55#if !defined(MBEDTLS_CONFIG_FILE)
58#include MBEDTLS_CONFIG_FILE
61#if defined(MBEDTLS_SSL_TLS_C)
63#if defined(MBEDTLS_PLATFORM_C)
67#define mbedtls_calloc calloc
68#define mbedtls_free free
78#if defined(MBEDTLS_X509_CRT_PARSE_C)
88#if defined(MBEDTLS_SSL_PROTO_DTLS)
132#define SSL_DONT_FORCE_FLUSH 0
133#define SSL_FORCE_FLUSH 1
135#if defined(MBEDTLS_SSL_PROTO_DTLS)
151 size_t mtu = ssl_get_current_mtu( ssl );
161 size_t const bytes_written = ssl->
out_left;
162 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
166 if( bytes_written > mtu )
172 return( (
int) ( mtu - bytes_written ) );
178 size_t remaining, expansion;
181#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
196 if( max_len <= ssl->out_left )
202 ret = ssl_get_remaining_space_in_datagram( ssl );
212 if( remaining <= expansion )
215 remaining -= expansion;
216 if( remaining >= max_len )
219 return( (
int) remaining );
230 if( ssl->
handshake->retransmit_timeout >= ssl->
conf->hs_timeout_max )
239 if( ssl->
handshake->retransmit_timeout != ssl->
conf->hs_timeout_min )
245 new_timeout = 2 * ssl->
handshake->retransmit_timeout;
248 if( new_timeout < ssl->handshake->retransmit_timeout ||
249 new_timeout > ssl->
conf->hs_timeout_max )
251 new_timeout = ssl->
conf->hs_timeout_max;
254 ssl->
handshake->retransmit_timeout = new_timeout;
263 ssl->
handshake->retransmit_timeout = ssl->
conf->hs_timeout_min;
269#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
278static unsigned int ssl_mfl_code_to_length(
int mfl )
298#if defined(MBEDTLS_SSL_CLI_C)
304#if defined(MBEDTLS_X509_CRT_PARSE_C)
316 src->peer_cert->raw.len ) ) != 0 )
325#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
340#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
342 const unsigned char *key_enc,
const unsigned char *key_dec,
344 const unsigned char *iv_enc,
const unsigned char *iv_dec,
346 const unsigned char *mac_enc,
const unsigned char *mac_dec,
347 size_t maclen ) =
NULL;
358#if defined(MBEDTLS_SSL_PROTO_SSL3)
359static int ssl3_prf(
const unsigned char *
secret,
size_t slen,
361 const unsigned char *
random,
size_t rlen,
362 unsigned char *dstbuf,
size_t dlen )
369 unsigned char sha1sum[20];
383 for(
i = 0;
i < dlen / 16;
i++ )
419#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
422 const unsigned char *
random,
size_t rlen,
423 unsigned char *dstbuf,
size_t dlen )
427 const unsigned char *
S1, *
S2;
428 unsigned char tmp[128];
429 unsigned char h_i[20];
439 hs = ( slen + 1 ) / 2;
461 for(
i = 0;
i < dlen;
i += 16 )
471 k = (
i + 16 > dlen ) ? dlen % 16 : 16;
473 for(
j = 0;
j <
k;
j++ )
474 dstbuf[
i +
j] = h_i[
j];
492 for(
i = 0;
i < dlen;
i += 20 )
502 k = (
i + 20 > dlen ) ? dlen % 20 : 20;
504 for(
j = 0;
j <
k;
j++ )
505 dstbuf[
i +
j] = (
unsigned char)( dstbuf[
i +
j] ^ h_i[
j] );
517#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
519 const unsigned char *
secret,
size_t slen,
521 const unsigned char *
random,
size_t rlen,
522 unsigned char *dstbuf,
size_t dlen )
525 size_t i,
j,
k, md_len;
526 unsigned char tmp[128];
539 if(
sizeof( tmp ) < md_len +
strlen(
label ) + rlen )
557 for(
i = 0;
i < dlen;
i += md_len )
567 k = (
i + md_len > dlen ) ? dlen % md_len : md_len;
569 for(
j = 0;
j <
k;
j++ )
570 dstbuf[
i +
j] = h_i[
j];
581#if defined(MBEDTLS_SHA256_C)
582static int tls_prf_sha256(
const unsigned char *
secret,
size_t slen,
584 const unsigned char *
random,
size_t rlen,
585 unsigned char *dstbuf,
size_t dlen )
592#if defined(MBEDTLS_SHA512_C)
