1 /**
2 * \file ssl_misc.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6 /*
7 * Copyright The Mbed TLS Contributors
8 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9 */
10 #ifndef MBEDTLS_SSL_MISC_H
11 #define MBEDTLS_SSL_MISC_H
12
13 #include "tf_psa_crypto_common.h"
14 #include "mbedtls/build_info.h"
15
16 #include "mbedtls/error.h"
17
18 #include "mbedtls/ssl.h"
19 #include "mbedtls/debug.h"
20 #include "debug_internal.h"
21
22 #include "mbedtls/cipher.h"
23
24 #include "psa/crypto.h"
25 #include "psa_util_internal.h"
26 extern const mbedtls_error_pair_t psa_to_ssl_errors[7];
27
28 #if defined(PSA_WANT_ALG_MD5)
29 #include "mbedtls/md5.h"
30 #endif
31
32 #if defined(PSA_WANT_ALG_SHA_1)
33 #include "mbedtls/sha1.h"
34 #endif
35
36 #if defined(PSA_WANT_ALG_SHA_256)
37 #include "mbedtls/sha256.h"
38 #endif
39
40 #if defined(PSA_WANT_ALG_SHA_512)
41 #include "mbedtls/sha512.h"
42 #endif
43
44 #include "mbedtls/pk.h"
45 #if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER)
46 #include <mbedtls/private/pk_private.h>
47 #endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */
48 #include "ssl_ciphersuites_internal.h"
49 #include "x509_internal.h"
50 #include "pk_internal.h"
51
52 /* Shorthand for restartable ECC */
53 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
54 defined(MBEDTLS_SSL_CLI_C) && \
55 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
56 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
57 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
58 #endif
59
60 /** Flag values for mbedtls_ssl_context::flags. */
61 typedef enum {
62 /** Set if mbedtls_ssl_set_hostname() has been called. */
63 MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET = 1,
64 } mbedtls_ssl_context_flags_t;
65
66 /** Flags from ::mbedtls_ssl_context_flags_t to keep in
67 * mbedtls_ssl_session_reset().
68 *
69 * The flags that are in this list are kept until explicitly updated or
70 * until mbedtls_ssl_free(). The flags that are not listed here are
71 * reset to 0 in mbedtls_ssl_session_reset().
72 */
73 #define MBEDTLS_SSL_CONTEXT_FLAGS_KEEP_AT_SESSION \
74 (MBEDTLS_SSL_CONTEXT_FLAG_HOSTNAME_SET)
75
76 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
77 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
78 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
79 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
80
81 /* Faked handshake message identity for HelloRetryRequest. */
82 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO)
83
84 /*
85 * Internal identity of handshake extensions
86 */
87 #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0
88 #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1
89 #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1
90 #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2
91 #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3
92 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4
93 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4
94 #define MBEDTLS_SSL_EXT_ID_SIG_ALG 5
95 #define MBEDTLS_SSL_EXT_ID_USE_SRTP 6
96 #define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7
97 #define MBEDTLS_SSL_EXT_ID_ALPN 8
98 #define MBEDTLS_SSL_EXT_ID_SCT 9
99 #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10
100 #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11
101 #define MBEDTLS_SSL_EXT_ID_PADDING 12
102 #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13
103 #define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14
104 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15
105 #define MBEDTLS_SSL_EXT_ID_COOKIE 16
106 #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17
107 #define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18
108 #define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19
109 #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20
110 #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21
111 #define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22
112 #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23
113 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24
114 #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25
115 #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26
116 #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27
117 #define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28
118
119 /* Utility for translating IANA extension type. */
120 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type);
121 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
122 /* Macros used to define mask constants */
123 #define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id))
124 /* Reset value of extension mask */
125 #define MBEDTLS_SSL_EXT_MASK_NONE 0
126
127 /* In messages containing extension requests, we should ignore unrecognized
128 * extensions. In messages containing extension responses, unrecognized
129 * extensions should result in handshake abortion. Messages containing
130 * extension requests include ClientHello, CertificateRequest and
131 * NewSessionTicket. Messages containing extension responses include
132 * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
133 *
134 * RFC 8446 section 4.1.3
135 *
136 * The ServerHello MUST only include extensions which are required to establish
137 * the cryptographic context and negotiate the protocol version.
138 *
139 * RFC 8446 section 4.2
140 *
141 * If an implementation receives an extension which it recognizes and which is
142 * not specified for the message in which it appears, it MUST abort the handshake
143 * with an "illegal_parameter" alert.
144 */
145
146 /* Extensions that are not recognized by TLS 1.3 */
147 #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \
148 (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \
149 MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \
150 MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \
151 MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \
152 MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \
153 MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED))
154
155 /* RFC 8446 section 4.2. Allowed extensions for ClientHello */
156 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
157 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
158 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
159 MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
160 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
161 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
162 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
163 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
164 MBEDTLS_SSL_EXT_MASK(ALPN) | \
165 MBEDTLS_SSL_EXT_MASK(SCT) | \
166 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
167 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
168 MBEDTLS_SSL_EXT_MASK(PADDING) | \
169 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
170 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
171 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \
172 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
173 MBEDTLS_SSL_EXT_MASK(COOKIE) | \
174 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \
175 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
176 MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \
177 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
178 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \
179 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
180
181 /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
182 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
183 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
184 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
185 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
186 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
187 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
188 MBEDTLS_SSL_EXT_MASK(ALPN) | \
189 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
190 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
191 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
192 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT))
193
194 /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
195 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
196 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
197 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
198 MBEDTLS_SSL_EXT_MASK(SCT) | \
199 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
200 MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \
201 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
202 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
203
204 /* RFC 8446 section 4.2. Allowed extensions for Certificate */
205 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
206 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
207 MBEDTLS_SSL_EXT_MASK(SCT))
208
209 /* RFC 8446 section 4.2. Allowed extensions for ServerHello */
210 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
211 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
212 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
213 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
214
215 /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
216 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
217 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
218 MBEDTLS_SSL_EXT_MASK(COOKIE) | \
219 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
220
221 /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
222 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
223 (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
224 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
225
226 /*
227 * Helper macros for function call with return check.
228 */
229 /*
230 * Exit when return non-zero value
231 */
232 #define MBEDTLS_SSL_PROC_CHK(f) \
233 do { \
234 ret = (f); \
235 if (ret != 0) \
236 { \
237 goto cleanup; \
238 } \
239 } while (0)
240 /*
241 * Exit when return negative value
242 */
243 #define MBEDTLS_SSL_PROC_CHK_NEG(f) \
244 do { \
245 ret = (f); \
246 if (ret < 0) \
247 { \
248 goto cleanup; \
249 } \
250 } while (0)
251
252 /*
253 * DTLS retransmission states, see RFC 6347 4.2.4
254 *
255 * The SENDING state is merged in PREPARING for initial sends,
256 * but is distinct for resends.
257 *
258 * Note: initial state is wrong for server, but is not used anyway.
259 */
260 #define MBEDTLS_SSL_RETRANS_PREPARING 0
261 #define MBEDTLS_SSL_RETRANS_SENDING 1
262 #define MBEDTLS_SSL_RETRANS_WAITING 2
263 #define MBEDTLS_SSL_RETRANS_FINISHED 3
264
265 /*
266 * Allow extra bytes for record, authentication and encryption overhead:
267 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
268 */
269
270 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
271
272 /* This macro determines whether CBC is supported. */
273 #if defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
274 (defined(PSA_WANT_KEY_TYPE_AES) || \
275 defined(PSA_WANT_KEY_TYPE_CAMELLIA) || \
276 defined(PSA_WANT_KEY_TYPE_ARIA))
277 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
278 #endif
279
280 /* This macro determines whether a ciphersuite using a
281 * stream cipher can be used. */
282 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
283 #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
284 #endif
285
286 /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
287 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
288 defined(MBEDTLS_SSL_PROTO_TLS1_2)
289 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
290 #endif
291
292 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
293 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
294 #define MBEDTLS_SSL_SOME_SUITES_USE_MAC
295 #endif
296
297 /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
298 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
299 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
300 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
301 #endif
302
303 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
304
305 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
306 /* Ciphersuites using HMAC */
307 #if defined(PSA_WANT_ALG_SHA_384)
308 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
309 #elif defined(PSA_WANT_ALG_SHA_256)
310 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
311 #else
312 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
313 #endif
314 #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
315 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
316 #define MBEDTLS_SSL_MAC_ADD 16
317 #endif
318
319 #if defined(PSA_WANT_ALG_CBC_NO_PADDING)
320 #define MBEDTLS_SSL_PADDING_ADD 256
321 #else
322 #define MBEDTLS_SSL_PADDING_ADD 0
323 #endif
324
325 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
326 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
327 #else
328 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
329 #endif
330
331 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \
332 MBEDTLS_SSL_MAC_ADD + \
333 MBEDTLS_SSL_PADDING_ADD + \
334 MBEDTLS_SSL_MAX_CID_EXPANSION \
335 )
336
337 #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
338 (MBEDTLS_SSL_IN_CONTENT_LEN))
339
340 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
341 (MBEDTLS_SSL_OUT_CONTENT_LEN))
342
343 /* The maximum number of buffered handshake messages. */
344 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
345
346 /* Maximum length we can advertise as our max content length for
347 RFC 6066 max_fragment_length extension negotiation purposes
348 (the lesser of both sizes, if they are unequal.)
349 */
350 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
351 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
352 ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \
353 : (MBEDTLS_SSL_IN_CONTENT_LEN) \
354 )
355
356 /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
357 #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534
358
359 /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
360 #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2
361
362 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
363 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
364
365 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
366
367 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
368
369 #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
370
371 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
372 #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig)
373 #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
374 #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
375 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
376
377 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
378
379 /*
380 * Check that we obey the standard's message size bounds
381 */
382
383 #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
384 #error "Bad configuration - incoming record content too large."
385 #endif
386
387 #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
388 #error "Bad configuration - outgoing record content too large."
389 #endif
390
391 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
392 #error "Bad configuration - incoming protected record payload too large."
393 #endif
394
395 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
396 #error "Bad configuration - outgoing protected record payload too large."
397 #endif
398
399 /* Calculate buffer sizes */
400
401 /* Note: Even though the TLS record header is only 5 bytes
402 long, we're internally using 8 bytes to store the
403 implicit sequence number. */
404 #define MBEDTLS_SSL_HEADER_LEN 13
405
406 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
407 #define MBEDTLS_SSL_IN_BUFFER_LEN \
408 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN))
409 #else
410 #define MBEDTLS_SSL_IN_BUFFER_LEN \
411 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \
412 + (MBEDTLS_SSL_CID_IN_LEN_MAX))
413 #endif
414
415 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
416 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
417 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN))
418 #else
419 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
420 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \
421 + (MBEDTLS_SSL_CID_OUT_LEN_MAX))
422 #endif
423
424 #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
425 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
426
427 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
428 /**
429 * \brief Return the maximum fragment length (payload, in bytes) for
430 * the output buffer. For the client, this is the configured
431 * value. For the server, it is the minimum of two - the
432 * configured value and the negotiated one.
