiate
= mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform
) );
5305 if( ssl
->session_negotiate
== NULL
)
5307 ssl
->session_negotiate
= mbedtls_calloc( 1, sizeof(mbedtls_ssl_session
) );
5310 if( ssl
->handshake
== NULL
)
5312 ssl
->handshake
= mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params
) );
5315 /* All pointers should exist and can be directly freed without issue */
5316 if( ssl
->handshake
== NULL
||
5317 ssl
->transform_negotiate
== NULL
||
5318 ssl
->session_negotiate
== NULL
)
5320 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
5322 mbedtls_free( ssl
->handshake
);
5323 mbedtls_free( ssl
->transform_negotiate
);
5324 mbedtls_free( ssl
->session_negotiate
);
5326 ssl
->handshake
= NULL
;
5327 ssl
->transform_negotiate
= NULL
;
5328 ssl
->session_negotiate
= NULL
;
5330 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
5333 /* Initialize structures */
5334 mbedtls_ssl_session_init( ssl
->session_negotiate
);
5335 ssl_transform_init( ssl
->transform_negotiate
);
5336 ssl_handshake_params_init( ssl
->handshake
);
5338 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5339 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
5341 ssl
->handshake
->alt_transform_out
= ssl
->transform_out
;
5343 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_CLIENT
)
5344 ssl
->handshake
->retransmit_state
= MBEDTLS_SSL_RETRANS_PREPARING
;
5346 ssl
->handshake
->retransmit_state
= MBEDTLS_SSL_RETRANS_WAITING
;
5348 ssl_set_timer( ssl
, 0 );
5355 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5356 /* Dummy cookie callbacks for defaults */
5357 static int ssl_cookie_write_dummy( void *ctx
,
5358 unsigned char **p
, unsigned char *end
,
5359 const unsigned char *cli_id
, size_t cli_id_len
)
5365 ((void) cli_id_len
);
5367 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
);
5370 static int ssl_cookie_check_dummy( void *ctx
,
5371 const unsigned char *cookie
, size_t cookie_len
,
5372 const unsigned char *cli_id
, size_t cli_id_len
)
5376 ((void) cookie_len
);
5378 ((void) cli_id_len
);
5380 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
);
5382 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
5385 * Initialize an SSL context
5387 void mbedtls_ssl_init( mbedtls_ssl_context
*ssl
)
5389 memset( ssl
, 0, sizeof( mbedtls_ssl_context
) );
5393 * Setup an SSL context
5395 int mbedtls_ssl_setup( mbedtls_ssl_context
*ssl
,
5396 const mbedtls_ssl_config
*conf
)
5399 const size_t len
= MBEDTLS_SSL_BUFFER_LEN
;
5404 * Prepare base structures
5406 if( ( ssl
-> in_buf
= mbedtls_calloc( 1, len
) ) == NULL
||
5407 ( ssl
->out_buf
= mbedtls_calloc( 1, len
) ) == NULL
)
5409 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", len
) );
5410 mbedtls_free( ssl
->in_buf
);
5412 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
5415 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5416 if( conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
5418 ssl
->out_hdr
= ssl
->out_buf
;
5419 ssl
->out_ctr
= ssl
->out_buf
+ 3;
5420 ssl
->out_len
= ssl
->out_buf
+ 11;
5421 ssl
->out_iv
= ssl
->out_buf
+ 13;
5422 ssl
->out_msg
= ssl
->out_buf
+ 13;
5424 ssl
->in_hdr
= ssl
->in_buf
;
5425 ssl
->in_ctr
= ssl
->in_buf
+ 3;
5426 ssl
->in_len
= ssl
->in_buf
+ 11;
5427 ssl
->in_iv
= ssl
->in_buf
+ 13;
5428 ssl
->in_msg
= ssl
->in_buf
+ 13;
5433 ssl
->out_ctr
= ssl
->out_buf
;
5434 ssl
->out_hdr
= ssl
->out_buf
+ 8;
5435 ssl
->out_len
= ssl
->out_buf
+ 11;
5436 ssl
->out_iv
= ssl
->out_buf
+ 13;
5437 ssl
->out_msg
= ssl
->out_buf
+ 13;
5439 ssl
->in_ctr
= ssl
->in_buf
;
5440 ssl
->in_hdr
= ssl
->in_buf
+ 8;
5441 ssl
->in_len
= ssl
->in_buf
+ 11;
5442 ssl
->in_iv
= ssl
->in_buf
+ 13;
5443 ssl
->in_msg
= ssl
->in_buf
+ 13;
5446 if( ( ret
= ssl_handshake_init( ssl
) ) != 0 )
5453 * Reset an initialized and used SSL context for re-use while retaining
5454 * all application-set variables, function pointers and data.
5456 * If partial is non-zero, keep data in the input buffer and client ID.
5457 * (Use when a DTLS client reconnects from the same port.)
5459 static int ssl_session_reset_int( mbedtls_ssl_context
*ssl
, int partial
)
5463 ssl
->state
= MBEDTLS_SSL_HELLO_REQUEST
;
5465 /* Cancel any possibly running timer */
5466 ssl_set_timer( ssl
, 0 );
5468 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5469 ssl
->renego_status
= MBEDTLS_SSL_INITIAL_HANDSHAKE
;
5470 ssl
->renego_records_seen
= 0;
5472 ssl
->verify_data_len
= 0;
5473 memset( ssl
->own_verify_data
, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN
);
5474 memset( ssl
->peer_verify_data
, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN
);
5476 ssl
->secure_renegotiation
= MBEDTLS_SSL_LEGACY_RENEGOTIATION
;
5478 ssl
->in_offt
= NULL
;
5480 ssl
->in_msg
= ssl
->in_buf
+ 13;
5481 ssl
->in_msgtype
= 0;
5485 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5486 ssl
->next_record_offset
= 0;
5489 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5490 ssl_dtls_replay_reset( ssl
);
5495 ssl
->record_read
= 0;
5497 ssl
->out_msg
= ssl
->out_buf
+ 13;
5498 ssl
->out_msgtype
= 0;
5499 ssl
->out_msglen
= 0;
5501 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
5502 if( ssl
->split_done
!= MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
)
5503 ssl
->split_done
= 0;
5506 ssl
->transform_in
= NULL
;
5507 ssl
->transform_out
= NULL
;
5509 memset( ssl
->out_buf
, 0, MBEDTLS_SSL_BUFFER_LEN
);
5511 memset( ssl
->in_buf
, 0, MBEDTLS_SSL_BUFFER_LEN
);
5513 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
5514 if( mbedtls_ssl_hw_record_reset
!= NULL
)
5516 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
5517 if( ( ret
= mbedtls_ssl_hw_record_reset( ssl
) ) != 0 )
5519 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret
);
5520 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
);
5525 if( ssl
->transform
)
5527 mbedtls_ssl_transform_free( ssl
->transform
);
5528 mbedtls_free( ssl
->transform
);
5529 ssl
->transform
= NULL
;
5534 mbedtls_ssl_session_free( ssl
->session
);
5535 mbedtls_free( ssl
->session
);
5536 ssl
->session
= NULL
;
5539 #if defined(MBEDTLS_SSL_ALPN)
5540 ssl
->alpn_chosen
= NULL
;
5543 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
5546 mbedtls_free( ssl
->cli_id
);
5548 ssl
->cli_id_len
= 0;
5552 if( ( ret
= ssl_handshake_init( ssl
) ) != 0 )
5559 * Reset an initialized and used SSL context for re-use while retaining
5560 * all application-set variables, function pointers and data.
