1 /**
2 * \file ssl_misc.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6 /*
7 * Copyright The Mbed TLS Contributors
8 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
21 */
22 #ifndef MBEDTLS_SSL_MISC_H
23 #define MBEDTLS_SSL_MISC_H
24
25 #include "mbedtls/build_info.h"
26
27 #include "mbedtls/ssl.h"
28 #include "mbedtls/cipher.h"
29
30 #if defined(MBEDTLS_USE_PSA_CRYPTO)
31 #include "psa/crypto.h"
32 #endif
33
34 #if defined(MBEDTLS_MD5_C)
35 #include "mbedtls/md5.h"
36 #endif
37
38 #if defined(MBEDTLS_SHA1_C)
39 #include "mbedtls/sha1.h"
40 #endif
41
42 #if defined(MBEDTLS_SHA256_C)
43 #include "mbedtls/sha256.h"
44 #endif
45
46 #if defined(MBEDTLS_SHA512_C)
47 #include "mbedtls/sha512.h"
48 #endif
49
50 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
51 #include "mbedtls/ecjpake.h"
52 #endif
53
54 #if defined(MBEDTLS_USE_PSA_CRYPTO)
55 #include "psa/crypto.h"
56 #include "mbedtls/psa_util.h"
57 #endif /* MBEDTLS_USE_PSA_CRYPTO */
58
59 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
60 !defined(inline) && !defined(__cplusplus)
61 #define inline __inline
62 #endif
63
64 /* Legacy minor version numbers as defined by:
65 * - RFC 2246: ProtocolVersion version = { 3, 1 }; // TLS v1.0
66 * - RFC 4346: ProtocolVersion version = { 3, 2 }; // TLS v1.1
67 *
68 * We no longer support these versions, but some code still references those
69 * constants as part of negotiating with the peer, so keep them available
70 * internally.
71 */
72 #define MBEDTLS_SSL_MINOR_VERSION_1 1
73 #define MBEDTLS_SSL_MINOR_VERSION_2 2
74
75 /* Determine minimum supported version */
76 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
77
78 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
79 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
80 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
81
82 #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
83 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
84
85 /* Determine maximum supported version */
86 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
87
88 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
89 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
90 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
91
92 /* Shorthand for restartable ECC */
93 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
94 defined(MBEDTLS_SSL_CLI_C) && \
95 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
96 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
97 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
98 #endif
99
100 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
101 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
102 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
103 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
104
105 /*
106 * Mask of TLS 1.3 handshake extensions used in extensions_present
107 * of mbedtls_ssl_handshake_params.
108 */
109 #define MBEDTLS_SSL_EXT_NONE 0
110
111 #define MBEDTLS_SSL_EXT_SERVERNAME ( 1 << 0 )
112 #define MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ( 1 << 1 )
113 #define MBEDTLS_SSL_EXT_STATUS_REQUEST ( 1 << 2 )
114 #define MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ( 1 << 3 )
115 #define MBEDTLS_SSL_EXT_SIG_ALG ( 1 << 4 )
116 #define MBEDTLS_SSL_EXT_USE_SRTP ( 1 << 5 )
117 #define MBEDTLS_SSL_EXT_HEARTBEAT ( 1 << 6 )
118 #define MBEDTLS_SSL_EXT_ALPN ( 1 << 7 )
119 #define MBEDTLS_SSL_EXT_SCT ( 1 << 8 )
120 #define MBEDTLS_SSL_EXT_CLI_CERT_TYPE ( 1 << 9 )
121 #define MBEDTLS_SSL_EXT_SERV_CERT_TYPE ( 1 << 10 )
122 #define MBEDTLS_SSL_EXT_PADDING ( 1 << 11 )
123 #define MBEDTLS_SSL_EXT_PRE_SHARED_KEY ( 1 << 12 )
124 #define MBEDTLS_SSL_EXT_EARLY_DATA ( 1 << 13 )
125 #define MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ( 1 << 14 )
126 #define MBEDTLS_SSL_EXT_COOKIE ( 1 << 15 )
127 #define MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ( 1 << 16 )
128 #define MBEDTLS_SSL_EXT_CERT_AUTH ( 1 << 17 )
129 #define MBEDTLS_SSL_EXT_OID_FILTERS ( 1 << 18 )
130 #define MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ( 1 << 19 )
131 #define MBEDTLS_SSL_EXT_SIG_ALG_CERT ( 1 << 20 )
132 #define MBEDTLS_SSL_EXT_KEY_SHARE ( 1 << 21 )
133
134 /*
135 * Helper macros for function call with return check.
136 */
137 /*
138 * Exit when return non-zero value
139 */
140 #define MBEDTLS_SSL_PROC_CHK( f ) \
141 do { \
142 ret = ( f ); \
143 if( ret != 0 ) \
144 { \
145 goto cleanup; \
146 } \
147 } while( 0 )
148 /*
149 * Exit when return negative value
150 */
151 #define MBEDTLS_SSL_PROC_CHK_NEG( f ) \
152 do { \
153 ret = ( f ); \
154 if( ret < 0 ) \
155 { \
156 goto cleanup; \
157 } \
158 } while( 0 )
159
160 /*
161 * DTLS retransmission states, see RFC 6347 4.2.4
162 *
163 * The SENDING state is merged in PREPARING for initial sends,
164 * but is distinct for resends.
165 *
166 * Note: initial state is wrong for server, but is not used anyway.