433 *
434 * \sa mbedtls_ssl_conf_max_frag_len()
435 * \sa mbedtls_ssl_get_max_out_record_payload()
436 *
437 * \param ssl SSL context
438 *
439 * \return Current maximum fragment length for the output buffer.
440 */
441 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl);
442
443 /**
444 * \brief Return the maximum fragment length (payload, in bytes) for
445 * the input buffer. This is the negotiated maximum fragment
446 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
447 * If it is not defined either, the value is 2^14. This function
448 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
449 *
450 * \sa mbedtls_ssl_conf_max_frag_len()
451 * \sa mbedtls_ssl_get_max_in_record_payload()
452 *
453 * \param ssl SSL context
454 *
455 * \return Current maximum fragment length for the output buffer.
456 */
457 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
458 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
459
460 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
461 /**
462 * \brief Get the size limit in bytes for the protected outgoing records
463 * as defined in RFC 8449
464 *
465 * \param ssl SSL context
466 *
467 * \return The size limit in bytes for the protected outgoing
468 * records as defined in RFC 8449.
469 */
470 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl);
471 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
472
473 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context * ctx)474 static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
475 {
476 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
477 return mbedtls_ssl_get_output_max_frag_len(ctx)
478 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
479 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
480 #else
481 return mbedtls_ssl_get_output_max_frag_len(ctx)
482 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
483 #endif
484 }
485
mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context * ctx)486 static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx)
487 {
488 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
489 return mbedtls_ssl_get_input_max_frag_len(ctx)
490 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
491 + MBEDTLS_SSL_CID_IN_LEN_MAX;
492 #else
493 return mbedtls_ssl_get_input_max_frag_len(ctx)
494 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
495 #endif
496 }
497 #endif
498
499 /*
500 * TLS extension flags (for extensions with outgoing ServerHello content
501 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
502 * of state of the renegotiation flag, so no indicator is required)
503 */
504 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
505 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
506
507 /**
508 * \brief This function checks if the remaining size in a buffer is
509 * greater or equal than a needed space.
510 *
511 * \param cur Pointer to the current position in the buffer.
512 * \param end Pointer to one past the end of the buffer.
513 * \param need Needed space in bytes.
514 *
515 * \return Zero if the needed space is available in the buffer, non-zero
516 * otherwise.
517 */
518 #if !defined(MBEDTLS_TEST_HOOKS)
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)519 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
520 const uint8_t *end, size_t need)
521 {
522 return (cur > end) || (need > (size_t) (end - cur));
523 }
524 #else
525 typedef struct {
526 const uint8_t *cur;
527 const uint8_t *end;
528 size_t need;
529 } mbedtls_ssl_chk_buf_ptr_args;
530
531 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
532 const uint8_t *cur, const uint8_t *end, size_t need);
533 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void);
534
535 MBEDTLS_CHECK_RETURN_CRITICAL
536 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args);
537
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)538 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
539 const uint8_t *end, size_t need)
540 {
541 if ((cur > end) || (need > (size_t) (end - cur))) {
542 mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need);
543 return 1;
544 }
545 return 0;
546 }
547 #endif /* MBEDTLS_TEST_HOOKS */
548
549 /**
550 * \brief This macro checks if the remaining size in a buffer is
551 * greater or equal than a needed space. If it is not the case,
552 * it returns an SSL_BUFFER_TOO_SMALL error.
553 *
554 * \param cur Pointer to the current position in the buffer.
555 * \param end Pointer to one past the end of the buffer.
556 * \param need Needed space in bytes.
557 *
558 */
559 #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \
560 do { \
561 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
562 { \
563 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \
564 } \
565 } while (0)
566
567 /**
568 * \brief This macro checks if the remaining length in an input buffer is
569 * greater or equal than a needed length. If it is not the case, it
570 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
571 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
572 *
573 * This is a function-like macro. It is guaranteed to evaluate each
574 * argument exactly once.
575 *
576 * \param cur Pointer to the current position in the buffer.
577 * \param end Pointer to one past the end of the buffer.
578 * \param need Needed length in bytes.
579 *
580 */
581 #define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \
582 do { \
583 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
584 { \
585 MBEDTLS_SSL_DEBUG_MSG(1, \
586 ("missing input data in %s", __func__)); \
587 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
588 MBEDTLS_ERR_SSL_DECODE_ERROR); \
589 return MBEDTLS_ERR_SSL_DECODE_ERROR; \
590 } \
591 } while (0)
592
593 #ifdef __cplusplus
594 extern "C" {
595 #endif
596
597 typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
598 const char *label,
599 const unsigned char *random, size_t rlen,
600 unsigned char *dstbuf, size_t dlen);
601
602 /* cipher.h exports the maximum IV, key and block length from
603 * all ciphers enabled in the config, regardless of whether those
604 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
605 * in the default configuration and uses 64 Byte keys, but it is
606 * not used for record protection in SSL/TLS.
607 *
608 * In order to prevent unnecessary inflation of key structures,
609 * we introduce SSL-specific variants of the max-{key,block,IV}
610 * macros here which are meant to only take those ciphers into
611 * account which can be negotiated in SSL/TLS.
612 *
613 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
614 * in cipher.h are rough overapproximations of the real maxima, here
615 * we content ourselves with replicating those overapproximations
616 * for the maximum block and IV length, and excluding XTS from the
617 * computation of the maximum key length. */
618 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
619 #define MBEDTLS_SSL_MAX_IV_LENGTH 16
620 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32
621
622 /**
623 * \brief The data structure holding the cryptographic material (key and IV)
624 * used for record protection in TLS 1.3.
625 */
626 struct mbedtls_ssl_key_set {
627 /*! The key for client->server records. */
628 unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
629 /*! The key for server->client records. */
630 unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
631 /*! The IV for client->server records. */
632 unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
633 /*! The IV for server->client records. */
634 unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
635
636 size_t key_len; /*!< The length of client_write_key and
637 * server_write_key, in Bytes. */
638 size_t iv_len; /*!< The length of client_write_iv and
639 * server_write_iv, in Bytes. */
640 };
641 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
642
643 typedef struct {
644 unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE];
645 unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
646 unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
647 } mbedtls_ssl_tls13_early_secrets;
648
649 typedef struct {
650 unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
651 unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
652 } mbedtls_ssl_tls13_handshake_secrets;
653
654 /*
655 * This structure contains the parameters only needed during handshake.
656 */
657 struct mbedtls_ssl_handshake_params {
658 /* Frequently-used boolean or byte fields (placed early to take
659 * advantage of smaller code size for indirect access on Arm Thumb) */
660 uint8_t resume; /*!< session resume indicator*/
661 uint8_t cli_exts; /*!< client extension presence*/
662
663 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
664 uint8_t sni_authmode; /*!< authmode from SNI callback */
665 #endif
666
667 #if defined(MBEDTLS_SSL_SRV_C)
668 /* Flag indicating if a CertificateRequest message has been sent
669 * to the client or not. */
670 uint8_t certificate_request_sent;
671 #if defined(MBEDTLS_SSL_EARLY_DATA)
672 /* Flag indicating if the server has accepted early data or not. */
673 uint8_t early_data_accepted;
674 #endif
675 #endif /* MBEDTLS_SSL_SRV_C */
676
677 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
678 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
679 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
680
681 #if defined(MBEDTLS_SSL_CLI_C)
682 /** Minimum TLS version to be negotiated.
683 *
684 * It is set up in the ClientHello writing preparation stage and used
685 * throughout the ClientHello writing. Not relevant anymore as soon as
686 * the protocol version has been negotiated thus as soon as the
687 * ServerHello is received.
688 * For a fresh handshake not linked to any previous handshake, it is
689 * equal to the configured minimum minor version to be negotiated. When
690 * renegotiating or resuming a session, it is equal to the previously
691 * negotiated minor version.
692 *
693 * There is no maximum TLS version field in this handshake context.
694 * From the start of the handshake, we need to define a current protocol
695 * version for the record layer which we define as the maximum TLS
696 * version to be negotiated. The `tls_version` field of the SSL context is
697 * used to store this maximum value until it contains the actual
698 * negotiated value.
699 */
700 mbedtls_ssl_protocol_version min_tls_version;
701 #endif
702
703 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
704 uint8_t extended_ms; /*!< use Extended Master Secret? */
705 #endif
706
707 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
708 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
709 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
710
711 #if defined(MBEDTLS_SSL_PROTO_DTLS)
712 unsigned char retransmit_state; /*!< Retransmission state */
713 #endif
714
715 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
716 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
717 enum { /* this complements ssl->state with info on intra-state operations */
718 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
719 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
720 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
721 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
722 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
723 } ecrs_state; /*!< current (or last) operation */
724 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
725 size_t ecrs_n; /*!< place for saving a length */
726 #endif
727
728 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
729
730 MBEDTLS_CHECK_RETURN_CRITICAL
731 int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
732 MBEDTLS_CHECK_RETURN_CRITICAL
733 int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
734 MBEDTLS_CHECK_RETURN_CRITICAL
735 int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
736 mbedtls_ssl_tls_prf_cb *tls_prf;
737
738 /*
739 * Handshake specific crypto variables
740 */
741 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
742 uint8_t key_exchange_mode; /*!< Selected key exchange mode */
743
744 /**
745 * Flag indicating if, in the course of the current handshake, an
746 * HelloRetryRequest message has been sent by the server or received by
747 * the client (<> 0) or not (0).
748 */
749 uint8_t hello_retry_request_flag;
750
751 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
752 /**
753 * Flag indicating if, in the course of the current handshake, a dummy
754 * change_cipher_spec (CCS) record has already been sent. Used to send only
755 * one CCS per handshake while not complicating the handshake state
756 * transitions for that purpose.
757 */
758 uint8_t ccs_sent;
759 #endif
760
761 #if defined(MBEDTLS_SSL_SRV_C)
762 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
763 uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
764 #endif
765 /** selected_group of key_share extension in HelloRetryRequest message. */
766 uint16_t hrr_selected_group;
767 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
768 uint16_t new_session_tickets_count; /*!< number of session tickets */
769 #endif
770 #endif /* MBEDTLS_SSL_SRV_C */
771
772 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
773
774 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
775 uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
776 #endif
777
778 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
779 const uint16_t *group_list;
780 const uint16_t *sig_algs;
781 #endif
782
783 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
784 psa_key_type_t xxdh_psa_type;
785 size_t xxdh_psa_bits;
786 mbedtls_svc_key_id_t xxdh_psa_privkey;
787 uint8_t xxdh_psa_privkey_is_external;
788 unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
789 size_t xxdh_psa_peerkey_len;
790 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
791
792 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
793 psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */
794 mbedtls_svc_key_id_t psa_pake_password;
795 uint8_t psa_pake_ctx_is_ok;
796 #if defined(MBEDTLS_SSL_CLI_C)
797 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
798 size_t ecjpake_cache_len; /*!< Length of cached data */
799 #endif
800 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
801
802 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
803 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) || \
804 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
805 uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */
806 #endif
807
808 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
809 mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
810 uint8_t psk_opaque_is_internal;
811 uint16_t selected_identity;
812 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
813
814 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
815 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
816 #endif
817
818 #if defined(MBEDTLS_X509_CRT_PARSE_C)
819 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
820 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
821 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
822 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
823 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
824 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
825 #endif /* MBEDTLS_X509_CRT_PARSE_C */
826
827 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
828 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
829 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
830 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
831
832 struct {
833 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
834 * buffers used for message buffering. */
835
836 uint8_t seen_ccs; /*!< Indicates if a CCS message has
837 * been seen in the current flight. */
838
839 struct mbedtls_ssl_hs_buffer {
840 unsigned is_valid : 1;
841 unsigned is_fragmented : 1;
842 unsigned is_complete : 1;
843 unsigned char *data;
844 size_t data_len;
845 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
846
847 struct {
848 unsigned char *data;
849 size_t len;
850 unsigned epoch;
851 } future_record;
852
853 } buffering;
854
855 #if defined(MBEDTLS_SSL_CLI_C) && \
856 (defined(MBEDTLS_SSL_PROTO_DTLS) || \
857 defined(MBEDTLS_SSL_PROTO_TLS1_3))
858 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
859 * HelloRetryRequest cookie for TLS 1.3 */
860 #if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
861 /* RFC 6347 page 15
862 ...