5562 int mbedtls_ssl_session_reset( mbedtls_ssl_context
*ssl
)
5564 return( ssl_session_reset_int( ssl
, 0 ) );
5570 void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config
*conf
, int endpoint
)
5572 conf
->endpoint
= endpoint
;
5575 void mbedtls_ssl_conf_transport( mbedtls_ssl_config
*conf
, int transport
)
5577 conf
->transport
= transport
;
5580 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
5581 void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config
*conf
, char mode
)
5583 conf
->anti_replay
= mode
;
5587 #if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
5588 void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config
*conf
, unsigned limit
)
5590 conf
->badmac_limit
= limit
;
5594 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5595 void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config
*conf
, uint32_t min
, uint32_t max
)
5597 conf
->hs_timeout_min
= min
;
5598 conf
->hs_timeout_max
= max
;
5602 void mbedtls_ssl_conf_authmode( mbedtls_ssl_config
*conf
, int authmode
)
5604 conf
->authmode
= authmode
;
5607 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5608 void mbedtls_ssl_conf_verify( mbedtls_ssl_config
*conf
,
5609 int (*f_vrfy
)(void *, mbedtls_x509_crt
*, int, uint32_t *),
5612 conf
->f_vrfy
= f_vrfy
;
5613 conf
->p_vrfy
= p_vrfy
;
5615 #endif /* MBEDTLS_X509_CRT_PARSE_C */
5617 void mbedtls_ssl_conf_rng( mbedtls_ssl_config
*conf
,
5618 int (*f_rng
)(void *, unsigned char *, size_t),
5621 conf
->f_rng
= f_rng
;
5622 conf
->p_rng
= p_rng
;
5625 void mbedtls_ssl_conf_dbg( mbedtls_ssl_config
*conf
,
5626 void (*f_dbg
)(void *, int, const char *, int, const char *),
5629 conf
->f_dbg
= f_dbg
;
5630 conf
->p_dbg
= p_dbg
;
5633 void mbedtls_ssl_set_bio( mbedtls_ssl_context
*ssl
,
5635 mbedtls_ssl_send_t
*f_send
,
5636 mbedtls_ssl_recv_t
*f_recv
,
5637 mbedtls_ssl_recv_timeout_t
*f_recv_timeout
)
5640 ssl
->f_send
= f_send
;
5641 ssl
->f_recv
= f_recv
;
5642 ssl
->f_recv_timeout
= f_recv_timeout
;
5645 void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config
*conf
, uint32_t timeout
)
5647 conf
->read_timeout
= timeout
;
5650 void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context
*ssl
,
5652 mbedtls_ssl_set_timer_t
*f_set_timer
,
5653 mbedtls_ssl_get_timer_t
*f_get_timer
)
5655 ssl
->p_timer
= p_timer
;
5656 ssl
->f_set_timer
= f_set_timer
;
5657 ssl
->f_get_timer
= f_get_timer
;
5659 /* Make sure we start with no timer running */
5660 ssl_set_timer( ssl
, 0 );
5663 #if defined(MBEDTLS_SSL_SRV_C)
5664 void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config
*conf
,
5666 int (*f_get_cache
)(void *, mbedtls_ssl_session
*),
5667 int (*f_set_cache
)(void *, const mbedtls_ssl_session
*) )
5669 conf
->p_cache
= p_cache
;
5670 conf
->f_get_cache
= f_get_cache
;
5671 conf
->f_set_cache
= f_set_cache
;
5673 #endif /* MBEDTLS_SSL_SRV_C */
5675 #if defined(MBEDTLS_SSL_CLI_C)
5676 int mbedtls_ssl_set_session( mbedtls_ssl_context
*ssl
, const mbedtls_ssl_session
*session
)
5682 ssl
->session_negotiate
== NULL
||
5683 ssl
->conf
->endpoint
!= MBEDTLS_SSL_IS_CLIENT
)
5685 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
5688 if( ( ret
= ssl_session_copy( ssl
->session_negotiate
, session
) ) != 0 )
5691 ssl
->handshake
->resume
= 1;
5695 #endif /* MBEDTLS_SSL_CLI_C */
5697 void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config
*conf
,
5698 const int *ciphersuites
)
5700 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_0
] = ciphersuites
;
5701 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_1
] = ciphersuites
;
5702 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_2
] = ciphersuites
;
5703 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_3
] = ciphersuites
;
5706 void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config
*conf
,
5707 const int *ciphersuites
,
5708 int major
, int minor
)
5710 if( major
!= MBEDTLS_SSL_MAJOR_VERSION_3
)
5713 if( minor
< MBEDTLS_SSL_MINOR_VERSION_0
|| minor
> MBEDTLS_SSL_MINOR_VERSION_3
)
5716 conf
->ciphersuite_list
[minor
] = ciphersuites
;
5719 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5720 void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config
*conf
,
5721 const mbedtls_x509_crt_profile
*profile
)
5723 conf
->cert_profile
= profile
;
5726 /* Append a new keycert entry to a (possibly empty) list */
5727 static int ssl_append_key_cert( mbedtls_ssl_key_cert
**head
,
5728 mbedtls_x509_crt
*cert
,
5729 mbedtls_pk_context
*key
)
5731 mbedtls_ssl_key_cert
*new;
5733 new = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert
) );
5735 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
5741 /* Update head is the list was null, else add to the end */
5748 mbedtls_ssl_key_cert
*cur
= *head
;
5749 while( cur
->next
!= NULL
)
5757 int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config
*conf
,
5758 mbedtls_x509_crt
*own_cert
,
5759 mbedtls_pk_context
*pk_key
)
5761 return( ssl_append_key_cert( &conf
->key_cert
, own_cert
, pk_key
) );
5764 void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config
*conf
,
5765 mbedtls_x509_crt
*ca_chain
,
5766 mbedtls_x509_crl
*ca_crl
)
5768 conf
->ca_chain
= ca_chain
;
5769 conf
->ca_crl
= ca_crl
;
5771 #endif /* MBEDTLS_X509_CRT_PARSE_C */
5773 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
5774 int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context
*ssl
,
5775 mbedtls_x509_crt
*own_cert
,
5776 mbedtls_pk_context
*pk_key
)
5778 return( ssl_append_key_cert( &ssl
->handshake
->sni_key_cert
,
5779 own_cert
, pk_key
) );
5782 void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context
*ssl
,
5783 mbedtls_x509_crt
*ca_chain
,
5784 mbedtls_x509_crl
*ca_crl
)
5786 ssl
->handshake
->sni_ca_chain
= ca_chain
;
5787 ssl
->handshake
->sni_ca_crl
= ca_crl
;
5790 void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context
*ssl
,
5793 ssl
->handshake
->sni_authmode
= authmode
;
5795 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
5797 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
5799 * Set EC J-PAKE password for current handshake
5801 int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context
*ssl
,
5802 const unsigned char *pw
,
5805 mbedtls_ecjpake_role role
;
5807 if( ssl
->handshake
== NULL
|| ssl
->conf
== NULL
)
5808 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
5810 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
)
5811 role
= MBEDTLS_ECJPAKE_SERVER
;
5813 role
= MBEDTLS_ECJPAKE_CLIENT
;
5815 return( mbedtls_ecjpake_setup( &ssl
->handshake
->ecjpake_ctx
,
5818 MBEDTLS_ECP_DP_SECP256R1
,
5821 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
5823 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
5824 int mbedtls_ssl_conf_psk( mbedtls_ssl_config
*conf
,
5825 const unsigned char *psk
, size_t psk_len
,
5826 const unsigned char *psk_identity
, size_t psk_identity_len
)
5828 if( psk
== NULL
|| psk_identity
== NULL
)
5829 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
5831 if( psk_len
> MBEDTLS_PSK_MAX_LEN
)
5832 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
5834 /* Identity len will be encoded on two bytes */
5835 if( ( psk_identity_len
>> 16 ) != 0 ||
5836 psk_identity_len
> MBEDTLS_SSL_MAX_CONTENT_LEN
)
5838 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
5841 if( conf
->psk
!= NULL
|| conf
->psk_identity
!= NULL
)
5843 mbedtls_free( conf
->psk
);
5844 mbedtls_free( conf
->psk_identity
);
5846 conf
->psk_identity
= NULL
;
5849 if( ( conf
->psk
= mbedtls_calloc( 1, psk_len
) ) == NULL
||
5850 ( conf
->psk_identity
= mbedtls_calloc( 1, psk_identity_len
) ) == NULL
)
5852 mbedtls_free( conf
->psk
);
5853 mbedtls_free( conf
->psk_identity
);
5855 conf
->psk_identity
= NULL
;
5856 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
5859 conf
->psk_len
= psk_len
;
5860 conf
->psk_identity_len
= psk_identity_len
;
5862 memcpy( conf
->psk
, psk
, conf
->psk_len
);
5863 memcpy( conf
->psk_identity