167 */
168 #define MBEDTLS_SSL_RETRANS_PREPARING 0
169 #define MBEDTLS_SSL_RETRANS_SENDING 1
170 #define MBEDTLS_SSL_RETRANS_WAITING 2
171 #define MBEDTLS_SSL_RETRANS_FINISHED 3
172
173 /*
174 * Allow extra bytes for record, authentication and encryption overhead:
175 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
176 */
177
178 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
179
180 /* This macro determines whether CBC is supported. */
181 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \
182 ( defined(MBEDTLS_AES_C) || \
183 defined(MBEDTLS_CAMELLIA_C) || \
184 defined(MBEDTLS_ARIA_C) || \
185 defined(MBEDTLS_DES_C) )
186 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
187 #endif
188
189 /* This macro determines whether a ciphersuite using a
190 * stream cipher can be used. */
191 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
192 #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
193 #endif
194
195 /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
196 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
197 defined(MBEDTLS_SSL_PROTO_TLS1_2)
198 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
199 #endif
200
201 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
202 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
203 #define MBEDTLS_SSL_SOME_SUITES_USE_MAC
204 #endif
205
206 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
207
208 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
209 /* Ciphersuites using HMAC */
210 #if defined(MBEDTLS_SHA384_C)
211 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
212 #elif defined(MBEDTLS_SHA256_C)
213 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
214 #else
215 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
216 #endif
217 #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
218 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
219 #define MBEDTLS_SSL_MAC_ADD 16
220 #endif
221
222 #if defined(MBEDTLS_CIPHER_MODE_CBC)
223 #define MBEDTLS_SSL_PADDING_ADD 256
224 #else
225 #define MBEDTLS_SSL_PADDING_ADD 0
226 #endif
227
228 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
229 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
230 #else
231 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
232 #endif
233
234 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_MAX_IV_LENGTH + \
235 MBEDTLS_SSL_MAC_ADD + \
236 MBEDTLS_SSL_PADDING_ADD + \
237 MBEDTLS_SSL_MAX_CID_EXPANSION \
238 )
239
240 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
241 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
242
243 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
244 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
245
246 /* The maximum number of buffered handshake messages. */
247 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
248
249 /* Maximum length we can advertise as our max content length for
250 RFC 6066 max_fragment_length extension negotiation purposes
251 (the lesser of both sizes, if they are unequal.)
252 */
253 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
254 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
255 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
256 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
257 )
258
259 /* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
260 #define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN 65534
261
262 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
263 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
264
265 /*
266 * Check that we obey the standard's message size bounds
267 */
268
269 #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
270 #error "Bad configuration - incoming record content too large."
271 #endif
272
273 #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
274 #error "Bad configuration - outgoing record content too large."
275 #endif
276
277 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
278 #error "Bad configuration - incoming protected record payload too large."
279 #endif
280
281 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
282 #error "Bad configuration - outgoing protected record payload too large."
283 #endif
284
285 /* Calculate buffer sizes */
286
287 /* Note: Even though the TLS record header is only 5 bytes
288 long, we're internally using 8 bytes to store the
289 implicit sequence number. */
290 #define MBEDTLS_SSL_HEADER_LEN 13
291
292 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
293 #define MBEDTLS_SSL_IN_BUFFER_LEN \
294 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
295 #else
296 #define MBEDTLS_SSL_IN_BUFFER_LEN \
297 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
298 + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
299 #endif
300
301 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
302 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
303 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
304 #else
305 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
306 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) \
307 + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
308 #endif
309
310 #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
311 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
312
313 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
314 /**
315 * \brief Return the maximum fragment length (payload, in bytes) for
316 * the output buffer. For the client, this is the configured
317 * value. For the server, it is the minimum of two - the
318 * configured value and the negotiated one.
319 *
320 * \sa mbedtls_ssl_conf_max_frag_len()
321 * \sa mbedtls_ssl_get_max_out_record_payload()
322 *
323 * \param ssl SSL context
324 *
325 * \return Current maximum fragment length for the output buffer.
326 */
327 size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl );
328
329 /**
330 * \brief Return the maximum fragment length (payload, in bytes) for
331 * the input buffer. This is the negotiated maximum fragment
332 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
333 * If it is not defined either, the value is 2^14. This function
334 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
335 *
336 * \sa mbedtls_ssl_conf_max_frag_len()
337 * \sa mbedtls_ssl_get_max_in_record_payload()
338 *
339 * \param ssl SSL context
340 *
341 * \return Current maximum fragment length for the output buffer.
342 */
343 size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl );
344 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
345
346 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context * ctx)347 static inline size_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx )
348 {
349 #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
350 return mbedtls_ssl_get_output_max_frag_len( ctx )
351 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
352 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
353 #else
354 return mbedtls_ssl_get_output_max_frag_len( ctx )
355 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
356 #endif
357 }
358
mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context * ctx)359 static inline size_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx )
360 {
361 #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
362 return mbedtls_ssl_get_input_max_frag_len( ctx )
363 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
364 + MBEDTLS_SSL_CID_IN_LEN_MAX;
365 #else
366 return mbedtls_ssl_get_input_max_frag_len( ctx )
367 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
368 #endif
369 }
370 #endif
371
372 /*
373 * TLS extension flags (for extensions with outgoing ServerHello content
374 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
375 * of state of the renegotiation flag, so no indicator is required)
376 */
377 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
378 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
379
380 /**
381 * \brief This function checks if the remaining size in a buffer is
382 * greater or equal than a needed space.
383 *
384 * \param cur Pointer to the current position in the buffer.
385 * \param end Pointer to one past the end of the buffer.
386 * \param need Needed space in bytes.
387 *
388 * \return Zero if the needed space is available in the buffer, non-zero
389 * otherwise.
390 */
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)391 static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
392 const uint8_t *end, size_t need )
393 {
394 return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
395 }
396
397 /**
398 * \brief This macro checks if the remaining size in a buffer is
399 * greater or equal than a needed space. If it is not the case,
400 * it returns an SSL_BUFFER_TOO_SMALL error.
401 *
402 * \param cur Pointer to the current position in the buffer.
403 * \param end Pointer to one past the end of the buffer.
404 * \param need Needed space in bytes.
405 *
406 */
407 #define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need ) \
408 do { \
409 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
410 { \
411 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); \
412 } \
413 } while( 0 )
414
415 /**
416 * \brief This macro checks if the remaining length in an input buffer is
417 * greater or equal than a needed length. If it is not the case, it
418 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
419 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
420 *
421 * This is a function-like macro. It is guaranteed to evaluate each
422 * argument exactly once.
423 *
424 * \param cur Pointer to the current position in the buffer.
425 * \param end Pointer to one past the end of the buffer.
426 * \param need Needed length in bytes.