863 opaque cookie<0..2^8-1>;
864 ...
865 */
866 uint8_t cookie_len;
867 #else
868 /* RFC 8446 page 39
869 ...
870 opaque cookie<0..2^16-1>;
871 ...
872 If TLS1_3 is enabled, the max length is 2^16 - 1
873 */
874 uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length
875 * TLS1_3: HelloRetryRequest cookie length */
876 #endif
877 #endif /* MBEDTLS_SSL_CLI_C &&
878 ( MBEDTLS_SSL_PROTO_DTLS ||
879 MBEDTLS_SSL_PROTO_TLS1_3 ) */
880 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS)
881 unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */
882 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */
883
884 #if defined(MBEDTLS_SSL_PROTO_DTLS)
885 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
886 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
887
888 uint32_t retransmit_timeout; /*!< Current value of timeout */
889 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
890 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
891 unsigned char *cur_msg_p; /*!< Position in current message */
892 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
893 flight being received */
894 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
895 resending messages */
896 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
897 for resending messages */
898
899 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
900 /* The state of CID configuration in this handshake. */
901
902 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
903 * has been negotiated. Possible values are
904 * #MBEDTLS_SSL_CID_ENABLED and
905 * #MBEDTLS_SSL_CID_DISABLED. */
906 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */
907 uint8_t peer_cid_len; /*!< The length of
908 * \c peer_cid. */
909 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
910
911 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
912 #endif /* MBEDTLS_SSL_PROTO_DTLS */
913
914 /*
915 * Checksum contexts
916 */
917 #if defined(PSA_WANT_ALG_SHA_256)
918 psa_hash_operation_t fin_sha256_psa;
919 #endif
920 #if defined(PSA_WANT_ALG_SHA_384)
921 psa_hash_operation_t fin_sha384_psa;
922 #endif
923
924 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
925 uint16_t offered_group_id; /* The NamedGroup value for the group
926 * that is being used for ephemeral
927 * key exchange.
928 *
929 * On the client: Defaults to the first
930 * entry in the client's group list,
931 * but can be overwritten by the HRR. */
932 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
933
934 #if defined(MBEDTLS_SSL_CLI_C)
935 uint8_t client_auth; /*!< used to check if CertificateRequest has been
936 received from server side. If CertificateRequest
937 has been received, Certificate and CertificateVerify
938 should be sent to server */
939 #endif /* MBEDTLS_SSL_CLI_C */
940 /*
941 * State-local variables used during the processing
942 * of a specific handshake state.
943 */
944 union {
945 /* Outgoing Finished message */
946 struct {
947 uint8_t preparation_done;
948
949 /* Buffer holding digest of the handshake up to
950 * but excluding the outgoing finished message. */
951 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
952 size_t digest_len;
953 } finished_out;
954
955 /* Incoming Finished message */
956 struct {
957 uint8_t preparation_done;
958
959 /* Buffer holding digest of the handshake up to but
960 * excluding the peer's incoming finished message. */
961 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
962 size_t digest_len;
963 } finished_in;
964
965 } state_local;
966
967 /* End of state-local variables. */
968
969 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
970 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
971 /*!< random bytes */
972 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
973 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
974 /*!< premaster secret */
975 size_t pmslen; /*!< premaster length */
976 #endif
977
978 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
979 uint32_t sent_extensions; /*!< extensions sent by endpoint */
980 uint32_t received_extensions; /*!< extensions received by endpoint */
981
982 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
983 unsigned char certificate_request_context_len;
984 unsigned char *certificate_request_context;
985 #endif
986
987 /** TLS 1.3 transform for encrypted handshake messages. */
988 mbedtls_ssl_transform *transform_handshake;
989 union {
990 unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE];
991 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
992 unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE];
993 } tls13_master_secrets;
994
995 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
996 #if defined(MBEDTLS_SSL_EARLY_DATA)
997 /** TLS 1.3 transform for early data and handshake messages. */
998 mbedtls_ssl_transform *transform_earlydata;
999 #endif
1000 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1001
1002 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
1003 /** Asynchronous operation context. This field is meant for use by the
1004 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
1005 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
1006 * The library does not use it internally. */
1007 void *user_async_ctx;
1008 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
1009
1010 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1011 const unsigned char *sni_name; /*!< raw SNI */
1012 size_t sni_name_len; /*!< raw SNI len */
1013 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
1014 const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
1015 #endif
1016 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1017 };
1018
1019 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
1020
1021 /*
1022 * Representation of decryption/encryption transformations on records
1023 *
1024 * There are the following general types of record transformations:
1025 * - Stream transformations (TLS versions == 1.2 only)
1026 * Transformation adding a MAC and applying a stream-cipher
1027 * to the authenticated message.
1028 * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
1029 * For TLS 1.2, no IV is generated at key extraction time, but every
1030 * encrypted record is explicitly prefixed by the IV with which it was
1031 * encrypted.
1032 * - AEAD transformations ([D]TLS versions == 1.2 only)
1033 * These come in two fundamentally different versions, the first one
1034 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
1035 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
1036 * In the first transformation, the IV to be used for a record is obtained
1037 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
1038 * record sequence number, and explicitly prepending this sequence number
1039 * to the encrypted record. In contrast, in the second transformation
1040 * the IV is obtained by XOR'ing a static IV obtained at key extraction
1041 * time with the 8-byte record sequence number, without prepending the
1042 * latter to the encrypted record.
1043 *
1044 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
1045 * which allows to add flexible length padding and to hide a record's true
1046 * content type.
1047 *
1048 * In addition to type and version, the following parameters are relevant:
1049 * - The symmetric cipher algorithm to be used.
1050 * - The (static) encryption/decryption keys for the cipher.
1051 * - For stream/CBC, the type of message digest to be used.
1052 * - For stream/CBC, (static) encryption/decryption keys for the digest.
1053 * - For AEAD transformations, the size (potentially 0) of an explicit,
1054 * random initialization vector placed in encrypted records.
1055 * - For some transformations (currently AEAD) an implicit IV. It is static
1056 * and (if present) is combined with the explicit IV in a transformation-
1057 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
1058 * - For stream/CBC, a flag determining the order of encryption and MAC.
1059 * - The details of the transformation depend on the SSL/TLS version.
1060 * - The length of the authentication tag.
1061 *
1062 * The struct below refines this abstract view as follows:
1063 * - The cipher underlying the transformation is managed in
1064 * cipher contexts cipher_ctx_{enc/dec}, which must have the
1065 * same cipher type. The mode of these cipher contexts determines
1066 * the type of the transformation in the sense above: e.g., if
1067 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
1068 * then the transformation has type CBC resp. AEAD.
1069 * - The cipher keys are never stored explicitly but
1070 * are maintained within cipher_ctx_{enc/dec}.
1071 * - For stream/CBC transformations, the message digest contexts
1072 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
1073 * are unused for AEAD transformations.
1074 * - For stream/CBC transformations, the MAC keys are not stored explicitly
1075 * but maintained within md_ctx_{enc/dec}.
1076 * - The mac_enc and mac_dec fields are unused for EAD transformations.
1077 * - For transformations using an implicit IV maintained within
1078 * the transformation context, its contents are stored within
1079 * iv_{enc/dec}.
1080 * - The value of ivlen indicates the length of the IV.
1081 * This is redundant in case of stream/CBC transformations
1082 * which always use 0 resp. the cipher's block length as the
1083 * IV length, but is needed for AEAD ciphers and may be
1084 * different from the underlying cipher's block length
1085 * in this case.
1086 * - The field fixed_ivlen is nonzero for AEAD transformations only
1087 * and indicates the length of the static part of the IV which is
1088 * constant throughout the communication, and which is stored in
1089 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
1090 * - tls_version denotes the 2-byte TLS version
1091 * - For stream/CBC transformations, maclen denotes the length of the
1092 * authentication tag, while taglen is unused and 0.
1093 * - For AEAD transformations, taglen denotes the length of the
1094 * authentication tag, while maclen is unused and 0.
1095 * - For CBC transformations, encrypt_then_mac determines the
1096 * order of encryption and authentication. This field is unused
1097 * in other transformations.
1098 *
1099 */
1100 struct mbedtls_ssl_transform {
1101 /*
1102 * Session specific crypto layer
1103 */
1104 size_t minlen; /*!< min. ciphertext length */
1105 size_t ivlen; /*!< IV length */
1106 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
1107 size_t maclen; /*!< MAC(CBC) len */
1108 size_t taglen; /*!< TAG(AEAD) len */
1109
1110 unsigned char iv_enc[16]; /*!< IV (encryption) */
1111 unsigned char iv_dec[16]; /*!< IV (decryption) */
1112
1113 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1114
1115 mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
1116 mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
1117 psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
1118
1119 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1120 int encrypt_then_mac; /*!< flag for EtM activation */
1121 #endif
1122
1123 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
1124
1125 mbedtls_ssl_protocol_version tls_version;
1126
1127 mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
1128 mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
1129 psa_algorithm_t psa_alg; /*!< psa algorithm */
1130
1131 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1132 uint8_t in_cid_len;
1133 uint8_t out_cid_len;
1134 unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
1135 unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
1136 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1137
1138 #if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
1139 /* We need the Hello random bytes in order to re-derive keys from the
1140 * Master Secret and other session info and for the keying material
1141 * exporter in TLS 1.2.