, psk_identity
, conf
->psk_identity_len
);
5868 int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context
*ssl
,
5869 const unsigned char *psk
, size_t psk_len
)
5871 if( psk
== NULL
|| ssl
->handshake
== NULL
)
5872 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
5874 if( psk_len
> MBEDTLS_PSK_MAX_LEN
)
5875 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
5877 if( ssl
->handshake
->psk
!= NULL
)
5878 mbedtls_free( ssl
->handshake
->psk
);
5880 if( ( ssl
->handshake
->psk
= mbedtls_calloc( 1, psk_len
) ) == NULL
)
5881 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
5883 ssl
->handshake
->psk_len
= psk_len
;
5884 memcpy( ssl
->handshake
->psk
, psk
, ssl
->handshake
->psk_len
);
5889 void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config
*conf
,
5890 int (*f_psk
)(void *, mbedtls_ssl_context
*, const unsigned char *,
5894 conf
->f_psk
= f_psk
;
5895 conf
->p_psk
= p_psk
;
5897 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
5899 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
5900 int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config
*conf
, const char *dhm_P
, const char *dhm_G
)
5904 if( ( ret
= mbedtls_mpi_read_string( &conf
->dhm_P
, 16, dhm_P
) ) != 0 ||
5905 ( ret
= mbedtls_mpi_read_string( &conf
->dhm_G
, 16, dhm_G
) ) != 0 )
5907 mbedtls_mpi_free( &conf
->dhm_P
);
5908 mbedtls_mpi_free( &conf
->dhm_G
);
5915 int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config
*conf
, mbedtls_dhm_context
*dhm_ctx
)
5919 if( ( ret
= mbedtls_mpi_copy( &conf
->dhm_P
, &dhm_ctx
->P
) ) != 0 ||
5920 ( ret
= mbedtls_mpi_copy( &conf
->dhm_G
, &dhm_ctx
->G
) ) != 0 )
5922 mbedtls_mpi_free( &conf
->dhm_P
);
5923 mbedtls_mpi_free( &conf
->dhm_G
);
5929 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
5931 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
5933 * Set the minimum length for Diffie-Hellman parameters
5935 void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config
*conf
,
5936 unsigned int bitlen
)
5938 conf
->dhm_min_bitlen
= bitlen
;
5940 #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
5942 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
5944 * Set allowed/preferred hashes for handshake signatures
5946 void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config
*conf
,
5949 conf
->sig_hashes
= hashes
;
5953 #if defined(MBEDTLS_ECP_C)
5955 * Set the allowed elliptic curves
5957 void mbedtls_ssl_conf_curves( mbedtls_ssl_config
*conf
,
5958 const mbedtls_ecp_group_id
*curve_list
)
5960 conf
->curve_list
= curve_list
;
5964 #if defined(MBEDTLS_X509_CRT_PARSE_C)
5965 int mbedtls_ssl_set_hostname( mbedtls_ssl_context
*ssl
, const char *hostname
)
5967 size_t hostname_len
;
5969 if( hostname
== NULL
)
5970 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
5972 hostname_len
= strlen( hostname
);
5974 if( hostname_len
+ 1 == 0 )
5975 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
5977 if( hostname_len
> MBEDTLS_SSL_MAX_HOST_NAME_LEN
)
5978 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
5980 ssl
->hostname
= mbedtls_calloc( 1, hostname_len
+ 1 );
5982 if( ssl
->hostname
== NULL
)
5983 return( MBEDTLS_ERR_SSL_ALLOC_FAILED
);
5985 memcpy( ssl
->hostname
, hostname
, hostname_len
);
5987 ssl
->hostname
[hostname_len
] = '\0';
5993 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
5994 void mbedtls_ssl_conf_sni( mbedtls_ssl_config
*conf
,
5995 int (*f_sni
)(void *, mbedtls_ssl_context
*,
5996 const unsigned char *, size_t),
5999 conf
->f_sni
= f_sni
;
6000 conf
->p_sni
= p_sni
;
6002 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
6004 #if defined(MBEDTLS_SSL_ALPN)
6005 int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config
*conf
, const char **protos
)
6007 size_t cur_len
, tot_len
;
6011 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
6012 * MUST NOT be truncated."
6013 * We check lengths now rather than later.
6016 for( p
= protos
; *p
!= NULL
; p
++ )
6018 cur_len
= strlen( *p
);
6021 if( cur_len
== 0 || cur_len
> 255 || tot_len
> 65535 )
6022 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6025 conf
->alpn_list
= protos
;
6030 const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context
*ssl
)
6032 return( ssl
->alpn_chosen
);
6034 #endif /* MBEDTLS_SSL_ALPN */
6036 void mbedtls_ssl_conf_max_version( mbedtls_ssl_config
*conf
, int major
, int minor
)
6038 conf
->max_major_ver
= major
;
6039 conf
->max_minor_ver
= minor
;
6042 void mbedtls_ssl_conf_min_version( mbedtls_ssl_config
*conf
, int major
, int minor
)
6044 conf
->min_major_ver
= major
;
6045 conf
->min_minor_ver
= minor
;
6048 #if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
6049 void mbedtls_ssl_conf_fallback( mbedtls_ssl_config
*conf
, char fallback
)
6051 conf
->fallback
= fallback
;
6055 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
6056 void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config
*conf
, char etm
)
6058 conf
->encrypt_then_mac
= etm
;
6062 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
6063 void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config
*conf
, char ems
)
6065 conf
->extended_ms
= ems
;
6069 #if defined(MBEDTLS_ARC4_C)
6070 void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config
*conf
, char arc4
)
6072 conf
->arc4_disabled
= arc4
;
6076 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
6077 int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config
*conf
, unsigned char mfl_code
)
6079 if( mfl_code
>= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
||
6080 mfl_code_to_length
[mfl_code
] > MBEDTLS_SSL_MAX_CONTENT_LEN
)
6082 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6085 conf
->mfl_code
= mfl_code
;
6089 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
6091 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
6092 void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config
*conf
, int truncate
)
6094 conf
->trunc_hmac
= truncate
;
6096 #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
6098 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
6099 void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config
*conf
, char split
)
6101 conf
->cbc_record_splitting
= split
;
6105 void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config
*conf
, int allow_legacy
)
6107 conf
->allow_legacy_renegotiation
= allow_legacy
;
6110 #if defined(MBEDTLS_SSL_RENEGOTIATION)
6111 void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config
*conf
, int renegotiation
)
6113 conf
->disable_renegotiation
= renegotiation
;
6116 void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config
*conf
, int max_records
)
6118 conf
->renego_max_records
= max_records
;
6121 void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config
*conf
,
6122 const unsigned char period
[8] )
6124 memcpy( conf
->renego_period
, period
, 8 );
6126 #endif /* MBEDTLS_SSL_RENEGOTIATION */
6128 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
6129 #if defined(MBEDTLS_SSL_CLI_C)
6130 void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config
*conf
, int use_tickets
)
6132 conf
->session_tickets
= use_tickets
;
6136 #if defined(MBEDTLS_SSL_SRV_C)
6137 void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config
*conf
,
6138 mbedtls_ssl_ticket_write_t
*f_ticket_write
,
6139 mbedtls_ssl_ticket_parse_t
*f_ticket_parse
,
6142 conf
->f_ticket_write
= f_ticket_write
;
6143 conf
->f_ticket_parse
= f_ticket_parse
;
6144 conf
->p_ticket
= p_ticket
;
6147 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
6149 #if defined(MBEDTLS_SSL_EXPORT_KEYS)
6150 void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config
*conf
,
6151 mbedtls_ssl_export_keys_t
*f_export_keys
,
6152 void *p_export_keys
)
6154 conf
->f_export_keys
= f_export_keys
;
6155 conf
->p_export_keys
= p_export_keys
;
6162 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context
*ssl
)
6164 return( ssl
->in_offt
== NULL
? 0 : ssl
->in_msglen