593static int tls_prf_sha384(
const unsigned char *
secret,
size_t slen,
595 const unsigned char *
random,
size_t rlen,
596 unsigned char *dstbuf,
size_t dlen )
604static void ssl_update_checksum_start(
mbedtls_ssl_context *,
const unsigned char *,
size_t );
606#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
607 defined(MBEDTLS_SSL_PROTO_TLS1_1)
608static void ssl_update_checksum_md5sha1(
mbedtls_ssl_context *,
const unsigned char *,
size_t );
611#if defined(MBEDTLS_SSL_PROTO_SSL3)
616#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
621#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
622#if defined(MBEDTLS_SHA256_C)
623static void ssl_update_checksum_sha256(
mbedtls_ssl_context *,
const unsigned char *,
size_t );
628#if defined(MBEDTLS_SHA512_C)
629static void ssl_update_checksum_sha384(
mbedtls_ssl_context *,
const unsigned char *,
size_t );
638 unsigned char tmp[64];
639 unsigned char keyblk[256];
642 unsigned char *mac_enc;
643 unsigned char *mac_dec;
656 if( cipher_info ==
NULL )
664 if( md_info ==
NULL )
674#if defined(MBEDTLS_SSL_PROTO_SSL3)
683#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
692#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
693#if defined(MBEDTLS_SHA512_C)
697 handshake->
tls_prf = tls_prf_sha384;
698 handshake->
calc_verify = ssl_calc_verify_tls_sha384;
703#if defined(MBEDTLS_SHA256_C)
706 handshake->
tls_prf = tls_prf_sha256;
707 handshake->
calc_verify = ssl_calc_verify_tls_sha256;
728 if( handshake->
resume == 0 )
733#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
736 unsigned char session_hash[48];
743#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
746#if defined(MBEDTLS_SHA512_C)
763 "extended master secret",
764 session_hash, hash_len,
838 size_t taglen, explicit_ivlen;
854 taglen =
transform->ciphersuite_info->flags &
860 transform->minlen = explicit_ivlen + taglen;
876#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
886#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
909#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
923#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
929#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
951#if defined(MBEDTLS_SSL_CLI_C)
954 key1 = keyblk + mac_key_len * 2;
955 key2 = keyblk + mac_key_len * 2 +
transform->keylen;
958 mac_dec = keyblk + mac_key_len;
963 iv_copy_len = (
transform->fixed_ivlen ) ?
971#if defined(MBEDTLS_SSL_SRV_C)
975 key2 = keyblk + mac_key_len * 2;
977 mac_enc = keyblk + mac_key_len;
983 iv_copy_len = (
transform->fixed_ivlen ) ?
996#if defined(MBEDTLS_SSL_PROTO_SSL3)
999 if( mac_key_len >
sizeof transform->mac_enc )
1010#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1011 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1016 if( mac_key_len != 0 )
1029#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
1030 if( mbedtls_ssl_hw_record_init !=
NULL )
1034 if( (
ret = mbedtls_ssl_hw_record_init( ssl,
key1, key2,
transform->keylen,
1038 mac_key_len ) ) != 0 )
1046#if defined(MBEDTLS_SSL_EXPORT_KEYS)
1047 if( ssl->
conf->f_export_keys !=
NULL )
1049 ssl->
conf->f_export_keys( ssl->
conf->p_export_keys,
1057 cipher_info ) ) != 0 )
1064 cipher_info ) ) != 0 )
1086#if defined(MBEDTLS_CIPHER_MODE_CBC)
1107#if defined(MBEDTLS_ZLIB_SUPPORT)
1112 if( ssl->compress_buf ==
NULL )
1115 ssl->compress_buf =
mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
1116 if( ssl->compress_buf ==
NULL )
1119 MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
