1 /*
2  *  Generic SSL/TLS messaging layer functions
3  *  (record layer + retransmission state machine)
4  *
5  *  Copyright The Mbed TLS Contributors
6  *  SPDX-License-Identifier: Apache-2.0
7  *
8  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
9  *  not use this file except in compliance with the License.
10  *  You may obtain a copy of the License at
11  *
12  *  http://www.apache.org/licenses/LICENSE-2.0
13  *
14  *  Unless required by applicable law or agreed to in writing, software
15  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
16  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
17  *  See the License for the specific language governing permissions and
18  *  limitations under the License.
19  */
20 /*
21  *  http://www.ietf.org/rfc/rfc2246.txt
22  *  http://www.ietf.org/rfc/rfc4346.txt
23  */
24 
25 #include "common.h"
26 
27 #if defined(MBEDTLS_SSL_TLS_C)
28 
29 #if defined(MBEDTLS_PLATFORM_C)
30 #include "mbedtls/platform.h"
31 #else
32 #include <stdlib.h>
33 #define mbedtls_calloc    calloc
34 #define mbedtls_free      free
35 #endif
36 
37 #include "mbedtls/ssl.h"
38 #include "ssl_misc.h"
39 #include "mbedtls/debug.h"
40 #include "mbedtls/error.h"
41 #include "mbedtls/platform_util.h"
42 #include "mbedtls/version.h"
43 
44 #include "ssl_invasive.h"
45 
46 #include <string.h>
47 
48 #if defined(MBEDTLS_USE_PSA_CRYPTO)
49 #include "mbedtls/psa_util.h"
50 #include "psa/crypto.h"
51 #endif
52 
53 #if defined(MBEDTLS_X509_CRT_PARSE_C)
54 #include "mbedtls/oid.h"
55 #endif
56 
57 static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl );
58 
59 /*
60  * Start a timer.
61  * Passing millisecs = 0 cancels a running timer.
62  */
mbedtls_ssl_set_timer(mbedtls_ssl_context * ssl,uint32_t millisecs)63 void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs )
64 {
65     if( ssl->f_set_timer == NULL )
66         return;
67 
68     MBEDTLS_SSL_DEBUG_MSG( 3, ( "set_timer to %d ms", (int) millisecs ) );
69     ssl->f_set_timer( ssl->p_timer, millisecs / 4, millisecs );
70 }
71 
72 /*
73  * Return -1 is timer is expired, 0 if it isn't.
74  */
mbedtls_ssl_check_timer(mbedtls_ssl_context * ssl)75 int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl )
76 {
77     if( ssl->f_get_timer == NULL )
78         return( 0 );
79 
80     if( ssl->f_get_timer( ssl->p_timer ) == 2 )
81     {
82         MBEDTLS_SSL_DEBUG_MSG( 3, ( "timer expired" ) );
83         return( -1 );
84     }
85 
86     return( 0 );
87 }
88 
89 static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
90                                     unsigned char *buf,
91                                     size_t len,
92                                     mbedtls_record *rec );
93 
mbedtls_ssl_check_record(mbedtls_ssl_context const * ssl,unsigned char * buf,size_t buflen)94 int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
95                               unsigned char *buf,
96                               size_t buflen )
97 {
98     int ret = 0;
99     MBEDTLS_SSL_DEBUG_MSG( 1, ( "=> mbedtls_ssl_check_record" ) );
100     MBEDTLS_SSL_DEBUG_BUF( 3, "record buffer", buf, buflen );
101 
102     /* We don't support record checking in TLS because
103      * there doesn't seem to be a usecase for it.
104      */
105     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM )
106     {
107         ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
108         goto exit;
109     }
110 #if defined(MBEDTLS_SSL_PROTO_DTLS)
111     else
112     {
113         mbedtls_record rec;
114 
115         ret = ssl_parse_record_header( ssl, buf, buflen, &rec );
116         if( ret != 0 )
117         {
118             MBEDTLS_SSL_DEBUG_RET( 3, "ssl_parse_record_header", ret );
119             goto exit;
120         }
121 
122         if( ssl->transform_in != NULL )
123         {
124             ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in, &rec );
125             if( ret != 0 )
126             {
127                 MBEDTLS_SSL_DEBUG_RET( 3, "mbedtls_ssl_decrypt_buf", ret );
128                 goto exit;
129             }
130         }
131     }
132 #endif /* MBEDTLS_SSL_PROTO_DTLS */
133 
134 exit:
135     /* On success, we have decrypted the buffer in-place, so make
136      * sure we don't leak any plaintext data. */
137     mbedtls_platform_zeroize( buf, buflen );
138 
139     /* For the purpose of this API, treat messages with unexpected CID
140      * as well as such from future epochs as unexpected. */
141     if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID ||
142         ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
143     {
144         ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
145     }
146 
147     MBEDTLS_SSL_DEBUG_MSG( 1, ( "<= mbedtls_ssl_check_record" ) );
148     return( ret );
149 }
150 
151 #define SSL_DONT_FORCE_FLUSH 0
152 #define SSL_FORCE_FLUSH      1
153 
154 #if defined(MBEDTLS_SSL_PROTO_DTLS)
155 
156 /* Forward declarations for functions related to message buffering. */
157 static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
158                                      uint8_t slot );
159 static void ssl_free_buffered_record( mbedtls_ssl_context *ssl );
160 static int ssl_load_buffered_message( mbedtls_ssl_context *ssl );
161 static int ssl_load_buffered_record( mbedtls_ssl_context *ssl );
162 static int ssl_buffer_message( mbedtls_ssl_context *ssl );
163 static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
164                                      mbedtls_record const *rec );
165 static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl );
166 
ssl_get_maximum_datagram_size(mbedtls_ssl_context const * ssl)167 static size_t ssl_get_maximum_datagram_size( mbedtls_ssl_context const *ssl )
168 {
169     size_t mtu = mbedtls_ssl_get_current_mtu( ssl );
170 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
171     size_t out_buf_len = ssl->out_buf_len;
172 #else
173     size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
174 #endif
175 
176     if( mtu != 0 && mtu < out_buf_len )
177         return( mtu );
178 
179     return( out_buf_len );
180 }
181 
ssl_get_remaining_space_in_datagram(mbedtls_ssl_context const * ssl)182 static int ssl_get_remaining_space_in_datagram( mbedtls_ssl_context const *ssl )
183 {
184     size_t const bytes_written = ssl->out_left;
185     size_t const mtu           = ssl_get_maximum_datagram_size( ssl );
186 
187     /* Double-check that the write-index hasn't gone
188      * past what we can transmit in a single datagram. */
189     if( bytes_written > mtu )
190     {
191         /* Should never happen... */
192         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
193     }
194 
195     return( (int) ( mtu - bytes_written ) );
196 }
197 
ssl_get_remaining_payload_in_datagram(mbedtls_ssl_context const * ssl)198 static int ssl_get_remaining_payload_in_datagram( mbedtls_ssl_context const *ssl )
199 {
200     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
201     size_t remaining, expansion;
202     size_t max_len = MBEDTLS_SSL_OUT_CONTENT_LEN;
203 
204 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
205     const size_t mfl = mbedtls_ssl_get_output_max_frag_len( ssl );
206 
207     if( max_len > mfl )
208         max_len = mfl;
209 
210     /* By the standard (RFC 6066 Sect. 4), the MFL extension
211      * only limits the maximum record payload size, so in theory
212      * we would be allowed to pack multiple records of payload size
213      * MFL into a single datagram. However, this would mean that there's
214      * no way to explicitly communicate MTU restrictions to the peer.
215      *
216      * The following reduction of max_len makes sure that we never
217      * write datagrams larger than MFL + Record Expansion Overhead.
218      */
219     if( max_len <= ssl->out_left )
220         return( 0 );
221 
222     max_len -= ssl->out_left;
223 #endif
224 
225     ret = ssl_get_remaining_space_in_datagram( ssl );
226     if( ret < 0 )
227         return( ret );
228     remaining = (size_t) ret;
229 
230     ret = mbedtls_ssl_get_record_expansion( ssl );
231     if( ret < 0 )
232         return( ret );
233     expansion = (size_t) ret;
234 
235     if( remaining <= expansion )
236         return( 0 );
237 
238     remaining -= expansion;
239     if( remaining >= max_len )
240         remaining = max_len;
241 
242     return( (int) remaining );
243 }
244 
245 /*
246  * Double the retransmit timeout value, within the allowed range,
247  * returning -1 if the maximum value has already been reached.
248  */
ssl_double_retransmit_timeout(mbedtls_ssl_context * ssl)249 static int ssl_double_retransmit_timeout( mbedtls_ssl_context *ssl )
250 {
251     uint32_t new_timeout;
252 
253     if( ssl->handshake->retransmit_timeout >= ssl->conf->hs_timeout_max )
254         return( -1 );
255 
256     /* Implement the final paragraph of RFC 6347 section 4.1.1.1
257      * in the following way: after the initial transmission and a first
258      * retransmission, back off to a temporary estimated MTU of 508 bytes.
259      * This value is guaranteed to be deliverable (if not guaranteed to be
260      * delivered) of any compliant IPv4 (and IPv6) network, and should work
261      * on most non-IP stacks too. */
262     if( ssl->handshake->retransmit_timeout != ssl->conf->hs_timeout_min )
263     {
264         ssl->handshake->mtu = 508;
265         MBEDTLS_SSL_DEBUG_MSG( 2, ( "mtu autoreduction to %d bytes", ssl->handshake->mtu ) );
266     }
267 
268     new_timeout = 2 * ssl->handshake->retransmit_timeout;
269 
270     /* Avoid arithmetic overflow and range overflow */
271     if( new_timeout < ssl->handshake->retransmit_timeout ||
272         new_timeout > ssl->conf->hs_timeout_max )
273     {
274         new_timeout = ssl->conf->hs_timeout_max;
275     }
276 
277     ssl->handshake->retransmit_timeout = new_timeout;
278     MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs",
279                         (unsigned long) ssl->handshake->retransmit_timeout ) );
280 
281     return( 0 );
282 }
283 
ssl_reset_retransmit_timeout(mbedtls_ssl_context * ssl)284 static void ssl_reset_retransmit_timeout( mbedtls_ssl_context *ssl )
285 {
286     ssl->handshake->retransmit_timeout = ssl->conf->hs_timeout_min;
287     MBEDTLS_SSL_DEBUG_MSG( 3, ( "update timeout value to %lu millisecs",
288                         (unsigned long) ssl->handshake->retransmit_timeout ) );
289 }
290 #endif /* MBEDTLS_SSL_PROTO_DTLS */
291 
292 /*
293  * Encryption/decryption functions
294  */
295 
296 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ||  \
297     defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
298 
ssl_compute_padding_length(size_t len,size_t granularity)299 static size_t ssl_compute_padding_length( size_t len,
300                                           size_t granularity )
301 {
302     return( ( granularity - ( len + 1 ) % granularity ) % granularity );
303 }
304 
305 /* This functions transforms a (D)TLS plaintext fragment and a record content
306  * type into an instance of the (D)TLSInnerPlaintext structure. This is used
307  * in DTLS 1.2 + CID and within TLS 1.3 to allow flexible padding and to protect
308  * a record's content type.
309  *
310  *        struct {
311  *            opaque content[DTLSPlaintext.length];
312  *            ContentType real_type;
313  *            uint8 zeros[length_of_padding];
314  *        } (D)TLSInnerPlaintext;
315  *
316  *  Input:
317  *  - `content`: The beginning of the buffer holding the
318  *               plaintext to be wrapped.
319  *  - `*content_size`: The length of the plaintext in Bytes.
320  *  - `max_len`: The number of Bytes available starting from
321  *               `content`. This must be `>= *content_size`.
322  *  - `rec_type`: The desired record content type.
323  *
324  *  Output:
325  *  - `content`: The beginning of the resulting (D)TLSInnerPlaintext structure.
326  *  - `*content_size`: The length of the resulting (D)TLSInnerPlaintext structure.
327  *
328  *  Returns:
329  *  - `0` on success.
330  *  - A negative error code if `max_len` didn't offer enough space
331  *    for the expansion.
332  */
ssl_build_inner_plaintext(unsigned char * content,size_t * content_size,size_t remaining,uint8_t rec_type,size_t pad)333 static int ssl_build_inner_plaintext( unsigned char *content,
334                                       size_t *content_size,
335                                       size_t remaining,
336                                       uint8_t rec_type,
337                                       size_t pad )
338 {
339     size_t len = *content_size;
340 
341     /* Write real content type */
342     if( remaining == 0 )
343         return( -1 );
344     content[ len ] = rec_type;
345     len++;
346     remaining--;
347 
348     if( remaining < pad )
349         return( -1 );
350     memset( content + len, 0, pad );
351     len += pad;
352     remaining -= pad;
353 
354     *content_size = len;
355     return( 0 );
356 }
357 
358 /* This function parses a (D)TLSInnerPlaintext structure.
359  * See ssl_build_inner_plaintext() for details. */
ssl_parse_inner_plaintext(unsigned char const * content,size_t * content_size,uint8_t * rec_type)360 static int ssl_parse_inner_plaintext( unsigned char const *content,
361                                           size_t *content_size,
362                                           uint8_t *rec_type )
363 {
364     size_t remaining = *content_size;
365 
366     /* Determine length of padding by skipping zeroes from the back. */
367     do
368     {
369         if( remaining == 0 )
370             return( -1 );
371         remaining--;
372     } while( content[ remaining ] == 0 );
373 
374     *content_size = remaining;
375     *rec_type = content[ remaining ];
376 
377     return( 0 );
378 }
379 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID ||
380           MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
381 
382 /* `add_data` must have size 13 Bytes if the CID extension is disabled,
383  * and 13 + 1 + CID-length Bytes if the CID extension is enabled. */
ssl_extract_add_data_from_record(unsigned char * add_data,size_t * add_data_len,mbedtls_record * rec,unsigned minor_ver,size_t taglen)384 static void ssl_extract_add_data_from_record( unsigned char* add_data,
385                                               size_t *add_data_len,
386                                               mbedtls_record *rec,
387                                               unsigned minor_ver,
388                                               size_t taglen )
389 {
390     /* Quoting RFC 5246 (TLS 1.2):
391      *
392      *    additional_data = seq_num + TLSCompressed.type +
393      *                      TLSCompressed.version + TLSCompressed.length;
394      *
395      * For the CID extension, this is extended as follows
396      * (quoting draft-ietf-tls-dtls-connection-id-05,
397      *  https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05):
398      *
399      *       additional_data = seq_num + DTLSPlaintext.type +
400      *                         DTLSPlaintext.version +
401      *                         cid +
402      *                         cid_length +
403      *                         length_of_DTLSInnerPlaintext;
404      *
405      * For TLS 1.3, the record sequence number is dropped from the AAD
406      * and encoded within the nonce of the AEAD operation instead.
407      * Moreover, the additional data involves the length of the TLS
408      * ciphertext, not the TLS plaintext as in earlier versions.
409      * Quoting RFC 8446 (TLS 1.3):
410      *
411      *      additional_data = TLSCiphertext.opaque_type ||
412      *                        TLSCiphertext.legacy_record_version ||
413      *                        TLSCiphertext.length
414      *
415      * We pass the tag length to this function in order to compute the
416      * ciphertext length from the inner plaintext length rec->data_len via
417      *
418      *     TLSCiphertext.length = TLSInnerPlaintext.length + taglen.
419      *
420      */
421 
422     unsigned char *cur = add_data;
423     size_t ad_len_field = rec->data_len;
424 
425 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
426     if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
427     {
428         /* In TLS 1.3, the AAD contains the length of the TLSCiphertext,
429          * which differs from the length of the TLSInnerPlaintext
430          * by the length of the authentication tag. */
431         ad_len_field += taglen;
432     }
433     else
434 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
435     {
436         ((void) minor_ver);
437         ((void) taglen);
438         memcpy( cur, rec->ctr, sizeof( rec->ctr ) );
439         cur += sizeof( rec->ctr );
440     }
441 
442     *cur = rec->type;
443     cur++;
444 
445     memcpy( cur, rec->ver, sizeof( rec->ver ) );
446     cur += sizeof( rec->ver );
447 
448 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
449     if( rec->cid_len != 0 )
450     {
451         memcpy( cur, rec->cid, rec->cid_len );
452         cur += rec->cid_len;
453 
454         *cur = rec->cid_len;
455         cur++;
456 
457         MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 );
458         cur += 2;
459     }
460     else
461 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
462     {
463         MBEDTLS_PUT_UINT16_BE( ad_len_field, cur, 0 );
464         cur += 2;
465     }
466 
467     *add_data_len = cur - add_data;
468 }
469 
470 #if defined(MBEDTLS_GCM_C) || \
471     defined(MBEDTLS_CCM_C) || \
472     defined(MBEDTLS_CHACHAPOLY_C)
ssl_transform_aead_dynamic_iv_is_explicit(mbedtls_ssl_transform const * transform)473 static int ssl_transform_aead_dynamic_iv_is_explicit(
474                                 mbedtls_ssl_transform const *transform )
475 {
476     return( transform->ivlen != transform->fixed_ivlen );
477 }
478 
479 /* Compute IV := ( fixed_iv || 0 ) XOR ( 0 || dynamic_IV )
480  *
481  * Concretely, this occurs in two variants:
482  *
483  * a) Fixed and dynamic IV lengths add up to total IV length, giving
484  *       IV = fixed_iv || dynamic_iv
485  *
486  *    This variant is used in TLS 1.2 when used with GCM or CCM.
487  *
488  * b) Fixed IV lengths matches total IV length, giving
489  *       IV = fixed_iv XOR ( 0 || dynamic_iv )
490  *
491  *    This variant occurs in TLS 1.3 and for TLS 1.2 when using ChaChaPoly.
492  *
493  * See also the documentation of mbedtls_ssl_transform.
494  *
495  * This function has the precondition that
496  *
497  *     dst_iv_len >= max( fixed_iv_len, dynamic_iv_len )
498  *
499  * which has to be ensured by the caller. If this precondition
500  * violated, the behavior of this function is undefined.
501  */
ssl_build_record_nonce(unsigned char * dst_iv,size_t dst_iv_len,unsigned char const * fixed_iv,size_t fixed_iv_len,unsigned char const * dynamic_iv,size_t dynamic_iv_len)502 static void ssl_build_record_nonce( unsigned char *dst_iv,
503                                     size_t dst_iv_len,
504                                     unsigned char const *fixed_iv,
505                                     size_t fixed_iv_len,
506                                     unsigned char const *dynamic_iv,
507                                     size_t dynamic_iv_len )
508 {
509     size_t i;
510 
511     /* Start with Fixed IV || 0 */
512     memset( dst_iv, 0, dst_iv_len );
513     memcpy( dst_iv, fixed_iv, fixed_iv_len );
514 
515     dst_iv += dst_iv_len - dynamic_iv_len;
516     for( i = 0; i < dynamic_iv_len; i++ )
517         dst_iv[i] ^= dynamic_iv[i];
518 }
519 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
520 
mbedtls_ssl_encrypt_buf(mbedtls_ssl_context * ssl,mbedtls_ssl_transform * transform,mbedtls_record * rec,int (* f_rng)(void *,unsigned char *,size_t),void * p_rng)521 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
522                              mbedtls_ssl_transform *transform,
523                              mbedtls_record *rec,
524                              int (*f_rng)(void *, unsigned char *, size_t),
525                              void *p_rng )
526 {
527     mbedtls_cipher_mode_t mode;
528     int auth_done = 0;
529     unsigned char * data;
530     unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_OUT_LEN_MAX ];
531     size_t add_data_len;
532     size_t post_avail;
533 
534     /* The SSL context is only used for debugging purposes! */
535 #if !defined(MBEDTLS_DEBUG_C)
536     ssl = NULL; /* make sure we don't use it except for debug */
537     ((void) ssl);
538 #endif
539 
540     /* The PRNG is used for dynamic IV generation that's used
541      * for CBC transformations in TLS 1.2. */
542 #if !( defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
543        defined(MBEDTLS_SSL_PROTO_TLS1_2) )
544     ((void) f_rng);
545     ((void) p_rng);
546 #endif
547 
548     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> encrypt buf" ) );
549 
550     if( transform == NULL )
551     {
552         MBEDTLS_SSL_DEBUG_MSG( 1, ( "no transform provided to encrypt_buf" ) );
553         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
554     }
555     if( rec == NULL
556         || rec->buf == NULL
557         || rec->buf_len < rec->data_offset
558         || rec->buf_len - rec->data_offset < rec->data_len
559 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
560         || rec->cid_len != 0
561 #endif
562         )
563     {
564         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to encrypt_buf" ) );
565         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
566     }
567 
568     data = rec->buf + rec->data_offset;
569     post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
570     MBEDTLS_SSL_DEBUG_BUF( 4, "before encrypt: output payload",
571                            data, rec->data_len );
572 
573     mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc );
574 
575     if( rec->data_len > MBEDTLS_SSL_OUT_CONTENT_LEN )
576     {
577         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record content %" MBEDTLS_PRINTF_SIZET
578                                     " too large, maximum %" MBEDTLS_PRINTF_SIZET,
579                                     rec->data_len,
580                                     (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
581         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
582     }
583 
584     /* The following two code paths implement the (D)TLSInnerPlaintext
585      * structure present in TLS 1.3 and DTLS 1.2 + CID.
586      *
587      * See ssl_build_inner_plaintext() for more information.
588      *
589      * Note that this changes `rec->data_len`, and hence
590      * `post_avail` needs to be recalculated afterwards.
591      *
592      * Note also that the two code paths cannot occur simultaneously
593      * since they apply to different versions of the protocol. There
594      * is hence no risk of double-addition of the inner plaintext.
595      */
596 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
597     if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
598     {
599         size_t padding =
600             ssl_compute_padding_length( rec->data_len,
601                                         MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY );
602         if( ssl_build_inner_plaintext( data,
603                                        &rec->data_len,
604                                        post_avail,
605                                        rec->type,
606                                        padding ) != 0 )
607         {
608             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
609         }
610 
611         rec->type = MBEDTLS_SSL_MSG_APPLICATION_DATA;
612     }
613 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
614 
615 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
616     /*
617      * Add CID information
618      */
619     rec->cid_len = transform->out_cid_len;
620     memcpy( rec->cid, transform->out_cid, transform->out_cid_len );
621     MBEDTLS_SSL_DEBUG_BUF( 3, "CID", rec->cid, rec->cid_len );
622 
623     if( rec->cid_len != 0 )
624     {
625         size_t padding =
626             ssl_compute_padding_length( rec->data_len,
627                                         MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY );
628         /*
629          * Wrap plaintext into DTLSInnerPlaintext structure.
630          * See ssl_build_inner_plaintext() for more information.
631          *
632          * Note that this changes `rec->data_len`, and hence
633          * `post_avail` needs to be recalculated afterwards.
634          */
635         if( ssl_build_inner_plaintext( data,
636                         &rec->data_len,
637                         post_avail,
638                         rec->type,
639                         padding ) != 0 )
640         {
641             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
642         }
643 
644         rec->type = MBEDTLS_SSL_MSG_CID;
645     }
646 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
647 
648     post_avail = rec->buf_len - ( rec->data_len + rec->data_offset );
649 
650     /*
651      * Add MAC before if needed
652      */
653 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
654     if( mode == MBEDTLS_MODE_STREAM ||
655         ( mode == MBEDTLS_MODE_CBC
656 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
657           && transform->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED
658 #endif
659         ) )
660     {
661         if( post_avail < transform->maclen )
662         {
663             MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
664             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
665         }
666 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
667         unsigned char mac[MBEDTLS_SSL_MAC_ADD];
668 
669         ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
670                                           transform->minor_ver,
671                                           transform->taglen );
672 
673         mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
674                                 add_data_len );
675         mbedtls_md_hmac_update( &transform->md_ctx_enc, data, rec->data_len );
676         mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
677         mbedtls_md_hmac_reset( &transform->md_ctx_enc );
678 
679         memcpy( data + rec->data_len, mac, transform->maclen );
680 #endif
681 
682         MBEDTLS_SSL_DEBUG_BUF( 4, "computed mac", data + rec->data_len,
683                                transform->maclen );
684 
685         rec->data_len += transform->maclen;
686         post_avail -= transform->maclen;
687         auth_done++;
688     }
689 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
690 
691     /*
692      * Encrypt
693      */
694 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
695     if( mode == MBEDTLS_MODE_STREAM )
696     {
697         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
698         size_t olen;
699         MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
700                                     "including %d bytes of padding",
701                                     rec->data_len, 0 ) );
702 
703         if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
704                                    transform->iv_enc, transform->ivlen,
705                                    data, rec->data_len,
706                                    data, &olen ) ) != 0 )
707         {
708             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
709             return( ret );
710         }
711 
712         if( rec->data_len != olen )
713         {
714             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
715             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
716         }
717     }
718     else
719 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */
720 
721 #if defined(MBEDTLS_GCM_C) || \
722     defined(MBEDTLS_CCM_C) || \
723     defined(MBEDTLS_CHACHAPOLY_C)
724     if( mode == MBEDTLS_MODE_GCM ||
725         mode == MBEDTLS_MODE_CCM ||
726         mode == MBEDTLS_MODE_CHACHAPOLY )
727     {
728         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
729         unsigned char iv[12];
730         unsigned char *dynamic_iv;
731         size_t dynamic_iv_len;
732         int dynamic_iv_is_explicit =
733             ssl_transform_aead_dynamic_iv_is_explicit( transform );
734 
735         /* Check that there's space for the authentication tag. */
736         if( post_avail < transform->taglen )
737         {
738             MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
739             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
740         }
741 
742         /*
743          * Build nonce for AEAD encryption.