427 *
428 */
429 #define MBEDTLS_SSL_CHK_BUF_READ_PTR( cur, end, need ) \
430 do { \
431 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
432 { \
433 MBEDTLS_SSL_DEBUG_MSG( 1, \
434 ( "missing input data in %s", __func__ ) ); \
435 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
436 MBEDTLS_ERR_SSL_DECODE_ERROR ); \
437 return( MBEDTLS_ERR_SSL_DECODE_ERROR ); \
438 } \
439 } while( 0 )
440
441 #ifdef __cplusplus
442 extern "C" {
443 #endif
444
445 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
446 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
447 /*
448 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
449 */
450 struct mbedtls_ssl_sig_hash_set_t
451 {
452 /* At the moment, we only need to remember a single suitable
453 * hash algorithm per signature algorithm. As long as that's
454 * the case - and we don't need a general lookup function -
455 * we can implement the sig-hash-set as a map from signatures
456 * to hash algorithms. */
457 mbedtls_md_type_t rsa;
458 mbedtls_md_type_t ecdsa;
459 };
460 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
461 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
462
463 typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
464 const char *label,
465 const unsigned char *random, size_t rlen,
466 unsigned char *dstbuf, size_t dlen );
467
468 /* cipher.h exports the maximum IV, key and block length from
469 * all ciphers enabled in the config, regardless of whether those
470 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
471 * in the default configuration and uses 64 Byte keys, but it is
472 * not used for record protection in SSL/TLS.
473 *
474 * In order to prevent unnecessary inflation of key structures,
475 * we introduce SSL-specific variants of the max-{key,block,IV}
476 * macros here which are meant to only take those ciphers into
477 * account which can be negotiated in SSL/TLS.
478 *
479 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
480 * in cipher.h are rough overapproximations of the real maxima, here
481 * we content ourselves with replicating those overapproximations
482 * for the maximum block and IV length, and excluding XTS from the
483 * computation of the maximum key length. */
484 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
485 #define MBEDTLS_SSL_MAX_IV_LENGTH 16
486 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32
487
488 /**
489 * \brief The data structure holding the cryptographic material (key and IV)
490 * used for record protection in TLS 1.3.
491 */
492 struct mbedtls_ssl_key_set
493 {
494 /*! The key for client->server records. */
495 unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
496 /*! The key for server->client records. */
497 unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
498 /*! The IV for client->server records. */
499 unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
500 /*! The IV for server->client records. */
501 unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
502
503 size_t key_len; /*!< The length of client_write_key and
504 * server_write_key, in Bytes. */
505 size_t iv_len; /*!< The length of client_write_iv and
506 * server_write_iv, in Bytes. */
507 };
508 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
509
510 typedef struct
511 {
512 unsigned char binder_key [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
513 unsigned char client_early_traffic_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
514 unsigned char early_exporter_master_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
515 } mbedtls_ssl_tls1_3_early_secrets;
516
517 typedef struct
518 {
519 unsigned char client_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
520 unsigned char server_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
521 } mbedtls_ssl_tls1_3_handshake_secrets;
522
523 /*
524 * This structure contains the parameters only needed during handshake.
525 */
526 struct mbedtls_ssl_handshake_params
527 {
528 /*
529 * Handshake specific crypto variables
530 */
531 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
532 int tls1_3_kex_modes; /*!< key exchange modes for TLS 1.3 */
533 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
534
535 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
536 const uint16_t *group_list;
537 unsigned char group_list_heap_allocated;
538 #endif
539
540 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
541 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
542 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
543 #endif
544 #if defined(MBEDTLS_DHM_C)
545 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
546 #endif
547 /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
548 * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap
549 * in functionality that access to ecdh_ctx structure is needed for
550 * MBEDTLS_ECDSA_C which does not seem correct.
551 */
552 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
553 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
554
555 #if defined(MBEDTLS_USE_PSA_CRYPTO)
556 psa_key_type_t ecdh_psa_type;
557 uint16_t ecdh_bits;
558 psa_key_id_t ecdh_psa_privkey;
559 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
560 size_t ecdh_psa_peerkey_len;
561 #endif /* MBEDTLS_USE_PSA_CRYPTO */
562 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
563
564 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
565 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
566 #if defined(MBEDTLS_SSL_CLI_C)
567 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
568 size_t ecjpake_cache_len; /*!< Length of cached data */
569 #endif
570 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
571 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
572 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
573 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
574 #endif
575 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
576 #if defined(MBEDTLS_USE_PSA_CRYPTO)
577 psa_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
578 #endif /* MBEDTLS_USE_PSA_CRYPTO */
579 unsigned char *psk; /*!< PSK from the callback */
580 size_t psk_len; /*!< Length of PSK from callback */
581 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
582 #if defined(MBEDTLS_X509_CRT_PARSE_C)
583 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
584 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
585 int sni_authmode; /*!< authmode from SNI callback */
586 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
587 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
588 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
589 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
590 #endif /* MBEDTLS_X509_CRT_PARSE_C */
591 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
592 int ecrs_enabled; /*!< Handshake supports EC restart? */
593 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
594 enum { /* this complements ssl->state with info on intra-state operations */
595 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
596 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
597 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
598 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
599 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
600 } ecrs_state; /*!< current (or last) operation */
601 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
602 size_t ecrs_n; /*!< place for saving a length */
603 #endif
604 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
605 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
606 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
607 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
608 #if defined(MBEDTLS_SSL_PROTO_DTLS)
609 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
610 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
611
612 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
613 Srv: unused */
614 unsigned char verify_cookie_len; /*!< Cli: cookie length
615 Srv: flag for sending a cookie */
616
617 uint32_t retransmit_timeout; /*!< Current value of timeout */
618 unsigned char retransmit_state; /*!< Retransmission state */
619 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
620 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
621 unsigned char *cur_msg_p; /*!< Position in current message */
622 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
623 flight being received */
624 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
625 resending messages */
626 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
627 for resending messages */
628
629 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
630 /* The state of CID configuration in this handshake. */
631
632 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
633 * has been negotiated. Possible values are
634 * #MBEDTLS_SSL_CID_ENABLED and
635 * #MBEDTLS_SSL_CID_DISABLED. */
636 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
637 uint8_t peer_cid_len; /*!< The length of
638 * \c peer_cid. */
639 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
640
641 struct
642 {
643 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
644 * buffers used for message buffering. */
645
646 uint8_t seen_ccs; /*!< Indicates if a CCS message has
647 * been seen in the current flight. */
648
649 struct mbedtls_ssl_hs_buffer
650 {
651 unsigned is_valid : 1;
652 unsigned is_fragmented : 1;
653 unsigned is_complete : 1;
654 unsigned char *data;
655 size_t data_len;
656 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
657
658 struct
659 {
660 unsigned char *data;
661 size_t len;
662 unsigned epoch;
663 } future_record;
664
665 } buffering;
666
667 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
668 #endif /* MBEDTLS_SSL_PROTO_DTLS */
669
670 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
671 /*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages.
