ReactOS 0.4.15-dev-7924-g5949c20
ssl_tls.c
Go to the documentation of this file.
1/*
2 * SSLv3/TLSv1 shared functions
3 *
4 * Copyright The Mbed TLS Contributors
5 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
6 *
7 * This file is provided under the Apache License 2.0, or the
8 * GNU General Public License v2.0 or later.
9 *
10 * **********
11 * Apache License 2.0:
12 *
13 * Licensed under the Apache License, Version 2.0 (the "License"); you may
14 * not use this file except in compliance with the License.
15 * You may obtain a copy of the License at
16 *
17 * http://www.apache.org/licenses/LICENSE-2.0
18 *
19 * Unless required by applicable law or agreed to in writing, software
20 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
21 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
22 * See the License for the specific language governing permissions and
23 * limitations under the License.
24 *
25 * **********
26 *
27 * **********
28 * GNU General Public License v2.0 or later:
29 *
30 * This program is free software; you can redistribute it and/or modify
31 * it under the terms of the GNU General Public License as published by
32 * the Free Software Foundation; either version 2 of the License, or
33 * (at your option) any later version.
34 *
35 * This program is distributed in the hope that it will be useful,
36 * but WITHOUT ANY WARRANTY; without even the implied warranty of
37 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
38 * GNU General Public License for more details.
39 *
40 * You should have received a copy of the GNU General Public License along
41 * with this program; if not, write to the Free Software Foundation, Inc.,
42 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
43 *
44 * **********
45 */
46/*
47 * The SSL 3.0 specification was drafted by Netscape in 1996,
48 * and became an IETF standard in 1999.
49 *
50 * http://wp.netscape.com/eng/ssl3/
51 * http://www.ietf.org/rfc/rfc2246.txt
52 * http://www.ietf.org/rfc/rfc4346.txt
53 */
54
55#if !defined(MBEDTLS_CONFIG_FILE)
56#include "mbedtls/config.h"
57#else
58#include MBEDTLS_CONFIG_FILE
59#endif
60
61#if defined(MBEDTLS_SSL_TLS_C)
62
63#if defined(MBEDTLS_PLATFORM_C)
64#include "mbedtls/platform.h"
65#else
66#include <stdlib.h>
67#define mbedtls_calloc calloc
68#define mbedtls_free free
69#endif
70
71#include "mbedtls/debug.h"
72#include "mbedtls/ssl.h"
73#include "mbedtls/ssl_internal.h"
74#include "mbedtls/platform_util.h"
75
76#include <string.h>
77
78#if defined(MBEDTLS_X509_CRT_PARSE_C)
79#include "mbedtls/oid.h"
80#endif
81
82static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
83static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
84
85/* Length of the "epoch" field in the record header */
86static inline size_t ssl_ep_len( const mbedtls_ssl_context *ssl )
87{
88#if defined(MBEDTLS_SSL_PROTO_DTLS)
89 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
90 return( 2 );
91#else
92 ((void) ssl);
93#endif
94 return( 0 );
95}
96
97/*
98 * Start a timer.
99 * Passing millisecs = 0 cancels a running timer.
100 */
101static void ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
102{
103 if( ssl->f_set_timer == NULL )
104 return;
105
106 MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
107 ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
108}
109
110/*
111 * Return -1 is timer is expired, 0 if it isn't.
112 */
113static int ssl_check_timer( mbedtls_ssl_context *ssl )
114{
115 if( ssl->f_get_timer == NULL )
116 return( 0 );
117
118 if( ssl->f_get_timer( ssl->p_timer ) == 2 )
119 {
120 MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
121 return( -1 );
122 }
123
124 return( 0 );
125}
126
127static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
128 mbedtls_ssl_transform *transform );
129static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
130 mbedtls_ssl_transform *transform );
131
132#define SSL_DONT_FORCE_FLUSH 0
133#define SSL_FORCE_FLUSH 1
134
135#if defined(MBEDTLS_SSL_PROTO_DTLS)
136
137/* Forward declarations for functions related to message buffering. */
138static void ssl_buffering_free( mbedtls_ssl_context *ssl );
139static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
140 uint8_t slot );
141static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
142static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
143static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
144static int ssl_buffer_message( mbedtls_ssl_context *ssl );
145static int ssl_buffer_future_record( mbedtls_ssl_context *ssl );
146static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
147
148static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
149static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
150{
151 size_t mtu = ssl_get_current_mtu( ssl );
152
153 if( mtu != 0 && mtu < MBEDTLS_SSL_OUT_BUFFER_LEN )
154 return( mtu );
155
156 return( MBEDTLS_SSL_OUT_BUFFER_LEN );
157}
158
159static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
160{
161 size_t const bytes_written = ssl->out_left;
162 size_t const mtu = ssl_get_maximum_datagram_size( ssl );
163
164 /* Double-check that the write-index hasn't gone
165 * past what we can transmit in a single datagram. */
166 if( bytes_written > mtu )
167 {
168 /* Should never happen... */
169 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
170 }
171
172 return( (int) ( mtu - bytes_written ) );
173}
174
175static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
176{
177 int ret;
178 size_t remaining, expansion;
179 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
180
181#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
182 const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
183
184 if( max_len > mfl )
185 max_len = mfl;
186
187 /* By the standard (RFC 6066 Sect. 4), the MFL extension
188 * only limits the maximum record payload size, so in theory
189 * we would be allowed to pack multiple records of payload size
190 * MFL into a single datagram. However, this would mean that there's
191 * no way to explicitly communicate MTU restrictions to the peer.
192 *
193 * The following reduction of max_len makes sure that we never
194 * write datagrams larger than MFL + Record Expansion Overhead.
195 */
196 if( max_len <= ssl->out_left )
197 return( 0 );
198
199 max_len -= ssl->out_left;
200#endif
201
202 ret = ssl_get_remaining_space_in_datagram( ssl );
203 if( ret < 0 )
204 return( ret );
205 remaining = (size_t) ret;
206
207 ret = mbedtls_ssl_get_record_expansion( ssl );
208 if( ret < 0 )
209 return( ret );
210 expansion = (size_t) ret;
211
212 if( remaining <= expansion )
213 return( 0 );
214
215 remaining -= expansion;
216 if( remaining >= max_len )
217 remaining = max_len;
218
219 return( (int) remaining );
220}
221
222/*
223 * Double the retransmit timeout value, within the allowed range,
224 * returning -1 if the maximum value has already been reached.
225 */
226static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
227{
228 uint32_t new_timeout;
229
230 if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
231 return( -1 );
232
233 /* Implement the final paragraph of RFC 6347 section 4.1.1.1
234 * in the following way: after the initial transmission and a first
235 * retransmission, back off to a temporary estimated MTU of 508 bytes.
236 * This value is guaranteed to be deliverable (if not guaranteed to be
237 * delivered) of any compliant IPv4 (and IPv6) network, and should work
238 * on most non-IP stacks too. */
239 if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
240 {
241 ssl->handshake->mtu = 508;
242 MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
243 }
244
245 new_timeout = 2 * ssl->handshake->retransmit_timeout;
246
247 /* Avoid arithmetic overflow and range overflow */
248 if( new_timeout < ssl->handshake->retransmit_timeout ||
249 new_timeout > ssl->conf->hs_timeout_max )
250 {
251 new_timeout = ssl->conf->hs_timeout_max;
252 }
253
254 ssl->handshake->retransmit_timeout = new_timeout;
255 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
256 ssl->handshake->retransmit_timeout ) );
257
258 return( 0 );
259}
260
261static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
262{
263 ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
264 MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %d millisecs",
265 ssl->handshake->retransmit_timeout ) );
266}
267#endif /* MBEDTLS_SSL_PROTO_DTLS */
268
269#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
270/*
271 * Convert max_fragment_length codes to length.
272 * RFC 6066 says:
273 * enum{
274 * 2^9(1), 2^10(2), 2^11(3), 2^12(4), (255)
275 * } MaxFragmentLength;
276 * and we add 0 -> extension unused
277 */
278static unsigned int ssl_mfl_code_to_length( int mfl )
279{
280 switch( mfl )
281 {
282 case MBEDTLS_SSL_MAX_FRAG_LEN_NONE:
283 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
284 case MBEDTLS_SSL_MAX_FRAG_LEN_512:
285 return 512;
286 case MBEDTLS_SSL_MAX_FRAG_LEN_1024:
287 return 1024;
288 case MBEDTLS_SSL_MAX_FRAG_LEN_2048:
289 return 2048;
290 case MBEDTLS_SSL_MAX_FRAG_LEN_4096:
291 return 4096;
292 default:
293 return ( MBEDTLS_TLS_EXT_ADV_CONTENT_LEN );
294 }
295}
296#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
297
298#if defined(MBEDTLS_SSL_CLI_C)
299static int ssl_session_copy( mbedtls_ssl_session *dst, const mbedtls_ssl_session *src )
300{
301 mbedtls_ssl_session_free( dst );
302 memcpy( dst, src, sizeof( mbedtls_ssl_session ) );
303
304#if defined(MBEDTLS_X509_CRT_PARSE_C)
305 if( src->peer_cert != NULL )
306 {
307 int ret;
308
309 dst->peer_cert = mbedtls_calloc( 1, sizeof(mbedtls_x509_crt) );
310 if( dst->peer_cert == NULL )
311 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
312
313 mbedtls_x509_crt_init( dst->peer_cert );
314
315 if( ( ret = mbedtls_x509_crt_parse_der( dst->peer_cert, src->peer_cert->raw.p,
316 src->peer_cert->raw.len ) ) != 0 )
317 {
318 mbedtls_free( dst->peer_cert );
319 dst->peer_cert = NULL;
320 return( ret );
321 }
322 }
323#endif /* MBEDTLS_X509_CRT_PARSE_C */
324
325#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
326 if( src->ticket != NULL )
327 {
328 dst->ticket = mbedtls_calloc( 1, src->ticket_len );
329 if( dst->ticket == NULL )
330 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
331
332 memcpy( dst->ticket, src->ticket, src->ticket_len );
333 }
334#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
335
336 return( 0 );
337}
338#endif /* MBEDTLS_SSL_CLI_C */
339
340#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
341int (*mbedtls_ssl_hw_record_init)( mbedtls_ssl_context *ssl,
342 const unsigned char *key_enc, const unsigned char *key_dec,
343 size_t keylen,
344 const unsigned char *iv_enc, const unsigned char *iv_dec,
345 size_t ivlen,
346 const unsigned char *mac_enc, const unsigned char *mac_dec,
347 size_t maclen ) = NULL;
348int (*mbedtls_ssl_hw_record_activate)( mbedtls_ssl_context *ssl, int direction) = NULL;
349int (*mbedtls_ssl_hw_record_reset)( mbedtls_ssl_context *ssl ) = NULL;
350int (*mbedtls_ssl_hw_record_write)( mbedtls_ssl_context *ssl ) = NULL;
351int (*mbedtls_ssl_hw_record_read)( mbedtls_ssl_context *ssl ) = NULL;
352int (*mbedtls_ssl_hw_record_finish)( mbedtls_ssl_context *ssl ) = NULL;
353#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
354
355/*
356 * Key material generation
357 */
358#if defined(MBEDTLS_SSL_PROTO_SSL3)
359static int ssl3_prf( const unsigned char *secret, size_t slen,
360 const char *label,
361 const unsigned char *random, size_t rlen,
362 unsigned char *dstbuf, size_t dlen )
363{
364 int ret = 0;
365 size_t i;
366 mbedtls_md5_context md5;
367 mbedtls_sha1_context sha1;
368 unsigned char padding[16];
369 unsigned char sha1sum[20];
370 ((void)label);
371
372 mbedtls_md5_init( &md5 );
373 mbedtls_sha1_init( &sha1 );
374
375 /*
376 * SSLv3:
377 * block =
378 * MD5( secret + SHA1( 'A' + secret + random ) ) +
379 * MD5( secret + SHA1( 'BB' + secret + random ) ) +
380 * MD5( secret + SHA1( 'CCC' + secret + random ) ) +
381 * ...
382 */
383 for( i = 0; i < dlen / 16; i++ )
384 {
385 memset( padding, (unsigned char) ('A' + i), 1 + i );
386
387 if( ( ret = mbedtls_sha1_starts_ret( &sha1 ) ) != 0 )
388 goto exit;
389 if( ( ret = mbedtls_sha1_update_ret( &sha1, padding, 1 + i ) ) != 0 )
390 goto exit;
391 if( ( ret = mbedtls_sha1_update_ret( &sha1, secret, slen ) ) != 0 )
392 goto exit;
393 if( ( ret = mbedtls_sha1_update_ret( &sha1, random, rlen ) ) != 0 )
394 goto exit;
395 if( ( ret = mbedtls_sha1_finish_ret( &sha1, sha1sum ) ) != 0 )
396 goto exit;
397
398 if( ( ret = mbedtls_md5_starts_ret( &md5 ) ) != 0 )
399 goto exit;
400 if( ( ret = mbedtls_md5_update_ret( &md5, secret, slen ) ) != 0 )
401 goto exit;
402 if( ( ret = mbedtls_md5_update_ret( &md5, sha1sum, 20 ) ) != 0 )
403 goto exit;
404 if( ( ret = mbedtls_md5_finish_ret( &md5, dstbuf + i * 16 ) ) != 0 )
405 goto exit;
406 }
407
408exit:
409 mbedtls_md5_free( &md5 );
410 mbedtls_sha1_free( &sha1 );
411
412 mbedtls_platform_zeroize( padding, sizeof( padding ) );
413 mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
414
415 return( ret );
416}
417#endif /* MBEDTLS_SSL_PROTO_SSL3 */
418
419#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
420static int tls1_prf( const unsigned char *secret, size_t slen,
421 const char *label,
422 const unsigned char *random, size_t rlen,
423 unsigned char *dstbuf, size_t dlen )
424{
425 size_t nb, hs;
426 size_t i, j, k;
427 const unsigned char *S1, *S2;
428 unsigned char tmp[128];
429 unsigned char h_i[20];
430 const mbedtls_md_info_t *md_info;
431 mbedtls_md_context_t md_ctx;
432 int ret;
433
434 mbedtls_md_init( &md_ctx );
435
436 if( sizeof( tmp ) < 20 + strlen( label ) + rlen )
437 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
438
439 hs = ( slen + 1 ) / 2;
440 S1 = secret;
441 S2 = secret + slen - hs;
442
443 nb = strlen( label );
444 memcpy( tmp + 20, label, nb );
445 memcpy( tmp + 20 + nb, random, rlen );
446 nb += rlen;
447
448 /*
449 * First compute P_md5(secret,label+random)[0..dlen]
450 */
451 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_MD5 ) ) == NULL )
452 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
453
454 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
455 return( ret );
456
457 mbedtls_md_hmac_starts( &md_ctx, S1, hs );
458 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
459 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
460
461 for( i = 0; i < dlen; i += 16 )
462 {
463 mbedtls_md_hmac_reset ( &md_ctx );
464 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 + nb );
465 mbedtls_md_hmac_finish( &md_ctx, h_i );
466
467 mbedtls_md_hmac_reset ( &md_ctx );
468 mbedtls_md_hmac_update( &md_ctx, 4 + tmp, 16 );
469 mbedtls_md_hmac_finish( &md_ctx, 4 + tmp );
470
471 k = ( i + 16 > dlen ) ? dlen % 16 : 16;
472
473 for( j = 0; j < k; j++ )
474 dstbuf[i + j] = h_i[j];
475 }
476
477 mbedtls_md_free( &md_ctx );
478
479 /*
480 * XOR out with P_sha1(secret,label+random)[0..dlen]
481 */
482 if( ( md_info = mbedtls_md_info_from_type( MBEDTLS_MD_SHA1 ) ) == NULL )
483 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
484
485 if( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
486 return( ret );
487
488 mbedtls_md_hmac_starts( &md_ctx, S2, hs );
489 mbedtls_md_hmac_update( &md_ctx, tmp + 20, nb );
490 mbedtls_md_hmac_finish( &md_ctx, tmp );
491
492 for( i = 0; i < dlen; i += 20 )
493 {
494 mbedtls_md_hmac_reset ( &md_ctx );
495 mbedtls_md_hmac_update( &md_ctx, tmp, 20 + nb );
496 mbedtls_md_hmac_finish( &md_ctx, h_i );
497
498 mbedtls_md_hmac_reset ( &md_ctx );
499 mbedtls_md_hmac_update( &md_ctx, tmp, 20 );
500 mbedtls_md_hmac_finish( &md_ctx, tmp );
501
502 k = ( i + 20 > dlen ) ? dlen % 20 : 20;
503
504 for( j = 0; j < k; j++ )
505 dstbuf[i + j] = (unsigned char)( dstbuf[i + j] ^ h_i[j] );
506 }
507
508 mbedtls_md_free( &md_ctx );
509
510 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
511 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
512
513 return( 0 );
514}
515#endif /* MBEDTLS_SSL_PROTO_TLS1) || MBEDTLS_SSL_PROTO_TLS1_1 */
516
517#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
518static int tls_prf_generic( mbedtls_md_type_t md_type,
519 const unsigned char *secret, size_t slen,
520 const char *label,
521 const unsigned char *random, size_t rlen,
522 unsigned char *dstbuf, size_t dlen )
523{
524 size_t nb;
525 size_t i, j, k, md_len;
526 unsigned char tmp[128];
527 unsigned char h_i[MBEDTLS_MD_MAX_SIZE];
528 const mbedtls_md_info_t *md_info;
529 mbedtls_md_context_t md_ctx;
530 int ret;
531
532 mbedtls_md_init( &md_ctx );
533
534 if( ( md_info = mbedtls_md_info_from_type( md_type ) ) == NULL )
535 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
536
537 md_len = mbedtls_md_get_size( md_info );
538
539 if( sizeof( tmp ) < md_len + strlen( label ) + rlen )
540 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
541
542 nb = strlen( label );
543 memcpy( tmp + md_len, label, nb );
544 memcpy( tmp + md_len + nb, random, rlen );
545 nb += rlen;
546
547 /*
548 * Compute P_<hash>(secret, label + random)[0..dlen]
549 */
550 if ( ( ret = mbedtls_md_setup( &md_ctx, md_info, 1 ) ) != 0 )
551 return( ret );
552
553 mbedtls_md_hmac_starts( &md_ctx, secret, slen );
554 mbedtls_md_hmac_update( &md_ctx, tmp + md_len, nb );
555 mbedtls_md_hmac_finish( &md_ctx, tmp );
556
557 for( i = 0; i < dlen; i += md_len )
558 {
559 mbedtls_md_hmac_reset ( &md_ctx );
560 mbedtls_md_hmac_update( &md_ctx, tmp, md_len + nb );
561 mbedtls_md_hmac_finish( &md_ctx, h_i );
562
563 mbedtls_md_hmac_reset ( &md_ctx );
564 mbedtls_md_hmac_update( &md_ctx, tmp, md_len );
565 mbedtls_md_hmac_finish( &md_ctx, tmp );
566
567 k = ( i + md_len > dlen ) ? dlen % md_len : md_len;
568
569 for( j = 0; j < k; j++ )
570 dstbuf[i + j] = h_i[j];
571 }
572
573 mbedtls_md_free( &md_ctx );
574
575 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
576 mbedtls_platform_zeroize( h_i, sizeof( h_i ) );
577
578 return( 0 );
579}
580
581#if defined(MBEDTLS_SHA256_C)
582static int tls_prf_sha256( const unsigned char *secret, size_t slen,
583 const char *label,
584 const unsigned char *random, size_t rlen,
585 unsigned char *dstbuf, size_t dlen )
586{
587 return( tls_prf_generic( MBEDTLS_MD_SHA256, secret, slen,
588 label, random, rlen, dstbuf, dlen ) );
589}
590#endif /* MBEDTLS_SHA256_C */
591
592#if defined(MBEDTLS_SHA512_C)
593static int tls_prf_sha384( const unsigned char *secret, size_t slen,
594 const char *label,
595 const unsigned char *random, size_t rlen,
596 unsigned char *dstbuf, size_t dlen )
597{
598 return( tls_prf_generic( MBEDTLS_MD_SHA384, secret, slen,
599 label, random, rlen, dstbuf, dlen ) );
600}
601#endif /* MBEDTLS_SHA512_C */
602#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
603
604static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
605
606#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
607 defined(MBEDTLS_SSL_PROTO_TLS1_1)
608static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *, const unsigned char *, size_t );
609#endif
610
611#if defined(MBEDTLS_SSL_PROTO_SSL3)
612static void ssl_calc_verify_ssl( mbedtls_ssl_context *, unsigned char * );
613static void ssl_calc_finished_ssl( mbedtls_ssl_context *, unsigned char *, int );
614#endif
615
616#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
617static void ssl_calc_verify_tls( mbedtls_ssl_context *, unsigned char * );
618static void ssl_calc_finished_tls( mbedtls_ssl_context *, unsigned char *, int );
619#endif
620
621#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
622#if defined(MBEDTLS_SHA256_C)
623static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
624static void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *, unsigned char * );
625static void ssl_calc_finished_tls_sha256( mbedtls_ssl_context *,unsigned char *, int );
626#endif
627
628#if defined(MBEDTLS_SHA512_C)
629static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned char *, size_t );
630static void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *, unsigned char * );
631static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
632#endif
633#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
634
635int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
636{
637 int ret = 0;
638 unsigned char tmp[64];
639 unsigned char keyblk[256];
640 unsigned char *key1;
641 unsigned char *key2;
642 unsigned char *mac_enc;
643 unsigned char *mac_dec;
644 size_t mac_key_len;
645 size_t iv_copy_len;
646 const mbedtls_cipher_info_t *cipher_info;
647 const mbedtls_md_info_t *md_info;
648
649 mbedtls_ssl_session *session = ssl->session_negotiate;
650 mbedtls_ssl_transform *transform = ssl->transform_negotiate;
651 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
652
653 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
654
655 cipher_info = mbedtls_cipher_info_from_type( transform->ciphersuite_info->cipher );
656 if( cipher_info == NULL )
657 {
658 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
659 transform->ciphersuite_info->cipher ) );
660 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
661 }
662
663 md_info = mbedtls_md_info_from_type( transform->ciphersuite_info->mac );
664 if( md_info == NULL )
665 {
666 MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
667 transform->ciphersuite_info->mac ) );
668 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
669 }
670
671 /*
672 * Set appropriate PRF function and other SSL / TLS / TLS1.2 functions
673 */
674#if defined(MBEDTLS_SSL_PROTO_SSL3)
675 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
676 {
677 handshake->tls_prf = ssl3_prf;
678 handshake->calc_verify = ssl_calc_verify_ssl;
679 handshake->calc_finished = ssl_calc_finished_ssl;
680 }
681 else
682#endif
683#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
684 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
685 {
686 handshake->tls_prf = tls1_prf;
687 handshake->calc_verify = ssl_calc_verify_tls;
688 handshake->calc_finished = ssl_calc_finished_tls;
689 }
690 else
691#endif
692#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
693#if defined(MBEDTLS_SHA512_C)
694 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
695 transform->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
696 {
697 handshake->tls_prf = tls_prf_sha384;
698 handshake->calc_verify = ssl_calc_verify_tls_sha384;
699 handshake->calc_finished = ssl_calc_finished_tls_sha384;
700 }
701 else
702#endif
703#if defined(MBEDTLS_SHA256_C)
704 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
705 {
706 handshake->tls_prf = tls_prf_sha256;
707 handshake->calc_verify = ssl_calc_verify_tls_sha256;
708 handshake->calc_finished = ssl_calc_finished_tls_sha256;
709 }
710 else
711#endif
712#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
713 {
714 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
715 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
716 }
717
718 /*
719 * SSLv3:
720 * master =
721 * MD5( premaster + SHA1( 'A' + premaster + randbytes ) ) +
722 * MD5( premaster + SHA1( 'BB' + premaster + randbytes ) ) +
723 * MD5( premaster + SHA1( 'CCC' + premaster + randbytes ) )
724 *
725 * TLSv1+:
726 * master = PRF( premaster, "master secret", randbytes )[0..47]
727 */
728 if( handshake->resume == 0 )
729 {
730 MBEDTLS_SSL_DEBUG_BUF( 3, "premaster secret", handshake->premaster,
731 handshake->pmslen );
732
733#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
734 if( ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED )
735 {
736 unsigned char session_hash[48];
737 size_t hash_len;
738
739 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using extended master secret" ) );
740
741 ssl->handshake->calc_verify( ssl, session_hash );
742
743#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
744 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
745 {
746#if defined(MBEDTLS_SHA512_C)
747 if( ssl->transform_negotiate->ciphersuite_info->mac ==
748 MBEDTLS_MD_SHA384 )
749 {
750 hash_len = 48;
751 }
752 else
753#endif
754 hash_len = 32;
755 }
756 else
757#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
758 hash_len = 36;
759
760 MBEDTLS_SSL_DEBUG_BUF( 3, "session hash", session_hash, hash_len );
761
762 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
763 "extended master secret",
764 session_hash, hash_len,
765 session->master, 48 );
766 if( ret != 0 )
767 {
768 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
769 return( ret );
770 }
771
772 }
773 else
774#endif
775 ret = handshake->tls_prf( handshake->premaster, handshake->pmslen,
776 "master secret",
777 handshake->randbytes, 64,
778 session->master, 48 );
779 if( ret != 0 )
780 {
781 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
782 return( ret );
783 }
784
785 mbedtls_platform_zeroize( handshake->premaster,
786 sizeof(handshake->premaster) );
787 }
788 else
789 MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
790
791 /*
792 * Swap the client and server random values.
793 */
794 memcpy( tmp, handshake->randbytes, 64 );
795 memcpy( handshake->randbytes, tmp + 32, 32 );
796 memcpy( handshake->randbytes + 32, tmp, 32 );
797 mbedtls_platform_zeroize( tmp, sizeof( tmp ) );
798
799 /*
800 * SSLv3:
801 * key block =
802 * MD5( master + SHA1( 'A' + master + randbytes ) ) +
803 * MD5( master + SHA1( 'BB' + master + randbytes ) ) +
804 * MD5( master + SHA1( 'CCC' + master + randbytes ) ) +
805 * MD5( master + SHA1( 'DDDD' + master + randbytes ) ) +
806 * ...
807 *
808 * TLSv1:
809 * key block = PRF( master, "key expansion", randbytes )
810 */
811 ret = handshake->tls_prf( session->master, 48, "key expansion",
812 handshake->randbytes, 64, keyblk, 256 );
813 if( ret != 0 )
814 {
815 MBEDTLS_SSL_DEBUG_RET( 1, "prf", ret );
816 return( ret );
817 }
818
819 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite = %s",
820 mbedtls_ssl_get_ciphersuite_name( session->ciphersuite ) ) );
821 MBEDTLS_SSL_DEBUG_BUF( 3, "master secret", session->master, 48 );
822 MBEDTLS_SSL_DEBUG_BUF( 4, "random bytes", handshake->randbytes, 64 );
823 MBEDTLS_SSL_DEBUG_BUF( 4, "key block", keyblk, 256 );
824
825 mbedtls_platform_zeroize( handshake->randbytes,
826 sizeof( handshake->randbytes ) );
827
828 /*
829 * Determine the appropriate key, IV and MAC length.
830 */
831
832 transform->keylen = cipher_info->key_bitlen / 8;
833
834 if( cipher_info->mode == MBEDTLS_MODE_GCM ||
835 cipher_info->mode == MBEDTLS_MODE_CCM ||
836 cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
837 {
838 size_t taglen, explicit_ivlen;
839
840 transform->maclen = 0;
841 mac_key_len = 0;
842
843 /* All modes haves 96-bit IVs;
844 * GCM and CCM has 4 implicit and 8 explicit bytes
845 * ChachaPoly has all 12 bytes implicit
846 */
847 transform->ivlen = 12;
848 if( cipher_info->mode == MBEDTLS_MODE_CHACHAPOLY )
849 transform->fixed_ivlen = 12;
850 else
851 transform->fixed_ivlen = 4;
852
853 /* All modes have 128-bit tags, except CCM_8 (ciphersuite flag) */
854 taglen = transform->ciphersuite_info->flags &
855 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
856
857
858 /* Minimum length of encrypted record */
859 explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
860 transform->minlen = explicit_ivlen + taglen;
861 }
862 else
863 {
864 /* Initialize HMAC contexts */
865 if( ( ret = mbedtls_md_setup( &transform->md_ctx_enc, md_info, 1 ) ) != 0 ||
866 ( ret = mbedtls_md_setup( &transform->md_ctx_dec, md_info, 1 ) ) != 0 )
867 {
868 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
869 return( ret );
870 }
871
872 /* Get MAC length */
873 mac_key_len = mbedtls_md_get_size( md_info );
874 transform->maclen = mac_key_len;
875
876#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
877 /*
878 * If HMAC is to be truncated, we shall keep the leftmost bytes,
879 * (rfc 6066 page 13 or rfc 2104 section 4),
880 * so we only need to adjust the length here.
881 */
882 if( session->trunc_hmac == MBEDTLS_SSL_TRUNC_HMAC_ENABLED )
883 {
884 transform->maclen = MBEDTLS_SSL_TRUNCATED_HMAC_LEN;
885
886#if defined(MBEDTLS_SSL_TRUNCATED_HMAC_COMPAT)
887 /* Fall back to old, non-compliant version of the truncated
888 * HMAC implementation which also truncates the key
889 * (Mbed TLS versions from 1.3 to 2.6.0) */
890 mac_key_len = transform->maclen;
891#endif
892 }
893#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
894
895 /* IV length */
896 transform->ivlen = cipher_info->iv_size;
897
898 /* Minimum length */
899 if( cipher_info->mode == MBEDTLS_MODE_STREAM )
900 transform->minlen = transform->maclen;
901 else
902 {
903 /*
904 * GenericBlockCipher:
905 * 1. if EtM is in use: one block plus MAC
906 * otherwise: * first multiple of blocklen greater than maclen
907 * 2. IV except for SSL3 and TLS 1.0
908 */
909#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
910 if( session->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
911 {
912 transform->minlen = transform->maclen
913 + cipher_info->block_size;
914 }
915 else
916#endif
917 {
918 transform->minlen = transform->maclen
919 + cipher_info->block_size
920 - transform->maclen % cipher_info->block_size;
921 }
922
923#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
924 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
925 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_1 )
926 ; /* No need to adjust minlen */
927 else
928#endif
929#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
930 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_2 ||
931 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
932 {
933 transform->minlen += transform->ivlen;
934 }
935 else
936#endif
937 {
938 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
939 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
940 }
941 }
942 }
943
944 MBEDTLS_SSL_DEBUG_MSG( 3, ( "keylen: %d, minlen: %d, ivlen: %d, maclen: %d",
945 transform->keylen, transform->minlen, transform->ivlen,
946 transform->maclen ) );
947
948 /*
949 * Finally setup the cipher contexts, IVs and MAC secrets.
950 */
951#if defined(MBEDTLS_SSL_CLI_C)
952 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
953 {
954 key1 = keyblk + mac_key_len * 2;
955 key2 = keyblk + mac_key_len * 2 + transform->keylen;
956
957 mac_enc = keyblk;
958 mac_dec = keyblk + mac_key_len;
959
960 /*
961 * This is not used in TLS v1.1.
962 */
963 iv_copy_len = ( transform->fixed_ivlen ) ?
964 transform->fixed_ivlen : transform->ivlen;
965 memcpy( transform->iv_enc, key2 + transform->keylen, iv_copy_len );
966 memcpy( transform->iv_dec, key2 + transform->keylen + iv_copy_len,
967 iv_copy_len );
968 }
969 else
970#endif /* MBEDTLS_SSL_CLI_C */
971#if defined(MBEDTLS_SSL_SRV_C)
972 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
973 {
974 key1 = keyblk + mac_key_len * 2 + transform->keylen;
975 key2 = keyblk + mac_key_len * 2;
976
977 mac_enc = keyblk + mac_key_len;
978 mac_dec = keyblk;
979
980 /*
981 * This is not used in TLS v1.1.
982 */
983 iv_copy_len = ( transform->fixed_ivlen ) ?
984 transform->fixed_ivlen : transform->ivlen;
985 memcpy( transform->iv_dec, key1 + transform->keylen, iv_copy_len );
986 memcpy( transform->iv_enc, key1 + transform->keylen + iv_copy_len,
987 iv_copy_len );
988 }
989 else
990#endif /* MBEDTLS_SSL_SRV_C */
991 {
992 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
993 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
994 }
995
996#if defined(MBEDTLS_SSL_PROTO_SSL3)
997 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
998 {
999 if( mac_key_len > sizeof transform->mac_enc )
1000 {
1001 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1002 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1003 }
1004
1005 memcpy( transform->mac_enc, mac_enc, mac_key_len );
1006 memcpy( transform->mac_dec, mac_dec, mac_key_len );
1007 }
1008 else
1009#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1010#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1011 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1012 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
1013 {
1014 /* For HMAC-based ciphersuites, initialize the HMAC transforms.
1015 For AEAD-based ciphersuites, there is nothing to do here. */
1016 if( mac_key_len != 0 )
1017 {
1018 mbedtls_md_hmac_starts( &transform->md_ctx_enc, mac_enc, mac_key_len );
1019 mbedtls_md_hmac_starts( &transform->md_ctx_dec, mac_dec, mac_key_len );
1020 }
1021 }
1022 else
1023#endif
1024 {
1025 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1026 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1027 }
1028
1029#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
1030 if( mbedtls_ssl_hw_record_init != NULL )
1031 {
1032 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_init()" ) );
1033
1034 if( ( ret = mbedtls_ssl_hw_record_init( ssl, key1, key2, transform->keylen,
1035 transform->iv_enc, transform->iv_dec,
1036 iv_copy_len,
1037 mac_enc, mac_dec,
1038 mac_key_len ) ) != 0 )
1039 {
1040 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_init", ret );
1041 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
1042 }
1043 }
1044#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
1045
1046#if defined(MBEDTLS_SSL_EXPORT_KEYS)
1047 if( ssl->conf->f_export_keys != NULL )
1048 {
1049 ssl->conf->f_export_keys( ssl->conf->p_export_keys,
1050 session->master, keyblk,
1051 mac_key_len, transform->keylen,
1052 iv_copy_len );
1053 }
1054#endif
1055
1056 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_enc,
1057 cipher_info ) ) != 0 )
1058 {
1059 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
1060 return( ret );
1061 }
1062
1063 if( ( ret = mbedtls_cipher_setup( &transform->cipher_ctx_dec,
1064 cipher_info ) ) != 0 )
1065 {
1066 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setup", ret );
1067 return( ret );
1068 }
1069
1070 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_enc, key1,
1071 cipher_info->key_bitlen,
1072 MBEDTLS_ENCRYPT ) ) != 0 )
1073 {
1074 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
1075 return( ret );
1076 }
1077
1078 if( ( ret = mbedtls_cipher_setkey( &transform->cipher_ctx_dec, key2,
1079 cipher_info->key_bitlen,
1080 MBEDTLS_DECRYPT ) ) != 0 )
1081 {
1082 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_setkey", ret );
1083 return( ret );
1084 }
1085
1086#if defined(MBEDTLS_CIPHER_MODE_CBC)
1087 if( cipher_info->mode == MBEDTLS_MODE_CBC )
1088 {
1089 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_enc,
1090 MBEDTLS_PADDING_NONE ) ) != 0 )
1091 {
1092 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
1093 return( ret );
1094 }
1095
1096 if( ( ret = mbedtls_cipher_set_padding_mode( &transform->cipher_ctx_dec,
1097 MBEDTLS_PADDING_NONE ) ) != 0 )
1098 {
1099 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_set_padding_mode", ret );
1100 return( ret );
1101 }
1102 }
1103#endif /* MBEDTLS_CIPHER_MODE_CBC */
1104
1105 mbedtls_platform_zeroize( keyblk, sizeof( keyblk ) );
1106
1107#if defined(MBEDTLS_ZLIB_SUPPORT)
1108 // Initialize compression
1109 //
1110 if( session->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
1111 {
1112 if( ssl->compress_buf == NULL )
1113 {
1114 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Allocating compression buffer" ) );
1115 ssl->compress_buf = mbedtls_calloc( 1, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
1116 if( ssl->compress_buf == NULL )
1117 {
1118 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
1119 MBEDTLS_SSL_COMPRESS_BUFFER_LEN ) );
1120 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
1121 }
1122 }
1123
1124 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Initializing zlib states" ) );
1125
1126 memset( &transform->ctx_deflate, 0, sizeof( transform->ctx_deflate ) );
1127 memset( &transform->ctx_inflate, 0, sizeof( transform->ctx_inflate ) );
1128
1129 if( deflateInit( &transform->ctx_deflate,
1130 Z_DEFAULT_COMPRESSION ) != Z_OK ||
1131 inflateInit( &transform->ctx_inflate ) != Z_OK )
1132 {
1133 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Failed to initialize compression" ) );
1134 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
1135 }
1136 }
1137#endif /* MBEDTLS_ZLIB_SUPPORT */
1138
1139 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= derive keys" ) );
1140
1141 return( 0 );
1142}
1143
1144#if defined(MBEDTLS_SSL_PROTO_SSL3)
1145void ssl_calc_verify_ssl( mbedtls_ssl_context *ssl, unsigned char *hash )
1146{
1147 mbedtls_md5_context md5;
1148 mbedtls_sha1_context sha1;
1149 unsigned char pad_1[48];
1150 unsigned char pad_2[48];
1151
1152 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify ssl" ) );
1153
1154 mbedtls_md5_init( &md5 );
1155 mbedtls_sha1_init( &sha1 );
1156
1157 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
1158 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
1159
1160 memset( pad_1, 0x36, 48 );
1161 memset( pad_2, 0x5C, 48 );
1162
1163 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
1164 mbedtls_md5_update_ret( &md5, pad_1, 48 );
1165 mbedtls_md5_finish_ret( &md5, hash );
1166
1167 mbedtls_md5_starts_ret( &md5 );
1168 mbedtls_md5_update_ret( &md5, ssl->session_negotiate->master, 48 );
1169 mbedtls_md5_update_ret( &md5, pad_2, 48 );
1170 mbedtls_md5_update_ret( &md5, hash, 16 );
1171 mbedtls_md5_finish_ret( &md5, hash );
1172
1173 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
1174 mbedtls_sha1_update_ret( &sha1, pad_1, 40 );
1175 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
1176
1177 mbedtls_sha1_starts_ret( &sha1 );
1178 mbedtls_sha1_update_ret( &sha1, ssl->session_negotiate->master, 48 );
1179 mbedtls_sha1_update_ret( &sha1, pad_2, 40 );
1180 mbedtls_sha1_update_ret( &sha1, hash + 16, 20 );
1181 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
1182
1183 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
1184 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1185
1186 mbedtls_md5_free( &md5 );
1187 mbedtls_sha1_free( &sha1 );
1188
1189 return;
1190}
1191#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1192
1193#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
1194void ssl_calc_verify_tls( mbedtls_ssl_context *ssl, unsigned char *hash )
1195{
1196 mbedtls_md5_context md5;
1197 mbedtls_sha1_context sha1;
1198
1199 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify tls" ) );
1200
1201 mbedtls_md5_init( &md5 );
1202 mbedtls_sha1_init( &sha1 );
1203
1204 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
1205 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
1206
1207 mbedtls_md5_finish_ret( &md5, hash );
1208 mbedtls_sha1_finish_ret( &sha1, hash + 16 );
1209
1210 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 36 );
1211 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1212
1213 mbedtls_md5_free( &md5 );
1214 mbedtls_sha1_free( &sha1 );
1215
1216 return;
1217}
1218#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
1219
1220#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1221#if defined(MBEDTLS_SHA256_C)
1222void ssl_calc_verify_tls_sha256( mbedtls_ssl_context *ssl, unsigned char *hash )
1223{
1224 mbedtls_sha256_context sha256;
1225
1226 mbedtls_sha256_init( &sha256 );
1227
1228 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha256" ) );
1229
1230 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
1231 mbedtls_sha256_finish_ret( &sha256, hash );
1232
1233 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 32 );
1234 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1235
1236 mbedtls_sha256_free( &sha256 );
1237
1238 return;
1239}
1240#endif /* MBEDTLS_SHA256_C */
1241
1242#if defined(MBEDTLS_SHA512_C)
1243void ssl_calc_verify_tls_sha384( mbedtls_ssl_context *ssl, unsigned char *hash )
1244{
1245 mbedtls_sha512_context sha512;
1246
1247 mbedtls_sha512_init( &sha512 );
1248
1249 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc verify sha384" ) );
1250
1251 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
1252 mbedtls_sha512_finish_ret( &sha512, hash );
1253
1254 MBEDTLS_SSL_DEBUG_BUF( 3, "calculated verify result", hash, 48 );
1255 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc verify" ) );
1256
1257 mbedtls_sha512_free( &sha512 );
1258
1259 return;
1260}
1261#endif /* MBEDTLS_SHA512_C */
1262#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1263
1264#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
1265int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
1266{
1267 unsigned char *p = ssl->handshake->premaster;
1268 unsigned char *end = p + sizeof( ssl->handshake->premaster );
1269 const unsigned char *psk = ssl->conf->psk;
1270 size_t psk_len = ssl->conf->psk_len;
1271
1272 /* If the psk callback was called, use its result */
1273 if( ssl->handshake->psk != NULL )
1274 {
1275 psk = ssl->handshake->psk;
1276 psk_len = ssl->handshake->psk_len;
1277 }
1278
1279 /*
1280 * PMS = struct {
1281 * opaque other_secret<0..2^16-1>;
1282 * opaque psk<0..2^16-1>;
1283 * };
1284 * with "other_secret" depending on the particular key exchange
1285 */
1286#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
1287 if( key_ex == MBEDTLS_KEY_EXCHANGE_PSK )
1288 {
1289 if( end - p < 2 )
1290 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1291
1292 *(p++) = (unsigned char)( psk_len >> 8 );
1293 *(p++) = (unsigned char)( psk_len );
1294
1295 if( end < p || (size_t)( end - p ) < psk_len )
1296 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1297
1298 memset( p, 0, psk_len );
1299 p += psk_len;
1300 }
1301 else
1302#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
1303#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
1304 if( key_ex == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
1305 {
1306 /*
1307 * other_secret already set by the ClientKeyExchange message,
1308 * and is 48 bytes long
1309 */
1310 if( end - p < 2 )
1311 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1312
1313 *p++ = 0;
1314 *p++ = 48;
1315 p += 48;
1316 }
1317 else
1318#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
1319#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
1320 if( key_ex == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
1321 {
1322 int ret;
1323 size_t len;
1324
1325 /* Write length only when we know the actual value */
1326 if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx,
1327 p + 2, end - ( p + 2 ), &len,
1328 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
1329 {
1330 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret );
1331 return( ret );
1332 }
1333 *(p++) = (unsigned char)( len >> 8 );
1334 *(p++) = (unsigned char)( len );
1335 p += len;
1336
1337 MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K );
1338 }
1339 else
1340#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
1341#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
1342 if( key_ex == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
1343 {
1344 int ret;
1345 size_t zlen;
1346
1347 if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, &zlen,
1348 p + 2, end - ( p + 2 ),
1349 ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
1350 {
1351 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret );
1352 return( ret );
1353 }
1354
1355 *(p++) = (unsigned char)( zlen >> 8 );
1356 *(p++) = (unsigned char)( zlen );
1357 p += zlen;
1358
1359 MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
1360 MBEDTLS_DEBUG_ECDH_Z );
1361 }
1362 else
1363#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
1364 {
1365 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1366 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1367 }
1368
1369 /* opaque psk<0..2^16-1>; */
1370 if( end - p < 2 )
1371 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1372
1373 *(p++) = (unsigned char)( psk_len >> 8 );
1374 *(p++) = (unsigned char)( psk_len );
1375
1376 if( end < p || (size_t)( end - p ) < psk_len )
1377 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1378
1379 memcpy( p, psk, psk_len );
1380 p += psk_len;
1381
1382 ssl->handshake->pmslen = p - ssl->handshake->premaster;
1383
1384 return( 0 );
1385}
1386#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
1387
1388#if defined(MBEDTLS_SSL_PROTO_SSL3)
1389/*
1390 * SSLv3.0 MAC functions
1391 */
1392#define SSL_MAC_MAX_BYTES 20 /* MD-5 or SHA-1 */
1393static void ssl_mac( mbedtls_md_context_t *md_ctx,
1394 const unsigned char *secret,
1395 const unsigned char *buf, size_t len,
1396 const unsigned char *ctr, int type,
1397 unsigned char out[SSL_MAC_MAX_BYTES] )
1398{
1399 unsigned char header[11];
1400 unsigned char padding[48];
1401 int padlen;
1402 int md_size = mbedtls_md_get_size( md_ctx->md_info );
1403 int md_type = mbedtls_md_get_type( md_ctx->md_info );
1404
1405 /* Only MD5 and SHA-1 supported */
1406 if( md_type == MBEDTLS_MD_MD5 )
1407 padlen = 48;
1408 else
1409 padlen = 40;
1410
1411 memcpy( header, ctr, 8 );
1412 header[ 8] = (unsigned char) type;
1413 header[ 9] = (unsigned char)( len >> 8 );
1414 header[10] = (unsigned char)( len );
1415
1416 memset( padding, 0x36, padlen );
1417 mbedtls_md_starts( md_ctx );
1418 mbedtls_md_update( md_ctx, secret, md_size );
1419 mbedtls_md_update( md_ctx, padding, padlen );
1420 mbedtls_md_update( md_ctx, header, 11 );
1421 mbedtls_md_update( md_ctx, buf, len );
1422 mbedtls_md_finish( md_ctx, out );
1423
1424 memset( padding, 0x5C, padlen );
1425 mbedtls_md_starts( md_ctx );
1426 mbedtls_md_update( md_ctx, secret, md_size );
1427 mbedtls_md_update( md_ctx, padding, padlen );
1428 mbedtls_md_update( md_ctx, out, md_size );
1429 mbedtls_md_finish( md_ctx, out );
1430}
1431#endif /* MBEDTLS_SSL_PROTO_SSL3 */
1432
1433#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
1434 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
1435#define SSL_SOME_MODES_USE_MAC
1436#endif
1437
1438/*
1439 * Encryption/decryption functions
1440 */
1441static int ssl_encrypt_buf( mbedtls_ssl_context *ssl )
1442{
1443 mbedtls_cipher_mode_t mode;
1444 int auth_done = 0;
1445
1446 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
1447
1448 if( ssl->session_out == NULL || ssl->transform_out == NULL )
1449 {
1450 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1451 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1452 }
1453
1454 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc );
1455
1456 MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
1457 ssl->out_msg, ssl->out_msglen );
1458
1459 /*
1460 * Add MAC before if needed
1461 */
1462#if defined(SSL_SOME_MODES_USE_MAC)
1463 if( mode == MBEDTLS_MODE_STREAM ||
1464 ( mode == MBEDTLS_MODE_CBC
1465#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1466 && ssl->session_out->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
1467#endif
1468 ) )
1469 {
1470#if defined(MBEDTLS_SSL_PROTO_SSL3)
1471 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
1472 {
1473 unsigned char mac[SSL_MAC_MAX_BYTES];
1474
1475 ssl_mac( &ssl->transform_out->md_ctx_enc,
1476 ssl->transform_out->mac_enc,
1477 ssl->out_msg, ssl->out_msglen,
1478 ssl->out_ctr, ssl->out_msgtype,
1479 mac );
1480
1481 memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
1482 }
1483 else
1484#endif
1485#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1486 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1487 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
1488 {
1489 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
1490
1491 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_ctr, 8 );
1492 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_hdr, 3 );
1493 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, ssl->out_len, 2 );
1494 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
1495 ssl->out_msg, ssl->out_msglen );
1496 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
1497 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
1498
1499 memcpy( ssl->out_msg + ssl->out_msglen, mac, ssl->transform_out->maclen );
1500 }
1501 else
1502#endif
1503 {
1504 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1505 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1506 }
1507
1508 MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac",
1509 ssl->out_msg + ssl->out_msglen,
1510 ssl->transform_out->maclen );
1511
1512 ssl->out_msglen += ssl->transform_out->maclen;
1513 auth_done++;
1514 }
1515#endif /* AEAD not the only option */
1516
1517 /*
1518 * Encrypt
1519 */
1520#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1521 if( mode == MBEDTLS_MODE_STREAM )
1522 {
1523 int ret;
1524 size_t olen = 0;
1525
1526 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1527 "including %d bytes of padding",
1528 ssl->out_msglen, 0 ) );
1529
1530 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
1531 ssl->transform_out->iv_enc,
1532 ssl->transform_out->ivlen,
1533 ssl->out_msg, ssl->out_msglen,
1534 ssl->out_msg, &olen ) ) != 0 )
1535 {
1536 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1537 return( ret );
1538 }
1539
1540 if( ssl->out_msglen != olen )
1541 {
1542 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1543 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1544 }
1545 }
1546 else
1547#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
1548#if defined(MBEDTLS_GCM_C) || \
1549 defined(MBEDTLS_CCM_C) || \
1550 defined(MBEDTLS_CHACHAPOLY_C)
1551 if( mode == MBEDTLS_MODE_GCM ||
1552 mode == MBEDTLS_MODE_CCM ||
1553 mode == MBEDTLS_MODE_CHACHAPOLY )
1554 {
1555 int ret;
1556 size_t enc_msglen, olen;
1557 unsigned char *enc_msg;
1558 unsigned char add_data[13];
1559 unsigned char iv[12];
1560 mbedtls_ssl_transform *transform = ssl->transform_out;
1561 unsigned char taglen = transform->ciphersuite_info->flags &
1562 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
1563 size_t explicit_ivlen = transform->ivlen - transform->fixed_ivlen;
1564
1565 /*
1566 * Prepare additional authenticated data
1567 */
1568 memcpy( add_data, ssl->out_ctr, 8 );
1569 add_data[8] = ssl->out_msgtype;
1570 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
1571 ssl->conf->transport, add_data + 9 );
1572 add_data[11] = ( ssl->out_msglen >> 8 ) & 0xFF;
1573 add_data[12] = ssl->out_msglen & 0xFF;
1574
1575 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
1576
1577 /*
1578 * Generate IV
1579 */
1580 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
1581 {
1582 /* GCM and CCM: fixed || explicit (=seqnum) */
1583 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
1584 memcpy( iv + transform->fixed_ivlen, ssl->out_ctr, 8 );
1585 memcpy( ssl->out_iv, ssl->out_ctr, 8 );
1586
1587 }
1588 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
1589 {
1590 /* ChachaPoly: fixed XOR sequence number */
1591 unsigned char i;
1592
1593 memcpy( iv, transform->iv_enc, transform->fixed_ivlen );
1594
1595 for( i = 0; i < 8; i++ )
1596 iv[i+4] ^= ssl->out_ctr[i];
1597 }
1598 else
1599 {
1600 /* Reminder if we ever add an AEAD mode with a different size */
1601 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1602 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1603 }
1604
1605 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
1606 iv, transform->ivlen );
1607 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
1608 ssl->out_iv, explicit_ivlen );
1609
1610 /*
1611 * Fix message length with added IV
1612 */
1613 enc_msg = ssl->out_msg;
1614 enc_msglen = ssl->out_msglen;
1615 ssl->out_msglen += explicit_ivlen;
1616
1617 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1618 "including 0 bytes of padding",
1619 ssl->out_msglen ) );
1620
1621 /*
1622 * Encrypt and authenticate
1623 */
1624 if( ( ret = mbedtls_cipher_auth_encrypt( &transform->cipher_ctx_enc,
1625 iv, transform->ivlen,
1626 add_data, 13,
1627 enc_msg, enc_msglen,
1628 enc_msg, &olen,
1629 enc_msg + enc_msglen, taglen ) ) != 0 )
1630 {
1631 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt", ret );
1632 return( ret );
1633 }
1634
1635 if( olen != enc_msglen )
1636 {
1637 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1638 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1639 }
1640
1641 ssl->out_msglen += taglen;
1642 auth_done++;
1643
1644 MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag", enc_msg + enc_msglen, taglen );
1645 }
1646 else
1647#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1648#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
1649 if( mode == MBEDTLS_MODE_CBC )
1650 {
1651 int ret;
1652 unsigned char *enc_msg;
1653 size_t enc_msglen, padlen, olen = 0, i;
1654
1655 padlen = ssl->transform_out->ivlen - ( ssl->out_msglen + 1 ) %
1656 ssl->transform_out->ivlen;
1657 if( padlen == ssl->transform_out->ivlen )
1658 padlen = 0;
1659
1660 for( i = 0; i <= padlen; i++ )
1661 ssl->out_msg[ssl->out_msglen + i] = (unsigned char) padlen;
1662
1663 ssl->out_msglen += padlen + 1;
1664
1665 enc_msglen = ssl->out_msglen;
1666 enc_msg = ssl->out_msg;
1667
1668#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
1669 /*
1670 * Prepend per-record IV for block cipher in TLS v1.1 and up as per
1671 * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
1672 */
1673 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
1674 {
1675 /*
1676 * Generate IV
1677 */
1678 ret = ssl->conf->f_rng( ssl->conf->p_rng, ssl->transform_out->iv_enc,
1679 ssl->transform_out->ivlen );
1680 if( ret != 0 )
1681 return( ret );
1682
1683 memcpy( ssl->out_iv, ssl->transform_out->iv_enc,
1684 ssl->transform_out->ivlen );
1685
1686 /*
1687 * Fix pointer positions and message length with added IV
1688 */
1689 enc_msg = ssl->out_msg;
1690 enc_msglen = ssl->out_msglen;
1691 ssl->out_msglen += ssl->transform_out->ivlen;
1692 }
1693#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
1694
1695 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %d, "
1696 "including %d bytes of IV and %d bytes of padding",
1697 ssl->out_msglen, ssl->transform_out->ivlen,
1698 padlen + 1 ) );
1699
1700 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_out->cipher_ctx_enc,
1701 ssl->transform_out->iv_enc,
1702 ssl->transform_out->ivlen,
1703 enc_msg, enc_msglen,
1704 enc_msg, &olen ) ) != 0 )
1705 {
1706 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1707 return( ret );
1708 }
1709
1710 if( enc_msglen != olen )
1711 {
1712 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1713 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1714 }
1715
1716#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
1717 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
1718 {
1719 /*
1720 * Save IV in SSL3 and TLS1
1721 */
1722 memcpy( ssl->transform_out->iv_enc,
1723 ssl->transform_out->cipher_ctx_enc.iv,
1724 ssl->transform_out->ivlen );
1725 }
1726#endif
1727
1728#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1729 if( auth_done == 0 )
1730 {
1731 unsigned char mac[MBEDTLS_SSL_MAC_ADD];
1732
1733 /*
1734 * MAC(MAC_write_key, seq_num +
1735 * TLSCipherText.type +
1736 * TLSCipherText.version +
1737 * length_of( (IV +) ENC(...) ) +
1738 * IV + // except for TLS 1.0
1739 * ENC(content + padding + padding_length));
1740 */
1741 unsigned char pseudo_hdr[13];
1742
1743 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1744
1745 memcpy( pseudo_hdr + 0, ssl->out_ctr, 8 );
1746 memcpy( pseudo_hdr + 8, ssl->out_hdr, 3 );
1747 pseudo_hdr[11] = (unsigned char)( ( ssl->out_msglen >> 8 ) & 0xFF );
1748 pseudo_hdr[12] = (unsigned char)( ( ssl->out_msglen ) & 0xFF );
1749
1750 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
1751
1752 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc, pseudo_hdr, 13 );
1753 mbedtls_md_hmac_update( &ssl->transform_out->md_ctx_enc,
1754 ssl->out_iv, ssl->out_msglen );
1755 mbedtls_md_hmac_finish( &ssl->transform_out->md_ctx_enc, mac );
1756 mbedtls_md_hmac_reset( &ssl->transform_out->md_ctx_enc );
1757
1758 memcpy( ssl->out_iv + ssl->out_msglen, mac,
1759 ssl->transform_out->maclen );
1760
1761 ssl->out_msglen += ssl->transform_out->maclen;
1762 auth_done++;
1763 }
1764#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1765 }
1766 else
1767#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
1768 {
1769 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1770 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1771 }
1772
1773 /* Make extra sure authentication was performed, exactly once */
1774 if( auth_done != 1 )
1775 {
1776 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1777 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1778 }
1779
1780 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
1781
1782 return( 0 );
1783}
1784
1785#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
1786/*
1787 * Constant-flow conditional memcpy:
1788 * - if c1 == c2, equivalent to memcpy(dst, src, len),
1789 * - otherwise, a no-op,
1790 * but with execution flow independent of the values of c1 and c2.