744          *
745          * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
746          *       part of the IV is prepended to the ciphertext and
747          *       can be chosen freely - in particular, it need not
748          *       agree with the record sequence number.
749          *       However, since ChaChaPoly as well as all AEAD modes
750          *       in TLS 1.3 use the record sequence number as the
751          *       dynamic part of the nonce, we uniformly use the
752          *       record sequence number here in all cases.
753          */
754         dynamic_iv     = rec->ctr;
755         dynamic_iv_len = sizeof( rec->ctr );
756 
757         ssl_build_record_nonce( iv, sizeof( iv ),
758                                 transform->iv_enc,
759                                 transform->fixed_ivlen,
760                                 dynamic_iv,
761                                 dynamic_iv_len );
762 
763         /*
764          * Build additional data for AEAD encryption.
765          * This depends on the TLS version.
766          */
767         ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
768                                           transform->minor_ver,
769                                           transform->taglen );
770 
771         MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (internal)",
772                                iv, transform->ivlen );
773         MBEDTLS_SSL_DEBUG_BUF( 4, "IV used (transmitted)",
774                                dynamic_iv,
775                                dynamic_iv_is_explicit ? dynamic_iv_len : 0 );
776         MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
777                                add_data, add_data_len );
778         MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
779                                     "including 0 bytes of padding",
780                                     rec->data_len ) );
781 
782         /*
783          * Encrypt and authenticate
784          */
785 
786         if( ( ret = mbedtls_cipher_auth_encrypt_ext( &transform->cipher_ctx_enc,
787                    iv, transform->ivlen,
788                    add_data, add_data_len,
789                    data, rec->data_len,                     /* src */
790                    data, rec->buf_len - (data - rec->buf),  /* dst */
791                    &rec->data_len,
792                    transform->taglen ) ) != 0 )
793         {
794             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_encrypt_ext", ret );
795             return( ret );
796         }
797         MBEDTLS_SSL_DEBUG_BUF( 4, "after encrypt: tag",
798                                data + rec->data_len - transform->taglen,
799                                transform->taglen );
800         /* Account for authentication tag. */
801         post_avail -= transform->taglen;
802 
803         /*
804          * Prefix record content with dynamic IV in case it is explicit.
805          */
806         if( dynamic_iv_is_explicit != 0 )
807         {
808             if( rec->data_offset < dynamic_iv_len )
809             {
810                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
811                 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
812             }
813 
814             memcpy( data - dynamic_iv_len, dynamic_iv, dynamic_iv_len );
815             rec->data_offset -= dynamic_iv_len;
816             rec->data_len    += dynamic_iv_len;
817         }
818 
819         auth_done++;
820     }
821     else
822 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C */
823 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
824     if( mode == MBEDTLS_MODE_CBC )
825     {
826         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
827         size_t padlen, i;
828         size_t olen;
829 
830         /* Currently we're always using minimal padding
831          * (up to 255 bytes would be allowed). */
832         padlen = transform->ivlen - ( rec->data_len + 1 ) % transform->ivlen;
833         if( padlen == transform->ivlen )
834             padlen = 0;
835 
836         /* Check there's enough space in the buffer for the padding. */
837         if( post_avail < padlen + 1 )
838         {
839             MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
840             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
841         }
842 
843         for( i = 0; i <= padlen; i++ )
844             data[rec->data_len + i] = (unsigned char) padlen;
845 
846         rec->data_len += padlen + 1;
847         post_avail -= padlen + 1;
848 
849 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
850         /*
851          * Prepend per-record IV for block cipher in TLS v1.2 as per
852          * Method 1 (6.2.3.2. in RFC4346 and RFC5246)
853          */
854         if( f_rng == NULL )
855         {
856             MBEDTLS_SSL_DEBUG_MSG( 1, ( "No PRNG provided to encrypt_record routine" ) );
857             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
858         }
859 
860         if( rec->data_offset < transform->ivlen )
861         {
862             MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
863             return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
864         }
865 
866         /*
867          * Generate IV
868          */
869         ret = f_rng( p_rng, transform->iv_enc, transform->ivlen );
870         if( ret != 0 )
871             return( ret );
872 
873         memcpy( data - transform->ivlen, transform->iv_enc, transform->ivlen );
874 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
875 
876         MBEDTLS_SSL_DEBUG_MSG( 3, ( "before encrypt: msglen = %" MBEDTLS_PRINTF_SIZET ", "
877                             "including %" MBEDTLS_PRINTF_SIZET
878                             " bytes of IV and %" MBEDTLS_PRINTF_SIZET " bytes of padding",
879                             rec->data_len, transform->ivlen,
880                             padlen + 1 ) );
881 
882         if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_enc,
883                                    transform->iv_enc,
884                                    transform->ivlen,
885                                    data, rec->data_len,
886                                    data, &olen ) ) != 0 )
887         {
888             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
889             return( ret );
890         }
891 
892         if( rec->data_len != olen )
893         {
894             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
895             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
896         }
897 
898         data             -= transform->ivlen;
899         rec->data_offset -= transform->ivlen;
900         rec->data_len    += transform->ivlen;
901 
902 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
903         if( auth_done == 0 )
904         {
905             unsigned char mac[MBEDTLS_SSL_MAC_ADD];
906 
907             /*
908              * MAC(MAC_write_key, seq_num +
909              *     TLSCipherText.type +
910              *     TLSCipherText.version +
911              *     length_of( (IV +) ENC(...) ) +
912              *     IV +
913              *     ENC(content + padding + padding_length));
914              */
915 
916             if( post_avail < transform->maclen)
917             {
918                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "Buffer provided for encrypted record not large enough" ) );
919                 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
920             }
921 
922             ssl_extract_add_data_from_record( add_data, &add_data_len,
923                                               rec, transform->minor_ver,
924                                               transform->taglen );
925 
926             MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
927             MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
928                                    add_data_len );
929 
930             mbedtls_md_hmac_update( &transform->md_ctx_enc, add_data,
931                                     add_data_len );
932             mbedtls_md_hmac_update( &transform->md_ctx_enc,
933                                     data, rec->data_len );
934             mbedtls_md_hmac_finish( &transform->md_ctx_enc, mac );
935             mbedtls_md_hmac_reset( &transform->md_ctx_enc );
936 
937             memcpy( data + rec->data_len, mac, transform->maclen );
938 
939             rec->data_len += transform->maclen;
940             post_avail -= transform->maclen;
941             auth_done++;
942         }
943 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
944     }
945     else
946 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC) */
947     {
948         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
949         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
950     }
951 
952     /* Make extra sure authentication was performed, exactly once */
953     if( auth_done != 1 )
954     {
955         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
956         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
957     }
958 
959     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
960 
961     return( 0 );
962 }
963 
964 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)
965 /*
966  * Turn a bit into a mask:
967  * - if bit == 1, return the all-bits 1 mask, aka (size_t) -1
968  * - if bit == 0, return the all-bits 0 mask, aka 0
969  *
970  * This function can be used to write constant-time code by replacing branches
971  * with bit operations using masks.
972  *
973  * This function is implemented without using comparison operators, as those
974  * might be translated to branches by some compilers on some platforms.
975  */
mbedtls_ssl_cf_mask_from_bit(size_t bit)976 static size_t mbedtls_ssl_cf_mask_from_bit( size_t bit )
977 {
978     /* MSVC has a warning about unary minus on unsigned integer types,
979      * but this is well-defined and precisely what we want to do here. */
980 #if defined(_MSC_VER)
981 #pragma warning( push )
982 #pragma warning( disable : 4146 )
983 #endif
984     return -bit;
985 #if defined(_MSC_VER)
986 #pragma warning( pop )
987 #endif
988 }
989 
990 /*
991  * Constant-flow mask generation for "less than" comparison:
992  * - if x < y,  return all bits 1, that is (size_t) -1
993  * - otherwise, return all bits 0, that is 0
994  *
995  * This function can be used to write constant-time code by replacing branches
996  * with bit operations using masks.
997  *
998  * This function is implemented without using comparison operators, as those
999  * might be translated to branches by some compilers on some platforms.
1000  */
mbedtls_ssl_cf_mask_lt(size_t x,size_t y)1001 static size_t mbedtls_ssl_cf_mask_lt( size_t x, size_t y )
1002 {
1003     /* This has the most significant bit set if and only if x < y */
1004     const size_t sub = x - y;
1005 
1006     /* sub1 = (x < y) ? 1 : 0 */
1007     const size_t sub1 = sub >> ( sizeof( sub ) * 8 - 1 );
1008 
1009     /* mask = (x < y) ? 0xff... : 0x00... */
1010     const size_t mask = mbedtls_ssl_cf_mask_from_bit( sub1 );
1011 
1012     return( mask );
1013 }
1014 
1015 /*
1016  * Constant-flow mask generation for "greater or equal" comparison:
1017  * - if x >= y, return all bits 1, that is (size_t) -1
1018  * - otherwise, return all bits 0, that is 0
1019  *
1020  * This function can be used to write constant-time code by replacing branches
1021  * with bit operations using masks.
1022  *
1023  * This function is implemented without using comparison operators, as those
1024  * might be translated to branches by some compilers on some platforms.
1025  */
mbedtls_ssl_cf_mask_ge(size_t x,size_t y)1026 static size_t mbedtls_ssl_cf_mask_ge( size_t x, size_t y )
1027 {
1028     return( ~mbedtls_ssl_cf_mask_lt( x, y ) );
1029 }
1030 
1031 /*
1032  * Constant-flow boolean "equal" comparison:
1033  * return x == y
1034  *
1035  * This function can be used to write constant-time code by replacing branches
1036  * with bit operations - it can be used in conjunction with
1037  * mbedtls_ssl_cf_mask_from_bit().
1038  *
1039  * This function is implemented without using comparison operators, as those
1040  * might be translated to branches by some compilers on some platforms.
1041  */
mbedtls_ssl_cf_bool_eq(size_t x,size_t y)1042 static size_t mbedtls_ssl_cf_bool_eq( size_t x, size_t y )
1043 {
1044     /* diff = 0 if x == y, non-zero otherwise */
1045     const size_t diff = x ^ y;
1046 
1047     /* MSVC has a warning about unary minus on unsigned integer types,
1048      * but this is well-defined and precisely what we want to do here. */
1049 #if defined(_MSC_VER)
1050 #pragma warning( push )
1051 #pragma warning( disable : 4146 )
1052 #endif
1053 
1054     /* diff_msb's most significant bit is equal to x != y */
1055     const size_t diff_msb = ( diff | -diff );
1056 
1057 #if defined(_MSC_VER)
1058 #pragma warning( pop )
1059 #endif
1060 
1061     /* diff1 = (x != y) ? 1 : 0 */
1062     const size_t diff1 = diff_msb >> ( sizeof( diff_msb ) * 8 - 1 );
1063 
1064     return( 1 ^ diff1 );
1065 }
1066 
1067 /*
1068  * Constant-flow conditional memcpy:
1069  *  - if c1 == c2, equivalent to memcpy(dst, src, len),
1070  *  - otherwise, a no-op,
1071  * but with execution flow independent of the values of c1 and c2.
1072  *
1073  * This function is implemented without using comparison operators, as those
1074  * might be translated to branches by some compilers on some platforms.
1075  */
mbedtls_ssl_cf_memcpy_if_eq(unsigned char * dst,const unsigned char * src,size_t len,size_t c1,size_t c2)1076 static void mbedtls_ssl_cf_memcpy_if_eq( unsigned char *dst,
1077                                          const unsigned char *src,
1078                                          size_t len,
1079                                          size_t c1, size_t c2 )
1080 {
1081     /* mask = c1 == c2 ? 0xff : 0x00 */
1082     const size_t equal = mbedtls_ssl_cf_bool_eq( c1, c2 );
1083     const unsigned char mask = (unsigned char) mbedtls_ssl_cf_mask_from_bit( equal );
1084 
1085     /* dst[i] = c1 == c2 ? src[i] : dst[i] */
1086     for( size_t i = 0; i < len; i++ )
1087         dst[i] = ( src[i] & mask ) | ( dst[i] & ~mask );
1088 }
1089 
1090 /*
1091  * Compute HMAC of variable-length data with constant flow.
1092  *
1093  * Only works with MD-5, SHA-1, SHA-256 and SHA-384.
1094  * (Otherwise, computation of block_size needs to be adapted.)
1095  */
mbedtls_ssl_cf_hmac(mbedtls_md_context_t * ctx,const unsigned char * add_data,size_t add_data_len,const unsigned char * data,size_t data_len_secret,size_t min_data_len,size_t max_data_len,unsigned char * output)1096 MBEDTLS_STATIC_TESTABLE int mbedtls_ssl_cf_hmac(
1097         mbedtls_md_context_t *ctx,
1098         const unsigned char *add_data, size_t add_data_len,
1099         const unsigned char *data, size_t data_len_secret,
1100         size_t min_data_len, size_t max_data_len,
1101         unsigned char *output )
1102 {
1103     /*
1104      * This function breaks the HMAC abstraction and uses the md_clone()
1105      * extension to the MD API in order to get constant-flow behaviour.
1106      *
1107      * HMAC(msg) is defined as HASH(okey + HASH(ikey + msg)) where + means
1108      * concatenation, and okey/ikey are the XOR of the key with some fixed bit
1109      * patterns (see RFC 2104, sec. 2), which are stored in ctx->hmac_ctx.
1110      *
1111      * We'll first compute inner_hash = HASH(ikey + msg) by hashing up to
1112      * minlen, then cloning the context, and for each byte up to maxlen
1113      * finishing up the hash computation, keeping only the correct result.
1114      *
1115      * Then we only need to compute HASH(okey + inner_hash) and we're done.
1116      */
1117     const mbedtls_md_type_t md_alg = mbedtls_md_get_type( ctx->md_info );
1118     /* TLS 1.2 only supports SHA-384, SHA-256, SHA-1, MD-5,
1119      * all of which have the same block size except SHA-384. */
1120     const size_t block_size = md_alg == MBEDTLS_MD_SHA384 ? 128 : 64;
1121     const unsigned char * const ikey = ctx->hmac_ctx;
1122     const unsigned char * const okey = ikey + block_size;
1123     const size_t hash_size = mbedtls_md_get_size( ctx->md_info );
1124 
1125     unsigned char aux_out[MBEDTLS_MD_MAX_SIZE];
1126     mbedtls_md_context_t aux;
1127     size_t offset;
1128     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1129 
1130     mbedtls_md_init( &aux );
1131 
1132 #define MD_CHK( func_call ) \
1133     do {                    \
1134         ret = (func_call);  \
1135         if( ret != 0 )      \
1136             goto cleanup;   \
1137     } while( 0 )
1138 
1139     MD_CHK( mbedtls_md_setup( &aux, ctx->md_info, 0 ) );
1140 
1141     /* After hmac_start() of hmac_reset(), ikey has already been hashed,
1142      * so we can start directly with the message */
1143     MD_CHK( mbedtls_md_update( ctx, add_data, add_data_len ) );
1144     MD_CHK( mbedtls_md_update( ctx, data, min_data_len ) );
1145 
1146     /* For each possible length, compute the hash up to that point */
1147     for( offset = min_data_len; offset <= max_data_len; offset++ )
1148     {
1149         MD_CHK( mbedtls_md_clone( &aux, ctx ) );
1150         MD_CHK( mbedtls_md_finish( &aux, aux_out ) );
1151         /* Keep only the correct inner_hash in the output buffer */
1152         mbedtls_ssl_cf_memcpy_if_eq( output, aux_out, hash_size,
1153                                      offset, data_len_secret );
1154 
1155         if( offset < max_data_len )
1156             MD_CHK( mbedtls_md_update( ctx, data + offset, 1 ) );
1157     }
1158 
1159     /* The context needs to finish() before it starts() again */
1160     MD_CHK( mbedtls_md_finish( ctx, aux_out ) );
1161 
1162     /* Now compute HASH(okey + inner_hash) */
1163     MD_CHK( mbedtls_md_starts( ctx ) );
1164     MD_CHK( mbedtls_md_update( ctx, okey, block_size ) );
1165     MD_CHK( mbedtls_md_update( ctx, output, hash_size ) );
1166     MD_CHK( mbedtls_md_finish( ctx, output ) );
1167 
1168     /* Done, get ready for next time */
1169     MD_CHK( mbedtls_md_hmac_reset( ctx ) );
1170 
1171 #undef MD_CHK
1172 
1173 cleanup:
1174     mbedtls_md_free( &aux );
1175     return( ret );
1176 }
1177 
1178 /*
1179  * Constant-flow memcpy from variable position in buffer.
1180  * - functionally equivalent to memcpy(dst, src + offset_secret, len)
1181  * - but with execution flow independent from the value of offset_secret.
1182  */
mbedtls_ssl_cf_memcpy_offset(unsigned char * dst,const unsigned char * src_base,size_t offset_secret,size_t offset_min,size_t offset_max,size_t len)1183 MBEDTLS_STATIC_TESTABLE void mbedtls_ssl_cf_memcpy_offset(
1184                                    unsigned char *dst,
1185                                    const unsigned char *src_base,
1186                                    size_t offset_secret,
1187                                    size_t offset_min, size_t offset_max,
1188                                    size_t len )
1189 {
1190     size_t offset;
1191 
1192     for( offset = offset_min; offset <= offset_max; offset++ )
1193     {
1194         mbedtls_ssl_cf_memcpy_if_eq( dst, src_base + offset, len,
1195                                      offset, offset_secret );
1196     }
1197 }
1198 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */
1199 
mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const * ssl,mbedtls_ssl_transform * transform,mbedtls_record * rec)1200 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
1201                              mbedtls_ssl_transform *transform,
1202                              mbedtls_record *rec )
1203 {
1204     size_t olen;
1205     mbedtls_cipher_mode_t mode;
1206     int ret, auth_done = 0;
1207 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1208     size_t padlen = 0, correct = 1;
1209 #endif
1210     unsigned char* data;
1211     unsigned char add_data[13 + 1 + MBEDTLS_SSL_CID_IN_LEN_MAX ];
1212     size_t add_data_len;
1213 
1214 #if !defined(MBEDTLS_DEBUG_C)
1215     ssl = NULL; /* make sure we don't use it except for debug */
1216     ((void) ssl);
1217 #endif
1218 
1219     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> decrypt buf" ) );
1220     if( rec == NULL                     ||
1221         rec->buf == NULL                ||
1222         rec->buf_len < rec->data_offset ||
1223         rec->buf_len - rec->data_offset < rec->data_len )
1224     {
1225         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad record structure provided to decrypt_buf" ) );
1226         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1227     }
1228 
1229     data = rec->buf + rec->data_offset;
1230     mode = mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_dec );
1231 
1232 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1233     /*
1234      * Match record's CID with incoming CID.
1235      */
1236     if( rec->cid_len != transform->in_cid_len ||
1237         memcmp( rec->cid, transform->in_cid, rec->cid_len ) != 0 )
1238     {
1239         return( MBEDTLS_ERR_SSL_UNEXPECTED_CID );
1240     }
1241 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1242 
1243 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM)
1244     if( mode == MBEDTLS_MODE_STREAM )
1245     {
1246         padlen = 0;
1247         if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1248                                    transform->iv_dec,
1249                                    transform->ivlen,
1250                                    data, rec->data_len,
1251                                    data, &olen ) ) != 0 )
1252         {
1253             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1254             return( ret );
1255         }
1256 
1257         if( rec->data_len != olen )
1258         {
1259             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1260             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1261         }
1262     }
1263     else
1264 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_STREAM */
1265 #if defined(MBEDTLS_GCM_C) || \
1266     defined(MBEDTLS_CCM_C) || \
1267     defined(MBEDTLS_CHACHAPOLY_C)
1268     if( mode == MBEDTLS_MODE_GCM ||
1269         mode == MBEDTLS_MODE_CCM ||
1270         mode == MBEDTLS_MODE_CHACHAPOLY )
1271     {
1272         unsigned char iv[12];
1273         unsigned char *dynamic_iv;
1274         size_t dynamic_iv_len;
1275 
1276         /*
1277          * Extract dynamic part of nonce for AEAD decryption.
1278          *
1279          * Note: In the case of CCM and GCM in TLS 1.2, the dynamic
1280          *       part of the IV is prepended to the ciphertext and
1281          *       can be chosen freely - in particular, it need not
1282          *       agree with the record sequence number.
1283          */
1284         dynamic_iv_len = sizeof( rec->ctr );
1285         if( ssl_transform_aead_dynamic_iv_is_explicit( transform ) == 1 )
1286         {
1287             if( rec->data_len < dynamic_iv_len )
1288             {
1289                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1290                                             " ) < explicit_iv_len (%" MBEDTLS_PRINTF_SIZET ") ",
1291                                             rec->data_len,
1292                                             dynamic_iv_len ) );
1293                 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1294             }
1295             dynamic_iv = data;
1296 
1297             data += dynamic_iv_len;
1298             rec->data_offset += dynamic_iv_len;
1299             rec->data_len    -= dynamic_iv_len;
1300         }
1301         else
1302         {
1303             dynamic_iv = rec->ctr;
1304         }
1305 
1306         /* Check that there's space for the authentication tag. */
1307         if( rec->data_len < transform->taglen )
1308         {
1309             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1310                                         ") < taglen (%" MBEDTLS_PRINTF_SIZET ") ",
1311                                         rec->data_len,
1312                                         transform->taglen ) );
1313             return( MBEDTLS_ERR_SSL_INVALID_MAC );
1314         }
1315         rec->data_len -= transform->taglen;
1316 
1317         /*
1318          * Prepare nonce from dynamic and static parts.
1319          */
1320         ssl_build_record_nonce( iv, sizeof( iv ),
1321                                 transform->iv_dec,
1322                                 transform->fixed_ivlen,
1323                                 dynamic_iv,
1324                                 dynamic_iv_len );
1325 
1326         /*
1327          * Build additional data for AEAD encryption.
1328          * This depends on the TLS version.
1329          */
1330         ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1331                                           transform->minor_ver,
1332                                           transform->taglen );
1333         MBEDTLS_SSL_DEBUG_BUF( 4, "additional data used for AEAD",
1334                                add_data, add_data_len );
1335 
1336         /* Because of the check above, we know that there are
1337          * explicit_iv_len Bytes preceeding data, and taglen
1338          * bytes following data + data_len. This justifies
1339          * the debug message and the invocation of
1340          * mbedtls_cipher_auth_decrypt_ext() below. */
1341 
1342         MBEDTLS_SSL_DEBUG_BUF( 4, "IV used", iv, transform->ivlen );
1343         MBEDTLS_SSL_DEBUG_BUF( 4, "TAG used", data + rec->data_len,
1344                                transform->taglen );
1345 
1346         /*
1347          * Decrypt and authenticate
1348          */
1349         if( ( ret = mbedtls_cipher_auth_decrypt_ext( &transform->cipher_ctx_dec,
1350                   iv, transform->ivlen,
1351                   add_data, add_data_len,
1352                   data, rec->data_len + transform->taglen,          /* src */
1353                   data, rec->buf_len - (data - rec->buf), &olen,    /* dst */
1354                   transform->taglen ) ) != 0 )
1355         {
1356             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_auth_decrypt_ext", ret );
1357 
1358             if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
1359                 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1360 
1361             return( ret );
1362         }
1363         auth_done++;
1364 
1365         /* Double-check that AEAD decryption doesn't change content length. */
1366         if( olen != rec->data_len )
1367         {
1368             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1369             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1370         }
1371     }
1372     else
1373 #endif /* MBEDTLS_GCM_C || MBEDTLS_CCM_C */
1374 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
1375     if( mode == MBEDTLS_MODE_CBC )
1376     {
1377         size_t minlen = 0;
1378 
1379         /*
1380          * Check immediate ciphertext sanity
1381          */
1382 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1383         /* The ciphertext is prefixed with the CBC IV. */
1384         minlen += transform->ivlen;
1385 #endif
1386 
1387         /* Size considerations:
1388          *
1389          * - The CBC cipher text must not be empty and hence
1390          *   at least of size transform->ivlen.
1391          *
1392          * Together with the potential IV-prefix, this explains
1393          * the first of the two checks below.
1394          *
1395          * - The record must contain a MAC, either in plain or
1396          *   encrypted, depending on whether Encrypt-then-MAC
1397          *   is used or not.
1398          *   - If it is, the message contains the IV-prefix,
1399          *     the CBC ciphertext, and the MAC.
1400          *   - If it is not, the padded plaintext, and hence
1401          *     the CBC ciphertext, has at least length maclen + 1
1402          *     because there is at least the padding length byte.
1403          *
1404          * As the CBC ciphertext is not empty, both cases give the
1405          * lower bound minlen + maclen + 1 on the record size, which
1406          * we test for in the second check below.