672 * Those pointers own the transforms they reference. */
673 mbedtls_ssl_transform *transform_handshake;
674 mbedtls_ssl_transform *transform_earlydata;
675 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
676
677 /*
678 * Checksum contexts
679 */
680 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
681 #if defined(MBEDTLS_SHA256_C)
682 #if defined(MBEDTLS_USE_PSA_CRYPTO)
683 psa_hash_operation_t fin_sha256_psa;
684 #else
685 mbedtls_sha256_context fin_sha256;
686 #endif
687 #endif
688 #if defined(MBEDTLS_SHA384_C)
689 #if defined(MBEDTLS_USE_PSA_CRYPTO)
690 psa_hash_operation_t fin_sha384_psa;
691 #else
692 mbedtls_sha512_context fin_sha512;
693 #endif
694 #endif
695 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
696
697 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
698 void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
699 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
700 mbedtls_ssl_tls_prf_cb *tls_prf;
701
702 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
703 uint16_t offered_group_id; /* The NamedGroup value for the group
704 * that is being used for ephemeral
705 * key exchange.
706 *
707 * On the client: Defaults to the first
708 * entry in the client's group list,
709 * but can be overwritten by the HRR. */
710 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
711
712 /*
713 * State-local variables used during the processing
714 * of a specific handshake state.
715 */
716 union
717 {
718 /* Outgoing Finished message */
719 struct
720 {
721 uint8_t preparation_done;
722
723 /* Buffer holding digest of the handshake up to
724 * but excluding the outgoing finished message. */
725 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
726 size_t digest_len;
727 } finished_out;
728
729 /* Incoming Finished message */
730 struct
731 {
732 uint8_t preparation_done;
733
734 /* Buffer holding digest of the handshake up to but
735 * excluding the peer's incoming finished message. */
736 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
737 size_t digest_len;
738 } finished_in;
739
740 } state_local;
741
742 /* End of state-local variables. */
743
744 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
745
746 size_t pmslen; /*!< premaster length */
747
748 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
749 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
750 /*!< random bytes */
751 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
752 /*!< premaster secret */
753
754 int resume; /*!< session resume indicator*/
755 int max_major_ver; /*!< max. major version client*/
756 int max_minor_ver; /*!< max. minor version client*/
757 int cli_exts; /*!< client extension presence*/
758 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
759 int extensions_present; /*!< extension presence; Each bitfield
760 represents an extension and defined
761 as \c MBEDTLS_SSL_EXT_XXX */
762
763 union
764 {
765 unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE];
766 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
767 unsigned char app [MBEDTLS_TLS1_3_MD_MAX_SIZE];
768 } tls1_3_master_secrets;
769
770 mbedtls_ssl_tls1_3_handshake_secrets tls13_hs_secrets;
771 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
772
773 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
774 int new_session_ticket; /*!< use NewSessionTicket? */
775 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
776 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
777 int extended_ms; /*!< use Extended Master Secret? */
778 #endif
779
780 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
781 unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
782 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
783
784 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
785 /** Asynchronous operation context. This field is meant for use by the
786 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
787 * mbedtls_ssl_config::f_async_decrypt_start,
788 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
789 * The library does not use it internally. */
790 void *user_async_ctx;
791 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
792 };
793
794 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
795
796 /*
797 * Representation of decryption/encryption transformations on records
798 *
799 * There are the following general types of record transformations:
800 * - Stream transformations (TLS versions == 1.2 only)
801 * Transformation adding a MAC and applying a stream-cipher
802 * to the authenticated message.
803 * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
804 * For TLS 1.2, no IV is generated at key extraction time, but every
805 * encrypted record is explicitly prefixed by the IV with which it was
806 * encrypted.
807 * - AEAD transformations ([D]TLS versions == 1.2 only)
808 * These come in two fundamentally different versions, the first one
809 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
810 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
811 * In the first transformation, the IV to be used for a record is obtained
812 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
813 * record sequence number, and explicitly prepending this sequence number
814 * to the encrypted record. In contrast, in the second transformation
815 * the IV is obtained by XOR'ing a static IV obtained at key extraction
816 * time with the 8-byte record sequence number, without prepending the
817 * latter to the encrypted record.
818 *
819 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
820 * which allows to add flexible length padding and to hide a record's true
821 * content type.
822 *
823 * In addition to type and version, the following parameters are relevant:
824 * - The symmetric cipher algorithm to be used.
825 * - The (static) encryption/decryption keys for the cipher.
826 * - For stream/CBC, the type of message digest to be used.
827 * - For stream/CBC, (static) encryption/decryption keys for the digest.
828 * - For AEAD transformations, the size (potentially 0) of an explicit,
829 * random initialization vector placed in encrypted records.
830 * - For some transformations (currently AEAD) an implicit IV. It is static
831 * and (if present) is combined with the explicit IV in a transformation-
832 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
833 * - For stream/CBC, a flag determining the order of encryption and MAC.
834 * - The details of the transformation depend on the SSL/TLS version.
835 * - The length of the authentication tag.
836 *
837 * The struct below refines this abstract view as follows:
838 * - The cipher underlying the transformation is managed in
839 * cipher contexts cipher_ctx_{enc/dec}, which must have the
840 * same cipher type. The mode of these cipher contexts determines
841 * the type of the transformation in the sense above: e.g., if
842 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
843 * then the transformation has type CBC resp. AEAD.
844 * - The cipher keys are never stored explicitly but
845 * are maintained within cipher_ctx_{enc/dec}.