1791 *
1792 * Use only bit operations to avoid branches that could be used by some
1793 * compilers on some platforms to translate comparison operators.
1794 */
1795static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst,
1796 const unsigned char *src,
1797 size_t len,
1798 size_t c1, size_t c2 )
1799{
1800 /* diff = 0 if c1 == c2, non-zero otherwise */
1801 const size_t diff = c1 ^ c2;
1802
1803 /* MSVC has a warning about unary minus on unsigned integer types,
1804 * but this is well-defined and precisely what we want to do here. */
1805#if defined(_MSC_VER)
1806#pragma warning( push )
1807#pragma warning( disable : 4146 )
1808#endif
1809
1810 /* diff_msb's most significant bit is equal to c1 != c2 */
1811 const size_t diff_msb = ( diff | -diff );
1812
1813 /* diff1 = c1 != c2 */
1814 const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
1815
1816 /* mask = c1 != c2 ? 0xff : 0x00 */
1817 const unsigned char mask = (unsigned char) -diff1;
1818
1819#if defined(_MSC_VER)
1820#pragma warning( pop )
1821#endif
1822
1823 /* dst[i] = c1 != c2 ? dst[i] : src[i] */
1824 size_t i;
1825 for( i = 0; i < len; i++ )
1826 dst[i] = ( dst[i] & mask ) | ( src[i] & ~mask );
1827}
1828
1829/*
1830 * Compute HMAC of variable-length data with constant flow.
1831 *
1832 * Only works with MD-5, SHA-1, SHA-256 and SHA-384.
1833 * (Otherwise, computation of block_size needs to be adapted.)
1834 */
1835int mbedtls_ssl_cf_hmac(
1836 mbedtls_md_context_t *ctx,
1837 const unsigned char *add_data, size_t add_data_len,
1838 const unsigned char *data, size_t data_len_secret,
1839 size_t min_data_len, size_t max_data_len,
1840 unsigned char *output )
1841{
1842 /*
1843 * This function breaks the HMAC abstraction and uses the md_clone()
1844 * extension to the MD API in order to get constant-flow behaviour.
1845 *
1846 * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
1847 * concatenation, and okey/ikey are the XOR of the key with some fixed bit
1848 * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
1849 *
1850 * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
1851 * minlen, then cloning the context, and for each byte up to maxlen
1852 * finishing up the hash computation, keeping only the correct result.
1853 *
1854 * Then we only need to compute HASH(okey + inner_hash) and we're done.
1855 */
1856 const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info );
1857 /* TLS 1.0-1.2 only support SHA-384, SHA-256, SHA-1, MD-5,
1858 * all of which have the same block size except SHA-384. */
1859 const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
1860 const unsigned char * const ikey = ctx->hmac_ctx;
1861 const unsigned char * const okey = ikey + block_size;
1862 const size_t hash_size = mbedtls_md_get_size( ctx->md_info );
1863
1864 unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
1865 mbedtls_md_context_t aux;
1866 size_t offset;
1867 int ret;
1868
1869 mbedtls_md_init( &aux );
1870
1871#define MD_CHK( func_call ) \
1872 do { \
1873 ret = (func_call); \
1874 if( ret != 0 ) \
1875 goto cleanup; \
1876 } while( 0 )
1877
1878 MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) );
1879
1880 /* After hmac_start() of hmac_reset(), ikey has already been hashed,
1881 * so we can start directly with the message */
1882 MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
1883 MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
1884
1885 /* For each possible length, compute the hash up to that point */
1886 for( offset = min_data_len; offset <= max_data_len; offset++ )
1887 {
1888 MD_CHK( mbedtls_md_clone( &aux, ctx ) );
1889 MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
1890 /* Keep only the correct inner_hash in the output buffer */
1891 mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size,
1892 offset, data_len_secret );
1893
1894 if( offset < max_data_len )
1895 MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
1896 }
1897
1898 /* The context needs to finish() before it starts() again */
1899 MD_CHK( mbedtls_md_finish( ctx, aux_out ) );
1900
1901 /* Now compute HASH(okey + inner_hash) */
1902 MD_CHK( mbedtls_md_starts( ctx ) );
1903 MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );
1904 MD_CHK( mbedtls_md_update( ctx, output, hash_size ) );
1905 MD_CHK( mbedtls_md_finish( ctx, output ) );
1906
1907 /* Done, get ready for next time */
1908 MD_CHK( mbedtls_md_hmac_reset( ctx ) );
1909
1910#undef MD_CHK
1911
1912cleanup:
1913 mbedtls_md_free( &aux );
1914 return( ret );
1915}
1916
1917/*
1918 * Constant-flow memcpy from variable position in buffer.
1919 * - functionally equivalent to memcpy(dst, src + offset_secret, len)
1920 * - but with execution flow independent from the value of offset_secret.
1921 */
1922void mbedtls_ssl_cf_memcpy_offset( unsigned char *dst,
1923 const unsigned char *src_base,
1924 size_t offset_secret,
1925 size_t offset_min, size_t offset_max,
1926 size_t len )
1927{
1928 size_t offset;
1929
1930 for( offset = offset_min; offset <= offset_max; offset++ )
1931 {
1932 mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len,
1933 offset, offset_secret );
1934 }
1935}
1936#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
1937
1938static int ssl_decrypt_buf( mbedtls_ssl_context *ssl )
1939{
1940 mbedtls_cipher_mode_t mode;
1941 int auth_done = 0;
1942#if defined(SSL_SOME_MODES_USE_MAC)
1943 size_t padlen = 0, correct = 1;
1944#endif
1945
1946 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1947
1948 if( ssl->session_in == NULL || ssl->transform_in == NULL )
1949 {
1950 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1951 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1952 }
1953
1954 mode = mbedtls_cipher_get_cipher_mode( &ssl->transform_in->cipher_ctx_dec );
1955
1956 if( ssl->in_msglen < ssl->transform_in->minlen )
1957 {
1958 MBEDTLS_SSL_DEBUG_MSG( 1, ( "in_msglen (%d) < minlen (%d)",
1959 ssl->in_msglen, ssl->transform_in->minlen ) );
1960 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1961 }
1962
1963#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER)
1964 if( mode == MBEDTLS_MODE_STREAM )
1965 {
1966 int ret;
1967 size_t olen = 0;
1968
1969 padlen = 0;
1970
1971 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
1972 ssl->transform_in->iv_dec,
1973 ssl->transform_in->ivlen,
1974 ssl->in_msg, ssl->in_msglen,
1975 ssl->in_msg, &olen ) ) != 0 )
1976 {
1977 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1978 return( ret );
1979 }
1980
1981 if( ssl->in_msglen != olen )
1982 {
1983 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1984 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1985 }
1986 }
1987 else
1988#endif /* MBEDTLS_ARC4_C || MBEDTLS_CIPHER_NULL_CIPHER */
1989#if defined(MBEDTLS_GCM_C) || \
1990 defined(MBEDTLS_CCM_C) || \
1991 defined(MBEDTLS_CHACHAPOLY_C)
1992 if( mode == MBEDTLS_MODE_GCM ||
1993 mode == MBEDTLS_MODE_CCM ||
1994 mode == MBEDTLS_MODE_CHACHAPOLY )
1995 {
1996 int ret;
1997 size_t dec_msglen, olen;
1998 unsigned char *dec_msg;
1999 unsigned char *dec_msg_result;
2000 unsigned char add_data[13];
2001 unsigned char iv[12];
2002 mbedtls_ssl_transform *transform = ssl->transform_in;
2003 unsigned char taglen = transform->ciphersuite_info->flags &
2004 MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
2005 size_t explicit_iv_len = transform->ivlen - transform->fixed_ivlen;
2006
2007 /*
2008 * Compute and update sizes
2009 */
2010 if( ssl->in_msglen < explicit_iv_len + taglen )
2011 {
2012 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < explicit_iv_len (%d) "
2013 "+ taglen (%d)", ssl->in_msglen,
2014 explicit_iv_len, taglen ) );
2015 return( MBEDTLS_ERR_SSL_INVALID_MAC );
2016 }
2017 dec_msglen = ssl->in_msglen - explicit_iv_len - taglen;
2018
2019 dec_msg = ssl->in_msg;
2020 dec_msg_result = ssl->in_msg;
2021 ssl->in_msglen = dec_msglen;
2022
2023 /*
2024 * Prepare additional authenticated data
2025 */
2026 memcpy( add_data, ssl->in_ctr, 8 );
2027 add_data[8] = ssl->in_msgtype;
2028 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
2029 ssl->conf->transport, add_data + 9 );
2030 add_data[11] = ( ssl->in_msglen >> 8 ) & 0xFF;
2031 add_data[12] = ssl->in_msglen & 0xFF;
2032
2033 MBEDTLS_SSL_DEBUG_BUF( 4, "additional data for AEAD", add_data, 13 );
2034
2035 /*
2036 * Prepare IV
2037 */
2038 if( transform->ivlen == 12 && transform->fixed_ivlen == 4 )
2039 {
2040 /* GCM and CCM: fixed || explicit (transmitted) */
2041 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
2042 memcpy( iv + transform->fixed_ivlen, ssl->in_iv, 8 );
2043
2044 }
2045 else if( transform->ivlen == 12 && transform->fixed_ivlen == 12 )
2046 {
2047 /* ChachaPoly: fixed XOR sequence number */
2048 unsigned char i;
2049
2050 memcpy( iv, transform->iv_dec, transform->fixed_ivlen );
2051
2052 for( i = 0; i < 8; i++ )
2053 iv[i+4] ^= ssl->in_ctr[i];
2054 }
2055 else
2056 {
2057 /* Reminder if we ever add an AEAD mode with a different size */
2058 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2059 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2060 }
2061
2062 MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
2063 MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", dec_msg + dec_msglen, taglen );
2064
2065 /*
2066 * Decrypt and authenticate
2067 */
2068 if( ( ret = mbedtls_cipher_auth_decrypt( &ssl->transform_in->cipher_ctx_dec,
2069 iv, transform->ivlen,
2070 add_data, 13,
2071 dec_msg, dec_msglen,
2072 dec_msg_result, &olen,
2073 dec_msg + dec_msglen, taglen ) ) != 0 )
2074 {
2075 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt", ret );
2076
2077 if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
2078 return( MBEDTLS_ERR_SSL_INVALID_MAC );
2079
2080 return( ret );
2081 }
2082 auth_done++;
2083
2084 if( olen != dec_msglen )
2085 {
2086 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2087 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2088 }
2089 }
2090 else
2091#endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
2092#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
2093 if( mode == MBEDTLS_MODE_CBC )
2094 {
2095 /*
2096 * Decrypt and check the padding
2097 */
2098 int ret;
2099 unsigned char *dec_msg;
2100 unsigned char *dec_msg_result;
2101 size_t dec_msglen;
2102 size_t minlen = 0;
2103 size_t olen = 0;
2104
2105 /*
2106 * Check immediate ciphertext sanity
2107 */
2108#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
2109 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
2110 minlen += ssl->transform_in->ivlen;
2111#endif
2112
2113 if( ssl->in_msglen < minlen + ssl->transform_in->ivlen ||
2114 ssl->in_msglen < minlen + ssl->transform_in->maclen + 1 )
2115 {
2116 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < max( ivlen(%d), maclen (%d) "
2117 "+ 1 ) ( + expl IV )", ssl->in_msglen,
2118 ssl->transform_in->ivlen,
2119 ssl->transform_in->maclen ) );
2120 return( MBEDTLS_ERR_SSL_INVALID_MAC );
2121 }
2122
2123 dec_msglen = ssl->in_msglen;
2124 dec_msg = ssl->in_msg;
2125 dec_msg_result = ssl->in_msg;
2126
2127 /*
2128 * Authenticate before decrypt if enabled
2129 */
2130#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2131 if( ssl->session_in->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
2132 {
2133 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
2134 unsigned char pseudo_hdr[13];
2135
2136 MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
2137
2138 dec_msglen -= ssl->transform_in->maclen;
2139 ssl->in_msglen -= ssl->transform_in->maclen;
2140
2141 memcpy( pseudo_hdr + 0, ssl->in_ctr, 8 );
2142 memcpy( pseudo_hdr + 8, ssl->in_hdr, 3 );
2143 pseudo_hdr[11] = (unsigned char)( ( ssl->in_msglen >> 8 ) & 0xFF );
2144 pseudo_hdr[12] = (unsigned char)( ( ssl->in_msglen ) & 0xFF );
2145
2146 MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", pseudo_hdr, 13 );
2147
2148 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec, pseudo_hdr, 13 );
2149 mbedtls_md_hmac_update( &ssl->transform_in->md_ctx_dec,
2150 ssl->in_iv, ssl->in_msglen );
2151 mbedtls_md_hmac_finish( &ssl->transform_in->md_ctx_dec, mac_expect );
2152 mbedtls_md_hmac_reset( &ssl->transform_in->md_ctx_dec );
2153
2154 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", ssl->in_iv + ssl->in_msglen,
2155 ssl->transform_in->maclen );
2156 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
2157 ssl->transform_in->maclen );
2158
2159 if( mbedtls_ssl_safer_memcmp( ssl->in_iv + ssl->in_msglen, mac_expect,
2160 ssl->transform_in->maclen ) != 0 )
2161 {
2162 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
2163
2164 return( MBEDTLS_ERR_SSL_INVALID_MAC );
2165 }
2166 auth_done++;
2167 }
2168#endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
2169
2170 /*
2171 * Check length sanity
2172 */
2173 if( ssl->in_msglen % ssl->transform_in->ivlen != 0 )
2174 {
2175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) %% ivlen (%d) != 0",
2176 ssl->in_msglen, ssl->transform_in->ivlen ) );
2177 return( MBEDTLS_ERR_SSL_INVALID_MAC );
2178 }
2179
2180#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
2181 /*
2182 * Initialize for prepended IV for block cipher in TLS v1.1 and up
2183 */
2184 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
2185 {
2186 unsigned char i;
2187 dec_msglen -= ssl->transform_in->ivlen;
2188 ssl->in_msglen -= ssl->transform_in->ivlen;
2189
2190 for( i = 0; i < ssl->transform_in->ivlen; i++ )
2191 ssl->transform_in->iv_dec[i] = ssl->in_iv[i];
2192 }
2193#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
2194
2195 if( ( ret = mbedtls_cipher_crypt( &ssl->transform_in->cipher_ctx_dec,
2196 ssl->transform_in->iv_dec,
2197 ssl->transform_in->ivlen,
2198 dec_msg, dec_msglen,
2199 dec_msg_result, &olen ) ) != 0 )
2200 {
2201 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
2202 return( ret );
2203 }
2204
2205 if( dec_msglen != olen )
2206 {
2207 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2208 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2209 }
2210
2211#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
2212 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
2213 {
2214 /*
2215 * Save IV in SSL3 and TLS1
2216 */
2217 memcpy( ssl->transform_in->iv_dec,
2218 ssl->transform_in->cipher_ctx_dec.iv,
2219 ssl->transform_in->ivlen );
2220 }
2221#endif
2222
2223 padlen = 1 + ssl->in_msg[ssl->in_msglen - 1];
2224
2225 if( ssl->in_msglen < ssl->transform_in->maclen + padlen &&
2226 auth_done == 0 )
2227 {
2228#if defined(MBEDTLS_SSL_DEBUG_ALL)
2229 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%d) < maclen (%d) + padlen (%d)",
2230 ssl->in_msglen, ssl->transform_in->maclen, padlen ) );
2231#endif
2232 padlen = 0;
2233 correct = 0;
2234 }
2235
2236#if defined(MBEDTLS_SSL_PROTO_SSL3)
2237 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
2238 {
2239 if( padlen > ssl->transform_in->ivlen )
2240 {
2241#if defined(MBEDTLS_SSL_DEBUG_ALL)
2242 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding length: is %d, "
2243 "should be no more than %d",
2244 padlen, ssl->transform_in->ivlen ) );
2245#endif
2246 correct = 0;
2247 }
2248 }
2249 else
2250#endif /* MBEDTLS_SSL_PROTO_SSL3 */
2251#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2252 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2253 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
2254 {
2255 /*
2256 * TLSv1+: always check the padding up to the first failure
2257 * and fake check up to 256 bytes of padding
2258 */
2259 size_t pad_count = 0, real_count = 1;
2260 size_t padding_idx = ssl->in_msglen - padlen;
2261 size_t i;
2262
2263 /*
2264 * Padding is guaranteed to be incorrect if:
2265 * 1. padlen > ssl->in_msglen
2266 *
2267 * 2. padding_idx > MBEDTLS_SSL_IN_CONTENT_LEN +
2268 * ssl->transform_in->maclen
2269 *
2270 * In both cases we reset padding_idx to a safe value (0) to
2271 * prevent out-of-buffer reads.
2272 */
2273 correct &= ( padlen <= ssl->in_msglen );
2274 correct &= ( padding_idx <= MBEDTLS_SSL_IN_CONTENT_LEN +
2275 ssl->transform_in->maclen );
2276
2277 padding_idx *= correct;
2278
2279 for( i = 0; i < 256; i++ )
2280 {
2281 real_count &= ( i < padlen );
2282 pad_count += real_count *
2283 ( ssl->in_msg[padding_idx + i] == padlen - 1 );
2284 }
2285
2286 correct &= ( pad_count == padlen ); /* Only 1 on correct padding */
2287
2288#if defined(MBEDTLS_SSL_DEBUG_ALL)
2289 if( padlen > 0 && correct == 0 )
2290 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
2291#endif
2292 padlen &= correct * 0x1FF;
2293 }
2294 else
2295#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2296 MBEDTLS_SSL_PROTO_TLS1_2 */
2297 {
2298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2299 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2300 }
2301
2302 ssl->in_msglen -= padlen;
2303 }
2304 else
2305#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
2306 {
2307 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2308 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2309 }
2310
2311#if defined(MBEDTLS_SSL_DEBUG_ALL)
2312 MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
2313 ssl->in_msg, ssl->in_msglen );
2314#endif
2315
2316 /*
2317 * Authenticate if not done yet.
2318 * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
2319 */
2320#if defined(SSL_SOME_MODES_USE_MAC)
2321 if( auth_done == 0 )
2322 {
2323 unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
2324 unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];
2325
2326 ssl->in_msglen -= ssl->transform_in->maclen;
2327
2328 ssl->in_len[0] = (unsigned char)( ssl->in_msglen >> 8 );
2329 ssl->in_len[1] = (unsigned char)( ssl->in_msglen );
2330
2331#if defined(MBEDTLS_SSL_PROTO_SSL3)
2332 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
2333 {
2334 ssl_mac( &ssl->transform_in->md_ctx_dec,
2335 ssl->transform_in->mac_dec,
2336 ssl->in_msg, ssl->in_msglen,
2337 ssl->in_ctr, ssl->in_msgtype,
2338 mac_expect );
2339 memcpy( mac_peer, ssl->in_msg + ssl->in_msglen,
2340 ssl->transform_in->maclen );
2341 }
2342 else
2343#endif /* MBEDTLS_SSL_PROTO_SSL3 */
2344#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
2345 defined(MBEDTLS_SSL_PROTO_TLS1_2)
2346 if( ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
2347 {
2348 int ret;
2349 unsigned char add_data[13];
2350
2351 /*
2352 * The next two sizes are the minimum and maximum values of
2353 * in_msglen over all padlen values.
2354 *
2355 * They're independent of padlen, since we previously did
2356 * in_msglen -= padlen.
2357 *
2358 * Note that max_len + maclen is never more than the buffer
2359 * length, as we previously did in_msglen -= maclen too.
2360 */
2361 const size_t max_len = ssl->in_msglen + padlen;
2362 const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
2363
2364 memcpy( add_data + 0, ssl->in_ctr, 8 );
2365 memcpy( add_data + 8, ssl->in_hdr, 3 );
2366 memcpy( add_data + 11, ssl->in_len, 2 );
2367
2368 ret = mbedtls_ssl_cf_hmac( &ssl->transform_in->md_ctx_dec,
2369 add_data, sizeof( add_data ),
2370 ssl->in_msg, ssl->in_msglen,
2371 min_len, max_len,
2372 mac_expect );
2373 if( ret != 0 )
2374 {
2375 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret );
2376 return( ret );
2377 }
2378
2379 mbedtls_ssl_cf_memcpy_offset( mac_peer, ssl->in_msg,
2380 ssl->in_msglen,
2381 min_len, max_len,
2382 ssl->transform_in->maclen );
2383 }
2384 else
2385#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
2386 MBEDTLS_SSL_PROTO_TLS1_2 */
2387 {
2388 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2389 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2390 }
2391
2392#if defined(MBEDTLS_SSL_DEBUG_ALL)
2393 MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, ssl->transform_in->maclen );
2394 MBEDTLS_SSL_DEBUG_BUF( 4, "message mac", mac_peer, ssl->transform_in->maclen );
2395#endif
2396
2397 if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect,
2398 ssl->transform_in->maclen ) != 0 )
2399 {
2400#if defined(MBEDTLS_SSL_DEBUG_ALL)
2401 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
2402#endif
2403 correct = 0;
2404 }
2405 auth_done++;
2406 }
2407
2408 /*
2409 * Finally check the correct flag
2410 */
2411 if( correct == 0 )
2412 return( MBEDTLS_ERR_SSL_INVALID_MAC );
2413#endif /* SSL_SOME_MODES_USE_MAC */
2414
2415 /* Make extra sure authentication was performed, exactly once */
2416 if( auth_done != 1 )
2417 {
2418 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2419 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2420 }
2421
2422 if( ssl->in_msglen == 0 )
2423 {
2424#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2425 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
2426 && ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
2427 {
2428 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
2429 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
2430 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2431 }
2432#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2433
2434 ssl->nb_zero++;
2435
2436 /*
2437 * Three or more empty messages may be a DoS attack
2438 * (excessive CPU consumption).
2439 */
2440 if( ssl->nb_zero > 3 )
2441 {
2442 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
2443 "messages, possible DoS attack" ) );
2444 return( MBEDTLS_ERR_SSL_INVALID_MAC );
2445 }
2446 }
2447 else
2448 ssl->nb_zero = 0;
2449
2450#if defined(MBEDTLS_SSL_PROTO_DTLS)
2451 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2452 {
2453 ; /* in_ctr read from peer, not maintained internally */
2454 }
2455 else
2456#endif
2457 {
2458 unsigned char i;
2459 for( i = 8; i > ssl_ep_len( ssl ); i-- )
2460 if( ++ssl->in_ctr[i - 1] != 0 )
2461 break;
2462
2463 /* The loop goes to its end iff the counter is wrapping */
2464 if( i == ssl_ep_len( ssl ) )
2465 {
2466 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
2467 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2468 }
2469 }
2470
2471 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
2472
2473 return( 0 );
2474}
2475
2476#undef MAC_NONE
2477#undef MAC_PLAINTEXT
2478#undef MAC_CIPHERTEXT
2479
2480#if defined(MBEDTLS_ZLIB_SUPPORT)
2481/*
2482 * Compression/decompression functions
2483 */
2484static int ssl_compress_buf( mbedtls_ssl_context *ssl )
2485{
2486 int ret;
2487 unsigned char *msg_post = ssl->out_msg;
2488 ptrdiff_t bytes_written = ssl->out_msg - ssl->out_buf;
2489 size_t len_pre = ssl->out_msglen;
2490 unsigned char *msg_pre = ssl->compress_buf;
2491
2492 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> compress buf" ) );
2493
2494 if( len_pre == 0 )
2495 return( 0 );
2496
2497 memcpy( msg_pre, ssl->out_msg, len_pre );
2498
2499 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before compression: msglen = %d, ",
2500 ssl->out_msglen ) );
2501
2502 MBEDTLS_SSL_DEBUG_BUF( 4, "before compression: output payload",
2503 ssl->out_msg, ssl->out_msglen );
2504
2505 ssl->transform_out->ctx_deflate.next_in = msg_pre;
2506 ssl->transform_out->ctx_deflate.avail_in = len_pre;
2507 ssl->transform_out->ctx_deflate.next_out = msg_post;
2508 ssl->transform_out->ctx_deflate.avail_out = MBEDTLS_SSL_OUT_BUFFER_LEN - bytes_written;
2509
2510 ret = deflate( &ssl->transform_out->ctx_deflate, Z_SYNC_FLUSH );
2511 if( ret != Z_OK )
2512 {
2513 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform compression (%d)", ret ) );
2514 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
2515 }
2516
2517 ssl->out_msglen = MBEDTLS_SSL_OUT_BUFFER_LEN -
2518 ssl->transform_out->ctx_deflate.avail_out - bytes_written;
2519
2520 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after compression: msglen = %d, ",
2521 ssl->out_msglen ) );
2522
2523 MBEDTLS_SSL_DEBUG_BUF( 4, "after compression: output payload",
2524 ssl->out_msg, ssl->out_msglen );
2525
2526 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= compress buf" ) );
2527
2528 return( 0 );
2529}
2530
2531static int ssl_decompress_buf( mbedtls_ssl_context *ssl )
2532{
2533 int ret;
2534 unsigned char *msg_post = ssl->in_msg;
2535 ptrdiff_t header_bytes = ssl->in_msg - ssl->in_buf;
2536 size_t len_pre = ssl->in_msglen;
2537 unsigned char *msg_pre = ssl->compress_buf;
2538
2539 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decompress buf" ) );
2540
2541 if( len_pre == 0 )
2542 return( 0 );
2543
2544 memcpy( msg_pre, ssl->in_msg, len_pre );
2545
2546 MBEDTLS_SSL_DEBUG_MSG( 3, ( "before decompression: msglen = %d, ",
2547 ssl->in_msglen ) );
2548
2549 MBEDTLS_SSL_DEBUG_BUF( 4, "before decompression: input payload",
2550 ssl->in_msg, ssl->in_msglen );
2551
2552 ssl->transform_in->ctx_inflate.next_in = msg_pre;
2553 ssl->transform_in->ctx_inflate.avail_in = len_pre;
2554 ssl->transform_in->ctx_inflate.next_out = msg_post;
2555 ssl->transform_in->ctx_inflate.avail_out = MBEDTLS_SSL_IN_BUFFER_LEN -
2556 header_bytes;
2557
2558 ret = inflate( &ssl->transform_in->ctx_inflate, Z_SYNC_FLUSH );
2559 if( ret != Z_OK )
2560 {
2561 MBEDTLS_SSL_DEBUG_MSG( 1, ( "failed to perform decompression (%d)", ret ) );
2562 return( MBEDTLS_ERR_SSL_COMPRESSION_FAILED );
2563 }
2564
2565 ssl->in_msglen = MBEDTLS_SSL_IN_BUFFER_LEN -
2566 ssl->transform_in->ctx_inflate.avail_out - header_bytes;
2567
2568 MBEDTLS_SSL_DEBUG_MSG( 3, ( "after decompression: msglen = %d, ",
2569 ssl->in_msglen ) );
2570
2571 MBEDTLS_SSL_DEBUG_BUF( 4, "after decompression: input payload",
2572 ssl->in_msg, ssl->in_msglen );
2573
2574 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decompress buf" ) );
2575
2576 return( 0 );
2577}
2578#endif /* MBEDTLS_ZLIB_SUPPORT */
2579
2580#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2581static int ssl_write_hello_request( mbedtls_ssl_context *ssl );
2582
2583#if defined(MBEDTLS_SSL_PROTO_DTLS)
2584static int ssl_resend_hello_request( mbedtls_ssl_context *ssl )
2585{
2586 /* If renegotiation is not enforced, retransmit until we would reach max
2587 * timeout if we were using the usual handshake doubling scheme */
2588 if( ssl->conf->renego_max_records < 0 )
2589 {
2590 uint32_t ratio = ssl->conf->hs_timeout_max / ssl->conf->hs_timeout_min + 1;
2591 unsigned char doublings = 1;
2592
2593 while( ratio != 0 )
2594 {
2595 ++doublings;
2596 ratio >>= 1;
2597 }
2598
2599 if( ++ssl->renego_records_seen > doublings )
2600 {
2601 MBEDTLS_SSL_DEBUG_MSG( 2, ( "no longer retransmitting hello request" ) );
2602 return( 0 );
2603 }
2604 }
2605
2606 return( ssl_write_hello_request( ssl ) );
2607}
2608#endif
2609#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
2610
2611/*
2612 * Fill the input message buffer by appending data to it.
2613 * The amount of data already fetched is in ssl->in_left.
2614 *
2615 * If we return 0, is it guaranteed that (at least) nb_want bytes are
2616 * available (from this read and/or a previous one). Otherwise, an error code
2617 * is returned (possibly EOF or WANT_READ).
2618 *
2619 * With stream transport (TLS) on success ssl->in_left == nb_want, but
2620 * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
2621 * since we always read a whole datagram at once.
2622 *
2623 * For DTLS, it is up to the caller to set ssl->next_record_offset when
2624 * they're done reading a record.
2625 */
2626int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
2627{
2628 int ret;
2629 size_t len;
2630
2631 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
2632
2633 if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
2634 {
2635 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
2636 "or mbedtls_ssl_set_bio()" ) );
2637 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2638 }
2639
2640 if( nb_want > MBEDTLS_SSL_IN_BUFFER_LEN - (size_t)( ssl->in_hdr - ssl->in_buf ) )
2641 {
2642 MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
2643 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2644 }
2645
2646#if defined(MBEDTLS_SSL_PROTO_DTLS)
2647 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2648 {
2649 uint32_t timeout;
2650
2651 /* Just to be sure */
2652 if( ssl->f_set_timer == NULL || ssl->f_get_timer == NULL )
2653 {
2654 MBEDTLS_SSL_DEBUG_MSG( 1, ( "You must use "
2655 "mbedtls_ssl_set_timer_cb() for DTLS" ) );
2656 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2657 }
2658
2659 /*
2660 * The point is, we need to always read a full datagram at once, so we
2661 * sometimes read more then requested, and handle the additional data.
2662 * It could be the rest of the current record (while fetching the
2663 * header) and/or some other records in the same datagram.
2664 */
2665
2666 /*
2667 * Move to the next record in the already read datagram if applicable
2668 */
2669 if( ssl->next_record_offset != 0 )
2670 {
2671 if( ssl->in_left < ssl->next_record_offset )
2672 {
2673 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2674 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2675 }
2676
2677 ssl->in_left -= ssl->next_record_offset;
2678
2679 if( ssl->in_left != 0 )
2680 {
2681 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %d",
2682 ssl->next_record_offset ) );
2683 memmove( ssl->in_hdr,
2684 ssl->in_hdr + ssl->next_record_offset,
2685 ssl->in_left );
2686 }
2687
2688 ssl->next_record_offset = 0;
2689 }
2690
2691 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
2692 ssl->in_left, nb_want ) );
2693
2694 /*
2695 * Done if we already have enough data.
2696 */
2697 if( nb_want <= ssl->in_left)
2698 {
2699 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2700 return( 0 );
2701 }
2702
2703 /*
2704 * A record can't be split across datagrams. If we need to read but
2705 * are not at the beginning of a new record, the caller did something
2706 * wrong.
2707 */
2708 if( ssl->in_left != 0 )
2709 {
2710 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2711 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2712 }
2713
2714 /*
2715 * Don't even try to read if time's out already.
2716 * This avoids by-passing the timer when repeatedly receiving messages
2717 * that will end up being dropped.
2718 */
2719 if( ssl_check_timer( ssl ) != 0 )
2720 {
2721 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
2722 ret = MBEDTLS_ERR_SSL_TIMEOUT;
2723 }
2724 else
2725 {
2726 len = MBEDTLS_SSL_IN_BUFFER_LEN - ( ssl->in_hdr - ssl->in_buf );
2727
2728 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
2729 timeout = ssl->handshake->retransmit_timeout;
2730 else
2731 timeout = ssl->conf->read_timeout;
2732
2733 MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %u ms", timeout ) );
2734
2735 if( ssl->f_recv_timeout != NULL )
2736 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
2737 timeout );
2738 else
2739 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
2740
2741 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
2742
2743 if( ret == 0 )
2744 return( MBEDTLS_ERR_SSL_CONN_EOF );
2745 }
2746
2747 if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
2748 {
2749 MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
2750 ssl_set_timer( ssl, 0 );
2751
2752 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
2753 {
2754 if( ssl_double_retransmit_timeout( ssl ) != 0 )
2755 {
2756 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
2757 return( MBEDTLS_ERR_SSL_TIMEOUT );
2758 }
2759
2760 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
2761 {
2762 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
2763 return( ret );
2764 }
2765
2766 return( MBEDTLS_ERR_SSL_WANT_READ );
2767 }
2768#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
2769 else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
2770 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
2771 {
2772 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
2773 {
2774 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
2775 return( ret );
2776 }
2777
2778 return( MBEDTLS_ERR_SSL_WANT_READ );
2779 }
2780#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
2781 }
2782
2783 if( ret < 0 )
2784 return( ret );
2785
2786 ssl->in_left = ret;
2787 }
2788 else
2789#endif
2790 {
2791 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
2792 ssl->in_left, nb_want ) );
2793
2794 while( ssl->in_left < nb_want )
2795 {
2796 len = nb_want - ssl->in_left;
2797
2798 if( ssl_check_timer( ssl ) != 0 )
2799 ret = MBEDTLS_ERR_SSL_TIMEOUT;
2800 else
2801 {
2802 if( ssl->f_recv_timeout != NULL )
2803 {
2804 ret = ssl->f_recv_timeout( ssl->p_bio,
2805 ssl->in_hdr + ssl->in_left, len,
2806 ssl->conf->read_timeout );
2807 }
2808 else
2809 {
2810 ret = ssl->f_recv( ssl->p_bio,
2811 ssl->in_hdr + ssl->in_left, len );
2812 }
2813 }
2814
2815 MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %d, nb_want: %d",
2816 ssl->in_left, nb_want ) );
2817 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
2818
2819 if( ret == 0 )
2820 return( MBEDTLS_ERR_SSL_CONN_EOF );
2821
2822 if( ret < 0 )
2823 return( ret );
2824
2825 if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
2826 {
2827 MBEDTLS_SSL_DEBUG_MSG( 1,
2828 ( "f_recv returned %d bytes but only %lu were requested",
2829 ret, (unsigned long)len ) );
2830 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2831 }
2832
2833 ssl->in_left += ret;
2834 }
2835 }
2836
2837 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
2838
2839 return( 0 );
2840}
2841
2842/*
2843 * Flush any data not yet written
2844 */
2845int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
2846{
2847 int ret;
2848 unsigned char *buf;
2849
2850 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
2851
2852 if( ssl->f_send == NULL )
2853 {
2854 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
2855 "or mbedtls_ssl_set_bio()" ) );
2856 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2857 }
2858
2859 /* Avoid incrementing counter if data is flushed */
2860 if( ssl->out_left == 0 )
2861 {
2862 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2863 return( 0 );
2864 }
2865
2866 while( ssl->out_left > 0 )
2867 {
2868 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %d, out_left: %d",
2869 mbedtls_ssl_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
2870
2871 buf = ssl->out_hdr - ssl->out_left;
2872 ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
2873
2874 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
2875
2876 if( ret <= 0 )
2877 return( ret );
2878
2879 if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
2880 {
2881 MBEDTLS_SSL_DEBUG_MSG( 1,
2882 ( "f_send returned %d bytes but only %lu bytes were sent",
2883 ret, (unsigned long)ssl->out_left ) );
2884 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2885 }
2886
2887 ssl->out_left -= ret;
2888 }
2889
2890#if defined(MBEDTLS_SSL_PROTO_DTLS)
2891 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2892 {
2893 ssl->out_hdr = ssl->out_buf;
2894 }
2895 else
2896#endif
2897 {
2898 ssl->out_hdr = ssl->out_buf + 8;
2899 }
2900 ssl_update_out_pointers( ssl, ssl->transform_out );
2901
2902 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2903
2904 return( 0 );
2905}
2906
2907/*
2908 * Functions to handle the DTLS retransmission state machine
2909 */
2910#if defined(MBEDTLS_SSL_PROTO_DTLS)
2911/*
2912 * Append current handshake message to current outgoing flight
2913 */
2914static int ssl_flight_append( mbedtls_ssl_context *ssl )
2915{
2916 mbedtls_ssl_flight_item *msg;
2917 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
2918 MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
2919 ssl->out_msg, ssl->out_msglen );
2920
2921 /* Allocate space for current message */
2922 if( ( msg = mbedtls_calloc( 1, sizeof( mbedtls_ssl_flight_item ) ) ) == NULL )
2923 {
2924 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed",
2925 sizeof( mbedtls_ssl_flight_item ) ) );
2926 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2927 }
2928
2929 if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
2930 {
2931 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %d bytes failed", ssl->out_msglen ) );
2932 mbedtls_free( msg );
2933 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2934 }
2935
2936 /* Copy current handshake message with headers */
2937 memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
2938 msg->len = ssl->out_msglen;
2939 msg->type = ssl->out_msgtype;
2940 msg->next = NULL;
2941
2942 /* Append to the current flight */
2943 if( ssl->handshake->flight == NULL )
2944 ssl->handshake->flight = msg;
2945 else
2946 {
2947 mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
2948 while( cur->next != NULL )
2949 cur = cur->next;
2950 cur->next = msg;
2951 }
2952
2953 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
2954 return( 0 );
2955}
2956
2957/*
2958 * Free the current flight of handshake messages
2959 */
2960static void ssl_flight_free( mbedtls_ssl_flight_item *flight )
2961{
2962 mbedtls_ssl_flight_item *cur = flight;
2963 mbedtls_ssl_flight_item *next;
2964
2965 while( cur != NULL )
2966 {
2967 next = cur->next;
2968
2969 mbedtls_free( cur->p );
2970 mbedtls_free( cur );
2971
2972 cur = next;
2973 }
2974}
2975
2976#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
2977static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
2978#endif
2979
2980/*
2981 * Swap transform_out and out_ctr with the alternative ones
2982 */
2983static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
2984{
2985 mbedtls_ssl_transform *tmp_transform;
2986 unsigned char tmp_out_ctr[8];
2987#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
2988 int ret;
2989#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
2990
2991 if( ssl->transform_out == ssl->handshake->alt_transform_out )
2992 {
2993 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
2994 return( 0 );
2995 }
2996
2997 MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
2998
2999 /* Swap transforms */
3000 tmp_transform = ssl->transform_out;
3001 ssl->transform_out = ssl->handshake->alt_transform_out;
3002 ssl->handshake->alt_transform_out = tmp_transform;
3003
3004 /* Swap epoch + sequence_number */
3005 memcpy( tmp_out_ctr, ssl->cur_out_ctr, 8 );
3006 memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr, 8 );
3007 memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr, 8 );
3008
3009 /* Adjust to the newly activated transform */
3010 ssl_update_out_pointers( ssl, ssl->transform_out );
3011
3012#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3013 if( mbedtls_ssl_hw_record_activate != NULL )
3014 {
3015 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
3016 {
3017 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
3018 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3019 }
3020 }
3021#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
3022
3023 return( 0 );
3024}
3025
3026/*
3027 * Retransmit the current flight of messages.
