|
|
#include "constant_time_internal.h" |
|
|
#include "mbedtls/constant_time.h" |
|
|
|
|
|
#include <limits.h> |
|
|
#include <string.h> |
|
|
|
|
|
#if defined(MBEDTLS_USE_PSA_CRYPTO) |
| ... |
... |
@@ -3220,19 +3221,34 @@ static uint32_t ssl_get_hs_total_len(mbedtls_ssl_context const *ssl) |
|
|
|
|
|
int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) |
|
|
{ |
|
|
if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) { |
|
|
MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET, |
|
|
ssl->in_msglen)); |
|
|
return MBEDTLS_ERR_SSL_INVALID_RECORD; |
|
|
} |
|
|
if (ssl->badmac_seen_or_in_hsfraglen == 0) { |
|
|
/* The handshake message must at least include the header. |
|
|
* We may not have the full message yet in case of fragmentation. |
|
|
* To simplify the code, we insist on having the header (and in |
|
|
* particular the handshake message length) in the first |
|
|
* fragment. */ |
|
|
if (ssl->in_msglen < mbedtls_ssl_hs_hdr_len(ssl)) { |
|
|
MBEDTLS_SSL_DEBUG_MSG(1, ("handshake message too short: %" MBEDTLS_PRINTF_SIZET, |
|
|
ssl->in_msglen)); |
|
|
return MBEDTLS_ERR_SSL_INVALID_RECORD; |
|
|
} |
|
|
|
|
|
ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl); |
|
|
ssl->in_hslen = mbedtls_ssl_hs_hdr_len(ssl) + ssl_get_hs_total_len(ssl); |
|
|
} |
|
|
|
|
|
MBEDTLS_SSL_DEBUG_MSG(3, ("handshake message: msglen =" |
|
|
" %" MBEDTLS_PRINTF_SIZET ", type = %u, hslen = %" |
|
|
MBEDTLS_PRINTF_SIZET, |
|
|
ssl->in_msglen, ssl->in_msg[0], ssl->in_hslen)); |
|
|
|
|
|
if (ssl->transform_in != NULL) { |
|
|
MBEDTLS_SSL_DEBUG_MSG(4, ("decrypted handshake message:" |
|
|
" iv-buf=%d hdr-buf=%d hdr-buf=%d", |
|
|
(int) (ssl->in_iv - ssl->in_buf), |
|
|
(int) (ssl->in_hdr - ssl->in_buf), |
|
|
(int) (ssl->in_msg - ssl->in_buf))); |
|
|
} |
|
|
|
|
|
#if defined(MBEDTLS_SSL_PROTO_DTLS) |
|
|
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
| ... |
... |
@@ -3292,10 +3308,103 @@ int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl) |
|
|
} |
|
|
} else |
|
|
#endif /* MBEDTLS_SSL_PROTO_DTLS */ |
|
|
/* With TLS we don't handle fragmentation (for now) */ |
|
|
if (ssl->in_msglen < ssl->in_hslen) { |
|
|
MBEDTLS_SSL_DEBUG_MSG(1, ("TLS handshake fragmentation not supported")); |
|
|
return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; |
|
|
{ |
|
|
unsigned char *const reassembled_record_start = |
|
|
ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; |
|
|
unsigned char *const payload_start = |
|
|
reassembled_record_start + mbedtls_ssl_in_hdr_len(ssl); |
|
|
unsigned char *payload_end = payload_start + ssl->badmac_seen_or_in_hsfraglen; |
|
|
/* How many more bytes we want to have a complete handshake message. */ |
|
|
const size_t hs_remain = ssl->in_hslen - ssl->badmac_seen_or_in_hsfraglen; |
|
|
/* How many bytes of the current record are part of the first |
|
|
* handshake message. There may be more handshake messages (possibly |
|
|
* incomplete) in the same record; if so, we leave them after the |
|
|
* current record, and ssl_consume_current_message() will take |
|
|
* care of consuming the next handshake message. */ |
|
|
const size_t hs_this_fragment_len = |
|
|
ssl->in_msglen > hs_remain ? hs_remain : ssl->in_msglen; |
|
|
(void) hs_this_fragment_len; |
|
|
|
|
|
MBEDTLS_SSL_DEBUG_MSG(3, |
|
|
("%s handshake fragment: %" MBEDTLS_PRINTF_SIZET |
|
|
", %u..%u of %" MBEDTLS_PRINTF_SIZET, |
|
|
(ssl->badmac_seen_or_in_hsfraglen != 0 ? |
|
|
"subsequent" : |
|
|
hs_this_fragment_len == ssl->in_hslen ? |
|
|
"sole" : |
|
|
"initial"), |
|
|
ssl->in_msglen, |
|
|
ssl->badmac_seen_or_in_hsfraglen, |
|
|
ssl->badmac_seen_or_in_hsfraglen + |
|
|
(unsigned) hs_this_fragment_len, |
|
|
ssl->in_hslen)); |
|
|
|
|
|
/* Move the received handshake fragment to have the whole message |
|
|
* (at least the part received so far) in a single segment at a |
|
|