846 * - For stream/CBC transformations, the message digest contexts
847 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
848 * are unused for AEAD transformations.
849 * - For stream/CBC transformations, the MAC keys are not stored explicitly
850 * but maintained within md_ctx_{enc/dec}.
851 * - The mac_enc and mac_dec fields are unused for EAD transformations.
852 * - For transformations using an implicit IV maintained within
853 * the transformation context, its contents are stored within
854 * iv_{enc/dec}.
855 * - The value of ivlen indicates the length of the IV.
856 * This is redundant in case of stream/CBC transformations
857 * which always use 0 resp. the cipher's block length as the
858 * IV length, but is needed for AEAD ciphers and may be
859 * different from the underlying cipher's block length
860 * in this case.
861 * - The field fixed_ivlen is nonzero for AEAD transformations only
862 * and indicates the length of the static part of the IV which is
863 * constant throughout the communication, and which is stored in
864 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
865 * - minor_ver denotes the SSL/TLS version
866 * - For stream/CBC transformations, maclen denotes the length of the
867 * authentication tag, while taglen is unused and 0.
868 * - For AEAD transformations, taglen denotes the length of the
869 * authentication tag, while maclen is unused and 0.
870 * - For CBC transformations, encrypt_then_mac determines the
871 * order of encryption and authentication. This field is unused
872 * in other transformations.
873 *
874 */
875 struct mbedtls_ssl_transform
876 {
877 /*
878 * Session specific crypto layer
879 */
880 size_t minlen; /*!< min. ciphertext length */
881 size_t ivlen; /*!< IV length */
882 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
883 size_t maclen; /*!< MAC(CBC) len */
884 size_t taglen; /*!< TAG(AEAD) len */
885
886 unsigned char iv_enc[16]; /*!< IV (encryption) */
887 unsigned char iv_dec[16]; /*!< IV (decryption) */
888
889 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
890
891 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
892 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
893
894 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
895 int encrypt_then_mac; /*!< flag for EtM activation */
896 #endif
897
898 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
899
900 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
901 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
902 int minor_ver;
903
904 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
905 uint8_t in_cid_len;
906 uint8_t out_cid_len;
907 unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
908 unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
909 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
910
911 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
912 /* We need the Hello random bytes in order to re-derive keys from the
913 * Master Secret and other session info,
914 * see ssl_tls12_populate_transform() */
915 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
916 MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
917 /*!< ServerHello.random+ClientHello.random */
918 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
919 };
920
921 /*
922 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
923 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
924 */
mbedtls_ssl_transform_uses_aead(const mbedtls_ssl_transform * transform)925 static inline int mbedtls_ssl_transform_uses_aead(
926 const mbedtls_ssl_transform *transform )
927 {
928 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
929 return( transform->maclen == 0 && transform->taglen != 0 );
930 #else
931 (void) transform;
932 return( 1 );
933 #endif
934 }
935
936 /*
937 * Internal representation of record frames
938 *
939 * Instances come in two flavors:
940 * (1) Encrypted
941 * These always have data_offset = 0
942 * (2) Unencrypted
943 * These have data_offset set to the amount of
944 * pre-expansion during record protection. Concretely,
945 * this is the length of the fixed part of the explicit IV
946 * used for encryption, or 0 if no explicit IV is used
947 * (e.g. for stream ciphers).
948 *
949 * The reason for the data_offset in the unencrypted case
950 * is to allow for in-place conversion of an unencrypted to
951 * an encrypted record. If the offset wasn't included, the
952 * encrypted content would need to be shifted afterwards to
953 * make space for the fixed IV.
954 *
955 */
956 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
957 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
958 #else
959 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
960 #endif
961
962 typedef struct
963 {
964 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
965 * In DTLS: The 2-byte epoch followed by
966 * the 6-byte sequence number.
967 * This is stored as a raw big endian byte array
968 * as opposed to a uint64_t because we rarely
969 * need to perform arithmetic on this, but do
970 * need it as a Byte array for the purpose of
971 * MAC computations. */
972 uint8_t type; /* The record content type. */
973 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
974 * Convert to internal presentation of versions
975 * using mbedtls_ssl_read_version() and
976 * mbedtls_ssl_write_version().
977 * Keep wire-format for MAC computations. */
978
979 unsigned char *buf; /* Memory buffer enclosing the record content */
980 size_t buf_len; /* Buffer length */
981 size_t data_offset; /* Offset of record content */
982 size_t data_len; /* Length of record content */
983
984 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
985 uint8_t cid_len; /* Length of the CID (0 if not present) */
986 unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID */
987 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
988 } mbedtls_record;
989
990 #if defined(MBEDTLS_X509_CRT_PARSE_C)
991 /*
992 * List of certificate + private key pairs
993 */
994 struct mbedtls_ssl_key_cert
995 {
996 mbedtls_x509_crt *cert; /*!< cert */
997 mbedtls_pk_context *key; /*!< private key */
998 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
999 };
1000 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1001
1002 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1003 /*
1004 * List of handshake messages kept around for resending
1005 */
1006 struct mbedtls_ssl_flight_item
1007 {
1008 unsigned char *p; /*!< message, including handshake headers */
1009 size_t len; /*!< length of p */
1010 unsigned char type; /*!< type of the message: handshake or CCS */
1011 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
1012 };
1013 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1014
1015 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1016 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1017
1018 /* Find an entry in a signature-hash set matching a given hash algorithm. */
1019 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
1020 mbedtls_pk_type_t sig_alg );
1021 /* Add a signature-hash-pair to a signature-hash set */
1022 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
1023 mbedtls_pk_type_t sig_alg,
1024 mbedtls_md_type_t md_alg );
1025 /* Allow exactly one hash algorithm for each signature. */
1026 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
1027 mbedtls_md_type_t md_alg );
1028
1029 /* Setup an empty signature-hash set */
mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t * set)1030 static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
1031 {
1032 mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
1033 }
1034
1035 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
1036 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1037
1038 /**
1039 * \brief Free referenced items in an SSL transform context and clear
1040 * memory
1041 *
1042 * \param transform SSL transform context
1043 */
1044 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
1045
1046 /**
1047 * \brief Free referenced items in an SSL handshake context and clear
1048 * memory
1049 *
1050 * \param ssl SSL context
1051 */
1052 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
1053
1054 /* set inbound transform of ssl context */
1055 void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl,
1056 mbedtls_ssl_transform *transform );
1057
1058 /* set outbound transform of ssl context */
1059 void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
1060 mbedtls_ssl_transform *transform );
1061
1062 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1063 int mbedtls_ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
1064 unsigned char *buf,
1065 const unsigned char *end,
1066 size_t *olen );
1067 #endif
1068
1069 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
1070 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
1071 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
1072 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
1073 /**
1074 * \brief TLS 1.3 client side state machine entry
1075 *
1076 * \param ssl SSL context
1077 */
1078 int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl );
1079
1080 /**
1081 * \brief TLS 1.3 server side state machine entry
1082 *
1083 * \param ssl SSL context
1084 */
1085 int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl );
1086 #endif
1087
1088 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
1089
1090 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
1091 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
1092
1093 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
1094 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
1095 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
1096
1097 /**
1098 * \brief Update record layer
1099 *
1100 * This function roughly separates the implementation
1101 * of the logic of (D)TLS from the implementation
1102 * of the secure transport.