3028 */
3029int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
3030{
3031 int ret = 0;
3032
3033 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
3034
3035 ret = mbedtls_ssl_flight_transmit( ssl );
3036
3037 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
3038
3039 return( ret );
3040}
3041
3042/*
3043 * Transmit or retransmit the current flight of messages.
3044 *
3045 * Need to remember the current message in case flush_output returns
3046 * WANT_WRITE, causing us to exit this function and come back later.
3047 * This function must be called until state is no longer SENDING.
3048 */
3049int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
3050{
3051 int ret;
3052 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
3053
3054 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
3055 {
3056 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
3057
3058 ssl->handshake->cur_msg = ssl->handshake->flight;
3059 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
3060 if( ( ret = ssl_swap_epochs( ssl ) ) != 0 )
3061 return( ret );
3062
3063 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
3064 }
3065
3066 while( ssl->handshake->cur_msg != NULL )
3067 {
3068 size_t max_frag_len;
3069 const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
3070
3071 int const is_finished =
3072 ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
3073 cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
3074
3075 uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
3076 SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
3077
3078 /* Swap epochs before sending Finished: we can't do it after
3079 * sending ChangeCipherSpec, in case write returns WANT_READ.
3080 * Must be done before copying, may change out_msg pointer */
3081 if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
3082 {
3083 MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
3084 if( ( ret = ssl_swap_epochs( ssl ) ) != 0 )
3085 return( ret );
3086 }
3087
3088 ret = ssl_get_remaining_payload_in_datagram( ssl );
3089 if( ret < 0 )
3090 return( ret );
3091 max_frag_len = (size_t) ret;
3092
3093 /* CCS is copied as is, while HS messages may need fragmentation */
3094 if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
3095 {
3096 if( max_frag_len == 0 )
3097 {
3098 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3099 return( ret );
3100
3101 continue;
3102 }
3103
3104 memcpy( ssl->out_msg, cur->p, cur->len );
3105 ssl->out_msglen = cur->len;
3106 ssl->out_msgtype = cur->type;
3107
3108 /* Update position inside current message */
3109 ssl->handshake->cur_msg_p += cur->len;
3110 }
3111 else
3112 {
3113 const unsigned char * const p = ssl->handshake->cur_msg_p;
3114 const size_t hs_len = cur->len - 12;
3115 const size_t frag_off = p - ( cur->p + 12 );
3116 const size_t rem_len = hs_len - frag_off;
3117 size_t cur_hs_frag_len, max_hs_frag_len;
3118
3119 if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
3120 {
3121 if( is_finished )
3122 {
3123 if( ( ret = ssl_swap_epochs( ssl ) ) != 0 )
3124 return( ret );
3125 }
3126
3127 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3128 return( ret );
3129
3130 continue;
3131 }
3132 max_hs_frag_len = max_frag_len - 12;
3133
3134 cur_hs_frag_len = rem_len > max_hs_frag_len ?
3135 max_hs_frag_len : rem_len;
3136
3137 if( frag_off == 0 && cur_hs_frag_len != hs_len )
3138 {
3139 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
3140 (unsigned) cur_hs_frag_len,
3141 (unsigned) max_hs_frag_len ) );
3142 }
3143
3144 /* Messages are stored with handshake headers as if not fragmented,
3145 * copy beginning of headers then fill fragmentation fields.
3146 * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
3147 memcpy( ssl->out_msg, cur->p, 6 );
3148
3149 ssl->out_msg[6] = ( ( frag_off >> 16 ) & 0xff );
3150 ssl->out_msg[7] = ( ( frag_off >> 8 ) & 0xff );
3151 ssl->out_msg[8] = ( ( frag_off ) & 0xff );
3152
3153 ssl->out_msg[ 9] = ( ( cur_hs_frag_len >> 16 ) & 0xff );
3154 ssl->out_msg[10] = ( ( cur_hs_frag_len >> 8 ) & 0xff );
3155 ssl->out_msg[11] = ( ( cur_hs_frag_len ) & 0xff );
3156
3157 MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
3158
3159 /* Copy the handshake message content and set records fields */
3160 memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
3161 ssl->out_msglen = cur_hs_frag_len + 12;
3162 ssl->out_msgtype = cur->type;
3163
3164 /* Update position inside current message */
3165 ssl->handshake->cur_msg_p += cur_hs_frag_len;
3166 }
3167
3168 /* If done with the current message move to the next one if any */
3169 if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
3170 {
3171 if( cur->next != NULL )
3172 {
3173 ssl->handshake->cur_msg = cur->next;
3174 ssl->handshake->cur_msg_p = cur->next->p + 12;
3175 }
3176 else
3177 {
3178 ssl->handshake->cur_msg = NULL;
3179 ssl->handshake->cur_msg_p = NULL;
3180 }
3181 }
3182
3183 /* Actually send the message out */
3184 if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
3185 {
3186 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
3187 return( ret );
3188 }
3189 }
3190
3191 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3192 return( ret );
3193
3194 /* Update state and set timer */
3195 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
3196 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
3197 else
3198 {
3199 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
3200 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
3201 }
3202
3203 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
3204
3205 return( 0 );
3206}
3207
3208/*
3209 * To be called when the last message of an incoming flight is received.
3210 */
3211void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
3212{
3213 /* We won't need to resend that one any more */
3214 ssl_flight_free( ssl->handshake->flight );
3215 ssl->handshake->flight = NULL;
3216 ssl->handshake->cur_msg = NULL;
3217
3218 /* The next incoming flight will start with this msg_seq */
3219 ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
3220
3221 /* We don't want to remember CCS's across flight boundaries. */
3222 ssl->handshake->buffering.seen_ccs = 0;
3223
3224 /* Clear future message buffering structure. */
3225 ssl_buffering_free( ssl );
3226
3227 /* Cancel timer */
3228 ssl_set_timer( ssl, 0 );
3229
3230 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3231 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
3232 {
3233 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
3234 }
3235 else
3236 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
3237}
3238
3239/*
3240 * To be called when the last message of an outgoing flight is send.
3241 */
3242void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
3243{
3244 ssl_reset_retransmit_timeout( ssl );
3245 ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
3246
3247 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3248 ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
3249 {
3250 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
3251 }
3252 else
3253 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
3254}
3255#endif /* MBEDTLS_SSL_PROTO_DTLS */
3256
3257/*
3258 * Handshake layer functions
3259 */
3260
3261/*
3262 * Write (DTLS: or queue) current handshake (including CCS) message.
3263 *
3264 * - fill in handshake headers
3265 * - update handshake checksum
3266 * - DTLS: save message for resending
3267 * - then pass to the record layer
3268 *
3269 * DTLS: except for HelloRequest, messages are only queued, and will only be
3270 * actually sent when calling flight_transmit() or resend().
3271 *
3272 * Inputs:
3273 * - ssl->out_msglen: 4 + actual handshake message len
3274 * (4 is the size of handshake headers for TLS)
3275 * - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
3276 * - ssl->out_msg + 4: the handshake message body
3277 *
3278 * Outputs, ie state before passing to flight_append() or write_record():
3279 * - ssl->out_msglen: the length of the record contents
3280 * (including handshake headers but excluding record headers)
3281 * - ssl->out_msg: the record contents (handshake headers + content)
3282 */
3283int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
3284{
3285 int ret;
3286 const size_t hs_len = ssl->out_msglen - 4;
3287 const unsigned char hs_type = ssl->out_msg[0];
3288
3289 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
3290
3291 /*
3292 * Sanity checks
3293 */
3294 if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
3295 ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
3296 {
3297 /* In SSLv3, the client might send a NoCertificate alert. */
3298#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
3299 if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
3300 ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
3301 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ) )
3302#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
3303 {
3304 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3305 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3306 }
3307 }
3308
3309 /* Whenever we send anything different from a
3310 * HelloRequest we should be in a handshake - double check. */
3311 if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3312 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
3313 ssl->handshake == NULL )
3314 {
3315 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3316 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3317 }
3318
3319#if defined(MBEDTLS_SSL_PROTO_DTLS)
3320 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3321 ssl->handshake != NULL &&
3322 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
3323 {
3324 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3325 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3326 }
3327#endif
3328
3329 /* Double-check that we did not exceed the bounds
3330 * of the outgoing record buffer.
3331 * This should never fail as the various message
3332 * writing functions must obey the bounds of the
3333 * outgoing record buffer, but better be safe.
3334 *
3335 * Note: We deliberately do not check for the MTU or MFL here.
3336 */
3337 if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
3338 {
3339 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
3340 "size %u, maximum %u",
3341 (unsigned) ssl->out_msglen,
3342 (unsigned) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
3343 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3344 }
3345
3346 /*
3347 * Fill handshake headers
3348 */
3349 if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
3350 {
3351 ssl->out_msg[1] = (unsigned char)( hs_len >> 16 );
3352 ssl->out_msg[2] = (unsigned char)( hs_len >> 8 );
3353 ssl->out_msg[3] = (unsigned char)( hs_len );
3354
3355 /*
3356 * DTLS has additional fields in the Handshake layer,
3357 * between the length field and the actual payload:
3358 * uint16 message_seq;
3359 * uint24 fragment_offset;
3360 * uint24 fragment_length;
3361 */
3362#if defined(MBEDTLS_SSL_PROTO_DTLS)
3363 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3364 {
3365 /* Make room for the additional DTLS fields */
3366 if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
3367 {
3368 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
3369 "size %u, maximum %u",
3370 (unsigned) ( hs_len ),
3371 (unsigned) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
3372 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3373 }
3374
3375 memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
3376 ssl->out_msglen += 8;
3377
3378 /* Write message_seq and update it, except for HelloRequest */
3379 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
3380 {
3381 ssl->out_msg[4] = ( ssl->handshake->out_msg_seq >> 8 ) & 0xFF;
3382 ssl->out_msg[5] = ( ssl->handshake->out_msg_seq ) & 0xFF;
3383 ++( ssl->handshake->out_msg_seq );
3384 }
3385 else
3386 {
3387 ssl->out_msg[4] = 0;
3388 ssl->out_msg[5] = 0;
3389 }
3390
3391 /* Handshake hashes are computed without fragmentation,
3392 * so set frag_offset = 0 and frag_len = hs_len for now */
3393 memset( ssl->out_msg + 6, 0x00, 3 );
3394 memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
3395 }
3396#endif /* MBEDTLS_SSL_PROTO_DTLS */
3397
3398 /* Update running hashes of handshake messages seen */
3399 if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
3400 ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
3401 }
3402
3403 /* Either send now, or just save to be sent (and resent) later */
3404#if defined(MBEDTLS_SSL_PROTO_DTLS)
3405 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3406 ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3407 hs_type == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
3408 {
3409 if( ( ret = ssl_flight_append( ssl ) ) != 0 )
3410 {
3411 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
3412 return( ret );
3413 }
3414 }
3415 else
3416#endif
3417 {
3418 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
3419 {
3420 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
3421 return( ret );
3422 }
3423 }
3424
3425 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
3426
3427 return( 0 );
3428}
3429
3430/*
3431 * Record layer functions
3432 */
3433
3434/*
3435 * Write current record.
3436 *
3437 * Uses:
3438 * - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
3439 * - ssl->out_msglen: length of the record content (excl headers)
3440 * - ssl->out_msg: record content
3441 */
3442int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
3443{
3444 int ret, done = 0;
3445 size_t len = ssl->out_msglen;
3446 uint8_t flush = force_flush;
3447
3448 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
3449
3450#if defined(MBEDTLS_ZLIB_SUPPORT)
3451 if( ssl->transform_out != NULL &&
3452 ssl->session_out->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
3453 {
3454 if( ( ret = ssl_compress_buf( ssl ) ) != 0 )
3455 {
3456 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_compress_buf", ret );
3457 return( ret );
3458 }
3459
3460 len = ssl->out_msglen;
3461 }
3462#endif /*MBEDTLS_ZLIB_SUPPORT */
3463
3464#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
3465 if( mbedtls_ssl_hw_record_write != NULL )
3466 {
3467 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_write()" ) );
3468
3469 ret = mbedtls_ssl_hw_record_write( ssl );
3470 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
3471 {
3472 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_write", ret );
3473 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
3474 }
3475
3476 if( ret == 0 )
3477 done = 1;
3478 }
3479#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
3480 if( !done )
3481 {
3482 unsigned i;
3483 size_t protected_record_size;
3484
3485 ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
3486 mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
3487 ssl->conf->transport, ssl->out_hdr + 1 );
3488
3489 memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
3490 ssl->out_len[0] = (unsigned char)( len >> 8 );
3491 ssl->out_len[1] = (unsigned char)( len );
3492
3493 if( ssl->transform_out != NULL )
3494 {
3495 if( ( ret = ssl_encrypt_buf( ssl ) ) != 0 )
3496 {
3497 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
3498 return( ret );
3499 }
3500
3501 len = ssl->out_msglen;
3502 ssl->out_len[0] = (unsigned char)( len >> 8 );
3503 ssl->out_len[1] = (unsigned char)( len );
3504 }
3505
3506 protected_record_size = len + mbedtls_ssl_hdr_len( ssl );
3507
3508#if defined(MBEDTLS_SSL_PROTO_DTLS)
3509 /* In case of DTLS, double-check that we don't exceed
3510 * the remaining space in the datagram. */
3511 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3512 {
3513 ret = ssl_get_remaining_space_in_datagram( ssl );
3514 if( ret < 0 )
3515 return( ret );
3516
3517 if( protected_record_size > (size_t) ret )
3518 {
3519 /* Should never happen */
3520 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3521 }
3522 }
3523#endif /* MBEDTLS_SSL_PROTO_DTLS */
3524
3525 MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %d, "
3526 "version = [%d:%d], msglen = %d",
3527 ssl->out_hdr[0], ssl->out_hdr[1],
3528 ssl->out_hdr[2], len ) );
3529
3530 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
3531 ssl->out_hdr, protected_record_size );
3532
3533 ssl->out_left += protected_record_size;
3534 ssl->out_hdr += protected_record_size;
3535 ssl_update_out_pointers( ssl, ssl->transform_out );
3536
3537 for( i = 8; i > ssl_ep_len( ssl ); i-- )
3538 if( ++ssl->cur_out_ctr[i - 1] != 0 )
3539 break;
3540
3541 /* The loop goes to its end iff the counter is wrapping */
3542 if( i == ssl_ep_len( ssl ) )
3543 {
3544 MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
3545 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3546 }
3547 }
3548
3549#if defined(MBEDTLS_SSL_PROTO_DTLS)
3550 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3551 flush == SSL_DONT_FORCE_FLUSH )
3552 {
3553 size_t remaining;
3554 ret = ssl_get_remaining_payload_in_datagram( ssl );
3555 if( ret < 0 )
3556 {
3557 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
3558 ret );
3559 return( ret );
3560 }
3561
3562 remaining = (size_t) ret;
3563 if( remaining == 0 )
3564 {
3565 flush = SSL_FORCE_FLUSH;
3566 }
3567 else
3568 {
3569 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
3570 }
3571 }
3572#endif /* MBEDTLS_SSL_PROTO_DTLS */
3573
3574 if( ( flush == SSL_FORCE_FLUSH ) &&
3575 ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
3576 {
3577 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
3578 return( ret );
3579 }
3580
3581 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
3582
3583 return( 0 );
3584}
3585
3586#if defined(MBEDTLS_SSL_PROTO_DTLS)
3587
3588static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
3589{
3590 if( ssl->in_msglen < ssl->in_hslen ||
3591 memcmp( ssl->in_msg + 6, "\0\0\0", 3 ) != 0 ||
3592 memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
3593 {
3594 return( 1 );
3595 }
3596 return( 0 );
3597}
3598
3599static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
3600{
3601 return( ( ssl->in_msg[9] << 16 ) |
3602 ( ssl->in_msg[10] << 8 ) |
3603 ssl->in_msg[11] );
3604}
3605
3606static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
3607{
3608 return( ( ssl->in_msg[6] << 16 ) |
3609 ( ssl->in_msg[7] << 8 ) |
3610 ssl->in_msg[8] );
3611}
3612
3613static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
3614{
3615 uint32_t msg_len, frag_off, frag_len;
3616
3617 msg_len = ssl_get_hs_total_len( ssl );
3618 frag_off = ssl_get_hs_frag_off( ssl );
3619 frag_len = ssl_get_hs_frag_len( ssl );
3620
3621 if( frag_off > msg_len )
3622 return( -1 );
3623
3624 if( frag_len > msg_len - frag_off )
3625 return( -1 );
3626
3627 if( frag_len + 12 > ssl->in_msglen )
3628 return( -1 );
3629
3630 return( 0 );
3631}
3632
3633/*
3634 * Mark bits in bitmask (used for DTLS HS reassembly)
3635 */
3636static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
3637{
3638 unsigned int start_bits, end_bits;
3639
3640 start_bits = 8 - ( offset % 8 );
3641 if( start_bits != 8 )
3642 {
3643 size_t first_byte_idx = offset / 8;
3644
3645 /* Special case */
3646 if( len <= start_bits )
3647 {
3648 for( ; len != 0; len-- )
3649 mask[first_byte_idx] |= 1 << ( start_bits - len );
3650
3651 /* Avoid potential issues with offset or len becoming invalid */
3652 return;
3653 }
3654
3655 offset += start_bits; /* Now offset % 8 == 0 */
3656 len -= start_bits;
3657
3658 for( ; start_bits != 0; start_bits-- )
3659 mask[first_byte_idx] |= 1 << ( start_bits - 1 );
3660 }
3661
3662 end_bits = len % 8;
3663 if( end_bits != 0 )
3664 {
3665 size_t last_byte_idx = ( offset + len ) / 8;
3666
3667 len -= end_bits; /* Now len % 8 == 0 */
3668
3669 for( ; end_bits != 0; end_bits-- )
3670 mask[last_byte_idx] |= 1 << ( 8 - end_bits );
3671 }
3672
3673 memset( mask + offset / 8, 0xFF, len / 8 );
3674}
3675
3676/*
3677 * Check that bitmask is full
3678 */
3679static int ssl_bitmask_check( unsigned char *mask, size_t len )
3680{
3681 size_t i;
3682
3683 for( i = 0; i < len / 8; i++ )
3684 if( mask[i] != 0xFF )
3685 return( -1 );
3686
3687 for( i = 0; i < len % 8; i++ )
3688 if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
3689 return( -1 );
3690
3691 return( 0 );
3692}
3693
3694/* msg_len does not include the handshake header */
3695static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
3696 unsigned add_bitmap )
3697{
3698 size_t alloc_len;
3699
3700 alloc_len = 12; /* Handshake header */
3701 alloc_len += msg_len; /* Content buffer */
3702
3703 if( add_bitmap )
3704 alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap */
3705
3706 return( alloc_len );
3707}
3708
3709#endif /* MBEDTLS_SSL_PROTO_DTLS */
3710
3711static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
3712{
3713 return( ( ssl->in_msg[1] << 16 ) |
3714 ( ssl->in_msg[2] << 8 ) |
3715 ssl->in_msg[3] );
3716}
3717
3718int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
3719{
3720 if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
3721 {
3722 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %d",
3723 ssl->in_msglen ) );
3724 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3725 }
3726
3727 ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
3728
3729 MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
3730 " %d, type = %d, hslen = %d",
3731 ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
3732
3733#if defined(MBEDTLS_SSL_PROTO_DTLS)
3734 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3735 {
3736 int ret;
3737 unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
3738
3739 if( ssl_check_hs_header( ssl ) != 0 )
3740 {
3741 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
3742 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3743 }
3744
3745 if( ssl->handshake != NULL &&
3746 ( ( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER &&
3747 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
3748 ( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3749 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
3750 {
3751 if( recv_msg_seq > ssl->handshake->in_msg_seq )
3752 {
3753 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
3754 recv_msg_seq,
3755 ssl->handshake->in_msg_seq ) );
3756 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3757 }
3758
3759 /* Retransmit only on last message from previous flight, to avoid
3760 * too many retransmissions.
3761 * Besides, No sane server ever retransmits HelloVerifyRequest */
3762 if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
3763 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
3764 {
3765 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
3766 "message_seq = %d, start_of_flight = %d",
3767 recv_msg_seq,
3768 ssl->handshake->in_flight_start_seq ) );
3769
3770 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
3771 {
3772 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
3773 return( ret );
3774 }
3775 }
3776 else
3777 {
3778 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
3779 "message_seq = %d, expected = %d",
3780 recv_msg_seq,
3781 ssl->handshake->in_msg_seq ) );
3782 }
3783
3784 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
3785 }
3786 /* Wait until message completion to increment in_msg_seq */
3787
3788 /* Message reassembly is handled alongside buffering of future
3789 * messages; the commonality is that both handshake fragments and
3790 * future messages cannot be forwarded immediately to the
3791 * handshake logic layer. */
3792 if( ssl_hs_is_proper_fragment( ssl ) == 1 )
3793 {
3794 MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
3795 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3796 }
3797 }
3798 else
3799#endif /* MBEDTLS_SSL_PROTO_DTLS */
3800 /* With TLS we don't handle fragmentation (for now) */
3801 if( ssl->in_msglen < ssl->in_hslen )
3802 {
3803 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
3804 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
3805 }
3806
3807 return( 0 );
3808}
3809
3810void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
3811{
3812 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3813
3814 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
3815 {
3816 ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
3817 }
3818
3819 /* Handshake message is complete, increment counter */
3820#if defined(MBEDTLS_SSL_PROTO_DTLS)
3821 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3822 ssl->handshake != NULL )
3823 {
3824 unsigned offset;
3825 mbedtls_ssl_hs_buffer *hs_buf;
3826
3827 /* Increment handshake sequence number */
3828 hs->in_msg_seq++;
3829
3830 /*
3831 * Clear up handshake buffering and reassembly structure.
3832 */
3833
3834 /* Free first entry */
3835 ssl_buffering_free_slot( ssl, 0 );
3836
3837 /* Shift all other entries */
3838 for( offset = 0, hs_buf = &hs->buffering.hs[0];
3839 offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
3840 offset++, hs_buf++ )
3841 {
3842 *hs_buf = *(hs_buf + 1);
3843 }
3844
3845 /* Create a fresh last entry */
3846 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
3847 }
3848#endif
3849}
3850
3851/*
3852 * DTLS anti-replay: RFC 6347 4.1.2.6
3853 *
3854 * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
3855 * Bit n is set iff record number in_window_top - n has been seen.
3856 *
3857 * Usually, in_window_top is the last record number seen and the lsb of
3858 * in_window is set. The only exception is the initial state (record number 0
3859 * not seen yet).
3860 */
3861#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3862static void ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
3863{
3864 ssl->in_window_top = 0;
3865 ssl->in_window = 0;
3866}
3867
3868static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
3869{
3870 return( ( (uint64_t) buf[0] << 40 ) |
3871 ( (uint64_t) buf[1] << 32 ) |
3872 ( (uint64_t) buf[2] << 24 ) |
3873 ( (uint64_t) buf[3] << 16 ) |
3874 ( (uint64_t) buf[4] << 8 ) |
3875 ( (uint64_t) buf[5] ) );
3876}
3877
3878/*
3879 * Return 0 if sequence number is acceptable, -1 otherwise
3880 */
3881int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl )
3882{
3883 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3884 uint64_t bit;
3885
3886 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3887 return( 0 );
3888
3889 if( rec_seqnum > ssl->in_window_top )
3890 return( 0 );
3891
3892 bit = ssl->in_window_top - rec_seqnum;
3893
3894 if( bit >= 64 )
3895 return( -1 );
3896
3897 if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
3898 return( -1 );
3899
3900 return( 0 );
3901}
3902
3903/*
3904 * Update replay window on new validated record
3905 */
3906void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
3907{
3908 uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3909
3910 if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3911 return;
3912
3913 if( rec_seqnum > ssl->in_window_top )
3914 {
3915 /* Update window_top and the contents of the window */
3916 uint64_t shift = rec_seqnum - ssl->in_window_top;
3917
3918 if( shift >= 64 )
3919 ssl->in_window = 1;
3920 else
3921 {
3922 ssl->in_window <<= shift;
3923 ssl->in_window |= 1;
3924 }
3925
3926 ssl->in_window_top = rec_seqnum;
3927 }
3928 else
3929 {
3930 /* Mark that number as seen in the current window */
3931 uint64_t bit = ssl->in_window_top - rec_seqnum;
3932
3933 if( bit < 64 ) /* Always true, but be extra sure */
3934 ssl->in_window |= (uint64_t) 1 << bit;
3935 }
3936}
3937#endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
3938
3939#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3940/* Forward declaration */
3941static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
3942
3943/*
3944 * Without any SSL context, check if a datagram looks like a ClientHello with
3945 * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
3946 * Both input and output include full DTLS headers.
3947 *
3948 * - if cookie is valid, return 0
3949 * - if ClientHello looks superficially valid but cookie is not,
3950 * fill obuf and set olen, then
3951 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3952 * - otherwise return a specific error code
3953 */
3954static int ssl_check_dtls_clihlo_cookie(
3955 mbedtls_ssl_cookie_write_t *f_cookie_write,
3956 mbedtls_ssl_cookie_check_t *f_cookie_check,
3957 void *p_cookie,
3958 const unsigned char *cli_id, size_t cli_id_len,
3959 const unsigned char *in, size_t in_len,
3960 unsigned char *obuf, size_t buf_len, size_t *olen )
3961{
3962 size_t sid_len, cookie_len;
3963 unsigned char *p;
3964
3965 if( f_cookie_write == NULL || f_cookie_check == NULL )
3966 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
3967
3968 /*
3969 * Structure of ClientHello with record and handshake headers,
3970 * and expected values. We don't need to check a lot, more checks will be
3971 * done when actually parsing the ClientHello - skipping those checks
3972 * avoids code duplication and does not make cookie forging any easier.
3973 *
3974 * 0-0 ContentType type; copied, must be handshake
3975 * 1-2 ProtocolVersion version; copied
3976 * 3-4 uint16 epoch; copied, must be 0
3977 * 5-10 uint48 sequence_number; copied
3978 * 11-12 uint16 length; (ignored)
3979 *
3980 * 13-13 HandshakeType msg_type; (ignored)
3981 * 14-16 uint24 length; (ignored)
3982 * 17-18 uint16 message_seq; copied
3983 * 19-21 uint24 fragment_offset; copied, must be 0
3984 * 22-24 uint24 fragment_length; (ignored)
3985 *
3986 * 25-26 ProtocolVersion client_version; (ignored)
3987 * 27-58 Random random; (ignored)
3988 * 59-xx SessionID session_id; 1 byte len + sid_len content
3989 * 60+ opaque cookie<0..2^8-1>; 1 byte len + content
3990 * ...
3991 *
3992 * Minimum length is 61 bytes.
3993 */
3994 if( in_len < 61 ||
3995 in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
3996 in[3] != 0 || in[4] != 0 ||
3997 in[19] != 0 || in[20] != 0 || in[21] != 0 )
3998 {
3999 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4000 }
4001
4002 sid_len = in[59];
4003 if( sid_len > in_len - 61 )
4004 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4005
4006 cookie_len = in[60 + sid_len];
4007 if( cookie_len > in_len - 60 )
4008 return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
4009
4010 if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
4011 cli_id, cli_id_len ) == 0 )
4012 {
4013 /* Valid cookie */
4014 return( 0 );
4015 }
4016
4017 /*
4018 * If we get here, we've got an invalid cookie, let's prepare HVR.
4019 *
4020 * 0-0 ContentType type; copied
4021 * 1-2 ProtocolVersion version; copied
4022 * 3-4 uint16 epoch; copied
4023 * 5-10 uint48 sequence_number; copied
4024 * 11-12 uint16 length; olen - 13
4025 *
4026 * 13-13 HandshakeType msg_type; hello_verify_request
4027 * 14-16 uint24 length; olen - 25
4028 * 17-18 uint16 message_seq; copied
4029 * 19-21 uint24 fragment_offset; copied
4030 * 22-24 uint24 fragment_length; olen - 25
4031 *
4032 * 25-26 ProtocolVersion server_version; 0xfe 0xff
4033 * 27-27 opaque cookie<0..2^8-1>; cookie_len = olen - 27, cookie
4034 *
4035 * Minimum length is 28.
4036 */
4037 if( buf_len < 28 )
4038 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
4039
4040 /* Copy most fields and adapt others */
4041 memcpy( obuf, in, 25 );
4042 obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
4043 obuf[25] = 0xfe;
4044 obuf[26] = 0xff;
4045
4046 /* Generate and write actual cookie */
4047 p = obuf + 28;
4048 if( f_cookie_write( p_cookie,
4049 &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
4050 {
4051 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4052 }
4053
4054 *olen = p - obuf;
4055
4056 /* Go back and fill length fields */
4057 obuf[27] = (unsigned char)( *olen - 28 );
4058
4059 obuf[14] = obuf[22] = (unsigned char)( ( *olen - 25 ) >> 16 );
4060 obuf[15] = obuf[23] = (unsigned char)( ( *olen - 25 ) >> 8 );
4061 obuf[16] = obuf[24] = (unsigned char)( ( *olen - 25 ) );
4062
4063 obuf[11] = (unsigned char)( ( *olen - 13 ) >> 8 );
4064 obuf[12] = (unsigned char)( ( *olen - 13 ) );
4065
4066 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
4067}
4068
4069/*
4070 * Handle possible client reconnect with the same UDP quadruplet
4071 * (RFC 6347 Section 4.2.8).
4072 *
4073 * Called by ssl_parse_record_header() in case we receive an epoch 0 record
4074 * that looks like a ClientHello.
4075 *
4076 * - if the input looks like a ClientHello without cookies,
4077 * send back HelloVerifyRequest, then
4078 * return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
4079 * - if the input looks like a ClientHello with a valid cookie,
4080 * reset the session of the current context, and
4081 * return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
4082 * - if anything goes wrong, return a specific error code
4083 *
4084 * mbedtls_ssl_read_record() will ignore the record if anything else than
4085 * MBEDTLS_ERR_SSL_CLIENT_RECONNECT or 0 is returned, although this function
4086 * cannot not return 0.
4087 */
4088static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
4089{
4090 int ret;
4091 size_t len;
4092
4093 ret = ssl_check_dtls_clihlo_cookie(
4094 ssl->conf->f_cookie_write,
4095 ssl->conf->f_cookie_check,
4096 ssl->conf->p_cookie,
4097 ssl->cli_id, ssl->cli_id_len,
4098 ssl->in_buf, ssl->in_left,
4099 ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
4100
4101 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
4102
4103 if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
4104 {
4105 int send_ret;
4106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
4107 MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
4108 ssl->out_buf, len );
4109 /* Don't check write errors as we can't do anything here.
4110 * If the error is permanent we'll catch it later,
4111 * if it's not, then hopefully it'll work next time. */
4112 send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len );
4113 MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
4114 (void) send_ret;
4115
4116 return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
4117 }
4118
4119 if( ret == 0 )
4120 {
4121 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) );
4122 if( ( ret = ssl_session_reset_int( ssl, 1 ) ) != 0 )
4123 {
4124 MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
4125 return( ret );
4126 }
4127
4128 return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
4129 }
4130
4131 return( ret );
4132}
4133#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
4134
4135/*
4136 * ContentType type;
4137 * ProtocolVersion version;
4138 * uint16 epoch; // DTLS only
4139 * uint48 sequence_number; // DTLS only
4140 * uint16 length;
4141 *
4142 * Return 0 if header looks sane (and, for DTLS, the record is expected)
4143 * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
4144 * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
4145 *
4146 * With DTLS, mbedtls_ssl_read_record() will:
4147 * 1. proceed with the record if this function returns 0
4148 * 2. drop only the current record if this function returns UNEXPECTED_RECORD
4149 * 3. return CLIENT_RECONNECT if this function return that value
4150 * 4. drop the whole datagram if this function returns anything else.
4151 * Point 2 is needed when the peer is resending, and we have already received
4152 * the first record from a datagram but are still waiting for the others.
4153 */
4154static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
4155{
4156 int major_ver, minor_ver;
4157
4158 MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) );
4159
4160 ssl->in_msgtype = ssl->in_hdr[0];
4161 ssl->in_msglen = ( ssl->in_len[0] << 8 ) | ssl->in_len[1];
4162 mbedtls_ssl_read_version( &major_ver, &minor_ver, ssl->conf->transport, ssl->in_hdr + 1 );
4163
4164 MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %d, "
4165 "version = [%d:%d], msglen = %d",
4166 ssl->in_msgtype,
4167 major_ver, minor_ver, ssl->in_msglen ) );
4168
4169 /* Check record type */
4170 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE &&
4171 ssl->in_msgtype != MBEDTLS_SSL_MSG_ALERT &&
4172 ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
4173 ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
4174 {
4175 MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
4176
4177#if defined(MBEDTLS_SSL_PROTO_DTLS)
4178 /* Silently ignore invalid DTLS records as recommended by RFC 6347
4179 * Section 4.1.2.7 */
4180 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4181#endif /* MBEDTLS_SSL_PROTO_DTLS */
4182 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4183 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
4184
4185 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4186 }
4187
4188 /* Check version */
4189 if( major_ver != ssl->major_ver )
4190 {
4191 MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
4192 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4193 }
4194
4195 if( minor_ver > ssl->conf->max_minor_ver )
4196 {
4197 MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
4198 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4199 }
4200
4201 /* Check length against the size of our buffer */
4202 if( ssl->in_msglen > MBEDTLS_SSL_IN_BUFFER_LEN
4203 - (size_t)( ssl->in_msg - ssl->in_buf ) )
4204 {
4205 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4206 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4207 }
4208
4209 /*
4210 * DTLS-related tests.
4211 * Check epoch before checking length constraint because
4212 * the latter varies with the epoch. E.g., if a ChangeCipherSpec
4213 * message gets duplicated before the corresponding Finished message,
4214 * the second ChangeCipherSpec should be discarded because it belongs
4215 * to an old epoch, but not because its length is shorter than
4216 * the minimum record length for packets using the new record transform.
4217 * Note that these two kinds of failures are handled differently,
4218 * as an unexpected record is silently skipped but an invalid
4219 * record leads to the entire datagram being dropped.
4220 */
4221#if defined(MBEDTLS_SSL_PROTO_DTLS)
4222 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4223 {
4224 unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
4225
4226 /* Check epoch (and sequence number) with DTLS */
4227 if( rec_epoch != ssl->in_epoch )
4228 {
4229 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
4230 "expected %d, received %d",
4231 ssl->in_epoch, rec_epoch ) );
4232
4233#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
4234 /*
4235 * Check for an epoch 0 ClientHello. We can't use in_msg here to
4236 * access the first byte of record content (handshake type), as we
4237 * have an active transform (possibly iv_len != 0), so use the
4238 * fact that the record header len is 13 instead.
4239 */
4240 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
4241 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
4242 rec_epoch == 0 &&
4243 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
4244 ssl->in_left > 13 &&
4245 ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
4246 {
4247 MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
4248 "from the same port" ) );
4249 return( ssl_handle_possible_reconnect( ssl ) );
4250 }
4251 else
4252#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
4253 {
4254 /* Consider buffering the record. */
4255 if( rec_epoch == (unsigned int) ssl->in_epoch + 1 )
4256 {
4257 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
4258 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4259 }
4260
4261 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4262 }
4263 }
4264
4265#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4266 /* Replay detection only works for the current epoch */
4267 if( rec_epoch == ssl->in_epoch &&
4268 mbedtls_ssl_dtls_replay_check( ssl ) != 0 )
4269 {
4270 MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
4271 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4272 }
4273#endif
4274
4275 /* Drop unexpected ApplicationData records,
4276 * except at the beginning of renegotiations */
4277 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
4278 ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
4279#if defined(MBEDTLS_SSL_RENEGOTIATION)
4280 && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
4281 ssl->state == MBEDTLS_SSL_SERVER_HELLO )
4282#endif
4283 )
4284 {
4285 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
4286 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4287 }
4288 }
4289#endif /* MBEDTLS_SSL_PROTO_DTLS */
4290
4291
4292 /* Check length against bounds of the current transform and version */
4293 if( ssl->transform_in == NULL )
4294 {
4295 if( ssl->in_msglen < 1 ||
4296 ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
4297 {
4298 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4299 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4300 }
4301 }
4302 else
4303 {
4304 if( ssl->in_msglen < ssl->transform_in->minlen )
4305 {
4306 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4307 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4308 }
4309
4310#if defined(MBEDTLS_SSL_PROTO_SSL3)
4311 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
4312 ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
4313 {
4314 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4315 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4316 }
4317#endif
4318#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
4319 defined(MBEDTLS_SSL_PROTO_TLS1_2)
4320 /*
4321 * TLS encrypted messages can have up to 256 bytes of padding
4322 */
4323 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
4324 ssl->in_msglen > ssl->transform_in->minlen +
4325 MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
4326 {
4327 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4328 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4329 }
4330#endif
4331 }
4332
4333 return( 0 );
4334}
4335
4336/*
4337 * If applicable, decrypt (and decompress) record content
4338 */
4339static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
4340{
4341 int ret, done = 0;
4342
4343 MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
4344 ssl->in_hdr, mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen );
4345
4346#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
4347 if( mbedtls_ssl_hw_record_read != NULL )
4348 {
4349 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_read()" ) );
4350
4351 ret = mbedtls_ssl_hw_record_read( ssl );
4352 if( ret != 0 && ret != MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH )
4353 {
4354 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_read", ret );
4355 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
4356 }
4357
4358 if( ret == 0 )
4359 done = 1;
4360 }
4361#endif /* MBEDTLS_SSL_HW_RECORD_ACCEL */
4362 if( !done && ssl->transform_in != NULL )
4363 {
4364 if( ( ret = ssl_decrypt_buf( ssl ) ) != 0 )
4365 {
4366 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
4367 return( ret );
4368 }
4369
4370 MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
4371 ssl->in_msg, ssl->in_msglen );
4372
4373 if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
4374 {
4375 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
4376 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4377 }
4378 }
4379
4380#if defined(MBEDTLS_ZLIB_SUPPORT)
4381 if( ssl->transform_in != NULL &&
4382 ssl->session_in->compression == MBEDTLS_SSL_COMPRESS_DEFLATE )
4383 {
4384 if( ( ret = ssl_decompress_buf( ssl ) ) != 0 )
4385 {
4386 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decompress_buf", ret );
4387 return( ret );
4388 }
4389 }
4390#endif /* MBEDTLS_ZLIB_SUPPORT */
4391
4392#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4393 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4394 {
4395 mbedtls_ssl_dtls_replay_update( ssl );
4396 }
4397#endif
4398
4399 return( 0 );
4400}
4401
4402static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
4403
4404/*
4405 * Read a record.
4406 *
4407 * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
4408 * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
4409 *
4410 */
4411
4412/* Helper functions for mbedtls_ssl_read_record(). */
4413static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
4414static int ssl_get_next_record( mbedtls_ssl_context *ssl );
4415static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
4416
4417int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
4418 unsigned update_hs_digest )
4419{
4420 int ret;
4421
4422 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
4423
4424 if( ssl->keep_current_message == 0 )
4425 {
4426 do {
4427
4428 ret = ssl_consume_current_message( ssl );
4429 if( ret != 0 )
4430 return( ret );
4431
4432 if( ssl_record_is_in_progress( ssl ) == 0 )
4433 {
4434#if defined(MBEDTLS_SSL_PROTO_DTLS)
4435 int have_buffered = 0;
4436
4437 /* We only check for buffered messages if the
4438 * current datagram is fully consumed. */
4439 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4440 ssl_next_record_is_in_datagram( ssl ) == 0 )
4441 {
4442 if( ssl_load_buffered_message( ssl ) == 0 )
4443 have_buffered = 1;
4444 }
4445
4446 if( have_buffered == 0 )
4447#endif /* MBEDTLS_SSL_PROTO_DTLS */
4448 {
4449 ret = ssl_get_next_record( ssl );
4450 if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
4451 continue;
4452
4453 if( ret != 0 )
4454 {
4455 MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
4456 return( ret );
4457 }
4458 }
4459 }
4460
4461 ret = mbedtls_ssl_handle_message_type( ssl );
4462
4463#if defined(MBEDTLS_SSL_PROTO_DTLS)
4464 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4465 {
4466 /* Buffer future message */
4467 ret = ssl_buffer_message( ssl );
4468 if( ret != 0 )
4469 return( ret );
4470
4471 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
4472 }
4473#endif /* MBEDTLS_SSL_PROTO_DTLS */
4474
4475 } while( MBEDTLS_ERR_SSL_NON_FATAL == ret ||
4476 MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
4477
4478 if( 0 != ret )
4479 {
4480 MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
4481 return( ret );
4482 }
4483
4484 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
4485 update_hs_digest == 1 )
4486 {
4487 mbedtls_ssl_update_handshake_status( ssl );
4488 }
4489 }
4490 else
4491 {
4492 MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
4493 ssl->keep_current_message = 0;
4494 }
4495
4496 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
4497
4498 return( 0 );
4499}
4500
4501#if defined(MBEDTLS_SSL_PROTO_DTLS)
4502static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
4503{
4504 if( ssl->in_left > ssl->next_record_offset )
4505 return( 1 );
4506
4507 return( 0 );
4508}
4509
4510static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
4511{
4512 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4513 mbedtls_ssl_hs_buffer * hs_buf;
4514 int ret = 0;
4515
4516 if( hs == NULL )
4517 return( -1 );
4518
4519 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
4520
4521 if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
4522 ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4523 {
4524 /* Check if we have seen a ChangeCipherSpec before.
4525 * If yes, synthesize a CCS record. */
4526 if( !hs->buffering.seen_ccs )
4527 {
4528 MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
4529 ret = -1;
4530 goto exit;
4531 }
4532
4533 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
4534 ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
4535 ssl->in_msglen = 1;
4536 ssl->in_msg[0] = 1;
4537
4538 /* As long as they are equal, the exact value doesn't matter. */
4539 ssl->in_left = 0;
4540 ssl->next_record_offset = 0;
4541
4542 hs->buffering.seen_ccs = 0;
4543 goto exit;
4544 }
4545
4546#if defined(MBEDTLS_DEBUG_C)
4547 /* Debug only */
4548 {
4549 unsigned offset;
4550 for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
4551 {
4552 hs_buf = &hs->buffering.hs[offset];
4553 if( hs_buf->is_valid == 1 )
4554 {
4555 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
4556 hs->in_msg_seq + offset,
4557 hs_buf->is_complete ? "fully" : "partially" ) );
4558 }
4559 }
4560 }
4561#endif /* MBEDTLS_DEBUG_C */
4562
4563 /* Check if we have buffered and/or fully reassembled the
4564 * next handshake message. */
4565 hs_buf = &hs->buffering.hs[0];
4566 if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
4567 {
4568 /* Synthesize a record containing the buffered HS message. */
4569 size_t msg_len = ( hs_buf->data[1] << 16 ) |
4570 ( hs_buf->data[2] << 8 ) |
4571 hs_buf->data[3];
4572
4573 /* Double-check that we haven't accidentally buffered
4574 * a message that doesn't fit into the input buffer. */
4575 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
4576 {
4577 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4578 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4579 }
4580
4581 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
4582 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
4583 hs_buf->data, msg_len + 12 );
4584
4585 ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
4586 ssl->in_hslen = msg_len + 12;
4587 ssl->in_msglen = msg_len + 12;
4588 memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
4589
4590 ret = 0;
4591 goto exit;
4592 }
4593 else
4594 {
4595 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
4596 hs->in_msg_seq ) );
4597 }
4598
4599 ret = -1;
4600
4601exit:
4602
4603 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
4604 return( ret );
4605}
4606
4607static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
4608 size_t desired )
4609{
4610 int offset;
4611 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4612 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
4613 (unsigned) desired ) );
4614
4615 /* Get rid of future records epoch first, if such exist. */
4616 ssl_free_buffered_record( ssl );
4617
4618 /* Check if we have enough space available now. */
4619 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4620 hs->buffering.total_bytes_buffered ) )
4621 {
4622 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
4623 return( 0 );
4624 }
4625
4626 /* We don't have enough space to buffer the next expected handshake
4627 * message. Remove buffers used for future messages to gain space,
4628 * starting with the most distant one. */
4629 for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
4630 offset >= 0; offset-- )
4631 {
4632 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
4633 offset ) );
4634
4635 ssl_buffering_free_slot( ssl, (uint8_t) offset );
4636
4637 /* Check if we have enough space available now. */
4638 if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4639 hs->buffering.total_bytes_buffered ) )
4640 {
4641 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
4642 return( 0 );
4643 }
4644 }
4645
4646 return( -1 );
4647}
4648
4649static int ssl_buffer_message( mbedtls_ssl_context *ssl )
4650{
4651 int ret = 0;
4652 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4653
4654 if( hs == NULL )
4655 return( 0 );
4656
4657 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
4658
4659 switch( ssl->in_msgtype )
4660 {
4661 case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
4662 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
4663
4664 hs->buffering.seen_ccs = 1;
4665 break;
4666
4667 case MBEDTLS_SSL_MSG_HANDSHAKE:
4668 {
4669 unsigned recv_msg_seq_offset;
4670 unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
4671 mbedtls_ssl_hs_buffer *hs_buf;
4672 size_t msg_len = ssl->in_hslen - 12;
4673
4674 /* We should never receive an old handshake
4675 * message - double-check nonetheless. */
4676 if( recv_msg_seq < ssl->handshake->in_msg_seq )
4677 {
4678 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4679 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4680 }
4681
4682 recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
4683 if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
4684 {
4685 /* Silently ignore -- message too far in the future */
4686 MBEDTLS_SSL_DEBUG_MSG( 2,
4687 ( "Ignore future HS message with sequence number %u, "
4688 "buffering window %u - %u",
4689 recv_msg_seq, ssl->handshake->in_msg_seq,
4690 ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
4691
4692 goto exit;
4693 }
4694
4695 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
4696 recv_msg_seq, recv_msg_seq_offset ) );
4697
4698 hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
4699
4700 /* Check if the buffering for this seq nr has already commenced. */
4701 if( !hs_buf->is_valid )
4702 {
4703 size_t reassembly_buf_sz;
4704
4705 hs_buf->is_fragmented =
4706 ( ssl_hs_is_proper_fragment( ssl ) == 1 );
4707
4708 /* We copy the message back into the input buffer
4709 * after reassembly, so check that it's not too large.