1407          */
1408         if( rec->data_len < minlen + transform->ivlen ||
1409             rec->data_len < minlen + transform->maclen + 1 )
1410         {
1411             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1412                                         ") < max( ivlen(%" MBEDTLS_PRINTF_SIZET
1413                                         "), maclen (%" MBEDTLS_PRINTF_SIZET ") "
1414                                 "+ 1 ) ( + expl IV )", rec->data_len,
1415                                 transform->ivlen,
1416                                 transform->maclen ) );
1417             return( MBEDTLS_ERR_SSL_INVALID_MAC );
1418         }
1419 
1420         /*
1421          * Authenticate before decrypt if enabled
1422          */
1423 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1424         if( transform->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED )
1425         {
1426             unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
1427 
1428             MBEDTLS_SSL_DEBUG_MSG( 3, ( "using encrypt then mac" ) );
1429 
1430             /* Update data_len in tandem with add_data.
1431              *
1432              * The subtraction is safe because of the previous check
1433              * data_len >= minlen + maclen + 1.
1434              *
1435              * Afterwards, we know that data + data_len is followed by at
1436              * least maclen Bytes, which justifies the call to
1437              * mbedtls_ssl_safer_memcmp() below.
1438              *
1439              * Further, we still know that data_len > minlen */
1440             rec->data_len -= transform->maclen;
1441             ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1442                                               transform->minor_ver,
1443                                               transform->taglen );
1444 
1445             /* Calculate expected MAC. */
1446             MBEDTLS_SSL_DEBUG_BUF( 4, "MAC'd meta-data", add_data,
1447                                    add_data_len );
1448             mbedtls_md_hmac_update( &transform->md_ctx_dec, add_data,
1449                                     add_data_len );
1450             mbedtls_md_hmac_update( &transform->md_ctx_dec,
1451                                     data, rec->data_len );
1452             mbedtls_md_hmac_finish( &transform->md_ctx_dec, mac_expect );
1453             mbedtls_md_hmac_reset( &transform->md_ctx_dec );
1454 
1455             MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", data + rec->data_len,
1456                                    transform->maclen );
1457             MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect,
1458                                    transform->maclen );
1459 
1460             /* Compare expected MAC with MAC at the end of the record. */
1461             if( mbedtls_ssl_safer_memcmp( data + rec->data_len, mac_expect,
1462                                           transform->maclen ) != 0 )
1463             {
1464                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1465                 return( MBEDTLS_ERR_SSL_INVALID_MAC );
1466             }
1467             auth_done++;
1468         }
1469 #endif /* MBEDTLS_SSL_ENCRYPT_THEN_MAC */
1470 
1471         /*
1472          * Check length sanity
1473          */
1474 
1475         /* We know from above that data_len > minlen >= 0,
1476          * so the following check in particular implies that
1477          * data_len >= minlen + ivlen ( = minlen or 2 * minlen ). */
1478         if( rec->data_len % transform->ivlen != 0 )
1479         {
1480             MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1481                                         ") %% ivlen (%" MBEDTLS_PRINTF_SIZET ") != 0",
1482                                         rec->data_len, transform->ivlen ) );
1483             return( MBEDTLS_ERR_SSL_INVALID_MAC );
1484         }
1485 
1486 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1487         /*
1488          * Initialize for prepended IV for block cipher in TLS v1.2
1489          */
1490         /* Safe because data_len >= minlen + ivlen = 2 * ivlen. */
1491         memcpy( transform->iv_dec, data, transform->ivlen );
1492 
1493         data += transform->ivlen;
1494         rec->data_offset += transform->ivlen;
1495         rec->data_len -= transform->ivlen;
1496 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1497 
1498         /* We still have data_len % ivlen == 0 and data_len >= ivlen here. */
1499 
1500         if( ( ret = mbedtls_cipher_crypt( &transform->cipher_ctx_dec,
1501                                    transform->iv_dec, transform->ivlen,
1502                                    data, rec->data_len, data, &olen ) ) != 0 )
1503         {
1504             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_cipher_crypt", ret );
1505             return( ret );
1506         }
1507 
1508         /* Double-check that length hasn't changed during decryption. */
1509         if( rec->data_len != olen )
1510         {
1511             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1512             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1513         }
1514 
1515         /* Safe since data_len >= minlen + maclen + 1, so after having
1516          * subtracted at most minlen and maclen up to this point,
1517          * data_len > 0 (because of data_len % ivlen == 0, it's actually
1518          * >= ivlen ). */
1519         padlen = data[rec->data_len - 1];
1520 
1521         if( auth_done == 1 )
1522         {
1523             const size_t mask = mbedtls_ssl_cf_mask_ge(
1524                                 rec->data_len,
1525                                 padlen + 1 );
1526             correct &= mask;
1527             padlen  &= mask;
1528         }
1529         else
1530         {
1531 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1532             if( rec->data_len < transform->maclen + padlen + 1 )
1533             {
1534                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "msglen (%" MBEDTLS_PRINTF_SIZET
1535                                             ") < maclen (%" MBEDTLS_PRINTF_SIZET
1536                                             ") + padlen (%" MBEDTLS_PRINTF_SIZET ")",
1537                                             rec->data_len,
1538                                             transform->maclen,
1539                                             padlen + 1 ) );
1540             }
1541 #endif
1542 
1543             const size_t mask = mbedtls_ssl_cf_mask_ge(
1544                                 rec->data_len,
1545                                 transform->maclen + padlen + 1 );
1546             correct &= mask;
1547             padlen  &= mask;
1548         }
1549 
1550         padlen++;
1551 
1552         /* Regardless of the validity of the padding,
1553          * we have data_len >= padlen here. */
1554 
1555 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1556         /* The padding check involves a series of up to 256
1557             * consecutive memory reads at the end of the record
1558             * plaintext buffer. In order to hide the length and
1559             * validity of the padding, always perform exactly
1560             * `min(256,plaintext_len)` reads (but take into account
1561             * only the last `padlen` bytes for the padding check). */
1562         size_t pad_count = 0;
1563         volatile unsigned char* const check = data;
1564 
1565         /* Index of first padding byte; it has been ensured above
1566             * that the subtraction is safe. */
1567         size_t const padding_idx = rec->data_len - padlen;
1568         size_t const num_checks = rec->data_len <= 256 ? rec->data_len : 256;
1569         size_t const start_idx = rec->data_len - num_checks;
1570         size_t idx;
1571 
1572         for( idx = start_idx; idx < rec->data_len; idx++ )
1573         {
1574             /* pad_count += (idx >= padding_idx) &&
1575                 *              (check[idx] == padlen - 1);
1576                 */
1577             const size_t mask = mbedtls_ssl_cf_mask_ge( idx, padding_idx );
1578             const size_t equal = mbedtls_ssl_cf_bool_eq( check[idx],
1579                                                             padlen - 1 );
1580             pad_count += mask & equal;
1581         }
1582         correct &= mbedtls_ssl_cf_bool_eq( pad_count, padlen );
1583 
1584 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1585         if( padlen > 0 && correct == 0 )
1586             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad padding byte detected" ) );
1587 #endif
1588         padlen &= mbedtls_ssl_cf_mask_from_bit( correct );
1589 
1590 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1591 
1592         /* If the padding was found to be invalid, padlen == 0
1593          * and the subtraction is safe. If the padding was found valid,
1594          * padlen hasn't been changed and the previous assertion
1595          * data_len >= padlen still holds. */
1596         rec->data_len -= padlen;
1597     }
1598     else
1599 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC */
1600     {
1601         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1602         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1603     }
1604 
1605 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1606     MBEDTLS_SSL_DEBUG_BUF( 4, "raw buffer after decryption",
1607                            data, rec->data_len );
1608 #endif
1609 
1610     /*
1611      * Authenticate if not done yet.
1612      * Compute the MAC regardless of the padding result (RFC4346, CBCTIME).
1613      */
1614 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1615     if( auth_done == 0 )
1616     {
1617         unsigned char mac_expect[MBEDTLS_SSL_MAC_ADD];
1618         unsigned char mac_peer[MBEDTLS_SSL_MAC_ADD];
1619 
1620         /* If the initial value of padlen was such that
1621          * data_len < maclen + padlen + 1, then padlen
1622          * got reset to 1, and the initial check
1623          * data_len >= minlen + maclen + 1
1624          * guarantees that at this point we still
1625          * have at least data_len >= maclen.
1626          *
1627          * If the initial value of padlen was such that
1628          * data_len >= maclen + padlen + 1, then we have
1629          * subtracted either padlen + 1 (if the padding was correct)
1630          * or 0 (if the padding was incorrect) since then,
1631          * hence data_len >= maclen in any case.
1632          */
1633         rec->data_len -= transform->maclen;
1634         ssl_extract_add_data_from_record( add_data, &add_data_len, rec,
1635                                           transform->minor_ver,
1636                                           transform->taglen );
1637 
1638 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1639         /*
1640             * The next two sizes are the minimum and maximum values of
1641             * data_len over all padlen values.
1642             *
1643             * They're independent of padlen, since we previously did
1644             * data_len -= padlen.
1645             *
1646             * Note that max_len + maclen is never more than the buffer
1647             * length, as we previously did in_msglen -= maclen too.
1648             */
1649         const size_t max_len = rec->data_len + padlen;
1650         const size_t min_len = ( max_len > 256 ) ? max_len - 256 : 0;
1651 
1652         ret = mbedtls_ssl_cf_hmac( &transform->md_ctx_dec,
1653                                     add_data, add_data_len,
1654                                     data, rec->data_len, min_len, max_len,
1655                                     mac_expect );
1656         if( ret != 0 )
1657         {
1658             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_cf_hmac", ret );
1659             return( ret );
1660         }
1661 
1662         mbedtls_ssl_cf_memcpy_offset( mac_peer, data,
1663                                         rec->data_len,
1664                                         min_len, max_len,
1665                                         transform->maclen );
1666 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1667 
1668 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1669         MBEDTLS_SSL_DEBUG_BUF( 4, "expected mac", mac_expect, transform->maclen );
1670         MBEDTLS_SSL_DEBUG_BUF( 4, "message  mac", mac_peer, transform->maclen );
1671 #endif
1672 
1673         if( mbedtls_ssl_safer_memcmp( mac_peer, mac_expect,
1674                                       transform->maclen ) != 0 )
1675         {
1676 #if defined(MBEDTLS_SSL_DEBUG_ALL)
1677             MBEDTLS_SSL_DEBUG_MSG( 1, ( "message mac does not match" ) );
1678 #endif
1679             correct = 0;
1680         }
1681         auth_done++;
1682     }
1683 
1684     /*
1685      * Finally check the correct flag
1686      */
1687     if( correct == 0 )
1688         return( MBEDTLS_ERR_SSL_INVALID_MAC );
1689 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
1690 
1691     /* Make extra sure authentication was performed, exactly once */
1692     if( auth_done != 1 )
1693     {
1694         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1695         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1696     }
1697 
1698 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
1699     if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
1700     {
1701         /* Remove inner padding and infer true content type. */
1702         ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1703                                          &rec->type );
1704 
1705         if( ret != 0 )
1706             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1707     }
1708 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1709 
1710 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1711     if( rec->cid_len != 0 )
1712     {
1713         ret = ssl_parse_inner_plaintext( data, &rec->data_len,
1714                                          &rec->type );
1715         if( ret != 0 )
1716             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
1717     }
1718 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1719 
1720     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
1721 
1722     return( 0 );
1723 }
1724 
1725 #undef MAC_NONE
1726 #undef MAC_PLAINTEXT
1727 #undef MAC_CIPHERTEXT
1728 
1729 /*
1730  * Fill the input message buffer by appending data to it.
1731  * The amount of data already fetched is in ssl->in_left.
1732  *
1733  * If we return 0, is it guaranteed that (at least) nb_want bytes are
1734  * available (from this read and/or a previous one). Otherwise, an error code
1735  * is returned (possibly EOF or WANT_READ).
1736  *
1737  * With stream transport (TLS) on success ssl->in_left == nb_want, but
1738  * with datagram transport (DTLS) on success ssl->in_left >= nb_want,
1739  * since we always read a whole datagram at once.
1740  *
1741  * For DTLS, it is up to the caller to set ssl->next_record_offset when
1742  * they're done reading a record.
1743  */
mbedtls_ssl_fetch_input(mbedtls_ssl_context * ssl,size_t nb_want)1744 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want )
1745 {
1746     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1747     size_t len;
1748 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
1749     size_t in_buf_len = ssl->in_buf_len;
1750 #else
1751     size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
1752 #endif
1753 
1754     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> fetch input" ) );
1755 
1756     if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL )
1757     {
1758         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
1759                             "or mbedtls_ssl_set_bio()" ) );
1760         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1761     }
1762 
1763     if( nb_want > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
1764     {
1765         MBEDTLS_SSL_DEBUG_MSG( 1, ( "requesting more data than fits" ) );
1766         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1767     }
1768 
1769 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1770     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1771     {
1772         uint32_t timeout;
1773 
1774         /*
1775          * The point is, we need to always read a full datagram at once, so we
1776          * sometimes read more then requested, and handle the additional data.
1777          * It could be the rest of the current record (while fetching the
1778          * header) and/or some other records in the same datagram.
1779          */
1780 
1781         /*
1782          * Move to the next record in the already read datagram if applicable
1783          */
1784         if( ssl->next_record_offset != 0 )
1785         {
1786             if( ssl->in_left < ssl->next_record_offset )
1787             {
1788                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1789                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1790             }
1791 
1792             ssl->in_left -= ssl->next_record_offset;
1793 
1794             if( ssl->in_left != 0 )
1795             {
1796                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "next record in same datagram, offset: %"
1797                                             MBEDTLS_PRINTF_SIZET,
1798                                     ssl->next_record_offset ) );
1799                 memmove( ssl->in_hdr,
1800                          ssl->in_hdr + ssl->next_record_offset,
1801                          ssl->in_left );
1802             }
1803 
1804             ssl->next_record_offset = 0;
1805         }
1806 
1807         MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
1808                                     ", nb_want: %" MBEDTLS_PRINTF_SIZET,
1809                        ssl->in_left, nb_want ) );
1810 
1811         /*
1812          * Done if we already have enough data.
1813          */
1814         if( nb_want <= ssl->in_left)
1815         {
1816             MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1817             return( 0 );
1818         }
1819 
1820         /*
1821          * A record can't be split across datagrams. If we need to read but
1822          * are not at the beginning of a new record, the caller did something
1823          * wrong.
1824          */
1825         if( ssl->in_left != 0 )
1826         {
1827             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
1828             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1829         }
1830 
1831         /*
1832          * Don't even try to read if time's out already.
1833          * This avoids by-passing the timer when repeatedly receiving messages
1834          * that will end up being dropped.
1835          */
1836         if( mbedtls_ssl_check_timer( ssl ) != 0 )
1837         {
1838             MBEDTLS_SSL_DEBUG_MSG( 2, ( "timer has expired" ) );
1839             ret = MBEDTLS_ERR_SSL_TIMEOUT;
1840         }
1841         else
1842         {
1843             len = in_buf_len - ( ssl->in_hdr - ssl->in_buf );
1844 
1845             if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
1846                 timeout = ssl->handshake->retransmit_timeout;
1847             else
1848                 timeout = ssl->conf->read_timeout;
1849 
1850             MBEDTLS_SSL_DEBUG_MSG( 3, ( "f_recv_timeout: %lu ms", (unsigned long) timeout ) );
1851 
1852             if( ssl->f_recv_timeout != NULL )
1853                 ret = ssl->f_recv_timeout( ssl->p_bio, ssl->in_hdr, len,
1854                                                                     timeout );
1855             else
1856                 ret = ssl->f_recv( ssl->p_bio, ssl->in_hdr, len );
1857 
1858             MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
1859 
1860             if( ret == 0 )
1861                 return( MBEDTLS_ERR_SSL_CONN_EOF );
1862         }
1863 
1864         if( ret == MBEDTLS_ERR_SSL_TIMEOUT )
1865         {
1866             MBEDTLS_SSL_DEBUG_MSG( 2, ( "timeout" ) );
1867             mbedtls_ssl_set_timer( ssl, 0 );
1868 
1869             if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
1870             {
1871                 if( ssl_double_retransmit_timeout( ssl ) != 0 )
1872                 {
1873                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake timeout" ) );
1874                     return( MBEDTLS_ERR_SSL_TIMEOUT );
1875                 }
1876 
1877                 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
1878                 {
1879                     MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
1880                     return( ret );
1881                 }
1882 
1883                 return( MBEDTLS_ERR_SSL_WANT_READ );
1884             }
1885 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
1886             else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
1887                      ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
1888             {
1889                 if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
1890                 {
1891                     MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
1892                                            ret );
1893                     return( ret );
1894                 }
1895 
1896                 return( MBEDTLS_ERR_SSL_WANT_READ );
1897             }
1898 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
1899         }
1900 
1901         if( ret < 0 )
1902             return( ret );
1903 
1904         ssl->in_left = ret;
1905     }
1906     else
1907 #endif
1908     {
1909         MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
1910                                     ", nb_want: %" MBEDTLS_PRINTF_SIZET,
1911                        ssl->in_left, nb_want ) );
1912 
1913         while( ssl->in_left < nb_want )
1914         {
1915             len = nb_want - ssl->in_left;
1916 
1917             if( mbedtls_ssl_check_timer( ssl ) != 0 )
1918                 ret = MBEDTLS_ERR_SSL_TIMEOUT;
1919             else
1920             {
1921                 if( ssl->f_recv_timeout != NULL )
1922                 {
1923                     ret = ssl->f_recv_timeout( ssl->p_bio,
1924                                                ssl->in_hdr + ssl->in_left, len,
1925                                                ssl->conf->read_timeout );
1926                 }
1927                 else
1928                 {
1929                     ret = ssl->f_recv( ssl->p_bio,
1930                                        ssl->in_hdr + ssl->in_left, len );
1931                 }
1932             }
1933 
1934             MBEDTLS_SSL_DEBUG_MSG( 2, ( "in_left: %" MBEDTLS_PRINTF_SIZET
1935                                         ", nb_want: %" MBEDTLS_PRINTF_SIZET,
1936                                         ssl->in_left, nb_want ) );
1937             MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_recv(_timeout)", ret );
1938 
1939             if( ret == 0 )
1940                 return( MBEDTLS_ERR_SSL_CONN_EOF );
1941 
1942             if( ret < 0 )
1943                 return( ret );
1944 
1945             if ( (size_t)ret > len || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
1946             {
1947                 MBEDTLS_SSL_DEBUG_MSG( 1,
1948                     ( "f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " were requested",
1949                     ret, len ) );
1950                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
1951             }
1952 
1953             ssl->in_left += ret;
1954         }
1955     }
1956 
1957     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= fetch input" ) );
1958 
1959     return( 0 );
1960 }
1961 
1962 /*
1963  * Flush any data not yet written
1964  */
mbedtls_ssl_flush_output(mbedtls_ssl_context * ssl)1965 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl )
1966 {
1967     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1968     unsigned char *buf;
1969 
1970     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> flush output" ) );
1971 
1972     if( ssl->f_send == NULL )
1973     {
1974         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() "
1975                             "or mbedtls_ssl_set_bio()" ) );
1976         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
1977     }
1978 
1979     /* Avoid incrementing counter if data is flushed */
1980     if( ssl->out_left == 0 )
1981     {
1982         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
1983         return( 0 );
1984     }
1985 
1986     while( ssl->out_left > 0 )
1987     {
1988         MBEDTLS_SSL_DEBUG_MSG( 2, ( "message length: %" MBEDTLS_PRINTF_SIZET
1989                                     ", out_left: %" MBEDTLS_PRINTF_SIZET,
1990                        mbedtls_ssl_out_hdr_len( ssl ) + ssl->out_msglen, ssl->out_left ) );
1991 
1992         buf = ssl->out_hdr - ssl->out_left;
1993         ret = ssl->f_send( ssl->p_bio, buf, ssl->out_left );
1994 
1995         MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", ret );
1996 
1997         if( ret <= 0 )
1998             return( ret );
1999 
2000         if( (size_t)ret > ssl->out_left || ( INT_MAX > SIZE_MAX && ret > (int)SIZE_MAX ) )
2001         {
2002             MBEDTLS_SSL_DEBUG_MSG( 1,
2003                 ( "f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET " bytes were sent",
2004                 ret, ssl->out_left ) );
2005             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2006         }
2007 
2008         ssl->out_left -= ret;
2009     }
2010 
2011 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2012     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2013     {
2014         ssl->out_hdr = ssl->out_buf;
2015     }
2016     else
2017 #endif
2018     {
2019         ssl->out_hdr = ssl->out_buf + 8;
2020     }
2021     mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
2022 
2023     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= flush output" ) );
2024 
2025     return( 0 );
2026 }
2027 
2028 /*
2029  * Functions to handle the DTLS retransmission state machine
2030  */
2031 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2032 /*
2033  * Append current handshake message to current outgoing flight
2034  */
ssl_flight_append(mbedtls_ssl_context * ssl)2035 static int ssl_flight_append( mbedtls_ssl_context *ssl )
2036 {
2037     mbedtls_ssl_flight_item *msg;
2038     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_flight_append" ) );
2039     MBEDTLS_SSL_DEBUG_BUF( 4, "message appended to flight",
2040                            ssl->out_msg, ssl->out_msglen );
2041 
2042     /* Allocate space for current message */
2043     if( ( msg = mbedtls_calloc( 1, sizeof(  mbedtls_ssl_flight_item ) ) ) == NULL )
2044     {
2045         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
2046                             sizeof( mbedtls_ssl_flight_item ) ) );
2047         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2048     }
2049 
2050     if( ( msg->p = mbedtls_calloc( 1, ssl->out_msglen ) ) == NULL )
2051     {
2052         MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc %" MBEDTLS_PRINTF_SIZET " bytes failed",
2053                                     ssl->out_msglen ) );
2054         mbedtls_free( msg );
2055         return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2056     }
2057 
2058     /* Copy current handshake message with headers */
2059     memcpy( msg->p, ssl->out_msg, ssl->out_msglen );
2060     msg->len = ssl->out_msglen;
2061     msg->type = ssl->out_msgtype;
2062     msg->next = NULL;
2063 
2064     /* Append to the current flight */
2065     if( ssl->handshake->flight == NULL )
2066         ssl->handshake->flight = msg;
2067     else
2068     {
2069         mbedtls_ssl_flight_item *cur = ssl->handshake->flight;
2070         while( cur->next != NULL )
2071             cur = cur->next;
2072         cur->next = msg;
2073     }
2074 
2075     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_flight_append" ) );
2076     return( 0 );
2077 }
2078 
2079 /*
2080  * Free the current flight of handshake messages
2081  */
mbedtls_ssl_flight_free(mbedtls_ssl_flight_item * flight)2082 void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight )
2083 {
2084     mbedtls_ssl_flight_item *cur = flight;
2085     mbedtls_ssl_flight_item *next;
2086 
2087     while( cur != NULL )
2088     {
2089         next = cur->next;
2090 
2091         mbedtls_free( cur->p );
2092         mbedtls_free( cur );
2093 
2094         cur = next;
2095     }
2096 }
2097 
2098 /*
2099  * Swap transform_out and out_ctr with the alternative ones
2100  */
ssl_swap_epochs(mbedtls_ssl_context * ssl)2101 static int ssl_swap_epochs( mbedtls_ssl_context *ssl )
2102 {
2103     mbedtls_ssl_transform *tmp_transform;
2104     unsigned char tmp_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN];
2105 
2106     if( ssl->transform_out == ssl->handshake->alt_transform_out )
2107     {
2108         MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip swap epochs" ) );
2109         return( 0 );
2110     }
2111 
2112     MBEDTLS_SSL_DEBUG_MSG( 3, ( "swap epochs" ) );
2113 
2114     /* Swap transforms */
2115     tmp_transform                     = ssl->transform_out;
2116     ssl->transform_out                = ssl->handshake->alt_transform_out;
2117     ssl->handshake->alt_transform_out = tmp_transform;
2118 
2119     /* Swap epoch + sequence_number */
2120     memcpy( tmp_out_ctr, ssl->cur_out_ctr, sizeof( tmp_out_ctr ) );
2121     memcpy( ssl->cur_out_ctr, ssl->handshake->alt_out_ctr,
2122             sizeof( ssl->cur_out_ctr ) );
2123     memcpy( ssl->handshake->alt_out_ctr, tmp_out_ctr,
2124             sizeof( ssl->handshake->alt_out_ctr ) );
2125 
2126     /* Adjust to the newly activated transform */
2127     mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
2128 
2129     return( 0 );
2130 }
2131 
2132 /*
2133  * Retransmit the current flight of messages.
2134  */
mbedtls_ssl_resend(mbedtls_ssl_context * ssl)2135 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl )
2136 {
2137     int ret = 0;
2138 
2139     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_resend" ) );
2140 
2141     ret = mbedtls_ssl_flight_transmit( ssl );
2142 
2143     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_resend" ) );
2144 
2145     return( ret );
2146 }
2147 
2148 /*
2149  * Transmit or retransmit the current flight of messages.
2150  *
2151  * Need to remember the current message in case flush_output returns
2152  * WANT_WRITE, causing us to exit this function and come back later.
2153  * This function must be called until state is no longer SENDING.