1144#if defined(MBEDTLS_SSL_PROTO_SSL3)
1149 unsigned char pad_1[48];
1150 unsigned char pad_2[48];
1160 memset( pad_1, 0x36, 48 );
1161 memset( pad_2, 0x5C, 48 );
1193#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
1220#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1221#if defined(MBEDTLS_SHA256_C)
1242#if defined(MBEDTLS_SHA512_C)
1264#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1269 const unsigned char *psk = ssl->
conf->psk;
1270 size_t psk_len = ssl->
conf->psk_len;
1286#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1292 *(
p++) = (
unsigned char)( psk_len >> 8 );
1293 *(
p++) = (
unsigned char)( psk_len );
1295 if(
end <
p || (
size_t)(
end -
p ) < psk_len )
1303#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1319#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1333 *(
p++) = (
unsigned char)(
len >> 8 );
1334 *(
p++) = (
unsigned char)(
len );
1341#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1348 p + 2,
end - (
p + 2 ),
1355 *(
p++) = (
unsigned char)( zlen >> 8 );
1356 *(
p++) = (
unsigned char)( zlen );
1373 *(
p++) = (
unsigned char)( psk_len >> 8 );
1374 *(
p++) = (
unsigned char)( psk_len );
1376 if(
end <
p || (
size_t)(
end -
p ) < psk_len )
1388#if defined(MBEDTLS_SSL_PROTO_SSL3)
1392#define SSL_MAC_MAX_BYTES 20
1394 const unsigned char *
secret,
1395 const unsigned char *
buf,
size_t len,
1396 const unsigned char *ctr,
int type,
1397 unsigned char out[SSL_MAC_MAX_BYTES] )
1399 unsigned char header[11];
1433#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
1434 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
1435#define SSL_SOME_MODES_USE_MAC
1462#if defined(SSL_SOME_MODES_USE_MAC)
1470#if defined(MBEDTLS_SSL_PROTO_SSL3)
1473 unsigned char mac[SSL_MAC_MAX_BYTES];
1485#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1486 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1520#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1527 "including %d bytes of padding",
1534 ssl->
out_msg, &olen ) ) != 0 )
1548#if defined(MBEDTLS_GCM_C) || \
1549 defined(MBEDTLS_CCM_C) || \
1550 defined(MBEDTLS_CHACHAPOLY_C)
1556 size_t enc_msglen, olen;
1557 unsigned char *enc_msg;
1559 unsigned char iv[12];
1595 for(
i = 0;
i < 8;
i++ )
1608 ssl->
out_iv, explicit_ivlen );
1618 "including 0 bytes of padding",
1627 enc_msg, enc_msglen,
1629 enc_msg + enc_msglen, taglen ) ) != 0 )
1635 if( olen != enc_msglen )
1648#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
1652 unsigned char *enc_msg;
1653 size_t enc_msglen, padlen, olen = 0,
i;
1660 for(
i = 0;
i <= padlen;
i++ )
1668#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1696 "including %d bytes of IV and %d bytes of padding",
1703 enc_msg, enc_msglen,
1704 enc_msg, &olen ) ) != 0 )
1710 if( enc_msglen != olen )
1716#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
1728#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1729 if( auth_done == 0 )
1741 unsigned char pseudo_hdr[13];
1747 pseudo_hdr[11] = (
unsigned char)( ( ssl->
out_msglen >> 8 ) & 0xFF );
1774 if( auth_done != 1 )
1785#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
1795static void mbedtls_ssl_cf_memcpy_if_eq(
unsigned char *
dst,
1796 const unsigned char *
src,
1798 size_t c1,
size_t c2 )
1801 const size_t diff = c1 ^ c2;
1805#if defined(_MSC_VER)
1806#pragma warning( push )
1807#pragma warning( disable : 4146 )
1811 const size_t diff_msb = ( diff | -diff );
1814 const size_t diff1 = diff_msb >> (
sizeof( diff_msb ) * 8 - 1 );