);
6167 uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context
*ssl
)
6169 if( ssl
->session
!= NULL
)
6170 return( ssl
->session
->verify_result
);
6172 if( ssl
->session_negotiate
!= NULL
)
6173 return( ssl
->session_negotiate
->verify_result
);
6175 return( 0xFFFFFFFF );
6178 const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context
*ssl
)
6180 if( ssl
== NULL
|| ssl
->session
== NULL
)
6183 return mbedtls_ssl_get_ciphersuite_name( ssl
->session
->ciphersuite
);
6186 const char *mbedtls_ssl_get_version( const mbedtls_ssl_context
*ssl
)
6188 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6189 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
6191 switch( ssl
->minor_ver
)
6193 case MBEDTLS_SSL_MINOR_VERSION_2
:
6194 return( "DTLSv1.0" );
6196 case MBEDTLS_SSL_MINOR_VERSION_3
:
6197 return( "DTLSv1.2" );
6200 return( "unknown (DTLS)" );
6205 switch( ssl
->minor_ver
)
6207 case MBEDTLS_SSL_MINOR_VERSION_0
:
6208 return( "SSLv3.0" );
6210 case MBEDTLS_SSL_MINOR_VERSION_1
:
6211 return( "TLSv1.0" );
6213 case MBEDTLS_SSL_MINOR_VERSION_2
:
6214 return( "TLSv1.1" );
6216 case MBEDTLS_SSL_MINOR_VERSION_3
:
6217 return( "TLSv1.2" );
6220 return( "unknown" );
6224 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context
*ssl
)
6226 size_t transform_expansion
;
6227 const mbedtls_ssl_transform
*transform
= ssl
->transform_out
;
6229 #if defined(MBEDTLS_ZLIB_SUPPORT)
6230 if( ssl
->session_out
->compression
!= MBEDTLS_SSL_COMPRESS_NULL
)
6231 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
);
6234 if( transform
== NULL
)
6235 return( (int) mbedtls_ssl_hdr_len( ssl
) );
6237 switch( mbedtls_cipher_get_cipher_mode( &transform
->cipher_ctx_enc
) )
6239 case MBEDTLS_MODE_GCM
:
6240 case MBEDTLS_MODE_CCM
:
6241 case MBEDTLS_MODE_STREAM
:
6242 transform_expansion
= transform
->minlen
;
6245 case MBEDTLS_MODE_CBC
:
6246 transform_expansion
= transform
->maclen
6247 + mbedtls_cipher_get_block_size( &transform
->cipher_ctx_enc
);
6251 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
6252 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
6255 return( (int)( mbedtls_ssl_hdr_len( ssl
) + transform_expansion
) );
6258 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
6259 size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context
*ssl
)
6264 * Assume mfl_code is correct since it was checked when set
6266 max_len
= mfl_code_to_length
[ssl
->conf
->mfl_code
];
6269 * Check if a smaller max length was negotiated
6271 if( ssl
->session_out
!= NULL
&&
6272 mfl_code_to_length
[ssl
->session_out
->mfl_code
] < max_len
)
6274 max_len
= mfl_code_to_length
[ssl
->session_out
->mfl_code
];
6279 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
6281 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6282 const mbedtls_x509_crt
*mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context
*ssl
)
6284 if( ssl
== NULL
|| ssl
->session
== NULL
)
6287 return( ssl
->session
->peer_cert
);
6289 #endif /* MBEDTLS_X509_CRT_PARSE_C */
6291 #if defined(MBEDTLS_SSL_CLI_C)
6292 int mbedtls_ssl_get_session( const mbedtls_ssl_context
*ssl
, mbedtls_ssl_session
*dst
)
6296 ssl
->session
== NULL
||
6297 ssl
->conf
->endpoint
!= MBEDTLS_SSL_IS_CLIENT
)
6299 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6302 return( ssl_session_copy( dst
, ssl
->session
) );
6304 #endif /* MBEDTLS_SSL_CLI_C */
6307 * Perform a single step of the SSL handshake
6309 int mbedtls_ssl_handshake_step( mbedtls_ssl_context
*ssl
)
6311 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
6313 if( ssl
== NULL
|| ssl
->conf
== NULL
)
6314 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6316 #if defined(MBEDTLS_SSL_CLI_C)
6317 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_CLIENT
)
6318 ret
= mbedtls_ssl_handshake_client_step( ssl
);
6320 #if defined(MBEDTLS_SSL_SRV_C)
6321 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
)
6322 ret
= mbedtls_ssl_handshake_server_step( ssl
);
6329 * Perform the SSL handshake
6331 int mbedtls_ssl_handshake( mbedtls_ssl_context
*ssl
)
6335 if( ssl
== NULL
|| ssl
->conf
== NULL
)
6336 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6338 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
6340 while( ssl
->state
!= MBEDTLS_SSL_HANDSHAKE_OVER
)
6342 ret
= mbedtls_ssl_handshake_step( ssl
);
6348 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
6353 #if defined(MBEDTLS_SSL_RENEGOTIATION)
6354 #if defined(MBEDTLS_SSL_SRV_C)
6356 * Write HelloRequest to request renegotiation on server
6358 static int ssl_write_hello_request( mbedtls_ssl_context
*ssl
)
6362 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
6364 ssl
->out_msglen
= 4;
6365 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_HANDSHAKE
;
6366 ssl
->out_msg
[0] = MBEDTLS_SSL_HS_HELLO_REQUEST
;
6368 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
6370 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
6374 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
6378 #endif /* MBEDTLS_SSL_SRV_C */
6381 * Actually renegotiate current connection, triggered by either:
6382 * - any side: calling mbedtls_ssl_renegotiate(),
6383 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
6384 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
6385 * the initial handshake is completed.
6386 * If the handshake doesn't complete due to waiting for I/O, it will continue
6387 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
6389 static int ssl_start_renegotiation( mbedtls_ssl_context
*ssl
)
6393 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
6395 if( ( ret
= ssl_handshake_init( ssl
) ) != 0 )
6398 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
6399 * the ServerHello will have message_seq = 1" */
6400 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6401 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
6402 ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_PENDING
)
6404 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
)
6405 ssl
->handshake
->out_msg_seq
= 1;
6407 ssl
->handshake
->in_msg_seq
= 1;
6411 ssl
->state
= MBEDTLS_SSL_HELLO_REQUEST
;
6412 ssl
->renego_status
= MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
;
6414 if( ( ret
= mbedtls_ssl_handshake( ssl
) ) != 0 )
6416 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret
);
6420 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
6426 * Renegotiate current connection on client,
6427 * or request renegotiation on server
6429 int mbedtls_ssl_renegotiate( mbedtls_ssl_context
*ssl
)
6431 int ret
= MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
;
6433 if( ssl
== NULL
|| ssl
->conf
== NULL
)
6434 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6436 #if defined(MBEDTLS_SSL_SRV_C)
6437 /* On server, just send the request */
6438 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
)
6440 if( ssl
->state
!= MBEDTLS_SSL_HANDSHAKE_OVER
)
6441 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6443 ssl
->renego_status
= MBEDTLS_SSL_RENEGOTIATION_PENDING
;
6445 /* Did we already try/start sending HelloRequest? */
6446 if( ssl
->out_left
!= 0 )
6447 return( mbedtls_ssl_flush_output( ssl
) );
6449 return( ssl_write_hello_request( ssl
) );
6451 #endif /* MBEDTLS_SSL_SRV_C */
6453 #if defined(MBEDTLS_SSL_CLI_C)
6455 * On client, either start the renegotiation process or,
6456 * if already in progress, continue the handshake
6458 if( ssl
->renego_status
!= MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
)
6460 if( ssl
->state
!= MBEDTLS_SSL_HANDSHAKE_OVER
)
6461 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6463 if( ( ret
= ssl_start_renegotiation( ssl
) ) != 0 )
6465 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret
);
6471 if( ( ret
= mbedtls_ssl_handshake( ssl
) ) != 0 )
6473 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret
);
6477 #endif /* MBEDTLS_SSL_CLI_C */
6483 * Check record counters and renegotiate if they're above the limit.