1103 *
1104 * \param ssl The SSL context to use.
1105 * \param update_hs_digest This indicates if the handshake digest
1106 * should be automatically updated in case
1107 * a handshake message is found.
1108 *
1109 * \return 0 or non-zero error code.
1110 *
1111 * \note A clarification on what is called 'record layer' here
1112 * is in order, as many sensible definitions are possible:
1113 *
1114 * The record layer takes as input an untrusted underlying
1115 * transport (stream or datagram) and transforms it into
1116 * a serially multiplexed, secure transport, which
1117 * conceptually provides the following:
1118 *
1119 * (1) Three datagram based, content-agnostic transports
1120 * for handshake, alert and CCS messages.
1121 * (2) One stream- or datagram-based transport
1122 * for application data.
1123 * (3) Functionality for changing the underlying transform
1124 * securing the contents.
1125 *
1126 * The interface to this functionality is given as follows:
1127 *
1128 * a Updating
1129 * [Currently implemented by mbedtls_ssl_read_record]
1130 *
1131 * Check if and on which of the four 'ports' data is pending:
1132 * Nothing, a controlling datagram of type (1), or application
1133 * data (2). In any case data is present, internal buffers
1134 * provide access to the data for the user to process it.
1135 * Consumption of type (1) datagrams is done automatically
1136 * on the next update, invalidating that the internal buffers
1137 * for previous datagrams, while consumption of application
1138 * data (2) is user-controlled.
1139 *
1140 * b Reading of application data
1141 * [Currently manual adaption of ssl->in_offt pointer]
1142 *
1143 * As mentioned in the last paragraph, consumption of data
1144 * is different from the automatic consumption of control
1145 * datagrams (1) because application data is treated as a stream.
1146 *
1147 * c Tracking availability of application data
1148 * [Currently manually through decreasing ssl->in_msglen]
1149 *
1150 * For efficiency and to retain datagram semantics for
1151 * application data in case of DTLS, the record layer
1152 * provides functionality for checking how much application
1153 * data is still available in the internal buffer.
1154 *
1155 * d Changing the transformation securing the communication.
1156 *
1157 * Given an opaque implementation of the record layer in the
1158 * above sense, it should be possible to implement the logic
1159 * of (D)TLS on top of it without the need to know anything
1160 * about the record layer's internals. This is done e.g.
1161 * in all the handshake handling functions, and in the
1162 * application data reading function mbedtls_ssl_read.
1163 *
1164 * \note The above tries to give a conceptual picture of the
1165 * record layer, but the current implementation deviates
1166 * from it in some places. For example, our implementation of
1167 * the update functionality through mbedtls_ssl_read_record
1168 * discards datagrams depending on the current state, which
1169 * wouldn't fall under the record layer's responsibility
1170 * following the above definition.
1171 *
1172 */
1173 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
1174 unsigned update_hs_digest );
1175 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
1176
1177 int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
1178 int update_checksum );
mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context * ssl)1179 static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
1180 {
1181 return( mbedtls_ssl_write_handshake_msg_ext( ssl, 1 /* update checksum */ ) );
1182 }
1183
1184 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
1185 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
1186
1187 int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl );
1188
1189 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
1190 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
1191
1192 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
1193 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
1194
1195 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
1196 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
1197
1198 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
1199 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
1200
1201 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1202 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
1203
1204 /**
1205 * Get the first defined PSK by order of precedence:
1206 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1207 * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1208 * Return a code and update the pair (PSK, PSK length) passed to this function
1209 */
mbedtls_ssl_get_psk(const mbedtls_ssl_context * ssl,const unsigned char ** psk,size_t * psk_len)1210 static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
1211 const unsigned char **psk, size_t *psk_len )
1212 {
1213 if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 )
1214 {
1215 *psk = ssl->handshake->psk;
1216 *psk_len = ssl->handshake->psk_len;
1217 }
1218
1219 else if( ssl->conf->psk != NULL && ssl->conf->psk_len > 0 )
1220 {
1221 *psk = ssl->conf->psk;
1222 *psk_len = ssl->conf->psk_len;
1223 }
1224
1225 else
1226 {
1227 *psk = NULL;
1228 *psk_len = 0;
1229 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
1230 }
1231
1232 return( 0 );
1233 }
1234
1235 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1236 /**
1237 * Get the first defined opaque PSK by order of precedence:
1238 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1239 * callback
1240 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1241 * Return an opaque PSK
1242 */
mbedtls_ssl_get_opaque_psk(const mbedtls_ssl_context * ssl)1243 static inline psa_key_id_t mbedtls_ssl_get_opaque_psk(
1244 const mbedtls_ssl_context *ssl )
1245 {
1246 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
1247 return( ssl->handshake->psk_opaque );
1248
1249 if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
1250 return( ssl->conf->psk_opaque );
1251
1252 return( MBEDTLS_SVC_KEY_ID_INIT );
1253 }
1254 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1255
1256 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1257
1258 #if defined(MBEDTLS_PK_C)
1259 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
1260 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
1261 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
1262 #endif
1263
1264 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
1265 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
1266 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
1267
1268 #if defined(MBEDTLS_ECP_C)
1269 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
1270 #endif
1271
1272 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1273 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
1274 mbedtls_md_type_t md );
1275 #endif
1276
1277 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_check_srtp_profile_value(const uint16_t srtp_profile_value)1278 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1279 ( const uint16_t srtp_profile_value )
1280 {
1281 switch( srtp_profile_value )
1282 {
1283 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
1284 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
1285 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
1286 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
1287 return srtp_profile_value;
1288 default: break;
1289 }
1290 return( MBEDTLS_TLS_SRTP_UNSET );
1291 }
1292 #endif
1293
1294 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)1295 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
1296 {
1297 mbedtls_ssl_key_cert *key_cert;
1298
1299 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1300 key_cert = ssl->handshake->key_cert;
1301 else
1302 key_cert = ssl->conf->key_cert;
1303
1304 return( key_cert == NULL ? NULL : key_cert->key );
1305 }
1306
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)1307 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
1308 {
1309 mbedtls_ssl_key_cert *key_cert;
1310
1311 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1312 key_cert = ssl->handshake->key_cert;
1313 else
1314 key_cert = ssl->conf->key_cert;
1315
1316 return( key_cert == NULL ? NULL : key_cert->cert );
1317 }
1318
1319 /*
1320 * Check usage of a certificate wrt extensions:
1321 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1322 *
1323 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1324 * check a cert we received from them)!