2154  */
mbedtls_ssl_flight_transmit(mbedtls_ssl_context * ssl)2155 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
2156 {
2157     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2158     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> mbedtls_ssl_flight_transmit" ) );
2159 
2160     if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
2161     {
2162         MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );
2163 
2164         ssl->handshake->cur_msg = ssl->handshake->flight;
2165         ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
2166         ret = ssl_swap_epochs( ssl );
2167         if( ret != 0 )
2168             return( ret );
2169 
2170         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_SENDING;
2171     }
2172 
2173     while( ssl->handshake->cur_msg != NULL )
2174     {
2175         size_t max_frag_len;
2176         const mbedtls_ssl_flight_item * const cur = ssl->handshake->cur_msg;
2177 
2178         int const is_finished =
2179             ( cur->type == MBEDTLS_SSL_MSG_HANDSHAKE &&
2180               cur->p[0] == MBEDTLS_SSL_HS_FINISHED );
2181 
2182         uint8_t const force_flush = ssl->disable_datagram_packing == 1 ?
2183             SSL_FORCE_FLUSH : SSL_DONT_FORCE_FLUSH;
2184 
2185         /* Swap epochs before sending Finished: we can't do it after
2186          * sending ChangeCipherSpec, in case write returns WANT_READ.
2187          * Must be done before copying, may change out_msg pointer */
2188         if( is_finished && ssl->handshake->cur_msg_p == ( cur->p + 12 ) )
2189         {
2190             MBEDTLS_SSL_DEBUG_MSG( 2, ( "swap epochs to send finished message" ) );
2191             ret = ssl_swap_epochs( ssl );
2192             if( ret != 0 )
2193                 return( ret );
2194         }
2195 
2196         ret = ssl_get_remaining_payload_in_datagram( ssl );
2197         if( ret < 0 )
2198             return( ret );
2199         max_frag_len = (size_t) ret;
2200 
2201         /* CCS is copied as is, while HS messages may need fragmentation */
2202         if( cur->type == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2203         {
2204             if( max_frag_len == 0 )
2205             {
2206                 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2207                     return( ret );
2208 
2209                 continue;
2210             }
2211 
2212             memcpy( ssl->out_msg, cur->p, cur->len );
2213             ssl->out_msglen  = cur->len;
2214             ssl->out_msgtype = cur->type;
2215 
2216             /* Update position inside current message */
2217             ssl->handshake->cur_msg_p += cur->len;
2218         }
2219         else
2220         {
2221             const unsigned char * const p = ssl->handshake->cur_msg_p;
2222             const size_t hs_len = cur->len - 12;
2223             const size_t frag_off = p - ( cur->p + 12 );
2224             const size_t rem_len = hs_len - frag_off;
2225             size_t cur_hs_frag_len, max_hs_frag_len;
2226 
2227             if( ( max_frag_len < 12 ) || ( max_frag_len == 12 && hs_len != 0 ) )
2228             {
2229                 if( is_finished )
2230                 {
2231                     ret = ssl_swap_epochs( ssl );
2232                     if( ret != 0 )
2233                         return( ret );
2234                 }
2235 
2236                 if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2237                     return( ret );
2238 
2239                 continue;
2240             }
2241             max_hs_frag_len = max_frag_len - 12;
2242 
2243             cur_hs_frag_len = rem_len > max_hs_frag_len ?
2244                 max_hs_frag_len : rem_len;
2245 
2246             if( frag_off == 0 && cur_hs_frag_len != hs_len )
2247             {
2248                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
2249                                             (unsigned) cur_hs_frag_len,
2250                                             (unsigned) max_hs_frag_len ) );
2251             }
2252 
2253             /* Messages are stored with handshake headers as if not fragmented,
2254              * copy beginning of headers then fill fragmentation fields.
2255              * Handshake headers: type(1) len(3) seq(2) f_off(3) f_len(3) */
2256             memcpy( ssl->out_msg, cur->p, 6 );
2257 
2258             ssl->out_msg[6] = MBEDTLS_BYTE_2( frag_off );
2259             ssl->out_msg[7] = MBEDTLS_BYTE_1( frag_off );
2260             ssl->out_msg[8] = MBEDTLS_BYTE_0( frag_off );
2261 
2262             ssl->out_msg[ 9] = MBEDTLS_BYTE_2( cur_hs_frag_len );
2263             ssl->out_msg[10] = MBEDTLS_BYTE_1( cur_hs_frag_len );
2264             ssl->out_msg[11] = MBEDTLS_BYTE_0( cur_hs_frag_len );
2265 
2266             MBEDTLS_SSL_DEBUG_BUF( 3, "handshake header", ssl->out_msg, 12 );
2267 
2268             /* Copy the handshake message content and set records fields */
2269             memcpy( ssl->out_msg + 12, p, cur_hs_frag_len );
2270             ssl->out_msglen = cur_hs_frag_len + 12;
2271             ssl->out_msgtype = cur->type;
2272 
2273             /* Update position inside current message */
2274             ssl->handshake->cur_msg_p += cur_hs_frag_len;
2275         }
2276 
2277         /* If done with the current message move to the next one if any */
2278         if( ssl->handshake->cur_msg_p >= cur->p + cur->len )
2279         {
2280             if( cur->next != NULL )
2281             {
2282                 ssl->handshake->cur_msg = cur->next;
2283                 ssl->handshake->cur_msg_p = cur->next->p + 12;
2284             }
2285             else
2286             {
2287                 ssl->handshake->cur_msg = NULL;
2288                 ssl->handshake->cur_msg_p = NULL;
2289             }
2290         }
2291 
2292         /* Actually send the message out */
2293         if( ( ret = mbedtls_ssl_write_record( ssl, force_flush ) ) != 0 )
2294         {
2295             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
2296             return( ret );
2297         }
2298     }
2299 
2300     if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2301         return( ret );
2302 
2303     /* Update state and set timer */
2304     if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
2305         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2306     else
2307     {
2308         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
2309         mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
2310     }
2311 
2312     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= mbedtls_ssl_flight_transmit" ) );
2313 
2314     return( 0 );
2315 }
2316 
2317 /*
2318  * To be called when the last message of an incoming flight is received.
2319  */
mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context * ssl)2320 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl )
2321 {
2322     /* We won't need to resend that one any more */
2323     mbedtls_ssl_flight_free( ssl->handshake->flight );
2324     ssl->handshake->flight = NULL;
2325     ssl->handshake->cur_msg = NULL;
2326 
2327     /* The next incoming flight will start with this msg_seq */
2328     ssl->handshake->in_flight_start_seq = ssl->handshake->in_msg_seq;
2329 
2330     /* We don't want to remember CCS's across flight boundaries. */
2331     ssl->handshake->buffering.seen_ccs = 0;
2332 
2333     /* Clear future message buffering structure. */
2334     mbedtls_ssl_buffering_free( ssl );
2335 
2336     /* Cancel timer */
2337     mbedtls_ssl_set_timer( ssl, 0 );
2338 
2339     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2340         ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
2341     {
2342         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2343     }
2344     else
2345         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_PREPARING;
2346 }
2347 
2348 /*
2349  * To be called when the last message of an outgoing flight is send.
2350  */
mbedtls_ssl_send_flight_completed(mbedtls_ssl_context * ssl)2351 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl )
2352 {
2353     ssl_reset_retransmit_timeout( ssl );
2354     mbedtls_ssl_set_timer( ssl, ssl->handshake->retransmit_timeout );
2355 
2356     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2357         ssl->in_msg[0] == MBEDTLS_SSL_HS_FINISHED )
2358     {
2359         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_FINISHED;
2360     }
2361     else
2362         ssl->handshake->retransmit_state = MBEDTLS_SSL_RETRANS_WAITING;
2363 }
2364 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2365 
2366 /*
2367  * Handshake layer functions
2368  */
2369 
2370 /*
2371  * Write (DTLS: or queue) current handshake (including CCS) message.
2372  *
2373  *  - fill in handshake headers
2374  *  - update handshake checksum
2375  *  - DTLS: save message for resending
2376  *  - then pass to the record layer
2377  *
2378  * DTLS: except for HelloRequest, messages are only queued, and will only be
2379  * actually sent when calling flight_transmit() or resend().
2380  *
2381  * Inputs:
2382  *  - ssl->out_msglen: 4 + actual handshake message len
2383  *      (4 is the size of handshake headers for TLS)
2384  *  - ssl->out_msg[0]: the handshake type (ClientHello, ServerHello, etc)
2385  *  - ssl->out_msg + 4: the handshake message body
2386  *
2387  * Outputs, ie state before passing to flight_append() or write_record():
2388  *   - ssl->out_msglen: the length of the record contents
2389  *      (including handshake headers but excluding record headers)
2390  *   - ssl->out_msg: the record contents (handshake headers + content)
2391  */
mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context * ssl,int update_checksum)2392 int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
2393                                          int update_checksum )
2394 {
2395     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2396     const size_t hs_len = ssl->out_msglen - 4;
2397     const unsigned char hs_type = ssl->out_msg[0];
2398 
2399     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write handshake message" ) );
2400 
2401     /*
2402      * Sanity checks
2403      */
2404     if( ssl->out_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE          &&
2405         ssl->out_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
2406     {
2407         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2408         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2409     }
2410 
2411     /* Whenever we send anything different from a
2412      * HelloRequest we should be in a handshake - double check. */
2413     if( ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2414             hs_type          == MBEDTLS_SSL_HS_HELLO_REQUEST ) &&
2415         ssl->handshake == NULL )
2416     {
2417         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2418         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2419     }
2420 
2421 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2422     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2423         ssl->handshake != NULL &&
2424         ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
2425     {
2426         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2427         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2428     }
2429 #endif
2430 
2431     /* Double-check that we did not exceed the bounds
2432      * of the outgoing record buffer.
2433      * This should never fail as the various message
2434      * writing functions must obey the bounds of the
2435      * outgoing record buffer, but better be safe.
2436      *
2437      * Note: We deliberately do not check for the MTU or MFL here.
2438      */
2439     if( ssl->out_msglen > MBEDTLS_SSL_OUT_CONTENT_LEN )
2440     {
2441         MBEDTLS_SSL_DEBUG_MSG( 1, ( "Record too large: "
2442                                     "size %" MBEDTLS_PRINTF_SIZET
2443                                     ", maximum %" MBEDTLS_PRINTF_SIZET,
2444                                     ssl->out_msglen,
2445                                     (size_t) MBEDTLS_SSL_OUT_CONTENT_LEN ) );
2446         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2447     }
2448 
2449     /*
2450      * Fill handshake headers
2451      */
2452     if( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
2453     {
2454         ssl->out_msg[1] = MBEDTLS_BYTE_2( hs_len );
2455         ssl->out_msg[2] = MBEDTLS_BYTE_1( hs_len );
2456         ssl->out_msg[3] = MBEDTLS_BYTE_0( hs_len );
2457 
2458         /*
2459          * DTLS has additional fields in the Handshake layer,
2460          * between the length field and the actual payload:
2461          *      uint16 message_seq;
2462          *      uint24 fragment_offset;
2463          *      uint24 fragment_length;
2464          */
2465 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2466         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2467         {
2468             /* Make room for the additional DTLS fields */
2469             if( MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen < 8 )
2470             {
2471                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS handshake message too large: "
2472                               "size %" MBEDTLS_PRINTF_SIZET ", maximum %" MBEDTLS_PRINTF_SIZET,
2473                                hs_len,
2474                                (size_t) ( MBEDTLS_SSL_OUT_CONTENT_LEN - 12 ) ) );
2475                 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2476             }
2477 
2478             memmove( ssl->out_msg + 12, ssl->out_msg + 4, hs_len );
2479             ssl->out_msglen += 8;
2480 
2481             /* Write message_seq and update it, except for HelloRequest */
2482             if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST )
2483             {
2484                 MBEDTLS_PUT_UINT16_BE( ssl->handshake->out_msg_seq, ssl->out_msg, 4 );
2485                 ++( ssl->handshake->out_msg_seq );
2486             }
2487             else
2488             {
2489                 ssl->out_msg[4] = 0;
2490                 ssl->out_msg[5] = 0;
2491             }
2492 
2493             /* Handshake hashes are computed without fragmentation,
2494              * so set frag_offset = 0 and frag_len = hs_len for now */
2495             memset( ssl->out_msg + 6, 0x00, 3 );
2496             memcpy( ssl->out_msg + 9, ssl->out_msg + 1, 3 );
2497         }
2498 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2499 
2500         /* Update running hashes of handshake messages seen */
2501         if( hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST && update_checksum != 0 )
2502             ssl->handshake->update_checksum( ssl, ssl->out_msg, ssl->out_msglen );
2503     }
2504 
2505     /* Either send now, or just save to be sent (and resent) later */
2506 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2507     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2508         ! ( ssl->out_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
2509             hs_type          == MBEDTLS_SSL_HS_HELLO_REQUEST ) )
2510     {
2511         if( ( ret = ssl_flight_append( ssl ) ) != 0 )
2512         {
2513             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_flight_append", ret );
2514             return( ret );
2515         }
2516     }
2517     else
2518 #endif
2519     {
2520         if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
2521         {
2522             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_write_record", ret );
2523             return( ret );
2524         }
2525     }
2526 
2527     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write handshake message" ) );
2528 
2529     return( 0 );
2530 }
2531 
2532 /*
2533  * Record layer functions
2534  */
2535 
2536 /*
2537  * Write current record.
2538  *
2539  * Uses:
2540  *  - ssl->out_msgtype: type of the message (AppData, Handshake, Alert, CCS)
2541  *  - ssl->out_msglen: length of the record content (excl headers)
2542  *  - ssl->out_msg: record content
2543  */
mbedtls_ssl_write_record(mbedtls_ssl_context * ssl,uint8_t force_flush)2544 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
2545 {
2546     int ret, done = 0;
2547     size_t len = ssl->out_msglen;
2548     uint8_t flush = force_flush;
2549 
2550     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write record" ) );
2551 
2552     if( !done )
2553     {
2554         unsigned i;
2555         size_t protected_record_size;
2556 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
2557         size_t out_buf_len = ssl->out_buf_len;
2558 #else
2559         size_t out_buf_len = MBEDTLS_SSL_OUT_BUFFER_LEN;
2560 #endif
2561         /* Skip writing the record content type to after the encryption,
2562          * as it may change when using the CID extension. */
2563         int minor_ver = ssl->minor_ver;
2564 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
2565         /* TLS 1.3 still uses the TLS 1.2 version identifier
2566          * for backwards compatibility. */
2567         if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
2568             minor_ver = MBEDTLS_SSL_MINOR_VERSION_3;
2569 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
2570         mbedtls_ssl_write_version( ssl->major_ver, minor_ver,
2571                                    ssl->conf->transport, ssl->out_hdr + 1 );
2572 
2573         memcpy( ssl->out_ctr, ssl->cur_out_ctr, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
2574         MBEDTLS_PUT_UINT16_BE( len, ssl->out_len, 0);
2575 
2576         if( ssl->transform_out != NULL )
2577         {
2578             mbedtls_record rec;
2579 
2580             rec.buf         = ssl->out_iv;
2581             rec.buf_len     = out_buf_len - ( ssl->out_iv - ssl->out_buf );
2582             rec.data_len    = ssl->out_msglen;
2583             rec.data_offset = ssl->out_msg - rec.buf;
2584 
2585             memcpy( &rec.ctr[0], ssl->out_ctr, sizeof( rec.ctr ) );
2586             mbedtls_ssl_write_version( ssl->major_ver, minor_ver,
2587                                        ssl->conf->transport, rec.ver );
2588             rec.type = ssl->out_msgtype;
2589 
2590 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2591             /* The CID is set by mbedtls_ssl_encrypt_buf(). */
2592             rec.cid_len = 0;
2593 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2594 
2595             if( ( ret = mbedtls_ssl_encrypt_buf( ssl, ssl->transform_out, &rec,
2596                                          ssl->conf->f_rng, ssl->conf->p_rng ) ) != 0 )
2597             {
2598                 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_encrypt_buf", ret );
2599                 return( ret );
2600             }
2601 
2602             if( rec.data_offset != 0 )
2603             {
2604                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
2605                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2606             }
2607 
2608             /* Update the record content type and CID. */
2609             ssl->out_msgtype = rec.type;
2610 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID )
2611             memcpy( ssl->out_cid, rec.cid, rec.cid_len );
2612 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2613             ssl->out_msglen = len = rec.data_len;
2614             MBEDTLS_PUT_UINT16_BE( rec.data_len, ssl->out_len, 0 );
2615         }
2616 
2617         protected_record_size = len + mbedtls_ssl_out_hdr_len( ssl );
2618 
2619 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2620         /* In case of DTLS, double-check that we don't exceed
2621          * the remaining space in the datagram. */
2622         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2623         {
2624             ret = ssl_get_remaining_space_in_datagram( ssl );
2625             if( ret < 0 )
2626                 return( ret );
2627 
2628             if( protected_record_size > (size_t) ret )
2629             {
2630                 /* Should never happen */
2631                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2632             }
2633         }
2634 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2635 
2636         /* Now write the potentially updated record content type. */
2637         ssl->out_hdr[0] = (unsigned char) ssl->out_msgtype;
2638 
2639         MBEDTLS_SSL_DEBUG_MSG( 3, ( "output record: msgtype = %u, "
2640                                     "version = [%u:%u], msglen = %" MBEDTLS_PRINTF_SIZET,
2641                                     ssl->out_hdr[0], ssl->out_hdr[1],
2642                                     ssl->out_hdr[2], len ) );
2643 
2644         MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
2645                                ssl->out_hdr, protected_record_size );
2646 
2647         ssl->out_left += protected_record_size;
2648         ssl->out_hdr  += protected_record_size;
2649         mbedtls_ssl_update_out_pointers( ssl, ssl->transform_out );
2650 
2651         for( i = 8; i > mbedtls_ssl_ep_len( ssl ); i-- )
2652             if( ++ssl->cur_out_ctr[i - 1] != 0 )
2653                 break;
2654 
2655         /* The loop goes to its end iff the counter is wrapping */
2656         if( i == mbedtls_ssl_ep_len( ssl ) )
2657         {
2658             MBEDTLS_SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
2659             return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
2660         }
2661     }
2662 
2663 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2664     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2665         flush == SSL_DONT_FORCE_FLUSH )
2666     {
2667         size_t remaining;
2668         ret = ssl_get_remaining_payload_in_datagram( ssl );
2669         if( ret < 0 )
2670         {
2671             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_remaining_payload_in_datagram",
2672                                    ret );
2673             return( ret );
2674         }
2675 
2676         remaining = (size_t) ret;
2677         if( remaining == 0 )
2678         {
2679             flush = SSL_FORCE_FLUSH;
2680         }
2681         else
2682         {
2683             MBEDTLS_SSL_DEBUG_MSG( 2, ( "Still %u bytes available in current datagram", (unsigned) remaining ) );
2684         }
2685     }
2686 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2687 
2688     if( ( flush == SSL_FORCE_FLUSH ) &&
2689         ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
2690     {
2691         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
2692         return( ret );
2693     }
2694 
2695     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write record" ) );
2696 
2697     return( 0 );
2698 }
2699 
2700 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2701 
ssl_hs_is_proper_fragment(mbedtls_ssl_context * ssl)2702 static int ssl_hs_is_proper_fragment( mbedtls_ssl_context *ssl )
2703 {
2704     if( ssl->in_msglen < ssl->in_hslen ||
2705         memcmp( ssl->in_msg + 6, "\0\0\0",        3 ) != 0 ||
2706         memcmp( ssl->in_msg + 9, ssl->in_msg + 1, 3 ) != 0 )
2707     {
2708         return( 1 );
2709     }
2710     return( 0 );
2711 }
2712 
ssl_get_hs_frag_len(mbedtls_ssl_context const * ssl)2713 static uint32_t ssl_get_hs_frag_len( mbedtls_ssl_context const *ssl )
2714 {
2715     return( ( ssl->in_msg[9] << 16  ) |
2716             ( ssl->in_msg[10] << 8  ) |
2717               ssl->in_msg[11] );
2718 }
2719 
ssl_get_hs_frag_off(mbedtls_ssl_context const * ssl)2720 static uint32_t ssl_get_hs_frag_off( mbedtls_ssl_context const *ssl )
2721 {
2722     return( ( ssl->in_msg[6] << 16 ) |
2723             ( ssl->in_msg[7] << 8  ) |
2724               ssl->in_msg[8] );
2725 }
2726 
ssl_check_hs_header(mbedtls_ssl_context const * ssl)2727 static int ssl_check_hs_header( mbedtls_ssl_context const *ssl )
2728 {
2729     uint32_t msg_len, frag_off, frag_len;
2730 
2731     msg_len  = ssl_get_hs_total_len( ssl );
2732     frag_off = ssl_get_hs_frag_off( ssl );
2733     frag_len = ssl_get_hs_frag_len( ssl );
2734 
2735     if( frag_off > msg_len )
2736         return( -1 );
2737 
2738     if( frag_len > msg_len - frag_off )
2739         return( -1 );
2740 
2741     if( frag_len + 12 > ssl->in_msglen )
2742         return( -1 );
2743 
2744     return( 0 );
2745 }
2746 
2747 /*
2748  * Mark bits in bitmask (used for DTLS HS reassembly)
2749  */
ssl_bitmask_set(unsigned char * mask,size_t offset,size_t len)2750 static void ssl_bitmask_set( unsigned char *mask, size_t offset, size_t len )
2751 {
2752     unsigned int start_bits, end_bits;
2753 
2754     start_bits = 8 - ( offset % 8 );
2755     if( start_bits != 8 )
2756     {
2757         size_t first_byte_idx = offset / 8;
2758 
2759         /* Special case */
2760         if( len <= start_bits )
2761         {
2762             for( ; len != 0; len-- )
2763                 mask[first_byte_idx] |= 1 << ( start_bits - len );
2764 
2765             /* Avoid potential issues with offset or len becoming invalid */
2766             return;
2767         }
2768 
2769         offset += start_bits; /* Now offset % 8 == 0 */
2770         len -= start_bits;
2771 
2772         for( ; start_bits != 0; start_bits-- )
2773             mask[first_byte_idx] |= 1 << ( start_bits - 1 );
2774     }
2775 
2776     end_bits = len % 8;
2777     if( end_bits != 0 )
2778     {
2779         size_t last_byte_idx = ( offset + len ) / 8;
2780 
2781         len -= end_bits; /* Now len % 8 == 0 */
2782 
2783         for( ; end_bits != 0; end_bits-- )
2784             mask[last_byte_idx] |= 1 << ( 8 - end_bits );
2785     }
2786 
2787     memset( mask + offset / 8, 0xFF, len / 8 );
2788 }
2789 
2790 /*
2791  * Check that bitmask is full
2792  */
ssl_bitmask_check(unsigned char * mask,size_t len)2793 static int ssl_bitmask_check( unsigned char *mask, size_t len )
2794 {
2795     size_t i;
2796 
2797     for( i = 0; i < len / 8; i++ )
2798         if( mask[i] != 0xFF )
2799             return( -1 );
2800 
2801     for( i = 0; i < len % 8; i++ )
2802         if( ( mask[len / 8] & ( 1 << ( 7 - i ) ) ) == 0 )
2803             return( -1 );
2804 
2805     return( 0 );
2806 }
2807 
2808 /* msg_len does not include the handshake header */
ssl_get_reassembly_buffer_size(size_t msg_len,unsigned add_bitmap)2809 static size_t ssl_get_reassembly_buffer_size( size_t msg_len,
2810                                               unsigned add_bitmap )
2811 {
2812     size_t alloc_len;
2813 
2814     alloc_len  = 12;                                 /* Handshake header */
2815     alloc_len += msg_len;                            /* Content buffer   */
2816 
2817     if( add_bitmap )
2818         alloc_len += msg_len / 8 + ( msg_len % 8 != 0 ); /* Bitmap       */
2819 
2820     return( alloc_len );
2821 }
2822 
2823 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2824 
ssl_get_hs_total_len(mbedtls_ssl_context const * ssl)2825 static uint32_t ssl_get_hs_total_len( mbedtls_ssl_context const *ssl )
2826 {
2827     return( ( ssl->in_msg[1] << 16 ) |
2828             ( ssl->in_msg[2] << 8  ) |
2829               ssl->in_msg[3] );
2830 }
2831 
mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context * ssl)2832 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl )
2833 {
2834     if( ssl->in_msglen < mbedtls_ssl_hs_hdr_len( ssl ) )
2835     {
2836         MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake message too short: %" MBEDTLS_PRINTF_SIZET,
2837                             ssl->in_msglen ) );
2838         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2839     }
2840 
2841     ssl->in_hslen = mbedtls_ssl_hs_hdr_len( ssl ) + ssl_get_hs_total_len( ssl );
2842 
2843     MBEDTLS_SSL_DEBUG_MSG( 3, ( "handshake message: msglen ="
2844                         " %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" MBEDTLS_PRINTF_SIZET,
2845                         ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen ) );
2846 
2847 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2848     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
2849     {
2850         int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2851         unsigned int recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
2852 
2853         if( ssl_check_hs_header( ssl ) != 0 )
2854         {
2855             MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid handshake header" ) );
2856             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
2857         }
2858 
2859         if( ssl->handshake != NULL &&
2860             ( ( ssl->state   != MBEDTLS_SSL_HANDSHAKE_OVER &&
2861                 recv_msg_seq != ssl->handshake->in_msg_seq ) ||
2862               ( ssl->state  == MBEDTLS_SSL_HANDSHAKE_OVER &&
2863                 ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO ) ) )
2864         {
2865             if( recv_msg_seq > ssl->handshake->in_msg_seq )
2866             {
2867                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received future handshake message of sequence number %u (next %u)",
2868                                             recv_msg_seq,
2869                                             ssl->handshake->in_msg_seq ) );
2870                 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
2871             }
2872 
2873             /* Retransmit only on last message from previous flight, to avoid
2874              * too many retransmissions.
