1 /**
2 * \file ssl_internal.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6 /*
7 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
8 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
21 *
22 * This file is part of mbed TLS (https://tls.mbed.org)
23 */
24 #ifndef MBEDTLS_SSL_INTERNAL_H
25 #define MBEDTLS_SSL_INTERNAL_H
26
27 #include "ssl.h"
28 #include "cipher.h"
29
30 #if defined(MBEDTLS_MD5_C)
31 #include "md5.h"
32 #endif
33
34 #if defined(MBEDTLS_SHA1_C)
35 #include "sha1.h"
36 #endif
37
38 #if defined(MBEDTLS_SHA256_C)
39 #include "sha256.h"
40 #endif
41
42 #if defined(MBEDTLS_SHA512_C)
43 #include "sha512.h"
44 #endif
45
46 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
47 #include "ecjpake.h"
48 #endif
49
50 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
51 !defined(inline) && !defined(__cplusplus)
52 #define inline __inline
53 #endif
54
55 /* Determine minimum supported version */
56 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
57
58 #if defined(MBEDTLS_SSL_PROTO_SSL3)
59 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
60 #else
61 #if defined(MBEDTLS_SSL_PROTO_TLS1)
62 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
63 #else
64 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
65 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
66 #else
67 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
68 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
69 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
70 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
71 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
72 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
73
74 #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
75 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
76
77 /* Determine maximum supported version */
78 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
79
80 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
81 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
82 #else
83 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
84 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
85 #else
86 #if defined(MBEDTLS_SSL_PROTO_TLS1)
87 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
88 #else
89 #if defined(MBEDTLS_SSL_PROTO_SSL3)
90 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
91 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
92 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
93 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
94 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
95
96 /* Shorthand for restartable ECC */
97 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
98 defined(MBEDTLS_SSL_CLI_C) && \
99 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
100 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
101 #define MBEDTLS_SSL__ECP_RESTARTABLE
102 #endif
103
104 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
105 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
106 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
107 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
108
109 /*
110 * DTLS retransmission states, see RFC 6347 4.2.4
111 *
112 * The SENDING state is merged in PREPARING for initial sends,
113 * but is distinct for resends.
114 *
115 * Note: initial state is wrong for server, but is not used anyway.
116 */
117 #define MBEDTLS_SSL_RETRANS_PREPARING 0
118 #define MBEDTLS_SSL_RETRANS_SENDING 1
119 #define MBEDTLS_SSL_RETRANS_WAITING 2
120 #define MBEDTLS_SSL_RETRANS_FINISHED 3
121
122 /*
123 * Allow extra bytes for record, authentication and encryption overhead:
124 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
125 * and allow for a maximum of 1024 of compression expansion if
126 * enabled.
127 */
128 #if defined(MBEDTLS_ZLIB_SUPPORT)
129 #define MBEDTLS_SSL_COMPRESSION_ADD 1024
130 #else
131 #define MBEDTLS_SSL_COMPRESSION_ADD 0
132 #endif
133
134 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
135 /* Ciphersuites using HMAC */
136 #if defined(MBEDTLS_SHA512_C)
137 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
138 #elif defined(MBEDTLS_SHA256_C)
139 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
140 #else
141 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
142 #endif
143 #else
144 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
145 #define MBEDTLS_SSL_MAC_ADD 16
146 #endif
147
148 #if defined(MBEDTLS_CIPHER_MODE_CBC)
149 #define MBEDTLS_SSL_PADDING_ADD 256
150 #else
151 #define MBEDTLS_SSL_PADDING_ADD 0
152 #endif
153
154 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \
155 MBEDTLS_MAX_IV_LENGTH + \
156 MBEDTLS_SSL_MAC_ADD + \
157 MBEDTLS_SSL_PADDING_ADD \
158 )
159
160 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
161 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
162
163 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
164 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
165
166 /* The maximum number of buffered handshake messages. */
167 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
168
169 /* Maximum length we can advertise as our max content length for
170 RFC 6066 max_fragment_length extension negotiation purposes
171 (the lesser of both sizes, if they are unequal.)