1325 *
1326 * Return 0 if everything is OK, -1 if not.
1327 */
1328 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
1329 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1330 int cert_endpoint,
1331 uint32_t *flags );
1332 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1333
1334 void mbedtls_ssl_write_version( int major, int minor, int transport,
1335 unsigned char ver[2] );
1336 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
1337 const unsigned char ver[2] );
1338
mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context * ssl)1339 static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
1340 {
1341 #if !defined(MBEDTLS_SSL_PROTO_DTLS)
1342 ((void) ssl);
1343 #endif
1344
1345 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1346 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1347 {
1348 return( 13 );
1349 }
1350 else
1351 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1352 {
1353 return( 5 );
1354 }
1355 }
1356
mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context * ssl)1357 static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
1358 {
1359 return( (size_t) ( ssl->out_iv - ssl->out_hdr ) );
1360 }
1361
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)1362 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
1363 {
1364 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1365 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1366 return( 12 );
1367 #else
1368 ((void) ssl);
1369 #endif
1370 return( 4 );
1371 }
1372
1373 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1374 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
1375 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
1376 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
1377 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
1378 #endif
1379
1380 /* Visible for testing purposes only */
1381 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1382 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
1383 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
1384 #endif
1385
1386 int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
1387 const mbedtls_ssl_session *src );
1388
1389 /* constant-time buffer comparison */
mbedtls_ssl_safer_memcmp(const void * a,const void * b,size_t n)1390 static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
1391 {
1392 size_t i;
1393 volatile const unsigned char *A = (volatile const unsigned char *) a;
1394 volatile const unsigned char *B = (volatile const unsigned char *) b;
1395 volatile unsigned char diff = 0;
1396
1397 for( i = 0; i < n; i++ )
1398 {
1399 /* Read volatile data in order before computing diff.
1400 * This avoids IAR compiler warning:
1401 * 'the order of volatile accesses is undefined ..' */
1402 unsigned char x = A[i], y = B[i];
1403 diff |= x ^ y;
1404 }
1405
1406 return( diff );
1407 }
1408
1409 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1410 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
1411 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
1412 unsigned char *hash, size_t *hashlen,
1413 unsigned char *data, size_t data_len,
1414 mbedtls_md_type_t md_alg );
1415 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1416
1417 #ifdef __cplusplus
1418 }
1419 #endif
1420
1421 void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
1422 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
1423 mbedtls_ssl_transform *transform,
1424 mbedtls_record *rec,
1425 int (*f_rng)(void *, unsigned char *, size_t),
1426 void *p_rng );
1427 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
1428 mbedtls_ssl_transform *transform,
1429 mbedtls_record *rec );
1430
1431 /* Length of the "epoch" field in the record header */
mbedtls_ssl_ep_len(const mbedtls_ssl_context * ssl)1432 static inline size_t mbedtls_ssl_ep_len( const mbedtls_ssl_context *ssl )
1433 {
1434 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1435 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1436 return( 2 );
1437 #else
1438 ((void) ssl);
1439 #endif
1440 return( 0 );
1441 }
1442
1443 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1444 int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl );
1445 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1446
1447 void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs );
1448 int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl );
1449
1450 void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
1451 void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
1452 mbedtls_ssl_transform *transform );
1453 void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
1454
1455 int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
1456
1457 /*
1458 * Send pending alert
1459 */
1460 int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl );
1461
1462 /*
1463 * Set pending fatal alert flag.
1464 */
1465 void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl,
1466 unsigned char alert_type,
1467 int alert_reason );
1468
1469 /* Alias of mbedtls_ssl_pend_fatal_alert */
1470 #define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) \
1471 mbedtls_ssl_pend_fatal_alert( ssl, type, user_return_value )
1472
1473 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1474 void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
1475 #endif
1476
1477 void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
1478
1479 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1480 int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl );
1481 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1482
1483 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1484 size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
1485 void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl );
1486 void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight );
1487 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1488
1489 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
1490
1491 /*
1492 * Helper functions around key exchange modes.
1493 */
mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context * ssl,int kex_mode_mask)1494 static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
1495 int kex_mode_mask )
1496 {
1497 return( ( ssl->conf->tls13_kex_modes & kex_mode_mask ) != 0 );
1498 }
1499
mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context * ssl)1500 static inline int mbedtls_ssl_conf_tls13_psk_enabled( mbedtls_ssl_context *ssl )
1501 {
1502 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1503 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ) );
1504 }
1505
mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1506 static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( mbedtls_ssl_context *ssl )
1507 {
1508 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1509 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
1510 }
1511
mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context * ssl)1512 static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
1513 {
1514 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1515 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) );
1516 }
1517
mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1518 static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
1519 {
1520 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1521 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
1522 }
1523
mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context * ssl)1524 static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
1525 {
1526 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1527 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) );
1528 }
1529
1530 /**
1531 * Given a list of key exchange modes, check if at least one of them is
1532 * supported.