1142 * See ssl_tls12_populate_transform() */
1143 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
1144 MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
1145 /*!< ServerHello.random+ClientHello.random */
1146 #endif /* defined(MBEDTLS_SSL_KEEP_RANDBYTES) */
1147 };
1148
1149 /*
1150 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
1151 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
1152 */
mbedtls_ssl_transform_uses_aead(const mbedtls_ssl_transform * transform)1153 static inline int mbedtls_ssl_transform_uses_aead(
1154 const mbedtls_ssl_transform *transform)
1155 {
1156 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1157 return transform->maclen == 0 && transform->taglen != 0;
1158 #else
1159 (void) transform;
1160 return 1;
1161 #endif
1162 }
1163
1164 /*
1165 * Internal representation of record frames
1166 *
1167 * Instances come in two flavors:
1168 * (1) Encrypted
1169 * These always have data_offset = 0
1170 * (2) Unencrypted
1171 * These have data_offset set to the amount of
1172 * pre-expansion during record protection. Concretely,
1173 * this is the length of the fixed part of the explicit IV
1174 * used for encryption, or 0 if no explicit IV is used
1175 * (e.g. for stream ciphers).
1176 *
1177 * The reason for the data_offset in the unencrypted case
1178 * is to allow for in-place conversion of an unencrypted to
1179 * an encrypted record. If the offset wasn't included, the
1180 * encrypted content would need to be shifted afterwards to
1181 * make space for the fixed IV.
1182 *
1183 */
1184 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
1185 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
1186 #else
1187 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
1188 #endif
1189
1190 typedef struct {
1191 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
1192 * In DTLS: The 2-byte epoch followed by
1193 * the 6-byte sequence number.
1194 * This is stored as a raw big endian byte array
1195 * as opposed to a uint64_t because we rarely
1196 * need to perform arithmetic on this, but do
1197 * need it as a Byte array for the purpose of
1198 * MAC computations. */
1199 uint8_t type; /* The record content type. */
1200 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
1201 * Convert to internal presentation of versions
1202 * using mbedtls_ssl_read_version() and
1203 * mbedtls_ssl_write_version().
1204 * Keep wire-format for MAC computations. */
1205
1206 unsigned char *buf; /* Memory buffer enclosing the record content */
1207 size_t buf_len; /* Buffer length */
1208 size_t data_offset; /* Offset of record content */
1209 size_t data_len; /* Length of record content */
1210
1211 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1212 uint8_t cid_len; /* Length of the CID (0 if not present) */
1213 unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */
1214 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1215 } mbedtls_record;
1216
1217 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1218 /*
1219 * List of certificate + private key pairs
1220 */
1221 struct mbedtls_ssl_key_cert {
1222 mbedtls_x509_crt *cert; /*!< cert */
1223 mbedtls_pk_context *key; /*!< private key */
1224 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
1225 };
1226 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1227
1228 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1229 /*
1230 * List of handshake messages kept around for resending
1231 */
1232 struct mbedtls_ssl_flight_item {
1233 unsigned char *p; /*!< message, including handshake headers */
1234 size_t len; /*!< length of p */
1235 unsigned char type; /*!< type of the message: handshake or CCS */
1236 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
1237 };
1238 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1239
1240 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1241 /**
1242 * \brief Given an SSL context and its associated configuration, write the TLS
1243 * 1.2 specific extensions of the ClientHello message.
1244 *
1245 * \param[in] ssl SSL context
1246 * \param[in] buf Base address of the buffer where to write the extensions
1247 * \param[in] end End address of the buffer where to write the extensions
1248 * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve
1249 * (<> 0) or not ( 0 ).
1250 * \param[out] out_len Length of the data written into the buffer \p buf
1251 */
1252 MBEDTLS_CHECK_RETURN_CRITICAL
1253 int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
1254 unsigned char *buf,
1255 const unsigned char *end,
1256 int uses_ec,
1257 size_t *out_len);
1258 #endif
1259
1260 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1261 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1262
1263 /**
1264 * \brief Find the preferred hash for a given signature algorithm.
1265 *
1266 * \param[in] ssl SSL context
1267 * \param[in] sig_alg A signature algorithm identifier as defined in the
1268 * TLS 1.2 SignatureAlgorithm enumeration.
1269 *
1270 * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
1271 * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
1272 */
1273 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
1274 mbedtls_ssl_context *ssl,
1275 unsigned int sig_alg);
1276
1277 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1278 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1279
1280 /**
1281 * \brief Free referenced items in an SSL transform context and clear
1282 * memory
1283 *
1284 * \param transform SSL transform context
1285 */
1286 void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
1287
1288 /**
1289 * \brief Free referenced items in an SSL handshake context and clear
1290 * memory
1291 *
1292 * \param ssl SSL context
1293 */
1294 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
1295
1296 /* set inbound transform of ssl context */
1297 void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl,
1298 mbedtls_ssl_transform *transform);
1299
1300 /* set outbound transform of ssl context */
1301 void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl,
1302 mbedtls_ssl_transform *transform);
1303
1304 MBEDTLS_CHECK_RETURN_CRITICAL
1305 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
1306 MBEDTLS_CHECK_RETURN_CRITICAL
1307 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
1308 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
1309
1310 #if defined(MBEDTLS_DEBUG_C)
1311 /* Declared in "ssl_debug_helpers.h". We can't include this file from
1312 * "ssl_misc.h" because it includes "ssl_misc.h" because it needs some
1313 * type definitions. TODO: split the type definitions and the helper
1314 * functions into different headers.
1315 */
1316 const char *mbedtls_ssl_states_str(mbedtls_ssl_states state);
1317 #endif
1318
mbedtls_ssl_handshake_set_state(mbedtls_ssl_context * ssl,mbedtls_ssl_states state)1319 static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
1320 mbedtls_ssl_states state)
1321 {
1322 MBEDTLS_SSL_DEBUG_MSG(3, ("handshake state: %d (%s) -> %d (%s)",
1323 ssl->state, mbedtls_ssl_states_str(ssl->state),
1324 (int) state, mbedtls_ssl_states_str(state)));
1325 ssl->state = (int) state;
1326 }
1327
mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context * ssl)1328 static inline void mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context *ssl)
1329 {
1330 mbedtls_ssl_handshake_set_state(ssl, ssl->state + 1);
1331 }
1332
1333 MBEDTLS_CHECK_RETURN_CRITICAL
1334 int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
1335
1336 MBEDTLS_CHECK_RETURN_CRITICAL
1337 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
1338
1339 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1340 MBEDTLS_CHECK_RETURN_CRITICAL
1341 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
1342 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1343
1344 MBEDTLS_CHECK_RETURN_CRITICAL
1345 int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
1346 MBEDTLS_CHECK_RETURN_CRITICAL
1347 int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
1348 MBEDTLS_CHECK_RETURN_CRITICAL
1349 int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
1350
1351 /**
1352 * \brief Update record layer
1353 *
1354 * This function roughly separates the implementation
1355 * of the logic of (D)TLS from the implementation
1356 * of the secure transport.
1357 *
1358 * \param ssl The SSL context to use.
1359 * \param update_hs_digest This indicates if the handshake digest
1360 * should be automatically updated in case
1361 * a handshake message is found.
1362 *
1363 * \return 0 or non-zero error code.
1364 *
1365 * \note A clarification on what is called 'record layer' here
1366 * is in order, as many sensible definitions are possible:
1367 *
1368 * The record layer takes as input an untrusted underlying
1369 * transport (stream or datagram) and transforms it into
1370 * a serially multiplexed, secure transport, which
1371 * conceptually provides the following:
1372 *
1373 * (1) Three datagram based, content-agnostic transports
1374 * for handshake, alert and CCS messages.
1375 * (2) One stream- or datagram-based transport
1376 * for application data.
1377 * (3) Functionality for changing the underlying transform
1378 * securing the contents.
1379 *
1380 * The interface to this functionality is given as follows:
1381 *
1382 * a Updating
1383 * [Currently implemented by mbedtls_ssl_read_record]
1384 *
1385 * Check if and on which of the four 'ports' data is pending:
1386 * Nothing, a controlling datagram of type (1), or application
1387 * data (2). In any case data is present, internal buffers
1388 * provide access to the data for the user to process it.
1389 * Consumption of type (1) datagrams is done automatically
1390 * on the next update, invalidating that the internal buffers
1391 * for previous datagrams, while consumption of application
1392 * data (2) is user-controlled.
1393 *
1394 * b Reading of application data
1395 * [Currently manual adaption of ssl->in_offt pointer]
1396 *
1397 * As mentioned in the last paragraph, consumption of data
1398 * is different from the automatic consumption of control
1399 * datagrams (1) because application data is treated as a stream.
1400 *
1401 * c Tracking availability of application data
1402 * [Currently manually through decreasing ssl->in_msglen]
1403 *
1404 * For efficiency and to retain datagram semantics for
1405 * application data in case of DTLS, the record layer
1406 * provides functionality for checking how much application
1407 * data is still available in the internal buffer.
1408 *
1409 * d Changing the transformation securing the communication.
1410 *
1411 * Given an opaque implementation of the record layer in the
1412 * above sense, it should be possible to implement the logic
1413 * of (D)TLS on top of it without the need to know anything
1414 * about the record layer's internals. This is done e.g.
1415 * in all the handshake handling functions, and in the
1416 * application data reading function mbedtls_ssl_read.
1417 *
1418 * \note The above tries to give a conceptual picture of the
1419 * record layer, but the current implementation deviates
1420 * from it in some places. For example, our implementation of
1421 * the update functionality through mbedtls_ssl_read_record
1422 * discards datagrams depending on the current state, which
1423 * wouldn't fall under the record layer's responsibility
1424 * following the above definition.
1425 *
1426 */
1427 MBEDTLS_CHECK_RETURN_CRITICAL
1428 int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
1429 unsigned update_hs_digest);
1430 MBEDTLS_CHECK_RETURN_CRITICAL
1431 int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
1432
1433 /*
1434 * Write handshake message header
1435 */
1436 MBEDTLS_CHECK_RETURN_CRITICAL
1437 int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type,
1438 unsigned char **buf, size_t *buf_len);
1439
1440 MBEDTLS_CHECK_RETURN_CRITICAL
1441 int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
1442 int update_checksum,
1443 int force_flush);
mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context * ssl)1444 static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
1445 {
1446 return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */);
1447 }
1448
1449 /*
1450 * Write handshake message tail
1451 */
1452 MBEDTLS_CHECK_RETURN_CRITICAL
1453 int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl,
1454 size_t buf_len, size_t msg_len);
1455
1456 MBEDTLS_CHECK_RETURN_CRITICAL
1457 int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush);
1458 MBEDTLS_CHECK_RETURN_CRITICAL
1459 int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
1460
1461 MBEDTLS_CHECK_RETURN_CRITICAL
1462 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
1463 MBEDTLS_CHECK_RETURN_CRITICAL
1464 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
1465
1466 MBEDTLS_CHECK_RETURN_CRITICAL
1467 int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
1468 MBEDTLS_CHECK_RETURN_CRITICAL
1469 int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
1470
1471 MBEDTLS_CHECK_RETURN_CRITICAL
1472 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
1473 MBEDTLS_CHECK_RETURN_CRITICAL
1474 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
1475
1476 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
1477 const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
1478
1479 /*
1480 * Update checksum of handshake messages.