172 */
173 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
174 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
175 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
176 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
177 )
178
179 /*
180 * Check that we obey the standard's message size bounds
181 */
182
183 #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
184 #error "Bad configuration - record content too large."
185 #endif
186
187 #if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
188 #error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
189 #endif
190
191 #if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
192 #error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
193 #endif
194
195 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
196 #error "Bad configuration - incoming protected record payload too large."
197 #endif
198
199 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
200 #error "Bad configuration - outgoing protected record payload too large."
201 #endif
202
203 /* Calculate buffer sizes */
204
205 /* Note: Even though the TLS record header is only 5 bytes
206 long, we're internally using 8 bytes to store the
207 implicit sequence number. */
208 #define MBEDTLS_SSL_HEADER_LEN 13
209
210 #define MBEDTLS_SSL_IN_BUFFER_LEN \
211 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
212
213 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
214 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
215
216 #ifdef MBEDTLS_ZLIB_SUPPORT
217 /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
218 #define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
219 ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \
220 ? MBEDTLS_SSL_IN_BUFFER_LEN \
221 : MBEDTLS_SSL_OUT_BUFFER_LEN \
222 )
223 #endif
224
225 /*
226 * TLS extension flags (for extensions with outgoing ServerHello content
227 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
228 * of state of the renegotiation flag, so no indicator is required)
229 */
230 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
231 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
232
233 #ifdef __cplusplus
234 extern "C" {
235 #endif
236
237 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
238 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
239 /*
240 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
241 */
242 struct mbedtls_ssl_sig_hash_set_t
243 {
244 /* At the moment, we only need to remember a single suitable
245 * hash algorithm per signature algorithm. As long as that's
246 * the case - and we don't need a general lookup function -
247 * we can implement the sig-hash-set as a map from signatures
248 * to hash algorithms. */
249 mbedtls_md_type_t rsa;
250 mbedtls_md_type_t ecdsa;
251 };
252 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
253 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
254
255 /*
256 * This structure contains the parameters only needed during handshake.
257 */
258 struct mbedtls_ssl_handshake_params
259 {
260 /*
261 * Handshake specific crypto variables
262 */
263
264 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
265 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
266 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
267 #endif
268 #if defined(MBEDTLS_DHM_C)
269 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
270 #endif
271 #if defined(MBEDTLS_ECDH_C)
272 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
273 #endif
274 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
275 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
276 #if defined(MBEDTLS_SSL_CLI_C)
277 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
278 size_t ecjpake_cache_len; /*!< Length of cached data */
279 #endif
280 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
281 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
282 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
283 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
284 #endif
285 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
286 unsigned char *psk; /*!< PSK from the callback */
287 size_t psk_len; /*!< Length of PSK from callback */
288 #endif
289 #if defined(MBEDTLS_X509_CRT_PARSE_C)
290 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
291 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
292 int sni_authmode; /*!< authmode from SNI callback */
293 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
294 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
295 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
296 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
297 #endif /* MBEDTLS_X509_CRT_PARSE_C */
298 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
299 int ecrs_enabled; /*!< Handshake supports EC restart? */
300 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
301 enum { /* this complements ssl->state with info on intra-state operations */
302 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
303 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
304 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
305 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
306 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
307 } ecrs_state; /*!< current (or last) operation */
308 size_t ecrs_n; /*!< place for saving a length */
309 #endif
310 #if defined(MBEDTLS_SSL_PROTO_DTLS)
311 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
312 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
313