1533 *
1534 * \param[in] ssl SSL context
1535 * \param kex_modes_mask Mask of the key exchange modes to check
1536 *
1537 * \return 0 if at least one of the key exchange modes is supported,
1538 * !=0 otherwise.
1539 */
mbedtls_ssl_tls1_3_check_kex_modes(mbedtls_ssl_context * ssl,int kex_modes_mask)1540 static inline unsigned mbedtls_ssl_tls1_3_check_kex_modes( mbedtls_ssl_context *ssl,
1541 int kex_modes_mask )
1542 {
1543 return( ( ssl->handshake->tls1_3_kex_modes & kex_modes_mask ) == 0 );
1544 }
1545
mbedtls_ssl_tls1_3_psk_enabled(mbedtls_ssl_context * ssl)1546 static inline int mbedtls_ssl_tls1_3_psk_enabled( mbedtls_ssl_context *ssl )
1547 {
1548 return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
1549 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ) );
1550 }
1551
mbedtls_ssl_tls1_3_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1552 static inline int mbedtls_ssl_tls1_3_psk_ephemeral_enabled(
1553 mbedtls_ssl_context *ssl )
1554 {
1555 return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
1556 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
1557 }
1558
mbedtls_ssl_tls1_3_ephemeral_enabled(mbedtls_ssl_context * ssl)1559 static inline int mbedtls_ssl_tls1_3_ephemeral_enabled( mbedtls_ssl_context *ssl )
1560 {
1561 return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
1562 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) );
1563 }
1564
mbedtls_ssl_tls1_3_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1565 static inline int mbedtls_ssl_tls1_3_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
1566 {
1567 return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
1568 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
1569 }
1570
mbedtls_ssl_tls1_3_some_psk_enabled(mbedtls_ssl_context * ssl)1571 static inline int mbedtls_ssl_tls1_3_some_psk_enabled( mbedtls_ssl_context *ssl )
1572 {
1573 return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
1574 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) );
1575 }
1576
1577 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1578
1579 /**
1580 * ssl utils functions for checking configuration.
1581 */
1582
1583 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config * conf)1584 static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf )
1585 {
1586 if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1587 conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1588 conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 &&
1589 conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
1590 {
1591 return( 1 );
1592 }
1593 return( 0 );
1594 }
1595 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1596
1597 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config * conf)1598 static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf )
1599 {
1600 if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1601 conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1602 conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
1603 conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
1604 {
1605 return( 1 );
1606 }
1607 return( 0 );
1608 }
1609 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1610
1611 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config * conf)1612 static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf )
1613 {
1614 if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1615 conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1616 conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
1617 conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
1618 {
1619 return( 1 );
1620 }
1621 return( 0 );
1622 }
1623 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL*/
1624
1625 #if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
1626
1627 /*
1628 * Helper functions for NamedGroup.
1629 */
mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)1630 static inline int mbedtls_ssl_tls13_named_group_is_ecdhe( uint16_t named_group )
1631 {
1632 return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
1633 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
1634 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
1635 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
1636 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 );
1637 }
1638
mbedtls_ssl_tls13_named_group_is_dhe(uint16_t named_group)1639 static inline int mbedtls_ssl_tls13_named_group_is_dhe( uint16_t named_group )
1640 {
1641 return( named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
1642 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 );
1643 }
1644
mbedtls_ssl_handshake_set_state(mbedtls_ssl_context * ssl,mbedtls_ssl_states state)1645 static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl,
1646 mbedtls_ssl_states state )
1647 {
1648 ssl->state = ( int ) state;
1649 }
1650
1651 /*
1652 * Fetch TLS 1.3 handshake message header
1653 */
1654 int mbedtls_ssl_tls1_3_fetch_handshake_msg( mbedtls_ssl_context *ssl,
1655 unsigned hs_type,
1656 unsigned char **buf,
1657 size_t *buf_len );
1658
1659 /*
1660 * Write TLS 1.3 handshake message header
1661 */
1662 int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
1663 unsigned hs_type,
1664 unsigned char **buf,
1665 size_t *buflen );
1666
1667 /*
1668 * Handler of TLS 1.3 server certificate message
1669 */
1670 int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
1671
1672 /*
1673 * Generic handler of Certificate Verify
1674 */
1675 int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl );
1676
1677 /*
1678 * Write TLS 1.3 handshake message tail
1679 */
1680 int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
1681 size_t buf_len,
1682 size_t msg_len );
1683
1684 void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
1685 unsigned hs_type,
1686 size_t total_hs_len );
1687
1688 /*
1689 * Update checksum of handshake messages.
1690 */
1691 void mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
1692 unsigned hs_type,
1693 unsigned char const *msg,
1694 size_t msg_len );
1695
1696 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1697 /*
1698 * Write TLS 1.3 Signature Algorithm extension
1699 */
1700 int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl,
1701 unsigned char *buf,
1702 unsigned char *end,
1703 size_t *olen);
1704
1705 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1706
1707 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
1708
1709 /* Get handshake transcript */
1710 int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
1711 const mbedtls_md_type_t md,
1712 unsigned char *dst,
1713 size_t dst_len,
1714 size_t *olen );
1715
1716 /*
1717 * Return supported groups.
1718 *
1719 * In future, invocations can be changed to ssl->conf->group_list
1720 * when mbedtls_ssl_conf_curves() is deleted.
1721 *
1722 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
1723 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
1724 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
1725 *
1726 */
mbedtls_ssl_get_groups(const mbedtls_ssl_context * ssl)1727 static inline const void *mbedtls_ssl_get_groups( const mbedtls_ssl_context *ssl )
1728 {
1729 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
1730 return( ssl->conf->group_list );
1731 #else
1732 if( ( ssl->handshake != NULL ) && ( ssl->handshake->group_list != NULL ) )
1733 return( ssl->handshake->group_list );
1734 else
1735 return( ssl->conf->group_list );
1736 #endif
1737 }
1738
1739 #endif /* ssl_misc.h */
1740