6485 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context
*ssl
)
6487 size_t ep_len
= ssl_ep_len( ssl
);
6491 if( ssl
->state
!= MBEDTLS_SSL_HANDSHAKE_OVER
||
6492 ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_PENDING
||
6493 ssl
->conf
->disable_renegotiation
== MBEDTLS_SSL_RENEGOTIATION_DISABLED
)
6498 in_ctr_cmp
= memcmp( ssl
->in_ctr
+ ep_len
,
6499 ssl
->conf
->renego_period
+ ep_len
, 8 - ep_len
);
6500 out_ctr_cmp
= memcmp( ssl
->out_ctr
+ ep_len
,
6501 ssl
->conf
->renego_period
+ ep_len
, 8 - ep_len
);
6503 if( in_ctr_cmp
<= 0 && out_ctr_cmp
<= 0 )
6508 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
6509 return( mbedtls_ssl_renegotiate( ssl
) );
6511 #endif /* MBEDTLS_SSL_RENEGOTIATION */
6514 * Receive application data decrypted from the SSL layer
6516 int mbedtls_ssl_read( mbedtls_ssl_context
*ssl
, unsigned char *buf
, size_t len
)
6518 int ret
, record_read
= 0;
6521 if( ssl
== NULL
|| ssl
->conf
== NULL
)
6522 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6524 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
6526 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6527 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
6529 if( ( ret
= mbedtls_ssl_flush_output( ssl
) ) != 0 )
6532 if( ssl
->handshake
!= NULL
&&
6533 ssl
->handshake
->retransmit_state
== MBEDTLS_SSL_RETRANS_SENDING
)
6535 if( ( ret
= mbedtls_ssl_resend( ssl
) ) != 0 )
6541 #if defined(MBEDTLS_SSL_RENEGOTIATION)
6542 if( ( ret
= ssl_check_ctr_renegotiate( ssl
) ) != 0 )
6544 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret
);
6549 if( ssl
->state
!= MBEDTLS_SSL_HANDSHAKE_OVER
)
6551 ret
= mbedtls_ssl_handshake( ssl
);
6552 if( ret
== MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
)
6558 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret
);
6563 if( ssl
->in_offt
== NULL
)
6565 /* Start timer if not already running */
6566 if( ssl
->f_get_timer
!= NULL
&&
6567 ssl
->f_get_timer( ssl
->p_timer
) == -1 )
6569 ssl_set_timer( ssl
, ssl
->conf
->read_timeout
);
6574 if( ( ret
= mbedtls_ssl_read_record( ssl
) ) != 0 )
6576 if( ret
== MBEDTLS_ERR_SSL_CONN_EOF
)
6579 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret
);
6584 if( ssl
->in_msglen
== 0 &&
6585 ssl
->in_msgtype
== MBEDTLS_SSL_MSG_APPLICATION_DATA
)
6588 * OpenSSL sends empty messages to randomize the IV
6590 if( ( ret
= mbedtls_ssl_read_record( ssl
) ) != 0 )
6592 if( ret
== MBEDTLS_ERR_SSL_CONN_EOF
)
6595 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret
);
6600 #if defined(MBEDTLS_SSL_RENEGOTIATION)
6601 if( ssl
->in_msgtype
== MBEDTLS_SSL_MSG_HANDSHAKE
)
6603 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
6605 #if defined(MBEDTLS_SSL_CLI_C)
6606 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_CLIENT
&&
6607 ( ssl
->in_msg
[0] != MBEDTLS_SSL_HS_HELLO_REQUEST
||
6608 ssl
->in_hslen
!= mbedtls_ssl_hs_hdr_len( ssl
) ) )
6610 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
6612 /* With DTLS, drop the packet (probably from last handshake) */
6613 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6614 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
6615 return( MBEDTLS_ERR_SSL_WANT_READ
);
6617 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
);
6620 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
&&
6621 ssl
->in_msg
[0] != MBEDTLS_SSL_HS_CLIENT_HELLO
)
6623 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
6625 /* With DTLS, drop the packet (probably from last handshake) */
6626 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6627 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
6628 return( MBEDTLS_ERR_SSL_WANT_READ
);
6630 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
);
6634 if( ssl
->conf
->disable_renegotiation
== MBEDTLS_SSL_RENEGOTIATION_DISABLED
||
6635 ( ssl
->secure_renegotiation
== MBEDTLS_SSL_LEGACY_RENEGOTIATION
&&
6636 ssl
->conf
->allow_legacy_renegotiation
==
6637 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
) )
6639 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
6641 #if defined(MBEDTLS_SSL_PROTO_SSL3)
6642 if( ssl
->minor_ver
== MBEDTLS_SSL_MINOR_VERSION_0
)
6645 * SSLv3 does not have a "no_renegotiation" alert
6647 if( ( ret
= mbedtls_ssl_send_fatal_handshake_failure( ssl
) ) != 0 )
6651 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
6652 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
6653 defined(MBEDTLS_SSL_PROTO_TLS1_2)
6654 if( ssl
->minor_ver
>= MBEDTLS_SSL_MINOR_VERSION_1
)
6656 if( ( ret
= mbedtls_ssl_send_alert_message( ssl
,
6657 MBEDTLS_SSL_ALERT_LEVEL_WARNING
,
6658 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION
) ) != 0 )
6664 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
6665 MBEDTLS_SSL_PROTO_TLS1_2 */
6667 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
6668 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR
);
6673 /* DTLS clients need to know renego is server-initiated */
6674 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6675 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
&&
6676 ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_CLIENT
)
6678 ssl
->renego_status
= MBEDTLS_SSL_RENEGOTIATION_PENDING
;
6681 ret
= ssl_start_renegotiation( ssl
);
6682 if( ret
== MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
)
6688 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret
);
6693 /* If a non-handshake record was read during renego, fallthrough,
6694 * else tell the user they should call mbedtls_ssl_read() again */
6696 return( MBEDTLS_ERR_SSL_WANT_READ
);
6698 else if( ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_PENDING
)
6701 if( ssl
->conf
->renego_max_records
>= 0 )
6703 if( ++ssl
->renego_records_seen
> ssl
->conf
->renego_max_records
)
6705 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
6706 "but not honored by client" ) );
6707 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
);
6711 #endif /* MBEDTLS_SSL_RENEGOTIATION */
6713 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
6714 if( ssl
->in_msgtype
== MBEDTLS_SSL_MSG_ALERT
)
6716 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
6717 return( MBEDTLS_ERR_SSL_WANT_READ
);
6720 if( ssl
->in_msgtype
!= MBEDTLS_SSL_MSG_APPLICATION_DATA
)
6722 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
6723 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
);
6726 ssl
->in_offt
= ssl
->in_msg
;
6728 /* We're going to return something now, cancel timer,
6729 * except if handshake (renegotiation) is in progress */
6730 if( ssl
->state
== MBEDTLS_SSL_HANDSHAKE_OVER
)
6731 ssl_set_timer( ssl
, 0 );
6733 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6734 /* If we requested renego but received AppData, resend HelloRequest.
6735 * Do it now, after setting in_offt, to avoid taking this branch
6736 * again if ssl_write_hello_request() returns WANT_WRITE */
6737 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
6738 if( ssl
->conf
->endpoint
== MBEDTLS_SSL_IS_SERVER
&&
6739 ssl
->renego_status
== MBEDTLS_SSL_RENEGOTIATION_PENDING
)
6741 if( ( ret
= ssl_resend_hello_request( ssl
) ) != 0 )
6743 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret
);
6747 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
6751 n
= ( len
< ssl
->in_msglen
)
6752 ? len
: ssl
->in_msglen
;
6754 memcpy( buf
, ssl
->in_offt
, n
);
6755 ssl
->in_msglen
-= n
;
6757 if( ssl
->in_msglen
== 0 )
6758 /* all bytes consumed */
6759 ssl
->in_offt
= NULL
;
6761 /* more data available */
6764 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
6770 * Send application data to be encrypted by the SSL layer,
6771 * taking care of max fragment length and buffer size
6773 static int ssl_write_real( mbedtls_ssl_context
*ssl
,
6774 const unsigned char *buf
, size_t len
)
6777 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
6778 size_t max_len
= mbedtls_ssl_get_max_frag_len( ssl
);
6782 #if defined(MBEDTLS_SSL_PROTO_DTLS)
6783 if( ssl
->conf
->transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
6785 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
6786 "maximum fragment length: %d > %d",
6788 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6794 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
6796 if( ssl
->out_left
!= 0 )
6798 if( ( ret
= mbedtls_ssl_flush_output( ssl
) ) != 0 )
6800 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret
);
6806 ssl
->out_msglen
= len
;
6807 ssl
->out_msgtype
= MBEDTLS_SSL_MSG_APPLICATION_DATA
;
6808 memcpy( ssl
->out_msg
, buf
, len
);
6810 if( ( ret
= mbedtls_ssl_write_record( ssl
) ) != 0 )
6812 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret
);
6817 return( (int) len
);
6821 * Write application data, doing 1/n-1 splitting if necessary.
6823 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
6824 * then the caller will call us again with the same arguments, so
6825 * remember wether we already did the split or not.