4710 * This is an implementation-specific limitation
4711 * and not one from the standard, hence it is not
4712 * checked in ssl_check_hs_header(). */
4713 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
4714 {
4715 /* Ignore message */
4716 goto exit;
4717 }
4718
4719 /* Check if we have enough space to buffer the message. */
4720 if( hs->buffering.total_bytes_buffered >
4721 MBEDTLS_SSL_DTLS_MAX_BUFFERING )
4722 {
4723 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4724 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4725 }
4726
4727 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
4728 hs_buf->is_fragmented );
4729
4730 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4731 hs->buffering.total_bytes_buffered ) )
4732 {
4733 if( recv_msg_seq_offset > 0 )
4734 {
4735 /* If we can't buffer a future message because
4736 * of space limitations -- ignore. */
4737 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
4738 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4739 (unsigned) hs->buffering.total_bytes_buffered ) );
4740 goto exit;
4741 }
4742 else
4743 {
4744 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- attempt to make space by freeing buffered future messages\n",
4745 (unsigned) msg_len, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4746 (unsigned) hs->buffering.total_bytes_buffered ) );
4747 }
4748
4749 if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
4750 {
4751 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %u (%u with bitmap) would exceed the compile-time limit %u (already %u bytes buffered) -- fail\n",
4752 (unsigned) msg_len,
4753 (unsigned) reassembly_buf_sz,
4754 MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4755 (unsigned) hs->buffering.total_bytes_buffered ) );
4756 ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4757 goto exit;
4758 }
4759 }
4760
4761 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %d",
4762 msg_len ) );
4763
4764 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
4765 if( hs_buf->data == NULL )
4766 {
4767 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
4768 goto exit;
4769 }
4770 hs_buf->data_len = reassembly_buf_sz;
4771
4772 /* Prepare final header: copy msg_type, length and message_seq,
4773 * then add standardised fragment_offset and fragment_length */
4774 memcpy( hs_buf->data, ssl->in_msg, 6 );
4775 memset( hs_buf->data + 6, 0, 3 );
4776 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
4777
4778 hs_buf->is_valid = 1;
4779
4780 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
4781 }
4782 else
4783 {
4784 /* Make sure msg_type and length are consistent */
4785 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
4786 {
4787 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
4788 /* Ignore */
4789 goto exit;
4790 }
4791 }
4792
4793 if( !hs_buf->is_complete )
4794 {
4795 size_t frag_len, frag_off;
4796 unsigned char * const msg = hs_buf->data + 12;
4797
4798 /*
4799 * Check and copy current fragment
4800 */
4801
4802 /* Validation of header fields already done in
4803 * mbedtls_ssl_prepare_handshake_record(). */
4804 frag_off = ssl_get_hs_frag_off( ssl );
4805 frag_len = ssl_get_hs_frag_len( ssl );
4806
4807 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %d, length = %d",
4808 frag_off, frag_len ) );
4809 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
4810
4811 if( hs_buf->is_fragmented )
4812 {
4813 unsigned char * const bitmask = msg + msg_len;
4814 ssl_bitmask_set( bitmask, frag_off, frag_len );
4815 hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
4816 msg_len ) == 0 );
4817 }
4818 else
4819 {
4820 hs_buf->is_complete = 1;
4821 }
4822
4823 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
4824 hs_buf->is_complete ? "" : "not yet " ) );
4825 }
4826
4827 break;
4828 }
4829
4830 default:
4831 /* We don't buffer other types of messages. */
4832 break;
4833 }
4834
4835exit:
4836
4837 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
4838 return( ret );
4839}
4840#endif /* MBEDTLS_SSL_PROTO_DTLS */
4841
4842static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
4843{
4844 /*
4845 * Consume last content-layer message and potentially
4846 * update in_msglen which keeps track of the contents'
4847 * consumption state.
4848 *
4849 * (1) Handshake messages:
4850 * Remove last handshake message, move content
4851 * and adapt in_msglen.
4852 *
4853 * (2) Alert messages:
4854 * Consume whole record content, in_msglen = 0.
4855 *
4856 * (3) Change cipher spec:
4857 * Consume whole record content, in_msglen = 0.
4858 *
4859 * (4) Application data:
4860 * Don't do anything - the record layer provides
4861 * the application data as a stream transport
4862 * and consumes through mbedtls_ssl_read only.
4863 *
4864 */
4865
4866 /* Case (1): Handshake messages */
4867 if( ssl->in_hslen != 0 )
4868 {
4869 /* Hard assertion to be sure that no application data
4870 * is in flight, as corrupting ssl->in_msglen during
4871 * ssl->in_offt != NULL is fatal. */
4872 if( ssl->in_offt != NULL )
4873 {
4874 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4875 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4876 }
4877
4878 /*
4879 * Get next Handshake message in the current record
4880 */
4881
4882 /* Notes:
4883 * (1) in_hslen is not necessarily the size of the
4884 * current handshake content: If DTLS handshake
4885 * fragmentation is used, that's the fragment
4886 * size instead. Using the total handshake message
4887 * size here is faulty and should be changed at
4888 * some point.
4889 * (2) While it doesn't seem to cause problems, one
4890 * has to be very careful not to assume that in_hslen
4891 * is always <= in_msglen in a sensible communication.
4892 * Again, it's wrong for DTLS handshake fragmentation.
4893 * The following check is therefore mandatory, and
4894 * should not be treated as a silently corrected assertion.
4895 * Additionally, ssl->in_hslen might be arbitrarily out of
4896 * bounds after handling a DTLS message with an unexpected
4897 * sequence number, see mbedtls_ssl_prepare_handshake_record.
4898 */
4899 if( ssl->in_hslen < ssl->in_msglen )
4900 {
4901 ssl->in_msglen -= ssl->in_hslen;
4902 memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
4903 ssl->in_msglen );
4904
4905 MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
4906 ssl->in_msg, ssl->in_msglen );
4907 }
4908 else
4909 {
4910 ssl->in_msglen = 0;
4911 }
4912
4913 ssl->in_hslen = 0;
4914 }
4915 /* Case (4): Application data */
4916 else if( ssl->in_offt != NULL )
4917 {
4918 return( 0 );
4919 }
4920 /* Everything else (CCS & Alerts) */
4921 else
4922 {
4923 ssl->in_msglen = 0;
4924 }
4925
4926 return( 0 );
4927}
4928
4929static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
4930{
4931 if( ssl->in_msglen > 0 )
4932 return( 1 );
4933
4934 return( 0 );
4935}
4936
4937#if defined(MBEDTLS_SSL_PROTO_DTLS)
4938
4939static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
4940{
4941 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4942 if( hs == NULL )
4943 return;
4944
4945 if( hs->buffering.future_record.data != NULL )
4946 {
4947 hs->buffering.total_bytes_buffered -=
4948 hs->buffering.future_record.len;
4949
4950 mbedtls_free( hs->buffering.future_record.data );
4951 hs->buffering.future_record.data = NULL;
4952 }
4953}
4954
4955static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
4956{
4957 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4958 unsigned char * rec;
4959 size_t rec_len;
4960 unsigned rec_epoch;
4961
4962 if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4963 return( 0 );
4964
4965 if( hs == NULL )
4966 return( 0 );
4967
4968 rec = hs->buffering.future_record.data;
4969 rec_len = hs->buffering.future_record.len;
4970 rec_epoch = hs->buffering.future_record.epoch;
4971
4972 if( rec == NULL )
4973 return( 0 );
4974
4975 /* Only consider loading future records if the
4976 * input buffer is empty. */
4977 if( ssl_next_record_is_in_datagram( ssl ) == 1 )
4978 return( 0 );
4979
4980 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
4981
4982 if( rec_epoch != ssl->in_epoch )
4983 {
4984 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
4985 goto exit;
4986 }
4987
4988 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
4989
4990 /* Double-check that the record is not too large */
4991 if( rec_len > MBEDTLS_SSL_IN_BUFFER_LEN -
4992 (size_t)( ssl->in_hdr - ssl->in_buf ) )
4993 {
4994 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4995 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4996 }
4997
4998 memcpy( ssl->in_hdr, rec, rec_len );
4999 ssl->in_left = rec_len;
5000 ssl->next_record_offset = 0;
5001
5002 ssl_free_buffered_record( ssl );
5003
5004exit:
5005 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
5006 return( 0 );
5007}
5008
5009static int ssl_buffer_future_record( mbedtls_ssl_context *ssl )
5010{
5011 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5012 size_t const rec_hdr_len = 13;
5013 size_t const total_buf_sz = rec_hdr_len + ssl->in_msglen;
5014
5015 /* Don't buffer future records outside handshakes. */
5016 if( hs == NULL )
5017 return( 0 );
5018
5019 /* Only buffer handshake records (we are only interested
5020 * in Finished messages). */
5021 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
5022 return( 0 );
5023
5024 /* Don't buffer more than one future epoch record. */
5025 if( hs->buffering.future_record.data != NULL )
5026 return( 0 );
5027
5028 /* Don't buffer record if there's not enough buffering space remaining. */
5029 if( total_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
5030 hs->buffering.total_bytes_buffered ) )
5031 {
5032 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %u would exceed the compile-time limit %u (already %u bytes buffered) -- ignore\n",
5033 (unsigned) total_buf_sz, MBEDTLS_SSL_DTLS_MAX_BUFFERING,
5034 (unsigned) hs->buffering.total_bytes_buffered ) );
5035 return( 0 );
5036 }
5037
5038 /* Buffer record */
5039 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
5040 ssl->in_epoch + 1 ) );
5041 MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", ssl->in_hdr,
5042 rec_hdr_len + ssl->in_msglen );
5043
5044 /* ssl_parse_record_header() only considers records
5045 * of the next epoch as candidates for buffering. */
5046 hs->buffering.future_record.epoch = ssl->in_epoch + 1;
5047 hs->buffering.future_record.len = total_buf_sz;
5048
5049 hs->buffering.future_record.data =
5050 mbedtls_calloc( 1, hs->buffering.future_record.len );
5051 if( hs->buffering.future_record.data == NULL )
5052 {
5053 /* If we run out of RAM trying to buffer a
5054 * record from the next epoch, just ignore. */
5055 return( 0 );
5056 }
5057
5058 memcpy( hs->buffering.future_record.data, ssl->in_hdr, total_buf_sz );
5059
5060 hs->buffering.total_bytes_buffered += total_buf_sz;
5061 return( 0 );
5062}
5063
5064#endif /* MBEDTLS_SSL_PROTO_DTLS */
5065
5066static int ssl_get_next_record( mbedtls_ssl_context *ssl )
5067{
5068 int ret;
5069
5070#if defined(MBEDTLS_SSL_PROTO_DTLS)
5071 /* We might have buffered a future record; if so,
5072 * and if the epoch matches now, load it.
5073 * On success, this call will set ssl->in_left to
5074 * the length of the buffered record, so that
5075 * the calls to ssl_fetch_input() below will
5076 * essentially be no-ops. */
5077 ret = ssl_load_buffered_record( ssl );
5078 if( ret != 0 )
5079 return( ret );
5080#endif /* MBEDTLS_SSL_PROTO_DTLS */
5081
5082 if( ( ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_hdr_len( ssl ) ) ) != 0 )
5083 {
5084 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
5085 return( ret );
5086 }
5087
5088 if( ( ret = ssl_parse_record_header( ssl ) ) != 0 )
5089 {
5090#if defined(MBEDTLS_SSL_PROTO_DTLS)
5091 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5092 ret != MBEDTLS_ERR_SSL_CLIENT_RECONNECT )
5093 {
5094 if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
5095 {
5096 ret = ssl_buffer_future_record( ssl );
5097 if( ret != 0 )
5098 return( ret );
5099
5100 /* Fall through to handling of unexpected records */
5101 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
5102 }
5103
5104 if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
5105 {
5106 /* Skip unexpected record (but not whole datagram) */
5107 ssl->next_record_offset = ssl->in_msglen
5108 + mbedtls_ssl_hdr_len( ssl );
5109
5110 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
5111 "(header)" ) );
5112 }
5113 else
5114 {
5115 /* Skip invalid record and the rest of the datagram */
5116 ssl->next_record_offset = 0;
5117 ssl->in_left = 0;
5118
5119 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
5120 "(header)" ) );
5121 }
5122
5123 /* Get next record */
5124 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
5125 }
5126#endif
5127 return( ret );
5128 }
5129
5130 /*
5131 * Read and optionally decrypt the message contents
5132 */
5133 if( ( ret = mbedtls_ssl_fetch_input( ssl,
5134 mbedtls_ssl_hdr_len( ssl ) + ssl->in_msglen ) ) != 0 )
5135 {
5136 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
5137 return( ret );
5138 }
5139
5140 /* Done reading this record, get ready for the next one */
5141#if defined(MBEDTLS_SSL_PROTO_DTLS)
5142 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5143 {
5144 ssl->next_record_offset = ssl->in_msglen + mbedtls_ssl_hdr_len( ssl );
5145 if( ssl->next_record_offset < ssl->in_left )
5146 {
5147 MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
5148 }
5149 }
5150 else
5151#endif
5152 ssl->in_left = 0;
5153
5154 if( ( ret = ssl_prepare_record_content( ssl ) ) != 0 )
5155 {
5156#if defined(MBEDTLS_SSL_PROTO_DTLS)
5157 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5158 {
5159 /* Silently discard invalid records */
5160 if( ret == MBEDTLS_ERR_SSL_INVALID_RECORD ||
5161 ret == MBEDTLS_ERR_SSL_INVALID_MAC )
5162 {
5163 /* Except when waiting for Finished as a bad mac here
5164 * probably means something went wrong in the handshake
5165 * (eg wrong psk used, mitm downgrade attempt, etc.) */
5166 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
5167 ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
5168 {
5169#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
5170 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
5171 {
5172 mbedtls_ssl_send_alert_message( ssl,
5173 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5174 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
5175 }
5176#endif
5177 return( ret );
5178 }
5179
5180#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
5181 if( ssl->conf->badmac_limit != 0 &&
5182 ++ssl->badmac_seen >= ssl->conf->badmac_limit )
5183 {
5184 MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
5185 return( MBEDTLS_ERR_SSL_INVALID_MAC );
5186 }
5187#endif
5188
5189 /* As above, invalid records cause
5190 * dismissal of the whole datagram. */
5191
5192 ssl->next_record_offset = 0;
5193 ssl->in_left = 0;
5194
5195 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
5196 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
5197 }
5198
5199 return( ret );
5200 }
5201 else
5202#endif
5203 {
5204 /* Error out (and send alert) on invalid records */
5205#if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
5206 if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
5207 {
5208 mbedtls_ssl_send_alert_message( ssl,
5209 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5210 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
5211 }
5212#endif
5213 return( ret );
5214 }
5215 }
5216
5217 return( 0 );
5218}
5219
5220int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
5221{
5222 int ret;
5223
5224 /*
5225 * Handle particular types of records
5226 */
5227 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
5228 {
5229 if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
5230 {
5231 return( ret );
5232 }
5233 }
5234
5235 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
5236 {
5237 if( ssl->in_msglen != 1 )
5238 {
5239 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %d",
5240 ssl->in_msglen ) );
5241 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
5242 }
5243
5244 if( ssl->in_msg[0] != 1 )
5245 {
5246 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
5247 ssl->in_msg[0] ) );
5248 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
5249 }
5250
5251#if defined(MBEDTLS_SSL_PROTO_DTLS)
5252 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5253 ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC &&
5254 ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
5255 {
5256 if( ssl->handshake == NULL )
5257 {
5258 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
5259 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
5260 }
5261
5262 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
5263 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
5264 }
5265#endif
5266 }
5267
5268 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
5269 {
5270 if( ssl->in_msglen != 2 )
5271 {
5272 /* Note: Standard allows for more than one 2 byte alert
5273 to be packed in a single message, but Mbed TLS doesn't
5274 currently support this. */
5275 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %d",
5276 ssl->in_msglen ) );
5277 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
5278 }
5279
5280 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%d:%d]",
5281 ssl->in_msg[0], ssl->in_msg[1] ) );
5282
5283 /*
5284 * Ignore non-fatal alerts, except close_notify and no_renegotiation
5285 */
5286 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
5287 {
5288 MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
5289 ssl->in_msg[1] ) );
5290 return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
5291 }
5292
5293 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5294 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
5295 {
5296 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
5297 return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
5298 }
5299
5300#if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
5301 if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5302 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
5303 {
5304 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no renegotiation alert" ) );
5305 /* Will be handled when trying to parse ServerHello */
5306 return( 0 );
5307 }
5308#endif
5309
5310#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
5311 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
5312 ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5313 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5314 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
5315 {
5316 MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a SSLv3 no_cert" ) );
5317 /* Will be handled in mbedtls_ssl_parse_certificate() */
5318 return( 0 );
5319 }
5320#endif /* MBEDTLS_SSL_PROTO_SSL3 && MBEDTLS_SSL_SRV_C */
5321
5322 /* Silently ignore: fetch new message */
5323 return MBEDTLS_ERR_SSL_NON_FATAL;
5324 }
5325
5326#if defined(MBEDTLS_SSL_PROTO_DTLS)
5327 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5328 ssl->handshake != NULL &&
5329 ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5330 {
5331 ssl_handshake_wrapup_free_hs_transform( ssl );
5332 }
5333#endif
5334
5335 return( 0 );
5336}
5337
5338int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
5339{
5340 int ret;
5341
5342 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5343 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5344 MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) ) != 0 )
5345 {
5346 return( ret );
5347 }
5348
5349 return( 0 );
5350}
5351
5352int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
5353 unsigned char level,
5354 unsigned char message )
5355{
5356 int ret;
5357
5358 if( ssl == NULL || ssl->conf == NULL )
5359 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5360
5361 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
5362 MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
5363
5364 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
5365 ssl->out_msglen = 2;
5366 ssl->out_msg[0] = level;
5367 ssl->out_msg[1] = message;
5368
5369 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
5370 {
5371 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
5372 return( ret );
5373 }
5374 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
5375
5376 return( 0 );
5377}
5378
5379/*
5380 * Handshake functions
5381 */
5382#if !defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) && \
5383 !defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
5384 !defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
5385 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
5386 !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
5387 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \
5388 !defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
5389/* No certificate support -> dummy functions */
5390int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
5391{
5392 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
5393
5394 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
5395
5396 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
5397 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
5398 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
5399 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
5400 {
5401 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
5402 ssl->state++;
5403 return( 0 );
5404 }
5405
5406 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5407 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5408}
5409
5410int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
5411{
5412 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
5413
5414 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
5415
5416 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
5417 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
5418 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
5419 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
5420 {
5421 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
5422 ssl->state++;
5423 return( 0 );
5424 }
5425
5426 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5427 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5428}
5429
5430#else
5431/* Some certificate support -> implement write and parse */
5432
5433int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
5434{
5435 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
5436 size_t i, n;
5437 const mbedtls_x509_crt *crt;
5438 const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
5439
5440 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
5441
5442 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
5443 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
5444 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
5445 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
5446 {
5447 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
5448 ssl->state++;
5449 return( 0 );
5450 }
5451
5452#if defined(MBEDTLS_SSL_CLI_C)
5453 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5454 {
5455 if( ssl->client_auth == 0 )
5456 {
5457 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
5458 ssl->state++;
5459 return( 0 );
5460 }
5461
5462#if defined(MBEDTLS_SSL_PROTO_SSL3)
5463 /*
5464 * If using SSLv3 and got no cert, send an Alert message
5465 * (otherwise an empty Certificate message will be sent).
5466 */
5467 if( mbedtls_ssl_own_cert( ssl ) == NULL &&
5468 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
5469 {
5470 ssl->out_msglen = 2;
5471 ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
5472 ssl->out_msg[0] = MBEDTLS_SSL_ALERT_LEVEL_WARNING;
5473 ssl->out_msg[1] = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
5474
5475 MBEDTLS_SSL_DEBUG_MSG( 2, ( "got no certificate to send" ) );
5476 goto write_msg;
5477 }
5478#endif /* MBEDTLS_SSL_PROTO_SSL3 */
5479 }
5480#endif /* MBEDTLS_SSL_CLI_C */
5481#if defined(MBEDTLS_SSL_SRV_C)
5482 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
5483 {
5484 if( mbedtls_ssl_own_cert( ssl ) == NULL )
5485 {
5486 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate to send" ) );
5487 return( MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED );
5488 }
5489 }
5490#endif
5491
5492 MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", mbedtls_ssl_own_cert( ssl ) );
5493
5494 /*
5495 * 0 . 0 handshake type
5496 * 1 . 3 handshake length
5497 * 4 . 6 length of all certs
5498 * 7 . 9 length of cert. 1
5499 * 10 . n-1 peer certificate
5500 * n . n+2 length of cert. 2
5501 * n+3 . ... upper level cert, etc.
5502 */
5503 i = 7;
5504 crt = mbedtls_ssl_own_cert( ssl );
5505
5506 while( crt != NULL )
5507 {
5508 n = crt->raw.len;
5509 if( n > MBEDTLS_SSL_OUT_CONTENT_LEN - 3 - i )
5510 {
5511 MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate too large, %d > %d",
5512 i + 3 + n, MBEDTLS_SSL_OUT_CONTENT_LEN ) );
5513 return( MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE );
5514 }
5515
5516 ssl->out_msg[i ] = (unsigned char)( n >> 16 );
5517 ssl->out_msg[i + 1] = (unsigned char)( n >> 8 );
5518 ssl->out_msg[i + 2] = (unsigned char)( n );
5519
5520 i += 3; memcpy( ssl->out_msg + i, crt->raw.p, n );
5521 i += n; crt = crt->next;
5522 }
5523
5524 ssl->out_msg[4] = (unsigned char)( ( i - 7 ) >> 16 );
5525 ssl->out_msg[5] = (unsigned char)( ( i - 7 ) >> 8 );
5526 ssl->out_msg[6] = (unsigned char)( ( i - 7 ) );
5527
5528 ssl->out_msglen = i;
5529 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
5530 ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE;
5531
5532#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
5533write_msg:
5534#endif
5535
5536 ssl->state++;
5537
5538 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
5539 {
5540 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
5541 return( ret );
5542 }
5543
5544 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate" ) );
5545
5546 return( ret );
5547}
5548
5549/*
5550 * Once the certificate message is read, parse it into a cert chain and
5551 * perform basic checks, but leave actual verification to the caller
5552 */
5553static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl )
5554{
5555 int ret;
5556 size_t i, n;
5557 uint8_t alert;
5558
5559#if defined(MBEDTLS_SSL_SRV_C)
5560#if defined(MBEDTLS_SSL_PROTO_SSL3)
5561 /*
5562 * Check if the client sent an empty certificate
5563 */
5564 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5565 ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
5566 {
5567 if( ssl->in_msglen == 2 &&
5568 ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
5569 ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
5570 ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_CERT )
5571 {
5572 MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
5573
5574 /* The client was asked for a certificate but didn't send
5575 one. The client should know what's going on, so we
5576 don't send an alert. */
5577 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
5578 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
5579 }
5580 }
5581#endif /* MBEDTLS_SSL_PROTO_SSL3 */
5582
5583#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
5584 defined(MBEDTLS_SSL_PROTO_TLS1_2)
5585 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5586 ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
5587 {
5588 if( ssl->in_hslen == 3 + mbedtls_ssl_hs_hdr_len( ssl ) &&
5589 ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
5590 ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE &&
5591 memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ), "\0\0\0", 3 ) == 0 )
5592 {
5593 MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
5594
5595 /* The client was asked for a certificate but didn't send
5596 one. The client should know what's going on, so we
5597 don't send an alert. */
5598 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
5599 return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
5600 }
5601 }
5602#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
5603 MBEDTLS_SSL_PROTO_TLS1_2 */
5604#endif /* MBEDTLS_SSL_SRV_C */
5605
5606 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
5607 {
5608 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
5609 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5610 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
5611 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5612 }
5613
5614 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_CERTIFICATE ||
5615 ssl->in_hslen < mbedtls_ssl_hs_hdr_len( ssl ) + 3 + 3 )
5616 {
5617 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
5618 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5619 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
5620 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
5621 }
5622
5623 i = mbedtls_ssl_hs_hdr_len( ssl );
5624
5625 /*
5626 * Same message structure as in mbedtls_ssl_write_certificate()
5627 */
5628 n = ( ssl->in_msg[i+1] << 8 ) | ssl->in_msg[i+2];
5629
5630 if( ssl->in_msg[i] != 0 ||
5631 ssl->in_hslen != n + 3 + mbedtls_ssl_hs_hdr_len( ssl ) )
5632 {
5633 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
5634 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5635 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
5636 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
5637 }
5638
5639 /* In case we tried to reuse a session but it failed */
5640 if( ssl->session_negotiate->peer_cert != NULL )
5641 {
5642 mbedtls_x509_crt_free( ssl->session_negotiate->peer_cert );
5643 mbedtls_free( ssl->session_negotiate->peer_cert );
5644 }
5645
5646 if( ( ssl->session_negotiate->peer_cert = mbedtls_calloc( 1,
5647 sizeof( mbedtls_x509_crt ) ) ) == NULL )
5648 {
5649 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
5650 sizeof( mbedtls_x509_crt ) ) );
5651 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5652 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
5653 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
5654 }
5655
5656 mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
5657
5658 i += 3;
5659
5660 while( i < ssl->in_hslen )
5661 {
5662 if ( i + 3 > ssl->in_hslen ) {
5663 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
5664 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5665 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
5666 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
5667 }
5668 if( ssl->in_msg[i] != 0 )
5669 {
5670 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
5671 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5672 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
5673 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
5674 }
5675
5676 n = ( (unsigned int) ssl->in_msg[i + 1] << 8 )
5677 | (unsigned int) ssl->in_msg[i + 2];
5678 i += 3;
5679
5680 if( n < 128 || i + n > ssl->in_hslen )
5681 {
5682 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
5683 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5684 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
5685 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
5686 }
5687
5688 ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
5689 ssl->in_msg + i, n );
5690 switch( ret )
5691 {
5692 case 0: /*ok*/
5693 case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND:
5694 /* Ignore certificate with an unknown algorithm: maybe a
5695 prior certificate was already trusted. */
5696 break;
5697
5698 case MBEDTLS_ERR_X509_ALLOC_FAILED:
5699 alert = MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR;
5700 goto crt_parse_der_failed;
5701
5702 case MBEDTLS_ERR_X509_UNKNOWN_VERSION:
5703 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
5704 goto crt_parse_der_failed;
5705
5706 default:
5707 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
5708 crt_parse_der_failed:
5709 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, alert );
5710 MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
5711 return( ret );
5712 }
5713
5714 i += n;
5715 }
5716
5717 MBEDTLS_SSL_DEBUG_CRT( 3, "peer certificate", ssl->session_negotiate->peer_cert );
5718
5719 /*
5720 * On client, make sure the server cert doesn't change during renego to
5721 * avoid "triple handshake" attack: https://secure-resumption.com/
5722 */
5723#if defined(MBEDTLS_SSL_RENEGOTIATION) && defined(MBEDTLS_SSL_CLI_C)
5724 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
5725 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
5726 {
5727 if( ssl->session->peer_cert == NULL )
5728 {
5729 MBEDTLS_SSL_DEBUG_MSG( 1, ( "new server cert during renegotiation" ) );
5730 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5731 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
5732 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
5733 }
5734
5735 if( ssl->session->peer_cert->raw.len !=
5736 ssl->session_negotiate->peer_cert->raw.len ||
5737 memcmp( ssl->session->peer_cert->raw.p,
5738 ssl->session_negotiate->peer_cert->raw.p,
5739 ssl->session->peer_cert->raw.len ) != 0 )
5740 {
5741 MBEDTLS_SSL_DEBUG_MSG( 1, ( "server cert changed during renegotiation" ) );
5742 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5743 MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED );
5744 return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE );
5745 }
5746 }
5747#endif /* MBEDTLS_SSL_RENEGOTIATION && MBEDTLS_SSL_CLI_C */
5748
5749 return( 0 );
5750}
5751
5752int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
5753{
5754 int ret;
5755 const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
5756 ssl->transform_negotiate->ciphersuite_info;
5757#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
5758 const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
5759 ? ssl->handshake->sni_authmode
5760 : ssl->conf->authmode;
5761#else
5762 const int authmode = ssl->conf->authmode;
5763#endif
5764 void *rs_ctx = NULL;
5765
5766 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
5767
5768 if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
5769 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
5770 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
5771 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
5772 {
5773 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
5774 ssl->state++;
5775 return( 0 );
5776 }
5777
5778#if defined(MBEDTLS_SSL_SRV_C)
5779 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5780 ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
5781 {
5782 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
5783 ssl->state++;
5784 return( 0 );
5785 }
5786
5787 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5788 authmode == MBEDTLS_SSL_VERIFY_NONE )
5789 {
5790 ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
5791 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
5792
5793 ssl->state++;
5794 return( 0 );
5795 }
5796#endif
5797
5798#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
5799 if( ssl->handshake->ecrs_enabled &&
5800 ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
5801 {
5802 goto crt_verify;
5803 }
5804#endif
5805
5806 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
5807 {
5808 /* mbedtls_ssl_read_record may have sent an alert already. We
5809 let it decide whether to alert. */
5810 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5811 return( ret );
5812 }
5813
5814 if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 )
5815 {
5816#if defined(MBEDTLS_SSL_SRV_C)
5817 if( ret == MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE &&
5818 authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
5819 {
5820 ret = 0;
5821 }
5822#endif
5823
5824 ssl->state++;
5825 return( ret );
5826 }
5827
5828#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
5829 if( ssl->handshake->ecrs_enabled)
5830 ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
5831
5832crt_verify:
5833 if( ssl->handshake->ecrs_enabled)
5834 rs_ctx = &ssl->handshake->ecrs_ctx;
5835#endif
5836
5837 if( authmode != MBEDTLS_SSL_VERIFY_NONE )
5838 {
5839 mbedtls_x509_crt *ca_chain;
5840 mbedtls_x509_crl *ca_crl;
5841
5842#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
5843 if( ssl->handshake->sni_ca_chain != NULL )
5844 {
5845 ca_chain = ssl->handshake->sni_ca_chain;
5846 ca_crl = ssl->handshake->sni_ca_crl;
5847 }
5848 else
5849#endif
5850 {
5851 ca_chain = ssl->conf->ca_chain;
5852 ca_crl = ssl->conf->ca_crl;
5853 }
5854
5855 /*
5856 * Main check: verify certificate
5857 */
5858 ret = mbedtls_x509_crt_verify_restartable(
5859 ssl->session_negotiate->peer_cert,
5860 ca_chain, ca_crl,
5861 ssl->conf->cert_profile,
5862 ssl->hostname,
5863 &ssl->session_negotiate->verify_result,
5864 ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
5865
5866 if( ret != 0 )
5867 {
5868 MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
5869 }
5870
5871#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
5872 if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
5873 return( MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS );
5874#endif
5875
5876 /*
5877 * Secondary checks: always done, but change 'ret' only if it was 0
5878 */
5879
5880#if defined(MBEDTLS_ECP_C)
5881 {
5882 const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
5883
5884 /* If certificate uses an EC key, make sure the curve is OK */
5885 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
5886 mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
5887 {
5888 ssl->session_negotiate->verify_result |= MBEDTLS_X509_BADCERT_BAD_KEY;
5889
5890 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
5891 if( ret == 0 )
5892 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
5893 }
5894 }
5895#endif /* MBEDTLS_ECP_C */
5896
5897 if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
5898 ciphersuite_info,
5899 ! ssl->conf->endpoint,
5900 &ssl->session_negotiate->verify_result ) != 0 )
5901 {
5902 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
5903 if( ret == 0 )
5904 ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
5905 }
5906
5907 /* mbedtls_x509_crt_verify_with_profile is supposed to report a
5908 * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
5909 * with details encoded in the verification flags. All other kinds
5910 * of error codes, including those from the user provided f_vrfy
5911 * functions, are treated as fatal and lead to a failure of
5912 * ssl_parse_certificate even if verification was optional. */
5913 if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
5914 ( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
5915 ret == MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE ) )
5916 {
5917 ret = 0;
5918 }
5919
5920 if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
5921 {
5922 MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
5923 ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
5924 }
5925
5926 if( ret != 0 )
5927 {
5928 uint8_t alert;
5929
5930 /* The certificate may have been rejected for several reasons.
5931 Pick one and send the corresponding alert. Which alert to send
5932 may be a subject of debate in some cases. */
5933 if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_OTHER )
5934 alert = MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED;
5935 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH )
5936 alert = MBEDTLS_SSL_ALERT_MSG_BAD_CERT;
5937 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_KEY_USAGE )
5938 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
5939 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE )
5940 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
5941 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NS_CERT_TYPE )
5942 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
5943 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_PK )
5944 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
5945 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_BAD_KEY )
5946 alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT;
5947 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_EXPIRED )
5948 alert = MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED;
5949 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_REVOKED )
5950 alert = MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED;
5951 else if( ssl->session_negotiate->verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
5952 alert = MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA;
5953 else
5954 alert = MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN;
5955 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5956 alert );
5957 }
5958
5959#if defined(MBEDTLS_DEBUG_C)
5960 if( ssl->session_negotiate->verify_result != 0 )
5961 {
5962 MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
5963 ssl->session_negotiate->verify_result ) );
5964 }
5965 else
5966 {
5967 MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
5968 }
5969#endif /* MBEDTLS_DEBUG_C */
5970 }
5971
5972 ssl->state++;
5973
5974 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
5975
5976 return( ret );
5977}
5978#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
5979 !MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
5980 !MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
5981 !MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
5982 !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
5983 !MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
5984 !MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
5985
5986int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
5987{
5988 int ret;
5989
5990 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
5991
5992 ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
5993 ssl->out_msglen = 1;
5994 ssl->out_msg[0] = 1;
5995
5996 ssl->state++;
5997
5998 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
5999 {
6000 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
6001 return( ret );
6002 }
6003
6004 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
6005
6006 return( 0 );
6007}
6008
6009int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
6010{
6011 int ret;
6012
6013 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
6014
6015 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
6016 {
6017 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
6018 return( ret );
6019 }
6020
6021 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
6022 {
6023 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
6024 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6025 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
6026 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
6027 }
6028
6029 /* CCS records are only accepted if they have length 1 and content '1',
6030 * so we don't need to check this here. */
6031
6032 /*
6033 * Switch to our negotiated transform and session parameters for inbound
6034 * data.
6035 */
6036 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
6037 ssl->transform_in = ssl->transform_negotiate;
6038 ssl->session_in = ssl->session_negotiate;
6039
6040#if defined(MBEDTLS_SSL_PROTO_DTLS)
6041 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6042 {
6043#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
6044 ssl_dtls_replay_reset( ssl );
6045#endif
6046
6047 /* Increment epoch */
6048 if( ++ssl->in_epoch == 0 )
6049 {
6050 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
6051 /* This is highly unlikely to happen for legitimate reasons, so
6052 treat it as an attack and don't send an alert. */
6053 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
6054 }
6055 }
6056 else
6057#endif /* MBEDTLS_SSL_PROTO_DTLS */
6058 memset( ssl->in_ctr, 0, 8 );
6059
6060 ssl_update_in_pointers( ssl, ssl->transform_negotiate );
6061
6062#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
6063 if( mbedtls_ssl_hw_record_activate != NULL )
6064 {
6065 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_INBOUND ) ) != 0 )
6066 {
6067 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
6068 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6069 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
6070 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
6071 }
6072 }
6073#endif
6074
6075 ssl->state++;
6076
6077 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
6078
6079 return( 0 );
6080}
6081
6082void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
6083 const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
6084{
6085 ((void) ciphersuite_info);
6086
6087#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6088 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6089 if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
6090 ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
6091 else
6092#endif
6093#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6094#if defined(MBEDTLS_SHA512_C)
6095 if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
6096 ssl->handshake->update_checksum = ssl_update_checksum_sha384;
6097 else
6098#endif
6099#if defined(MBEDTLS_SHA256_C)
6100 if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
6101 ssl->handshake->update_checksum = ssl_update_checksum_sha256;
6102 else
6103#endif
6104#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6105 {
6106 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
6107 return;
6108 }
6109}
6110
6111void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
6112{
6113#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6114 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6115 mbedtls_md5_starts_ret( &ssl->handshake->fin_md5 );
6116 mbedtls_sha1_starts_ret( &ssl->handshake->fin_sha1 );
6117#endif
6118#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6119#if defined(MBEDTLS_SHA256_C)
6120 mbedtls_sha256_starts_ret( &ssl->handshake->fin_sha256, 0 );
6121#endif
6122#if defined(MBEDTLS_SHA512_C)
6123 mbedtls_sha512_starts_ret( &ssl->handshake->fin_sha512, 1 );
6124#endif
6125#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6126}
6127
6128static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
6129 const unsigned char *buf, size_t len )
6130{
6131#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6132 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6133 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
6134 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
6135#endif
6136#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6137#if defined(MBEDTLS_SHA256_C)
6138 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
6139#endif
6140#if defined(MBEDTLS_SHA512_C)
6141 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
6142#endif
6143#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6144}
6145
6146#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6147 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6148static void ssl_update_checksum_md5sha1( mbedtls_ssl_context *ssl,
6149 const unsigned char *buf, size_t len )
6150{
6151 mbedtls_md5_update_ret( &ssl->handshake->fin_md5 , buf, len );
6152 mbedtls_sha1_update_ret( &ssl->handshake->fin_sha1, buf, len );
6153}
6154#endif
6155
6156#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6157#if defined(MBEDTLS_SHA256_C)
6158static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
6159 const unsigned char *buf, size_t len )
6160{
6161 mbedtls_sha256_update_ret( &ssl->handshake->fin_sha256, buf, len );
6162}
6163#endif
6164
6165#if defined(MBEDTLS_SHA512_C)
6166static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
6167 const unsigned char *buf, size_t len )
6168{
6169 mbedtls_sha512_update_ret( &ssl->handshake->fin_sha512, buf, len );
6170}
6171#endif
6172#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6173
6174#if defined(MBEDTLS_SSL_PROTO_SSL3)
6175static void ssl_calc_finished_ssl(
6176 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
6177{
6178 const char *sender;
6179 mbedtls_md5_context md5;
6180 mbedtls_sha1_context sha1;
6181
6182 unsigned char padbuf[48];
6183 unsigned char md5sum[16];
6184 unsigned char sha1sum[20];
6185
6186 mbedtls_ssl_session *session = ssl->session_negotiate;
6187 if( !session )
6188 session = ssl->session;
6189
6190 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished ssl" ) );
6191
6192 mbedtls_md5_init( &md5 );
6193 mbedtls_sha1_init( &sha1 );
6194
6195 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
6196 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
6197
6198 /*
6199 * SSLv3:
6200 * hash =
6201 * MD5( master + pad2 +
6202 * MD5( handshake + sender + master + pad1 ) )
6203 * + SHA1( master + pad2 +
6204 * SHA1( handshake + sender + master + pad1 ) )
6205 */
6206
6207#if !defined(MBEDTLS_MD5_ALT)
6208 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
6209 md5.state, sizeof( md5.state ) );
6210#endif
6211
6212#if !defined(MBEDTLS_SHA1_ALT)
6213 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
6214 sha1.state, sizeof( sha1.state ) );
6215#endif
6216
6217 sender = ( from == MBEDTLS_SSL_IS_CLIENT ) ? "CLNT"
6218 : "SRVR";
6219
6220 memset( padbuf, 0x36, 48 );
6221
6222 mbedtls_md5_update_ret( &md5, (const unsigned char *) sender, 4 );
6223 mbedtls_md5_update_ret( &md5, session->master, 48 );
6224 mbedtls_md5_update_ret( &md5, padbuf, 48 );
6225 mbedtls_md5_finish_ret( &md5, md5sum );
6226
6227 mbedtls_sha1_update_ret( &sha1, (const unsigned char *) sender, 4 );
6228 mbedtls_sha1_update_ret( &sha1, session->master, 48 );
6229 mbedtls_sha1_update_ret( &sha1, padbuf, 40 );
6230 mbedtls_sha1_finish_ret( &sha1, sha1sum );
6231
6232 memset( padbuf, 0x5C, 48 );
6233
6234 mbedtls_md5_starts_ret( &md5 );
6235 mbedtls_md5_update_ret( &md5, session->master, 48 );
6236 mbedtls_md5_update_ret( &md5, padbuf, 48 );
6237 mbedtls_md5_update_ret( &md5, md5sum, 16 );
6238 mbedtls_md5_finish_ret( &md5, buf );
6239
6240 mbedtls_sha1_starts_ret( &sha1 );
6241 mbedtls_sha1_update_ret( &sha1, session->master, 48 );
6242 mbedtls_sha1_update_ret( &sha1, padbuf , 40 );
6243 mbedtls_sha1_update_ret( &sha1, sha1sum, 20 );
6244 mbedtls_sha1_finish_ret( &sha1, buf + 16 );
6245
6246 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, 36 );
6247
6248 mbedtls_md5_free( &md5 );
6249 mbedtls_sha1_free( &sha1 );
6250
6251 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
6252 mbedtls_platform_zeroize( md5sum, sizeof( md5sum ) );
6253 mbedtls_platform_zeroize( sha1sum, sizeof( sha1sum ) );
6254
6255 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
6256}
6257#endif /* MBEDTLS_SSL_PROTO_SSL3 */
6258
6259#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
6260static void ssl_calc_finished_tls(
6261 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
6262{
6263 int len = 12;
6264 const char *sender;
6265 mbedtls_md5_context md5;
6266 mbedtls_sha1_context sha1;
6267 unsigned char padbuf[36];
6268
6269 mbedtls_ssl_session *session = ssl->session_negotiate;
6270 if( !session )
6271 session = ssl->session;
6272
6273 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls" ) );
6274
6275 mbedtls_md5_init( &md5 );
6276 mbedtls_sha1_init( &sha1 );
6277
6278 mbedtls_md5_clone( &md5, &ssl->handshake->fin_md5 );
6279 mbedtls_sha1_clone( &sha1, &ssl->handshake->fin_sha1 );
6280
6281 /*
6282 * TLSv1:
6283 * hash = PRF( master, finished_label,
6284 * MD5( handshake ) + SHA1( handshake ) )[0..11]
6285 */
6286
6287#if !defined(MBEDTLS_MD5_ALT)
6288 MBEDTLS_SSL_DEBUG_BUF( 4, "finished md5 state", (unsigned char *)
6289 md5.state, sizeof( md5.state ) );
6290#endif
6291
6292#if !defined(MBEDTLS_SHA1_ALT)
6293 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha1 state", (unsigned char *)
6294 sha1.state, sizeof( sha1.state ) );
6295#endif
6296
6297 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
6298 ? "client finished"
6299 : "server finished";
6300
6301 mbedtls_md5_finish_ret( &md5, padbuf );
6302 mbedtls_sha1_finish_ret( &sha1, padbuf + 16 );
6303
6304 ssl->handshake->tls_prf( session->master, 48, sender,
6305 padbuf, 36, buf, len );
6306
6307 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
6308
6309 mbedtls_md5_free( &md5 );
6310 mbedtls_sha1_free( &sha1 );
6311
6312 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
6313
6314 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
6315}
6316#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
6317
6318#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6319#if defined(MBEDTLS_SHA256_C)
6320static void ssl_calc_finished_tls_sha256(
6321 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
6322{
6323 int len = 12;
6324 const char *sender;
6325 mbedtls_sha256_context sha256;
6326 unsigned char padbuf[32];
6327
6328 mbedtls_ssl_session *session = ssl->session_negotiate;
6329 if( !session )
6330 session = ssl->session;
6331
6332 mbedtls_sha256_init( &sha256 );
6333
6334 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha256" ) );
6335
6336 mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
6337
6338 /*
6339 * TLSv1.2:
6340 * hash = PRF( master, finished_label,
6341 * Hash( handshake ) )[0.11]
6342 */
6343
6344#if !defined(MBEDTLS_SHA256_ALT)
6345 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha2 state", (unsigned char *)
6346 sha256.state, sizeof( sha256.state ) );
6347#endif
6348
6349 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
6350 ? "client finished"
6351 : "server finished";
6352
6353 mbedtls_sha256_finish_ret( &sha256, padbuf );
6354
6355 ssl->handshake->tls_prf( session->master, 48, sender,
6356 padbuf, 32, buf, len );
6357
6358 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
6359
6360 mbedtls_sha256_free( &sha256 );
6361
6362 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
6363
6364 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
6365}
6366#endif /* MBEDTLS_SHA256_C */
6367
6368#if defined(MBEDTLS_SHA512_C)
6369
6370static void ssl_calc_finished_tls_sha384(
6371 mbedtls_ssl_context *ssl, unsigned char *buf, int from )
6372{
6373 int len = 12;
6374 const char *sender;
6375 mbedtls_sha512_context sha512;
6376 unsigned char padbuf[48];
6377
6378 mbedtls_ssl_session *session = ssl->session_negotiate;
6379 if( !session )
6380 session = ssl->session;
6381
6382 mbedtls_sha512_init( &sha512 );
6383
6384 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> calc finished tls sha384" ) );
6385
6386 mbedtls_sha512_clone( &sha512, &ssl->handshake->fin_sha512 );
6387
6388 /*
6389 * TLSv1.2:
6390 * hash = PRF( master, finished_label,
6391 * Hash( handshake ) )[0.11]
6392 */
6393
6394#if !defined(MBEDTLS_SHA512_ALT)
6395 MBEDTLS_SSL_DEBUG_BUF( 4, "finished sha512 state", (unsigned char *)
6396 sha512.state, sizeof( sha512.state ) );
6397#endif
6398
6399 sender = ( from == MBEDTLS_SSL_IS_CLIENT )
6400 ? "client finished"
6401 : "server finished";
6402 /* mbedtls_sha512_finish_ret's output parameter is declared as a
6403 * 64-byte buffer, but sice we're using SHA-384, we know that the
6404 * output fits in 48 bytes. This is correct C, but GCC 11.1 warns
6405 * about it.
6406 */
6407#if defined(__GNUC__) && __GNUC__ >= 11
6408#pragma GCC diagnostic push
6409#pragma GCC diagnostic ignored "-Wstringop-overflow"
6410#endif
6411 mbedtls_sha512_finish_ret( &sha512, padbuf );
6412#if defined(__GNUC__) && __GNUC__ >= 11
6413#pragma GCC diagnostic pop
6414#endif
6415
6416 ssl->handshake->tls_prf( session->master, 48, sender,
6417 padbuf, 48, buf, len );
6418
6419 MBEDTLS_SSL_DEBUG_BUF( 3, "calc finished result", buf, len );
6420
6421 mbedtls_sha512_free( &sha512 );
6422
6423 mbedtls_platform_zeroize( padbuf, sizeof( padbuf ) );
6424
6425 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
6426}
6427#endif /* MBEDTLS_SHA512_C */
6428#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6429
6430static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
6431{
6432 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup: final free" ) );
6433
6434 /*
6435 * Free our handshake params
6436 */
6437 mbedtls_ssl_handshake_free( ssl );
6438 mbedtls_free( ssl->handshake );
6439 ssl->handshake = NULL;
6440
6441 /*
6442 * Free the previous transform and swith in the current one
6443 */
6444 if( ssl->transform )
6445 {
6446 mbedtls_ssl_transform_free( ssl->transform );
6447 mbedtls_free( ssl->transform );
6448 }
6449 ssl->transform = ssl->transform_negotiate;
6450 ssl->transform_negotiate = NULL;
6451
6452 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
6453}
6454
6455void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
6456{
6457 int resume = ssl->handshake->resume;
6458
6459 MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
6460
6461#if defined(MBEDTLS_SSL_RENEGOTIATION)
6462 if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
6463 {
6464 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_DONE;
6465 ssl->renego_records_seen = 0;
6466 }
6467#endif
6468
6469 /*
6470 * Free the previous session and switch in the current one
6471 */
6472 if( ssl->session )
6473 {
6474#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
6475 /* RFC 7366 3.1: keep the EtM state */
6476 ssl->session_negotiate->encrypt_then_mac =
6477 ssl->session->encrypt_then_mac;
6478#endif
6479
6480 mbedtls_ssl_session_free( ssl->session );
6481 mbedtls_free( ssl->session );
6482 }
6483 ssl->session = ssl->session_negotiate;
6484 ssl->session_negotiate = NULL;
6485
6486 /*
6487 * Add cache entry
6488 */
6489 if( ssl->conf->f_set_cache != NULL &&
6490 ssl->session->id_len != 0 &&
6491 resume == 0 )
6492 {
6493 if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
6494 MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
6495 }
6496
6497#if defined(MBEDTLS_SSL_PROTO_DTLS)
6498 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
6499 ssl->handshake->flight != NULL )
6500 {
6501 /* Cancel handshake timer */
6502 ssl_set_timer( ssl, 0 );
6503
6504 /* Keep last flight around in case we need to resend it:
6505 * we need the handshake and transform structures for that */
6506 MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip freeing handshake and transform" ) );
6507 }
6508 else
6509#endif
6510 ssl_handshake_wrapup_free_hs_transform( ssl );
6511
6512 ssl->state++;
6513
6514 MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
6515}
6516
6517int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
6518{
6519 int ret, hash_len;
6520
6521 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write finished" ) );
6522
6523 ssl_update_out_pointers( ssl, ssl->transform_negotiate );
6524
6525 ssl->handshake->calc_finished( ssl, ssl->out_msg + 4, ssl->conf->endpoint );
6526
6527 /*
6528 * RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
6529 * may define some other value. Currently (early 2016), no defined
6530 * ciphersuite does this (and this is unlikely to change as activity has
6531 * moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
6532 */
6533 hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
6534
6535#if defined(MBEDTLS_SSL_RENEGOTIATION)
6536 ssl->verify_data_len = hash_len;
6537 memcpy( ssl->own_verify_data, ssl->out_msg + 4, hash_len );
6538#endif
6539
6540 ssl->out_msglen = 4 + hash_len;
6541 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
6542 ssl->out_msg[0] = MBEDTLS_SSL_HS_FINISHED;
6543
6544 /*
6545 * In case of session resuming, invert the client and server
6546 * ChangeCipherSpec messages order.