314 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
315 Srv: unused */
316 unsigned char verify_cookie_len; /*!< Cli: cookie length
317 Srv: flag for sending a cookie */
318
319 uint32_t retransmit_timeout; /*!< Current value of timeout */
320 unsigned char retransmit_state; /*!< Retransmission state */
321 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
322 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
323 unsigned char *cur_msg_p; /*!< Position in current message */
324 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
325 flight being received */
326 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
327 resending messages */
328 unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
329 for resending messages */
330
331 struct
332 {
333 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
334 * buffers used for message buffering. */
335
336 uint8_t seen_ccs; /*!< Indicates if a CCS message has
337 * been seen in the current flight. */
338
339 struct mbedtls_ssl_hs_buffer
340 {
341 unsigned is_valid : 1;
342 unsigned is_fragmented : 1;
343 unsigned is_complete : 1;
344 unsigned char *data;
345 size_t data_len;
346 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
347
348 struct
349 {
350 unsigned char *data;
351 size_t len;
352 unsigned epoch;
353 } future_record;
354
355 } buffering;
356
357 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
358 #endif /* MBEDTLS_SSL_PROTO_DTLS */
359
360 /*
361 * Checksum contexts
362 */
363 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
364 defined(MBEDTLS_SSL_PROTO_TLS1_1)
365 mbedtls_md5_context fin_md5;
366 mbedtls_sha1_context fin_sha1;
367 #endif
368 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
369 #if defined(MBEDTLS_SHA256_C)
370 mbedtls_sha256_context fin_sha256;
371 #endif
372 #if defined(MBEDTLS_SHA512_C)
373 mbedtls_sha512_context fin_sha512;
374 #endif
375 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
376
377 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
378 void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
379 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
380 int (*tls_prf)(const unsigned char *, size_t, const char *,
381 const unsigned char *, size_t,
382 unsigned char *, size_t);
383
384 size_t pmslen; /*!< premaster length */
385
386 unsigned char randbytes[64]; /*!< random bytes */
387 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
388 /*!< premaster secret */
389
390 int resume; /*!< session resume indicator*/
391 int max_major_ver; /*!< max. major version client*/
392 int max_minor_ver; /*!< max. minor version client*/
393 int cli_exts; /*!< client extension presence*/
394
395 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
396 int new_session_ticket; /*!< use NewSessionTicket? */
397 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
398 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
399 int extended_ms; /*!< use Extended Master Secret? */
400 #endif
401
402 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
403 unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
404 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
405
406 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
407 /** Asynchronous operation context. This field is meant for use by the
408 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
409 * mbedtls_ssl_config::f_async_decrypt_start,
410 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
411 * The library does not use it internally. */
412 void *user_async_ctx;
413 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
414 };
415
416 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
417
418 /*
419 * This structure contains a full set of runtime transform parameters
420 * either in negotiation or active.
421 */
422 struct mbedtls_ssl_transform
423 {
424 /*
425 * Session specific crypto layer
426 */
427 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
428 /*!< Chosen cipersuite_info */
429 unsigned int keylen; /*!< symmetric key length (bytes) */
430 size_t minlen; /*!< min. ciphertext length */
431 size_t ivlen; /*!< IV length */
432 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
433 size_t maclen; /*!< MAC length */
434
435 unsigned char iv_enc[16]; /*!< IV (encryption) */
436 unsigned char iv_dec[16]; /*!< IV (decryption) */
437
438 #if defined(MBEDTLS_SSL_PROTO_SSL3)
439 /* Needed only for SSL v3.0 secret */
440 unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
441 unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
442 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
443
444 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
445 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
446
447 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
448 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
449
450 /*
451 * Session specific compression layer
452 */
453 #if defined(MBEDTLS_ZLIB_SUPPORT)
454 z_stream ctx_deflate; /*!< compression context */
455 z_stream ctx_inflate; /*!< decompression context */
456 #endif
457 };
458
459 #if defined(MBEDTLS_X509_CRT_PARSE_C)
460 /*
461 * List of certificate + private key pairs
462 */
463 struct mbedtls_ssl_key_cert
464 {
465 mbedtls_x509_crt *cert; /*!< cert */
466 mbedtls_pk_context *key; /*!< private key */
467 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
468 };
469 #endif /* MBEDTLS_X509_CRT_PARSE_C */
470
471 #if defined(MBEDTLS_SSL_PROTO_DTLS)
472 /*
473 * List of handshake messages kept around for resending