* known offset in the input buffer. |
|
|
* - When receiving a non-initial handshake fragment, append it to |
|
|
* the initial segment. |
|
|
* - Even the initial handshake fragment is moved, if it was |
|
|
* encrypted with an explicit IV: decryption leaves the payload |
|
|
* after the explicit IV, but here we move it to start where the |
|
|
* IV was. |
|
|
*/ |
|
|
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) |
|
|
size_t const in_buf_len = ssl->in_buf_len; |
|
|
#else |
|
|
size_t const in_buf_len = MBEDTLS_SSL_IN_BUFFER_LEN; |
|
|
#endif |
|
|
if (payload_end + ssl->in_msglen > ssl->in_buf + in_buf_len) { |
|
|
MBEDTLS_SSL_DEBUG_MSG(1, |
|
|
("Shouldn't happen: no room to move handshake fragment %" |
|
|
MBEDTLS_PRINTF_SIZET " from %p to %p (buf=%p len=%" |
|
|
MBEDTLS_PRINTF_SIZET ")", |
|
|
ssl->in_msglen, |
|
|
(void *) ssl->in_msg, (void *) payload_end, |
|
|
(void *) ssl->in_buf, in_buf_len)); |
|
|
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
|
|
} |
|
|
memmove(payload_end, ssl->in_msg, ssl->in_msglen); |
|
|
|
|
|
ssl->badmac_seen_or_in_hsfraglen += (unsigned) ssl->in_msglen; |
|
|
payload_end += ssl->in_msglen; |
|
|
|
|
|
if (ssl->badmac_seen_or_in_hsfraglen < ssl->in_hslen) { |
|
|
MBEDTLS_SSL_DEBUG_MSG(3, ("Prepare: waiting for more handshake fragments " |
|
|
"%u/%" MBEDTLS_PRINTF_SIZET, |
|
|
ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen)); |
|
|
ssl->in_hdr = payload_end; |
|
|
ssl->in_msglen = 0; |
|
|
mbedtls_ssl_update_in_pointers(ssl); |
|
|
return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; |
|
|
} else { |
|
|
ssl->in_msglen = ssl->badmac_seen_or_in_hsfraglen; |
|
|
ssl->badmac_seen_or_in_hsfraglen = 0; |
|
|
ssl->in_hdr = reassembled_record_start; |
|
|
mbedtls_ssl_update_in_pointers(ssl); |
|
|
|
|
|
/* Update the record length in the fully reassembled record */ |
|
|
if (ssl->in_msglen > 0xffff) { |
|
|
MBEDTLS_SSL_DEBUG_MSG(1, |
|
|
("Shouldn't happen: in_msglen=%" |
|
|
MBEDTLS_PRINTF_SIZET " > 0xffff", |
|
|
ssl->in_msglen)); |
|
|
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
|
|
} |
|
|
MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0); |
|
|
|
|
|
size_t record_len = mbedtls_ssl_in_hdr_len(ssl) + ssl->in_msglen; |
|
|
(void) record_len; |
|
|
MBEDTLS_SSL_DEBUG_BUF(4, "reassembled record", |
|
|
ssl->in_hdr, record_len); |
|
|
if (ssl->in_hslen < ssl->in_msglen) { |
|
|
MBEDTLS_SSL_DEBUG_MSG(3, |
|
|
("More handshake messages in the record: " |
|
|
"%" MBEDTLS_PRINTF_SIZET " + %" MBEDTLS_PRINTF_SIZET, |
|
|
ssl->in_hslen, |
|
|
ssl->in_msglen - ssl->in_hslen)); |
|
|
} |
|
|
} |
|
|
} |
|
|
|
|
|
return 0; |
| ... |
... |
@@ -4640,6 +4749,14 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl) |
|
|
return MBEDTLS_ERR_SSL_INTERNAL_ERROR; |
|
|
} |
|
|
|
|
|
if (ssl->badmac_seen_or_in_hsfraglen != 0) { |
|
|
/* Not all handshake fragments have arrived, do not consume. */ |
|
|
MBEDTLS_SSL_DEBUG_MSG(3, ("Consume: waiting for more handshake fragments " |
|
|
"%u/%" MBEDTLS_PRINTF_SIZET, |
|
|
ssl->badmac_seen_or_in_hsfraglen, ssl->in_hslen)); |
|
|
return 0; |
|
|
} |
|
|
|
|
|
/* |
|
|
* Get next Handshake message in the current record |
|
|
*/ |
| ... |
... |
@@ -4665,6 +4782,7 @@ static int ssl_consume_current_message(mbedtls_ssl_context *ssl) |
|
|
ssl->in_msglen -= ssl->in_hslen; |
|
|
memmove(ssl->in_msg, ssl->in_msg + ssl->in_hslen, |
|
|
ssl->in_msglen); |
|
|
MBEDTLS_PUT_UINT16_BE(ssl->in_msglen, ssl->in_len, 0); |
|
|
|
|
|
MBEDTLS_SSL_DEBUG_BUF(4, "remaining content in record", |
|
|
ssl->in_msg, ssl->in_msglen); |
| ... |
... |
@@ -4967,10 +5085,12 @@ static int ssl_get_next_record(mbedtls_ssl_context *ssl) |
|
|
return ret; |
|
|
} |
|
|
|
|
|
if (ssl->conf->badmac_limit != 0 && |
|
|
++ssl->badmac_seen >= ssl->conf->badmac_limit) { |
|
|
MBEDTLS_SSL_DEBUG_MSG(1, ("too many records with bad MAC")); |