6547 */
6548 if( ssl->handshake->resume != 0 )
6549 {
6550#if defined(MBEDTLS_SSL_CLI_C)
6551 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
6552 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
6553#endif
6554#if defined(MBEDTLS_SSL_SRV_C)
6555 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
6556 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
6557#endif
6558 }
6559 else
6560 ssl->state++;
6561
6562 /*
6563 * Switch to our negotiated transform and session parameters for outbound
6564 * data.
6565 */
6566 MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for outbound data" ) );
6567
6568#if defined(MBEDTLS_SSL_PROTO_DTLS)
6569 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6570 {
6571 unsigned char i;
6572
6573 /* Remember current epoch settings for resending */
6574 ssl->handshake->alt_transform_out = ssl->transform_out;
6575 memcpy( ssl->handshake->alt_out_ctr, ssl->cur_out_ctr, 8 );
6576
6577 /* Set sequence_number to zero */
6578 memset( ssl->cur_out_ctr + 2, 0, 6 );
6579
6580 /* Increment epoch */
6581 for( i = 2; i > 0; i-- )
6582 if( ++ssl->cur_out_ctr[i - 1] != 0 )
6583 break;
6584
6585 /* The loop goes to its end iff the counter is wrapping */
6586 if( i == 0 )
6587 {
6588 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
6589 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
6590 }
6591 }
6592 else
6593#endif /* MBEDTLS_SSL_PROTO_DTLS */
6594 memset( ssl->cur_out_ctr, 0, 8 );
6595
6596 ssl->transform_out = ssl->transform_negotiate;
6597 ssl->session_out = ssl->session_negotiate;
6598
6599#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
6600 if( mbedtls_ssl_hw_record_activate != NULL )
6601 {
6602 if( ( ret = mbedtls_ssl_hw_record_activate( ssl, MBEDTLS_SSL_CHANNEL_OUTBOUND ) ) != 0 )
6603 {
6604 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_activate", ret );
6605 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
6606 }
6607 }
6608#endif
6609
6610#if defined(MBEDTLS_SSL_PROTO_DTLS)
6611 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6612 mbedtls_ssl_send_flight_completed( ssl );
6613#endif
6614
6615 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
6616 {
6617 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
6618 return( ret );
6619 }
6620
6621#if defined(MBEDTLS_SSL_PROTO_DTLS)
6622 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
6623 ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
6624 {
6625 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flight_transmit", ret );
6626 return( ret );
6627 }
6628#endif
6629
6630 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write finished" ) );
6631
6632 return( 0 );
6633}
6634
6635#if defined(MBEDTLS_SSL_PROTO_SSL3)
6636#define SSL_MAX_HASH_LEN 36
6637#else
6638#define SSL_MAX_HASH_LEN 12
6639#endif
6640
6641int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
6642{
6643 int ret;
6644 unsigned int hash_len;
6645 unsigned char buf[SSL_MAX_HASH_LEN];
6646
6647 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse finished" ) );
6648
6649 ssl->handshake->calc_finished( ssl, buf, ssl->conf->endpoint ^ 1 );
6650
6651 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
6652 {
6653 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
6654 return( ret );
6655 }
6656
6657 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
6658 {
6659 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
6660 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6661 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
6662 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
6663 }
6664
6665 /* There is currently no ciphersuite using another length with TLS 1.2 */
6666#if defined(MBEDTLS_SSL_PROTO_SSL3)
6667 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
6668 hash_len = 36;
6669 else
6670#endif
6671 hash_len = 12;
6672
6673 if( ssl->in_msg[0] != MBEDTLS_SSL_HS_FINISHED ||
6674 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) + hash_len )
6675 {
6676 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
6677 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6678 MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
6679 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
6680 }
6681
6682 if( mbedtls_ssl_safer_memcmp( ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ),
6683 buf, hash_len ) != 0 )
6684 {
6685 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad finished message" ) );
6686 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
6687 MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR );
6688 return( MBEDTLS_ERR_SSL_BAD_HS_FINISHED );
6689 }
6690
6691#if defined(MBEDTLS_SSL_RENEGOTIATION)
6692 ssl->verify_data_len = hash_len;
6693 memcpy( ssl->peer_verify_data, buf, hash_len );
6694#endif
6695
6696 if( ssl->handshake->resume != 0 )
6697 {
6698#if defined(MBEDTLS_SSL_CLI_C)
6699 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
6700 ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
6701#endif
6702#if defined(MBEDTLS_SSL_SRV_C)
6703 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
6704 ssl->state = MBEDTLS_SSL_HANDSHAKE_WRAPUP;
6705#endif
6706 }
6707 else
6708 ssl->state++;
6709
6710#if defined(MBEDTLS_SSL_PROTO_DTLS)
6711 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6712 mbedtls_ssl_recv_flight_completed( ssl );
6713#endif
6714
6715 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse finished" ) );
6716
6717 return( 0 );
6718}
6719
6720static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
6721{
6722 memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
6723
6724#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
6725 defined(MBEDTLS_SSL_PROTO_TLS1_1)
6726 mbedtls_md5_init( &handshake->fin_md5 );
6727 mbedtls_sha1_init( &handshake->fin_sha1 );
6728 mbedtls_md5_starts_ret( &handshake->fin_md5 );
6729 mbedtls_sha1_starts_ret( &handshake->fin_sha1 );
6730#endif
6731#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
6732#if defined(MBEDTLS_SHA256_C)
6733 mbedtls_sha256_init( &handshake->fin_sha256 );
6734 mbedtls_sha256_starts_ret( &handshake->fin_sha256, 0 );
6735#endif
6736#if defined(MBEDTLS_SHA512_C)
6737 mbedtls_sha512_init( &handshake->fin_sha512 );
6738 mbedtls_sha512_starts_ret( &handshake->fin_sha512, 1 );
6739#endif
6740#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
6741
6742 handshake->update_checksum = ssl_update_checksum_start;
6743
6744#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
6745 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
6746 mbedtls_ssl_sig_hash_set_init( &handshake->hash_algs );
6747#endif
6748
6749#if defined(MBEDTLS_DHM_C)
6750 mbedtls_dhm_init( &handshake->dhm_ctx );
6751#endif
6752#if defined(MBEDTLS_ECDH_C)
6753 mbedtls_ecdh_init( &handshake->ecdh_ctx );
6754#endif
6755#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
6756 mbedtls_ecjpake_init( &handshake->ecjpake_ctx );
6757#if defined(MBEDTLS_SSL_CLI_C)
6758 handshake->ecjpake_cache = NULL;
6759 handshake->ecjpake_cache_len = 0;
6760#endif
6761#endif
6762
6763#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
6764 mbedtls_x509_crt_restart_init( &handshake->ecrs_ctx );
6765#endif
6766
6767#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
6768 handshake->sni_authmode = MBEDTLS_SSL_VERIFY_UNSET;
6769#endif
6770}
6771
6772static void ssl_transform_init( mbedtls_ssl_transform *transform )
6773{
6774 memset( transform, 0, sizeof(mbedtls_ssl_transform) );
6775
6776 mbedtls_cipher_init( &transform->cipher_ctx_enc );
6777 mbedtls_cipher_init( &transform->cipher_ctx_dec );
6778
6779 mbedtls_md_init( &transform->md_ctx_enc );
6780 mbedtls_md_init( &transform->md_ctx_dec );
6781}
6782
6783void mbedtls_ssl_session_init( mbedtls_ssl_session *session )
6784{
6785 memset( session, 0, sizeof(mbedtls_ssl_session) );
6786}
6787
6788static int ssl_handshake_init( mbedtls_ssl_context *ssl )
6789{
6790 /* Clear old handshake information if present */
6791 if( ssl->transform_negotiate )
6792 mbedtls_ssl_transform_free( ssl->transform_negotiate );
6793 if( ssl->session_negotiate )
6794 mbedtls_ssl_session_free( ssl->session_negotiate );
6795 if( ssl->handshake )
6796 mbedtls_ssl_handshake_free( ssl );
6797
6798 /*
6799 * Either the pointers are now NULL or cleared properly and can be freed.
6800 * Now allocate missing structures.
6801 */
6802 if( ssl->transform_negotiate == NULL )
6803 {
6804 ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
6805 }
6806
6807 if( ssl->session_negotiate == NULL )
6808 {
6809 ssl->session_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_session) );
6810 }
6811
6812 if( ssl->handshake == NULL )
6813 {
6814 ssl->handshake = mbedtls_calloc( 1, sizeof(mbedtls_ssl_handshake_params) );
6815 }
6816
6817 /* All pointers should exist and can be directly freed without issue */
6818 if( ssl->handshake == NULL ||
6819 ssl->transform_negotiate == NULL ||
6820 ssl->session_negotiate == NULL )
6821 {
6822 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
6823
6824 mbedtls_free( ssl->handshake );
6825 mbedtls_free( ssl->transform_negotiate );
6826 mbedtls_free( ssl->session_negotiate );
6827
6828 ssl->handshake = NULL;
6829 ssl->transform_negotiate = NULL;
6830 ssl->session_negotiate = NULL;
6831
6832 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
6833 }
6834
6835 /* Initialize structures */
6836 mbedtls_ssl_session_init( ssl->session_negotiate );
6837 ssl_transform_init( ssl->transform_negotiate );
6838 ssl_handshake_params_init( ssl->handshake );
6839
6840#if defined(MBEDTLS_SSL_PROTO_DTLS)
6841 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6842 {
6843 ssl->handshake->alt_transform_out = ssl->transform_out;
6844
6845 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
6846 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
6847 else
6848 ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
6849
6850 ssl_set_timer( ssl, 0 );
6851 }
6852#endif
6853
6854 return( 0 );
6855}
6856
6857#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
6858/* Dummy cookie callbacks for defaults */
6859static int ssl_cookie_write_dummy( void *ctx,
6860 unsigned char **p, unsigned char *end,
6861 const unsigned char *cli_id, size_t cli_id_len )
6862{
6863 ((void) ctx);
6864 ((void) p);
6865 ((void) end);
6866 ((void) cli_id);
6867 ((void) cli_id_len);
6868
6869 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
6870}
6871
6872static int ssl_cookie_check_dummy( void *ctx,
6873 const unsigned char *cookie, size_t cookie_len,
6874 const unsigned char *cli_id, size_t cli_id_len )
6875{
6876 ((void) ctx);
6877 ((void) cookie);
6878 ((void) cookie_len);
6879 ((void) cli_id);
6880 ((void) cli_id_len);
6881
6882 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
6883}
6884#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY && MBEDTLS_SSL_SRV_C */
6885
6886/* Once ssl->out_hdr as the address of the beginning of the
6887 * next outgoing record is set, deduce the other pointers.
6888 *
6889 * Note: For TLS, we save the implicit record sequence number
6890 * (entering MAC computation) in the 8 bytes before ssl->out_hdr,
6891 * and the caller has to make sure there's space for this.
6892 */
6893
6894static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
6895 mbedtls_ssl_transform *transform )
6896{
6897#if defined(MBEDTLS_SSL_PROTO_DTLS)
6898 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6899 {
6900 ssl->out_ctr = ssl->out_hdr + 3;
6901 ssl->out_len = ssl->out_hdr + 11;
6902 ssl->out_iv = ssl->out_hdr + 13;
6903 }
6904 else
6905#endif
6906 {
6907 ssl->out_ctr = ssl->out_hdr - 8;
6908 ssl->out_len = ssl->out_hdr + 3;
6909 ssl->out_iv = ssl->out_hdr + 5;
6910 }
6911
6912 /* Adjust out_msg to make space for explicit IV, if used. */
6913 if( transform != NULL &&
6914 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
6915 {
6916 ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
6917 }
6918 else
6919 ssl->out_msg = ssl->out_iv;
6920}
6921
6922/* Once ssl->in_hdr as the address of the beginning of the
6923 * next incoming record is set, deduce the other pointers.
6924 *
6925 * Note: For TLS, we save the implicit record sequence number
6926 * (entering MAC computation) in the 8 bytes before ssl->in_hdr,
6927 * and the caller has to make sure there's space for this.
6928 */
6929
6930static void ssl_update_in_pointers( mbedtls_ssl_context *ssl,
6931 mbedtls_ssl_transform *transform )
6932{
6933#if defined(MBEDTLS_SSL_PROTO_DTLS)
6934 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6935 {
6936 ssl->in_ctr = ssl->in_hdr + 3;
6937 ssl->in_len = ssl->in_hdr + 11;
6938 ssl->in_iv = ssl->in_hdr + 13;
6939 }
6940 else
6941#endif
6942 {
6943 ssl->in_ctr = ssl->in_hdr - 8;
6944 ssl->in_len = ssl->in_hdr + 3;
6945 ssl->in_iv = ssl->in_hdr + 5;
6946 }
6947
6948 /* Offset in_msg from in_iv to allow space for explicit IV, if used. */
6949 if( transform != NULL &&
6950 ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
6951 {
6952 ssl->in_msg = ssl->in_iv + transform->ivlen - transform->fixed_ivlen;
6953 }
6954 else
6955 ssl->in_msg = ssl->in_iv;
6956}
6957
6958/*
6959 * Initialize an SSL context
6960 */
6961void mbedtls_ssl_init( mbedtls_ssl_context *ssl )
6962{
6963 memset( ssl, 0, sizeof( mbedtls_ssl_context ) );
6964}
6965
6966/*
6967 * Setup an SSL context
6968 */
6969
6970static void ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
6971{
6972 /* Set the incoming and outgoing record pointers. */
6973#if defined(MBEDTLS_SSL_PROTO_DTLS)
6974 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
6975 {
6976 ssl->out_hdr = ssl->out_buf;
6977 ssl->in_hdr = ssl->in_buf;
6978 }
6979 else
6980#endif /* MBEDTLS_SSL_PROTO_DTLS */
6981 {
6982 ssl->out_hdr = ssl->out_buf + 8;
6983 ssl->in_hdr = ssl->in_buf + 8;
6984 }
6985
6986 /* Derive other internal pointers. */
6987 ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
6988 ssl_update_in_pointers ( ssl, NULL /* no transform enabled */ );
6989}
6990
6991int mbedtls_ssl_setup( mbedtls_ssl_context *ssl,
6992 const mbedtls_ssl_config *conf )
6993{
6994 int ret;
6995
6996 ssl->conf = conf;
6997
6998 /*
6999 * Prepare base structures
7000 */
7001
7002 /* Set to NULL in case of an error condition */
7003 ssl->out_buf = NULL;
7004
7005 ssl->in_buf = mbedtls_calloc( 1, MBEDTLS_SSL_IN_BUFFER_LEN );
7006 if( ssl->in_buf == NULL )
7007 {
7008 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_IN_BUFFER_LEN) );
7009 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
7010 goto error;
7011 }
7012
7013 ssl->out_buf = mbedtls_calloc( 1, MBEDTLS_SSL_OUT_BUFFER_LEN );
7014 if( ssl->out_buf == NULL )
7015 {
7016 MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed", MBEDTLS_SSL_OUT_BUFFER_LEN) );
7017 ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
7018 goto error;
7019 }
7020
7021 ssl_reset_in_out_pointers( ssl );
7022
7023 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
7024 goto error;
7025
7026 return( 0 );
7027
7028error:
7029 mbedtls_free( ssl->in_buf );
7030 mbedtls_free( ssl->out_buf );
7031
7032 ssl->conf = NULL;
7033
7034 ssl->in_buf = NULL;
7035 ssl->out_buf = NULL;
7036
7037 ssl->in_hdr = NULL;
7038 ssl->in_ctr = NULL;
7039 ssl->in_len = NULL;
7040 ssl->in_iv = NULL;
7041 ssl->in_msg = NULL;
7042
7043 ssl->out_hdr = NULL;
7044 ssl->out_ctr = NULL;
7045 ssl->out_len = NULL;
7046 ssl->out_iv = NULL;
7047 ssl->out_msg = NULL;
7048
7049 return( ret );
7050}
7051
7052/*
7053 * Reset an initialized and used SSL context for re-use while retaining
7054 * all application-set variables, function pointers and data.
7055 *
7056 * If partial is non-zero, keep data in the input buffer and client ID.
7057 * (Use when a DTLS client reconnects from the same port.)
7058 */
7059static int ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
7060{
7061 int ret;
7062
7063#if !defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) || \
7064 !defined(MBEDTLS_SSL_SRV_C)
7065 ((void) partial);
7066#endif
7067
7068 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
7069
7070 /* Cancel any possibly running timer */
7071 ssl_set_timer( ssl, 0 );
7072
7073#if defined(MBEDTLS_SSL_RENEGOTIATION)
7074 ssl->renego_status = MBEDTLS_SSL_INITIAL_HANDSHAKE;
7075 ssl->renego_records_seen = 0;
7076
7077 ssl->verify_data_len = 0;
7078 memset( ssl->own_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
7079 memset( ssl->peer_verify_data, 0, MBEDTLS_SSL_VERIFY_DATA_MAX_LEN );
7080#endif
7081 ssl->secure_renegotiation = MBEDTLS_SSL_LEGACY_RENEGOTIATION;
7082
7083 ssl->in_offt = NULL;
7084 ssl_reset_in_out_pointers( ssl );
7085
7086 ssl->in_msgtype = 0;
7087 ssl->in_msglen = 0;
7088#if defined(MBEDTLS_SSL_PROTO_DTLS)
7089 ssl->next_record_offset = 0;
7090 ssl->in_epoch = 0;
7091#endif
7092#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
7093 ssl_dtls_replay_reset( ssl );
7094#endif
7095
7096 ssl->in_hslen = 0;
7097 ssl->nb_zero = 0;
7098
7099 ssl->keep_current_message = 0;
7100
7101 ssl->out_msgtype = 0;
7102 ssl->out_msglen = 0;
7103 ssl->out_left = 0;
7104#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
7105 if( ssl->split_done != MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED )
7106 ssl->split_done = 0;
7107#endif
7108
7109 memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
7110
7111 ssl->transform_in = NULL;
7112 ssl->transform_out = NULL;
7113
7114 ssl->session_in = NULL;
7115 ssl->session_out = NULL;
7116
7117 memset( ssl->out_buf, 0, MBEDTLS_SSL_OUT_BUFFER_LEN );
7118
7119#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
7120 if( partial == 0 )
7121#endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
7122 {
7123 ssl->in_left = 0;
7124 memset( ssl->in_buf, 0, MBEDTLS_SSL_IN_BUFFER_LEN );
7125 }
7126
7127#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
7128 if( mbedtls_ssl_hw_record_reset != NULL )
7129 {
7130 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_reset()" ) );
7131 if( ( ret = mbedtls_ssl_hw_record_reset( ssl ) ) != 0 )
7132 {
7133 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_hw_record_reset", ret );
7134 return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
7135 }
7136 }
7137#endif
7138
7139 if( ssl->transform )
7140 {
7141 mbedtls_ssl_transform_free( ssl->transform );
7142 mbedtls_free( ssl->transform );
7143 ssl->transform = NULL;
7144 }
7145
7146 if( ssl->session )
7147 {
7148 mbedtls_ssl_session_free( ssl->session );
7149 mbedtls_free( ssl->session );
7150 ssl->session = NULL;
7151 }
7152
7153#if defined(MBEDTLS_SSL_ALPN)
7154 ssl->alpn_chosen = NULL;
7155#endif
7156
7157#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
7158#if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE)
7159 if( partial == 0 )
7160#endif
7161 {
7162 mbedtls_free( ssl->cli_id );
7163 ssl->cli_id = NULL;
7164 ssl->cli_id_len = 0;
7165 }
7166#endif
7167
7168 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
7169 return( ret );
7170
7171 return( 0 );
7172}
7173
7174/*
7175 * Reset an initialized and used SSL context for re-use while retaining
7176 * all application-set variables, function pointers and data.
7177 */
7178int mbedtls_ssl_session_reset( mbedtls_ssl_context *ssl )
7179{
7180 return( ssl_session_reset_int( ssl, 0 ) );
7181}
7182
7183/*
7184 * SSL set accessors
7185 */
7186void mbedtls_ssl_conf_endpoint( mbedtls_ssl_config *conf, int endpoint )
7187{
7188 conf->endpoint = endpoint;
7189}
7190
7191void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport )
7192{
7193 conf->transport = transport;
7194}
7195
7196#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
7197void mbedtls_ssl_conf_dtls_anti_replay( mbedtls_ssl_config *conf, char mode )
7198{
7199 conf->anti_replay = mode;
7200}
7201#endif
7202
7203#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
7204void mbedtls_ssl_conf_dtls_badmac_limit( mbedtls_ssl_config *conf, unsigned limit )
7205{
7206 conf->badmac_limit = limit;
7207}
7208#endif
7209
7210#if defined(MBEDTLS_SSL_PROTO_DTLS)
7211
7212void mbedtls_ssl_set_datagram_packing( mbedtls_ssl_context *ssl,
7213 unsigned allow_packing )
7214{
7215 ssl->disable_datagram_packing = !allow_packing;
7216}
7217
7218void mbedtls_ssl_conf_handshake_timeout( mbedtls_ssl_config *conf,
7219 uint32_t min, uint32_t max )
7220{
7221 conf->hs_timeout_min = min;
7222 conf->hs_timeout_max = max;
7223}
7224#endif
7225
7226void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
7227{
7228 conf->authmode = authmode;
7229}
7230
7231#if defined(MBEDTLS_X509_CRT_PARSE_C)
7232void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
7233 int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
7234 void *p_vrfy )
7235{
7236 conf->f_vrfy = f_vrfy;
7237 conf->p_vrfy = p_vrfy;
7238}
7239#endif /* MBEDTLS_X509_CRT_PARSE_C */
7240
7241void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,
7242 int (*f_rng)(void *, unsigned char *, size_t),
7243 void *p_rng )
7244{
7245 conf->f_rng = f_rng;
7246 conf->p_rng = p_rng;
7247}
7248
7249void mbedtls_ssl_conf_dbg( mbedtls_ssl_config *conf,
7250 void (*f_dbg)(void *, int, const char *, int, const char *),
7251 void *p_dbg )
7252{
7253 conf->f_dbg = f_dbg;
7254 conf->p_dbg = p_dbg;
7255}
7256
7257void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
7258 void *p_bio,
7259 mbedtls_ssl_send_t *f_send,
7260 mbedtls_ssl_recv_t *f_recv,
7261 mbedtls_ssl_recv_timeout_t *f_recv_timeout )
7262{
7263 ssl->p_bio = p_bio;
7264 ssl->f_send = f_send;
7265 ssl->f_recv = f_recv;
7266 ssl->f_recv_timeout = f_recv_timeout;
7267}
7268
7269#if defined(MBEDTLS_SSL_PROTO_DTLS)
7270void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu )
7271{
7272 ssl->mtu = mtu;
7273}
7274#endif
7275
7276void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout )
7277{
7278 conf->read_timeout = timeout;
7279}
7280
7281void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
7282 void *p_timer,
7283 mbedtls_ssl_set_timer_t *f_set_timer,
7284 mbedtls_ssl_get_timer_t *f_get_timer )
7285{
7286 ssl->p_timer = p_timer;
7287 ssl->f_set_timer = f_set_timer;
7288 ssl->f_get_timer = f_get_timer;
7289
7290 /* Make sure we start with no timer running */
7291 ssl_set_timer( ssl, 0 );
7292}
7293
7294#if defined(MBEDTLS_SSL_SRV_C)
7295void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
7296 void *p_cache,
7297 int (*f_get_cache)(void *, mbedtls_ssl_session *),
7298 int (*f_set_cache)(void *, const mbedtls_ssl_session *) )
7299{
7300 conf->p_cache = p_cache;
7301 conf->f_get_cache = f_get_cache;
7302 conf->f_set_cache = f_set_cache;
7303}
7304#endif /* MBEDTLS_SSL_SRV_C */
7305
7306#if defined(MBEDTLS_SSL_CLI_C)
7307int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
7308{
7309 int ret;
7310
7311 if( ssl == NULL ||
7312 session == NULL ||
7313 ssl->session_negotiate == NULL ||
7314 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
7315 {
7316 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7317 }
7318
7319 if( ( ret = ssl_session_copy( ssl->session_negotiate, session ) ) != 0 )
7320 return( ret );
7321
7322 ssl->handshake->resume = 1;
7323
7324 return( 0 );
7325}
7326#endif /* MBEDTLS_SSL_CLI_C */
7327
7328void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
7329 const int *ciphersuites )
7330{
7331 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] = ciphersuites;
7332 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] = ciphersuites;
7333 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] = ciphersuites;
7334 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] = ciphersuites;
7335}
7336
7337void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
7338 const int *ciphersuites,
7339 int major, int minor )
7340{
7341 if( major != MBEDTLS_SSL_MAJOR_VERSION_3 )
7342 return;
7343
7344 if( minor < MBEDTLS_SSL_MINOR_VERSION_0 || minor > MBEDTLS_SSL_MINOR_VERSION_3 )
7345 return;
7346
7347 conf->ciphersuite_list[minor] = ciphersuites;
7348}
7349
7350#if defined(MBEDTLS_X509_CRT_PARSE_C)
7351void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
7352 const mbedtls_x509_crt_profile *profile )
7353{
7354 conf->cert_profile = profile;
7355}
7356
7357/* Append a new keycert entry to a (possibly empty) list */
7358static int ssl_append_key_cert( mbedtls_ssl_key_cert **head,
7359 mbedtls_x509_crt *cert,
7360 mbedtls_pk_context *key )
7361{
7362 mbedtls_ssl_key_cert *new_cert;
7363
7364 new_cert = mbedtls_calloc( 1, sizeof( mbedtls_ssl_key_cert ) );
7365 if( new_cert == NULL )
7366 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
7367
7368 new_cert->cert = cert;
7369 new_cert->key = key;
7370 new_cert->next = NULL;
7371
7372 /* Update head is the list was null, else add to the end */
7373 if( *head == NULL )
7374 {
7375 *head = new_cert;
7376 }
7377 else
7378 {
7379 mbedtls_ssl_key_cert *cur = *head;
7380 while( cur->next != NULL )
7381 cur = cur->next;
7382 cur->next = new_cert;
7383 }
7384
7385 return( 0 );
7386}
7387
7388int mbedtls_ssl_conf_own_cert( mbedtls_ssl_config *conf,
7389 mbedtls_x509_crt *own_cert,
7390 mbedtls_pk_context *pk_key )
7391{
7392 return( ssl_append_key_cert( &conf->key_cert, own_cert, pk_key ) );
7393}
7394
7395void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
7396 mbedtls_x509_crt *ca_chain,
7397 mbedtls_x509_crl *ca_crl )
7398{
7399 conf->ca_chain = ca_chain;
7400 conf->ca_crl = ca_crl;
7401}
7402#endif /* MBEDTLS_X509_CRT_PARSE_C */
7403
7404#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7405int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
7406 mbedtls_x509_crt *own_cert,
7407 mbedtls_pk_context *pk_key )
7408{
7409 return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
7410 own_cert, pk_key ) );
7411}
7412
7413void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
7414 mbedtls_x509_crt *ca_chain,
7415 mbedtls_x509_crl *ca_crl )
7416{
7417 ssl->handshake->sni_ca_chain = ca_chain;
7418 ssl->handshake->sni_ca_crl = ca_crl;
7419}
7420
7421void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
7422 int authmode )
7423{
7424 ssl->handshake->sni_authmode = authmode;
7425}
7426#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
7427
7428#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
7429/*
7430 * Set EC J-PAKE password for current handshake
7431 */
7432int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl,
7433 const unsigned char *pw,
7434 size_t pw_len )
7435{
7436 mbedtls_ecjpake_role role;
7437
7438 if( ssl->handshake == NULL || ssl->conf == NULL )
7439 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7440
7441 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
7442 role = MBEDTLS_ECJPAKE_SERVER;
7443 else
7444 role = MBEDTLS_ECJPAKE_CLIENT;
7445
7446 return( mbedtls_ecjpake_setup( &ssl->handshake->ecjpake_ctx,
7447 role,
7448 MBEDTLS_MD_SHA256,
7449 MBEDTLS_ECP_DP_SECP256R1,
7450 pw, pw_len ) );
7451}
7452#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
7453
7454#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
7455int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
7456 const unsigned char *psk, size_t psk_len,
7457 const unsigned char *psk_identity, size_t psk_identity_len )
7458{
7459 if( psk == NULL || psk_identity == NULL )
7460 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7461
7462 if( psk_len > MBEDTLS_PSK_MAX_LEN )
7463 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7464
7465 /* Identity len will be encoded on two bytes */
7466 if( ( psk_identity_len >> 16 ) != 0 ||
7467 psk_identity_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
7468 {
7469 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7470 }
7471
7472 if( conf->psk != NULL )
7473 {
7474 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
7475
7476 mbedtls_free( conf->psk );
7477 conf->psk = NULL;
7478 conf->psk_len = 0;
7479 }
7480 if( conf->psk_identity != NULL )
7481 {
7482 mbedtls_free( conf->psk_identity );
7483 conf->psk_identity = NULL;
7484 conf->psk_identity_len = 0;
7485 }
7486
7487 if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL ||
7488 ( conf->psk_identity = mbedtls_calloc( 1, psk_identity_len ) ) == NULL )
7489 {
7490 mbedtls_free( conf->psk );
7491 mbedtls_free( conf->psk_identity );
7492 conf->psk = NULL;
7493 conf->psk_identity = NULL;
7494 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
7495 }
7496
7497 conf->psk_len = psk_len;
7498 conf->psk_identity_len = psk_identity_len;
7499
7500 memcpy( conf->psk, psk, conf->psk_len );
7501 memcpy( conf->psk_identity, psk_identity, conf->psk_identity_len );
7502
7503 return( 0 );
7504}
7505
7506int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
7507 const unsigned char *psk, size_t psk_len )
7508{
7509 if( psk == NULL || ssl->handshake == NULL )
7510 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7511
7512 if( psk_len > MBEDTLS_PSK_MAX_LEN )
7513 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7514
7515 if( ssl->handshake->psk != NULL )
7516 {
7517 mbedtls_platform_zeroize( ssl->handshake->psk,
7518 ssl->handshake->psk_len );
7519 mbedtls_free( ssl->handshake->psk );
7520 ssl->handshake->psk_len = 0;
7521 }
7522
7523 if( ( ssl->handshake->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
7524 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
7525
7526 ssl->handshake->psk_len = psk_len;
7527 memcpy( ssl->handshake->psk, psk, ssl->handshake->psk_len );
7528
7529 return( 0 );
7530}
7531
7532void mbedtls_ssl_conf_psk_cb( mbedtls_ssl_config *conf,
7533 int (*f_psk)(void *, mbedtls_ssl_context *, const unsigned char *,
7534 size_t),
7535 void *p_psk )
7536{
7537 conf->f_psk = f_psk;
7538 conf->p_psk = p_psk;
7539}
7540#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
7541
7542#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
7543
7544#if !defined(MBEDTLS_DEPRECATED_REMOVED)
7545int mbedtls_ssl_conf_dh_param( mbedtls_ssl_config *conf, const char *dhm_P, const char *dhm_G )
7546{
7547 int ret;
7548
7549 if( ( ret = mbedtls_mpi_read_string( &conf->dhm_P, 16, dhm_P ) ) != 0 ||
7550 ( ret = mbedtls_mpi_read_string( &conf->dhm_G, 16, dhm_G ) ) != 0 )
7551 {
7552 mbedtls_mpi_free( &conf->dhm_P );
7553 mbedtls_mpi_free( &conf->dhm_G );
7554 return( ret );
7555 }
7556
7557 return( 0 );
7558}
7559#endif /* MBEDTLS_DEPRECATED_REMOVED */
7560
7561int mbedtls_ssl_conf_dh_param_bin( mbedtls_ssl_config *conf,
7562 const unsigned char *dhm_P, size_t P_len,
7563 const unsigned char *dhm_G, size_t G_len )
7564{
7565 int ret;
7566
7567 if( ( ret = mbedtls_mpi_read_binary( &conf->dhm_P, dhm_P, P_len ) ) != 0 ||
7568 ( ret = mbedtls_mpi_read_binary( &conf->dhm_G, dhm_G, G_len ) ) != 0 )
7569 {
7570 mbedtls_mpi_free( &conf->dhm_P );
7571 mbedtls_mpi_free( &conf->dhm_G );
7572 return( ret );
7573 }
7574
7575 return( 0 );
7576}
7577
7578int mbedtls_ssl_conf_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context *dhm_ctx )
7579{
7580 int ret;
7581
7582 if( ( ret = mbedtls_mpi_copy( &conf->dhm_P, &dhm_ctx->P ) ) != 0 ||
7583 ( ret = mbedtls_mpi_copy( &conf->dhm_G, &dhm_ctx->G ) ) != 0 )
7584 {
7585 mbedtls_mpi_free( &conf->dhm_P );
7586 mbedtls_mpi_free( &conf->dhm_G );
7587 return( ret );
7588 }
7589
7590 return( 0 );
7591}
7592#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_SRV_C */
7593
7594#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
7595/*
7596 * Set the minimum length for Diffie-Hellman parameters
7597 */
7598void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
7599 unsigned int bitlen )
7600{
7601 conf->dhm_min_bitlen = bitlen;
7602}
7603#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
7604
7605#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
7606/*
7607 * Set allowed/preferred hashes for handshake signatures
7608 */
7609void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
7610 const int *hashes )
7611{
7612 conf->sig_hashes = hashes;
7613}
7614#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
7615
7616#if defined(MBEDTLS_ECP_C)
7617/*
7618 * Set the allowed elliptic curves
7619 */
7620void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
7621 const mbedtls_ecp_group_id *curve_list )
7622{
7623 conf->curve_list = curve_list;
7624}
7625#endif /* MBEDTLS_ECP_C */
7626
7627#if defined(MBEDTLS_X509_CRT_PARSE_C)
7628int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
7629{
7630 /* Initialize to suppress unnecessary compiler warning */
7631 size_t hostname_len = 0;
7632
7633 /* Check if new hostname is valid before
7634 * making any change to current one */
7635 if( hostname != NULL )
7636 {
7637 hostname_len = strlen( hostname );
7638
7639 if( hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
7640 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7641 }
7642
7643 /* Now it's clear that we will overwrite the old hostname,
7644 * so we can free it safely */
7645
7646 if( ssl->hostname != NULL )
7647 {
7648 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
7649 mbedtls_free( ssl->hostname );
7650 }
7651
7652 /* Passing NULL as hostname shall clear the old one */
7653
7654 if( hostname == NULL )
7655 {
7656 ssl->hostname = NULL;
7657 }
7658 else
7659 {
7660 ssl->hostname = mbedtls_calloc( 1, hostname_len + 1 );
7661 if( ssl->hostname == NULL )
7662 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
7663
7664 memcpy( ssl->hostname, hostname, hostname_len );
7665
7666 ssl->hostname[hostname_len] = '\0';
7667 }
7668
7669 return( 0 );
7670}
7671#endif /* MBEDTLS_X509_CRT_PARSE_C */
7672
7673#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
7674void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
7675 int (*f_sni)(void *, mbedtls_ssl_context *,
7676 const unsigned char *, size_t),
7677 void *p_sni )
7678{
7679 conf->f_sni = f_sni;
7680 conf->p_sni = p_sni;
7681}
7682#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
7683
7684#if defined(MBEDTLS_SSL_ALPN)
7685int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **protos )
7686{
7687 size_t cur_len, tot_len;
7688 const char **p;
7689
7690 /*
7691 * RFC 7301 3.1: "Empty strings MUST NOT be included and byte strings
7692 * MUST NOT be truncated."
7693 * We check lengths now rather than later.
7694 */
7695 tot_len = 0;
7696 for( p = protos; *p != NULL; p++ )
7697 {
7698 cur_len = strlen( *p );
7699 tot_len += cur_len;
7700
7701 if( ( cur_len == 0 ) ||
7702 ( cur_len > MBEDTLS_SSL_MAX_ALPN_NAME_LEN ) ||
7703 ( tot_len > MBEDTLS_SSL_MAX_ALPN_LIST_LEN ) )
7704 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7705 }
7706
7707 conf->alpn_list = protos;
7708
7709 return( 0 );
7710}
7711
7712const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
7713{
7714 return( ssl->alpn_chosen );
7715}
7716#endif /* MBEDTLS_SSL_ALPN */
7717
7718void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
7719{
7720 conf->max_major_ver = major;
7721 conf->max_minor_ver = minor;
7722}
7723
7724void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
7725{
7726 conf->min_major_ver = major;
7727 conf->min_minor_ver = minor;
7728}
7729
7730#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
7731void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
7732{
7733 conf->fallback = fallback;
7734}
7735#endif
7736
7737#if defined(MBEDTLS_SSL_SRV_C)
7738void mbedtls_ssl_conf_cert_req_ca_list( mbedtls_ssl_config *conf,
7739 char cert_req_ca_list )
7740{
7741 conf->cert_req_ca_list = cert_req_ca_list;
7742}
7743#endif
7744
7745#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
7746void mbedtls_ssl_conf_encrypt_then_mac( mbedtls_ssl_config *conf, char etm )
7747{
7748 conf->encrypt_then_mac = etm;
7749}
7750#endif
7751
7752#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
7753void mbedtls_ssl_conf_extended_master_secret( mbedtls_ssl_config *conf, char ems )
7754{
7755 conf->extended_ms = ems;
7756}
7757#endif
7758
7759#if defined(MBEDTLS_ARC4_C)
7760void mbedtls_ssl_conf_arc4_support( mbedtls_ssl_config *conf, char arc4 )
7761{
7762 conf->arc4_disabled = arc4;
7763}
7764#endif
7765
7766#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
7767int mbedtls_ssl_conf_max_frag_len( mbedtls_ssl_config *conf, unsigned char mfl_code )
7768{
7769 if( mfl_code >= MBEDTLS_SSL_MAX_FRAG_LEN_INVALID ||
7770 ssl_mfl_code_to_length( mfl_code ) > MBEDTLS_TLS_EXT_ADV_CONTENT_LEN )
7771 {
7772 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
7773 }
7774
7775 conf->mfl_code = mfl_code;
7776
7777 return( 0 );
7778}
7779#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
7780
7781#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
7782void mbedtls_ssl_conf_truncated_hmac( mbedtls_ssl_config *conf, int truncate )
7783{
7784 conf->trunc_hmac = truncate;
7785}
7786#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
7787
7788#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
7789void mbedtls_ssl_conf_cbc_record_splitting( mbedtls_ssl_config *conf, char split )
7790{
7791 conf->cbc_record_splitting = split;
7792}
7793#endif
7794
7795void mbedtls_ssl_conf_legacy_renegotiation( mbedtls_ssl_config *conf, int allow_legacy )
7796{
7797 conf->allow_legacy_renegotiation = allow_legacy;
7798}
7799
7800#if defined(MBEDTLS_SSL_RENEGOTIATION)
7801void mbedtls_ssl_conf_renegotiation( mbedtls_ssl_config *conf, int renegotiation )
7802{
7803 conf->disable_renegotiation = renegotiation;
7804}
7805
7806void mbedtls_ssl_conf_renegotiation_enforced( mbedtls_ssl_config *conf, int max_records )
7807{
7808 conf->renego_max_records = max_records;
7809}
7810
7811void mbedtls_ssl_conf_renegotiation_period( mbedtls_ssl_config *conf,
7812 const unsigned char period[8] )
7813{
7814 memcpy( conf->renego_period, period, 8 );
7815}
7816#endif /* MBEDTLS_SSL_RENEGOTIATION */
7817
7818#if defined(MBEDTLS_SSL_SESSION_TICKETS)
7819#if defined(MBEDTLS_SSL_CLI_C)
7820void mbedtls_ssl_conf_session_tickets( mbedtls_ssl_config *conf, int use_tickets )
7821{
7822 conf->session_tickets = use_tickets;
7823}
7824#endif
7825
7826#if defined(MBEDTLS_SSL_SRV_C)
7827void mbedtls_ssl_conf_session_tickets_cb( mbedtls_ssl_config *conf,
7828 mbedtls_ssl_ticket_write_t *f_ticket_write,
7829 mbedtls_ssl_ticket_parse_t *f_ticket_parse,
7830 void *p_ticket )
7831{
7832 conf->f_ticket_write = f_ticket_write;
7833 conf->f_ticket_parse = f_ticket_parse;
7834 conf->p_ticket = p_ticket;
7835}
7836#endif
7837#endif /* MBEDTLS_SSL_SESSION_TICKETS */
7838
7839#if defined(MBEDTLS_SSL_EXPORT_KEYS)
7840void mbedtls_ssl_conf_export_keys_cb( mbedtls_ssl_config *conf,
7841 mbedtls_ssl_export_keys_t *f_export_keys,
7842 void *p_export_keys )
7843{
7844 conf->f_export_keys = f_export_keys;
7845 conf->p_export_keys = p_export_keys;
7846}
7847#endif
7848
7849#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
7850void mbedtls_ssl_conf_async_private_cb(
7851 mbedtls_ssl_config *conf,
7852 mbedtls_ssl_async_sign_t *f_async_sign,
7853 mbedtls_ssl_async_decrypt_t *f_async_decrypt,
7854 mbedtls_ssl_async_resume_t *f_async_resume,
7855 mbedtls_ssl_async_cancel_t *f_async_cancel,
7856 void *async_config_data )
7857{
7858 conf->f_async_sign_start = f_async_sign;
7859 conf->f_async_decrypt_start = f_async_decrypt;
7860 conf->f_async_resume = f_async_resume;
7861 conf->f_async_cancel = f_async_cancel;
7862 conf->p_async_config_data = async_config_data;
7863}
7864
7865void *mbedtls_ssl_conf_get_async_config_data( const mbedtls_ssl_config *conf )
7866{
7867 return( conf->p_async_config_data );
7868}
7869
7870void *mbedtls_ssl_get_async_operation_data( const mbedtls_ssl_context *ssl )
7871{
7872 if( ssl->handshake == NULL )
7873 return( NULL );
7874 else
7875 return( ssl->handshake->user_async_ctx );
7876}
7877
7878void mbedtls_ssl_set_async_operation_data( mbedtls_ssl_context *ssl,
7879 void *ctx )
7880{
7881 if( ssl->handshake != NULL )
7882 ssl->handshake->user_async_ctx = ctx;
7883}
7884#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
7885
7886/*
7887 * SSL get accessors
7888 */
7889size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
7890{
7891 return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
7892}
7893
7894int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
7895{
7896 /*
7897 * Case A: We're currently holding back
7898 * a message for further processing.
7899 */
7900
7901 if( ssl->keep_current_message == 1 )
7902 {
7903 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
7904 return( 1 );
7905 }
7906
7907 /*
7908 * Case B: Further records are pending in the current datagram.
7909 */
7910
7911#if defined(MBEDTLS_SSL_PROTO_DTLS)
7912 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
7913 ssl->in_left > ssl->next_record_offset )
7914 {
7915 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
7916 return( 1 );
7917 }
7918#endif /* MBEDTLS_SSL_PROTO_DTLS */
7919
7920 /*
7921 * Case C: A handshake message is being processed.
7922 */
7923
7924 if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
7925 {
7926 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
7927 return( 1 );
7928 }
7929
7930 /*
7931 * Case D: An application data message is being processed
7932 */
7933 if( ssl->in_offt != NULL )
7934 {
7935 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
7936 return( 1 );
7937 }
7938
7939 /*
7940 * In all other cases, the rest of the message can be dropped.
7941 * As in ssl_get_next_record, this needs to be adapted if
7942 * we implement support for multiple alerts in single records.
7943 */
7944
7945 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
7946 return( 0 );
7947}
7948
7949uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
7950{
7951 if( ssl->session != NULL )
7952 return( ssl->session->verify_result );
7953
7954 if( ssl->session_negotiate != NULL )
7955 return( ssl->session_negotiate->verify_result );
7956
7957 return( 0xFFFFFFFF );
7958}
7959
7960const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
7961{
7962 if( ssl == NULL || ssl->session == NULL )
7963 return( NULL );
7964
7965 return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
7966}
7967
7968const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
7969{
7970#if defined(MBEDTLS_SSL_PROTO_DTLS)
7971 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
7972 {
7973 switch( ssl->minor_ver )
7974 {
7975 case MBEDTLS_SSL_MINOR_VERSION_2:
7976 return( "DTLSv1.0" );
7977
7978 case MBEDTLS_SSL_MINOR_VERSION_3:
7979 return( "DTLSv1.2" );
7980
7981 default:
7982 return( "unknown (DTLS)" );
7983 }
7984 }
7985#endif
7986
7987 switch( ssl->minor_ver )
7988 {
7989 case MBEDTLS_SSL_MINOR_VERSION_0:
7990 return( "SSLv3.0" );
7991
7992 case MBEDTLS_SSL_MINOR_VERSION_1:
7993 return( "TLSv1.0" );
7994
7995 case MBEDTLS_SSL_MINOR_VERSION_2:
7996 return( "TLSv1.1" );
7997
7998 case MBEDTLS_SSL_MINOR_VERSION_3:
7999 return( "TLSv1.2" );
8000
8001 default:
8002 return( "unknown" );
8003 }
8004}
8005
8006int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
8007{
8008 size_t transform_expansion = 0;
8009 const mbedtls_ssl_transform *transform = ssl->transform_out;
8010 unsigned block_size;
8011
8012 if( transform == NULL )
8013 return( (int) mbedtls_ssl_hdr_len( ssl ) );
8014
8015#if defined(MBEDTLS_ZLIB_SUPPORT)
8016 if( ssl->session_out->compression != MBEDTLS_SSL_COMPRESS_NULL )
8017 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
8018#endif
8019
8020 switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
8021 {
8022 case MBEDTLS_MODE_GCM:
8023 case MBEDTLS_MODE_CCM:
8024 case MBEDTLS_MODE_CHACHAPOLY:
8025 case MBEDTLS_MODE_STREAM:
8026 transform_expansion = transform->minlen;
8027 break;
8028
8029 case MBEDTLS_MODE_CBC:
8030
8031 block_size = mbedtls_cipher_get_block_size(
8032 &transform->cipher_ctx_enc );
8033
8034 /* Expansion due to the addition of the MAC. */
8035 transform_expansion += transform->maclen;
8036
8037 /* Expansion due to the addition of CBC padding;
8038 * Theoretically up to 256 bytes, but we never use
8039 * more than the block size of the underlying cipher. */
8040 transform_expansion += block_size;
8041
8042 /* For TLS 1.1 or higher, an explicit IV is added
8043 * after the record header. */
8044#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
8045 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
8046 transform_expansion += block_size;
8047#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
8048
8049 break;
8050
8051 default:
8052 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
8053 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
8054 }
8055
8056 return( (int)( mbedtls_ssl_hdr_len( ssl ) + transform_expansion ) );
8057}
8058
8059#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
8060size_t mbedtls_ssl_get_max_frag_len( const mbedtls_ssl_context *ssl )
8061{
8062 size_t max_len;
8063
8064 /*
8065 * Assume mfl_code is correct since it was checked when set
8066 */
8067 max_len = ssl_mfl_code_to_length( ssl->conf->mfl_code );
8068
8069 /* Check if a smaller max length was negotiated */
8070 if( ssl->session_out != NULL &&
8071 ssl_mfl_code_to_length( ssl->session_out->mfl_code ) < max_len )
8072 {
8073 max_len = ssl_mfl_code_to_length( ssl->session_out->mfl_code );
8074 }
8075
8076 /* During a handshake, use the value being negotiated */
8077 if( ssl->session_negotiate != NULL &&
8078 ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code ) < max_len )
8079 {
8080 max_len = ssl_mfl_code_to_length( ssl->session_negotiate->mfl_code );
8081 }
8082
8083 return( max_len );
8084}
8085#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
8086
8087#if defined(MBEDTLS_SSL_PROTO_DTLS)
8088static size_t ssl_get_current_mtu( const mbedtls_ssl_context *ssl )
8089{
8090 /* Return unlimited mtu for client hello messages to avoid fragmentation. */
8091 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
8092 ( ssl->state == MBEDTLS_SSL_CLIENT_HELLO ||
8093 ssl->state == MBEDTLS_SSL_SERVER_HELLO ) )
8094 return ( 0 );
8095
8096 if( ssl->handshake == NULL || ssl->handshake->mtu == 0 )
8097 return( ssl->mtu );
8098
8099 if( ssl->mtu == 0 )
8100 return( ssl->handshake->mtu );
8101
8102 return( ssl->mtu < ssl->handshake->mtu ?