474 */
475 struct mbedtls_ssl_flight_item
476 {
477 unsigned char *p; /*!< message, including handshake headers */
478 size_t len; /*!< length of p */
479 unsigned char type; /*!< type of the message: handshake or CCS */
480 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
481 };
482 #endif /* MBEDTLS_SSL_PROTO_DTLS */
483
484 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
485 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
486
487 /* Find an entry in a signature-hash set matching a given hash algorithm. */
488 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
489 mbedtls_pk_type_t sig_alg );
490 /* Add a signature-hash-pair to a signature-hash set */
491 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
492 mbedtls_pk_type_t sig_alg,
493 mbedtls_md_type_t md_alg );
494 /* Allow exactly one hash algorithm for each signature. */
495 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
496 mbedtls_md_type_t md_alg );
497
498 /* Setup an empty signature-hash set */
mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t * set)499 static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
500 {
501 mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
502 }
503
504 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
505 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
506
507 /**
508 * \brief Free referenced items in an SSL transform context and clear
509 * memory
510 *
511 * \param transform SSL transform context
512 */
513 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
514
515 /**
516 * \brief Free referenced items in an SSL handshake context and clear
517 * memory
518 *
519 * \param ssl SSL context
520 */
521 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
522
523 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
524 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
525 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
526
527 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
528
529 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
530 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
531
532 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
533 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
534 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
535
536 /**
537 * \brief Update record layer
538 *
539 * This function roughly separates the implementation
540 * of the logic of (D)TLS from the implementation
541 * of the secure transport.
542 *
543 * \param ssl The SSL context to use.
544 * \param update_hs_digest This indicates if the handshake digest
545 * should be automatically updated in case
546 * a handshake message is found.
547 *
548 * \return 0 or non-zero error code.
549 *
550 * \note A clarification on what is called 'record layer' here
551 * is in order, as many sensible definitions are possible:
552 *
553 * The record layer takes as input an untrusted underlying
554 * transport (stream or datagram) and transforms it into
555 * a serially multiplexed, secure transport, which
556 * conceptually provides the following:
557 *
558 * (1) Three datagram based, content-agnostic transports
559 * for handshake, alert and CCS messages.
560 * (2) One stream- or datagram-based transport
561 * for application data.
562 * (3) Functionality for changing the underlying transform
563 * securing the contents.
564 *
565 * The interface to this functionality is given as follows:
566 *
567 * a Updating
568 * [Currently implemented by mbedtls_ssl_read_record]
569 *
570 * Check if and on which of the four 'ports' data is pending:
571 * Nothing, a controlling datagram of type (1), or application
572 * data (2). In any case data is present, internal buffers
573 * provide access to the data for the user to process it.
574 * Consumption of type (1) datagrams is done automatically
575 * on the next update, invalidating that the internal buffers
576 * for previous datagrams, while consumption of application
577 * data (2) is user-controlled.
578 *
579 * b Reading of application data
580 * [Currently manual adaption of ssl->in_offt pointer]
581 *
582 * As mentioned in the last paragraph, consumption of data
583 * is different from the automatic consumption of control
584 * datagrams (1) because application data is treated as a stream.
585 *
586 * c Tracking availability of application data
587 * [Currently manually through decreasing ssl->in_msglen]
588 *
589 * For efficiency and to retain datagram semantics for
590 * application data in case of DTLS, the record layer
591 * provides functionality for checking how much application
592 * data is still available in the internal buffer.
593 *
594 * d Changing the transformation securing the communication.
595 *
596 * Given an opaque implementation of the record layer in the
597 * above sense, it should be possible to implement the logic
598 * of (D)TLS on top of it without the need to know anything
599 * about the record layer's internals. This is done e.g.
600 * in all the handshake handling functions, and in the
601 * application data reading function mbedtls_ssl_read.
602 *
603 * \note The above tries to give a conceptual picture of the
604 * record layer, but the current implementation deviates
605 * from it in some places. For example, our implementation of
606 * the update functionality through mbedtls_ssl_read_record
607 * discards datagrams depending on the current state, which
608 * wouldn't fall under the record layer's responsibility
609 * following the above definition.