6827 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
6828 static int ssl_write_split( mbedtls_ssl_context
*ssl
,
6829 const unsigned char *buf
, size_t len
)
6833 if( ssl
->conf
->cbc_record_splitting
==
6834 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
||
6836 ssl
->minor_ver
> MBEDTLS_SSL_MINOR_VERSION_1
||
6837 mbedtls_cipher_get_cipher_mode( &ssl
->transform_out
->cipher_ctx_enc
)
6838 != MBEDTLS_MODE_CBC
)
6840 return( ssl_write_real( ssl
, buf
, len
) );
6843 if( ssl
->split_done
== 0 )
6845 if( ( ret
= ssl_write_real( ssl
, buf
, 1 ) ) <= 0 )
6847 ssl
->split_done
= 1;
6850 if( ( ret
= ssl_write_real( ssl
, buf
+ 1, len
- 1 ) ) <= 0 )
6852 ssl
->split_done
= 0;
6856 #endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
6859 * Write application data (public-facing wrapper)
6861 int mbedtls_ssl_write( mbedtls_ssl_context
*ssl
, const unsigned char *buf
, size_t len
)
6865 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
6867 if( ssl
== NULL
|| ssl
->conf
== NULL
)
6868 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6870 #if defined(MBEDTLS_SSL_RENEGOTIATION)
6871 if( ( ret
= ssl_check_ctr_renegotiate( ssl
) ) != 0 )
6873 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret
);
6878 if( ssl
->state
!= MBEDTLS_SSL_HANDSHAKE_OVER
)
6880 if( ( ret
= mbedtls_ssl_handshake( ssl
) ) != 0 )
6882 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret
);
6887 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
6888 ret
= ssl_write_split( ssl
, buf
, len
);
6890 ret
= ssl_write_real( ssl
, buf
, len
);
6893 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
6899 * Notify the peer that the connection is being closed
6901 int mbedtls_ssl_close_notify( mbedtls_ssl_context
*ssl
)
6905 if( ssl
== NULL
|| ssl
->conf
== NULL
)
6906 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA
);
6908 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
6910 if( ssl
->out_left
!= 0 )
6911 return( mbedtls_ssl_flush_output( ssl
) );
6913 if( ssl
->state
== MBEDTLS_SSL_HANDSHAKE_OVER
)
6915 if( ( ret
= mbedtls_ssl_send_alert_message( ssl
,
6916 MBEDTLS_SSL_ALERT_LEVEL_WARNING
,
6917 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY
) ) != 0 )
6919 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret
);
6924 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
6929 void mbedtls_ssl_transform_free( mbedtls_ssl_transform
*transform
)
6931 if( transform
== NULL
)
6934 #if defined(MBEDTLS_ZLIB_SUPPORT)
6935 deflateEnd( &transform
->ctx_deflate
);
6936 inflateEnd( &transform
->ctx_inflate
);
6939 mbedtls_cipher_free( &transform
->cipher_ctx_enc
);
6940 mbedtls_cipher_free( &transform
->cipher_ctx_dec
);
6942 mbedtls_md_free( &transform
->md_ctx_enc
);
6943 mbedtls_md_free( &transform
->md_ctx_dec
);
6945 mbedtls_zeroize( transform
, sizeof( mbedtls_ssl_transform
) );
6948 #if defined(MBEDTLS_X509_CRT_PARSE_C)
6949 static void ssl_key_cert_free( mbedtls_ssl_key_cert
*key_cert
)
6951 mbedtls_ssl_key_cert
*cur
= key_cert
, *next
;
6953 while( cur
!= NULL
)
6956 mbedtls_free( cur
);
6960 #endif /* MBEDTLS_X509_CRT_PARSE_C */
6962 void mbedtls_ssl_handshake_free( mbedtls_ssl_handshake_params
*handshake
)
6964 if( handshake
== NULL
)
6967 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6968 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6969 mbedtls_md5_free( &handshake
->fin_md5
);
6970 mbedtls_sha1_free( &handshake
->fin_sha1
);
6972 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6973 #if defined(MBEDTLS_SHA256_C)
6974 mbedtls_sha256_free( &handshake
->fin_sha256
);
6976 #if defined(MBEDTLS_SHA512_C)
6977 mbedtls_sha512_free( &handshake
->fin_sha512
);
6979 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6981 #if defined(MBEDTLS_DHM_C)
6982 mbedtls_dhm_free( &handshake
->dhm_ctx
);
6984 #if defined(MBEDTLS_ECDH_C)
6985 mbedtls_ecdh_free( &handshake
->ecdh_ctx
);
6987 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
6988 mbedtls_ecjpake_free( &handshake
->ecjpake_ctx
);
6989 #if defined(MBEDTLS_SSL_CLI_C)
6990 mbedtls_free( handshake
->ecjpake_cache
);
6991 handshake
->ecjpake_cache
= NULL
;
6992 handshake
->ecjpake_cache_len
= 0;
6996 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
6997 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
6998 /* explicit void pointer cast for buggy MS compiler */
6999 mbedtls_free( (void *) handshake
->curves
);
7002 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
7003 if( handshake
->psk
!= NULL
)
7005 mbedtls_zeroize( handshake
->psk
, handshake
->psk_len
);
7006 mbedtls_free( handshake
->psk
);
7010 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
7011 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7013 * Free only the linked list wrapper, not the keys themselves
7014 * since the belong to the SNI callback
7016 if( handshake
->sni_key_cert
!= NULL
)
7018 mbedtls_ssl_key_cert
*cur
= handshake
->sni_key_cert
, *next
;
7020 while( cur
!= NULL
)
7023 mbedtls_free( cur
);
7027 #endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
7029 #if defined(MBEDTLS_SSL_PROTO_DTLS)
7030 mbedtls_free( handshake
->verify_cookie
);
7031 mbedtls_free( handshake
->hs_msg
);
7032 ssl_flight_free( handshake
->flight
);
7035 mbedtls_zeroize( handshake
, sizeof( mbedtls_ssl_handshake_params
) );
7038 void mbedtls_ssl_session_free( mbedtls_ssl_session
*session
)
7040 if( session
== NULL
)
7043 #if defined(MBEDTLS_X509_CRT_PARSE_C)
7044 if( session
->peer_cert
!= NULL
)
7046 mbedtls_x509_crt_free( session
->peer_cert
);
7047 mbedtls_free( session
->peer_cert
);
7051 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
7052 mbedtls_free( session
->ticket
);
7055 mbedtls_zeroize( session
, sizeof( mbedtls_ssl_session
) );
7059 * Free an SSL context
7061 void mbedtls_ssl_free( mbedtls_ssl_context
*ssl
)
7066 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
7068 if( ssl
->out_buf
!= NULL
)
7070 mbedtls_zeroize( ssl
->out_buf
, MBEDTLS_SSL_BUFFER_LEN
);
7071 mbedtls_free( ssl
->out_buf
);
7074 if( ssl
->in_buf
!= NULL
)
7076 mbedtls_zeroize( ssl
->in_buf
, MBEDTLS_SSL_BUFFER_LEN
);
7077 mbedtls_free( ssl
->in_buf
);
7080 #if defined(MBEDTLS_ZLIB_SUPPORT)
7081 if( ssl
->compress_buf
!= NULL
)
7083 mbedtls_zeroize( ssl
->compress_buf
, MBEDTLS_SSL_BUFFER_LEN
);
7084 mbedtls_free( ssl
->compress_buf
);
7088 if( ssl
->transform
)
7090 mbedtls_ssl_transform_free( ssl
->transform
);
7091 mbedtls_free( ssl
->transform
);
7094 if( ssl
->handshake
)
7096 mbedtls_ssl_handshake_free( ssl
->handshake
);
7097 mbedtls_ssl_transform_free( ssl
->transform_negotiate
);
7098 mbedtls_ssl_session_free( ssl
->session_negotiate
);
7100 mbedtls_free( ssl
->handshake
);
7101 mbedtls_free( ssl
->transform_negotiate
);
7102 mbedtls_free( ssl
->session_negotiate
);
7107 mbedtls_ssl_session_free( ssl
->session
);
7108 mbedtls_free( ssl
->session
);
7111 #if defined(MBEDTLS_X509_CRT_PARSE_C)
7112 if( ssl
->hostname
!= NULL
)
7114 mbedtls_zeroize( ssl
->hostname
, strlen( ssl
->hostname
) );
7115 mbedtls_free( ssl
->hostname
);
7119 #if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
7120 if( mbedtls_ssl_hw_record_finish
!= NULL
)
7122 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
7123 mbedtls_ssl_hw_record_finish( ssl
);
7127 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
7128 mbedtls_free( ssl
->cli_id
);
7131 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
7133 /* Actually clear after last debug message */
7134 mbedtls_zeroize( ssl
, sizeof( mbedtls_ssl_context
) );
7138 * Initialze mbedtls_ssl_config
7140 void mbedtls_ssl_config_init( mbedtls_ssl_config
*conf
)
7142 memset( conf
, 0, sizeof( mbedtls_ssl_config
) );
7145 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7146 static int ssl_preset_default_hashes
[] = {
7147 #if defined(MBEDTLS_SHA512_C)