8103 ssl->mtu : ssl->handshake->mtu );
8104}
8105#endif /* MBEDTLS_SSL_PROTO_DTLS */
8106
8107int mbedtls_ssl_get_max_out_record_payload( const mbedtls_ssl_context *ssl )
8108{
8109 size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
8110
8111#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
8112 !defined(MBEDTLS_SSL_PROTO_DTLS)
8113 (void) ssl;
8114#endif
8115
8116#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
8117 const size_t mfl = mbedtls_ssl_get_max_frag_len( ssl );
8118
8119 if( max_len > mfl )
8120 max_len = mfl;
8121#endif
8122
8123#if defined(MBEDTLS_SSL_PROTO_DTLS)
8124 if( ssl_get_current_mtu( ssl ) != 0 )
8125 {
8126 const size_t mtu = ssl_get_current_mtu( ssl );
8127 const int ret = mbedtls_ssl_get_record_expansion( ssl );
8128 const size_t overhead = (size_t) ret;
8129
8130 if( ret < 0 )
8131 return( ret );
8132
8133 if( mtu <= overhead )
8134 {
8135 MBEDTLS_SSL_DEBUG_MSG( 1, ( "MTU too low for record expansion" ) );
8136 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
8137 }
8138
8139 if( max_len > mtu - overhead )
8140 max_len = mtu - overhead;
8141 }
8142#endif /* MBEDTLS_SSL_PROTO_DTLS */
8143
8144#if !defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) && \
8145 !defined(MBEDTLS_SSL_PROTO_DTLS)
8146 ((void) ssl);
8147#endif
8148
8149 return( (int) max_len );
8150}
8151
8152#if defined(MBEDTLS_X509_CRT_PARSE_C)
8153const mbedtls_x509_crt *mbedtls_ssl_get_peer_cert( const mbedtls_ssl_context *ssl )
8154{
8155 if( ssl == NULL || ssl->session == NULL )
8156 return( NULL );
8157
8158 return( ssl->session->peer_cert );
8159}
8160#endif /* MBEDTLS_X509_CRT_PARSE_C */
8161
8162#if defined(MBEDTLS_SSL_CLI_C)
8163int mbedtls_ssl_get_session( const mbedtls_ssl_context *ssl, mbedtls_ssl_session *dst )
8164{
8165 if( ssl == NULL ||
8166 dst == NULL ||
8167 ssl->session == NULL ||
8168 ssl->conf->endpoint != MBEDTLS_SSL_IS_CLIENT )
8169 {
8170 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8171 }
8172
8173 return( ssl_session_copy( dst, ssl->session ) );
8174}
8175#endif /* MBEDTLS_SSL_CLI_C */
8176
8177/*
8178 * Perform a single step of the SSL handshake
8179 */
8180int mbedtls_ssl_handshake_step( mbedtls_ssl_context *ssl )
8181{
8182 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
8183
8184 if( ssl == NULL || ssl->conf == NULL )
8185 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8186
8187#if defined(MBEDTLS_SSL_CLI_C)
8188 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
8189 ret = mbedtls_ssl_handshake_client_step( ssl );
8190#endif
8191#if defined(MBEDTLS_SSL_SRV_C)
8192 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
8193 ret = mbedtls_ssl_handshake_server_step( ssl );
8194#endif
8195
8196 return( ret );
8197}
8198
8199/*
8200 * Perform the SSL handshake
8201 */
8202int mbedtls_ssl_handshake( mbedtls_ssl_context *ssl )
8203{
8204 int ret = 0;
8205
8206 if( ssl == NULL || ssl->conf == NULL )
8207 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8208
8209 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> handshake" ) );
8210
8211 while( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
8212 {
8213 ret = mbedtls_ssl_handshake_step( ssl );
8214
8215 if( ret != 0 )
8216 break;
8217 }
8218
8219 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= handshake" ) );
8220
8221 return( ret );
8222}
8223
8224#if defined(MBEDTLS_SSL_RENEGOTIATION)
8225#if defined(MBEDTLS_SSL_SRV_C)
8226/*
8227 * Write HelloRequest to request renegotiation on server
8228 */
8229static int ssl_write_hello_request( mbedtls_ssl_context *ssl )
8230{
8231 int ret;
8232
8233 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello request" ) );
8234
8235 ssl->out_msglen = 4;
8236 ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
8237 ssl->out_msg[0] = MBEDTLS_SSL_HS_HELLO_REQUEST;
8238
8239 if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
8240 {
8241 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
8242 return( ret );
8243 }
8244
8245 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello request" ) );
8246
8247 return( 0 );
8248}
8249#endif /* MBEDTLS_SSL_SRV_C */
8250
8251/*
8252 * Actually renegotiate current connection, triggered by either:
8253 * - any side: calling mbedtls_ssl_renegotiate(),
8254 * - client: receiving a HelloRequest during mbedtls_ssl_read(),
8255 * - server: receiving any handshake message on server during mbedtls_ssl_read() after
8256 * the initial handshake is completed.
8257 * If the handshake doesn't complete due to waiting for I/O, it will continue
8258 * during the next calls to mbedtls_ssl_renegotiate() or mbedtls_ssl_read() respectively.
8259 */
8260static int ssl_start_renegotiation( mbedtls_ssl_context *ssl )
8261{
8262 int ret;
8263
8264 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> renegotiate" ) );
8265
8266 if( ( ret = ssl_handshake_init( ssl ) ) != 0 )
8267 return( ret );
8268
8269 /* RFC 6347 4.2.2: "[...] the HelloRequest will have message_seq = 0 and
8270 * the ServerHello will have message_seq = 1" */
8271#if defined(MBEDTLS_SSL_PROTO_DTLS)
8272 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8273 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
8274 {
8275 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
8276 ssl->handshake->out_msg_seq = 1;
8277 else
8278 ssl->handshake->in_msg_seq = 1;
8279 }
8280#endif
8281
8282 ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
8283 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS;
8284
8285 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
8286 {
8287 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
8288 return( ret );
8289 }
8290
8291 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= renegotiate" ) );
8292
8293 return( 0 );
8294}
8295
8296/*
8297 * Renegotiate current connection on client,
8298 * or request renegotiation on server
8299 */
8300int mbedtls_ssl_renegotiate( mbedtls_ssl_context *ssl )
8301{
8302 int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
8303
8304 if( ssl == NULL || ssl->conf == NULL )
8305 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8306
8307#if defined(MBEDTLS_SSL_SRV_C)
8308 /* On server, just send the request */
8309 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
8310 {
8311 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
8312 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8313
8314 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
8315
8316 /* Did we already try/start sending HelloRequest? */
8317 if( ssl->out_left != 0 )
8318 return( mbedtls_ssl_flush_output( ssl ) );
8319
8320 return( ssl_write_hello_request( ssl ) );
8321 }
8322#endif /* MBEDTLS_SSL_SRV_C */
8323
8324#if defined(MBEDTLS_SSL_CLI_C)
8325 /*
8326 * On client, either start the renegotiation process or,
8327 * if already in progress, continue the handshake
8328 */
8329 if( ssl->renego_status != MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS )
8330 {
8331 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
8332 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8333
8334 if( ( ret = ssl_start_renegotiation( ssl ) ) != 0 )
8335 {
8336 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
8337 return( ret );
8338 }
8339 }
8340 else
8341 {
8342 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
8343 {
8344 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
8345 return( ret );
8346 }
8347 }
8348#endif /* MBEDTLS_SSL_CLI_C */
8349
8350 return( ret );
8351}
8352
8353/*
8354 * Check record counters and renegotiate if they're above the limit.
8355 */
8356static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
8357{
8358 size_t ep_len = ssl_ep_len( ssl );
8359 int in_ctr_cmp;
8360 int out_ctr_cmp;
8361
8362 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
8363 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
8364 ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
8365 {
8366 return( 0 );
8367 }
8368
8369 in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
8370 ssl->conf->renego_period + ep_len, 8 - ep_len );
8371 out_ctr_cmp = memcmp( ssl->cur_out_ctr + ep_len,
8372 ssl->conf->renego_period + ep_len, 8 - ep_len );
8373
8374 if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
8375 {
8376 return( 0 );
8377 }
8378
8379 MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
8380 return( mbedtls_ssl_renegotiate( ssl ) );
8381}
8382#endif /* MBEDTLS_SSL_RENEGOTIATION */
8383
8384/*
8385 * Receive application data decrypted from the SSL layer
8386 */
8387int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
8388{
8389 int ret;
8390 size_t n;
8391
8392 if( ssl == NULL || ssl->conf == NULL )
8393 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8394
8395 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
8396
8397#if defined(MBEDTLS_SSL_PROTO_DTLS)
8398 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
8399 {
8400 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
8401 return( ret );
8402
8403 if( ssl->handshake != NULL &&
8404 ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
8405 {
8406 if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
8407 return( ret );
8408 }
8409 }
8410#endif
8411
8412 /*
8413 * Check if renegotiation is necessary and/or handshake is
8414 * in process. If yes, perform/continue, and fall through
8415 * if an unexpected packet is received while the client
8416 * is waiting for the ServerHello.
8417 *
8418 * (There is no equivalent to the last condition on
8419 * the server-side as it is not treated as within
8420 * a handshake while waiting for the ClientHello
8421 * after a renegotiation request.)
8422 */
8423
8424#if defined(MBEDTLS_SSL_RENEGOTIATION)
8425 ret = ssl_check_ctr_renegotiate( ssl );
8426 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
8427 ret != 0 )
8428 {
8429 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
8430 return( ret );
8431 }
8432#endif
8433
8434 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
8435 {
8436 ret = mbedtls_ssl_handshake( ssl );
8437 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
8438 ret != 0 )
8439 {
8440 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
8441 return( ret );
8442 }
8443 }
8444
8445 /* Loop as long as no application data record is available */
8446 while( ssl->in_offt == NULL )
8447 {
8448 /* Start timer if not already running */
8449 if( ssl->f_get_timer != NULL &&
8450 ssl->f_get_timer( ssl->p_timer ) == -1 )
8451 {
8452 ssl_set_timer( ssl, ssl->conf->read_timeout );
8453 }
8454
8455 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
8456 {
8457 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
8458 return( 0 );
8459
8460 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
8461 return( ret );
8462 }
8463
8464 if( ssl->in_msglen == 0 &&
8465 ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
8466 {
8467 /*
8468 * OpenSSL sends empty messages to randomize the IV
8469 */
8470 if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
8471 {
8472 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
8473 return( 0 );
8474
8475 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
8476 return( ret );
8477 }
8478 }
8479
8480 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
8481 {
8482 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received handshake message" ) );
8483
8484 /*
8485 * - For client-side, expect SERVER_HELLO_REQUEST.
8486 * - For server-side, expect CLIENT_HELLO.
8487 * - Fail (TLS) or silently drop record (DTLS) in other cases.
8488 */
8489
8490#if defined(MBEDTLS_SSL_CLI_C)
8491 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
8492 ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
8493 ssl->in_hslen != mbedtls_ssl_hs_hdr_len( ssl ) ) )
8494 {
8495 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
8496
8497 /* With DTLS, drop the packet (probably from last handshake) */
8498#if defined(MBEDTLS_SSL_PROTO_DTLS)
8499 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
8500 {
8501 continue;
8502 }
8503#endif
8504 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
8505 }
8506#endif /* MBEDTLS_SSL_CLI_C */
8507
8508#if defined(MBEDTLS_SSL_SRV_C)
8509 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
8510 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
8511 {
8512 MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
8513
8514 /* With DTLS, drop the packet (probably from last handshake) */
8515#if defined(MBEDTLS_SSL_PROTO_DTLS)
8516 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
8517 {
8518 continue;
8519 }
8520#endif
8521 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
8522 }
8523#endif /* MBEDTLS_SSL_SRV_C */
8524
8525#if defined(MBEDTLS_SSL_RENEGOTIATION)
8526 /* Determine whether renegotiation attempt should be accepted */
8527 if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
8528 ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
8529 ssl->conf->allow_legacy_renegotiation ==
8530 MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
8531 {
8532 /*
8533 * Accept renegotiation request
8534 */
8535
8536 /* DTLS clients need to know renego is server-initiated */
8537#if defined(MBEDTLS_SSL_PROTO_DTLS)
8538 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
8539 ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
8540 {
8541 ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
8542 }
8543#endif
8544 ret = ssl_start_renegotiation( ssl );
8545 if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
8546 ret != 0 )
8547 {
8548 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_start_renegotiation", ret );
8549 return( ret );
8550 }
8551 }
8552 else
8553#endif /* MBEDTLS_SSL_RENEGOTIATION */
8554 {
8555 /*
8556 * Refuse renegotiation
8557 */
8558
8559 MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
8560
8561#if defined(MBEDTLS_SSL_PROTO_SSL3)
8562 if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
8563 {
8564 /* SSLv3 does not have a "no_renegotiation" warning, so
8565 we send a fatal alert and abort the connection. */
8566 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
8567 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
8568 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
8569 }
8570 else
8571#endif /* MBEDTLS_SSL_PROTO_SSL3 */
8572#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
8573 defined(MBEDTLS_SSL_PROTO_TLS1_2)
8574 if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
8575 {
8576 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
8577 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
8578 MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
8579 {
8580 return( ret );
8581 }
8582 }
8583 else
8584#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 ||
8585 MBEDTLS_SSL_PROTO_TLS1_2 */
8586 {
8587 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
8588 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
8589 }
8590 }
8591
8592 /* At this point, we don't know whether the renegotiation has been
8593 * completed or not. The cases to consider are the following:
8594 * 1) The renegotiation is complete. In this case, no new record
8595 * has been read yet.
8596 * 2) The renegotiation is incomplete because the client received
8597 * an application data record while awaiting the ServerHello.
8598 * 3) The renegotiation is incomplete because the client received
8599 * a non-handshake, non-application data message while awaiting
8600 * the ServerHello.
8601 * In each of these case, looping will be the proper action:
8602 * - For 1), the next iteration will read a new record and check
8603 * if it's application data.
8604 * - For 2), the loop condition isn't satisfied as application data
8605 * is present, hence continue is the same as break
8606 * - For 3), the loop condition is satisfied and read_record
8607 * will re-deliver the message that was held back by the client
8608 * when expecting the ServerHello.
8609 */
8610 continue;
8611 }
8612#if defined(MBEDTLS_SSL_RENEGOTIATION)
8613 else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
8614 {
8615 if( ssl->conf->renego_max_records >= 0 )
8616 {
8617 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
8618 {
8619 MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
8620 "but not honored by client" ) );
8621 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
8622 }
8623 }
8624 }
8625#endif /* MBEDTLS_SSL_RENEGOTIATION */
8626
8627 /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
8628 if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
8629 {
8630 MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
8631 return( MBEDTLS_ERR_SSL_WANT_READ );
8632 }
8633
8634 if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
8635 {
8636 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
8637 return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
8638 }
8639
8640 ssl->in_offt = ssl->in_msg;
8641
8642 /* We're going to return something now, cancel timer,
8643 * except if handshake (renegotiation) is in progress */
8644 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
8645 ssl_set_timer( ssl, 0 );
8646
8647#if defined(MBEDTLS_SSL_PROTO_DTLS)
8648 /* If we requested renego but received AppData, resend HelloRequest.
8649 * Do it now, after setting in_offt, to avoid taking this branch
8650 * again if ssl_write_hello_request() returns WANT_WRITE */
8651#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
8652 if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
8653 ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
8654 {
8655 if( ( ret = ssl_resend_hello_request( ssl ) ) != 0 )
8656 {
8657 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_resend_hello_request", ret );
8658 return( ret );
8659 }
8660 }
8661#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
8662#endif /* MBEDTLS_SSL_PROTO_DTLS */
8663 }
8664
8665 n = ( len < ssl->in_msglen )
8666 ? len : ssl->in_msglen;
8667
8668 memcpy( buf, ssl->in_offt, n );
8669 ssl->in_msglen -= n;
8670
8671 /* Zeroising the plaintext buffer to erase unused application data
8672 from the memory. */
8673 mbedtls_platform_zeroize( ssl->in_offt, n );
8674
8675 if( ssl->in_msglen == 0 )
8676 {
8677 /* all bytes consumed */
8678 ssl->in_offt = NULL;
8679 ssl->keep_current_message = 0;
8680 }
8681 else
8682 {
8683 /* more data available */
8684 ssl->in_offt += n;
8685 }
8686
8687 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
8688
8689 return( (int) n );
8690}
8691
8692/*
8693 * Send application data to be encrypted by the SSL layer, taking care of max
8694 * fragment length and buffer size.
8695 *
8696 * According to RFC 5246 Section 6.2.1:
8697 *
8698 * Zero-length fragments of Application data MAY be sent as they are
8699 * potentially useful as a traffic analysis countermeasure.
8700 *
8701 * Therefore, it is possible that the input message length is 0 and the
8702 * corresponding return code is 0 on success.
8703 */
8704static int ssl_write_real( mbedtls_ssl_context *ssl,
8705 const unsigned char *buf, size_t len )
8706{
8707 int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
8708 const size_t max_len = (size_t) ret;
8709
8710 if( ret < 0 )
8711 {
8712 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
8713 return( ret );
8714 }
8715
8716 if( len > max_len )
8717 {
8718#if defined(MBEDTLS_SSL_PROTO_DTLS)
8719 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
8720 {
8721 MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
8722 "maximum fragment length: %d > %d",
8723 len, max_len ) );
8724 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8725 }
8726 else
8727#endif
8728 len = max_len;
8729 }
8730
8731 if( ssl->out_left != 0 )
8732 {
8733 /*
8734 * The user has previously tried to send the data and
8735 * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
8736 * written. In this case, we expect the high-level write function
8737 * (e.g. mbedtls_ssl_write()) to be called with the same parameters
8738 */
8739 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
8740 {
8741 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
8742 return( ret );
8743 }
8744 }
8745 else
8746 {
8747 /*
8748 * The user is trying to send a message the first time, so we need to
8749 * copy the data into the internal buffers and setup the data structure
8750 * to keep track of partial writes
8751 */
8752 ssl->out_msglen = len;
8753 ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
8754 memcpy( ssl->out_msg, buf, len );
8755
8756 if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
8757 {
8758 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
8759 return( ret );
8760 }
8761 }
8762
8763 return( (int) len );
8764}
8765
8766/*
8767 * Write application data, doing 1/n-1 splitting if necessary.
8768 *
8769 * With non-blocking I/O, ssl_write_real() may return WANT_WRITE,
8770 * then the caller will call us again with the same arguments, so
8771 * remember whether we already did the split or not.
8772 */
8773#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
8774static int ssl_write_split( mbedtls_ssl_context *ssl,
8775 const unsigned char *buf, size_t len )
8776{
8777 int ret;
8778
8779 if( ssl->conf->cbc_record_splitting ==
8780 MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
8781 len <= 1 ||
8782 ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
8783 mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
8784 != MBEDTLS_MODE_CBC )
8785 {
8786 return( ssl_write_real( ssl, buf, len ) );
8787 }
8788
8789 if( ssl->split_done == 0 )
8790 {
8791 if( ( ret = ssl_write_real( ssl, buf, 1 ) ) <= 0 )
8792 return( ret );
8793 ssl->split_done = 1;
8794 }
8795
8796 if( ( ret = ssl_write_real( ssl, buf + 1, len - 1 ) ) <= 0 )
8797 return( ret );
8798 ssl->split_done = 0;
8799
8800 return( ret + 1 );
8801}
8802#endif /* MBEDTLS_SSL_CBC_RECORD_SPLITTING */
8803
8804/*
8805 * Write application data (public-facing wrapper)
8806 */
8807int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
8808{
8809 int ret;
8810
8811 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
8812
8813 if( ssl == NULL || ssl->conf == NULL )
8814 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8815
8816#if defined(MBEDTLS_SSL_RENEGOTIATION)
8817 if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
8818 {
8819 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
8820 return( ret );
8821 }
8822#endif
8823
8824 if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
8825 {
8826 if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
8827 {
8828 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
8829 return( ret );
8830 }
8831 }
8832
8833#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
8834 ret = ssl_write_split( ssl, buf, len );
8835#else
8836 ret = ssl_write_real( ssl, buf, len );
8837#endif
8838
8839 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
8840
8841 return( ret );
8842}
8843
8844/*
8845 * Notify the peer that the connection is being closed
8846 */
8847int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
8848{
8849 int ret;
8850
8851 if( ssl == NULL || ssl->conf == NULL )
8852 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
8853
8854 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
8855
8856 if( ssl->out_left != 0 )
8857 return( mbedtls_ssl_flush_output( ssl ) );
8858
8859 if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
8860 {
8861 if( ( ret = mbedtls_ssl_send_alert_message( ssl,
8862 MBEDTLS_SSL_ALERT_LEVEL_WARNING,
8863 MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
8864 {
8865 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
8866 return( ret );
8867 }
8868 }
8869
8870 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
8871
8872 return( 0 );
8873}
8874
8875void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
8876{
8877 if( transform == NULL )
8878 return;
8879
8880#if defined(MBEDTLS_ZLIB_SUPPORT)
8881 deflateEnd( &transform->ctx_deflate );
8882 inflateEnd( &transform->ctx_inflate );
8883#endif
8884
8885 mbedtls_cipher_free( &transform->cipher_ctx_enc );
8886 mbedtls_cipher_free( &transform->cipher_ctx_dec );
8887
8888 mbedtls_md_free( &transform->md_ctx_enc );
8889 mbedtls_md_free( &transform->md_ctx_dec );
8890
8891 mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
8892}
8893
8894#if defined(MBEDTLS_X509_CRT_PARSE_C)
8895static void ssl_key_cert_free( mbedtls_ssl_key_cert *key_cert )
8896{
8897 mbedtls_ssl_key_cert *cur = key_cert, *next;
8898
8899 while( cur != NULL )
8900 {
8901 next = cur->next;
8902 mbedtls_free( cur );
8903 cur = next;
8904 }
8905}
8906#endif /* MBEDTLS_X509_CRT_PARSE_C */
8907
8908#if defined(MBEDTLS_SSL_PROTO_DTLS)
8909
8910static void ssl_buffering_free( mbedtls_ssl_context *ssl )
8911{
8912 unsigned offset;
8913 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
8914
8915 if( hs == NULL )
8916 return;
8917
8918 ssl_free_buffered_record( ssl );
8919
8920 for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
8921 ssl_buffering_free_slot( ssl, offset );
8922}
8923
8924static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
8925 uint8_t slot )
8926{
8927 mbedtls_ssl_handshake_params * const hs = ssl->handshake;
8928 mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
8929
8930 if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
8931 return;
8932
8933 if( hs_buf->is_valid == 1 )
8934 {
8935 hs->buffering.total_bytes_buffered -= hs_buf->data_len;
8936 mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
8937 mbedtls_free( hs_buf->data );
8938 memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
8939 }
8940}
8941
8942#endif /* MBEDTLS_SSL_PROTO_DTLS */
8943
8944void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
8945{
8946 mbedtls_ssl_handshake_params *handshake = ssl->handshake;
8947
8948 if( handshake == NULL )
8949 return;
8950
8951#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
8952 if( ssl->conf->f_async_cancel != NULL && handshake->async_in_progress != 0 )
8953 {
8954 ssl->conf->f_async_cancel( ssl );
8955 handshake->async_in_progress = 0;
8956 }
8957#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
8958
8959#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
8960 defined(MBEDTLS_SSL_PROTO_TLS1_1)
8961 mbedtls_md5_free( &handshake->fin_md5 );
8962 mbedtls_sha1_free( &handshake->fin_sha1 );
8963#endif
8964#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
8965#if defined(MBEDTLS_SHA256_C)
8966 mbedtls_sha256_free( &handshake->fin_sha256 );
8967#endif
8968#if defined(MBEDTLS_SHA512_C)
8969 mbedtls_sha512_free( &handshake->fin_sha512 );
8970#endif
8971#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
8972
8973#if defined(MBEDTLS_DHM_C)
8974 mbedtls_dhm_free( &handshake->dhm_ctx );
8975#endif
8976#if defined(MBEDTLS_ECDH_C)
8977 mbedtls_ecdh_free( &handshake->ecdh_ctx );
8978#endif
8979#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
8980 mbedtls_ecjpake_free( &handshake->ecjpake_ctx );
8981#if defined(MBEDTLS_SSL_CLI_C)
8982 mbedtls_free( handshake->ecjpake_cache );
8983 handshake->ecjpake_cache = NULL;
8984 handshake->ecjpake_cache_len = 0;
8985#endif
8986#endif
8987
8988#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
8989 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
8990 /* explicit void pointer cast for buggy MS compiler */
8991 mbedtls_free( (void *) handshake->curves );
8992#endif
8993
8994#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
8995 if( handshake->psk != NULL )
8996 {
8997 mbedtls_platform_zeroize( handshake->psk, handshake->psk_len );
8998 mbedtls_free( handshake->psk );
8999 }
9000#endif
9001
9002#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
9003 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
9004 /*
9005 * Free only the linked list wrapper, not the keys themselves
9006 * since the belong to the SNI callback
9007 */
9008 if( handshake->sni_key_cert != NULL )
9009 {
9010 mbedtls_ssl_key_cert *cur = handshake->sni_key_cert, *next;
9011
9012 while( cur != NULL )
9013 {
9014 next = cur->next;
9015 mbedtls_free( cur );
9016 cur = next;
9017 }
9018 }
9019#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_SERVER_NAME_INDICATION */
9020
9021#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
9022 mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
9023#endif
9024
9025#if defined(MBEDTLS_SSL_PROTO_DTLS)
9026 mbedtls_free( handshake->verify_cookie );
9027 ssl_flight_free( handshake->flight );
9028 ssl_buffering_free( ssl );
9029#endif
9030
9031 mbedtls_platform_zeroize( handshake,
9032 sizeof( mbedtls_ssl_handshake_params ) );
9033}
9034
9035void mbedtls_ssl_session_free( mbedtls_ssl_session *session )
9036{
9037 if( session == NULL )
9038 return;
9039
9040#if defined(MBEDTLS_X509_CRT_PARSE_C)
9041 if( session->peer_cert != NULL )
9042 {
9043 mbedtls_x509_crt_free( session->peer_cert );
9044 mbedtls_free( session->peer_cert );
9045 }
9046#endif
9047
9048#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
9049 mbedtls_free( session->ticket );
9050#endif
9051
9052 mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
9053}
9054
9055/*
9056 * Free an SSL context
9057 */
9058void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
9059{
9060 if( ssl == NULL )
9061 return;
9062
9063 MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> free" ) );
9064
9065 if( ssl->out_buf != NULL )
9066 {
9067 mbedtls_platform_zeroize( ssl->out_buf, MBEDTLS_SSL_OUT_BUFFER_LEN );
9068 mbedtls_free( ssl->out_buf );
9069 }
9070
9071 if( ssl->in_buf != NULL )
9072 {
9073 mbedtls_platform_zeroize( ssl->in_buf, MBEDTLS_SSL_IN_BUFFER_LEN );
9074 mbedtls_free( ssl->in_buf );
9075 }
9076
9077#if defined(MBEDTLS_ZLIB_SUPPORT)
9078 if( ssl->compress_buf != NULL )
9079 {
9080 mbedtls_platform_zeroize( ssl->compress_buf, MBEDTLS_SSL_COMPRESS_BUFFER_LEN );
9081 mbedtls_free( ssl->compress_buf );
9082 }
9083#endif
9084
9085 if( ssl->transform )
9086 {
9087 mbedtls_ssl_transform_free( ssl->transform );
9088 mbedtls_free( ssl->transform );
9089 }
9090
9091 if( ssl->handshake )
9092 {
9093 mbedtls_ssl_handshake_free( ssl );
9094 mbedtls_ssl_transform_free( ssl->transform_negotiate );
9095 mbedtls_ssl_session_free( ssl->session_negotiate );
9096
9097 mbedtls_free( ssl->handshake );
9098 mbedtls_free( ssl->transform_negotiate );
9099 mbedtls_free( ssl->session_negotiate );
9100 }
9101
9102 if( ssl->session )
9103 {
9104 mbedtls_ssl_session_free( ssl->session );
9105 mbedtls_free( ssl->session );
9106 }
9107
9108#if defined(MBEDTLS_X509_CRT_PARSE_C)
9109 if( ssl->hostname != NULL )
9110 {
9111 mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
9112 mbedtls_free( ssl->hostname );
9113 }
9114#endif
9115
9116#if defined(MBEDTLS_SSL_HW_RECORD_ACCEL)
9117 if( mbedtls_ssl_hw_record_finish != NULL )
9118 {
9119 MBEDTLS_SSL_DEBUG_MSG( 2, ( "going for mbedtls_ssl_hw_record_finish()" ) );
9120 mbedtls_ssl_hw_record_finish( ssl );
9121 }
9122#endif
9123
9124#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
9125 mbedtls_free( ssl->cli_id );
9126#endif
9127
9128 MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= free" ) );
9129
9130 /* Actually clear after last debug message */
9131 mbedtls_platform_zeroize( ssl, sizeof( mbedtls_ssl_context ) );
9132}
9133
9134/*
9135 * Initialze mbedtls_ssl_config
9136 */
9137void mbedtls_ssl_config_init( mbedtls_ssl_config *conf )
9138{
9139 memset( conf, 0, sizeof( mbedtls_ssl_config ) );
9140}
9141
9142#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
9143static int ssl_preset_default_hashes[] = {
9144#if defined(MBEDTLS_SHA512_C)
9145 MBEDTLS_MD_SHA512,
9146 MBEDTLS_MD_SHA384,
9147#endif
9148#if defined(MBEDTLS_SHA256_C)
9149 MBEDTLS_MD_SHA256,
9150 MBEDTLS_MD_SHA224,
9151#endif
9152#if defined(MBEDTLS_SHA1_C) && defined(MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE)
9153 MBEDTLS_MD_SHA1,
9154#endif
9155 MBEDTLS_MD_NONE
9156};
9157#endif
9158
9159static int ssl_preset_suiteb_ciphersuites[] = {
9160 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
9161 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
9162 0
9163};
9164
9165#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
9166static int ssl_preset_suiteb_hashes[] = {
9167 MBEDTLS_MD_SHA256,
9168 MBEDTLS_MD_SHA384,
9169 MBEDTLS_MD_NONE
9170};
9171#endif
9172
9173#if defined(MBEDTLS_ECP_C)
9174static mbedtls_ecp_group_id ssl_preset_suiteb_curves[] = {
9175#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
9176 MBEDTLS_ECP_DP_SECP256R1,
9177#endif
9178#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
9179 MBEDTLS_ECP_DP_SECP384R1,
9180#endif
9181 MBEDTLS_ECP_DP_NONE
9182};
9183#endif
9184
9185/*
9186 * Load default in mbedtls_ssl_config
9187 */
9188int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
9189 int endpoint, int transport, int preset )
9190{
9191#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
9192 int ret;
9193#endif
9194
9195 /* Use the functions here so that they are covered in tests,
9196 * but otherwise access member directly for efficiency */
9197 mbedtls_ssl_conf_endpoint( conf, endpoint );
9198 mbedtls_ssl_conf_transport( conf, transport );
9199
9200 /*
9201 * Things that are common to all presets
9202 */
9203#if defined(MBEDTLS_SSL_CLI_C)
9204 if( endpoint == MBEDTLS_SSL_IS_CLIENT )
9205 {
9206 conf->authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
9207#if defined(MBEDTLS_SSL_SESSION_TICKETS)
9208 conf->session_tickets = MBEDTLS_SSL_SESSION_TICKETS_ENABLED;
9209#endif
9210 }
9211#endif
9212
9213#if defined(MBEDTLS_ARC4_C)
9214 conf->arc4_disabled = MBEDTLS_SSL_ARC4_DISABLED;
9215#endif
9216
9217#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
9218 conf->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
9219#endif
9220
9221#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
9222 conf->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
9223#endif
9224
9225#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
9226 conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
9227#endif
9228
9229#if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY) && defined(MBEDTLS_SSL_SRV_C)
9230 conf->f_cookie_write = ssl_cookie_write_dummy;
9231 conf->f_cookie_check = ssl_cookie_check_dummy;
9232#endif
9233
9234#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
9235 conf->anti_replay = MBEDTLS_SSL_ANTI_REPLAY_ENABLED;
9236#endif
9237
9238#if defined(MBEDTLS_SSL_SRV_C)
9239 conf->cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
9240#endif
9241
9242#if defined(MBEDTLS_SSL_PROTO_DTLS)
9243 conf->hs_timeout_min = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN;
9244 conf->hs_timeout_max = MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX;
9245#endif
9246
9247#if defined(MBEDTLS_SSL_RENEGOTIATION)
9248 conf->renego_max_records = MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT;
9249 memset( conf->renego_period, 0x00, 2 );
9250 memset( conf->renego_period + 2, 0xFF, 6 );
9251#endif
9252
9253#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_SRV_C)
9254 if( endpoint == MBEDTLS_SSL_IS_SERVER )
9255 {
9256 const unsigned char dhm_p[] =
9257 MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
9258 const unsigned char dhm_g[] =
9259 MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
9260
9261 if ( ( ret = mbedtls_ssl_conf_dh_param_bin( conf,
9262 dhm_p, sizeof( dhm_p ),
9263 dhm_g, sizeof( dhm_g ) ) ) != 0 )
9264 {
9265 return( ret );
9266 }
9267 }
9268#endif
9269
9270 /*
9271 * Preset-specific defaults
9272 */
9273 switch( preset )
9274 {
9275 /*
9276 * NSA Suite B
9277 */
9278 case MBEDTLS_SSL_PRESET_SUITEB:
9279 conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
9280 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
9281 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
9282 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
9283
9284 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
9285 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
9286 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
9287 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
9288 ssl_preset_suiteb_ciphersuites;
9289
9290#if defined(MBEDTLS_X509_CRT_PARSE_C)
9291 conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
9292#endif
9293
9294#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
9295 conf->sig_hashes = ssl_preset_suiteb_hashes;
9296#endif
9297
9298#if defined(MBEDTLS_ECP_C)
9299 conf->curve_list = ssl_preset_suiteb_curves;
9300#endif
9301 break;
9302
9303 /*
9304 * Default
9305 */
9306 default:
9307 conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
9308 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
9309 MBEDTLS_SSL_MIN_MAJOR_VERSION :
9310 MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
9311 conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
9312 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
9313 MBEDTLS_SSL_MIN_MINOR_VERSION :
9314 MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
9315 conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
9316 conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
9317
9318#if defined(MBEDTLS_SSL_PROTO_DTLS)
9319 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
9320 conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
9321#endif
9322
9323 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
9324 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
9325 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
9326 conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
9327 mbedtls_ssl_list_ciphersuites();
9328
9329#if defined(MBEDTLS_X509_CRT_PARSE_C)
9330 conf->cert_profile = &mbedtls_x509_crt_profile_default;
9331#endif
9332
9333#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
9334 conf->sig_hashes = ssl_preset_default_hashes;
9335#endif
9336
9337#if defined(MBEDTLS_ECP_C)
9338 conf->curve_list = mbedtls_ecp_grp_id_list();
9339#endif
9340
9341#if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_SSL_CLI_C)
9342 conf->dhm_min_bitlen = 1024;
9343#endif
9344 }
9345
9346 return( 0 );
9347}
9348
9349/*
9350 * Free mbedtls_ssl_config
9351 */
9352void mbedtls_ssl_config_free( mbedtls_ssl_config *conf )
9353{
9354#if defined(MBEDTLS_DHM_C)
9355 mbedtls_mpi_free( &conf->dhm_P );
9356 mbedtls_mpi_free( &conf->dhm_G );
9357#endif
9358
9359#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
9360 if( conf->psk != NULL )
9361 {
9362 mbedtls_platform_zeroize( conf->psk, conf->psk_len );
9363 mbedtls_free( conf->psk );
9364 conf->psk = NULL;
9365 conf->psk_len = 0;
9366 }
9367
9368 if( conf->psk_identity != NULL )
9369 {
9370 mbedtls_platform_zeroize( conf->psk_identity, conf->psk_identity_len );
9371 mbedtls_free( conf->psk_identity );
9372 conf->psk_identity = NULL;
9373 conf->psk_identity_len = 0;
9374 }
9375#endif
9376
9377#if defined(MBEDTLS_X509_CRT_PARSE_C)
9378 ssl_key_cert_free( conf->key_cert );
9379#endif
9380
9381 mbedtls_platform_zeroize( conf, sizeof( mbedtls_ssl_config ) );
9382}
9383
9384#if defined(MBEDTLS_PK_C) && \
9385 ( defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_C) )
9386/*
9387 * Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
9388 */
9389unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk )
9390{
9391#if defined(MBEDTLS_RSA_C)
9392 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_RSA ) )
9393 return( MBEDTLS_SSL_SIG_RSA );
9394#endif
9395#if defined(MBEDTLS_ECDSA_C)
9396 if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECDSA ) )
9397 return( MBEDTLS_SSL_SIG_ECDSA );
9398#endif
9399 return( MBEDTLS_SSL_SIG_ANON );
9400}
9401
9402unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type )
9403{
9404 switch( type ) {
9405 case MBEDTLS_PK_RSA:
9406 return( MBEDTLS_SSL_SIG_RSA );
9407 case MBEDTLS_PK_ECDSA:
9408 case MBEDTLS_PK_ECKEY:
9409 return( MBEDTLS_SSL_SIG_ECDSA );
9410 default:
9411 return( MBEDTLS_SSL_SIG_ANON );
9412 }
9413}
9414
9415mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig )
9416{
9417 switch( sig )
9418 {
9419#if defined(MBEDTLS_RSA_C)
9420 case MBEDTLS_SSL_SIG_RSA:
9421 return( MBEDTLS_PK_RSA );
9422#endif
9423#if defined(MBEDTLS_ECDSA_C)
9424 case MBEDTLS_SSL_SIG_ECDSA:
9425 return( MBEDTLS_PK_ECDSA );
9426#endif
9427 default:
9428 return( MBEDTLS_PK_NONE );
9429 }
9430}
9431#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_ECDSA_C ) */
9432
9433#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
9434 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
9435
9436/* Find an entry in a signature-hash set matching a given hash algorithm. */
9437mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
9438 mbedtls_pk_type_t sig_alg )
9439{
9440 switch( sig_alg )
9441 {
9442 case MBEDTLS_PK_RSA:
9443 return( set->rsa );
9444 case MBEDTLS_PK_ECDSA:
9445 return( set->ecdsa );
9446 default:
9447 return( MBEDTLS_MD_NONE );
9448 }
9449}
9450
9451/* Add a signature-hash-pair to a signature-hash set */
9452void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
9453 mbedtls_pk_type_t sig_alg,
9454 mbedtls_md_type_t md_alg )
9455{
9456 switch( sig_alg )
9457 {
9458 case MBEDTLS_PK_RSA:
9459 if( set->rsa == MBEDTLS_MD_NONE )
9460 set->rsa = md_alg;
9461 break;
9462
9463 case MBEDTLS_PK_ECDSA:
9464 if( set->ecdsa == MBEDTLS_MD_NONE )
9465 set->ecdsa = md_alg;
9466 break;
9467
9468 default:
9469 break;
9470 }
9471}
9472
9473/* Allow exactly one hash algorithm for each signature. */
9474void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
9475 mbedtls_md_type_t md_alg )
9476{
9477 set->rsa = md_alg;
9478 set->ecdsa = md_alg;
9479}
9480
9481#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
9482 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
9483
9484/*
9485 * Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
9486 */
9487mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
9488{
9489 switch( hash )
9490 {
9491#if defined(MBEDTLS_MD5_C)
9492 case MBEDTLS_SSL_HASH_MD5:
9493 return( MBEDTLS_MD_MD5 );
9494#endif
9495#if defined(MBEDTLS_SHA1_C)
9496 case MBEDTLS_SSL_HASH_SHA1:
9497 return( MBEDTLS_MD_SHA1 );
9498#endif
9499#if defined(MBEDTLS_SHA256_C)
9500 case MBEDTLS_SSL_HASH_SHA224:
9501 return( MBEDTLS_MD_SHA224 );
9502 case MBEDTLS_SSL_HASH_SHA256:
9503 return( MBEDTLS_MD_SHA256 );
9504#endif
9505#if defined(MBEDTLS_SHA512_C)
9506 case MBEDTLS_SSL_HASH_SHA384:
9507 return( MBEDTLS_MD_SHA384 );
9508 case MBEDTLS_SSL_HASH_SHA512:
9509 return( MBEDTLS_MD_SHA512 );
9510#endif
9511 default:
9512 return( MBEDTLS_MD_NONE );
9513 }
9514}
9515
9516/*
9517 * Convert from MBEDTLS_MD_XXX to MBEDTLS_SSL_HASH_XXX
9518 */
9519unsigned char mbedtls_ssl_hash_from_md_alg( int md )
9520{
9521 switch( md )
9522 {
9523#if defined(MBEDTLS_MD5_C)
9524 case MBEDTLS_MD_MD5:
9525 return( MBEDTLS_SSL_HASH_MD5 );
9526#endif
9527#if defined(MBEDTLS_SHA1_C)
9528 case MBEDTLS_MD_SHA1:
9529 return( MBEDTLS_SSL_HASH_SHA1 );
9530#endif
9531#if defined(MBEDTLS_SHA256_C)
9532 case MBEDTLS_MD_SHA224:
9533 return( MBEDTLS_SSL_HASH_SHA224 );
9534 case MBEDTLS_MD_SHA256:
9535 return( MBEDTLS_SSL_HASH_SHA256 );
9536#endif
9537#if defined(MBEDTLS_SHA512_C)
9538 case MBEDTLS_MD_SHA384:
9539 return( MBEDTLS_SSL_HASH_SHA384 );
9540 case MBEDTLS_MD_SHA512:
9541 return( MBEDTLS_SSL_HASH_SHA512 );
9542#endif
9543 default:
9544 return( MBEDTLS_SSL_HASH_NONE );
9545 }
9546}
9547
9548#if defined(MBEDTLS_ECP_C)
9549/*
9550 * Check if a curve proposed by the peer is in our list.
9551 * Return 0 if we're willing to use it, -1 otherwise.
9552 */
9553int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
9554{
9555 const mbedtls_ecp_group_id *gid;
9556
9557 if( ssl->conf->curve_list == NULL )
9558 return( -1 );
9559
9560 for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
9561 if( *gid == grp_id )
9562 return( 0 );
9563
9564 return( -1 );
9565}
9566#endif /* MBEDTLS_ECP_C */
9567
9568#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
9569/*
9570 * Check if a hash proposed by the peer is in our list.
9571 * Return 0 if we're willing to use it, -1 otherwise.
9572 */
9573int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
9574 mbedtls_md_type_t md )
9575{
9576 const int *cur;
9577
9578 if( ssl->conf->sig_hashes == NULL )
9579 return( -1 );
9580
9581 for( cur = ssl->conf->sig_hashes; *cur != MBEDTLS_MD_NONE; cur++ )
9582 if( *cur == (int) md )
9583 return( 0 );
9584
9585 return( -1 );
9586}
9587#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
9588
9589#if defined(MBEDTLS_X509_CRT_PARSE_C)
9590int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
9591 const mbedtls_ssl_ciphersuite_t *ciphersuite,
9592 int cert_endpoint,
9593 uint32_t *flags )
9594{
9595 int ret = 0;
9596#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
9597 int usage = 0;
9598#endif
9599#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
9600 const char *ext_oid;
9601 size_t ext_len;
9602#endif
9603
9604#if !defined(MBEDTLS_X509_CHECK_KEY_USAGE) && \
9605 !defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
9606 ((void) cert);
9607 ((void) cert_endpoint);
9608 ((void) flags);
9609#endif
9610
9611#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
9612 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
9613 {
9614 /* Server part of the key exchange */
9615 switch( ciphersuite->key_exchange )
9616 {
9617 case MBEDTLS_KEY_EXCHANGE_RSA:
9618 case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
9619 usage = MBEDTLS_X509_KU_KEY_ENCIPHERMENT;
9620 break;
9621
9622 case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
9623 case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
9624 case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
9625 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9626 break;
9627
9628 case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
9629 case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
9630 usage = MBEDTLS_X509_KU_KEY_AGREEMENT;
9631 break;
9632
9633 /* Don't use default: we want warnings when adding new values */
9634 case MBEDTLS_KEY_EXCHANGE_NONE:
9635 case MBEDTLS_KEY_EXCHANGE_PSK:
9636 case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
9637 case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
9638 case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
9639 usage = 0;
9640 }
9641 }
9642 else
9643 {
9644 /* Client auth: we only implement rsa_sign and mbedtls_ecdsa_sign for now */
9645 usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE;
9646 }
9647
9648 if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
9649 {
9650 *flags |= MBEDTLS_X509_BADCERT_KEY_USAGE;
9651 ret = -1;
9652 }
9653#else
9654 ((void) ciphersuite);
9655#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
9656
9657#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
9658 if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
9659 {
9660 ext_oid = MBEDTLS_OID_SERVER_AUTH;
9661 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_SERVER_AUTH );
9662 }
9663 else
9664 {
9665 ext_oid = MBEDTLS_OID_CLIENT_AUTH;
9666 ext_len = MBEDTLS_OID_SIZE( MBEDTLS_OID_CLIENT_AUTH );
9667 }
9668
9669 if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
9670 {
9671 *flags |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
9672 ret = -1;
9673 }
9674#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
9675
9676 return( ret );
9677}
9678#endif /* MBEDTLS_X509_CRT_PARSE_C */
9679
9680/*
9681 * Convert version numbers to/from wire format
9682 * and, for DTLS, to/from TLS equivalent.