|
|
return MBEDTLS_ERR_SSL_INVALID_MAC; |
|
|
if (ssl->conf->badmac_limit != 0) { |
|
|
++ssl->badmac_seen_or_in_hsfraglen; |
|
|
if (ssl->badmac_seen_or_in_hsfraglen >= ssl->conf->badmac_limit) { |
|
|
MBEDTLS_SSL_DEBUG_MSG(1, ("too many records with bad MAC")); |
|
|
return MBEDTLS_ERR_SSL_INVALID_MAC; |
|
|
} |
|
|
} |
|
|
|
|
|
/* As above, invalid records cause |
| ... |
... |
@@ -5028,6 +5148,18 @@ int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl) |
|
|
{ |
|
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; |
|
|
|
|
|
/* If we're in the middle of a fragmented TLS handshake message, |
|
|
* we don't accept any other message type. For TLS 1.3, the spec forbids |
|
|
* interleaving other message types between handshake fragments. For TLS |
|
|
* 1.2, the spec does not forbid it but we do. */ |
|
|
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_STREAM && |
|
|
ssl->badmac_seen_or_in_hsfraglen != 0 && |
|
|
ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE) { |
|
|
MBEDTLS_SSL_DEBUG_MSG(1, ("non-handshake message in the middle" |
|
|
" of a fragmented handshake message")); |
|
|
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE; |
|
|
} |
|
|
|
|
|
/* |
|
|
* Handle particular types of records |
|
|
*/ |
| ... |
... |
@@ -5066,15 +5198,9 @@ int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl) |
|
|
|
|
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) |
|
|
if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { |
|
|
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) |
|
|
MBEDTLS_SSL_DEBUG_MSG(1, |
|
|
MBEDTLS_SSL_DEBUG_MSG(2, |
|
|
("Ignore ChangeCipherSpec in TLS 1.3 compatibility mode")); |
|
|
return MBEDTLS_ERR_SSL_CONTINUE_PROCESSING; |
|
|
#else |
|
|
MBEDTLS_SSL_DEBUG_MSG(1, |
|
|
("ChangeCipherSpec invalid in TLS 1.3 without compatibility mode")); |
|
|
return MBEDTLS_ERR_SSL_INVALID_RECORD; |
|
|
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ |
|
|
} |
|
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ |
|
|
} |
| ... |
... |
@@ -5345,7 +5471,7 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl) |
|
|
} else |
|
|
#endif |
|
|
{ |
|
|
ssl->in_ctr = ssl->in_hdr - MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; |
|
|
ssl->in_ctr = ssl->in_buf; |
|
|
ssl->in_len = ssl->in_hdr + 3; |
|
|
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) |
|
|
ssl->in_cid = ssl->in_len; |
| ... |
... |
@@ -5361,24 +5487,35 @@ void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl) |
|
|
* Setup an SSL context |
|
|
*/ |
|
|
|
|
|
void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl) |
|
|
void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl) |
|
|
{ |
|
|
#if defined(MBEDTLS_SSL_PROTO_DTLS) |
|
|
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
|
|
ssl->in_hdr = ssl->in_buf; |
|
|
} else |
|
|
#endif /* MBEDTLS_SSL_PROTO_DTLS */ |
|
|
{ |
|
|
ssl->in_hdr = ssl->in_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; |
|
|
} |
|
|
|
|
|
/* Derive other internal pointers. */ |
|
|
mbedtls_ssl_update_in_pointers(ssl); |
|
|
} |
|
|
|
|
|
void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl) |
|
|
{ |
|
|
/* Set the incoming and outgoing record pointers. */ |
|
|
#if defined(MBEDTLS_SSL_PROTO_DTLS) |
|
|
if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { |
|
|
ssl->out_hdr = ssl->out_buf; |
|
|
ssl->in_hdr = ssl->in_buf; |
|
|
} else |
|
|
#endif /* MBEDTLS_SSL_PROTO_DTLS */ |
|
|
{ |
|
|
ssl->out_ctr = ssl->out_buf; |
|
|
ssl->out_hdr = ssl->out_buf + 8; |
|
|
ssl->in_hdr = ssl->in_buf + 8; |
|
|
ssl->out_hdr = ssl->out_buf + MBEDTLS_SSL_SEQUENCE_NUMBER_LEN; |
|
|
} |
|
|
|
|
|
/* Derive other internal pointers. */ |
|
|
mbedtls_ssl_update_out_pointers(ssl, NULL /* no transform enabled */); |
|
|
mbedtls_ssl_update_in_pointers(ssl); |
|
|
} |
|
|
|
|
|
/* |
| ... |
... |
|