1481 */
1482 MBEDTLS_CHECK_RETURN_CRITICAL
1483 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
1484 unsigned hs_type,
1485 unsigned char const *msg,
1486 size_t msg_len);
1487
1488 MBEDTLS_CHECK_RETURN_CRITICAL
1489 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
1490 unsigned hs_type,
1491 size_t total_hs_len);
1492
1493 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
1494 #if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C)
1495 MBEDTLS_CHECK_RETURN_CRITICAL
1496 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
1497 #endif
1498 /**
1499 * Get the first defined opaque PSK by order of precedence:
1500 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1501 * callback
1502 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1503 * Return an opaque PSK
1504 */
mbedtls_ssl_get_opaque_psk(const mbedtls_ssl_context * ssl)1505 static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
1506 const mbedtls_ssl_context *ssl)
1507 {
1508 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
1509 return ssl->handshake->psk_opaque;
1510 }
1511
1512 if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
1513 return ssl->conf->psk_opaque;
1514 }
1515
1516 return MBEDTLS_SVC_KEY_ID_INIT;
1517 }
1518
1519 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
1520
1521 #if defined(MBEDTLS_PK_C)
1522 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
1523 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
1524 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
1525 #endif
1526
1527 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
1528 unsigned char mbedtls_ssl_hash_from_md_alg(int md);
1529
1530 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1531 MBEDTLS_CHECK_RETURN_CRITICAL
1532 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
1533 #endif
1534
1535 MBEDTLS_CHECK_RETURN_CRITICAL
1536 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
1537 #if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
1538 MBEDTLS_CHECK_RETURN_CRITICAL
1539 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
1540 #endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
1541
1542 /**
1543 * \brief Return PSA EC info for the specified TLS ID.
1544 *
1545 * \param tls_id The TLS ID to look for
1546 * \param type If the TLD ID is supported, then proper \c psa_key_type_t
1547 * value is returned here. Can be NULL.
1548 * \param bits If the TLD ID is supported, then proper bit size is returned
1549 * here. Can be NULL.
1550 * \return PSA_SUCCESS if the TLS ID is supported,
1551 * PSA_ERROR_NOT_SUPPORTED otherwise
1552 *
1553 * \note If either \c family or \c bits parameters are NULL, then
1554 * the corresponding value is not returned.
1555 * The function can be called with both parameters as NULL
1556 * simply to check if a specific TLS ID is supported.
1557 */
1558 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
1559 psa_key_type_t *type,
1560 size_t *bits);
1561
1562 /**
1563 * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID.
1564 *
1565 * \param tls_id The TLS ID to look for
1566 * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported,
1567 * or MBEDTLS_ECP_DP_NONE otherwise
1568 */
1569 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id);
1570
1571 /**
1572 * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id.
1573 *
1574 * \param grp_id The \c mbedtls_ecp_group_id ID to look for
1575 * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported,
1576 * or 0 otherwise
1577 */
1578 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id);
1579
1580 #if defined(MBEDTLS_DEBUG_C)
1581 /**
1582 * \brief Return EC's name for the specified TLS ID.
1583 *
1584 * \param tls_id The TLS ID to look for
1585 * \return A pointer to a const string with the proper name. If TLS
1586 * ID is not supported, a NULL pointer is returned instead.
1587 */
1588 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id);
1589 #endif
1590
1591 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_check_srtp_profile_value(const uint16_t srtp_profile_value)1592 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1593 (const uint16_t srtp_profile_value)
1594 {
1595 switch (srtp_profile_value) {
1596 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
1597 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
1598 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
1599 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
1600 return srtp_profile_value;
1601 default: break;
1602 }
1603 return MBEDTLS_TLS_SRTP_UNSET;
1604 }
1605 #endif
1606
1607 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)1608 static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
1609 {
1610 mbedtls_ssl_key_cert *key_cert;
1611
1612 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
1613 key_cert = ssl->handshake->key_cert;
1614 } else {
1615 key_cert = ssl->conf->key_cert;
1616 }
1617
1618 return key_cert == NULL ? NULL : key_cert->key;
1619 }
1620
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)1621 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
1622 {
1623 mbedtls_ssl_key_cert *key_cert;
1624
1625 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
1626 key_cert = ssl->handshake->key_cert;
1627 } else {
1628 key_cert = ssl->conf->key_cert;
1629 }
1630
1631 return key_cert == NULL ? NULL : key_cert->cert;
1632 }
1633
1634 /*
1635 * Verify a certificate.
1636 *
1637 * [in/out] ssl: misc. things read
1638 * ssl->session_negotiate->verify_result updated
1639 * [in] authmode: one of MBEDTLS_SSL_VERIFY_{NONE,OPTIONAL,REQUIRED}
1640 * [in] chain: the certificate chain to verify (ie the peer's chain)
1641 * [in] ciphersuite_info: For TLS 1.2, this session's ciphersuite;
1642 * for TLS 1.3, may be left NULL.
1643 * [in] rs_ctx: restart context if restartable ECC is in use;
1644 * leave NULL for no restartable behaviour.
1645 *
1646 * Return:
1647 * - 0 if the handshake should continue. Depending on the
1648 * authmode it means:
1649 * - REQUIRED: the certificate was found to be valid, trusted & acceptable.
1650 * ssl->session_negotiate->verify_result is 0.
1651 * - OPTIONAL: the certificate may or may not be acceptable, but
1652 * ssl->session_negotiate->verify_result was updated with the result.
1653 * - NONE: the certificate wasn't even checked.
1654 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED or MBEDTLS_ERR_SSL_BAD_CERTIFICATE if
1655 * the certificate was found to be invalid/untrusted/unacceptable and the
1656 * handshake should be aborted (can only happen with REQUIRED).
1657 * - another error code if another error happened (out-of-memory, etc.)
1658 */
1659 MBEDTLS_CHECK_RETURN_CRITICAL
1660 int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
1661 int authmode,
1662 mbedtls_x509_crt *chain,
1663 const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
1664 void *rs_ctx);
1665
1666 /*
1667 * Check usage of a certificate wrt usage extensions:
1668 * keyUsage and extendedKeyUsage.
1669 * (Note: nSCertType is deprecated and not standard, we don't check it.)
1670 *
1671 * Note: if tls_version is 1.3, ciphersuite is ignored and can be NULL.
1672 *
1673 * Note: recv_endpoint is the receiver's endpoint.
1674 *
1675 * Return 0 if everything is OK, -1 if not.
1676 */
1677 MBEDTLS_CHECK_RETURN_CRITICAL
1678 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
1679 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1680 int recv_endpoint,
1681 mbedtls_ssl_protocol_version tls_version,
1682 uint32_t *flags);
1683 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1684
1685 void mbedtls_ssl_write_version(unsigned char version[2], int transport,
1686 mbedtls_ssl_protocol_version tls_version);
1687 uint16_t mbedtls_ssl_read_version(const unsigned char version[2],
1688 int transport);
1689
mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context * ssl)1690 static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl)
1691 {
1692 #if !defined(MBEDTLS_SSL_PROTO_DTLS)
1693 ((void) ssl);
1694 #endif
1695
1696 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1697 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1698 return 13;
1699 } else
1700 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1701 {
1702 return 5;
1703 }
1704 }
1705
mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context * ssl)1706 static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl)
1707 {
1708 return (size_t) (ssl->out_iv - ssl->out_hdr);
1709 }
1710
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)1711 static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
1712 {
1713 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1714 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1715 return 12;
1716 }
1717 #else
1718 ((void) ssl);
1719 #endif
1720 return 4;
1721 }
1722
1723 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1724 void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
1725 void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
1726 MBEDTLS_CHECK_RETURN_CRITICAL
1727 int mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
1728 MBEDTLS_CHECK_RETURN_CRITICAL
1729 int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
1730 #endif
1731
1732 /* Visible for testing purposes only */
1733 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1734 MBEDTLS_CHECK_RETURN_CRITICAL
1735 int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
1736 void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
1737 #endif
1738
1739 MBEDTLS_CHECK_RETURN_CRITICAL
1740 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
1741 const mbedtls_ssl_session *src);
1742
1743 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1744 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
1745 MBEDTLS_CHECK_RETURN_CRITICAL
1746 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
1747 unsigned char *hash, size_t *hashlen,
1748 unsigned char *data, size_t data_len,
1749 mbedtls_md_type_t md_alg);
1750 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1751
1752 #ifdef __cplusplus
1753 }
1754 #endif
1755
1756 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
1757 MBEDTLS_CHECK_RETURN_CRITICAL
1758 int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
1759 mbedtls_ssl_transform *transform,
1760 mbedtls_record *rec);
1761 MBEDTLS_CHECK_RETURN_CRITICAL
1762 int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
1763 mbedtls_ssl_transform *transform,
1764 mbedtls_record *rec);
1765
1766 /* Length of the "epoch" field in the record header */
mbedtls_ssl_ep_len(const mbedtls_ssl_context * ssl)1767 static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl)
1768 {
1769 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1770 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1771 return 2;
1772 }
1773 #else
1774 ((void) ssl);
1775 #endif
1776 return 0;
1777 }
1778
1779 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1780 MBEDTLS_CHECK_RETURN_CRITICAL
1781 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
1782 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1783
1784 void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
1785 MBEDTLS_CHECK_RETURN_CRITICAL
1786 int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
1787
1788 void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl);
1789 void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
1790 void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl);
1791 void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
1792 mbedtls_ssl_transform *transform);
1793
1794 MBEDTLS_CHECK_RETURN_CRITICAL
1795 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
1796 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1797 int partial);
1798
1799 /*
1800 * Send pending alert
1801 */
1802 MBEDTLS_CHECK_RETURN_CRITICAL
1803 int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl);
1804
1805 /*
1806 * Set pending fatal alert flag.
1807 */
1808 void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl,
1809 unsigned char alert_type,
1810 int alert_reason);
1811
1812 /* Alias of mbedtls_ssl_pend_fatal_alert */
1813 #define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \
1814 mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value)
1815
1816 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1817 void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
1818 #endif
1819
1820 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
1821
1822 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1823 MBEDTLS_CHECK_RETURN_CRITICAL
1824 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
1825 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1826
1827 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1828 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
1829 void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
1830 void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
1831 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1832
1833 /**
1834 * ssl utils functions for checking configuration.
1835 */
1836
1837 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config * conf)1838 static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf)
1839 {
1840 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1841 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
1842 }
1843
1844 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1845
1846 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config * conf)1847 static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf)
1848 {
1849 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1850 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2;
1851 }
1852
1853 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1854
mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config * conf)1855 static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf)
1856 {
1857 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1858 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
1859 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3;
1860 #else
1861 ((void) conf);
1862 return 0;
1863 #endif
1864 }
1865
mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config * conf)1866 static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf)
1867 {
1868 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1869 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
1870 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2;
1871 #else
1872 ((void) conf);
1873 return 0;
1874 #endif
1875 }
1876
1877 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config * conf)1878 static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf)
1879 {
1880 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1881 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
1882 }
1883 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
1884
1885 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1886 extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
1887 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
1888 MBEDTLS_CHECK_RETURN_CRITICAL
1889 int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl);
1890 MBEDTLS_CHECK_RETURN_CRITICAL
1891 int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl);
1892 void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl);
1893
1894 /**
1895 * \brief Given an SSL context and its associated configuration, write the TLS
1896 * 1.3 specific extensions of the ClientHello message.