1817 const unsigned char mask = (
unsigned char) -diff1;
1819#if defined(_MSC_VER)
1820#pragma warning( pop )
1825 for(
i = 0;
i <
len;
i++ )
1837 const unsigned char *
add_data,
size_t add_data_len,
1838 const unsigned char *
data,
size_t data_len_secret,
1839 size_t min_data_len,
size_t max_data_len,
1840 unsigned char *output )
1860 const unsigned char *
const ikey =
ctx->hmac_ctx;
1861 const unsigned char *
const okey = ikey +
block_size;
1871#define MD_CHK( func_call ) \
1873 ret = (func_call); \
1891 mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size,
1892 offset, data_len_secret );
1894 if(
offset < max_data_len )
1923 const unsigned char *src_base,
1924 size_t offset_secret,
1925 size_t offset_min,
size_t offset_max,
1932 mbedtls_ssl_cf_memcpy_if_eq(
dst, src_base +
offset,
len,
1942#if defined(SSL_SOME_MODES_USE_MAC)
1943 size_t padlen = 0, correct = 1;
1963#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1975 ssl->
in_msg, &olen ) ) != 0 )
1989#if defined(MBEDTLS_GCM_C) || \
1990 defined(MBEDTLS_CCM_C) || \
1991 defined(MBEDTLS_CHACHAPOLY_C)
1997 size_t dec_msglen, olen;
1998 unsigned char *dec_msg;
1999 unsigned char *dec_msg_result;
2001 unsigned char iv[12];
2010 if( ssl->
in_msglen < explicit_iv_len + taglen )
2014 explicit_iv_len, taglen ) );
2017 dec_msglen = ssl->
in_msglen - explicit_iv_len - taglen;
2020 dec_msg_result = ssl->
in_msg;
2052 for(
i = 0;
i < 8;
i++ )
2071 dec_msg, dec_msglen,
2072 dec_msg_result, &olen,
2073 dec_msg + dec_msglen, taglen ) ) != 0 )
2084 if( olen != dec_msglen )
2092#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
2099 unsigned char *dec_msg;
2100 unsigned char *dec_msg_result;
2108#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
2125 dec_msg_result = ssl->
in_msg;
2130#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2134 unsigned char pseudo_hdr[13];
2143 pseudo_hdr[11] = (
unsigned char)( ( ssl->
in_msglen >> 8 ) & 0xFF );
2144 pseudo_hdr[12] = (
unsigned char)( ( ssl->
in_msglen ) & 0xFF );
2180#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
2198 dec_msg, dec_msglen,
2199 dec_msg_result, &olen ) ) != 0 )
2205 if( dec_msglen != olen )
2211#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
2228#if defined(MBEDTLS_SSL_DEBUG_ALL)
2236#if defined(MBEDTLS_SSL_PROTO_SSL3)
2241#if defined(MBEDTLS_SSL_DEBUG_ALL)
2243 "should be no more than %d",
2251#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2252 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2259 size_t pad_count = 0, real_count = 1;
2260 size_t padding_idx = ssl->
in_msglen - padlen;
2273 correct &= ( padlen <= ssl->
in_msglen );
2277 padding_idx *= correct;
2279 for(
i = 0;
i < 256;
i++ )
2281 real_count &= (
i < padlen );
2282 pad_count += real_count *
2283 ( ssl->
in_msg[padding_idx +
i] == padlen - 1 );
2286 correct &= ( pad_count == padlen );
2288#if defined(MBEDTLS_SSL_DEBUG_ALL)
2289 if( padlen > 0 && correct == 0 )
2292 padlen &= correct * 0x1FF;
2311#if defined(MBEDTLS_SSL_DEBUG_ALL)
2320#if defined(SSL_SOME_MODES_USE_MAC)
2321 if( auth_done == 0 )
2331#if defined(MBEDTLS_SSL_PROTO_SSL3)
2344#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2345 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2361 const size_t max_len = ssl->
in_msglen + padlen;
2362 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
2392#if defined(MBEDTLS_SSL_DEBUG_ALL)
2400#if defined(MBEDTLS_SSL_DEBUG_ALL)
2416 if( auth_done != 1 )