7151 #if defined(MBEDTLS_SHA256_C)
7155 #if defined(MBEDTLS_SHA1_C)
7162 static int ssl_preset_suiteb_ciphersuites
[] = {
7163 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
,
7164 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
,
7168 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7169 static int ssl_preset_suiteb_hashes
[] = {
7176 #if defined(MBEDTLS_ECP_C)
7177 static mbedtls_ecp_group_id ssl_preset_suiteb_curves
[] = {
7178 MBEDTLS_ECP_DP_SECP256R1
,
7179 MBEDTLS_ECP_DP_SECP384R1
,
7185 * Load default in mbedtls_ssl_config
7187 int mbedtls_ssl_config_defaults( mbedtls_ssl_config
*conf
,
7188 int endpoint
, int transport
, int preset
)
7190 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
7194 /* Use the functions here so that they are covered in tests,
7195 * but otherwise access member directly for efficiency */
7196 mbedtls_ssl_conf_endpoint( conf
, endpoint
);
7197 mbedtls_ssl_conf_transport( conf
, transport
);
7200 * Things that are common to all presets
7202 #if defined(MBEDTLS_SSL_CLI_C)
7203 if( endpoint
== MBEDTLS_SSL_IS_CLIENT
)
7205 conf
->authmode
= MBEDTLS_SSL_VERIFY_REQUIRED
;
7206 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
7207 conf
->session_tickets
= MBEDTLS_SSL_SESSION_TICKETS_ENABLED
;
7212 #if defined(MBEDTLS_ARC4_C)
7213 conf
->arc4_disabled
= MBEDTLS_SSL_ARC4_DISABLED
;
7216 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
7217 conf
->encrypt_then_mac
= MBEDTLS_SSL_ETM_ENABLED
;
7220 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
7221 conf
->extended_ms
= MBEDTLS_SSL_EXTENDED_MS_ENABLED
;
7224 #if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
7225 conf
->cbc_record_splitting
= MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
;
7228 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
7229 conf
->f_cookie_write
= ssl_cookie_write_dummy
;
7230 conf
->f_cookie_check
= ssl_cookie_check_dummy
;
7233 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
7234 conf
->anti_replay
= MBEDTLS_SSL_ANTI_REPLAY_ENABLED
;
7237 #if defined(MBEDTLS_SSL_PROTO_DTLS)
7238 conf
->hs_timeout_min
= MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
;
7239 conf
->hs_timeout_max
= MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX
;
7242 #if defined(MBEDTLS_SSL_RENEGOTIATION)
7243 conf
->renego_max_records
= MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT
;
7244 memset( conf
->renego_period
, 0x00, 2 );
7245 memset( conf
->renego_period
+ 2, 0xFF, 6 );
7248 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
7249 if( endpoint
== MBEDTLS_SSL_IS_SERVER
)
7251 if( ( ret
= mbedtls_ssl_conf_dh_param( conf
,
7252 MBEDTLS_DHM_RFC5114_MODP_2048_P
,
7253 MBEDTLS_DHM_RFC5114_MODP_2048_G
) ) != 0 )
7261 * Preset-specific defaults
7268 case MBEDTLS_SSL_PRESET_SUITEB
:
7269 conf
->min_major_ver
= MBEDTLS_SSL_MAJOR_VERSION_3
;
7270 conf
->min_minor_ver
= MBEDTLS_SSL_MINOR_VERSION_3
; /* TLS 1.2 */
7271 conf
->max_major_ver
= MBEDTLS_SSL_MAX_MAJOR_VERSION
;
7272 conf
->max_minor_ver
= MBEDTLS_SSL_MAX_MINOR_VERSION
;
7274 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_0
] =
7275 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_1
] =
7276 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_2
] =
7277 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_3
] =
7278 ssl_preset_suiteb_ciphersuites
;
7280 #if defined(MBEDTLS_X509_CRT_PARSE_C)
7281 conf
->cert_profile
= &mbedtls_x509_crt_profile_suiteb
;
7284 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7285 conf
->sig_hashes
= ssl_preset_suiteb_hashes
;
7288 #if defined(MBEDTLS_ECP_C)
7289 conf
->curve_list
= ssl_preset_suiteb_curves
;
7297 conf
->min_major_ver
= MBEDTLS_SSL_MAJOR_VERSION_3
;
7298 conf
->min_minor_ver
= MBEDTLS_SSL_MINOR_VERSION_1
; /* TLS 1.0 */
7299 conf
->max_major_ver
= MBEDTLS_SSL_MAX_MAJOR_VERSION
;
7300 conf
->max_minor_ver
= MBEDTLS_SSL_MAX_MINOR_VERSION
;
7302 #if defined(MBEDTLS_SSL_PROTO_DTLS)
7303 if( transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
7304 conf
->min_minor_ver
= MBEDTLS_SSL_MINOR_VERSION_2
;
7307 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_0
] =
7308 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_1
] =
7309 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_2
] =
7310 conf
->ciphersuite_list
[MBEDTLS_SSL_MINOR_VERSION_3
] =
7311 mbedtls_ssl_list_ciphersuites();
7313 #if defined(MBEDTLS_X509_CRT_PARSE_C)
7314 conf
->cert_profile
= &mbedtls_x509_crt_profile_default
;
7317 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7318 conf
->sig_hashes
= ssl_preset_default_hashes
;
7321 #if defined(MBEDTLS_ECP_C)
7322 conf
->curve_list
= mbedtls_ecp_grp_id_list();
7325 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
7326 conf
->dhm_min_bitlen
= 1024;
7334 * Free mbedtls_ssl_config
7336 void mbedtls_ssl_config_free( mbedtls_ssl_config
*conf
)
7338 #if defined(MBEDTLS_DHM_C)
7339 mbedtls_mpi_free( &conf
->dhm_P
);
7340 mbedtls_mpi_free( &conf
->dhm_G
);
7343 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
7344 if( conf
->psk
!= NULL
)
7346 mbedtls_zeroize( conf
->psk
, conf
->psk_len
);
7347 mbedtls_zeroize( conf
->psk_identity
, conf
->psk_identity_len
);
7348 mbedtls_free( conf
->psk
);
7349 mbedtls_free( conf
->psk_identity
);
7351 conf
->psk_identity_len
= 0;
7355 #if defined(MBEDTLS_X509_CRT_PARSE_C)
7356 ssl_key_cert_free( conf
->key_cert
);
7359 mbedtls_zeroize( conf
, sizeof( mbedtls_ssl_config
) );
7362 #if defined(MBEDTLS_PK_C) && \
7363 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
7365 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
7367 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context
*pk
)
7369 #if defined(MBEDTLS_RSA_C)
7370 if( mbedtls_pk_can_do( pk
, MBEDTLS_PK_RSA
) )
7371 return( MBEDTLS_SSL_SIG_RSA
);
7373 #if defined(MBEDTLS_ECDSA_C)
7374 if( mbedtls_pk_can_do( pk
, MBEDTLS_PK_ECDSA
) )
7375 return( MBEDTLS_SSL_SIG_ECDSA
);
7377 return( MBEDTLS_SSL_SIG_ANON
);
7380 mbedtls_pk_type_t
mbedtls_ssl_pk_alg_from_sig( unsigned char sig
)
7384 #if defined(MBEDTLS_RSA_C)
7385 case MBEDTLS_SSL_SIG_RSA
:
7386 return( MBEDTLS_PK_RSA
);
7388 #if defined(MBEDTLS_ECDSA_C)
7389 case MBEDTLS_SSL_SIG_ECDSA
:
7390 return( MBEDTLS_PK_ECDSA
);
7393 return( MBEDTLS_PK_NONE
);
7396 #endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
7399 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
7401 mbedtls_md_type_t
mbedtls_ssl_md_alg_from_hash( unsigned char hash
)
7405 #if defined(MBEDTLS_MD5_C)
7406 case MBEDTLS_SSL_HASH_MD5
:
7407 return( MBEDTLS_MD_MD5
);
7409 #if defined(MBEDTLS_SHA1_C)
7410 case MBEDTLS_SSL_HASH_SHA1
:
7411 return( MBEDTLS_MD_SHA1
);
7413 #if defined(MBEDTLS_SHA256_C)
7414 case MBEDTLS_SSL_HASH_SHA224
:
7415 return( MBEDTLS_MD_SHA224
);
7416 case MBEDTLS_SSL_HASH_SHA256
:
7417 return( MBEDTLS_MD_SHA256
);
7419 #if defined(MBEDTLS_SHA512_C)
7420 case MBEDTLS_SSL_HASH_SHA384
:
7421 return( MBEDTLS_MD_SHA384
);
7422 case MBEDTLS_SSL_HASH_SHA512
:
7423 return( MBEDTLS_MD_SHA512
);
7426 return( MBEDTLS_MD_NONE
);
7431 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
7433 unsigned char mbedtls_ssl_hash_from_md_alg( int md
)
7437 #if defined(MBEDTLS_MD5_C)
7438 case MBEDTLS_MD_MD5
:
7439 return( MBEDTLS_SSL_HASH_MD5
);
7441 #if defined(MBEDTLS_SHA1_C)
7442 case MBEDTLS_MD_SHA1
:
7443 return( MBEDTLS_SSL_HASH_SHA1
);
7445 #if defined(MBEDTLS_SHA256_C)
7446 case MBEDTLS_MD_SHA224
:
7447 return( MBEDTLS_SSL_HASH_SHA224
);
7448 case MBEDTLS_MD_SHA256
:
7449 return( MBEDTLS_SSL_HASH_SHA256
);
7451 #if defined(MBEDTLS_SHA512_C)
7452 case MBEDTLS_MD_SHA384
:
7453 return( MBEDTLS_SSL_HASH_SHA384
);
7454 case MBEDTLS_MD_SHA512
:
7455 return( MBEDTLS_SSL_HASH_SHA512
);
7458 return( MBEDTLS_SSL_HASH_NONE
);
7462 #if defined(MBEDTLS_ECP_C)
7464 * Check if a curve proposed by the peer is in our list.