1897 *
1898 * \param[in] ssl SSL context
1899 * \param[in] buf Base address of the buffer where to write the extensions
1900 * \param[in] end End address of the buffer where to write the extensions
1901 * \param[out] out_len Length of the data written into the buffer \p buf
1902 */
1903 MBEDTLS_CHECK_RETURN_CRITICAL
1904 int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
1905 unsigned char *buf,
1906 unsigned char *end,
1907 size_t *out_len);
1908
1909 /**
1910 * \brief TLS 1.3 client side state machine entry
1911 *
1912 * \param ssl SSL context
1913 */
1914 MBEDTLS_CHECK_RETURN_CRITICAL
1915 int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl);
1916
1917 /**
1918 * \brief TLS 1.3 server side state machine entry
1919 *
1920 * \param ssl SSL context
1921 */
1922 MBEDTLS_CHECK_RETURN_CRITICAL
1923 int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl);
1924
1925
1926 /*
1927 * Helper functions around key exchange modes.
1928 */
mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context * ssl,int kex_mode_mask)1929 static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context *ssl,
1930 int kex_mode_mask)
1931 {
1932 return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
1933 }
1934
mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context * ssl)1935 static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl)
1936 {
1937 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
1938 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
1939 }
1940
mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1941 static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
1942 {
1943 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
1944 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
1945 }
1946
mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context * ssl)1947 static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl)
1948 {
1949 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
1950 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
1951 }
1952
mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1953 static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
1954 {
1955 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
1956 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
1957 }
1958
mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context * ssl)1959 static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl)
1960 {
1961 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
1962 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
1963 }
1964
1965 #if defined(MBEDTLS_SSL_SRV_C) && \
1966 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1967 /**
1968 * Given a list of key exchange modes, check if at least one of them is
1969 * supported by peer.
1970 *
1971 * \param[in] ssl SSL context
1972 * \param kex_modes_mask Mask of the key exchange modes to check
1973 *
1974 * \return Non-zero if at least one of the key exchange modes is supported by
1975 * the peer, otherwise \c 0.
1976 */
mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context * ssl,int kex_modes_mask)1977 static inline int mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context *ssl,
1978 int kex_modes_mask)
1979 {
1980 return (ssl->handshake->tls13_kex_modes & kex_modes_mask) != 0;
1981 }
1982
mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context * ssl)1983 static inline int mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context *ssl)
1984 {
1985 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
1986 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
1987 }
1988
mbedtls_ssl_tls13_is_psk_ephemeral_supported(mbedtls_ssl_context * ssl)1989 static inline int mbedtls_ssl_tls13_is_psk_ephemeral_supported(
1990 mbedtls_ssl_context *ssl)
1991 {
1992 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
1993 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
1994 }
1995
mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context * ssl)1996 static inline int mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context *ssl)
1997 {
1998 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
1999 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
2000 }
2001
mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context * ssl)2002 static inline int mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context *ssl)
2003 {
2004 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
2005 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
2006 }
2007
mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context * ssl)2008 static inline int mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context *ssl)
2009 {
2010 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
2011 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
2012 }
2013 #endif /* MBEDTLS_SSL_SRV_C &&
2014 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
2015
2016 /*
2017 * Helper functions for extensions checking.
2018 */
2019
2020 MBEDTLS_CHECK_RETURN_CRITICAL
2021 int mbedtls_ssl_tls13_check_received_extension(
2022 mbedtls_ssl_context *ssl,
2023 int hs_msg_type,
2024 unsigned int received_extension_type,
2025 uint32_t hs_msg_allowed_extensions_mask);
2026
mbedtls_ssl_tls13_set_hs_sent_ext_mask(mbedtls_ssl_context * ssl,unsigned int extension_type)2027 static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
2028 mbedtls_ssl_context *ssl, unsigned int extension_type)
2029 {
2030 ssl->handshake->sent_extensions |=
2031 mbedtls_ssl_get_extension_mask(extension_type);
2032 }
2033
2034 /*
2035 * Helper functions to check the selected key exchange mode.
2036 */
mbedtls_ssl_tls13_key_exchange_mode_check(mbedtls_ssl_context * ssl,int kex_mask)2037 static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
2038 mbedtls_ssl_context *ssl, int kex_mask)
2039 {
2040 return (ssl->handshake->key_exchange_mode & kex_mask) != 0;
2041 }
2042
mbedtls_ssl_tls13_key_exchange_mode_with_psk(mbedtls_ssl_context * ssl)2043 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
2044 mbedtls_ssl_context *ssl)
2045 {
2046 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
2047 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
2048 }
2049
mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(mbedtls_ssl_context * ssl)2050 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
2051 mbedtls_ssl_context *ssl)
2052 {
2053 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
2054 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
2055 }
2056
2057 /*
2058 * Fetch TLS 1.3 handshake message header
2059 */
2060 MBEDTLS_CHECK_RETURN_CRITICAL
2061 int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
2062 unsigned hs_type,
2063 unsigned char **buf,
2064 size_t *buf_len);
2065
2066 /**
2067 * \brief Detect if a list of extensions contains a supported_versions
2068 * extension or not.
2069 *
2070 * \param[in] ssl SSL context
2071 * \param[in] buf Address of the first byte of the extensions vector.
2072 * \param[in] end End of the buffer containing the list of extensions.
2073 * \param[out] supported_versions_data If the extension is present, address of
2074 * its first byte of data, NULL otherwise.
2075 * \param[out] supported_versions_data_end If the extension is present, address
2076 * of the first byte immediately
2077 * following the extension data, NULL
2078 * otherwise.
2079 * \return 0 if the list of extensions does not contain a supported_versions
2080 * extension.
2081 * \return 1 if the list of extensions contains a supported_versions
2082 * extension.
2083 * \return A negative value if an error occurred while parsing the
2084 * extensions.
2085 */
2086 MBEDTLS_CHECK_RETURN_CRITICAL
2087 int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
2088 mbedtls_ssl_context *ssl,
2089 const unsigned char *buf, const unsigned char *end,
2090 const unsigned char **supported_versions_data,
2091 const unsigned char **supported_versions_data_end);
2092
2093 /*
2094 * Handler of TLS 1.3 server certificate message
2095 */
2096 MBEDTLS_CHECK_RETURN_CRITICAL
2097 int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl);
2098
2099 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2100 /*
2101 * Handler of TLS 1.3 write Certificate message
2102 */
2103 MBEDTLS_CHECK_RETURN_CRITICAL
2104 int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl);
2105
2106 /*
2107 * Handler of TLS 1.3 write Certificate Verify message
2108 */
2109 MBEDTLS_CHECK_RETURN_CRITICAL
2110 int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl);
2111
2112 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2113
2114 /*
2115 * Generic handler of Certificate Verify
2116 */
2117 MBEDTLS_CHECK_RETURN_CRITICAL
2118 int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl);
2119
2120 /*
2121 * Write of dummy-CCS's for middlebox compatibility
2122 */
2123 MBEDTLS_CHECK_RETURN_CRITICAL
2124 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl);
2125
2126 MBEDTLS_CHECK_RETURN_CRITICAL
2127 int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl);
2128
2129 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
2130 MBEDTLS_CHECK_RETURN_CRITICAL
2131 int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
2132 mbedtls_ssl_context *ssl,
2133 uint16_t named_group,
2134 unsigned char *buf,
2135 unsigned char *end,
2136 size_t *out_len);
2137 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
2138
2139 #if defined(MBEDTLS_SSL_EARLY_DATA)
2140 int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
2141 int in_new_session_ticket,
2142 unsigned char *buf,
2143 const unsigned char *end,
2144 size_t *out_len);
2145
2146 int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
2147 size_t early_data_len);
2148
2149 typedef enum {
2150 /*
2151 * The client has not sent the first ClientHello yet, the negotiation of early
2152 * data has not started yet.
2153 */
2154 MBEDTLS_SSL_EARLY_DATA_STATE_IDLE,
2155
2156 /*
2157 * In its ClientHello, the client has not included an early data indication
2158 * extension.
2159 */
2160 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT,
2161
2162 /*
2163 * The client has sent an early data indication extension in its first
2164 * ClientHello, it has not received the response (ServerHello or
2165 * HelloRetryRequest) from the server yet. The transform to protect early data
2166 * is not set either as for middlebox compatibility a dummy CCS may have to be
2167 * sent in clear. Early data cannot be sent to the server yet.
2168 */
2169 MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT,
2170
2171 /*
2172 * The client has sent an early data indication extension in its first
2173 * ClientHello, it has not received the response (ServerHello or
2174 * HelloRetryRequest) from the server yet. The transform to protect early data
2175 * has been set and early data can be written now.
2176 */
2177 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE,
2178
2179 /*
2180 * The client has indicated the use of early data and the server has accepted
2181 * it.
2182 */
2183 MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED,
2184
2185 /*
2186 * The client has indicated the use of early data but the server has rejected
2187 * it.
2188 */
2189 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED,
2190
2191 /*
2192 * The client has sent an early data indication extension in its first
2193 * ClientHello, the server has accepted them and the client has received the
2194 * server Finished message. It cannot send early data to the server anymore.
2195 */
2196 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED,
2197
2198 } mbedtls_ssl_early_data_state;
2199 #endif /* MBEDTLS_SSL_EARLY_DATA */
2200
2201 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2202
2203 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2204 /*
2205 * Write Signature Algorithm extension
2206 */
2207 MBEDTLS_CHECK_RETURN_CRITICAL
2208 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
2209 const unsigned char *end, size_t *out_len);
2210 /*
2211 * Parse TLS Signature Algorithm extension
2212 */
2213 MBEDTLS_CHECK_RETURN_CRITICAL
2214 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
2215 const unsigned char *buf,
2216 const unsigned char *end);
2217 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2218
2219 /* Get handshake transcript */
2220 MBEDTLS_CHECK_RETURN_CRITICAL
2221 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
2222 const mbedtls_md_type_t md,
2223 unsigned char *dst,
2224 size_t dst_len,
2225 size_t *olen);
2226
2227 /*
2228 * Helper functions for NamedGroup.