2424#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2443 "messages, possible DoS attack" ) );
2450#if defined(MBEDTLS_SSL_PROTO_DTLS)
2459 for(
i = 8;
i > ssl_ep_len( ssl );
i-- )
2460 if( ++ssl->
in_ctr[
i - 1] != 0 )
2464 if(
i == ssl_ep_len( ssl ) )
2478#undef MAC_CIPHERTEXT
2480#if defined(MBEDTLS_ZLIB_SUPPORT)
2487 unsigned char *msg_post = ssl->
out_msg;
2490 unsigned char *msg_pre = ssl->compress_buf;
2534 unsigned char *msg_post = ssl->
in_msg;
2537 unsigned char *msg_pre = ssl->compress_buf;
2566 ssl->
transform_in->ctx_inflate.avail_out - header_bytes;
2580#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2583#if defined(MBEDTLS_SSL_PROTO_DTLS)
2590 uint32_t ratio = ssl->
conf->hs_timeout_max / ssl->
conf->hs_timeout_min + 1;
2591 unsigned char doublings = 1;
2606 return( ssl_write_hello_request( ssl ) );
2636 "or mbedtls_ssl_set_bio()" ) );
2646#if defined(MBEDTLS_SSL_PROTO_DTLS)
2655 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
2669 if( ssl->next_record_offset != 0 )
2671 if( ssl->
in_left < ssl->next_record_offset )
2677 ssl->
in_left -= ssl->next_record_offset;
2682 ssl->next_record_offset ) );
2684 ssl->
in_hdr + ssl->next_record_offset,
2688 ssl->next_record_offset = 0;
2697 if( nb_want <= ssl->in_left)
2719 if( ssl_check_timer( ssl ) != 0 )
2750 ssl_set_timer( ssl, 0 );
2754 if( ssl_double_retransmit_timeout( ssl ) != 0 )
2760 if( (
ret = mbedtls_ssl_resend( ssl ) ) != 0 )
2768#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2772 if( (
ret = ssl_resend_hello_request( ssl ) ) != 0 )
2794 while( ssl->
in_left < nb_want )
2798 if( ssl_check_timer( ssl ) != 0 )
2828 (
"f_recv returned %d bytes but only %lu were requested",
2829 ret, (
unsigned long)
len ) );
2855 "or mbedtls_ssl_set_bio()" ) );
2882 (
"f_send returned %d bytes but only %lu bytes were sent",
2890#if defined(MBEDTLS_SSL_PROTO_DTLS)
2910#if defined(MBEDTLS_SSL_PROTO_DTLS)
2916 mbedtls_ssl_flight_item *
msg;
2925 sizeof( mbedtls_ssl_flight_item ) ) );
2960static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
2962 mbedtls_ssl_flight_item *
cur = flight;
2963 mbedtls_ssl_flight_item *
next;
2976#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
2986 unsigned char tmp_out_ctr[8];
2987#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3002 ssl->
handshake->alt_transform_out = tmp_transform;
3012#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3013 if( mbedtls_ssl_hw_record_activate !=
NULL )
3015 if( (
ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
3035 ret = mbedtls_ssl_flight_transmit( ssl );
3060 if( (
ret = ssl_swap_epochs( ssl ) ) != 0 )
3068 size_t max_frag_len;
3069 const mbedtls_ssl_flight_item *
const cur = ssl->
handshake->cur_msg;
3071 int const is_finished =
3075 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
3076 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
3081 if( is_finished && ssl->
handshake->cur_msg_p == (
cur->p + 12 ) )
3084 if( (
ret = ssl_swap_epochs( ssl ) ) != 0 )
3088 ret = ssl_get_remaining_payload_in_datagram( ssl );
3096 if( max_frag_len == 0 )
3113 const unsigned char *
const p = ssl->
handshake->cur_msg_p;
3114 const size_t hs_len =
cur->len - 12;
3115 const size_t frag_off =
p - (
cur->p + 12 );
3116 const size_t rem_len = hs_len - frag_off;
3117 size_t cur_hs_frag_len, max_hs_frag_len;
3119 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
3123 if( (
ret = ssl_swap_epochs( ssl ) ) != 0 )
3132 max_hs_frag_len = max_frag_len - 12;
3134 cur_hs_frag_len = rem_len > max_hs_frag_len ?