9683 *
9684 * For TLS this is the identity.
9685 * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
9686 * 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
9687 * 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
9688 */
9689void mbedtls_ssl_write_version( int major, int minor, int transport,
9690 unsigned char ver[2] )
9691{
9692#if defined(MBEDTLS_SSL_PROTO_DTLS)
9693 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
9694 {
9695 if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
9696 --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
9697
9698 ver[0] = (unsigned char)( 255 - ( major - 2 ) );
9699 ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
9700 }
9701 else
9702#else
9703 ((void) transport);
9704#endif
9705 {
9706 ver[0] = (unsigned char) major;
9707 ver[1] = (unsigned char) minor;
9708 }
9709}
9710
9711void mbedtls_ssl_read_version( int *major, int *minor, int transport,
9712 const unsigned char ver[2] )
9713{
9714#if defined(MBEDTLS_SSL_PROTO_DTLS)
9715 if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
9716 {
9717 *major = 255 - ver[0] + 2;
9718 *minor = 255 - ver[1] + 1;
9719
9720 if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
9721 ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
9722 }
9723 else
9724#else
9725 ((void) transport);
9726#endif
9727 {
9728 *major = ver[0];
9729 *minor = ver[1];
9730 }
9731}
9732
9733int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
9734{
9735#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
9736 if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
9737 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
9738
9739 switch( md )
9740 {
9741#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1)
9742#if defined(MBEDTLS_MD5_C)
9743 case MBEDTLS_SSL_HASH_MD5:
9744 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
9745#endif
9746#if defined(MBEDTLS_SHA1_C)
9747 case MBEDTLS_SSL_HASH_SHA1:
9748 ssl->handshake->calc_verify = ssl_calc_verify_tls;
9749 break;
9750#endif
9751#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 */
9752#if defined(MBEDTLS_SHA512_C)
9753 case MBEDTLS_SSL_HASH_SHA384:
9754 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
9755 break;
9756#endif
9757#if defined(MBEDTLS_SHA256_C)
9758 case MBEDTLS_SSL_HASH_SHA256:
9759 ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
9760 break;
9761#endif
9762 default:
9763 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
9764 }
9765
9766 return 0;
9767#else /* !MBEDTLS_SSL_PROTO_TLS1_2 */
9768 (void) ssl;
9769 (void) md;
9770
9771 return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
9772#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
9773}
9774
9775#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
9776 defined(MBEDTLS_SSL_PROTO_TLS1_1)
9777int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
9778 unsigned char *output,
9779 unsigned char *data, size_t data_len )
9780{
9781 int ret = 0;
9782 mbedtls_md5_context mbedtls_md5;
9783 mbedtls_sha1_context mbedtls_sha1;
9784
9785 mbedtls_md5_init( &mbedtls_md5 );
9786 mbedtls_sha1_init( &mbedtls_sha1 );
9787
9788 /*
9789 * digitally-signed struct {
9790 * opaque md5_hash[16];
9791 * opaque sha_hash[20];
9792 * };
9793 *
9794 * md5_hash
9795 * MD5(ClientHello.random + ServerHello.random
9796 * + ServerParams);
9797 * sha_hash
9798 * SHA(ClientHello.random + ServerHello.random
9799 * + ServerParams);
9800 */
9801 if( ( ret = mbedtls_md5_starts_ret( &mbedtls_md5 ) ) != 0 )
9802 {
9803 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_starts_ret", ret );
9804 goto exit;
9805 }
9806 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5,
9807 ssl->handshake->randbytes, 64 ) ) != 0 )
9808 {
9809 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
9810 goto exit;
9811 }
9812 if( ( ret = mbedtls_md5_update_ret( &mbedtls_md5, data, data_len ) ) != 0 )
9813 {
9814 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_update_ret", ret );
9815 goto exit;
9816 }
9817 if( ( ret = mbedtls_md5_finish_ret( &mbedtls_md5, output ) ) != 0 )
9818 {
9819 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md5_finish_ret", ret );
9820 goto exit;
9821 }
9822
9823 if( ( ret = mbedtls_sha1_starts_ret( &mbedtls_sha1 ) ) != 0 )
9824 {
9825 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_starts_ret", ret );
9826 goto exit;
9827 }
9828 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1,
9829 ssl->handshake->randbytes, 64 ) ) != 0 )
9830 {
9831 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
9832 goto exit;
9833 }
9834 if( ( ret = mbedtls_sha1_update_ret( &mbedtls_sha1, data,
9835 data_len ) ) != 0 )
9836 {
9837 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_update_ret", ret );
9838 goto exit;
9839 }
9840 if( ( ret = mbedtls_sha1_finish_ret( &mbedtls_sha1,
9841 output + 16 ) ) != 0 )
9842 {
9843 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha1_finish_ret", ret );
9844 goto exit;
9845 }
9846
9847exit:
9848 mbedtls_md5_free( &mbedtls_md5 );
9849 mbedtls_sha1_free( &mbedtls_sha1 );
9850
9851 if( ret != 0 )
9852 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9853 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
9854
9855 return( ret );
9856
9857}
9858#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
9859 MBEDTLS_SSL_PROTO_TLS1_1 */
9860
9861#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
9862 defined(MBEDTLS_SSL_PROTO_TLS1_2)
9863int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
9864 unsigned char *hash, size_t *hashlen,
9865 unsigned char *data, size_t data_len,
9866 mbedtls_md_type_t md_alg )
9867{
9868 int ret = 0;
9869 mbedtls_md_context_t ctx;
9870 const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
9871 *hashlen = mbedtls_md_get_size( md_info );
9872
9873 mbedtls_md_init( &ctx );
9874
9875 /*
9876 * digitally-signed struct {
9877 * opaque client_random[32];
9878 * opaque server_random[32];
9879 * ServerDHParams params;
9880 * };
9881 */
9882 if( ( ret = mbedtls_md_setup( &ctx, md_info, 0 ) ) != 0 )
9883 {
9884 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_setup", ret );
9885 goto exit;
9886 }
9887 if( ( ret = mbedtls_md_starts( &ctx ) ) != 0 )
9888 {
9889 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_starts", ret );
9890 goto exit;
9891 }
9892 if( ( ret = mbedtls_md_update( &ctx, ssl->handshake->randbytes, 64 ) ) != 0 )
9893 {
9894 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
9895 goto exit;
9896 }
9897 if( ( ret = mbedtls_md_update( &ctx, data, data_len ) ) != 0 )
9898 {
9899 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_update", ret );
9900 goto exit;
9901 }
9902 if( ( ret = mbedtls_md_finish( &ctx, hash ) ) != 0 )
9903 {
9904 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_md_finish", ret );
9905 goto exit;
9906 }
9907
9908exit:
9909 mbedtls_md_free( &ctx );
9910
9911 if( ret != 0 )
9912 mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
9913 MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
9914
9915 return( ret );
9916}
9917#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
9918 MBEDTLS_SSL_PROTO_TLS1_2 */
9919
9920#endif /* MBEDTLS_SSL_TLS_C */
memcmp
int memcmp(void *Buffer1, void *Buffer2, ACPI_SIZE Count)
Definition: utclib.c:112
strlen
ACPI_SIZE strlen(const char *String)
Definition: utclib.c:269
uint16_t
unsigned short int uint16_t
Definition: acefiex.h:54
head
struct outqueuenode * head
Definition: adnsresfilter.c:66
msg
#define msg(x)
Definition: auth_time.c:54
hostname
char * hostname
Definition: ftp.c:88
mbedtls_mpi_read_string
int mbedtls_mpi_read_string(mbedtls_mpi *X, int radix, const char *s)
Import an MPI from an ASCII string.
mbedtls_mpi_copy
int mbedtls_mpi_copy(mbedtls_mpi *X, const mbedtls_mpi *Y)
Make a copy of an MPI.
mbedtls_mpi_read_binary
int mbedtls_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, size_t buflen)
Import an MPI from unsigned big endian binary data.
mbedtls_mpi_free
void mbedtls_mpi_free(mbedtls_mpi *X)
This function frees the components of an MPI context.
mbedtls_cipher_setup
int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, const mbedtls_cipher_info_t *cipher_info)
This function initializes and fills the cipher-context structure with the appropriate values....
mbedtls_cipher_setkey
int mbedtls_cipher_setkey(mbedtls_cipher_context_t *ctx, const unsigned char *key, int key_bitlen, const mbedtls_operation_t operation)
This function sets the key to use with the given context.
mbedtls_cipher_crypt
int mbedtls_cipher_crypt(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen)
The generic all-in-one encryption/decryption function, for all ciphers except AEAD constructs.
MBEDTLS_PADDING_NONE
@ MBEDTLS_PADDING_NONE
Definition: cipher.h:227
mbedtls_cipher_auth_encrypt
int mbedtls_cipher_auth_encrypt(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, unsigned char *tag, size_t tag_len)
The generic autenticated encryption (AEAD) function.
MBEDTLS_ERR_CIPHER_AUTH_FAILED
#define MBEDTLS_ERR_CIPHER_AUTH_FAILED
Definition: cipher.h:89
mbedtls_cipher_auth_decrypt
int mbedtls_cipher_auth_decrypt(mbedtls_cipher_context_t *ctx, const unsigned char *iv, size_t iv_len, const unsigned char *ad, size_t ad_len, const unsigned char *input, size_t ilen, unsigned char *output, size_t *olen, const unsigned char *tag, size_t tag_len)
The generic autenticated decryption (AEAD) function.
mbedtls_cipher_init
void mbedtls_cipher_init(mbedtls_cipher_context_t *ctx)
This function initializes a cipher_context as NONE.
mbedtls_cipher_free
void mbedtls_cipher_free(mbedtls_cipher_context_t *ctx)
This function frees and clears the cipher-specific context of ctx. Freeing ctx itself remains the res...
mbedtls_cipher_get_block_size
static unsigned int mbedtls_cipher_get_block_size(const mbedtls_cipher_context_t *ctx)
This function returns the block size of the given cipher.
Definition: cipher.h:452
MBEDTLS_DECRYPT
@ MBEDTLS_DECRYPT
Definition: cipher.h:233
MBEDTLS_ENCRYPT
@ MBEDTLS_ENCRYPT
Definition: cipher.h:234
mbedtls_cipher_get_cipher_mode
static mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(const mbedtls_cipher_context_t *ctx)
This function returns the mode of operation for the cipher. For example, MBEDTLS_MODE_CBC.
Definition: cipher.h:471
mbedtls_cipher_mode_t
mbedtls_cipher_mode_t
Definition: cipher.h:207
MBEDTLS_MODE_CCM
@ MBEDTLS_MODE_CCM
Definition: cipher.h:216
MBEDTLS_MODE_STREAM
@ MBEDTLS_MODE_STREAM
Definition: cipher.h:215
MBEDTLS_MODE_GCM
@ MBEDTLS_MODE_GCM
Definition: cipher.h:214
MBEDTLS_MODE_CBC
@ MBEDTLS_MODE_CBC
Definition: cipher.h:210
MBEDTLS_MODE_CHACHAPOLY
@ MBEDTLS_MODE_CHACHAPOLY
Definition: cipher.h:218
mbedtls_cipher_set_padding_mode
int mbedtls_cipher_set_padding_mode(mbedtls_cipher_context_t *ctx, mbedtls_cipher_padding_t mode)
This function sets the padding mode, for cipher modes that use padding.
set
Definition: _set.h:50
split
static LPSTR * split(LPSTR s, LPINT args)
Definition: cmdcons.c:163
md5
#define md5
Definition: compat-1.3.h:2034
sha256
#define sha256
Definition: compat-1.3.h:2272
md
#define md
Definition: compat-1.3.h:2013
sha1
#define sha1
Definition: compat-1.3.h:2261
sha512
#define sha512
Definition: compat-1.3.h:2283
mbedtls_dhm_free
void mbedtls_dhm_free(mbedtls_dhm_context *ctx)
This function frees and clears the components of a DHM context.
MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN
#define MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN
Definition: dhm.h:611
mbedtls_dhm_init
void mbedtls_dhm_init(mbedtls_dhm_context *ctx)
This function initializes the DHM context.
mbedtls_dhm_calc_secret
int mbedtls_dhm_calc_secret(mbedtls_dhm_context *ctx, unsigned char *output, size_t output_size, size_t *olen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
This function derives and exports the shared secret (G^Y)^X mod P.
MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN
#define MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN
Definition: dhm.h:577
NULL
#define NULL
Definition: types.h:112
uint32_t
UINT32 uint32_t
Definition: types.h:75
uint64_t
UINT64 uint64_t
Definition: types.h:77
add_data
static int add_data(struct Vector *v, const BYTE *pData, int size)
Definition: filtermapper.c:146
inflate
int inflate(z_streamp strm, int flush)
Definition: inflate.c:1257
inflateEnd
int inflateEnd(z_streamp strm)
Definition: inflate.c:1910
Z_OK
#define Z_OK
Definition: zlib.h:114
deflate
int deflate(z_streamp strm, int flush) DECLSPEC_HIDDEN
Definition: deflate.c:815
Z_SYNC_FLUSH
#define Z_SYNC_FLUSH
Definition: zlib.h:107
deflateEnd
int deflateEnd(z_streamp strm) DECLSPEC_HIDDEN
Definition: deflate.c:1130
Z_DEFAULT_COMPRESSION
#define Z_DEFAULT_COMPRESSION
Definition: zlib.h:130
cleanup
static void cleanup(void)
Definition: main.c:1335
tls1_prf
static BOOL tls1_prf(HCRYPTPROV hProv, HCRYPTPROV hSecret, const PCRYPT_DATA_BLOB pblobLabel, const PCRYPT_DATA_BLOB pblobSeed, BYTE *pbBuffer, DWORD dwBufferLen)
Definition: rsaenh.c:1624
int
unsigned int(__cdecl typeof(jpeg_read_scanlines))(struct jpeg_decompress_struct *
Definition: typeof.h:31
char
unsigned char
Definition: typeof.h:29
size_t
__kernel_size_t size_t
Definition: linux.h:237
ptrdiff_t
__kernel_ptrdiff_t ptrdiff_t
Definition: linux.h:247
mbedtls_ecdh_calc_secret
int mbedtls_ecdh_calc_secret(mbedtls_ecdh_context *ctx, size_t *olen, unsigned char *buf, size_t blen, int(*f_rng)(void *, unsigned char *, size_t), void *p_rng)
This function derives and exports the shared secret.
mbedtls_ecdh_free
void mbedtls_ecdh_free(mbedtls_ecdh_context *ctx)
This function frees a context.
mbedtls_ecdh_init
void mbedtls_ecdh_init(mbedtls_ecdh_context *ctx)
This function initializes an ECDH context.
mbedtls_ecjpake_role
mbedtls_ecjpake_role
Definition: ecjpake.h:84
MBEDTLS_ECJPAKE_CLIENT
@ MBEDTLS_ECJPAKE_CLIENT
Definition: ecjpake.h:85
MBEDTLS_ECJPAKE_SERVER
@ MBEDTLS_ECJPAKE_SERVER
Definition: ecjpake.h:86
mbedtls_ecjpake_setup
int mbedtls_ecjpake_setup(mbedtls_ecjpake_context *ctx, mbedtls_ecjpake_role role, mbedtls_md_type_t hash, mbedtls_ecp_group_id curve, const unsigned char *secret, size_t len)
Set up an ECJPAKE context for use.
mbedtls_ecjpake_init
void mbedtls_ecjpake_init(mbedtls_ecjpake_context *ctx)
Initialize an ECJPAKE context.
mbedtls_ecjpake_free
void mbedtls_ecjpake_free(mbedtls_ecjpake_context *ctx)
This clears an ECJPAKE context and frees any embedded data structure.
mbedtls_ecp_grp_id_list
const mbedtls_ecp_group_id * mbedtls_ecp_grp_id_list(void)
This function retrieves the list of internal group identifiers of all supported curves in the order o...
MBEDTLS_ERR_ECP_IN_PROGRESS
#define MBEDTLS_ERR_ECP_IN_PROGRESS
Definition: ecp.h:87
mbedtls_ecp_group_id
mbedtls_ecp_group_id
Definition: ecp.h:103
MBEDTLS_ECP_DP_SECP384R1
@ MBEDTLS_ECP_DP_SECP384R1
Definition: ecp.h:108
MBEDTLS_ECP_DP_NONE
@ MBEDTLS_ECP_DP_NONE
Definition: ecp.h:104
MBEDTLS_ECP_DP_SECP256R1
@ MBEDTLS_ECP_DP_SECP256R1
Definition: ecp.h:107
cur
FxCollectionEntry * cur
Definition: fxresourceapi.cpp:412
level
GLint level
Definition: gl.h:1546
type
GLuint GLuint GLsizei GLenum type
Definition: gl.h:1545
end
GLuint GLuint end
Definition: gl.h:1545
data
GLint GLenum GLsizei GLsizei GLsizei GLint GLsizei const GLvoid * data
Definition: gl.h:1950
n
GLdouble n
Definition: glext.h:7729
transform
GLuint GLenum GLenum transform
Definition: glext.h:9407
src
GLenum src
Definition: glext.h:6340
mask
GLenum GLint GLuint mask
Definition: glext.h:6028
limit
GLint limit
Definition: glext.h:10326
mode
GLenum mode
Definition: glext.h:6217
buf
GLenum GLuint GLenum GLsizei const GLchar * buf
Definition: glext.h:7751
in
GLuint in
Definition: glext.h:9616
dst
GLenum GLenum dst
Definition: glext.h:6340
flags
GLbitfield flags
Definition: glext.h:7161
p
GLfloat GLfloat p
Definition: glext.h:8902
key1
GLuint64EXT GLuint GLuint GLenum GLenum GLuint GLuint GLenum GLuint GLuint key1
Definition: glext.h:10608
len
GLenum GLsizei len
Definition: glext.h:6722
usage
GLsizeiptr const GLvoid GLenum usage
Definition: glext.h:5919
offset
GLintptr offset
Definition: glext.h:5920
i
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint i
Definition: glfuncs.h:248
j
GLsizei GLenum const GLvoid GLsizei GLenum GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLint GLint GLint GLshort GLshort GLshort GLubyte GLubyte GLubyte GLuint GLuint GLuint GLushort GLushort GLushort GLbyte GLbyte GLbyte GLbyte GLdouble GLdouble GLdouble GLdouble GLfloat GLfloat GLfloat GLfloat GLint GLint GLint GLint GLshort GLshort GLshort GLshort GLubyte GLubyte GLubyte GLubyte GLuint GLuint GLuint GLuint GLushort GLushort GLushort GLushort GLboolean const GLdouble const GLfloat const GLint const GLshort const GLbyte const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLdouble const GLfloat const GLfloat const GLint const GLint const GLshort const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort const GLdouble const GLfloat const GLint const GLshort GLenum GLenum GLenum GLfloat GLenum GLint GLenum GLenum GLenum GLfloat GLenum GLenum GLint GLenum GLfloat GLenum GLint GLint GLushort GLenum GLenum GLfloat GLenum GLenum GLint GLfloat const GLubyte GLenum GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLint GLint GLsizei GLsizei GLint GLenum GLenum const GLvoid GLenum GLenum const GLfloat GLenum GLenum const GLint GLenum GLenum const GLdouble GLenum GLenum const GLfloat GLenum GLenum const GLint GLsizei GLuint GLfloat GLuint GLbitfield GLfloat GLint GLuint GLboolean GLenum GLfloat GLenum GLbitfield GLenum GLfloat GLfloat GLint GLint const GLfloat GLenum GLfloat GLfloat GLint GLint GLfloat GLfloat GLint GLint const GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat GLint GLfloat GLfloat const GLdouble const GLfloat const GLdouble const GLfloat GLint GLint GLint j
Definition: glfuncs.h:250
mbedtls_asn1_buf::len
size_t len
Definition: asn1.h:162
mbedtls_asn1_buf::p
unsigned char * p
Definition: asn1.h:163
MBEDTLS_OID_SIZE
#define MBEDTLS_OID_SIZE(x)
Definition: asn1.h:135
mbedtls_x509_crt_parse_der
int mbedtls_x509_crt_parse_der(mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen)
Parse a single DER formatted certificate and add it to the chained list.
mbedtls_x509_crt_init
void mbedtls_x509_crt_init(mbedtls_x509_crt *crt)
Initialize a certificate (chain)
mbedtls_x509_crt_check_key_usage
int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, unsigned int usage)
Check usage of certificate against keyUsage extension.
MBEDTLS_X509_BADCERT_NOT_TRUSTED
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED
Definition: x509.h:116
MBEDTLS_X509_BADCERT_SKIP_VERIFY
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY
Definition: x509.h:120
MBEDTLS_X509_BADCERT_KEY_USAGE
#define MBEDTLS_X509_BADCERT_KEY_USAGE
Definition: x509.h:124
MBEDTLS_X509_KU_DIGITAL_SIGNATURE
#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE
Definition: x509.h:141
mbedtls_x509_crt_verify_restartable
int mbedtls_x509_crt_verify_restartable(mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, const char *cn, uint32_t *flags, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx)
Restartable version of mbedtls_crt_verify_with_profile()
MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG
Definition: x509.h:97
mbedtls_x509_crt::raw
mbedtls_x509_buf raw
Definition: x509_crt.h:80
MBEDTLS_X509_BADCERT_EXPIRED
#define MBEDTLS_X509_BADCERT_EXPIRED
Definition: x509.h:113
mbedtls_x509_crt::pk
mbedtls_pk_context pk
Definition: x509_crt.h:96
MBEDTLS_X509_BADCERT_CN_MISMATCH
#define MBEDTLS_X509_BADCERT_CN_MISMATCH
Definition: x509.h:115
MBEDTLS_X509_BADCERT_OTHER
#define MBEDTLS_X509_BADCERT_OTHER
Definition: x509.h:121
MBEDTLS_X509_BADCERT_MISSING
#define MBEDTLS_X509_BADCERT_MISSING
Definition: x509.h:119
MBEDTLS_X509_BADCERT_BAD_PK
#define MBEDTLS_X509_BADCERT_BAD_PK
Definition: x509.h:128
mbedtls_x509_crt_profile_default
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default
MBEDTLS_X509_BADCERT_NS_CERT_TYPE
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE
Definition: x509.h:126
mbedtls_x509_crt_free
void mbedtls_x509_crt_free(mbedtls_x509_crt *crt)
Unallocate all certificate data.
MBEDTLS_ERR_X509_UNKNOWN_VERSION
#define MBEDTLS_ERR_X509_UNKNOWN_VERSION
Definition: x509.h:96
MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED
Definition: x509.h:99
MBEDTLS_X509_KU_KEY_AGREEMENT
#define MBEDTLS_X509_KU_KEY_AGREEMENT
Definition: x509.h:145
MBEDTLS_X509_BADCERT_EXT_KEY_USAGE
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE
Definition: x509.h:125
mbedtls_x509_crt::next
struct mbedtls_x509_crt * next
Definition: x509_crt.h:118
MBEDTLS_ERR_X509_ALLOC_FAILED
#define MBEDTLS_ERR_X509_ALLOC_FAILED
Definition: x509.h:102
mbedtls_x509_crt_check_extended_key_usage
int mbedtls_x509_crt_check_extended_key_usage(const mbedtls_x509_crt *crt, const char *usage_oid, size_t usage_len)
Check usage of certificate against extendedKeyUsage.
MBEDTLS_X509_KU_KEY_ENCIPHERMENT
#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT
Definition: x509.h:143
MBEDTLS_X509_BADCERT_REVOKED
#define MBEDTLS_X509_BADCERT_REVOKED
Definition: x509.h:114
MBEDTLS_X509_BADCERT_BAD_KEY
#define MBEDTLS_X509_BADCERT_BAD_KEY
Definition: x509.h:129
mbedtls_x509_crt_profile_suiteb
const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb
obuf
static char obuf[100]
Definition: i386-dis.c:1281
SIZE_MAX
#define SIZE_MAX
Definition: limits.h:75
INT_MAX
#define INT_MAX
Definition: limits.h:40
mbedtls_sha1_free
void mbedtls_sha1_free(mbedtls_sha1_context *ctx)
This function clears a SHA-1 context.
mbedtls_sha1_clone
void mbedtls_sha1_clone(mbedtls_sha1_context *dst, const mbedtls_sha1_context *src)
This function clones the state of a SHA-1 context.
mbedtls_sha1_update_ret
int mbedtls_sha1_update_ret(mbedtls_sha1_context *ctx, const unsigned char *input, size_t ilen)
This function feeds an input buffer into an ongoing SHA-1 checksum calculation.
mbedtls_sha1_starts_ret
int mbedtls_sha1_starts_ret(mbedtls_sha1_context *ctx)
This function starts a SHA-1 checksum calculation.
mbedtls_sha1
MBEDTLS_DEPRECATED void mbedtls_sha1(const unsigned char *input, size_t ilen, unsigned char output[20])
This function calculates the SHA-1 checksum of a buffer.
mbedtls_sha1_finish_ret
int mbedtls_sha1_finish_ret(mbedtls_sha1_context *ctx, unsigned char output[20])
This function finishes the SHA-1 operation, and writes the result to the output buffer.
mbedtls_sha1_init
void mbedtls_sha1_init(mbedtls_sha1_context *ctx)
This function initializes a SHA-1 context.
desired
int desired
Definition: jpeglib.h:1119
block_size
static DWORD block_size(DWORD block)
Definition: jsutils.c:66
profile
#define profile
Definition: kernel32.h:12
mbedtls_md_setup
int mbedtls_md_setup(mbedtls_md_context_t *ctx, const mbedtls_md_info_t *md_info, int hmac)
This function selects the message digest algorithm to use, and allocates internal structures.
mbedtls_md_type_t
mbedtls_md_type_t
Supported message digests.
Definition: md.h:83
MBEDTLS_MD_SHA512
@ MBEDTLS_MD_SHA512
Definition: md.h:92
MBEDTLS_MD_MD5
@ MBEDTLS_MD_MD5
Definition: md.h:87
MBEDTLS_MD_SHA384
@ MBEDTLS_MD_SHA384
Definition: md.h:91
MBEDTLS_MD_NONE
@ MBEDTLS_MD_NONE
Definition: md.h:84
MBEDTLS_MD_SHA256
@ MBEDTLS_MD_SHA256
Definition: md.h:90
MBEDTLS_MD_SHA224
@ MBEDTLS_MD_SHA224
Definition: md.h:89
MBEDTLS_MD_SHA1
@ MBEDTLS_MD_SHA1
Definition: md.h:88
mbedtls_md_starts
int mbedtls_md_starts(mbedtls_md_context_t *ctx)
This function starts a message-digest computation.
mbedtls_md_hmac_reset
int mbedtls_md_hmac_reset(mbedtls_md_context_t *ctx)
This function prepares to authenticate a new message with the same key as the previous HMAC operation...
mbedtls_md_clone
int mbedtls_md_clone(mbedtls_md_context_t *dst, const mbedtls_md_context_t *src)
This function clones the state of an message-digest context.
mbedtls_md_get_type
mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info)
This function extracts the message-digest type from the message-digest information structure.
mbedtls_md_hmac_finish
int mbedtls_md_hmac_finish(mbedtls_md_context_t *ctx, unsigned char *output)
This function finishes the HMAC operation, and writes the result to the output buffer.
mbedtls_md_update
int mbedtls_md_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen)
This function feeds an input buffer into an ongoing message-digest computation.
mbedtls_md_hmac_update
int mbedtls_md_hmac_update(mbedtls_md_context_t *ctx, const unsigned char *input, size_t ilen)
This function feeds an input buffer into an ongoing HMAC computation.
mbedtls_md_hmac_starts
int mbedtls_md_hmac_starts(mbedtls_md_context_t *ctx, const unsigned char *key, size_t keylen)
This function sets the HMAC key and prepares to authenticate a new message.
MBEDTLS_MD_MAX_SIZE
#define MBEDTLS_MD_MAX_SIZE
Definition: md.h:97
mbedtls_md_init
void mbedtls_md_init(mbedtls_md_context_t *ctx)
This function initializes a message-digest context without binding it to a particular message-digest ...
mbedtls_md_finish
int mbedtls_md_finish(mbedtls_md_context_t *ctx, unsigned char *output)
This function finishes the digest operation, and writes the result to the output buffer.
mbedtls_md_get_size
unsigned char mbedtls_md_get_size(const mbedtls_md_info_t *md_info)
This function extracts the message-digest size from the message-digest information structure.
mbedtls_md_free
void mbedtls_md_free(mbedtls_md_context_t *ctx)
This function clears the internal structure of ctx and frees any embedded internal structure,...
aux
static const WCHAR aux[]
Definition: metadataquery.c:824
error
#define error(str)
Definition: mkdosfs.c:1605
memcpy
#define memcpy(s1, s2, n)
Definition: mkisofs.h:878
memmove
#define memmove(s1, s2, n)
Definition: mkisofs.h:881
label
static const WCHAR label[]
Definition: itemdlg.c:1546
cert
static BYTE cert[]
Definition: msg.c:1437
secret
static DATA_BLOB CRYPTPROTECT_PROMPTSTRUCT DATA_BLOB *static LPWSTR DATA_BLOB CRYPTPROTECT_PROMPTSTRUCT DATA_BLOB *static char secret[]
Definition: protectdata.c:33
padding
static const DWORD padding[]
Definition: mciwnd.c:89
shift
#define shift
Definition: input.c:1755
min
#define min(a, b)
Definition: monoChain.cc:55
k
int k
Definition: mpi.c:3369
uint8_t
BYTE uint8_t
Definition: msvideo1.c:66
uint64_t
#define uint64_t
Definition: nsiface.idl:62
oid.h
Object Identifier (OID) database.
MBEDTLS_OID_CLIENT_AUTH
#define MBEDTLS_OID_CLIENT_AUTH
Definition: oid.h:205
MBEDTLS_ERR_OID_NOT_FOUND
#define MBEDTLS_ERR_OID_NOT_FOUND
Definition: oid.h:75
MBEDTLS_OID_SERVER_AUTH
#define MBEDTLS_OID_SERVER_AUTH
Definition: oid.h:204
mbedtls_pk_can_do
int mbedtls_pk_can_do(const mbedtls_pk_context *ctx, mbedtls_pk_type_t type)
Tell if a context can do the operation given by type.
mbedtls_pk_type_t
mbedtls_pk_type_t
Public key types.
Definition: pk.h:103
MBEDTLS_PK_NONE
@ MBEDTLS_PK_NONE
Definition: pk.h:104
MBEDTLS_PK_ECDSA
@ MBEDTLS_PK_ECDSA
Definition: pk.h:108
MBEDTLS_PK_RSA
@ MBEDTLS_PK_RSA
Definition: pk.h:105
MBEDTLS_PK_ECKEY
@ MBEDTLS_PK_ECKEY
Definition: pk.h:106
mbedtls_pk_ec
static mbedtls_ecp_keypair * mbedtls_pk_ec(const mbedtls_pk_context pk)
Definition: pk.h:195
mbedtls_platform_zeroize
void mbedtls_platform_zeroize(void *buf, size_t len)
Securely zeroize a buffer.
Definition: platform_util.c:98
platform_util.h
Common and shared functions used by multiple modules in the Mbed TLS library.
minor
#define minor(rdev)
Definition: propsheet.cpp:929
major
#define major(rdev)
Definition: propsheet.cpp:928
next
static unsigned __int64 next
Definition: rand_nt.c:6
out
static FILE * out
Definition: regtests2xml.c:44
random
#define random
Definition: rosdhcp.h:81
mbedtls_ssl_free
#define mbedtls_ssl_free
Definition: schannel_mbedtls_lazyload.h:149
mbedtls_ssl_get_max_frag_len
#define mbedtls_ssl_get_max_frag_len
Definition: schannel_mbedtls_lazyload.h:152
mbedtls_md_info_from_type
#define mbedtls_md_info_from_type
Definition: schannel_mbedtls_lazyload.h:172
mbedtls_ssl_init
#define mbedtls_ssl_init
Definition: schannel_mbedtls_lazyload.h:155
mbedtls_ssl_set_hostname
#define mbedtls_ssl_set_hostname
Definition: schannel_mbedtls_lazyload.h:160
mbedtls_ssl_conf_authmode
#define mbedtls_ssl_conf_authmode
Definition: schannel_mbedtls_lazyload.h:157
mbedtls_ssl_write
#define mbedtls_ssl_write
Definition: schannel_mbedtls_lazyload.h:164
mbedtls_ssl_conf_endpoint
#define mbedtls_ssl_conf_endpoint
Definition: schannel_mbedtls_lazyload.h:159
mbedtls_cipher_info_from_type
#define mbedtls_cipher_info_from_type
Definition: schannel_mbedtls_lazyload.h:171
mbedtls_ssl_config_defaults
#define mbedtls_ssl_config_defaults
Definition: schannel_mbedtls_lazyload.h:168
mbedtls_ssl_setup
#define mbedtls_ssl_setup
Definition: schannel_mbedtls_lazyload.h:170
mbedtls_ssl_set_bio
#define mbedtls_ssl_set_bio
Definition: schannel_mbedtls_lazyload.h:158
mbedtls_ssl_conf_rng
#define mbedtls_ssl_conf_rng
Definition: schannel_mbedtls_lazyload.h:163
mbedtls_ssl_config_free
#define mbedtls_ssl_config_free
Definition: schannel_mbedtls_lazyload.h:167
mbedtls_ssl_handshake
#define mbedtls_ssl_handshake
Definition: schannel_mbedtls_lazyload.h:154
mbedtls_ssl_get_version
#define mbedtls_ssl_get_version
Definition: schannel_mbedtls_lazyload.h:153
mbedtls_ssl_get_peer_cert
#define mbedtls_ssl_get_peer_cert
Definition: schannel_mbedtls_lazyload.h:165
mbedtls_ssl_conf_max_version
#define mbedtls_ssl_conf_max_version
Definition: schannel_mbedtls_lazyload.h:161
mbedtls_ssl_read
#define mbedtls_ssl_read
Definition: schannel_mbedtls_lazyload.h:156
mbedtls_ssl_conf_min_version
#define mbedtls_ssl_conf_min_version
Definition: schannel_mbedtls_lazyload.h:162
mbedtls_ssl_conf_dbg
#define mbedtls_ssl_conf_dbg
Definition: schannel_mbedtls_lazyload.h:169
mbedtls_ssl_config_init
#define mbedtls_ssl_config_init
Definition: schannel_mbedtls_lazyload.h:166
mbedtls_ssl_get_ciphersuite
#define mbedtls_ssl_get_ciphersuite
Definition: schannel_mbedtls_lazyload.h:150
config.h
Configuration options (set of defines)
MBEDTLS_SSL_RENEGOTIATION
#define MBEDTLS_SSL_RENEGOTIATION
Definition: config.h:1518
MBEDTLS_SSL_ENCRYPT_THEN_MAC
#define MBEDTLS_SSL_ENCRYPT_THEN_MAC
Definition: config.h:1439
debug.h
Functions for controlling and providing debug output from the library.
MBEDTLS_SSL_DEBUG_RET
#define MBEDTLS_SSL_DEBUG_RET(level, text, ret)
Definition: debug.h:101
MBEDTLS_SSL_DEBUG_ECDH
#define MBEDTLS_SSL_DEBUG_ECDH(level, ecdh, attr)
Definition: debug.h:106
MBEDTLS_SSL_DEBUG_CRT
#define MBEDTLS_SSL_DEBUG_CRT(level, text, crt)
Definition: debug.h:105
MBEDTLS_SSL_DEBUG_MSG
#define MBEDTLS_SSL_DEBUG_MSG(level, args)
Definition: debug.h:100
MBEDTLS_SSL_DEBUG_MPI
#define MBEDTLS_SSL_DEBUG_MPI(level, text, X)
Definition: debug.h:103
MBEDTLS_SSL_DEBUG_BUF
#define MBEDTLS_SSL_DEBUG_BUF(level, text, buf, len)
Definition: debug.h:102
MBEDTLS_DEBUG_ECDH_Z
@ MBEDTLS_DEBUG_ECDH_Z
Definition: debug.h:260
mbedtls_md5_clone
void mbedtls_md5_clone(mbedtls_md5_context *dst, const mbedtls_md5_context *src)
Clone (the state of) an MD5 context.
mbedtls_md5
MBEDTLS_DEPRECATED void mbedtls_md5(const unsigned char *input, size_t ilen, unsigned char output[16])
Output = MD5( input buffer )
mbedtls_md5_free
void mbedtls_md5_free(mbedtls_md5_context *ctx)
Clear MD5 context.
mbedtls_md5_starts_ret
int mbedtls_md5_starts_ret(mbedtls_md5_context *ctx)
MD5 context setup.
mbedtls_md5_init
void mbedtls_md5_init(mbedtls_md5_context *ctx)
Initialize MD5 context.
mbedtls_md5_update_ret
int mbedtls_md5_update_ret(mbedtls_md5_context *ctx, const unsigned char *input, size_t ilen)
MD5 process buffer.
mbedtls_md5_finish_ret
int mbedtls_md5_finish_ret(mbedtls_md5_context *ctx, unsigned char output[16])
MD5 final digest.
platform.h
This file contains the definitions and functions of the Mbed TLS platform abstraction layer.
mbedtls_free
#define mbedtls_free
Definition: platform.h:168
mbedtls_calloc
#define mbedtls_calloc
Definition: platform.h:169
inflateInit
#define inflateInit(strm)
Definition: zlib.h:1812
deflateInit
#define deflateInit(strm, level)
Definition: zlib.h:1810
S2
#define S2(x)
Definition: test.h:219
S1
#define S1(x)
Definition: test.h:218
flush
int flush
Definition: zlib.h:309
exit
#define exit(n)
Definition: config.h:202
memset
#define memset(x, y, z)
Definition: compat.h:39
mbedtls_sha256_free
void mbedtls_sha256_free(mbedtls_sha256_context *ctx)
This function clears a SHA-256 context.
mbedtls_sha256_init
void mbedtls_sha256_init(mbedtls_sha256_context *ctx)
This function initializes a SHA-256 context.
mbedtls_sha256_clone
void mbedtls_sha256_clone(mbedtls_sha256_context *dst, const mbedtls_sha256_context *src)
This function clones the state of a SHA-256 context.
mbedtls_sha256_finish_ret
int mbedtls_sha256_finish_ret(mbedtls_sha256_context *ctx, unsigned char output[32])
This function finishes the SHA-256 operation, and writes the result to the output buffer.
mbedtls_sha256_starts_ret
int mbedtls_sha256_starts_ret(mbedtls_sha256_context *ctx, int is224)
This function starts a SHA-224 or SHA-256 checksum calculation.
mbedtls_sha256_update_ret
int mbedtls_sha256_update_ret(mbedtls_sha256_context *ctx, const unsigned char *input, size_t ilen)
This function feeds an input buffer into an ongoing SHA-256 checksum calculation.
mbedtls_sha512_clone
void mbedtls_sha512_clone(mbedtls_sha512_context *dst, const mbedtls_sha512_context *src)
This function clones the state of a SHA-512 context.
mbedtls_sha512_free
void mbedtls_sha512_free(mbedtls_sha512_context *ctx)
This function clears a SHA-512 context.
mbedtls_sha512_starts_ret
int mbedtls_sha512_starts_ret(mbedtls_sha512_context *ctx, int is384)
This function starts a SHA-384 or SHA-512 checksum calculation.
mbedtls_sha512_update_ret
int mbedtls_sha512_update_ret(mbedtls_sha512_context *ctx, const unsigned char *input, size_t ilen)
This function feeds an input buffer into an ongoing SHA-512 checksum calculation.
mbedtls_sha512_finish_ret
int mbedtls_sha512_finish_ret(mbedtls_sha512_context *ctx, unsigned char output[64])
This function finishes the SHA-512 operation, and writes the result to the output buffer.
mbedtls_sha512_init
void mbedtls_sha512_init(mbedtls_sha512_context *ctx)
This function initializes a SHA-512 context.
from
CardRegion * from
Definition: spigame.cpp:19
ssl.h
SSL/TLS functions.
MBEDTLS_PSK_MAX_LEN
#define MBEDTLS_PSK_MAX_LEN
Definition: ssl.h:408
MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC
#define MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC
Definition: ssl.h:337
MBEDTLS_SSL_MAX_FRAG_LEN_2048
#define MBEDTLS_SSL_MAX_FRAG_LEN_2048
Definition: ssl.h:175
MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN
#define MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN
Definition: ssl.h:347
mbedtls_ssl_conf_read_timeout
void mbedtls_ssl_conf_read_timeout(mbedtls_ssl_config *conf, uint32_t timeout)
Set the timeout period for mbedtls_ssl_read() (Default: no timeout.)
MBEDTLS_SSL_TRUNC_HMAC_ENABLED
#define MBEDTLS_SSL_TRUNC_HMAC_ENABLED
Definition: ssl.h:216
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
#define MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE
Definition: ssl.h:341
MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH
#define MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH
Definition: ssl.h:146
mbedtls_ssl_ticket_write_t
int mbedtls_ssl_ticket_write_t(void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, const unsigned char *end, size_t *tlen, uint32_t *lifetime)
Callback type: generate and write session ticket.
Definition: ssl.h:1535
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
#define MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
Definition: ssl.h:344
mbedtls_ssl_conf_extended_master_secret
void mbedtls_ssl_conf_extended_master_secret(mbedtls_ssl_config *conf, char ems)
Enable or disable Extended Master Secret negotiation. (Default: MBEDTLS_SSL_EXTENDED_MS_ENABLED)
MBEDTLS_SSL_MAX_FRAG_LEN_512
#define MBEDTLS_SSL_MAX_FRAG_LEN_512
Definition: ssl.h:173
MBEDTLS_ERR_SSL_NON_FATAL
#define MBEDTLS_ERR_SSL_NON_FATAL
Definition: ssl.h:145
MBEDTLS_SSL_MAX_ALPN_LIST_LEN
#define MBEDTLS_SSL_MAX_ALPN_LIST_LEN
Definition: ssl.h:168
mbedtls_ssl_conf_renegotiation_period
void mbedtls_ssl_conf_renegotiation_period(mbedtls_ssl_config *conf, const unsigned char period[8])
Set record counter threshold for periodic renegotiation. (Default: 2^48 - 1)
MBEDTLS_SSL_ARC4_DISABLED
#define MBEDTLS_SSL_ARC4_DISABLED
Definition: ssl.h:226
MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
#define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
Definition: ssl.h:137
mbedtls_ssl_conf_legacy_renegotiation
void mbedtls_ssl_conf_legacy_renegotiation(mbedtls_ssl_config *conf, int allow_legacy)
Prevent or allow legacy renegotiation. (Default: MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION)
MBEDTLS_SSL_VERIFY_NONE
#define MBEDTLS_SSL_VERIFY_NONE
Definition: ssl.h:194
MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED
#define MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED
Definition: ssl.h:346
MBEDTLS_SSL_IS_CLIENT
#define MBEDTLS_SSL_IS_CLIENT
Definition: ssl.h:179
mbedtls_ssl_session_reset
int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl)
Reset an already initialized SSL context for re-use while retaining application-set variables,...
MBEDTLS_SSL_ALERT_LEVEL_WARNING
#define MBEDTLS_SSL_ALERT_LEVEL_WARNING
Definition: ssl.h:332
MBEDTLS_ERR_SSL_COMPRESSION_FAILED
#define MBEDTLS_ERR_SSL_COMPRESSION_FAILED
Definition: ssl.h:128
mbedtls_ssl_get_alpn_protocol
const char * mbedtls_ssl_get_alpn_protocol(const mbedtls_ssl_context *ssl)
Get the name of the negotiated Application Layer Protocol. This function should be called after the h...
MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
#define MBEDTLS_SSL_MAX_FRAG_LEN_INVALID
Definition: ssl.h:177
MBEDTLS_SSL_ANTI_REPLAY_DISABLED
#define MBEDTLS_SSL_ANTI_REPLAY_DISABLED
Definition: ssl.h:205
MBEDTLS_SSL_TRUNCATED_HMAC_LEN
#define MBEDTLS_SSL_TRUNCATED_HMAC_LEN
Definition: ssl.h:217
MBEDTLS_SSL_MINOR_VERSION_0
#define MBEDTLS_SSL_MINOR_VERSION_0
Definition: ssl.h:157
MBEDTLS_SSL_SIG_RSA
#define MBEDTLS_SSL_SIG_RSA
Definition: ssl.h:314
MBEDTLS_SSL_HASH_SHA1
#define MBEDTLS_SSL_HASH_SHA1
Definition: ssl.h:307
mbedtls_ssl_conf_cbc_record_splitting
void mbedtls_ssl_conf_cbc_record_splitting(mbedtls_ssl_config *conf, char split)
Enable / Disable 1/n-1 record splitting (Default: MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED)
mbedtls_ssl_conf_renegotiation_enforced
void mbedtls_ssl_conf_renegotiation_enforced(mbedtls_ssl_config *conf, int max_records)
Enforce renegotiation requests. (Default: enforced, max_records = 16)
mbedtls_ssl_conf_transport
void mbedtls_ssl_conf_transport(mbedtls_ssl_config *conf, int transport)
Set the transport type (TLS or DTLS). Default: TLS.
MBEDTLS_SSL_DTLS_MAX_BUFFERING
#define MBEDTLS_SSL_DTLS_MAX_BUFFERING
Definition: ssl.h:281
MBEDTLS_SSL_MAX_ALPN_NAME_LEN
#define MBEDTLS_SSL_MAX_ALPN_NAME_LEN
Definition: ssl.h:166
MBEDTLS_ERR_SSL_TIMEOUT
#define MBEDTLS_ERR_SSL_TIMEOUT
Definition: ssl.h:142
MBEDTLS_ERR_SSL_BAD_HS_FINISHED
#define MBEDTLS_ERR_SSL_BAD_HS_FINISHED
Definition: ssl.h:124
MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED
#define MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED
Definition: ssl.h:108
mbedtls_ssl_set_timer_cb
void mbedtls_ssl_set_timer_cb(mbedtls_ssl_context *ssl, void *p_timer, mbedtls_ssl_set_timer_t *f_set_timer, mbedtls_ssl_get_timer_t *f_get_timer)
Set the timer callbacks (Mandatory for DTLS.)
mbedtls_ssl_set_hs_ca_chain
void mbedtls_ssl_set_hs_ca_chain(mbedtls_ssl_context *ssl, mbedtls_x509_crt *ca_chain, mbedtls_x509_crl *ca_crl)
Set the data required to verify peer certificate for the current handshake.
MBEDTLS_SSL_ANTI_REPLAY_ENABLED
#define MBEDTLS_SSL_ANTI_REPLAY_ENABLED
Definition: ssl.h:206
MBEDTLS_SSL_MINOR_VERSION_1
#define MBEDTLS_SSL_MINOR_VERSION_1
Definition: ssl.h:158
mbedtls_ssl_send_t
int mbedtls_ssl_send_t(void *ctx, const unsigned char *buf, size_t len)
Callback type: send data on the network.
Definition: ssl.h:495
mbedtls_ssl_conf_sni
void mbedtls_ssl_conf_sni(mbedtls_ssl_config *conf, int(*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *p_sni)
Set server side ServerName TLS extension callback (optional, server-side only).