2875              * Besides, No sane server ever retransmits HelloVerifyRequest */
2876             if( recv_msg_seq == ssl->handshake->in_flight_start_seq - 1 &&
2877                 ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST )
2878             {
2879                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "received message from last flight, "
2880                                     "message_seq = %u, start_of_flight = %u",
2881                                     recv_msg_seq,
2882                                     ssl->handshake->in_flight_start_seq ) );
2883 
2884                 if( ( ret = mbedtls_ssl_resend( ssl ) ) != 0 )
2885                 {
2886                     MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend", ret );
2887                     return( ret );
2888                 }
2889             }
2890             else
2891             {
2892                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "dropping out-of-sequence message: "
2893                                     "message_seq = %u, expected = %u",
2894                                     recv_msg_seq,
2895                                     ssl->handshake->in_msg_seq ) );
2896             }
2897 
2898             return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
2899         }
2900         /* Wait until message completion to increment in_msg_seq */
2901 
2902         /* Message reassembly is handled alongside buffering of future
2903          * messages; the commonality is that both handshake fragments and
2904          * future messages cannot be forwarded immediately to the
2905          * handshake logic layer. */
2906         if( ssl_hs_is_proper_fragment( ssl ) == 1 )
2907         {
2908             MBEDTLS_SSL_DEBUG_MSG( 2, ( "found fragmented DTLS handshake message" ) );
2909             return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
2910         }
2911     }
2912     else
2913 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2914     /* With TLS we don't handle fragmentation (for now) */
2915     if( ssl->in_msglen < ssl->in_hslen )
2916     {
2917         MBEDTLS_SSL_DEBUG_MSG( 1, ( "TLS handshake fragmentation not supported" ) );
2918         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
2919     }
2920 
2921     return( 0 );
2922 }
2923 
mbedtls_ssl_update_handshake_status(mbedtls_ssl_context * ssl)2924 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl )
2925 {
2926     mbedtls_ssl_handshake_params * const hs = ssl->handshake;
2927 
2928     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER && hs != NULL )
2929     {
2930         ssl->handshake->update_checksum( ssl, ssl->in_msg, ssl->in_hslen );
2931     }
2932 
2933     /* Handshake message is complete, increment counter */
2934 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2935     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
2936         ssl->handshake != NULL )
2937     {
2938         unsigned offset;
2939         mbedtls_ssl_hs_buffer *hs_buf;
2940 
2941         /* Increment handshake sequence number */
2942         hs->in_msg_seq++;
2943 
2944         /*
2945          * Clear up handshake buffering and reassembly structure.
2946          */
2947 
2948         /* Free first entry */
2949         ssl_buffering_free_slot( ssl, 0 );
2950 
2951         /* Shift all other entries */
2952         for( offset = 0, hs_buf = &hs->buffering.hs[0];
2953              offset + 1 < MBEDTLS_SSL_MAX_BUFFERED_HS;
2954              offset++, hs_buf++ )
2955         {
2956             *hs_buf = *(hs_buf + 1);
2957         }
2958 
2959         /* Create a fresh last entry */
2960         memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
2961     }
2962 #endif
2963 }
2964 
2965 /*
2966  * DTLS anti-replay: RFC 6347 4.1.2.6
2967  *
2968  * in_window is a field of bits numbered from 0 (lsb) to 63 (msb).
2969  * Bit n is set iff record number in_window_top - n has been seen.
2970  *
2971  * Usually, in_window_top is the last record number seen and the lsb of
2972  * in_window is set. The only exception is the initial state (record number 0
2973  * not seen yet).
2974  */
2975 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context * ssl)2976 void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl )
2977 {
2978     ssl->in_window_top = 0;
2979     ssl->in_window = 0;
2980 }
2981 
ssl_load_six_bytes(unsigned char * buf)2982 static inline uint64_t ssl_load_six_bytes( unsigned char *buf )
2983 {
2984     return( ( (uint64_t) buf[0] << 40 ) |
2985             ( (uint64_t) buf[1] << 32 ) |
2986             ( (uint64_t) buf[2] << 24 ) |
2987             ( (uint64_t) buf[3] << 16 ) |
2988             ( (uint64_t) buf[4] <<  8 ) |
2989             ( (uint64_t) buf[5]       ) );
2990 }
2991 
mbedtls_ssl_dtls_record_replay_check(mbedtls_ssl_context * ssl,uint8_t * record_in_ctr)2992 static int mbedtls_ssl_dtls_record_replay_check( mbedtls_ssl_context *ssl, uint8_t *record_in_ctr )
2993 {
2994     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
2995     unsigned char *original_in_ctr;
2996 
2997     // save original in_ctr
2998     original_in_ctr = ssl->in_ctr;
2999 
3000     // use counter from record
3001     ssl->in_ctr = record_in_ctr;
3002 
3003     ret = mbedtls_ssl_dtls_replay_check( (mbedtls_ssl_context const *) ssl );
3004 
3005     // restore the counter
3006     ssl->in_ctr = original_in_ctr;
3007 
3008     return ret;
3009 }
3010 
3011 /*
3012  * Return 0 if sequence number is acceptable, -1 otherwise
3013  */
mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const * ssl)3014 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl )
3015 {
3016     uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3017     uint64_t bit;
3018 
3019     if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3020         return( 0 );
3021 
3022     if( rec_seqnum > ssl->in_window_top )
3023         return( 0 );
3024 
3025     bit = ssl->in_window_top - rec_seqnum;
3026 
3027     if( bit >= 64 )
3028         return( -1 );
3029 
3030     if( ( ssl->in_window & ( (uint64_t) 1 << bit ) ) != 0 )
3031         return( -1 );
3032 
3033     return( 0 );
3034 }
3035 
3036 /*
3037  * Update replay window on new validated record
3038  */
mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context * ssl)3039 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl )
3040 {
3041     uint64_t rec_seqnum = ssl_load_six_bytes( ssl->in_ctr + 2 );
3042 
3043     if( ssl->conf->anti_replay == MBEDTLS_SSL_ANTI_REPLAY_DISABLED )
3044         return;
3045 
3046     if( rec_seqnum > ssl->in_window_top )
3047     {
3048         /* Update window_top and the contents of the window */
3049         uint64_t shift = rec_seqnum - ssl->in_window_top;
3050 
3051         if( shift >= 64 )
3052             ssl->in_window = 1;
3053         else
3054         {
3055             ssl->in_window <<= shift;
3056             ssl->in_window |= 1;
3057         }
3058 
3059         ssl->in_window_top = rec_seqnum;
3060     }
3061     else
3062     {
3063         /* Mark that number as seen in the current window */
3064         uint64_t bit = ssl->in_window_top - rec_seqnum;
3065 
3066         if( bit < 64 ) /* Always true, but be extra sure */
3067             ssl->in_window |= (uint64_t) 1 << bit;
3068     }
3069 }
3070 #endif /* MBEDTLS_SSL_DTLS_ANTI_REPLAY */
3071 
3072 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
3073 /*
3074  * Without any SSL context, check if a datagram looks like a ClientHello with
3075  * a valid cookie, and if it doesn't, generate a HelloVerifyRequest message.
3076  * Both input and output include full DTLS headers.
3077  *
3078  * - if cookie is valid, return 0
3079  * - if ClientHello looks superficially valid but cookie is not,
3080  *   fill obuf and set olen, then
3081  *   return MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED
3082  * - otherwise return a specific error code
3083  */
ssl_check_dtls_clihlo_cookie(mbedtls_ssl_cookie_write_t * f_cookie_write,mbedtls_ssl_cookie_check_t * f_cookie_check,void * p_cookie,const unsigned char * cli_id,size_t cli_id_len,const unsigned char * in,size_t in_len,unsigned char * obuf,size_t buf_len,size_t * olen)3084 static int ssl_check_dtls_clihlo_cookie(
3085                            mbedtls_ssl_cookie_write_t *f_cookie_write,
3086                            mbedtls_ssl_cookie_check_t *f_cookie_check,
3087                            void *p_cookie,
3088                            const unsigned char *cli_id, size_t cli_id_len,
3089                            const unsigned char *in, size_t in_len,
3090                            unsigned char *obuf, size_t buf_len, size_t *olen )
3091 {
3092     size_t sid_len, cookie_len;
3093     unsigned char *p;
3094 
3095     /*
3096      * Structure of ClientHello with record and handshake headers,
3097      * and expected values. We don't need to check a lot, more checks will be
3098      * done when actually parsing the ClientHello - skipping those checks
3099      * avoids code duplication and does not make cookie forging any easier.
3100      *
3101      *  0-0  ContentType type;                  copied, must be handshake
3102      *  1-2  ProtocolVersion version;           copied
3103      *  3-4  uint16 epoch;                      copied, must be 0
3104      *  5-10 uint48 sequence_number;            copied
3105      * 11-12 uint16 length;                     (ignored)
3106      *
3107      * 13-13 HandshakeType msg_type;            (ignored)
3108      * 14-16 uint24 length;                     (ignored)
3109      * 17-18 uint16 message_seq;                copied
3110      * 19-21 uint24 fragment_offset;            copied, must be 0
3111      * 22-24 uint24 fragment_length;            (ignored)
3112      *
3113      * 25-26 ProtocolVersion client_version;    (ignored)
3114      * 27-58 Random random;                     (ignored)
3115      * 59-xx SessionID session_id;              1 byte len + sid_len content
3116      * 60+   opaque cookie<0..2^8-1>;           1 byte len + content
3117      *       ...
3118      *
3119      * Minimum length is 61 bytes.
3120      */
3121     if( in_len < 61 ||
3122         in[0] != MBEDTLS_SSL_MSG_HANDSHAKE ||
3123         in[3] != 0 || in[4] != 0 ||
3124         in[19] != 0 || in[20] != 0 || in[21] != 0 )
3125     {
3126         return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3127     }
3128 
3129     sid_len = in[59];
3130     if( sid_len > in_len - 61 )
3131         return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3132 
3133     cookie_len = in[60 + sid_len];
3134     if( cookie_len > in_len - 60 )
3135         return( MBEDTLS_ERR_SSL_DECODE_ERROR );
3136 
3137     if( f_cookie_check( p_cookie, in + sid_len + 61, cookie_len,
3138                         cli_id, cli_id_len ) == 0 )
3139     {
3140         /* Valid cookie */
3141         return( 0 );
3142     }
3143 
3144     /*
3145      * If we get here, we've got an invalid cookie, let's prepare HVR.
3146      *
3147      *  0-0  ContentType type;                  copied
3148      *  1-2  ProtocolVersion version;           copied
3149      *  3-4  uint16 epoch;                      copied
3150      *  5-10 uint48 sequence_number;            copied
3151      * 11-12 uint16 length;                     olen - 13
3152      *
3153      * 13-13 HandshakeType msg_type;            hello_verify_request
3154      * 14-16 uint24 length;                     olen - 25
3155      * 17-18 uint16 message_seq;                copied
3156      * 19-21 uint24 fragment_offset;            copied
3157      * 22-24 uint24 fragment_length;            olen - 25
3158      *
3159      * 25-26 ProtocolVersion server_version;    0xfe 0xff
3160      * 27-27 opaque cookie<0..2^8-1>;           cookie_len = olen - 27, cookie
3161      *
3162      * Minimum length is 28.
3163      */
3164     if( buf_len < 28 )
3165         return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
3166 
3167     /* Copy most fields and adapt others */
3168     memcpy( obuf, in, 25 );
3169     obuf[13] = MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST;
3170     obuf[25] = 0xfe;
3171     obuf[26] = 0xff;
3172 
3173     /* Generate and write actual cookie */
3174     p = obuf + 28;
3175     if( f_cookie_write( p_cookie,
3176                         &p, obuf + buf_len, cli_id, cli_id_len ) != 0 )
3177     {
3178         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3179     }
3180 
3181     *olen = p - obuf;
3182 
3183     /* Go back and fill length fields */
3184     obuf[27] = (unsigned char)( *olen - 28 );
3185 
3186     obuf[14] = obuf[22] = MBEDTLS_BYTE_2( *olen - 25 );
3187     obuf[15] = obuf[23] = MBEDTLS_BYTE_1( *olen - 25 );
3188     obuf[16] = obuf[24] = MBEDTLS_BYTE_0( *olen - 25 );
3189 
3190     MBEDTLS_PUT_UINT16_BE( *olen - 13, obuf, 11 );
3191 
3192     return( MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED );
3193 }
3194 
3195 /*
3196  * Handle possible client reconnect with the same UDP quadruplet
3197  * (RFC 6347 Section 4.2.8).
3198  *
3199  * Called by ssl_parse_record_header() in case we receive an epoch 0 record
3200  * that looks like a ClientHello.
3201  *
3202  * - if the input looks like a ClientHello without cookies,
3203  *   send back HelloVerifyRequest, then return 0
3204  * - if the input looks like a ClientHello with a valid cookie,
3205  *   reset the session of the current context, and
3206  *   return MBEDTLS_ERR_SSL_CLIENT_RECONNECT
3207  * - if anything goes wrong, return a specific error code
3208  *
3209  * This function is called (through ssl_check_client_reconnect()) when an
3210  * unexpected record is found in ssl_get_next_record(), which will discard the
3211  * record if we return 0, and bubble up the return value otherwise (this
3212  * includes the case of MBEDTLS_ERR_SSL_CLIENT_RECONNECT and of unexpected
3213  * errors, and is the right thing to do in both cases).
3214  */
ssl_handle_possible_reconnect(mbedtls_ssl_context * ssl)3215 static int ssl_handle_possible_reconnect( mbedtls_ssl_context *ssl )
3216 {
3217     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3218     size_t len;
3219 
3220     if( ssl->conf->f_cookie_write == NULL ||
3221         ssl->conf->f_cookie_check == NULL )
3222     {
3223         /* If we can't use cookies to verify reachability of the peer,
3224          * drop the record. */
3225         MBEDTLS_SSL_DEBUG_MSG( 1, ( "no cookie callbacks, "
3226                                     "can't check reconnect validity" ) );
3227         return( 0 );
3228     }
3229 
3230     ret = ssl_check_dtls_clihlo_cookie(
3231             ssl->conf->f_cookie_write,
3232             ssl->conf->f_cookie_check,
3233             ssl->conf->p_cookie,
3234             ssl->cli_id, ssl->cli_id_len,
3235             ssl->in_buf, ssl->in_left,
3236             ssl->out_buf, MBEDTLS_SSL_OUT_CONTENT_LEN, &len );
3237 
3238     MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_dtls_clihlo_cookie", ret );
3239 
3240     if( ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED )
3241     {
3242         int send_ret;
3243         MBEDTLS_SSL_DEBUG_MSG( 1, ( "sending HelloVerifyRequest" ) );
3244         MBEDTLS_SSL_DEBUG_BUF( 4, "output record sent to network",
3245                                   ssl->out_buf, len );
3246         /* Don't check write errors as we can't do anything here.
3247          * If the error is permanent we'll catch it later,
3248          * if it's not, then hopefully it'll work next time. */
3249         send_ret = ssl->f_send( ssl->p_bio, ssl->out_buf, len );
3250         MBEDTLS_SSL_DEBUG_RET( 2, "ssl->f_send", send_ret );
3251         (void) send_ret;
3252 
3253         return( 0 );
3254     }
3255 
3256     if( ret == 0 )
3257     {
3258         MBEDTLS_SSL_DEBUG_MSG( 1, ( "cookie is valid, resetting context" ) );
3259         if( ( ret = mbedtls_ssl_session_reset_int( ssl, 1 ) ) != 0 )
3260         {
3261             MBEDTLS_SSL_DEBUG_RET( 1, "reset", ret );
3262             return( ret );
3263         }
3264 
3265         return( MBEDTLS_ERR_SSL_CLIENT_RECONNECT );
3266     }
3267 
3268     return( ret );
3269 }
3270 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3271 
ssl_check_record_type(uint8_t record_type)3272 static int ssl_check_record_type( uint8_t record_type )
3273 {
3274     if( record_type != MBEDTLS_SSL_MSG_HANDSHAKE &&
3275         record_type != MBEDTLS_SSL_MSG_ALERT &&
3276         record_type != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC &&
3277         record_type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3278     {
3279         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3280     }
3281 
3282     return( 0 );
3283 }
3284 
3285 /*
3286  * ContentType type;
3287  * ProtocolVersion version;
3288  * uint16 epoch;            // DTLS only
3289  * uint48 sequence_number;  // DTLS only
3290  * uint16 length;
3291  *
3292  * Return 0 if header looks sane (and, for DTLS, the record is expected)
3293  * MBEDTLS_ERR_SSL_INVALID_RECORD if the header looks bad,
3294  * MBEDTLS_ERR_SSL_UNEXPECTED_RECORD (DTLS only) if sane but unexpected.
3295  *
3296  * With DTLS, mbedtls_ssl_read_record() will:
3297  * 1. proceed with the record if this function returns 0
3298  * 2. drop only the current record if this function returns UNEXPECTED_RECORD
3299  * 3. return CLIENT_RECONNECT if this function return that value
3300  * 4. drop the whole datagram if this function returns anything else.
3301  * Point 2 is needed when the peer is resending, and we have already received
3302  * the first record from a datagram but are still waiting for the others.
3303  */
ssl_parse_record_header(mbedtls_ssl_context const * ssl,unsigned char * buf,size_t len,mbedtls_record * rec)3304 static int ssl_parse_record_header( mbedtls_ssl_context const *ssl,
3305                                     unsigned char *buf,
3306                                     size_t len,
3307                                     mbedtls_record *rec )
3308 {
3309     int major_ver, minor_ver;
3310 
3311     size_t const rec_hdr_type_offset    = 0;
3312     size_t const rec_hdr_type_len       = 1;
3313 
3314     size_t const rec_hdr_version_offset = rec_hdr_type_offset +
3315                                           rec_hdr_type_len;
3316     size_t const rec_hdr_version_len    = 2;
3317 
3318     size_t const rec_hdr_ctr_len        = 8;
3319 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3320     uint32_t     rec_epoch;
3321     size_t const rec_hdr_ctr_offset     = rec_hdr_version_offset +
3322                                           rec_hdr_version_len;
3323 
3324 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3325     size_t const rec_hdr_cid_offset     = rec_hdr_ctr_offset +
3326                                           rec_hdr_ctr_len;
3327     size_t       rec_hdr_cid_len        = 0;
3328 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3329 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3330 
3331     size_t       rec_hdr_len_offset; /* To be determined */
3332     size_t const rec_hdr_len_len    = 2;
3333 
3334     /*
3335      * Check minimum lengths for record header.
3336      */
3337 
3338 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3339     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3340     {
3341         rec_hdr_len_offset = rec_hdr_ctr_offset + rec_hdr_ctr_len;
3342     }
3343     else
3344 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3345     {
3346         rec_hdr_len_offset = rec_hdr_version_offset + rec_hdr_version_len;
3347     }
3348 
3349     if( len < rec_hdr_len_offset + rec_hdr_len_len )
3350     {
3351         MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header of length %u",
3352                  (unsigned) len,
3353                  (unsigned)( rec_hdr_len_len + rec_hdr_len_len ) ) );
3354         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3355     }
3356 
3357     /*
3358      * Parse and validate record content type
3359      */
3360 
3361     rec->type = buf[ rec_hdr_type_offset ];
3362 
3363     /* Check record content type */
3364 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3365     rec->cid_len = 0;
3366 
3367     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3368         ssl->conf->cid_len != 0                                &&
3369         rec->type == MBEDTLS_SSL_MSG_CID )
3370     {
3371         /* Shift pointers to account for record header including CID
3372          * struct {
3373          *   ContentType special_type = tls12_cid;
3374          *   ProtocolVersion version;
3375          *   uint16 epoch;
3376          *   uint48 sequence_number;
3377          *   opaque cid[cid_length]; // Additional field compared to
3378          *                           // default DTLS record format
3379          *   uint16 length;
3380          *   opaque enc_content[DTLSCiphertext.length];
3381          * } DTLSCiphertext;
3382          */
3383 
3384         /* So far, we only support static CID lengths
3385          * fixed in the configuration. */
3386         rec_hdr_cid_len = ssl->conf->cid_len;
3387         rec_hdr_len_offset += rec_hdr_cid_len;
3388 
3389         if( len < rec_hdr_len_offset + rec_hdr_len_len )
3390         {
3391             MBEDTLS_SSL_DEBUG_MSG( 1, ( "datagram of length %u too small to hold DTLS record header including CID, length %u",
3392                 (unsigned) len,
3393                 (unsigned)( rec_hdr_len_offset + rec_hdr_len_len ) ) );
3394             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3395         }
3396 
3397         /* configured CID len is guaranteed at most 255, see
3398          * MBEDTLS_SSL_CID_OUT_LEN_MAX in check_config.h */
3399         rec->cid_len = (uint8_t) rec_hdr_cid_len;
3400         memcpy( rec->cid, buf + rec_hdr_cid_offset, rec_hdr_cid_len );
3401     }
3402     else
3403 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3404     {
3405         if( ssl_check_record_type( rec->type ) )
3406         {
3407             MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type %u",
3408                                         (unsigned) rec->type ) );
3409             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3410         }
3411     }
3412 
3413     /*
3414      * Parse and validate record version
3415      */
3416 
3417     rec->ver[0] = buf[ rec_hdr_version_offset + 0 ];
3418     rec->ver[1] = buf[ rec_hdr_version_offset + 1 ];
3419     mbedtls_ssl_read_version( &major_ver, &minor_ver,
3420                               ssl->conf->transport,
3421                               &rec->ver[0] );
3422 
3423     if( major_ver != ssl->major_ver )
3424     {
3425         MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
3426         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3427     }
3428 
3429     if( minor_ver > ssl->conf->max_minor_ver )
3430     {
3431         MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
3432         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3433     }
3434 
3435     /*
3436      * Parse/Copy record sequence number.
3437      */
3438 
3439 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3440     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3441     {
3442         /* Copy explicit record sequence number from input buffer. */
3443         memcpy( &rec->ctr[0], buf + rec_hdr_ctr_offset,
3444                 rec_hdr_ctr_len );
3445     }
3446     else
3447 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3448     {
3449         /* Copy implicit record sequence number from SSL context structure. */
3450         memcpy( &rec->ctr[0], ssl->in_ctr, rec_hdr_ctr_len );
3451     }
3452 
3453     /*
3454      * Parse record length.
3455      */
3456 
3457     rec->data_offset = rec_hdr_len_offset + rec_hdr_len_len;
3458     rec->data_len    = ( (size_t) buf[ rec_hdr_len_offset + 0 ] << 8 ) |
3459                        ( (size_t) buf[ rec_hdr_len_offset + 1 ] << 0 );
3460     MBEDTLS_SSL_DEBUG_BUF( 4, "input record header", buf, rec->data_offset );
3461 
3462     MBEDTLS_SSL_DEBUG_MSG( 3, ( "input record: msgtype = %u, "
3463                                 "version = [%d:%d], msglen = %" MBEDTLS_PRINTF_SIZET,
3464                                 rec->type,
3465                                 major_ver, minor_ver, rec->data_len ) );
3466 
3467     rec->buf     = buf;
3468     rec->buf_len = rec->data_offset + rec->data_len;
3469 
3470     if( rec->data_len == 0 )
3471         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3472 
3473     /*
3474      * DTLS-related tests.
3475      * Check epoch before checking length constraint because
3476      * the latter varies with the epoch. E.g., if a ChangeCipherSpec
3477      * message gets duplicated before the corresponding Finished message,
3478      * the second ChangeCipherSpec should be discarded because it belongs
3479      * to an old epoch, but not because its length is shorter than
3480      * the minimum record length for packets using the new record transform.
3481      * Note that these two kinds of failures are handled differently,
3482      * as an unexpected record is silently skipped but an invalid
3483      * record leads to the entire datagram being dropped.
3484      */
3485 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3486     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3487     {
3488         rec_epoch = ( rec->ctr[0] << 8 ) | rec->ctr[1];
3489 
3490         /* Check that the datagram is large enough to contain a record
3491          * of the advertised length. */
3492         if( len < rec->data_offset + rec->data_len )
3493         {
3494             MBEDTLS_SSL_DEBUG_MSG( 1, ( "Datagram of length %u too small to contain record of advertised length %u.",
3495                              (unsigned) len,
3496                              (unsigned)( rec->data_offset + rec->data_len ) ) );
3497             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3498         }
3499 
3500         /* Records from other, non-matching epochs are silently discarded.