3135 max_hs_frag_len : rem_len;
3137 if( frag_off == 0 && cur_hs_frag_len != hs_len )
3140 (
unsigned) cur_hs_frag_len,
3141 (
unsigned) max_hs_frag_len ) );
3149 ssl->
out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
3150 ssl->
out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
3151 ssl->
out_msg[8] = ( ( frag_off ) & 0xff );
3153 ssl->
out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
3154 ssl->
out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
3155 ssl->
out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
3165 ssl->
handshake->cur_msg_p += cur_hs_frag_len;
3200 ssl_set_timer( ssl, ssl->
handshake->retransmit_timeout );
3214 ssl_flight_free( ssl->
handshake->flight );
3225 ssl_buffering_free( ssl );
3228 ssl_set_timer( ssl, 0 );
3244 ssl_reset_retransmit_timeout( ssl );
3245 ssl_set_timer( ssl, ssl->
handshake->retransmit_timeout );
3287 const unsigned char hs_type = ssl->
out_msg[0];
3298#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
3319#if defined(MBEDTLS_SSL_PROTO_DTLS)
3340 "size %u, maximum %u",
3351 ssl->
out_msg[1] = (
unsigned char)( hs_len >> 16 );
3362#if defined(MBEDTLS_SSL_PROTO_DTLS)
3369 "size %u, maximum %u",
3370 (
unsigned) ( hs_len ),
3404#if defined(MBEDTLS_SSL_PROTO_DTLS)
3409 if( (
ret = ssl_flight_append( ssl ) ) != 0 )
3450#if defined(MBEDTLS_ZLIB_SUPPORT)
3454 if( (
ret = ssl_compress_buf( ssl ) ) != 0 )
3464#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3465 if( mbedtls_ssl_hw_record_write !=
NULL )
3469 ret = mbedtls_ssl_hw_record_write( ssl );
3483 size_t protected_record_size;
3495 if( (
ret = ssl_encrypt_buf( ssl ) ) != 0 )
3508#if defined(MBEDTLS_SSL_PROTO_DTLS)
3513 ret = ssl_get_remaining_space_in_datagram( ssl );
3517 if( protected_record_size > (
size_t)
ret )
3526 "version = [%d:%d], msglen = %d",
3531 ssl->
out_hdr, protected_record_size );
3533 ssl->
out_left += protected_record_size;
3534 ssl->
out_hdr += protected_record_size;
3537 for(
i = 8;
i > ssl_ep_len( ssl );
i-- )
3542 if(
i == ssl_ep_len( ssl ) )
3549#if defined(MBEDTLS_SSL_PROTO_DTLS)
3551 flush == SSL_DONT_FORCE_FLUSH )
3554 ret = ssl_get_remaining_payload_in_datagram( ssl );
3563 if( remaining == 0 )
3565 flush = SSL_FORCE_FLUSH;
3569 MBEDTLS_SSL_DEBUG_MSG( 2, (
"Still %u bytes available in current datagram", (
unsigned) remaining ) );
3574 if( ( flush == SSL_FORCE_FLUSH ) &&
3586#if defined(MBEDTLS_SSL_PROTO_DTLS)
3601 return( ( ssl->
in_msg[9] << 16 ) |
3602 ( ssl->
in_msg[10] << 8 ) |
3608 return( ( ssl->
in_msg[6] << 16 ) |
3609 ( ssl->
in_msg[7] << 8 ) |
3615 uint32_t msg_len, frag_off, frag_len;
3617 msg_len = ssl_get_hs_total_len( ssl );
3618 frag_off = ssl_get_hs_frag_off( ssl );
3619 frag_len = ssl_get_hs_frag_len( ssl );
3621 if( frag_off > msg_len )
3624 if( frag_len > msg_len - frag_off )
3636static void ssl_bitmask_set(
unsigned char *
mask,
size_t offset,
size_t len )
3638 unsigned int start_bits, end_bits;
3640 start_bits = 8 - (
offset % 8 );
3641 if( start_bits != 8 )
3643 size_t first_byte_idx =
offset / 8;
3646 if(
len <= start_bits )
3649 mask[first_byte_idx] |= 1 << ( start_bits -
len );
3658 for( ; start_bits != 0; start_bits-- )
3659 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
3665 size_t last_byte_idx = (
offset +
len ) / 8;
3669 for( ; end_bits != 0; end_bits-- )
3670 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
3679static int ssl_bitmask_check(
unsigned char *
mask,
size_t len )
3683 for(
i = 0;
i <
len / 8;
i++ )
3684 if(
mask[
i] != 0xFF )
3687 for(
i = 0;
i <
len % 8;
i++ )
3688 if( (
mask[
len / 8] & ( 1 << ( 7 -
i ) ) ) == 0 )
3695static size_t ssl_get_reassembly_buffer_size(
size_t msg_len,