2229 */
mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)2230 static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)
2231 {
2232 /*
2233 * RFC 8422 section 5.1.1
2234 */
2235 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2236 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 ||
2237 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 ||
2238 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
2239 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
2240 /* Below deprecated curves should be removed with notice to users */
2241 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
2242 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2243 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2244 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1;
2245 }
2246
mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)2247 static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)
2248 {
2249 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2250 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2251 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2252 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
2253 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448;
2254 }
2255
mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)2256 static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)
2257 {
2258 return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
2259 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192;
2260 }
2261
mbedtls_ssl_named_group_is_offered(const mbedtls_ssl_context * ssl,uint16_t named_group)2262 static inline int mbedtls_ssl_named_group_is_offered(
2263 const mbedtls_ssl_context *ssl, uint16_t named_group)
2264 {
2265 const uint16_t *group_list = ssl->conf->group_list;
2266
2267 if (group_list == NULL) {
2268 return 0;
2269 }
2270
2271 for (; *group_list != 0; group_list++) {
2272 if (*group_list == named_group) {
2273 return 1;
2274 }
2275 }
2276
2277 return 0;
2278 }
2279
mbedtls_ssl_named_group_is_supported(uint16_t named_group)2280 static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
2281 {
2282 #if defined(PSA_WANT_ALG_ECDH)
2283 if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
2284 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) !=
2285 MBEDTLS_ECP_DP_NONE) {
2286 return 1;
2287 }
2288 }
2289 #endif
2290 #if defined(PSA_WANT_ALG_FFDH)
2291 if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
2292 return 1;
2293 }
2294 #endif
2295 #if !defined(PSA_WANT_ALG_ECDH) && !defined(PSA_WANT_ALG_FFDH)
2296 (void) named_group;
2297 #endif
2298 return 0;
2299 }
2300
2301 /*
2302 * Return supported signature algorithms.
2303 */
mbedtls_ssl_get_sig_algs(const mbedtls_ssl_context * ssl)2304 static inline const void *mbedtls_ssl_get_sig_algs(
2305 const mbedtls_ssl_context *ssl)
2306 {
2307 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2308
2309 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2310 if (ssl->handshake != NULL &&
2311 ssl->handshake->sig_algs != NULL) {
2312 return ssl->handshake->sig_algs;
2313 }
2314 #endif
2315 return ssl->conf->sig_algs;
2316
2317 #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2318
2319 ((void) ssl);
2320 return NULL;
2321 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2322 }
2323
2324 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context * ssl,uint16_t own_sig_alg)2325 static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl,
2326 uint16_t own_sig_alg)
2327 {
2328 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
2329 if (sig_alg == NULL) {
2330 return 0;
2331 }
2332
2333 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2334 if (*sig_alg == own_sig_alg) {
2335 return 1;
2336 }
2337 }
2338 return 0;
2339 }
2340
mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(const uint16_t sig_alg)2341 static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2342 const uint16_t sig_alg)
2343 {
2344 switch (sig_alg) {
2345 #if defined(PSA_HAVE_ALG_SOME_ECDSA)
2346 #if defined(PSA_WANT_ALG_SHA_256) && defined(PSA_WANT_ECC_SECP_R1_256)
2347 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
2348 break;
2349 #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
2350 #if defined(PSA_WANT_ALG_SHA_384) && defined(PSA_WANT_ECC_SECP_R1_384)
2351 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
2352 break;
2353 #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
2354 #if defined(PSA_WANT_ALG_SHA_512) && defined(PSA_WANT_ECC_SECP_R1_521)
2355 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
2356 break;
2357 #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
2358 #endif /* PSA_HAVE_ALG_SOME_ECDSA */
2359
2360 #if defined(PSA_WANT_ALG_RSA_PSS)
2361 #if defined(PSA_WANT_ALG_SHA_256)
2362 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2363 break;
2364 #endif /* PSA_WANT_ALG_SHA_256 */
2365 #if defined(PSA_WANT_ALG_SHA_384)
2366 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2367 break;
2368 #endif /* PSA_WANT_ALG_SHA_384 */
2369 #if defined(PSA_WANT_ALG_SHA_512)
2370 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2371 break;
2372 #endif /* PSA_WANT_ALG_SHA_512 */
2373 #endif /* PSA_WANT_ALG_RSA_PSS */
2374 default:
2375 return 0;
2376 }
2377 return 1;
2378
2379 }
2380
mbedtls_ssl_tls13_sig_alg_is_supported(const uint16_t sig_alg)2381 static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
2382 const uint16_t sig_alg)
2383 {
2384 switch (sig_alg) {
2385 #if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
2386 #if defined(PSA_WANT_ALG_SHA_256)
2387 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
2388 break;
2389 #endif /* PSA_WANT_ALG_SHA_256 */
2390 #if defined(PSA_WANT_ALG_SHA_384)
2391 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
2392 break;
2393 #endif /* PSA_WANT_ALG_SHA_384 */
2394 #if defined(PSA_WANT_ALG_SHA_512)
2395 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
2396 break;
2397 #endif /* PSA_WANT_ALG_SHA_512 */
2398 #endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
2399 default:
2400 return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2401 sig_alg);
2402 }
2403 return 1;
2404 }
2405
2406 MBEDTLS_CHECK_RETURN_CRITICAL
2407 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
2408 mbedtls_pk_context *key);
2409 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2410
2411 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context * ssl,uint16_t proposed_sig_alg)2412 static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl,
2413 uint16_t proposed_sig_alg)
2414 {
2415 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2416 if (sig_alg == NULL) {
2417 return 0;
2418 }
2419
2420 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2421 if (*sig_alg == proposed_sig_alg) {
2422 return 1;
2423 }
2424 }
2425 return 0;
2426 }
2427
mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(uint16_t sig_alg,mbedtls_pk_type_t * pk_type,mbedtls_md_type_t * md_alg)2428 static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2429 uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg)
2430 {
2431 *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff);
2432 *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff);
2433
2434 if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) {
2435 return 0;
2436 }
2437
2438 switch (sig_alg) {
2439 #if defined(PSA_WANT_ALG_RSA_PSS)
2440 #if defined(PSA_WANT_ALG_SHA_256)
2441 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2442 *md_alg = MBEDTLS_MD_SHA256;
2443 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2444 break;
2445 #endif /* PSA_WANT_ALG_SHA_256 */
2446 #if defined(PSA_WANT_ALG_SHA_384)
2447 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2448 *md_alg = MBEDTLS_MD_SHA384;
2449 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2450 break;
2451 #endif /* PSA_WANT_ALG_SHA_384 */
2452 #if defined(PSA_WANT_ALG_SHA_512)
2453 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2454 *md_alg = MBEDTLS_MD_SHA512;
2455 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2456 break;
2457 #endif /* PSA_WANT_ALG_SHA_512 */
2458 #endif /* PSA_WANT_ALG_RSA_PSS */
2459 default:
2460 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2461 }
2462 return 0;
2463 }
2464
2465 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_tls12_sig_alg_is_supported(const uint16_t sig_alg)2466 static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
2467 const uint16_t sig_alg)
2468 {
2469 /* High byte is hash */
2470 unsigned char hash = MBEDTLS_BYTE_1(sig_alg);
2471 unsigned char sig = MBEDTLS_BYTE_0(sig_alg);
2472
2473 switch (hash) {
2474 #if defined(PSA_WANT_ALG_MD5)
2475 case MBEDTLS_SSL_HASH_MD5:
2476 break;
2477 #endif
2478
2479 #if defined(PSA_WANT_ALG_SHA_1)
2480 case MBEDTLS_SSL_HASH_SHA1:
2481 break;
2482 #endif
2483
2484 #if defined(PSA_WANT_ALG_SHA_224)
2485 case MBEDTLS_SSL_HASH_SHA224:
2486 break;
2487 #endif
2488
2489 #if defined(PSA_WANT_ALG_SHA_256)
2490 case MBEDTLS_SSL_HASH_SHA256:
2491 break;
2492 #endif
2493
2494 #if defined(PSA_WANT_ALG_SHA_384)
2495 case MBEDTLS_SSL_HASH_SHA384:
2496 break;
2497 #endif
2498
2499 #if defined(PSA_WANT_ALG_SHA_512)
2500 case MBEDTLS_SSL_HASH_SHA512:
2501 break;
2502 #endif
2503
2504 default:
2505 return 0;
2506 }
2507
2508 switch (sig) {
2509 #if defined(MBEDTLS_RSA_C)
2510 case MBEDTLS_SSL_SIG_RSA:
2511 break;
2512 #endif
2513
2514 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
2515 case MBEDTLS_SSL_SIG_ECDSA:
2516 break;
2517 #endif
2518
2519 default:
2520 return 0;
2521 }
2522
2523 return 1;
2524 }
2525 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2526
mbedtls_ssl_sig_alg_is_supported(const mbedtls_ssl_context * ssl,const uint16_t sig_alg)2527 static inline int mbedtls_ssl_sig_alg_is_supported(
2528 const mbedtls_ssl_context *ssl,
2529 const uint16_t sig_alg)
2530 {
2531
2532 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2533 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2534 return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg);
2535 }
2536 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2537
2538 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2539 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2540 return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg);
2541 }
2542 #endif
2543 ((void) ssl);
2544 ((void) sig_alg);
2545 return 0;
2546 }
2547 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2548
2549 /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
2550 * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
2551 * guaranteed to not be a valid PSA algorithm identifier.
2552 */
2553 #define MBEDTLS_SSL_NULL_CIPHER 0x04000000
2554
2555 /**
2556 * \brief Translate mbedtls cipher type/taglen pair to psa:
2557 * algorithm, key type and key size.
2558 *
2559 * \param mbedtls_cipher_type [in] given mbedtls cipher type
2560 * \param taglen [in] given tag length
2561 * 0 - default tag length
2562 * \param alg [out] corresponding PSA alg
2563 * There is no corresponding PSA
2564 * alg for MBEDTLS_CIPHER_NULL, so
2565 * in this case MBEDTLS_SSL_NULL_CIPHER
2566 * is returned via this parameter
2567 * \param key_type [out] corresponding PSA key type
2568 * \param key_size [out] corresponding PSA key size
2569 *
2570 * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
2571 * conversion is not supported.
2572 */
2573 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2574 size_t taglen,
2575 psa_algorithm_t *alg,
2576 psa_key_type_t *key_type,
2577 size_t *key_size);
2578
2579 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2580 /**
2581 * \brief Convert given PSA status to mbedtls error code.