3501          * (The case of same-port Client reconnects must be considered in
3502          *  the caller). */
3503         if( rec_epoch != ssl->in_epoch )
3504         {
3505             MBEDTLS_SSL_DEBUG_MSG( 1, ( "record from another epoch: "
3506                                         "expected %u, received %lu",
3507                                         ssl->in_epoch, (unsigned long) rec_epoch ) );
3508 
3509             /* Records from the next epoch are considered for buffering
3510              * (concretely: early Finished messages). */
3511             if( rec_epoch == (unsigned) ssl->in_epoch + 1 )
3512             {
3513                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Consider record for buffering" ) );
3514                 return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
3515             }
3516 
3517             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3518         }
3519 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3520         /* For records from the correct epoch, check whether their
3521          * sequence number has been seen before. */
3522         else if( mbedtls_ssl_dtls_record_replay_check( (mbedtls_ssl_context *) ssl,
3523             &rec->ctr[0] ) != 0 )
3524         {
3525             MBEDTLS_SSL_DEBUG_MSG( 1, ( "replayed record" ) );
3526             return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
3527         }
3528 #endif
3529     }
3530 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3531 
3532     return( 0 );
3533 }
3534 
3535 
3536 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
ssl_check_client_reconnect(mbedtls_ssl_context * ssl)3537 static int ssl_check_client_reconnect( mbedtls_ssl_context *ssl )
3538 {
3539     unsigned int rec_epoch = ( ssl->in_ctr[0] << 8 ) | ssl->in_ctr[1];
3540 
3541     /*
3542      * Check for an epoch 0 ClientHello. We can't use in_msg here to
3543      * access the first byte of record content (handshake type), as we
3544      * have an active transform (possibly iv_len != 0), so use the
3545      * fact that the record header len is 13 instead.
3546      */
3547     if( rec_epoch == 0 &&
3548         ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
3549         ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER &&
3550         ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3551         ssl->in_left > 13 &&
3552         ssl->in_buf[13] == MBEDTLS_SSL_HS_CLIENT_HELLO )
3553     {
3554         MBEDTLS_SSL_DEBUG_MSG( 1, ( "possible client reconnect "
3555                                     "from the same port" ) );
3556         return( ssl_handle_possible_reconnect( ssl ) );
3557     }
3558 
3559     return( 0 );
3560 }
3561 #endif /* MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE && MBEDTLS_SSL_SRV_C */
3562 
3563 /*
3564  * If applicable, decrypt record content
3565  */
ssl_prepare_record_content(mbedtls_ssl_context * ssl,mbedtls_record * rec)3566 static int ssl_prepare_record_content( mbedtls_ssl_context *ssl,
3567                                        mbedtls_record *rec )
3568 {
3569     int ret, done = 0;
3570 
3571     MBEDTLS_SSL_DEBUG_BUF( 4, "input record from network",
3572                            rec->buf, rec->buf_len );
3573 
3574     if( !done && ssl->transform_in != NULL )
3575     {
3576         unsigned char const old_msg_type = rec->type;
3577 
3578         if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
3579                                              rec ) ) != 0 )
3580         {
3581             MBEDTLS_SSL_DEBUG_RET( 1, "ssl_decrypt_buf", ret );
3582 
3583 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3584             if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_CID &&
3585                 ssl->conf->ignore_unexpected_cid
3586                     == MBEDTLS_SSL_UNEXPECTED_CID_IGNORE )
3587             {
3588                 MBEDTLS_SSL_DEBUG_MSG( 3, ( "ignoring unexpected CID" ) );
3589                 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
3590             }
3591 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3592 
3593             return( ret );
3594         }
3595 
3596         if( old_msg_type != rec->type )
3597         {
3598             MBEDTLS_SSL_DEBUG_MSG( 4, ( "record type after decrypt (before %d): %d",
3599                                         old_msg_type, rec->type ) );
3600         }
3601 
3602         MBEDTLS_SSL_DEBUG_BUF( 4, "input payload after decrypt",
3603                                rec->buf + rec->data_offset, rec->data_len );
3604 
3605 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3606         /* We have already checked the record content type
3607          * in ssl_parse_record_header(), failing or silently
3608          * dropping the record in the case of an unknown type.
3609          *
3610          * Since with the use of CIDs, the record content type
3611          * might change during decryption, re-check the record
3612          * content type, but treat a failure as fatal this time. */
3613         if( ssl_check_record_type( rec->type ) )
3614         {
3615             MBEDTLS_SSL_DEBUG_MSG( 1, ( "unknown record type" ) );
3616             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3617         }
3618 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3619 
3620         if( rec->data_len == 0 )
3621         {
3622 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
3623             if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
3624                 && rec->type != MBEDTLS_SSL_MSG_APPLICATION_DATA )
3625             {
3626                 /* TLS v1.2 explicitly disallows zero-length messages which are not application data */
3627                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid zero-length message type: %d", ssl->in_msgtype ) );
3628                 return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3629             }
3630 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3631 
3632             ssl->nb_zero++;
3633 
3634             /*
3635              * Three or more empty messages may be a DoS attack
3636              * (excessive CPU consumption).
3637              */
3638             if( ssl->nb_zero > 3 )
3639             {
3640                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "received four consecutive empty "
3641                                             "messages, possible DoS attack" ) );
3642                 /* Treat the records as if they were not properly authenticated,
3643                  * thereby failing the connection if we see more than allowed
3644                  * by the configured bad MAC threshold. */
3645                 return( MBEDTLS_ERR_SSL_INVALID_MAC );
3646             }
3647         }
3648         else
3649             ssl->nb_zero = 0;
3650 
3651 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3652         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3653         {
3654             ; /* in_ctr read from peer, not maintained internally */
3655         }
3656         else
3657 #endif
3658         {
3659             unsigned i;
3660             for( i = MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
3661                  i > mbedtls_ssl_ep_len( ssl ); i-- )
3662             {
3663                 if( ++ssl->in_ctr[i - 1] != 0 )
3664                     break;
3665             }
3666 
3667             /* The loop goes to its end iff the counter is wrapping */
3668             if( i == mbedtls_ssl_ep_len( ssl ) )
3669             {
3670                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
3671                 return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
3672             }
3673         }
3674 
3675     }
3676 
3677 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3678     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
3679     {
3680         mbedtls_ssl_dtls_replay_update( ssl );
3681     }
3682 #endif
3683 
3684     /* Check actual (decrypted) record content length against
3685      * configured maximum. */
3686     if( ssl->in_msglen > MBEDTLS_SSL_IN_CONTENT_LEN )
3687     {
3688         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
3689         return( MBEDTLS_ERR_SSL_INVALID_RECORD );
3690     }
3691 
3692     return( 0 );
3693 }
3694 
3695 /*
3696  * Read a record.
3697  *
3698  * Silently ignore non-fatal alert (and for DTLS, invalid records as well,
3699  * RFC 6347 4.1.2.7) and continue reading until a valid record is found.
3700  *
3701  */
3702 
3703 /* Helper functions for mbedtls_ssl_read_record(). */
3704 static int ssl_consume_current_message( mbedtls_ssl_context *ssl );
3705 static int ssl_get_next_record( mbedtls_ssl_context *ssl );
3706 static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl );
3707 
mbedtls_ssl_read_record(mbedtls_ssl_context * ssl,unsigned update_hs_digest)3708 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
3709                              unsigned update_hs_digest )
3710 {
3711     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
3712 
3713     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read record" ) );
3714 
3715     if( ssl->keep_current_message == 0 )
3716     {
3717         do {
3718 
3719             ret = ssl_consume_current_message( ssl );
3720             if( ret != 0 )
3721                 return( ret );
3722 
3723             if( ssl_record_is_in_progress( ssl ) == 0 )
3724             {
3725 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3726                 int have_buffered = 0;
3727 
3728                 /* We only check for buffered messages if the
3729                  * current datagram is fully consumed. */
3730                 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
3731                     ssl_next_record_is_in_datagram( ssl ) == 0 )
3732                 {
3733                     if( ssl_load_buffered_message( ssl ) == 0 )
3734                         have_buffered = 1;
3735                 }
3736 
3737                 if( have_buffered == 0 )
3738 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3739                 {
3740                     ret = ssl_get_next_record( ssl );
3741                     if( ret == MBEDTLS_ERR_SSL_CONTINUE_PROCESSING )
3742                         continue;
3743 
3744                     if( ret != 0 )
3745                     {
3746                         MBEDTLS_SSL_DEBUG_RET( 1, ( "ssl_get_next_record" ), ret );
3747                         return( ret );
3748                     }
3749                 }
3750             }
3751 
3752             ret = mbedtls_ssl_handle_message_type( ssl );
3753 
3754 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3755             if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
3756             {
3757                 /* Buffer future message */
3758                 ret = ssl_buffer_message( ssl );
3759                 if( ret != 0 )
3760                     return( ret );
3761 
3762                 ret = MBEDTLS_ERR_SSL_CONTINUE_PROCESSING;
3763             }
3764 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3765 
3766         } while( MBEDTLS_ERR_SSL_NON_FATAL           == ret  ||
3767                  MBEDTLS_ERR_SSL_CONTINUE_PROCESSING == ret );
3768 
3769         if( 0 != ret )
3770         {
3771             MBEDTLS_SSL_DEBUG_RET( 1, ( "mbedtls_ssl_handle_message_type" ), ret );
3772             return( ret );
3773         }
3774 
3775         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
3776             update_hs_digest == 1 )
3777         {
3778             mbedtls_ssl_update_handshake_status( ssl );
3779         }
3780     }
3781     else
3782     {
3783         MBEDTLS_SSL_DEBUG_MSG( 2, ( "reuse previously read message" ) );
3784         ssl->keep_current_message = 0;
3785     }
3786 
3787     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read record" ) );
3788 
3789     return( 0 );
3790 }
3791 
3792 #if defined(MBEDTLS_SSL_PROTO_DTLS)
ssl_next_record_is_in_datagram(mbedtls_ssl_context * ssl)3793 static int ssl_next_record_is_in_datagram( mbedtls_ssl_context *ssl )
3794 {
3795     if( ssl->in_left > ssl->next_record_offset )
3796         return( 1 );
3797 
3798     return( 0 );
3799 }
3800 
ssl_load_buffered_message(mbedtls_ssl_context * ssl)3801 static int ssl_load_buffered_message( mbedtls_ssl_context *ssl )
3802 {
3803     mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3804     mbedtls_ssl_hs_buffer * hs_buf;
3805     int ret = 0;
3806 
3807     if( hs == NULL )
3808         return( -1 );
3809 
3810     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_messsage" ) );
3811 
3812     if( ssl->state == MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC ||
3813         ssl->state == MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
3814     {
3815         /* Check if we have seen a ChangeCipherSpec before.
3816          * If yes, synthesize a CCS record. */
3817         if( !hs->buffering.seen_ccs )
3818         {
3819             MBEDTLS_SSL_DEBUG_MSG( 2, ( "CCS not seen in the current flight" ) );
3820             ret = -1;
3821             goto exit;
3822         }
3823 
3824         MBEDTLS_SSL_DEBUG_MSG( 2, ( "Injecting buffered CCS message" ) );
3825         ssl->in_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
3826         ssl->in_msglen = 1;
3827         ssl->in_msg[0] = 1;
3828 
3829         /* As long as they are equal, the exact value doesn't matter. */
3830         ssl->in_left            = 0;
3831         ssl->next_record_offset = 0;
3832 
3833         hs->buffering.seen_ccs = 0;
3834         goto exit;
3835     }
3836 
3837 #if defined(MBEDTLS_DEBUG_C)
3838     /* Debug only */
3839     {
3840         unsigned offset;
3841         for( offset = 1; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
3842         {
3843             hs_buf = &hs->buffering.hs[offset];
3844             if( hs_buf->is_valid == 1 )
3845             {
3846                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "Future message with sequence number %u %s buffered.",
3847                             hs->in_msg_seq + offset,
3848                             hs_buf->is_complete ? "fully" : "partially" ) );
3849             }
3850         }
3851     }
3852 #endif /* MBEDTLS_DEBUG_C */
3853 
3854     /* Check if we have buffered and/or fully reassembled the
3855      * next handshake message. */
3856     hs_buf = &hs->buffering.hs[0];
3857     if( ( hs_buf->is_valid == 1 ) && ( hs_buf->is_complete == 1 ) )
3858     {
3859         /* Synthesize a record containing the buffered HS message. */
3860         size_t msg_len = ( hs_buf->data[1] << 16 ) |
3861                          ( hs_buf->data[2] << 8  ) |
3862                            hs_buf->data[3];
3863 
3864         /* Double-check that we haven't accidentally buffered
3865          * a message that doesn't fit into the input buffer. */
3866         if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
3867         {
3868             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3869             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3870         }
3871 
3872         MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message has been buffered - load" ) );
3873         MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered handshake message (incl. header)",
3874                                hs_buf->data, msg_len + 12 );
3875 
3876         ssl->in_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
3877         ssl->in_hslen   = msg_len + 12;
3878         ssl->in_msglen  = msg_len + 12;
3879         memcpy( ssl->in_msg, hs_buf->data, ssl->in_hslen );
3880 
3881         ret = 0;
3882         goto exit;
3883     }
3884     else
3885     {
3886         MBEDTLS_SSL_DEBUG_MSG( 2, ( "Next handshake message %u not or only partially bufffered",
3887                                     hs->in_msg_seq ) );
3888     }
3889 
3890     ret = -1;
3891 
3892 exit:
3893 
3894     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_message" ) );
3895     return( ret );
3896 }
3897 
ssl_buffer_make_space(mbedtls_ssl_context * ssl,size_t desired)3898 static int ssl_buffer_make_space( mbedtls_ssl_context *ssl,
3899                                   size_t desired )
3900 {
3901     int offset;
3902     mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3903     MBEDTLS_SSL_DEBUG_MSG( 2, ( "Attempt to free buffered messages to have %u bytes available",
3904                                 (unsigned) desired ) );
3905 
3906     /* Get rid of future records epoch first, if such exist. */
3907     ssl_free_buffered_record( ssl );
3908 
3909     /* Check if we have enough space available now. */
3910     if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3911                      hs->buffering.total_bytes_buffered ) )
3912     {
3913         MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing future epoch record" ) );
3914         return( 0 );
3915     }
3916 
3917     /* We don't have enough space to buffer the next expected handshake
3918      * message. Remove buffers used for future messages to gain space,
3919      * starting with the most distant one. */
3920     for( offset = MBEDTLS_SSL_MAX_BUFFERED_HS - 1;
3921          offset >= 0; offset-- )
3922     {
3923         MBEDTLS_SSL_DEBUG_MSG( 2, ( "Free buffering slot %d to make space for reassembly of next handshake message",
3924                                     offset ) );
3925 
3926         ssl_buffering_free_slot( ssl, (uint8_t) offset );
3927 
3928         /* Check if we have enough space available now. */
3929         if( desired <= ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
3930                          hs->buffering.total_bytes_buffered ) )
3931         {
3932             MBEDTLS_SSL_DEBUG_MSG( 2, ( "Enough space available after freeing buffered HS messages" ) );
3933             return( 0 );
3934         }
3935     }
3936 
3937     return( -1 );
3938 }
3939 
ssl_buffer_message(mbedtls_ssl_context * ssl)3940 static int ssl_buffer_message( mbedtls_ssl_context *ssl )
3941 {
3942     int ret = 0;
3943     mbedtls_ssl_handshake_params * const hs = ssl->handshake;
3944 
3945     if( hs == NULL )
3946         return( 0 );
3947 
3948     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_buffer_message" ) );
3949 
3950     switch( ssl->in_msgtype )
3951     {
3952         case MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC:
3953             MBEDTLS_SSL_DEBUG_MSG( 2, ( "Remember CCS message" ) );
3954 
3955             hs->buffering.seen_ccs = 1;
3956             break;
3957 
3958         case MBEDTLS_SSL_MSG_HANDSHAKE:
3959         {
3960             unsigned recv_msg_seq_offset;
3961             unsigned recv_msg_seq = ( ssl->in_msg[4] << 8 ) | ssl->in_msg[5];
3962             mbedtls_ssl_hs_buffer *hs_buf;
3963             size_t msg_len = ssl->in_hslen - 12;
3964 
3965             /* We should never receive an old handshake
3966              * message - double-check nonetheless. */
3967             if( recv_msg_seq < ssl->handshake->in_msg_seq )
3968             {
3969                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
3970                 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
3971             }
3972 
3973             recv_msg_seq_offset = recv_msg_seq - ssl->handshake->in_msg_seq;
3974             if( recv_msg_seq_offset >= MBEDTLS_SSL_MAX_BUFFERED_HS )
3975             {
3976                 /* Silently ignore -- message too far in the future */
3977                 MBEDTLS_SSL_DEBUG_MSG( 2,
3978                  ( "Ignore future HS message with sequence number %u, "
3979                    "buffering window %u - %u",
3980                    recv_msg_seq, ssl->handshake->in_msg_seq,
3981                    ssl->handshake->in_msg_seq + MBEDTLS_SSL_MAX_BUFFERED_HS - 1 ) );
3982 
3983                 goto exit;
3984             }
3985 
3986             MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering HS message with sequence number %u, offset %u ",
3987                                         recv_msg_seq, recv_msg_seq_offset ) );
3988 
3989             hs_buf = &hs->buffering.hs[ recv_msg_seq_offset ];
3990 
3991             /* Check if the buffering for this seq nr has already commenced. */
3992             if( !hs_buf->is_valid )
3993             {
3994                 size_t reassembly_buf_sz;
3995 
3996                 hs_buf->is_fragmented =
3997                     ( ssl_hs_is_proper_fragment( ssl ) == 1 );
3998 
3999                 /* We copy the message back into the input buffer
4000                  * after reassembly, so check that it's not too large.
4001                  * This is an implementation-specific limitation
4002                  * and not one from the standard, hence it is not
4003                  * checked in ssl_check_hs_header(). */
4004                 if( msg_len + 12 > MBEDTLS_SSL_IN_CONTENT_LEN )
4005                 {
4006                     /* Ignore message */
4007                     goto exit;
4008                 }
4009 
4010                 /* Check if we have enough space to buffer the message. */
4011                 if( hs->buffering.total_bytes_buffered >
4012                     MBEDTLS_SSL_DTLS_MAX_BUFFERING )
4013                 {
4014                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4015                     return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4016                 }
4017 
4018                 reassembly_buf_sz = ssl_get_reassembly_buffer_size( msg_len,
4019                                                        hs_buf->is_fragmented );
4020 
4021                 if( reassembly_buf_sz > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4022                                           hs->buffering.total_bytes_buffered ) )
4023                 {
4024                     if( recv_msg_seq_offset > 0 )
4025                     {
4026                         /* If we can't buffer a future message because
4027                          * of space limitations -- ignore. */
4028                         MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
4029                                                     " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
4030                                                     " (already %" MBEDTLS_PRINTF_SIZET
4031                                                     " bytes buffered) -- ignore\n",
4032                              msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4033                              hs->buffering.total_bytes_buffered ) );
4034                         goto exit;
4035                     }
4036                     else
4037                     {
4038                         MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future message of size %" MBEDTLS_PRINTF_SIZET
4039                                                     " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
4040                                                     " (already %" MBEDTLS_PRINTF_SIZET
4041                                                     " bytes buffered) -- attempt to make space by freeing buffered future messages\n",
4042                              msg_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4043                              hs->buffering.total_bytes_buffered ) );
4044                     }
4045 
4046                     if( ssl_buffer_make_space( ssl, reassembly_buf_sz ) != 0 )
4047                     {
4048                         MBEDTLS_SSL_DEBUG_MSG( 2, ( "Reassembly of next message of size %" MBEDTLS_PRINTF_SIZET
4049                                                     " (%" MBEDTLS_PRINTF_SIZET " with bitmap) would exceed"
4050                                                     " the compile-time limit %" MBEDTLS_PRINTF_SIZET
4051                                                     " (already %" MBEDTLS_PRINTF_SIZET
4052                                                     " bytes buffered) -- fail\n",
4053                              msg_len,
4054                              reassembly_buf_sz,
4055                              (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4056                              hs->buffering.total_bytes_buffered ) );
4057                         ret = MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
4058                         goto exit;
4059                     }
4060                 }
4061 
4062                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialize reassembly, total length = %" MBEDTLS_PRINTF_SIZET,
4063                                             msg_len ) );
4064 
4065                 hs_buf->data = mbedtls_calloc( 1, reassembly_buf_sz );
4066                 if( hs_buf->data == NULL )
4067                 {
4068                     ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
4069                     goto exit;
4070                 }
4071                 hs_buf->data_len = reassembly_buf_sz;
4072 
4073                 /* Prepare final header: copy msg_type, length and message_seq,
4074                  * then add standardised fragment_offset and fragment_length */
4075                 memcpy( hs_buf->data, ssl->in_msg, 6 );
4076                 memset( hs_buf->data + 6, 0, 3 );
4077                 memcpy( hs_buf->data + 9, hs_buf->data + 1, 3 );
4078 
4079                 hs_buf->is_valid = 1;
4080 
4081                 hs->buffering.total_bytes_buffered += reassembly_buf_sz;
4082             }
4083             else
4084             {
4085                 /* Make sure msg_type and length are consistent */
4086                 if( memcmp( hs_buf->data, ssl->in_msg, 4 ) != 0 )
4087                 {
4088                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "Fragment header mismatch - ignore" ) );
4089                     /* Ignore */
4090                     goto exit;
4091                 }
4092             }
4093 
4094             if( !hs_buf->is_complete )
4095             {
4096                 size_t frag_len, frag_off;
4097                 unsigned char * const msg = hs_buf->data + 12;
4098 
4099                 /*
4100                  * Check and copy current fragment
4101                  */
4102 
4103                 /* Validation of header fields already done in
4104                  * mbedtls_ssl_prepare_handshake_record(). */
4105                 frag_off = ssl_get_hs_frag_off( ssl );
4106                 frag_len = ssl_get_hs_frag_len( ssl );
4107 
4108                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "adding fragment, offset = %" MBEDTLS_PRINTF_SIZET
4109                                             ", length = %" MBEDTLS_PRINTF_SIZET,
4110                                             frag_off, frag_len ) );
4111                 memcpy( msg + frag_off, ssl->in_msg + 12, frag_len );
4112 
4113                 if( hs_buf->is_fragmented )
4114                 {
4115                     unsigned char * const bitmask = msg + msg_len;
4116                     ssl_bitmask_set( bitmask, frag_off, frag_len );
4117                     hs_buf->is_complete = ( ssl_bitmask_check( bitmask,
4118                                                                msg_len ) == 0 );
4119                 }
4120                 else
4121                 {
4122                     hs_buf->is_complete = 1;
4123                 }
4124 
4125                 MBEDTLS_SSL_DEBUG_MSG( 2, ( "message %scomplete",
4126                                    hs_buf->is_complete ? "" : "not yet " ) );
4127             }
4128 
4129             break;
4130         }
4131 
4132         default:
4133             /* We don't buffer other types of messages. */
4134             break;
4135     }
4136 
4137 exit:
4138 
4139     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_buffer_message" ) );
4140     return( ret );
4141 }
4142 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4143 
ssl_consume_current_message(mbedtls_ssl_context * ssl)4144 static int ssl_consume_current_message( mbedtls_ssl_context *ssl )
4145 {
4146     /*
4147      * Consume last content-layer message and potentially
4148      * update in_msglen which keeps track of the contents'
4149      * consumption state.
4150      *
4151      * (1) Handshake messages:
4152      *     Remove last handshake message, move content
4153      *     and adapt in_msglen.
4154      *
4155      * (2) Alert messages:
4156      *     Consume whole record content, in_msglen = 0.
4157      *
4158      * (3) Change cipher spec:
4159      *     Consume whole record content, in_msglen = 0.
4160      *
4161      * (4) Application data:
4162      *     Don't do anything - the record layer provides
4163      *     the application data as a stream transport
4164      *     and consumes through mbedtls_ssl_read only.
4165      *
4166      */
4167 
4168     /* Case (1): Handshake messages */
4169     if( ssl->in_hslen != 0 )
4170     {
4171         /* Hard assertion to be sure that no application data
4172          * is in flight, as corrupting ssl->in_msglen during
4173          * ssl->in_offt != NULL is fatal. */
4174         if( ssl->in_offt != NULL )
4175         {
4176             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4177             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4178         }
4179 
4180         /*
4181          * Get next Handshake message in the current record
4182          */
4183 
4184         /* Notes:
4185          * (1) in_hslen is not necessarily the size of the
4186          *     current handshake content: If DTLS handshake
4187          *     fragmentation is used, that's the fragment
4188          *     size instead. Using the total handshake message
4189          *     size here is faulty and should be changed at
4190          *     some point.
4191          * (2) While it doesn't seem to cause problems, one
4192          *     has to be very careful not to assume that in_hslen
4193          *     is always <= in_msglen in a sensible communication.
4194          *     Again, it's wrong for DTLS handshake fragmentation.
4195          *     The following check is therefore mandatory, and
4196          *     should not be treated as a silently corrected assertion.
4197          *     Additionally, ssl->in_hslen might be arbitrarily out of
4198          *     bounds after handling a DTLS message with an unexpected
4199          *     sequence number, see mbedtls_ssl_prepare_handshake_record.