3696 unsigned add_bitmap )
3701 alloc_len += msg_len;
3704 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 );
3706 return( alloc_len );
3713 return( ( ssl->
in_msg[1] << 16 ) |
3714 ( ssl->
in_msg[2] << 8 ) |
3730 " %d, type = %d, hslen = %d",
3733#if defined(MBEDTLS_SSL_PROTO_DTLS)
3737 unsigned int recv_msg_seq = ( ssl->
in_msg[4] << 8 ) | ssl->
in_msg[5];
3739 if( ssl_check_hs_header( ssl ) != 0 )
3747 recv_msg_seq != ssl->
handshake->in_msg_seq ) ||
3751 if( recv_msg_seq > ssl->
handshake->in_msg_seq )
3762 if( recv_msg_seq == ssl->
handshake->in_flight_start_seq - 1 &&
3766 "message_seq = %d, start_of_flight = %d",
3768 ssl->
handshake->in_flight_start_seq ) );
3770 if( (
ret = mbedtls_ssl_resend( ssl ) ) != 0 )
3779 "message_seq = %d, expected = %d",
3792 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
3820#if defined(MBEDTLS_SSL_PROTO_DTLS)
3835 ssl_buffering_free_slot( ssl, 0 );
3838 for(
offset = 0, hs_buf = &hs->buffering.hs[0];
3842 *hs_buf = *(hs_buf + 1);
3861#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3864 ssl->in_window_top = 0;
3868static inline uint64_t ssl_load_six_bytes(
unsigned char *
buf )
3889 if( rec_seqnum > ssl->in_window_top )
3892 bit = ssl->in_window_top - rec_seqnum;
3897 if( ( ssl->in_window & ( (
uint64_t) 1 << bit ) ) != 0 )
3913 if( rec_seqnum > ssl->in_window_top )
3922 ssl->in_window <<=
shift;
3923 ssl->in_window |= 1;
3926 ssl->in_window_top = rec_seqnum;
3931 uint64_t bit = ssl->in_window_top - rec_seqnum;
3934 ssl->in_window |= (
uint64_t) 1 << bit;
3939#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3954static int ssl_check_dtls_clihlo_cookie(
3958 const unsigned char *cli_id,
size_t cli_id_len,
3959 const unsigned char *
in,
size_t in_len,
3960 unsigned char *
obuf,
size_t buf_len,
size_t *olen )
3962 size_t sid_len, cookie_len;
3965 if( f_cookie_write ==
NULL || f_cookie_check ==
NULL )
3996 in[3] != 0 ||
in[4] != 0 ||
3997 in[19] != 0 ||
in[20] != 0 ||
in[21] != 0 )
4003 if( sid_len > in_len - 61 )
4006 cookie_len =
in[60 + sid_len];
4007 if( cookie_len > in_len - 60 )
4010 if( f_cookie_check( p_cookie,
in + sid_len + 61, cookie_len,
4011 cli_id, cli_id_len ) == 0 )
4048 if( f_cookie_write( p_cookie,
4049 &
p,
obuf + buf_len, cli_id, cli_id_len ) != 0 )
4057 obuf[27] = (
unsigned char)( *olen - 28 );
4059 obuf[14] =
obuf[22] = (
unsigned char)( ( *olen - 25 ) >> 16 );
4060 obuf[15] =
obuf[23] = (
unsigned char)( ( *olen - 25 ) >> 8 );
4061 obuf[16] =
obuf[24] = (
unsigned char)( ( *olen - 25 ) );
4063 obuf[11] = (
unsigned char)( ( *olen - 13 ) >> 8 );
4064 obuf[12] = (
unsigned char)( ( *olen - 13 ) );
4093 ret = ssl_check_dtls_clihlo_cookie(
4094 ssl->
conf->f_cookie_write,
4095 ssl->
conf->f_cookie_check,
4096 ssl->
conf->p_cookie,
4097 ssl->cli_id, ssl->cli_id_len,
4122 if( (
ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
4156 int major_ver, minor_ver;
4165 "version = [%d:%d], msglen = %d",
4167 major_ver, minor_ver, ssl->
in_msglen ) );
4177#if defined(MBEDTLS_SSL_PROTO_DTLS)
4221#if defined(MBEDTLS_SSL_PROTO_DTLS)
4224 unsigned int rec_epoch = ( ssl->
in_ctr[0] << 8 ) | ssl->
in_ctr[1];
4227 if( rec_epoch != ssl->in_epoch )
4230 "expected %d, received %d",
4231 ssl->in_epoch, rec_epoch ) );
4233#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
4248 "from the same port" ) );
4249 return( ssl_handle_possible_reconnect( ssl ) );
4255 if( rec_epoch == (
unsigned int) ssl->in_epoch + 1 )
4265#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4267 if( rec_epoch == ssl->in_epoch &&
4268 mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
4310#if defined(MBEDTLS_SSL_PROTO_SSL3)