610 *
611 */
612 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
613 unsigned update_hs_digest );
614 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
615
616 int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
617 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
618 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
619
620 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
621 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
622
623 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
624 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
625
626 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
627 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
628
629 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
630 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
631
632 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
633 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
634 #endif
635
636 #if defined(MBEDTLS_PK_C)
637 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
638 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
639 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
640 #endif
641
642 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
643 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
644 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
645
646 #if defined(MBEDTLS_ECP_C)
647 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
648 #endif
649
650 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
651 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
652 mbedtls_md_type_t md );
653 #endif
654
655 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)656 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
657 {
658 mbedtls_ssl_key_cert *key_cert;
659
660 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
661 key_cert = ssl->handshake->key_cert;
662 else
663 key_cert = ssl->conf->key_cert;
664
665 return( key_cert == NULL ? NULL : key_cert->key );
666 }
667
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)668 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
669 {
670 mbedtls_ssl_key_cert *key_cert;
671
672 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
673 key_cert = ssl->handshake->key_cert;
674 else
675 key_cert = ssl->conf->key_cert;
676
677 return( key_cert == NULL ? NULL : key_cert->cert );
678 }
679
680 /*
681 * Check usage of a certificate wrt extensions:
682 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
683 *
684 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
685 * check a cert we received from them)!
686 *
687 * Return 0 if everything is OK, -1 if not.
688 */
689 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
690 const mbedtls_ssl_ciphersuite_t *ciphersuite,
691 int cert_endpoint,
692 uint32_t *flags );
693 #endif /* MBEDTLS_X509_CRT_PARSE_C */
694
695 void mbedtls_ssl_write_version( int major, int minor, int transport,
696 unsigned char ver[2] );
697 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
698 const unsigned char ver[2] );
699
mbedtls_ssl_hdr_len(const mbedtls_ssl_context * ssl)700 static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl )
701 {
702 #if defined(MBEDTLS_SSL_PROTO_DTLS)
703 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
704 return( 13 );
705 #else
706 ((void) ssl);
707 #endif
708 return( 5 );
709 }
710
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)711 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
712 {
713 #if defined(MBEDTLS_SSL_PROTO_DTLS)
714 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
715 return( 12 );
716 #else
717 ((void) ssl);
718 #endif
719 return( 4 );
720 }
721
722 #if defined(MBEDTLS_SSL_PROTO_DTLS)
723 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
724 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
725 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
726 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
727 #endif
728
729 /* Visible for testing purposes only */
730 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
731 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
732 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
733 #endif
734
735 /* constant-time buffer comparison */
mbedtls_ssl_safer_memcmp(const void * a,const void * b,size_t n)736 static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
737 {
738 size_t i;
739 volatile const unsigned char *A = (volatile const unsigned char *) a;
740 volatile const unsigned char *B = (volatile const unsigned char *) b;
741 volatile unsigned char diff = 0;
742
743 for( i = 0; i < n; i++ )
744 {
745 /* Read volatile data in order before computing diff.
746 * This avoids IAR compiler warning:
747 * 'the order of volatile accesses is undefined ..' */
748 unsigned char x = A[i], y = B[i];
749 diff |= x ^ y;
750 }
751
752 return( diff );
753 }
754
755 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
756 defined(MBEDTLS_SSL_PROTO_TLS1_1)
757 int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
758 unsigned char *output,
759 unsigned char *data, size_t data_len );
760 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
761 MBEDTLS_SSL_PROTO_TLS1_1 */
762
763 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
764 defined(MBEDTLS_SSL_PROTO_TLS1_2)
765 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
766 unsigned char *hash, size_t *hashlen,
767 unsigned char *data, size_t data_len,
768 mbedtls_md_type_t md_alg );
769 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
770 MBEDTLS_SSL_PROTO_TLS1_2 */
771
772 #ifdef __cplusplus
773 }
774 #endif
775
776 #endif /* ssl_internal.h */
777