4200          */
4201         if( ssl->in_hslen < ssl->in_msglen )
4202         {
4203             ssl->in_msglen -= ssl->in_hslen;
4204             memmove( ssl->in_msg, ssl->in_msg + ssl->in_hslen,
4205                      ssl->in_msglen );
4206 
4207             MBEDTLS_SSL_DEBUG_BUF( 4, "remaining content in record",
4208                                    ssl->in_msg, ssl->in_msglen );
4209         }
4210         else
4211         {
4212             ssl->in_msglen = 0;
4213         }
4214 
4215         ssl->in_hslen   = 0;
4216     }
4217     /* Case (4): Application data */
4218     else if( ssl->in_offt != NULL )
4219     {
4220         return( 0 );
4221     }
4222     /* Everything else (CCS & Alerts) */
4223     else
4224     {
4225         ssl->in_msglen = 0;
4226     }
4227 
4228     return( 0 );
4229 }
4230 
ssl_record_is_in_progress(mbedtls_ssl_context * ssl)4231 static int ssl_record_is_in_progress( mbedtls_ssl_context *ssl )
4232 {
4233     if( ssl->in_msglen > 0 )
4234         return( 1 );
4235 
4236     return( 0 );
4237 }
4238 
4239 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4240 
ssl_free_buffered_record(mbedtls_ssl_context * ssl)4241 static void ssl_free_buffered_record( mbedtls_ssl_context *ssl )
4242 {
4243     mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4244     if( hs == NULL )
4245         return;
4246 
4247     if( hs->buffering.future_record.data != NULL )
4248     {
4249         hs->buffering.total_bytes_buffered -=
4250             hs->buffering.future_record.len;
4251 
4252         mbedtls_free( hs->buffering.future_record.data );
4253         hs->buffering.future_record.data = NULL;
4254     }
4255 }
4256 
ssl_load_buffered_record(mbedtls_ssl_context * ssl)4257 static int ssl_load_buffered_record( mbedtls_ssl_context *ssl )
4258 {
4259     mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4260     unsigned char * rec;
4261     size_t rec_len;
4262     unsigned rec_epoch;
4263 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
4264     size_t in_buf_len = ssl->in_buf_len;
4265 #else
4266     size_t in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN;
4267 #endif
4268     if( ssl->conf->transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4269         return( 0 );
4270 
4271     if( hs == NULL )
4272         return( 0 );
4273 
4274     rec       = hs->buffering.future_record.data;
4275     rec_len   = hs->buffering.future_record.len;
4276     rec_epoch = hs->buffering.future_record.epoch;
4277 
4278     if( rec == NULL )
4279         return( 0 );
4280 
4281     /* Only consider loading future records if the
4282      * input buffer is empty. */
4283     if( ssl_next_record_is_in_datagram( ssl ) == 1 )
4284         return( 0 );
4285 
4286     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> ssl_load_buffered_record" ) );
4287 
4288     if( rec_epoch != ssl->in_epoch )
4289     {
4290         MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffered record not from current epoch." ) );
4291         goto exit;
4292     }
4293 
4294     MBEDTLS_SSL_DEBUG_MSG( 2, ( "Found buffered record from current epoch - load" ) );
4295 
4296     /* Double-check that the record is not too large */
4297     if( rec_len > in_buf_len - (size_t)( ssl->in_hdr - ssl->in_buf ) )
4298     {
4299         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
4300         return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
4301     }
4302 
4303     memcpy( ssl->in_hdr, rec, rec_len );
4304     ssl->in_left = rec_len;
4305     ssl->next_record_offset = 0;
4306 
4307     ssl_free_buffered_record( ssl );
4308 
4309 exit:
4310     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= ssl_load_buffered_record" ) );
4311     return( 0 );
4312 }
4313 
ssl_buffer_future_record(mbedtls_ssl_context * ssl,mbedtls_record const * rec)4314 static int ssl_buffer_future_record( mbedtls_ssl_context *ssl,
4315                                      mbedtls_record const *rec )
4316 {
4317     mbedtls_ssl_handshake_params * const hs = ssl->handshake;
4318 
4319     /* Don't buffer future records outside handshakes. */
4320     if( hs == NULL )
4321         return( 0 );
4322 
4323     /* Only buffer handshake records (we are only interested
4324      * in Finished messages). */
4325     if( rec->type != MBEDTLS_SSL_MSG_HANDSHAKE )
4326         return( 0 );
4327 
4328     /* Don't buffer more than one future epoch record. */
4329     if( hs->buffering.future_record.data != NULL )
4330         return( 0 );
4331 
4332     /* Don't buffer record if there's not enough buffering space remaining. */
4333     if( rec->buf_len > ( MBEDTLS_SSL_DTLS_MAX_BUFFERING -
4334                          hs->buffering.total_bytes_buffered ) )
4335     {
4336         MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffering of future epoch record of size %" MBEDTLS_PRINTF_SIZET
4337                                     " would exceed the compile-time limit %" MBEDTLS_PRINTF_SIZET
4338                                     " (already %" MBEDTLS_PRINTF_SIZET
4339                                     " bytes buffered) -- ignore\n",
4340                         rec->buf_len, (size_t) MBEDTLS_SSL_DTLS_MAX_BUFFERING,
4341                         hs->buffering.total_bytes_buffered ) );
4342         return( 0 );
4343     }
4344 
4345     /* Buffer record */
4346     MBEDTLS_SSL_DEBUG_MSG( 2, ( "Buffer record from epoch %u",
4347                                 ssl->in_epoch + 1U ) );
4348     MBEDTLS_SSL_DEBUG_BUF( 3, "Buffered record", rec->buf, rec->buf_len );
4349 
4350     /* ssl_parse_record_header() only considers records
4351      * of the next epoch as candidates for buffering. */
4352     hs->buffering.future_record.epoch = ssl->in_epoch + 1;
4353     hs->buffering.future_record.len   = rec->buf_len;
4354 
4355     hs->buffering.future_record.data =
4356         mbedtls_calloc( 1, hs->buffering.future_record.len );
4357     if( hs->buffering.future_record.data == NULL )
4358     {
4359         /* If we run out of RAM trying to buffer a
4360          * record from the next epoch, just ignore. */
4361         return( 0 );
4362     }
4363 
4364     memcpy( hs->buffering.future_record.data, rec->buf, rec->buf_len );
4365 
4366     hs->buffering.total_bytes_buffered += rec->buf_len;
4367     return( 0 );
4368 }
4369 
4370 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4371 
ssl_get_next_record(mbedtls_ssl_context * ssl)4372 static int ssl_get_next_record( mbedtls_ssl_context *ssl )
4373 {
4374     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4375     mbedtls_record rec;
4376 
4377 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4378     /* We might have buffered a future record; if so,
4379      * and if the epoch matches now, load it.
4380      * On success, this call will set ssl->in_left to
4381      * the length of the buffered record, so that
4382      * the calls to ssl_fetch_input() below will
4383      * essentially be no-ops. */
4384     ret = ssl_load_buffered_record( ssl );
4385     if( ret != 0 )
4386         return( ret );
4387 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4388 
4389     /* Ensure that we have enough space available for the default form
4390      * of TLS / DTLS record headers (5 Bytes for TLS, 13 Bytes for DTLS,
4391      * with no space for CIDs counted in). */
4392     ret = mbedtls_ssl_fetch_input( ssl, mbedtls_ssl_in_hdr_len( ssl ) );
4393     if( ret != 0 )
4394     {
4395         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4396         return( ret );
4397     }
4398 
4399     ret = ssl_parse_record_header( ssl, ssl->in_hdr, ssl->in_left, &rec );
4400     if( ret != 0 )
4401     {
4402 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4403         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4404         {
4405             if( ret == MBEDTLS_ERR_SSL_EARLY_MESSAGE )
4406             {
4407                 ret = ssl_buffer_future_record( ssl, &rec );
4408                 if( ret != 0 )
4409                     return( ret );
4410 
4411                 /* Fall through to handling of unexpected records */
4412                 ret = MBEDTLS_ERR_SSL_UNEXPECTED_RECORD;
4413             }
4414 
4415             if( ret == MBEDTLS_ERR_SSL_UNEXPECTED_RECORD )
4416             {
4417 #if defined(MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE) && defined(MBEDTLS_SSL_SRV_C)
4418                 /* Reset in pointers to default state for TLS/DTLS records,
4419                  * assuming no CID and no offset between record content and
4420                  * record plaintext. */
4421                 mbedtls_ssl_update_in_pointers( ssl );
4422 
4423                 /* Setup internal message pointers from record structure. */
4424                 ssl->in_msgtype = rec.type;
4425 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4426                 ssl->in_len = ssl->in_cid + rec.cid_len;
4427 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4428                 ssl->in_iv  = ssl->in_msg = ssl->in_len + 2;
4429                 ssl->in_msglen = rec.data_len;
4430 
4431                 ret = ssl_check_client_reconnect( ssl );
4432                 MBEDTLS_SSL_DEBUG_RET( 2, "ssl_check_client_reconnect", ret );
4433                 if( ret != 0 )
4434                     return( ret );
4435 #endif
4436 
4437                 /* Skip unexpected record (but not whole datagram) */
4438                 ssl->next_record_offset = rec.buf_len;
4439 
4440                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding unexpected record "
4441                                             "(header)" ) );
4442             }
4443             else
4444             {
4445                 /* Skip invalid record and the rest of the datagram */
4446                 ssl->next_record_offset = 0;
4447                 ssl->in_left = 0;
4448 
4449                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record "
4450                                             "(header)" ) );
4451             }
4452 
4453             /* Get next record */
4454             return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
4455         }
4456         else
4457 #endif
4458         {
4459             return( ret );
4460         }
4461     }
4462 
4463 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4464     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4465     {
4466         /* Remember offset of next record within datagram. */
4467         ssl->next_record_offset = rec.buf_len;
4468         if( ssl->next_record_offset < ssl->in_left )
4469         {
4470             MBEDTLS_SSL_DEBUG_MSG( 3, ( "more than one record within datagram" ) );
4471         }
4472     }
4473     else
4474 #endif
4475     {
4476         /*
4477          * Fetch record contents from underlying transport.
4478          */
4479         ret = mbedtls_ssl_fetch_input( ssl, rec.buf_len );
4480         if( ret != 0 )
4481         {
4482             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_fetch_input", ret );
4483             return( ret );
4484         }
4485 
4486         ssl->in_left = 0;
4487     }
4488 
4489     /*
4490      * Decrypt record contents.
4491      */
4492 
4493     if( ( ret = ssl_prepare_record_content( ssl, &rec ) ) != 0 )
4494     {
4495 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4496         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4497         {
4498             /* Silently discard invalid records */
4499             if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4500             {
4501                 /* Except when waiting for Finished as a bad mac here
4502                  * probably means something went wrong in the handshake
4503                  * (eg wrong psk used, mitm downgrade attempt, etc.) */
4504                 if( ssl->state == MBEDTLS_SSL_CLIENT_FINISHED ||
4505                     ssl->state == MBEDTLS_SSL_SERVER_FINISHED )
4506                 {
4507 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4508                     if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4509                     {
4510                         mbedtls_ssl_send_alert_message( ssl,
4511                                 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4512                                 MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4513                     }
4514 #endif
4515                     return( ret );
4516                 }
4517 
4518                 if( ssl->conf->badmac_limit != 0 &&
4519                     ++ssl->badmac_seen >= ssl->conf->badmac_limit )
4520                 {
4521                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "too many records with bad MAC" ) );
4522                     return( MBEDTLS_ERR_SSL_INVALID_MAC );
4523                 }
4524 
4525                 /* As above, invalid records cause
4526                  * dismissal of the whole datagram. */
4527 
4528                 ssl->next_record_offset = 0;
4529                 ssl->in_left = 0;
4530 
4531                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "discarding invalid record (mac)" ) );
4532                 return( MBEDTLS_ERR_SSL_CONTINUE_PROCESSING );
4533             }
4534 
4535             return( ret );
4536         }
4537         else
4538 #endif
4539         {
4540             /* Error out (and send alert) on invalid records */
4541 #if defined(MBEDTLS_SSL_ALL_ALERT_MESSAGES)
4542             if( ret == MBEDTLS_ERR_SSL_INVALID_MAC )
4543             {
4544                 mbedtls_ssl_send_alert_message( ssl,
4545                         MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4546                         MBEDTLS_SSL_ALERT_MSG_BAD_RECORD_MAC );
4547             }
4548 #endif
4549             return( ret );
4550         }
4551     }
4552 
4553 
4554     /* Reset in pointers to default state for TLS/DTLS records,
4555      * assuming no CID and no offset between record content and
4556      * record plaintext. */
4557     mbedtls_ssl_update_in_pointers( ssl );
4558 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4559     ssl->in_len = ssl->in_cid + rec.cid_len;
4560 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4561     ssl->in_iv  = ssl->in_len + 2;
4562 
4563     /* The record content type may change during decryption,
4564      * so re-read it. */
4565     ssl->in_msgtype = rec.type;
4566     /* Also update the input buffer, because unfortunately
4567      * the server-side ssl_parse_client_hello() reparses the
4568      * record header when receiving a ClientHello initiating
4569      * a renegotiation. */
4570     ssl->in_hdr[0] = rec.type;
4571     ssl->in_msg    = rec.buf + rec.data_offset;
4572     ssl->in_msglen = rec.data_len;
4573     MBEDTLS_PUT_UINT16_BE( rec.data_len, ssl->in_len, 0 );
4574 
4575     return( 0 );
4576 }
4577 
mbedtls_ssl_handle_message_type(mbedtls_ssl_context * ssl)4578 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
4579 {
4580     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4581 
4582     /*
4583      * Handle particular types of records
4584      */
4585     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
4586     {
4587         if( ( ret = mbedtls_ssl_prepare_handshake_record( ssl ) ) != 0 )
4588         {
4589             return( ret );
4590         }
4591     }
4592 
4593     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
4594     {
4595         if( ssl->in_msglen != 1 )
4596         {
4597             MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, len: %" MBEDTLS_PRINTF_SIZET,
4598                            ssl->in_msglen ) );
4599             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4600         }
4601 
4602         if( ssl->in_msg[0] != 1 )
4603         {
4604             MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid CCS message, content: %02x",
4605                                         ssl->in_msg[0] ) );
4606             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4607         }
4608 
4609 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4610         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4611             ssl->state != MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC    &&
4612             ssl->state != MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC )
4613         {
4614             if( ssl->handshake == NULL )
4615             {
4616                 MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping ChangeCipherSpec outside handshake" ) );
4617                 return( MBEDTLS_ERR_SSL_UNEXPECTED_RECORD );
4618             }
4619 
4620             MBEDTLS_SSL_DEBUG_MSG( 1, ( "received out-of-order ChangeCipherSpec - remember" ) );
4621             return( MBEDTLS_ERR_SSL_EARLY_MESSAGE );
4622         }
4623 #endif
4624     }
4625 
4626     if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
4627     {
4628         if( ssl->in_msglen != 2 )
4629         {
4630             /* Note: Standard allows for more than one 2 byte alert
4631                to be packed in a single message, but Mbed TLS doesn't
4632                currently support this. */
4633             MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid alert message, len: %" MBEDTLS_PRINTF_SIZET,
4634                            ssl->in_msglen ) );
4635             return( MBEDTLS_ERR_SSL_INVALID_RECORD );
4636         }
4637 
4638         MBEDTLS_SSL_DEBUG_MSG( 2, ( "got an alert message, type: [%u:%u]",
4639                        ssl->in_msg[0], ssl->in_msg[1] ) );
4640 
4641         /*
4642          * Ignore non-fatal alerts, except close_notify and no_renegotiation
4643          */
4644         if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_FATAL )
4645         {
4646             MBEDTLS_SSL_DEBUG_MSG( 1, ( "is a fatal alert message (msg %d)",
4647                            ssl->in_msg[1] ) );
4648             return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE );
4649         }
4650 
4651         if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4652             ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY )
4653         {
4654             MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a close notify message" ) );
4655             return( MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY );
4656         }
4657 
4658 #if defined(MBEDTLS_SSL_RENEGOTIATION_ENABLED)
4659         if( ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
4660             ssl->in_msg[1] == MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION )
4661         {
4662             MBEDTLS_SSL_DEBUG_MSG( 2, ( "is a no renegotiation alert" ) );
4663             /* Will be handled when trying to parse ServerHello */
4664             return( 0 );
4665         }
4666 #endif
4667         /* Silently ignore: fetch new message */
4668         return MBEDTLS_ERR_SSL_NON_FATAL;
4669     }
4670 
4671 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4672     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4673     {
4674         /* Drop unexpected ApplicationData records,
4675          * except at the beginning of renegotiations */
4676         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA &&
4677             ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER
4678 #if defined(MBEDTLS_SSL_RENEGOTIATION)
4679             && ! ( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS &&
4680                    ssl->state == MBEDTLS_SSL_SERVER_HELLO )
4681 #endif
4682             )
4683         {
4684             MBEDTLS_SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
4685             return( MBEDTLS_ERR_SSL_NON_FATAL );
4686         }
4687 
4688         if( ssl->handshake != NULL &&
4689             ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER  )
4690         {
4691             mbedtls_ssl_handshake_wrapup_free_hs_transform( ssl );
4692         }
4693     }
4694 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4695 
4696     return( 0 );
4697 }
4698 
mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context * ssl)4699 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl )
4700 {
4701     return( mbedtls_ssl_send_alert_message( ssl,
4702                   MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4703                   MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ) );
4704 }
4705 
mbedtls_ssl_send_alert_message(mbedtls_ssl_context * ssl,unsigned char level,unsigned char message)4706 int mbedtls_ssl_send_alert_message( mbedtls_ssl_context *ssl,
4707                             unsigned char level,
4708                             unsigned char message )
4709 {
4710     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4711 
4712     if( ssl == NULL || ssl->conf == NULL )
4713         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
4714 
4715     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> send alert message" ) );
4716     MBEDTLS_SSL_DEBUG_MSG( 3, ( "send alert level=%u message=%u", level, message ));
4717 
4718     ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
4719     ssl->out_msglen = 2;
4720     ssl->out_msg[0] = level;
4721     ssl->out_msg[1] = message;
4722 
4723     if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
4724     {
4725         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
4726         return( ret );
4727     }
4728     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= send alert message" ) );
4729 
4730     return( 0 );
4731 }
4732 
mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context * ssl)4733 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl )
4734 {
4735     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4736 
4737     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write change cipher spec" ) );
4738 
4739     ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
4740     ssl->out_msglen  = 1;
4741     ssl->out_msg[0]  = 1;
4742 
4743     ssl->state++;
4744 
4745     if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
4746     {
4747         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
4748         return( ret );
4749     }
4750 
4751     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write change cipher spec" ) );
4752 
4753     return( 0 );
4754 }
4755 
mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context * ssl)4756 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
4757 {
4758     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
4759 
4760     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse change cipher spec" ) );
4761 
4762     if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
4763     {
4764         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
4765         return( ret );
4766     }
4767 
4768     if( ssl->in_msgtype != MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC )
4769     {
4770         MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad change cipher spec message" ) );
4771         mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
4772                                         MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
4773         return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
4774     }
4775 
4776     /* CCS records are only accepted if they have length 1 and content '1',
4777      * so we don't need to check this here. */
4778 
4779     /*
4780      * Switch to our negotiated transform and session parameters for inbound
4781      * data.
4782      */
4783     MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
4784     ssl->transform_in = ssl->transform_negotiate;
4785     ssl->session_in = ssl->session_negotiate;
4786 
4787 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4788     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4789     {
4790 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
4791         mbedtls_ssl_dtls_replay_reset( ssl );
4792 #endif
4793 
4794         /* Increment epoch */
4795         if( ++ssl->in_epoch == 0 )
4796         {
4797             MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS epoch would wrap" ) );
4798             /* This is highly unlikely to happen for legitimate reasons, so
4799                treat it as an attack and don't send an alert. */
4800             return( MBEDTLS_ERR_SSL_COUNTER_WRAPPING );
4801         }
4802     }
4803     else
4804 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4805     memset( ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
4806 
4807     mbedtls_ssl_update_in_pointers( ssl );
4808 
4809     ssl->state++;
4810 
4811     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse change cipher spec" ) );
4812 
4813     return( 0 );
4814 }
4815 
4816 /* Once ssl->out_hdr as the address of the beginning of the
4817  * next outgoing record is set, deduce the other pointers.
4818  *
4819  * Note: For TLS, we save the implicit record sequence number
4820  *       (entering MAC computation) in the 8 bytes before ssl->out_hdr,
4821  *       and the caller has to make sure there's space for this.
4822  */
4823 
ssl_transform_get_explicit_iv_len(mbedtls_ssl_transform const * transform)4824 static size_t ssl_transform_get_explicit_iv_len(
4825                         mbedtls_ssl_transform const *transform )
4826 {
4827     if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
4828         return( 0 );
4829 
4830     return( transform->ivlen - transform->fixed_ivlen );
4831 }
4832 
mbedtls_ssl_update_out_pointers(mbedtls_ssl_context * ssl,mbedtls_ssl_transform * transform)4833 void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
4834                                       mbedtls_ssl_transform *transform )
4835 {
4836 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4837     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4838     {
4839         ssl->out_ctr = ssl->out_hdr +  3;
4840 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4841         ssl->out_cid = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
4842         ssl->out_len = ssl->out_cid;
4843         if( transform != NULL )
4844             ssl->out_len += transform->out_cid_len;
4845 #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4846         ssl->out_len = ssl->out_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
4847 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4848         ssl->out_iv  = ssl->out_len + 2;
4849     }
4850     else
4851 #endif
4852     {
4853         ssl->out_len = ssl->out_hdr + 3;
4854 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4855         ssl->out_cid = ssl->out_len;
4856 #endif
4857         ssl->out_iv  = ssl->out_hdr + 5;
4858     }
4859 
4860     ssl->out_msg = ssl->out_iv;
4861     /* Adjust out_msg to make space for explicit IV, if used. */
4862     if( transform != NULL )
4863         ssl->out_msg += ssl_transform_get_explicit_iv_len( transform );
4864 }
4865 
4866 /* Once ssl->in_hdr as the address of the beginning of the
4867  * next incoming record is set, deduce the other pointers.
4868  *
4869  * Note: For TLS, we save the implicit record sequence number
4870  *       (entering MAC computation) in the 8 bytes before ssl->in_hdr,
4871  *       and the caller has to make sure there's space for this.
4872  */
4873 
mbedtls_ssl_update_in_pointers(mbedtls_ssl_context * ssl)4874 void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl )
4875 {
4876     /* This function sets the pointers to match the case
4877      * of unprotected TLS/DTLS records, with both  ssl->in_iv
4878      * and ssl->in_msg pointing to the beginning of the record
4879      * content.
4880      *
4881      * When decrypting a protected record, ssl->in_msg
4882      * will be shifted to point to the beginning of the
4883      * record plaintext.
4884      */
4885 
4886 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4887     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4888     {
4889         /* This sets the header pointers to match records
4890          * without CID. When we receive a record containing
4891          * a CID, the fields are shifted accordingly in
4892          * ssl_parse_record_header(). */
4893         ssl->in_ctr = ssl->in_hdr +  3;
4894 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4895         ssl->in_cid = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
4896         ssl->in_len = ssl->in_cid; /* Default: no CID */
4897 #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4898         ssl->in_len = ssl->in_ctr + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
4899 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
4900         ssl->in_iv  = ssl->in_len + 2;
4901     }
4902     else
4903 #endif
4904     {
4905         ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN;
4906         ssl->in_len = ssl->in_hdr + 3;
4907 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
4908         ssl->in_cid = ssl->in_len;
4909 #endif
4910         ssl->in_iv  = ssl->in_hdr + 5;
4911     }
4912 
4913     /* This will be adjusted at record decryption time. */
4914     ssl->in_msg = ssl->in_iv;
4915 }
4916 
4917 /*
4918  * Setup an SSL context
4919  */
4920 
mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context * ssl)4921 void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl )
4922 {
4923     /* Set the incoming and outgoing record pointers. */
4924 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4925     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
4926     {
4927         ssl->out_hdr = ssl->out_buf;
4928         ssl->in_hdr  = ssl->in_buf;
4929     }
4930     else
4931 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4932     {
4933         ssl->out_ctr = ssl->out_buf;
4934         ssl->out_hdr = ssl->out_buf + 8;
4935         ssl->in_hdr  = ssl->in_buf  + 8;
4936     }
4937 
4938     /* Derive other internal pointers. */
4939     mbedtls_ssl_update_out_pointers( ssl, NULL /* no transform enabled */ );
4940     mbedtls_ssl_update_in_pointers ( ssl );
4941 }
4942 
4943 /*
4944  * SSL get accessors
4945  */
mbedtls_ssl_get_bytes_avail(const mbedtls_ssl_context * ssl)4946 size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
4947 {
4948     return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
4949 }
4950 
mbedtls_ssl_check_pending(const mbedtls_ssl_context * ssl)4951 int mbedtls_ssl_check_pending( const mbedtls_ssl_context *ssl )
4952 {
4953     /*
4954      * Case A: We're currently holding back
4955      * a message for further processing.