4318#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
4319 defined(MBEDTLS_SSL_PROTO_TLS1_2)
4346#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
4347 if( mbedtls_ssl_hw_record_read !=
NULL )
4351 ret = mbedtls_ssl_hw_record_read( ssl );
4364 if( (
ret = ssl_decrypt_buf( ssl ) ) != 0 )
4380#if defined(MBEDTLS_ZLIB_SUPPORT)
4384 if( (
ret = ssl_decompress_buf( ssl ) ) != 0 )
4392#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4395 mbedtls_ssl_dtls_replay_update( ssl );
4418 unsigned update_hs_digest )
4428 ret = ssl_consume_current_message( ssl );
4432 if( ssl_record_is_in_progress( ssl ) == 0 )
4434#if defined(MBEDTLS_SSL_PROTO_DTLS)
4435 int have_buffered = 0;
4440 ssl_next_record_is_in_datagram( ssl ) == 0 )
4442 if( ssl_load_buffered_message( ssl ) == 0 )
4446 if( have_buffered == 0 )
4449 ret = ssl_get_next_record( ssl );
4463#if defined(MBEDTLS_SSL_PROTO_DTLS)
4467 ret = ssl_buffer_message( ssl );
4485 update_hs_digest == 1 )
4501#if defined(MBEDTLS_SSL_PROTO_DTLS)
4504 if( ssl->
in_left > ssl->next_record_offset )
4526 if( !hs->buffering.seen_ccs )
4540 ssl->next_record_offset = 0;
4542 hs->buffering.seen_ccs = 0;
4546#if defined(MBEDTLS_DEBUG_C)
4552 hs_buf = &hs->buffering.hs[
offset];
4553 if( hs_buf->is_valid == 1 )
4557 hs_buf->is_complete ?
"fully" :
"partially" ) );
4565 hs_buf = &hs->buffering.hs[0];
4566 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
4569 size_t msg_len = ( hs_buf->data[1] << 16 ) |
4570 ( hs_buf->data[2] << 8 ) |
4583 hs_buf->data, msg_len + 12 );
4616 ssl_free_buffered_record( ssl );
4620 hs->buffering.total_bytes_buffered ) )
4632 MBEDTLS_SSL_DEBUG_MSG( 2, (
"Free buffering slot %d to make space for reassembly of next handshake message",
4639 hs->buffering.total_bytes_buffered ) )
4664 hs->buffering.seen_ccs = 1;
4669 unsigned recv_msg_seq_offset;
4670 unsigned recv_msg_seq = ( ssl->
in_msg[4] << 8 ) | ssl->
in_msg[5];
4672 size_t msg_len = ssl->
in_hslen - 12;
4676 if( recv_msg_seq < ssl->handshake->in_msg_seq )
4682 recv_msg_seq_offset = recv_msg_seq - ssl->
handshake->in_msg_seq;
4687 (
"Ignore future HS message with sequence number %u, "
4688 "buffering window %u - %u",
4689 recv_msg_seq, ssl->
handshake->in_msg_seq,
4696 recv_msg_seq, recv_msg_seq_offset ) );
4698 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
4701 if( !hs_buf->is_valid )
4703 size_t reassembly_buf_sz;
4705 hs_buf->is_fragmented =
4706 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
4720 if( hs->buffering.total_bytes_buffered >
4727 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
4728 hs_buf->is_fragmented );
4731 hs->buffering.total_bytes_buffered ) )
4733 if( recv_msg_seq_offset > 0 )
4737 MBEDTLS_SSL_DEBUG_MSG( 2, (
"Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
4739 (
unsigned) hs->buffering.total_bytes_buffered ) );
4744 MBEDTLS_SSL_DEBUG_MSG( 2, (
"Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
4746 (
unsigned) hs->buffering.total_bytes_buffered ) );
4749 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
4751 MBEDTLS_SSL_DEBUG_MSG( 2, (
"Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
4753 (
unsigned) reassembly_buf_sz,
4755 (
unsigned) hs->buffering.total_bytes_buffered ) );
4765 if( hs_buf->data ==
NULL )
4770 hs_buf->data_len = reassembly_buf_sz;
4775 memset( hs_buf->data + 6, 0, 3 );
4776 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
4778 hs_buf->is_valid = 1;
4780 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
4793 if( !hs_buf->is_complete )
4795 size_t frag_len, frag_off;
4796 unsigned char *
const msg = hs_buf->data + 12;
4804 frag_off = ssl_get_hs_frag_off( ssl );
4805 frag_len = ssl_get_hs_frag_len( ssl );