7465 * Return 0 if we're willing to use it, -1 otherwise.
7467 int mbedtls_ssl_check_curve( const mbedtls_ssl_context
*ssl
, mbedtls_ecp_group_id grp_id
)
7469 const mbedtls_ecp_group_id
*gid
;
7471 if( ssl
->conf
->curve_list
== NULL
)
7474 for( gid
= ssl
->conf
->curve_list
; *gid
!= MBEDTLS_ECP_DP_NONE
; gid
++ )
7475 if( *gid
== grp_id
)
7480 #endif /* MBEDTLS_ECP_C */
7482 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7484 * Check if a hash proposed by the peer is in our list.
7485 * Return 0 if we're willing to use it, -1 otherwise.
7487 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context
*ssl
,
7488 mbedtls_md_type_t md
)
7492 if( ssl
->conf
->sig_hashes
== NULL
)
7495 for( cur
= ssl
->conf
->sig_hashes
; *cur
!= MBEDTLS_MD_NONE
; cur
++ )
7496 if( *cur
== (int) md
)
7501 #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
7503 #if defined(MBEDTLS_X509_CRT_PARSE_C)
7504 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt
*cert
,
7505 const mbedtls_ssl_ciphersuite_t
*ciphersuite
,
7510 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
7513 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
7514 const char *ext_oid
;
7518 #if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
7519 !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
7521 ((void) cert_endpoint
);
7525 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
7526 if( cert_endpoint
== MBEDTLS_SSL_IS_SERVER
)
7528 /* Server part of the key exchange */
7529 switch( ciphersuite
->key_exchange
)
7531 case MBEDTLS_KEY_EXCHANGE_RSA
:
7532 case MBEDTLS_KEY_EXCHANGE_RSA_PSK
:
7533 usage
= MBEDTLS_X509_KU_KEY_ENCIPHERMENT
;
7536 case MBEDTLS_KEY_EXCHANGE_DHE_RSA
:
7537 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
:
7538 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
:
7539 usage
= MBEDTLS_X509_KU_DIGITAL_SIGNATURE
;
7542 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA
:
7543 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
:
7544 usage
= MBEDTLS_X509_KU_KEY_AGREEMENT
;
7547 /* Don't use default: we want warnings when adding new values */
7548 case MBEDTLS_KEY_EXCHANGE_NONE
:
7549 case MBEDTLS_KEY_EXCHANGE_PSK
:
7550 case MBEDTLS_KEY_EXCHANGE_DHE_PSK
:
7551 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
:
7552 case MBEDTLS_KEY_EXCHANGE_ECJPAKE
:
7558 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
7559 usage
= MBEDTLS_X509_KU_DIGITAL_SIGNATURE
;
7562 if( mbedtls_x509_crt_check_key_usage( cert
, usage
) != 0 )
7564 *flags
|= MBEDTLS_X509_BADCERT_KEY_USAGE
;
7568 ((void) ciphersuite
);
7569 #endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
7571 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
7572 if( cert_endpoint
== MBEDTLS_SSL_IS_SERVER
)
7574 ext_oid
= MBEDTLS_OID_SERVER_AUTH
;
7575 ext_len
= MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH
);
7579 ext_oid
= MBEDTLS_OID_CLIENT_AUTH
;
7580 ext_len
= MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH
);
7583 if( mbedtls_x509_crt_check_extended_key_usage( cert
, ext_oid
, ext_len
) != 0 )
7585 *flags
|= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE
;
7588 #endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
7592 #endif /* MBEDTLS_X509_CRT_PARSE_C */
7595 * Convert version numbers to/from wire format
7596 * and, for DTLS, to/from TLS equivalent.
7598 * For TLS this is the identity.
7599 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
7600 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
7601 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
7603 void mbedtls_ssl_write_version( int major
, int minor
, int transport
,
7604 unsigned char ver
[2] )
7606 #if defined(MBEDTLS_SSL_PROTO_DTLS)
7607 if( transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
7609 if( minor
== MBEDTLS_SSL_MINOR_VERSION_2
)
7610 --minor
; /* DTLS 1.0 stored as TLS 1.1 internally */
7612 ver
[0] = (unsigned char)( 255 - ( major
- 2 ) );
7613 ver
[1] = (unsigned char)( 255 - ( minor
- 1 ) );
7620 ver
[0] = (unsigned char) major
;
7621 ver
[1] = (unsigned char) minor
;
7625 void mbedtls_ssl_read_version( int *major
, int *minor
, int transport
,
7626 const unsigned char ver
[2] )
7628 #if defined(MBEDTLS_SSL_PROTO_DTLS)
7629 if( transport
== MBEDTLS_SSL_TRANSPORT_DATAGRAM
)
7631 *major
= 255 - ver
[0] + 2;
7632 *minor
= 255 - ver
[1] + 1;
7634 if( *minor
== MBEDTLS_SSL_MINOR_VERSION_1
)
7635 ++*minor
; /* DTLS 1.0 stored as TLS 1.1 internally */
7647 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context
*ssl
, int md
)
7649 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
7650 if( ssl
->minor_ver
!= MBEDTLS_SSL_MINOR_VERSION_3
)
7651 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH
;
7655 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
7656 #if defined(MBEDTLS_MD5_C)
7657 case MBEDTLS_SSL_HASH_MD5
:
7658 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH
;
7660 #if defined(MBEDTLS_SHA1_C)
7661 case MBEDTLS_SSL_HASH_SHA1
:
7662 ssl
->handshake
->calc_verify
= ssl_calc_verify_tls
;
7665 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
7666 #if defined(MBEDTLS_SHA512_C)
7667 case MBEDTLS_SSL_HASH_SHA384
:
7668 ssl
->handshake
->calc_verify
= ssl_calc_verify_tls_sha384
;
7671 #if defined(MBEDTLS_SHA256_C)
7672 case MBEDTLS_SSL_HASH_SHA256
:
7673 ssl
->handshake
->calc_verify
= ssl_calc_verify_tls_sha256
;
7677 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH
;
7681 #else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
7685 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH
;
7686 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
7689 #endif /* MBEDTLS_SSL_TLS_C */