2582 *
2583 * \param status [in] given PSA status
2584 *
2585 * \return corresponding mbedtls error code
2586 */
psa_ssl_status_to_mbedtls(psa_status_t status)2587 static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status)
2588 {
2589 switch (status) {
2590 case PSA_SUCCESS:
2591 return 0;
2592 case PSA_ERROR_INSUFFICIENT_MEMORY:
2593 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2594 case PSA_ERROR_NOT_SUPPORTED:
2595 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2596 case PSA_ERROR_INVALID_SIGNATURE:
2597 return MBEDTLS_ERR_SSL_INVALID_MAC;
2598 case PSA_ERROR_INVALID_ARGUMENT:
2599 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2600 case PSA_ERROR_BAD_STATE:
2601 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2602 case PSA_ERROR_BUFFER_TOO_SMALL:
2603 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
2604 default:
2605 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
2606 }
2607 }
2608 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
2609
2610 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
2611
2612 typedef enum {
2613 MBEDTLS_ECJPAKE_ROUND_ONE,
2614 MBEDTLS_ECJPAKE_ROUND_TWO
2615 } mbedtls_ecjpake_rounds_t;
2616
2617 /**
2618 * \brief Parse the provided input buffer for getting the first round
2619 * of key exchange. This code is common between server and client
2620 *
2621 * \param pake_ctx [in] the PAKE's operation/context structure
2622 * \param buf [in] input buffer to parse
2623 * \param len [in] length of the input buffer
2624 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2625 * MBEDTLS_ECJPAKE_ROUND_TWO
2626 *
2627 * \return 0 on success or a negative error code in case of failure
2628 */
2629 int mbedtls_psa_ecjpake_read_round(
2630 psa_pake_operation_t *pake_ctx,
2631 const unsigned char *buf,
2632 size_t len, mbedtls_ecjpake_rounds_t round);
2633
2634 /**
2635 * \brief Write the first round of key exchange into the provided output
2636 * buffer. This code is common between server and client
2637 *
2638 * \param pake_ctx [in] the PAKE's operation/context structure
2639 * \param buf [out] the output buffer in which data will be written to
2640 * \param len [in] length of the output buffer
2641 * \param olen [out] the length of the data really written on the buffer
2642 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2643 * MBEDTLS_ECJPAKE_ROUND_TWO
2644 *
2645 * \return 0 on success or a negative error code in case of failure
2646 */
2647 int mbedtls_psa_ecjpake_write_round(
2648 psa_pake_operation_t *pake_ctx,
2649 unsigned char *buf,
2650 size_t len, size_t *olen,
2651 mbedtls_ecjpake_rounds_t round);
2652
2653 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
2654
2655 /**
2656 * \brief TLS record protection modes
2657 */
2658 typedef enum {
2659 MBEDTLS_SSL_MODE_STREAM = 0,
2660 MBEDTLS_SSL_MODE_CBC,
2661 MBEDTLS_SSL_MODE_CBC_ETM,
2662 MBEDTLS_SSL_MODE_AEAD
2663 } mbedtls_ssl_mode_t;
2664
2665 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2666 const mbedtls_ssl_transform *transform);
2667
2668 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2669 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2670 int encrypt_then_mac,
2671 const mbedtls_ssl_ciphersuite_t *suite);
2672 #else
2673 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2674 const mbedtls_ssl_ciphersuite_t *suite);
2675 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2676
2677 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
2678
2679 MBEDTLS_CHECK_RETURN_CRITICAL
2680 int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
2681 const unsigned char *buf,
2682 size_t buf_len);
2683
2684 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
2685
mbedtls_ssl_tls13_cipher_suite_is_offered(mbedtls_ssl_context * ssl,int cipher_suite)2686 static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
2687 mbedtls_ssl_context *ssl, int cipher_suite)
2688 {
2689 const int *ciphersuite_list = ssl->conf->ciphersuite_list;
2690
2691 /* Check whether we have offered this ciphersuite */
2692 for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
2693 if (ciphersuite_list[i] == cipher_suite) {
2694 return 1;
2695 }
2696 }
2697 return 0;
2698 }
2699
2700 /**
2701 * \brief Validate cipher suite against config in SSL context.
2702 *
2703 * \param ssl SSL context
2704 * \param suite_info Cipher suite to validate
2705 * \param min_tls_version Minimal TLS version to accept a cipher suite
2706 * \param max_tls_version Maximal TLS version to accept a cipher suite
2707 *
2708 * \return 0 if valid, negative value otherwise.
2709 */
2710 MBEDTLS_CHECK_RETURN_CRITICAL
2711 int mbedtls_ssl_validate_ciphersuite(
2712 const mbedtls_ssl_context *ssl,
2713 const mbedtls_ssl_ciphersuite_t *suite_info,
2714 mbedtls_ssl_protocol_version min_tls_version,
2715 mbedtls_ssl_protocol_version max_tls_version);
2716
2717 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2718 MBEDTLS_CHECK_RETURN_CRITICAL
2719 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
2720 const unsigned char *buf,
2721 const unsigned char *end);
2722 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2723
2724 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2725 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
2726 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) /* As defined in RFC 8449 */
2727
2728 MBEDTLS_CHECK_RETURN_CRITICAL
2729 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
2730 const unsigned char *buf,
2731 const unsigned char *end);
2732
2733 MBEDTLS_CHECK_RETURN_CRITICAL
2734 int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
2735 unsigned char *buf,
2736 const unsigned char *end,
2737 size_t *out_len);
2738 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2739
2740 #if defined(MBEDTLS_SSL_ALPN)
2741 MBEDTLS_CHECK_RETURN_CRITICAL
2742 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
2743 const unsigned char *buf,
2744 const unsigned char *end);
2745
2746
2747 MBEDTLS_CHECK_RETURN_CRITICAL
2748 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
2749 unsigned char *buf,
2750 unsigned char *end,
2751 size_t *out_len);
2752 #endif /* MBEDTLS_SSL_ALPN */
2753
2754 #if defined(MBEDTLS_TEST_HOOKS)
2755 int mbedtls_ssl_check_dtls_clihlo_cookie(
2756 mbedtls_ssl_context *ssl,
2757 const unsigned char *cli_id, size_t cli_id_len,
2758 const unsigned char *in, size_t in_len,
2759 unsigned char *obuf, size_t buf_len, size_t *olen);
2760 #endif
2761
2762 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2763 /**
2764 * \brief Given an SSL context and its associated configuration, write the TLS
2765 * 1.3 specific Pre-Shared key extension.
2766 *
2767 * \param[in] ssl SSL context
2768 * \param[in] buf Base address of the buffer where to write the extension
2769 * \param[in] end End address of the buffer where to write the extension
2770 * \param[out] out_len Length in bytes of the Pre-Shared key extension: data
2771 * written into the buffer \p buf by this function plus
2772 * the length of the binders to be written.
2773 * \param[out] binders_len Length of the binders to be written at the end of
2774 * the extension.
2775 */
2776 MBEDTLS_CHECK_RETURN_CRITICAL
2777 int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
2778 mbedtls_ssl_context *ssl,
2779 unsigned char *buf, unsigned char *end,
2780 size_t *out_len, size_t *binders_len);
2781
2782 /**
2783 * \brief Given an SSL context and its associated configuration, write the TLS
2784 * 1.3 specific Pre-Shared key extension binders at the end of the
2785 * ClientHello.
2786 *
2787 * \param[in] ssl SSL context
2788 * \param[in] buf Base address of the buffer where to write the binders
2789 * \param[in] end End address of the buffer where to write the binders
2790 */
2791 MBEDTLS_CHECK_RETURN_CRITICAL
2792 int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
2793 mbedtls_ssl_context *ssl,
2794 unsigned char *buf, unsigned char *end);
2795 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
2796
2797 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
2798 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
2799 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
2800 defined(MBEDTLS_SSL_CLI_C)
2801 MBEDTLS_CHECK_RETURN_CRITICAL
2802 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
2803 const char *hostname);
2804 #endif
2805
2806 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
2807 defined(MBEDTLS_SSL_ALPN)
2808 MBEDTLS_CHECK_RETURN_CRITICAL
2809 int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
2810 const char *alpn);
2811 #endif
2812
2813 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
2814
2815 #define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
2816
mbedtls_ssl_tls13_session_get_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2817 static inline unsigned int mbedtls_ssl_tls13_session_get_ticket_flags(
2818 mbedtls_ssl_session *session, unsigned int flags)
2819 {
2820 return session->ticket_flags &
2821 (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2822 }
2823
2824 /**
2825 * Check if at least one of the given flags is set in
2826 * the session ticket. See the definition of
2827 * `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` to get all
2828 * permitted flags.
2829 */
mbedtls_ssl_tls13_session_ticket_has_flags(mbedtls_ssl_session * session,unsigned int flags)2830 static inline int mbedtls_ssl_tls13_session_ticket_has_flags(
2831 mbedtls_ssl_session *session, unsigned int flags)
2832 {
2833 return mbedtls_ssl_tls13_session_get_ticket_flags(session, flags) != 0;
2834 }
2835
mbedtls_ssl_tls13_session_ticket_allow_psk(mbedtls_ssl_session * session)2836 static inline int mbedtls_ssl_tls13_session_ticket_allow_psk(
2837 mbedtls_ssl_session *session)
2838 {
2839 return mbedtls_ssl_tls13_session_ticket_has_flags(
2840 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION);
2841 }
2842
mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(mbedtls_ssl_session * session)2843 static inline int mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(
2844 mbedtls_ssl_session *session)
2845 {
2846 return mbedtls_ssl_tls13_session_ticket_has_flags(
2847 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION);
2848 }
2849
mbedtls_ssl_tls13_session_ticket_allow_early_data(mbedtls_ssl_session * session)2850 static inline unsigned int mbedtls_ssl_tls13_session_ticket_allow_early_data(
2851 mbedtls_ssl_session *session)
2852 {
2853 return mbedtls_ssl_tls13_session_ticket_has_flags(
2854 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
2855 }
2856
mbedtls_ssl_tls13_session_set_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2857 static inline void mbedtls_ssl_tls13_session_set_ticket_flags(
2858 mbedtls_ssl_session *session, unsigned int flags)
2859 {
2860 session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2861 }
2862
mbedtls_ssl_tls13_session_clear_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2863 static inline void mbedtls_ssl_tls13_session_clear_ticket_flags(
2864 mbedtls_ssl_session *session, unsigned int flags)
2865 {
2866 session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2867 }
2868 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
2869
2870 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
2871 int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
2872 #endif
2873
2874 #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
2875
2876 /** Compute the HMAC of variable-length data with constant flow.
2877 *
2878 * This function computes the HMAC of the concatenation of \p add_data and \p
2879 * data, and does with a code flow and memory access pattern that does not
2880 * depend on \p data_len_secret, but only on \p min_data_len and \p
2881 * max_data_len. In particular, this function always reads exactly \p
2882 * max_data_len bytes from \p data.
2883 *
2884 * \param key The HMAC key.
2885 * \param mac_alg The hash algorithm.
2886 * Must be one of SHA-384, SHA-256, SHA-1 or MD-5.
2887 * \param add_data The first part of the message whose HMAC is being
2888 * calculated. This must point to a readable buffer
2889 * of \p add_data_len bytes.
2890 * \param add_data_len The length of \p add_data in bytes.
2891 * \param data The buffer containing the second part of the
2892 * message. This must point to a readable buffer
2893 * of \p max_data_len bytes.
2894 * \param data_len_secret The length of the data to process in \p data.
2895 * This must be no less than \p min_data_len and no
2896 * greater than \p max_data_len.
2897 * \param min_data_len The minimal length of the second part of the
2898 * message, read from \p data.
2899 * \param max_data_len The maximal length of the second part of the
2900 * message, read from \p data.
2901 * \param output The HMAC will be written here. This must point to
2902 * a writable buffer of sufficient size to hold the
2903 * HMAC value.
2904 *
2905 * \retval 0 on success.
2906 * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
2907 * The hardware accelerator failed.
2908 */
2909 int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
2910 psa_algorithm_t mac_alg,
2911 const unsigned char *add_data,
2912 size_t add_data_len,
2913 const unsigned char *data,
2914 size_t data_len_secret,
2915 size_t min_data_len,
2916 size_t max_data_len,
2917 unsigned char *output);
2918 #endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */
2919
2920 #endif /* ssl_misc.h */
2921