4956      */
4957 
4958     if( ssl->keep_current_message == 1 )
4959     {
4960         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: record held back for processing" ) );
4961         return( 1 );
4962     }
4963 
4964     /*
4965      * Case B: Further records are pending in the current datagram.
4966      */
4967 
4968 #if defined(MBEDTLS_SSL_PROTO_DTLS)
4969     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
4970         ssl->in_left > ssl->next_record_offset )
4971     {
4972         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more records within current datagram" ) );
4973         return( 1 );
4974     }
4975 #endif /* MBEDTLS_SSL_PROTO_DTLS */
4976 
4977     /*
4978      * Case C: A handshake message is being processed.
4979      */
4980 
4981     if( ssl->in_hslen > 0 && ssl->in_hslen < ssl->in_msglen )
4982     {
4983         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: more handshake messages within current record" ) );
4984         return( 1 );
4985     }
4986 
4987     /*
4988      * Case D: An application data message is being processed
4989      */
4990     if( ssl->in_offt != NULL )
4991     {
4992         MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: application data record is being processed" ) );
4993         return( 1 );
4994     }
4995 
4996     /*
4997      * In all other cases, the rest of the message can be dropped.
4998      * As in ssl_get_next_record, this needs to be adapted if
4999      * we implement support for multiple alerts in single records.
5000      */
5001 
5002     MBEDTLS_SSL_DEBUG_MSG( 3, ( "ssl_check_pending: nothing pending" ) );
5003     return( 0 );
5004 }
5005 
5006 
mbedtls_ssl_get_record_expansion(const mbedtls_ssl_context * ssl)5007 int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
5008 {
5009     size_t transform_expansion = 0;
5010     const mbedtls_ssl_transform *transform = ssl->transform_out;
5011     unsigned block_size;
5012 
5013     size_t out_hdr_len = mbedtls_ssl_out_hdr_len( ssl );
5014 
5015     if( transform == NULL )
5016         return( (int) out_hdr_len );
5017 
5018     switch( mbedtls_cipher_get_cipher_mode( &transform->cipher_ctx_enc ) )
5019     {
5020         case MBEDTLS_MODE_GCM:
5021         case MBEDTLS_MODE_CCM:
5022         case MBEDTLS_MODE_CHACHAPOLY:
5023         case MBEDTLS_MODE_STREAM:
5024             transform_expansion = transform->minlen;
5025             break;
5026 
5027         case MBEDTLS_MODE_CBC:
5028 
5029             block_size = mbedtls_cipher_get_block_size(
5030                 &transform->cipher_ctx_enc );
5031 
5032             /* Expansion due to the addition of the MAC. */
5033             transform_expansion += transform->maclen;
5034 
5035             /* Expansion due to the addition of CBC padding;
5036              * Theoretically up to 256 bytes, but we never use
5037              * more than the block size of the underlying cipher. */
5038             transform_expansion += block_size;
5039 
5040             /* For TLS 1.2 or higher, an explicit IV is added
5041              * after the record header. */
5042 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5043             transform_expansion += block_size;
5044 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5045 
5046             break;
5047 
5048         default:
5049             MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
5050             return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
5051     }
5052 
5053 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
5054     if( transform->out_cid_len != 0 )
5055         transform_expansion += MBEDTLS_SSL_MAX_CID_EXPANSION;
5056 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
5057 
5058     return( (int)( out_hdr_len + transform_expansion ) );
5059 }
5060 
5061 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5062 /*
5063  * Check record counters and renegotiate if they're above the limit.
5064  */
ssl_check_ctr_renegotiate(mbedtls_ssl_context * ssl)5065 static int ssl_check_ctr_renegotiate( mbedtls_ssl_context *ssl )
5066 {
5067     size_t ep_len = mbedtls_ssl_ep_len( ssl );
5068     int in_ctr_cmp;
5069     int out_ctr_cmp;
5070 
5071     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER ||
5072         ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING ||
5073         ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED )
5074     {
5075         return( 0 );
5076     }
5077 
5078     in_ctr_cmp = memcmp( ssl->in_ctr + ep_len,
5079                          &ssl->conf->renego_period[ep_len],
5080                          MBEDTLS_SSL_SEQUENCE_NUMBER_LEN - ep_len );
5081     out_ctr_cmp = memcmp( &ssl->cur_out_ctr[ep_len],
5082                           &ssl->conf->renego_period[ep_len],
5083                           sizeof( ssl->cur_out_ctr ) - ep_len );
5084 
5085     if( in_ctr_cmp <= 0 && out_ctr_cmp <= 0 )
5086     {
5087         return( 0 );
5088     }
5089 
5090     MBEDTLS_SSL_DEBUG_MSG( 1, ( "record counter limit reached: renegotiate" ) );
5091     return( mbedtls_ssl_renegotiate( ssl ) );
5092 }
5093 #endif /* MBEDTLS_SSL_RENEGOTIATION */
5094 
5095 /* This function is called from mbedtls_ssl_read() when a handshake message is
5096  * received after the initial handshake. In this context, handshake messages
5097  * may only be sent for the purpose of initiating renegotiations.
5098  *
5099  * This function is introduced as a separate helper since the handling
5100  * of post-handshake handshake messages changes significantly in TLS 1.3,
5101  * and having a helper function allows to distinguish between TLS <= 1.2 and
5102  * TLS 1.3 in the future without bloating the logic of mbedtls_ssl_read().
5103  */
ssl_handle_hs_message_post_handshake(mbedtls_ssl_context * ssl)5104 static int ssl_handle_hs_message_post_handshake( mbedtls_ssl_context *ssl )
5105 {
5106     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5107 
5108     /*
5109      * - For client-side, expect SERVER_HELLO_REQUEST.
5110      * - For server-side, expect CLIENT_HELLO.
5111      * - Fail (TLS) or silently drop record (DTLS) in other cases.
5112      */
5113 
5114 #if defined(MBEDTLS_SSL_CLI_C)
5115     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
5116         ( ssl->in_msg[0] != MBEDTLS_SSL_HS_HELLO_REQUEST ||
5117           ssl->in_hslen  != mbedtls_ssl_hs_hdr_len( ssl ) ) )
5118     {
5119         MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not HelloRequest)" ) );
5120 
5121         /* With DTLS, drop the packet (probably from last handshake) */
5122 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5123         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5124         {
5125             return( 0 );
5126         }
5127 #endif
5128         return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5129     }
5130 #endif /* MBEDTLS_SSL_CLI_C */
5131 
5132 #if defined(MBEDTLS_SSL_SRV_C)
5133     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5134         ssl->in_msg[0] != MBEDTLS_SSL_HS_CLIENT_HELLO )
5135     {
5136         MBEDTLS_SSL_DEBUG_MSG( 1, ( "handshake received (not ClientHello)" ) );
5137 
5138         /* With DTLS, drop the packet (probably from last handshake) */
5139 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5140         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5141         {
5142             return( 0 );
5143         }
5144 #endif
5145         return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5146     }
5147 #endif /* MBEDTLS_SSL_SRV_C */
5148 
5149 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5150     /* Determine whether renegotiation attempt should be accepted */
5151     if( ! ( ssl->conf->disable_renegotiation == MBEDTLS_SSL_RENEGOTIATION_DISABLED ||
5152             ( ssl->secure_renegotiation == MBEDTLS_SSL_LEGACY_RENEGOTIATION &&
5153               ssl->conf->allow_legacy_renegotiation ==
5154               MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION ) ) )
5155     {
5156         /*
5157          * Accept renegotiation request
5158          */
5159 
5160         /* DTLS clients need to know renego is server-initiated */
5161 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5162         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
5163             ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
5164         {
5165             ssl->renego_status = MBEDTLS_SSL_RENEGOTIATION_PENDING;
5166         }
5167 #endif
5168         ret = mbedtls_ssl_start_renegotiation( ssl );
5169         if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5170             ret != 0 )
5171         {
5172             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_start_renegotiation",
5173                                    ret );
5174             return( ret );
5175         }
5176     }
5177     else
5178 #endif /* MBEDTLS_SSL_RENEGOTIATION */
5179     {
5180         /*
5181          * Refuse renegotiation
5182          */
5183 
5184         MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
5185 
5186 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
5187         if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5188                          MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5189                          MBEDTLS_SSL_ALERT_MSG_NO_RENEGOTIATION ) ) != 0 )
5190         {
5191             return( ret );
5192         }
5193 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
5194     }
5195 
5196     return( 0 );
5197 }
5198 
5199 /*
5200  * Receive application data decrypted from the SSL layer
5201  */
mbedtls_ssl_read(mbedtls_ssl_context * ssl,unsigned char * buf,size_t len)5202 int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
5203 {
5204     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5205     size_t n;
5206 
5207     if( ssl == NULL || ssl->conf == NULL )
5208         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5209 
5210     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> read" ) );
5211 
5212 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5213     if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5214     {
5215         if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
5216             return( ret );
5217 
5218         if( ssl->handshake != NULL &&
5219             ssl->handshake->retransmit_state == MBEDTLS_SSL_RETRANS_SENDING )
5220         {
5221             if( ( ret = mbedtls_ssl_flight_transmit( ssl ) ) != 0 )
5222                 return( ret );
5223         }
5224     }
5225 #endif
5226 
5227     /*
5228      * Check if renegotiation is necessary and/or handshake is
5229      * in process. If yes, perform/continue, and fall through
5230      * if an unexpected packet is received while the client
5231      * is waiting for the ServerHello.
5232      *
5233      * (There is no equivalent to the last condition on
5234      *  the server-side as it is not treated as within
5235      *  a handshake while waiting for the ClientHello
5236      *  after a renegotiation request.)
5237      */
5238 
5239 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5240     ret = ssl_check_ctr_renegotiate( ssl );
5241     if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5242         ret != 0 )
5243     {
5244         MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
5245         return( ret );
5246     }
5247 #endif
5248 
5249     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5250     {
5251         ret = mbedtls_ssl_handshake( ssl );
5252         if( ret != MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO &&
5253             ret != 0 )
5254         {
5255             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
5256             return( ret );
5257         }
5258     }
5259 
5260     /* Loop as long as no application data record is available */
5261     while( ssl->in_offt == NULL )
5262     {
5263         /* Start timer if not already running */
5264         if( ssl->f_get_timer != NULL &&
5265             ssl->f_get_timer( ssl->p_timer ) == -1 )
5266         {
5267             mbedtls_ssl_set_timer( ssl, ssl->conf->read_timeout );
5268         }
5269 
5270         if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
5271         {
5272             if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5273                 return( 0 );
5274 
5275             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5276             return( ret );
5277         }
5278 
5279         if( ssl->in_msglen  == 0 &&
5280             ssl->in_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA )
5281         {
5282             /*
5283              * OpenSSL sends empty messages to randomize the IV
5284              */
5285             if( ( ret = mbedtls_ssl_read_record( ssl, 1 ) ) != 0 )
5286             {
5287                 if( ret == MBEDTLS_ERR_SSL_CONN_EOF )
5288                     return( 0 );
5289 
5290                 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
5291                 return( ret );
5292             }
5293         }
5294 
5295         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE )
5296         {
5297             ret = ssl_handle_hs_message_post_handshake( ssl );
5298             if( ret != 0)
5299             {
5300                 MBEDTLS_SSL_DEBUG_RET( 1, "ssl_handle_hs_message_post_handshake",
5301                                           ret );
5302                 return( ret );
5303             }
5304 
5305             /* At this point, we don't know whether the renegotiation triggered
5306              * by the post-handshake message has been completed or not. The cases
5307              * to consider are the following:
5308              * 1) The renegotiation is complete. In this case, no new record
5309              *    has been read yet.
5310              * 2) The renegotiation is incomplete because the client received
5311              *    an application data record while awaiting the ServerHello.
5312              * 3) The renegotiation is incomplete because the client received
5313              *    a non-handshake, non-application data message while awaiting
5314              *    the ServerHello.
5315              *
5316              * In each of these cases, looping will be the proper action:
5317              * - For 1), the next iteration will read a new record and check
5318              *   if it's application data.
5319              * - For 2), the loop condition isn't satisfied as application data
5320              *   is present, hence continue is the same as break
5321              * - For 3), the loop condition is satisfied and read_record
5322              *   will re-deliver the message that was held back by the client
5323              *   when expecting the ServerHello.
5324              */
5325 
5326             continue;
5327         }
5328 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5329         else if( ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
5330         {
5331             if( ssl->conf->renego_max_records >= 0 )
5332             {
5333                 if( ++ssl->renego_records_seen > ssl->conf->renego_max_records )
5334                 {
5335                     MBEDTLS_SSL_DEBUG_MSG( 1, ( "renegotiation requested, "
5336                                         "but not honored by client" ) );
5337                     return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5338                 }
5339             }
5340         }
5341 #endif /* MBEDTLS_SSL_RENEGOTIATION */
5342 
5343         /* Fatal and closure alerts handled by mbedtls_ssl_read_record() */
5344         if( ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT )
5345         {
5346             MBEDTLS_SSL_DEBUG_MSG( 2, ( "ignoring non-fatal non-closure alert" ) );
5347             return( MBEDTLS_ERR_SSL_WANT_READ );
5348         }
5349 
5350         if( ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
5351         {
5352             MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad application data message" ) );
5353             return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
5354         }
5355 
5356         ssl->in_offt = ssl->in_msg;
5357 
5358         /* We're going to return something now, cancel timer,
5359          * except if handshake (renegotiation) is in progress */
5360         if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5361             mbedtls_ssl_set_timer( ssl, 0 );
5362 
5363 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5364         /* If we requested renego but received AppData, resend HelloRequest.
5365          * Do it now, after setting in_offt, to avoid taking this branch
5366          * again if ssl_write_hello_request() returns WANT_WRITE */
5367 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_RENEGOTIATION)
5368         if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
5369             ssl->renego_status == MBEDTLS_SSL_RENEGOTIATION_PENDING )
5370         {
5371             if( ( ret = mbedtls_ssl_resend_hello_request( ssl ) ) != 0 )
5372             {
5373                 MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_resend_hello_request",
5374                                        ret );
5375                 return( ret );
5376             }
5377         }
5378 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_RENEGOTIATION */
5379 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5380     }
5381 
5382     n = ( len < ssl->in_msglen )
5383         ? len : ssl->in_msglen;
5384 
5385     memcpy( buf, ssl->in_offt, n );
5386     ssl->in_msglen -= n;
5387 
5388     /* Zeroising the plaintext buffer to erase unused application data
5389        from the memory. */
5390     mbedtls_platform_zeroize( ssl->in_offt, n );
5391 
5392     if( ssl->in_msglen == 0 )
5393     {
5394         /* all bytes consumed */
5395         ssl->in_offt = NULL;
5396         ssl->keep_current_message = 0;
5397     }
5398     else
5399     {
5400         /* more data available */
5401         ssl->in_offt += n;
5402     }
5403 
5404     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= read" ) );
5405 
5406     return( (int) n );
5407 }
5408 
5409 /*
5410  * Send application data to be encrypted by the SSL layer, taking care of max
5411  * fragment length and buffer size.
5412  *
5413  * According to RFC 5246 Section 6.2.1:
5414  *
5415  *      Zero-length fragments of Application data MAY be sent as they are
5416  *      potentially useful as a traffic analysis countermeasure.
5417  *
5418  * Therefore, it is possible that the input message length is 0 and the
5419  * corresponding return code is 0 on success.
5420  */
ssl_write_real(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)5421 static int ssl_write_real( mbedtls_ssl_context *ssl,
5422                            const unsigned char *buf, size_t len )
5423 {
5424     int ret = mbedtls_ssl_get_max_out_record_payload( ssl );
5425     const size_t max_len = (size_t) ret;
5426 
5427     if( ret < 0 )
5428     {
5429         MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_get_max_out_record_payload", ret );
5430         return( ret );
5431     }
5432 
5433     if( len > max_len )
5434     {
5435 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5436         if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5437         {
5438             MBEDTLS_SSL_DEBUG_MSG( 1, ( "fragment larger than the (negotiated) "
5439                                 "maximum fragment length: %" MBEDTLS_PRINTF_SIZET
5440                                 " > %" MBEDTLS_PRINTF_SIZET,
5441                                 len, max_len ) );
5442             return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5443         }
5444         else
5445 #endif
5446             len = max_len;
5447     }
5448 
5449     if( ssl->out_left != 0 )
5450     {
5451         /*
5452          * The user has previously tried to send the data and
5453          * MBEDTLS_ERR_SSL_WANT_WRITE or the message was only partially
5454          * written. In this case, we expect the high-level write function
5455          * (e.g. mbedtls_ssl_write()) to be called with the same parameters
5456          */
5457         if( ( ret = mbedtls_ssl_flush_output( ssl ) ) != 0 )
5458         {
5459             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_flush_output", ret );
5460             return( ret );
5461         }
5462     }
5463     else
5464     {
5465         /*
5466          * The user is trying to send a message the first time, so we need to
5467          * copy the data into the internal buffers and setup the data structure
5468          * to keep track of partial writes
5469          */
5470         ssl->out_msglen  = len;
5471         ssl->out_msgtype = MBEDTLS_SSL_MSG_APPLICATION_DATA;
5472         memcpy( ssl->out_msg, buf, len );
5473 
5474         if( ( ret = mbedtls_ssl_write_record( ssl, SSL_FORCE_FLUSH ) ) != 0 )
5475         {
5476             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_record", ret );
5477             return( ret );
5478         }
5479     }
5480 
5481     return( (int) len );
5482 }
5483 
5484 /*
5485  * Write application data (public-facing wrapper)
5486  */
mbedtls_ssl_write(mbedtls_ssl_context * ssl,const unsigned char * buf,size_t len)5487 int mbedtls_ssl_write( mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
5488 {
5489     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5490 
5491     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write" ) );
5492 
5493     if( ssl == NULL || ssl->conf == NULL )
5494         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5495 
5496 #if defined(MBEDTLS_SSL_RENEGOTIATION)
5497     if( ( ret = ssl_check_ctr_renegotiate( ssl ) ) != 0 )
5498     {
5499         MBEDTLS_SSL_DEBUG_RET( 1, "ssl_check_ctr_renegotiate", ret );
5500         return( ret );
5501     }
5502 #endif
5503 
5504     if( ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER )
5505     {
5506         if( ( ret = mbedtls_ssl_handshake( ssl ) ) != 0 )
5507         {
5508             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_handshake", ret );
5509             return( ret );
5510         }
5511     }
5512 
5513     ret = ssl_write_real( ssl, buf, len );
5514 
5515     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write" ) );
5516 
5517     return( ret );
5518 }
5519 
5520 /*
5521  * Notify the peer that the connection is being closed
5522  */
mbedtls_ssl_close_notify(mbedtls_ssl_context * ssl)5523 int mbedtls_ssl_close_notify( mbedtls_ssl_context *ssl )
5524 {
5525     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
5526 
5527     if( ssl == NULL || ssl->conf == NULL )
5528         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
5529 
5530     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );
5531 
5532     if( ssl->out_left != 0 )
5533         return( mbedtls_ssl_flush_output( ssl ) );
5534 
5535     if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER )
5536     {
5537         if( ( ret = mbedtls_ssl_send_alert_message( ssl,
5538                         MBEDTLS_SSL_ALERT_LEVEL_WARNING,
5539                         MBEDTLS_SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
5540         {
5541             MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_send_alert_message", ret );
5542             return( ret );
5543         }
5544     }
5545 
5546     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );
5547 
5548     return( 0 );
5549 }
5550 
mbedtls_ssl_transform_free(mbedtls_ssl_transform * transform)5551 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform )
5552 {
5553     if( transform == NULL )
5554         return;
5555 
5556     mbedtls_cipher_free( &transform->cipher_ctx_enc );
5557     mbedtls_cipher_free( &transform->cipher_ctx_dec );
5558 
5559 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
5560     mbedtls_md_free( &transform->md_ctx_enc );
5561     mbedtls_md_free( &transform->md_ctx_dec );
5562 #endif
5563 
5564     mbedtls_platform_zeroize( transform, sizeof( mbedtls_ssl_transform ) );
5565 }
5566 
mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context * ssl,mbedtls_ssl_transform * transform)5567 void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl,
5568                                         mbedtls_ssl_transform *transform )
5569 {
5570     ssl->transform_in = transform;
5571     memset( ssl->in_ctr, 0, MBEDTLS_SSL_SEQUENCE_NUMBER_LEN );
5572 }
5573 
mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context * ssl,mbedtls_ssl_transform * transform)5574 void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
5575                                          mbedtls_ssl_transform *transform )
5576 {
5577     ssl->transform_out = transform;
5578     memset( ssl->cur_out_ctr, 0, sizeof( ssl->cur_out_ctr ) );
5579 }
5580 
5581 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5582 
mbedtls_ssl_buffering_free(mbedtls_ssl_context * ssl)5583 void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl )
5584 {
5585     unsigned offset;
5586     mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5587 
5588     if( hs == NULL )
5589         return;
5590 
5591     ssl_free_buffered_record( ssl );
5592 
5593     for( offset = 0; offset < MBEDTLS_SSL_MAX_BUFFERED_HS; offset++ )
5594         ssl_buffering_free_slot( ssl, offset );
5595 }
5596 
ssl_buffering_free_slot(mbedtls_ssl_context * ssl,uint8_t slot)5597 static void ssl_buffering_free_slot( mbedtls_ssl_context *ssl,
5598                                      uint8_t slot )
5599 {
5600     mbedtls_ssl_handshake_params * const hs = ssl->handshake;
5601     mbedtls_ssl_hs_buffer * const hs_buf = &hs->buffering.hs[slot];
5602 
5603     if( slot >= MBEDTLS_SSL_MAX_BUFFERED_HS )
5604         return;
5605 
5606     if( hs_buf->is_valid == 1 )
5607     {
5608         hs->buffering.total_bytes_buffered -= hs_buf->data_len;
5609         mbedtls_platform_zeroize( hs_buf->data, hs_buf->data_len );
5610         mbedtls_free( hs_buf->data );
5611         memset( hs_buf, 0, sizeof( mbedtls_ssl_hs_buffer ) );
5612     }
5613 }
5614 
5615 #endif /* MBEDTLS_SSL_PROTO_DTLS */
5616 
5617 /*
5618  * Convert version numbers to/from wire format
5619  * and, for DTLS, to/from TLS equivalent.
5620  *
5621  * For TLS this is the identity.
5622  * For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
5623  * 1.x <-> 3.x+1    for x != 0 (DTLS 1.2 based on TLS 1.2)
5624  */
mbedtls_ssl_write_version(int major,int minor,int transport,unsigned char ver[2])5625 void mbedtls_ssl_write_version( int major, int minor, int transport,
5626                         unsigned char ver[2] )
5627 {
5628 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5629     if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5630     {
5631         if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
5632             --minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5633 
5634         ver[0] = (unsigned char)( 255 - ( major - 2 ) );
5635         ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
5636     }
5637     else
5638 #else
5639     ((void) transport);
5640 #endif
5641     {
5642         ver[0] = (unsigned char) major;
5643         ver[1] = (unsigned char) minor;
5644     }
5645 }
5646 
mbedtls_ssl_read_version(int * major,int * minor,int transport,const unsigned char ver[2])5647 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
5648                        const unsigned char ver[2] )
5649 {
5650 #if defined(MBEDTLS_SSL_PROTO_DTLS)
5651     if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
5652     {
5653         *major = 255 - ver[0] + 2;
5654         *minor = 255 - ver[1] + 1;
5655 
5656         if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
5657             ++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
5658     }
5659     else
5660 #else
5661     ((void) transport);
5662 #endif
5663     {
5664         *major = ver[0];
5665         *minor = ver[1];
5666     }
5667 }
5668 
5669 /*
5670  * Send pending fatal alert.
5671  * 0,   No alert message.
5672  * !0,  if mbedtls_ssl_send_alert_message() returned in error, the error code it
5673  *      returned, ssl->alert_reason otherwise.
5674  */
mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context * ssl)5675 int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl )
5676 {
5677     int ret;
5678 
5679     /* No pending alert, return success*/
5680     if( ssl->send_alert == 0 )
5681         return( 0 );
5682 
5683     ret = mbedtls_ssl_send_alert_message( ssl,
5684                                 MBEDTLS_SSL_ALERT_LEVEL_FATAL,
5685                                 ssl->alert_type );
5686 
5687     /* If mbedtls_ssl_send_alert_message() returned with MBEDTLS_ERR_SSL_WANT_WRITE,
5688      * do not clear the alert to be able to send it later.
5689      */
5690     if( ret != MBEDTLS_ERR_SSL_WANT_WRITE )
5691     {
5692         ssl->send_alert = 0;
5693     }
5694 
5695     if( ret != 0 )
5696         return( ret );
5697 
5698     return( ssl->alert_reason );
5699 }
5700 
5701 /*
5702  * Set pending fatal alert flag.
5703  */
mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context * ssl,unsigned char alert_type,int alert_reason)5704 void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl,
5705                                    unsigned char alert_type,
5706                                    int alert_reason )
5707 {
5708     ssl->send_alert = 1;
5709     ssl->alert_type = alert_type;
5710     ssl->alert_reason = alert_reason;
5711 }
5712 
5713 #endif /* MBEDTLS_SSL_TLS_C */
5714