MBEDTLS_SSL_HANDSHAKE_OVER
@ MBEDTLS_SSL_HANDSHAKE_OVER
Definition: ssl.h:472
MBEDTLS_SSL_SERVER_FINISHED
@ MBEDTLS_SSL_SERVER_FINISHED
Definition: ssl.h:469
MBEDTLS_SSL_SERVER_HELLO
@ MBEDTLS_SSL_SERVER_HELLO
Definition: ssl.h:458
MBEDTLS_SSL_CLIENT_HELLO
@ MBEDTLS_SSL_CLIENT_HELLO
Definition: ssl.h:457
MBEDTLS_SSL_CLIENT_FINISHED
@ MBEDTLS_SSL_CLIENT_FINISHED
Definition: ssl.h:467
MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
@ MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC
Definition: ssl.h:468
MBEDTLS_SSL_HANDSHAKE_WRAPUP
@ MBEDTLS_SSL_HANDSHAKE_WRAPUP
Definition: ssl.h:471
MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
@ MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC
Definition: ssl.h:466
MBEDTLS_SSL_HELLO_REQUEST
@ MBEDTLS_SSL_HELLO_REQUEST
Definition: ssl.h:456
MBEDTLS_SSL_MINOR_VERSION_3
#define MBEDTLS_SSL_MINOR_VERSION_3
Definition: ssl.h:160
MBEDTLS_SSL_HASH_NONE
#define MBEDTLS_SSL_HASH_NONE
Definition: ssl.h:305
mbedtls_ssl_check_pending
int mbedtls_ssl_check_pending(const mbedtls_ssl_context *ssl)
Check if there is data already read from the underlying transport but not yet processed.
mbedtls_ssl_send_alert_message
int mbedtls_ssl_send_alert_message(mbedtls_ssl_context *ssl, unsigned char level, unsigned char message)
Send an alert message.
MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY
#define MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY
Definition: ssl.h:335
MBEDTLS_SSL_MSG_APPLICATION_DATA
#define MBEDTLS_SSL_MSG_APPLICATION_DATA
Definition: ssl.h:330
mbedtls_ssl_ticket_parse_t
int mbedtls_ssl_ticket_parse_t(void *p_ticket, mbedtls_ssl_session *session, unsigned char *buf, size_t len)
Callback type: parse and load session ticket.
Definition: ssl.h:1594
mbedtls_ssl_renegotiate
int mbedtls_ssl_renegotiate(mbedtls_ssl_context *ssl)
Initiate an SSL renegotiation on the running connection. Client: perform the renegotiation right now....
mbedtls_ssl_conf_own_cert
int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, mbedtls_x509_crt *own_cert, mbedtls_pk_context *pk_key)
Set own certificate chain and private key.
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
#define MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR
Definition: ssl.h:351
MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MIN
Definition: ssl.h:238
mbedtls_ssl_get_verify_result
uint32_t mbedtls_ssl_get_verify_result(const mbedtls_ssl_context *ssl)
Return the result of the certificate verification.
mbedtls_ssl_cookie_write_t
int mbedtls_ssl_cookie_write_t(void *ctx, unsigned char **p, unsigned char *end, const unsigned char *info, size_t ilen)
Callback type: generate a cookie.
Definition: ssl.h:1729
MBEDTLS_ERR_SSL_CONTINUE_PROCESSING
#define MBEDTLS_ERR_SSL_CONTINUE_PROCESSING
Definition: ssl.h:147
mbedtls_ssl_get_max_out_record_payload
int mbedtls_ssl_get_max_out_record_payload(const mbedtls_ssl_context *ssl)
Return the current maximum outgoing record payload in bytes. This takes into account the config....
MBEDTLS_SSL_HASH_SHA224
#define MBEDTLS_SSL_HASH_SHA224
Definition: ssl.h:308
mbedtls_ssl_set_timer_t
void mbedtls_ssl_set_timer_t(void *ctx, uint32_t int_ms, uint32_t fin_ms)
Callback type: set a pair of timers/delays to watch.
Definition: ssl.h:570
MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS
#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS
Definition: ssl.h:150
MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE
#define MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE
Definition: ssl.h:105
MBEDTLS_SSL_SESSION_TICKETS_ENABLED
#define MBEDTLS_SSL_SESSION_TICKETS_ENABLED
Definition: ssl.h:220
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED
Definition: ssl.h:222
MBEDTLS_ERR_SSL_BAD_INPUT_DATA
#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA
Definition: ssl.h:97
MBEDTLS_SSL_HASH_SHA256
#define MBEDTLS_SSL_HASH_SHA256
Definition: ssl.h:309
MBEDTLS_SSL_COMPRESS_NULL
#define MBEDTLS_SSL_COMPRESS_NULL
Definition: ssl.h:191
MBEDTLS_ERR_SSL_WANT_READ
#define MBEDTLS_ERR_SSL_WANT_READ
Definition: ssl.h:140
MBEDTLS_SSL_HS_FINISHED
#define MBEDTLS_SSL_HS_FINISHED
Definition: ssl.h:376
mbedtls_ssl_recv_timeout_t
int mbedtls_ssl_recv_timeout_t(void *ctx, unsigned char *buf, size_t len, uint32_t timeout)
Callback type: receive data from the network, with timeout.
Definition: ssl.h:544
MBEDTLS_SSL_IS_SERVER
#define MBEDTLS_SSL_IS_SERVER
Definition: ssl.h:180
MBEDTLS_SSL_LEGACY_RENEGOTIATION
#define MBEDTLS_SSL_LEGACY_RENEGOTIATION
Definition: ssl.h:199
MBEDTLS_ERR_SSL_ALLOC_FAILED
#define MBEDTLS_ERR_SSL_ALLOC_FAILED
Definition: ssl.h:125
MBEDTLS_SSL_HS_HELLO_REQUEST
#define MBEDTLS_SSL_HS_HELLO_REQUEST
Definition: ssl.h:365
MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
#define MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA
Definition: ssl.h:349
MBEDTLS_SSL_EXTENDED_MS_ENABLED
#define MBEDTLS_SSL_EXTENDED_MS_ENABLED
Definition: ssl.h:186
MBEDTLS_SSL_ALERT_MSG_NO_CERT
#define MBEDTLS_SSL_ALERT_MSG_NO_CERT
Definition: ssl.h:342
mbedtls_ssl_conf_sig_hashes
void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf, const int *hashes)
Set the allowed hashes for signatures during the handshake. (Default: all SHA-2 hashes,...
mbedtls_ssl_conf_truncated_hmac
void mbedtls_ssl_conf_truncated_hmac(mbedtls_ssl_config *conf, int truncate)
Activate negotiation of truncated HMAC (Default: MBEDTLS_SSL_TRUNC_HMAC_DISABLED)
mbedtls_ssl_conf_cert_profile
void mbedtls_ssl_conf_cert_profile(mbedtls_ssl_config *conf, const mbedtls_x509_crt_profile *profile)
Set the X.509 security profile used for verification.
MBEDTLS_SSL_VERIFY_OPTIONAL
#define MBEDTLS_SSL_VERIFY_OPTIONAL
Definition: ssl.h:195
mbedtls_ssl_session_init
void mbedtls_ssl_session_init(mbedtls_ssl_session *session)
Initialize SSL session structure.
MBEDTLS_SSL_HASH_MD5
#define MBEDTLS_SSL_HASH_MD5
Definition: ssl.h:306
MBEDTLS_ERR_SSL_UNEXPECTED_RECORD
#define MBEDTLS_ERR_SSL_UNEXPECTED_RECORD
Definition: ssl.h:144
MBEDTLS_SSL_VERIFY_DATA_MAX_LEN
#define MBEDTLS_SSL_VERIFY_DATA_MAX_LEN
Definition: ssl.h:292
MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
#define MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC
Definition: ssl.h:327
mbedtls_ssl_set_hs_authmode
void mbedtls_ssl_set_hs_authmode(mbedtls_ssl_context *ssl, int authmode)
Set authmode for the current handshake.
mbedtls_ssl_conf_ca_chain
void mbedtls_ssl_conf_ca_chain(mbedtls_ssl_config *conf, mbedtls_x509_crt *ca_chain, mbedtls_x509_crl *ca_crl)
Set the data required to verify peer certificate.
MBEDTLS_SSL_PRESET_SUITEB
#define MBEDTLS_SSL_PRESET_SUITEB
Definition: ssl.h:229
MBEDTLS_SSL_ALERT_LEVEL_FATAL
#define MBEDTLS_SSL_ALERT_LEVEL_FATAL
Definition: ssl.h:333
MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
#define MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION
Definition: ssl.h:211
MBEDTLS_SSL_MSG_ALERT
#define MBEDTLS_SSL_MSG_ALERT
Definition: ssl.h:328
MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION
#define MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION
Definition: ssl.h:359
mbedtls_ssl_set_session
int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session)
Request resumption of session (client-side only) Session data is copied from presented session struct...
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR
#define MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR
Definition: ssl.h:356
mbedtls_ssl_get_record_expansion
int mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context *ssl)
Return the (maximum) number of bytes added by the record layer: header + encryption/MAC overhead (inc...
MBEDTLS_SSL_MAX_FRAG_LEN_NONE
#define MBEDTLS_SSL_MAX_FRAG_LEN_NONE
Definition: ssl.h:172
mbedtls_ssl_conf_session_tickets
void mbedtls_ssl_conf_session_tickets(mbedtls_ssl_config *conf, int use_tickets)
Enable / Disable session tickets (client only). (Default: MBEDTLS_SSL_SESSION_TICKETS_ENABLED....
MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
#define MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE
Definition: ssl.h:115
mbedtls_ssl_cookie_check_t
int mbedtls_ssl_cookie_check_t(void *ctx, const unsigned char *cookie, size_t clen, const unsigned char *info, size_t ilen)
Callback type: verify a cookie.
Definition: ssl.h:1746
MBEDTLS_SSL_MAJOR_VERSION_3
#define MBEDTLS_SSL_MAJOR_VERSION_3
Definition: ssl.h:156
mbedtls_ssl_conf_dhm_min_bitlen
void mbedtls_ssl_conf_dhm_min_bitlen(mbedtls_ssl_config *conf, unsigned int bitlen)
Set the minimum length for Diffie-Hellman parameters. (Client-side only.) (Default: 1024 bits....
mbedtls_ssl_conf_arc4_support
void mbedtls_ssl_conf_arc4_support(mbedtls_ssl_config *conf, char arc4)
Disable or enable support for RC4 (Default: MBEDTLS_SSL_ARC4_DISABLED)
MBEDTLS_SSL_MINOR_VERSION_2
#define MBEDTLS_SSL_MINOR_VERSION_2
Definition: ssl.h:159
mbedtls_ssl_set_hs_own_cert
int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert, mbedtls_pk_context *pk_key)
Set own certificate and key for the current handshake.
MBEDTLS_SSL_HS_CERTIFICATE
#define MBEDTLS_SSL_HS_CERTIFICATE
Definition: ssl.h:370
mbedtls_ssl_conf_ciphersuites_for_version
void mbedtls_ssl_conf_ciphersuites_for_version(mbedtls_ssl_config *conf, const int *ciphersuites, int major, int minor)
Set the list of allowed ciphersuites and the preference order for a specific version of the protocol....
MBEDTLS_SSL_SIG_ECDSA
#define MBEDTLS_SSL_SIG_ECDSA
Definition: ssl.h:315
MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE
#define MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE
Definition: ssl.h:104
MBEDTLS_SSL_IN_CONTENT_LEN
#define MBEDTLS_SSL_IN_CONTENT_LEN
Definition: ssl.h:269
mbedtls_ssl_handshake_step
int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
Perform a single step of the SSL handshake.
MBEDTLS_ERR_SSL_INVALID_RECORD
#define MBEDTLS_ERR_SSL_INVALID_RECORD
Definition: ssl.h:99
mbedtls_ssl_conf_renegotiation
void mbedtls_ssl_conf_renegotiation(mbedtls_ssl_config *conf, int renegotiation)
Enable / Disable renegotiation support for connection when initiated by peer (Default: MBEDTLS_SSL_RE...
MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE
#define MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE
Definition: ssl.h:336
MBEDTLS_SSL_RENEGOTIATION_DISABLED
#define MBEDTLS_SSL_RENEGOTIATION_DISABLED
Definition: ssl.h:202
mbedtls_ssl_get_ciphersuite_name
const char * mbedtls_ssl_get_ciphersuite_name(const int ciphersuite_id)
Return the name of the ciphersuite associated with the given ID.
MBEDTLS_SSL_ETM_ENABLED
#define MBEDTLS_SSL_ETM_ENABLED
Definition: ssl.h:189
MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
#define MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED
Definition: ssl.h:223
MBEDTLS_ERR_SSL_CONN_EOF
#define MBEDTLS_ERR_SSL_CONN_EOF
Definition: ssl.h:100
MBEDTLS_SSL_ETM_DISABLED
#define MBEDTLS_SSL_ETM_DISABLED
Definition: ssl.h:188
MBEDTLS_SSL_HASH_SHA384
#define MBEDTLS_SSL_HASH_SHA384
Definition: ssl.h:310
MBEDTLS_SSL_COMPRESS_DEFLATE
#define MBEDTLS_SSL_COMPRESS_DEFLATE
Definition: ssl.h:192
MBEDTLS_SSL_TRANSPORT_DATAGRAM
#define MBEDTLS_SSL_TRANSPORT_DATAGRAM
Definition: ssl.h:163
mbedtls_ssl_recv_t
int mbedtls_ssl_recv_t(void *ctx, unsigned char *buf, size_t len)
Callback type: receive data from the network.
Definition: ssl.h:518
mbedtls_ssl_session_free
void mbedtls_ssl_session_free(mbedtls_ssl_session *session)
Free referenced items in an SSL session including the peer certificate and clear memory.
MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED
#define MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED
Definition: ssl.h:345
mbedtls_ssl_close_notify
int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl)
Notify the peer that the connection is being closed.
MBEDTLS_SSL_SIG_ANON
#define MBEDTLS_SSL_SIG_ANON
Definition: ssl.h:313
MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY
#define MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY
Definition: ssl.h:112
MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
#define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST
Definition: ssl.h:368
mbedtls_ssl_conf_max_frag_len
int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code)
Set the maximum fragment length to emit and/or negotiate. (Typical: the smaller of MBEDTLS_SSL_IN_CON...
MBEDTLS_ERR_SSL_INVALID_MAC
#define MBEDTLS_ERR_SSL_INVALID_MAC
Definition: ssl.h:98
MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
#define MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO
Definition: ssl.h:113
mbedtls_ssl_conf_ciphersuites
void mbedtls_ssl_conf_ciphersuites(mbedtls_ssl_config *conf, const int *ciphersuites)
Set the list of allowed ciphersuites and the preference order. First in the list has the highest pref...
MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE
#define MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE
Definition: ssl.h:110
MBEDTLS_SSL_VERIFY_REQUIRED
#define MBEDTLS_SSL_VERIFY_REQUIRED
Definition: ssl.h:196
MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
#define MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED
Definition: ssl.h:106
MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED
#define MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED
Definition: ssl.h:350
MBEDTLS_SSL_MAX_FRAG_LEN_1024
#define MBEDTLS_SSL_MAX_FRAG_LEN_1024
Definition: ssl.h:174
mbedtls_ssl_get_bytes_avail
size_t mbedtls_ssl_get_bytes_avail(const mbedtls_ssl_context *ssl)
Return the number of application data bytes remaining to be read from the current record.
mbedtls_ssl_get_session
int mbedtls_ssl_get_session(const mbedtls_ssl_context *ssl, mbedtls_ssl_session *session)
Save session in order to resume it later (client-side only) Session data is copied to presented sessi...
MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
Definition: ssl.h:138
MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX
#define MBEDTLS_SSL_DTLS_TIMEOUT_DFL_MAX
Definition: ssl.h:239
MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
#define MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE
Definition: ssl.h:109
MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
#define MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO
Definition: ssl.h:136
mbedtls_ssl_get_timer_t
int mbedtls_ssl_get_timer_t(void *ctx)
Callback type: get status of timers/delays.
Definition: ssl.h:585
MBEDTLS_SSL_MAX_FRAG_LEN_4096
#define MBEDTLS_SSL_MAX_FRAG_LEN_4096
Definition: ssl.h:176
MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
#define MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
Definition: ssl.h:231
mbedtls_ssl_conf_curves
void mbedtls_ssl_conf_curves(mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves)
Set the allowed curves in order of preference. (Default: all defined curves in order of decreasing si...
mbedtls_ssl_conf_alpn_protocols
int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char **protos)
Set the supported Application Layer Protocols.
MBEDTLS_SSL_ALERT_MSG_BAD_CERT
#define MBEDTLS_SSL_ALERT_MSG_BAD_CERT
Definition: ssl.h:343
MBEDTLS_SSL_OUT_CONTENT_LEN
#define MBEDTLS_SSL_OUT_CONTENT_LEN
Definition: ssl.h:273
MBEDTLS_SSL_HS_CLIENT_HELLO
#define MBEDTLS_SSL_HS_CLIENT_HELLO
Definition: ssl.h:366
MBEDTLS_ERR_SSL_COUNTER_WRAPPING
#define MBEDTLS_ERR_SSL_COUNTER_WRAPPING
Definition: ssl.h:135
MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
#define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE
Definition: ssl.h:96
MBEDTLS_SSL_HASH_SHA512
#define MBEDTLS_SSL_HASH_SHA512
Definition: ssl.h:311
MBEDTLS_SSL_VERIFY_UNSET
#define MBEDTLS_SSL_VERIFY_UNSET
Definition: ssl.h:197
MBEDTLS_SSL_MAX_HOST_NAME_LEN
#define MBEDTLS_SSL_MAX_HOST_NAME_LEN
Definition: ssl.h:165
MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
#define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED
Definition: ssl.h:126
MBEDTLS_ERR_SSL_INTERNAL_ERROR
#define MBEDTLS_ERR_SSL_INTERNAL_ERROR
Definition: ssl.h:134
MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT
#define MBEDTLS_SSL_RENEGO_MAX_RECORDS_DEFAULT
Definition: ssl.h:209
MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR
#define MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR
Definition: ssl.h:352
MBEDTLS_ERR_SSL_CLIENT_RECONNECT
#define MBEDTLS_ERR_SSL_CLIENT_RECONNECT
Definition: ssl.h:143
MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH
#define MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH
Definition: ssl.h:127
MBEDTLS_SSL_MSG_HANDSHAKE
#define MBEDTLS_SSL_MSG_HANDSHAKE
Definition: ssl.h:329
mbedtls_ssl_conf_encrypt_then_mac
void mbedtls_ssl_conf_encrypt_then_mac(mbedtls_ssl_config *conf, char etm)
Enable or disable Encrypt-then-MAC (Default: MBEDTLS_SSL_ETM_ENABLED)
mbedtls_ssl_conf_verify
void mbedtls_ssl_conf_verify(mbedtls_ssl_config *conf, int(*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy)
Set the verification callback (Optional).
MBEDTLS_ERR_SSL_EARLY_MESSAGE
#define MBEDTLS_ERR_SSL_EARLY_MESSAGE
Definition: ssl.h:149
mbedtls_ssl_list_ciphersuites
const int * mbedtls_ssl_list_ciphersuites(void)
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Definition: ssl_ciphersuites.h:184
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Definition: ssl_ciphersuites.h:185
MBEDTLS_CIPHERSUITE_SHORT_TAG
#define MBEDTLS_CIPHERSUITE_SHORT_TAG
Definition: ssl_ciphersuites.h:408
mbedtls_key_exchange_type_t
mbedtls_key_exchange_type_t
Definition: ssl_ciphersuites.h:317
MBEDTLS_KEY_EXCHANGE_PSK
@ MBEDTLS_KEY_EXCHANGE_PSK
Definition: ssl_ciphersuites.h:323
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
@ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA
Definition: ssl_ciphersuites.h:328
MBEDTLS_KEY_EXCHANGE_DHE_PSK
@ MBEDTLS_KEY_EXCHANGE_DHE_PSK
Definition: ssl_ciphersuites.h:324
MBEDTLS_KEY_EXCHANGE_DHE_RSA
@ MBEDTLS_KEY_EXCHANGE_DHE_RSA
Definition: ssl_ciphersuites.h:320
MBEDTLS_KEY_EXCHANGE_ECDH_RSA
@ MBEDTLS_KEY_EXCHANGE_ECDH_RSA
Definition: ssl_ciphersuites.h:327
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
@ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
Definition: ssl_ciphersuites.h:322
MBEDTLS_KEY_EXCHANGE_RSA
@ MBEDTLS_KEY_EXCHANGE_RSA
Definition: ssl_ciphersuites.h:319
MBEDTLS_KEY_EXCHANGE_ECJPAKE
@ MBEDTLS_KEY_EXCHANGE_ECJPAKE
Definition: ssl_ciphersuites.h:329
MBEDTLS_KEY_EXCHANGE_RSA_PSK
@ MBEDTLS_KEY_EXCHANGE_RSA_PSK
Definition: ssl_ciphersuites.h:325
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
@ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK
Definition: ssl_ciphersuites.h:326
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
@ MBEDTLS_KEY_EXCHANGE_ECDHE_RSA
Definition: ssl_ciphersuites.h:321
MBEDTLS_KEY_EXCHANGE_NONE
@ MBEDTLS_KEY_EXCHANGE_NONE
Definition: ssl_ciphersuites.h:318
ssl_internal.h
Internal functions shared by the SSL modules.
mbedtls_ssl_safer_memcmp
static int mbedtls_ssl_safer_memcmp(const void *a, const void *b, size_t n)
Definition: ssl_internal.h:826
mbedtls_ssl_sig_hash_set_const_hash
void mbedtls_ssl_sig_hash_set_const_hash(mbedtls_ssl_sig_hash_set_t *set, mbedtls_md_type_t md_alg)
mbedtls_ssl_pk_alg_from_sig
mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
mbedtls_ssl_parse_finished
int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl)
mbedtls_ssl_write_change_cipher_spec
int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl)
mbedtls_ssl_cf_memcpy_offset
void mbedtls_ssl_cf_memcpy_offset(unsigned char *dst, const unsigned char *src_base, size_t offset_secret, size_t offset_min, size_t offset_max, size_t len)
Copy data from a secret position with constant flow.
MBEDTLS_SSL_MAX_BUFFERED_HS
#define MBEDTLS_SSL_MAX_BUFFERED_HS
Definition: ssl_internal.h:216
mbedtls_ssl_handshake_free
void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
Free referenced items in an SSL handshake context and clear memory.
MBEDTLS_SSL_INITIAL_HANDSHAKE
#define MBEDTLS_SSL_INITIAL_HANDSHAKE
Definition: ssl_internal.h:135
MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS
Definition: ssl_internal.h:136
mbedtls_ssl_fetch_input
int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want)
MBEDTLS_SSL_RENEGOTIATION_PENDING
#define MBEDTLS_SSL_RENEGOTIATION_PENDING
Definition: ssl_internal.h:138
mbedtls_ssl_transform_free
void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform)
Free referenced items in an SSL transform context and clear memory.
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION
#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION
Definition: ssl_internal.h:106
MBEDTLS_SSL_MAX_MAJOR_VERSION
#define MBEDTLS_SSL_MAX_MAJOR_VERSION
Definition: ssl_internal.h:109
mbedtls_ssl_sig_from_pk_alg
unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type)
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION
#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION
Definition: ssl_internal.h:105
mbedtls_ssl_prepare_handshake_record
int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl)
mbedtls_ssl_md_alg_from_hash
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
mbedtls_ssl_sig_hash_set_find
mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find(mbedtls_ssl_sig_hash_set_t *set, mbedtls_pk_type_t sig_alg)
mbedtls_ssl_write_finished
int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_IN_BUFFER_LEN
#define MBEDTLS_SSL_IN_BUFFER_LEN
Definition: ssl_internal.h:265
mbedtls_ssl_handshake_server_step
int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_wrapup
void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl)
mbedtls_ssl_derive_keys
int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl)
mbedtls_ssl_write_version
void mbedtls_ssl_write_version(int major, int minor, int transport, unsigned char ver[2])
mbedtls_ssl_write_record
int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, uint8_t force_flush)
mbedtls_ssl_check_cert_usage
int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, const mbedtls_ssl_ciphersuite_t *ciphersuite, int cert_endpoint, uint32_t *flags)
MBEDTLS_SSL_MIN_MINOR_VERSION
#define MBEDTLS_SSL_MIN_MINOR_VERSION
Definition: ssl_internal.h:93
MBEDTLS_SSL_OUT_BUFFER_LEN
#define MBEDTLS_SSL_OUT_BUFFER_LEN
Definition: ssl_internal.h:268
MBEDTLS_SSL_RENEGOTIATION_DONE
#define MBEDTLS_SSL_RENEGOTIATION_DONE
Definition: ssl_internal.h:137
MBEDTLS_SSL_RETRANS_SENDING
#define MBEDTLS_SSL_RETRANS_SENDING
Definition: ssl_internal.h:149
MBEDTLS_SSL_RETRANS_PREPARING
#define MBEDTLS_SSL_RETRANS_PREPARING
Definition: ssl_internal.h:148
mbedtls_ssl_read_version
void mbedtls_ssl_read_version(int *major, int *minor, int transport, const unsigned char ver[2])
mbedtls_ssl_sig_hash_set_init
static void mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t *set)
Definition: ssl_internal.h:589
mbedtls_ssl_check_sig_hash
int mbedtls_ssl_check_sig_hash(const mbedtls_ssl_context *ssl, mbedtls_md_type_t md)
mbedtls_ssl_parse_certificate
int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl)
mbedtls_ssl_handshake_client_step
int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl)
mbedtls_ssl_write_handshake_msg
int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
mbedtls_ssl_optimize_checksum
void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, const mbedtls_ssl_ciphersuite_t *ciphersuite_info)
MBEDTLS_SSL_RETRANS_WAITING
#define MBEDTLS_SSL_RETRANS_WAITING
Definition: ssl_internal.h:150
mbedtls_ssl_hs_hdr_len
static size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
Definition: ssl_internal.h:801
MBEDTLS_SSL_MAX_MINOR_VERSION
#define MBEDTLS_SSL_MAX_MINOR_VERSION
Definition: ssl_internal.h:112
mbedtls_ssl_parse_change_cipher_spec
int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl)
mbedtls_ssl_sig_hash_set_add
void mbedtls_ssl_sig_hash_set_add(mbedtls_ssl_sig_hash_set_t *set, mbedtls_pk_type_t sig_alg, mbedtls_md_type_t md_alg)
mbedtls_ssl_own_cert
static mbedtls_x509_crt * mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
Definition: ssl_internal.h:758
mbedtls_ssl_handle_message_type
int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl)
mbedtls_ssl_hash_from_md_alg
unsigned char mbedtls_ssl_hash_from_md_alg(int md)
mbedtls_ssl_send_fatal_handshake_failure
int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl)
mbedtls_ssl_set_calc_verify_md
int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
mbedtls_ssl_read_record
int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl, unsigned update_hs_digest)
Update record layer.
mbedtls_ssl_cf_hmac
int mbedtls_ssl_cf_hmac(mbedtls_md_context_t *ctx, const unsigned char *add_data, size_t add_data_len, const unsigned char *data, size_t data_len_secret, size_t min_data_len, size_t max_data_len, unsigned char *output)
Compute the HMAC of variable-length data with constant flow.
mbedtls_ssl_get_key_exchange_md_tls1_2
int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hashlen, unsigned char *data, size_t data_len, mbedtls_md_type_t md_alg)
mbedtls_ssl_get_key_exchange_md_ssl_tls
int mbedtls_ssl_get_key_exchange_md_ssl_tls(mbedtls_ssl_context *ssl, unsigned char *output, unsigned char *data, size_t data_len)
mbedtls_ssl_reset_checksum
void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
mbedtls_ssl_write_certificate
int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl)
mbedtls_ssl_update_handshake_status
void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl)
MBEDTLS_TLS_EXT_ADV_CONTENT_LEN
#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN
Definition: ssl_internal.h:222
mbedtls_ssl_flush_output
int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_MAC_ADD
#define MBEDTLS_SSL_MAC_ADD
Definition: ssl_internal.h:186
MBEDTLS_SSL_RETRANS_FINISHED
#define MBEDTLS_SSL_RETRANS_FINISHED
Definition: ssl_internal.h:151
mbedtls_ssl_check_curve
int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id)
mbedtls_ssl_sig_from_pk
unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
mbedtls_ssl_hs_buffer
struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer
Definition: ssl_internal.h:506
mbedtls_ssl_hdr_len
static size_t mbedtls_ssl_hdr_len(const mbedtls_ssl_context *ssl)
Definition: ssl_internal.h:790
MBEDTLS_SSL_MIN_MAJOR_VERSION
#define MBEDTLS_SSL_MIN_MAJOR_VERSION
Definition: ssl_internal.h:87
_slot
Definition: vfat.h:185
cookie
Definition: cookie.c:34
define::next
struct define * next
Definition: compiler.c:65
endpoint
Definition: nis.h:10
hash
Definition: _hash_fun.h:40
key
Definition: copy.c:22
mbedtls_cipher_context_t::iv
unsigned char iv[MBEDTLS_MAX_IV_LENGTH]
Definition: cipher.h:338
mbedtls_cipher_info_t
Definition: cipher.h:268
mbedtls_cipher_info_t::key_bitlen
unsigned int key_bitlen
Definition: cipher.h:281
mbedtls_cipher_info_t::iv_size
unsigned int iv_size
Definition: cipher.h:290
mbedtls_cipher_info_t::mode
mbedtls_cipher_mode_t mode
Definition: cipher.h:275
mbedtls_cipher_info_t::block_size
unsigned int block_size
Definition: cipher.h:299
mbedtls_dhm_context
The DHM context structure.
Definition: dhm.h:128
mbedtls_dhm_context::K
mbedtls_mpi K
Definition: dhm.h:135
mbedtls_dhm_context::G
mbedtls_mpi G
Definition: dhm.h:131
mbedtls_dhm_context::P
mbedtls_mpi P
Definition: dhm.h:130
mbedtls_ecp_group::id
mbedtls_ecp_group_id id
Definition: ecp.h:234
mbedtls_ecp_keypair::grp
mbedtls_ecp_group grp
Definition: ecp.h:399
mbedtls_md5_context
MD5 context structure.
Definition: md5.h:85
mbedtls_md_context_t
Definition: md.h:111
mbedtls_md_context_t::md_info
const mbedtls_md_info_t * md_info
Definition: md.h:113
mbedtls_md_info_t
Definition: md_internal.h:73
mbedtls_pk_context
Public key container.
Definition: pk.h:156
mbedtls_sha1_context
The SHA-1 context structure.
Definition: sha1.h:89
mbedtls_sha256_context
The SHA-256 context structure.
Definition: sha256.h:84
mbedtls_sha512_context
The SHA-512 context structure.
Definition: sha512.h:83
mbedtls_ssl_ciphersuite_t
This structure is used for storing ciphersuite information.
Definition: ssl_ciphersuites.h:416
mbedtls_ssl_ciphersuite_t::key_exchange
mbedtls_key_exchange_type_t key_exchange
Definition: ssl_ciphersuites.h:422
mbedtls_ssl_ciphersuite_t::mac
mbedtls_md_type_t mac
Definition: ssl_ciphersuites.h:421
mbedtls_ssl_ciphersuite_t::flags
unsigned char flags
Definition: ssl_ciphersuites.h:429
mbedtls_ssl_config
Definition: ssl.h:857
mbedtls_ssl_config::f_sni
int(* f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t)
Definition: ssl.h:882
mbedtls_ssl_config::cbc_record_splitting
unsigned int cbc_record_splitting
Definition: ssl.h:1030
mbedtls_ssl_config::authmode
unsigned int authmode
Definition: ssl.h:1011
mbedtls_ssl_config::renego_max_records
int renego_max_records
Definition: ssl.h:987
mbedtls_ssl_config::max_major_ver
unsigned char max_major_ver
Definition: ssl.h:1000
mbedtls_ssl_config::ciphersuite_list
const int * ciphersuite_list[4]
Definition: ssl.h:864
mbedtls_ssl_config::p_sni
void * p_sni
Definition: ssl.h:883
mbedtls_ssl_config::session_tickets
unsigned int session_tickets
Definition: ssl.h:1039
mbedtls_ssl_config::p_rng
void * p_rng
Definition: ssl.h:872
mbedtls_ssl_config::trunc_hmac
unsigned int trunc_hmac
Definition: ssl.h:1036
mbedtls_ssl_config::f_set_cache
int(* f_set_cache)(void *, const mbedtls_ssl_session *)
Definition: ssl.h:877
mbedtls_ssl_config::ca_crl
mbedtls_x509_crl * ca_crl
Definition: ssl.h:928
mbedtls_ssl_config::curve_list
const mbedtls_ecp_group_id * curve_list
Definition: ssl.h:946
mbedtls_ssl_config::ca_chain
mbedtls_x509_crt * ca_chain
Definition: ssl.h:927
mbedtls_ssl_config::max_minor_ver
unsigned char max_minor_ver
Definition: ssl.h:1001
mbedtls_ssl_config::min_minor_ver
unsigned char min_minor_ver
Definition: ssl.h:1003
mbedtls_ssl_config::transport
unsigned int transport
Definition: ssl.h:1010
mbedtls_ssl_config::mfl_code
unsigned int mfl_code
Definition: ssl.h:1018
mbedtls_ssl_config::arc4_disabled
unsigned int arc4_disabled
Definition: ssl.h:1015
mbedtls_ssl_config::cert_profile
const mbedtls_x509_crt_profile * cert_profile
Definition: ssl.h:925
mbedtls_ssl_config::endpoint
unsigned int endpoint
Definition: ssl.h:1009
mbedtls_ssl_config::sig_hashes
const int * sig_hashes
Definition: ssl.h:942
mbedtls_ssl_config::read_timeout
uint32_t read_timeout
Definition: ssl.h:977
mbedtls_ssl_config::encrypt_then_mac
unsigned int encrypt_then_mac
Definition: ssl.h:1021
mbedtls_ssl_config::f_rng
int(* f_rng)(void *, unsigned char *, size_t)
Definition: ssl.h:871
mbedtls_ssl_config::f_get_cache
int(* f_get_cache)(void *, mbedtls_ssl_session *)
Definition: ssl.h:875
mbedtls_ssl_config::disable_renegotiation
unsigned int disable_renegotiation
Definition: ssl.h:1033
mbedtls_ssl_config::f_dbg
void(* f_dbg)(void *, int, const char *, int, const char *)
Definition: ssl.h:867
mbedtls_ssl_config::renego_period
unsigned char renego_period[8]
Definition: ssl.h:988
mbedtls_ssl_config::f_vrfy
int(* f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *)
Definition: ssl.h:888
mbedtls_ssl_config::dhm_min_bitlen
unsigned int dhm_min_bitlen
Definition: ssl.h:997
mbedtls_ssl_config::alpn_list
const char ** alpn_list
Definition: ssl.h:970
mbedtls_ssl_config::p_vrfy
void * p_vrfy
Definition: ssl.h:889
mbedtls_ssl_config::p_cache
void * p_cache
Definition: ssl.h:878
mbedtls_ssl_config::extended_ms
unsigned int extended_ms
Definition: ssl.h:1024
mbedtls_ssl_config::p_dbg
void * p_dbg
Definition: ssl.h:868
mbedtls_ssl_config::min_major_ver
unsigned char min_major_ver
Definition: ssl.h:1002
mbedtls_ssl_config::dhm_G
mbedtls_mpi dhm_G
Definition: ssl.h:951
mbedtls_ssl_config::dhm_P
mbedtls_mpi dhm_P
Definition: ssl.h:950
mbedtls_ssl_config::key_cert
mbedtls_ssl_key_cert * key_cert
Definition: ssl.h:926
mbedtls_ssl_config::allow_legacy_renegotiation
unsigned int allow_legacy_renegotiation
Definition: ssl.h:1013
mbedtls_ssl_context
Definition: ssl.h:1052
mbedtls_ssl_context::out_hdr
unsigned char * out_hdr
Definition: ssl.h:1150
mbedtls_ssl_context::verify_data_len
size_t verify_data_len
Definition: ssl.h:1204
mbedtls_ssl_context::transform_out
mbedtls_ssl_transform * transform_out
Definition: ssl.h:1095
mbedtls_ssl_context::split_done
signed char split_done
Definition: ssl.h:1169
mbedtls_ssl_context::major_ver
int major_ver
Definition: ssl.h:1066
mbedtls_ssl_context::session_in
mbedtls_ssl_session * session_in
Definition: ssl.h:1083
mbedtls_ssl_context::f_set_timer
mbedtls_ssl_set_timer_t * f_set_timer
Definition: ssl.h:1104
mbedtls_ssl_context::renego_status
int renego_status
Definition: ssl.h:1060
mbedtls_ssl_context::session
mbedtls_ssl_session * session
Definition: ssl.h:1085
mbedtls_ssl_context::state
int state
Definition: ssl.h:1058
mbedtls_ssl_context::hostname
char * hostname
Definition: ssl.h:1181
mbedtls_ssl_context::cur_out_ctr
unsigned char cur_out_ctr[8]
Definition: ssl.h:1159
mbedtls_ssl_context::out_len
unsigned char * out_len
Definition: ssl.h:1151
mbedtls_ssl_context::nb_zero
int nb_zero
Definition: ssl.h:1135
mbedtls_ssl_context::f_get_timer
mbedtls_ssl_get_timer_t * f_get_timer
Definition: ssl.h:1105
mbedtls_ssl_context::transform
mbedtls_ssl_transform * transform
Definition: ssl.h:1096
mbedtls_ssl_context::own_verify_data
char own_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]
Definition: ssl.h:1205
mbedtls_ssl_context::f_send
mbedtls_ssl_send_t * f_send
Definition: ssl.h:1073
mbedtls_ssl_context::out_msg
unsigned char * out_msg
Definition: ssl.h:1153
mbedtls_ssl_context::session_negotiate
mbedtls_ssl_session * session_negotiate
Definition: ssl.h:1086
mbedtls_ssl_context::peer_verify_data
char peer_verify_data[MBEDTLS_SSL_VERIFY_DATA_MAX_LEN]
Definition: ssl.h:1206
mbedtls_ssl_context::in_iv
unsigned char * in_iv
Definition: ssl.h:1116
mbedtls_ssl_context::out_buf
unsigned char * out_buf
Definition: ssl.h:1148
mbedtls_ssl_context::in_buf
unsigned char * in_buf
Definition: ssl.h:1110
mbedtls_ssl_context::out_msgtype
int out_msgtype
Definition: ssl.h:1155
mbedtls_ssl_context::alpn_chosen
const char * alpn_chosen
Definition: ssl.h:1186
mbedtls_ssl_context::out_left
size_t out_left
Definition: ssl.h:1157
mbedtls_ssl_context::in_hslen
size_t in_hslen
Definition: ssl.h:1133
mbedtls_ssl_context::session_out
mbedtls_ssl_session * session_out
Definition: ssl.h:1084
mbedtls_ssl_context::in_msg
unsigned char * in_msg
Definition: ssl.h:1117
mbedtls_ssl_context::out_msglen
size_t out_msglen
Definition: ssl.h:1156
mbedtls_ssl_context::in_msgtype
int in_msgtype
Definition: ssl.h:1120
mbedtls_ssl_context::f_recv
mbedtls_ssl_recv_t * f_recv
Definition: ssl.h:1074
mbedtls_ssl_context::renego_records_seen
int renego_records_seen
Definition: ssl.h:1061
mbedtls_ssl_context::out_ctr
unsigned char * out_ctr
Definition: ssl.h:1149
mbedtls_ssl_context::client_auth
int client_auth
Definition: ssl.h:1175
mbedtls_ssl_context::out_iv
unsigned char * out_iv
Definition: ssl.h:1152
mbedtls_ssl_context::in_ctr
unsigned char * in_ctr
Definition: ssl.h:1111
mbedtls_ssl_context::f_recv_timeout
mbedtls_ssl_recv_timeout_t * f_recv_timeout
Definition: ssl.h:1075
mbedtls_ssl_context::in_hdr
unsigned char * in_hdr
Definition: ssl.h:1114
mbedtls_ssl_context::minor_ver
int minor_ver
Definition: ssl.h:1067
mbedtls_ssl_context::transform_in
mbedtls_ssl_transform * transform_in
Definition: ssl.h:1094
mbedtls_ssl_context::handshake
mbedtls_ssl_handshake_params * handshake
Definition: ssl.h:1088
mbedtls_ssl_context::secure_renegotiation
int secure_renegotiation
Definition: ssl.h:1201
mbedtls_ssl_context::transform_negotiate
mbedtls_ssl_transform * transform_negotiate
Definition: ssl.h:1097
mbedtls_ssl_context::in_msglen
size_t in_msglen
Definition: ssl.h:1121
mbedtls_ssl_context::p_timer
void * p_timer
Definition: ssl.h:1102
mbedtls_ssl_context::in_left
size_t in_left
Definition: ssl.h:1122
mbedtls_ssl_context::p_bio
void * p_bio
Definition: ssl.h:1078
mbedtls_ssl_context::in_offt
unsigned char * in_offt
Definition: ssl.h:1118
mbedtls_ssl_context::in_len
unsigned char * in_len
Definition: ssl.h:1115
mbedtls_ssl_context::conf
const mbedtls_ssl_config * conf
Definition: ssl.h:1053
mbedtls_ssl_context::keep_current_message
int keep_current_message
Definition: ssl.h:1137
mbedtls_ssl_handshake_params
Definition: ssl_internal.h:349
mbedtls_ssl_handshake_params::update_checksum
void(* update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t)
Definition: ssl_internal.h:467
mbedtls_ssl_handshake_params::fin_sha256
mbedtls_sha256_context fin_sha256
Definition: ssl_internal.h:460
mbedtls_ssl_handshake_params::premaster
unsigned char premaster[MBEDTLS_PREMASTER_SIZE]
Definition: ssl_internal.h:477
mbedtls_ssl_handshake_params::resume
int resume
Definition: ssl_internal.h:480
mbedtls_ssl_handshake_params::sni_ca_chain
mbedtls_x509_crt * sni_ca_chain
Definition: ssl_internal.h:384
mbedtls_ssl_handshake_params::curves
const mbedtls_ecp_curve_info ** curves
Definition: ssl_internal.h:373
mbedtls_ssl_handshake_params::calc_finished
void(* calc_finished)(mbedtls_ssl_context *, unsigned char *, int)
Definition: ssl_internal.h:469
mbedtls_ssl_handshake_params::randbytes
unsigned char randbytes[64]
Definition: ssl_internal.h:476
mbedtls_ssl_handshake_params::tls_prf
int(* tls_prf)(const unsigned char *, size_t, const char *, const unsigned char *, size_t, unsigned char *, size_t)
Definition: ssl_internal.h:470
mbedtls_ssl_handshake_params::hash_algs
mbedtls_ssl_sig_hash_set_t hash_algs
Definition: ssl_internal.h:356
mbedtls_ssl_handshake_params::fin_sha512
mbedtls_sha512_context fin_sha512
Definition: ssl_internal.h:463
mbedtls_ssl_handshake_params::dhm_ctx
mbedtls_dhm_context dhm_ctx
Definition: ssl_internal.h:359
mbedtls_ssl_handshake_params::sni_key_cert
mbedtls_ssl_key_cert * sni_key_cert
Definition: ssl_internal.h:383
mbedtls_ssl_handshake_params::ecdh_ctx
mbedtls_ecdh_context ecdh_ctx
Definition: ssl_internal.h:362
mbedtls_ssl_handshake_params::fin_sha1
mbedtls_sha1_context fin_sha1
Definition: ssl_internal.h:456
mbedtls_ssl_handshake_params::extended_ms
int extended_ms
Definition: ssl_internal.h:489
mbedtls_ssl_handshake_params::sni_authmode
int sni_authmode
Definition: ssl_internal.h:382
mbedtls_ssl_handshake_params::sni_ca_crl
mbedtls_x509_crl * sni_ca_crl
Definition: ssl_internal.h:385
mbedtls_ssl_handshake_params::fin_md5
mbedtls_md5_context fin_md5
Definition: ssl_internal.h:455
mbedtls_ssl_handshake_params::calc_verify
void(* calc_verify)(mbedtls_ssl_context *, unsigned char *)
Definition: ssl_internal.h:468
mbedtls_ssl_handshake_params::pmslen
size_t pmslen
Definition: ssl_internal.h:474
mbedtls_ssl_key_cert
Definition: ssl_internal.h:554
mbedtls_ssl_key_cert::key
mbedtls_pk_context * key
Definition: ssl_internal.h:556
mbedtls_ssl_key_cert::cert
mbedtls_x509_crt * cert
Definition: ssl_internal.h:555
mbedtls_ssl_key_cert::next
mbedtls_ssl_key_cert * next
Definition: ssl_internal.h:557
mbedtls_ssl_session
Definition: ssl.h:819
mbedtls_ssl_session::peer_cert
mbedtls_x509_crt * peer_cert
Definition: ssl.h:830
mbedtls_ssl_session::compression
int compression
Definition: ssl.h:824
mbedtls_ssl_session::verify_result
uint32_t verify_result
Definition: ssl.h:832
mbedtls_ssl_session::mfl_code
unsigned char mfl_code
Definition: ssl.h:841
mbedtls_ssl_session::encrypt_then_mac
int encrypt_then_mac
Definition: ssl.h:849
mbedtls_ssl_session::id_len
size_t id_len
Definition: ssl.h:825
mbedtls_ssl_session::ciphersuite
int ciphersuite
Definition: ssl.h:823
mbedtls_ssl_session::master
unsigned char master[48]
Definition: ssl.h:827
mbedtls_ssl_sig_hash_set_t
Definition: ssl_internal.h:333
mbedtls_ssl_transform
Definition: ssl_internal.h:513
mbedtls_ssl_transform::md_ctx_enc
mbedtls_md_context_t md_ctx_enc
Definition: ssl_internal.h:534
mbedtls_ssl_transform::maclen
size_t maclen
Definition: ssl_internal.h:523
mbedtls_ssl_transform::cipher_ctx_enc
mbedtls_cipher_context_t cipher_ctx_enc
Definition: ssl_internal.h:537
mbedtls_ssl_transform::iv_enc
unsigned char iv_enc[16]
Definition: ssl_internal.h:525
mbedtls_ssl_transform::ciphersuite_info
const mbedtls_ssl_ciphersuite_t * ciphersuite_info
Definition: ssl_internal.h:517
mbedtls_ssl_transform::cipher_ctx_dec
mbedtls_cipher_context_t cipher_ctx_dec
Definition: ssl_internal.h:538
mbedtls_ssl_transform::md_ctx_dec
mbedtls_md_context_t md_ctx_dec
Definition: ssl_internal.h:535
mbedtls_ssl_transform::minlen
size_t minlen
Definition: ssl_internal.h:520
mbedtls_ssl_transform::ivlen
size_t ivlen
Definition: ssl_internal.h:521
mbedtls_ssl_transform::iv_dec
unsigned char iv_dec[16]
Definition: ssl_internal.h:526
mbedtls_x509_crl
Definition: x509_crl.h:96
mbedtls_x509_crt_profile
Definition: x509_crt.h:134
mbedtls_x509_crt
Definition: x509_crt.h:79
message
Definition: tftpd.h:60
timeout
Definition: dhcpd.h:245
max
#define max(a, b)
Definition: svc.c:63
slot
struct _slot slot
Definition: vfat.h:196
ret
int ret
Definition: wcstombs-tests.c:31