1 /**
2 * \file ssl_internal.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6 /*
7 * Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
8 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
21 *
22 * This file is part of mbed TLS (https://tls.mbed.org)
23 */
24 #ifndef MBEDTLS_SSL_INTERNAL_H
25 #define MBEDTLS_SSL_INTERNAL_H
26
27 #if !defined(MBEDTLS_CONFIG_FILE)
28 #include "config.h"
29 #else
30 #include MBEDTLS_CONFIG_FILE
31 #endif
32
33 #include "ssl.h"
34 #include "cipher.h"
35
36 #if defined(MBEDTLS_MD5_C)
37 #include "md5.h"
38 #endif
39
40 #if defined(MBEDTLS_SHA1_C)
41 #include "sha1.h"
42 #endif
43
44 #if defined(MBEDTLS_SHA256_C)
45 #include "sha256.h"
46 #endif
47
48 #if defined(MBEDTLS_SHA512_C)
49 #include "sha512.h"
50 #endif
51
52 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
53 #include "ecjpake.h"
54 #endif
55
56 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
57 !defined(inline) && !defined(__cplusplus)
58 #define inline __inline
59 #endif
60
61 /* Determine minimum supported version */
62 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
63
64 #if defined(MBEDTLS_SSL_PROTO_SSL3)
65 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
66 #else
67 #if defined(MBEDTLS_SSL_PROTO_TLS1)
68 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
69 #else
70 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
71 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
72 #else
73 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
74 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
75 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
76 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
77 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
78 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
79
80 #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
81 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
82
83 /* Determine maximum supported version */
84 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
85
86 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
87 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
88 #else
89 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
90 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
91 #else
92 #if defined(MBEDTLS_SSL_PROTO_TLS1)
93 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
94 #else
95 #if defined(MBEDTLS_SSL_PROTO_SSL3)
96 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
97 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
98 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
99 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
100 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
101
102 /* Shorthand for restartable ECC */
103 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
104 defined(MBEDTLS_SSL_CLI_C) && \
105 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
106 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
107 #define MBEDTLS_SSL__ECP_RESTARTABLE
108 #endif
109
110 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
111 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
112 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
113 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
114
115 /*
116 * DTLS retransmission states, see RFC 6347 4.2.4
117 *
118 * The SENDING state is merged in PREPARING for initial sends,
119 * but is distinct for resends.
120 *
121 * Note: initial state is wrong for server, but is not used anyway.
122 */
123 #define MBEDTLS_SSL_RETRANS_PREPARING 0
124 #define MBEDTLS_SSL_RETRANS_SENDING 1
125 #define MBEDTLS_SSL_RETRANS_WAITING 2
126 #define MBEDTLS_SSL_RETRANS_FINISHED 3
127
128 /*
129 * Allow extra bytes for record, authentication and encryption overhead:
130 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
131 * and allow for a maximum of 1024 of compression expansion if
132 * enabled.
133 */
134 #if defined(MBEDTLS_ZLIB_SUPPORT)
135 #define MBEDTLS_SSL_COMPRESSION_ADD 1024
136 #else
137 #define MBEDTLS_SSL_COMPRESSION_ADD 0
138 #endif
139
140 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
141 /* Ciphersuites using HMAC */
142 #if defined(MBEDTLS_SHA512_C)
143 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
144 #elif defined(MBEDTLS_SHA256_C)
145 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
146 #else
147 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
148 #endif
149 #else
150 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
151 #define MBEDTLS_SSL_MAC_ADD 16
152 #endif
153
154 #if defined(MBEDTLS_CIPHER_MODE_CBC)
155 #define MBEDTLS_SSL_PADDING_ADD 256
156 #else
157 #define MBEDTLS_SSL_PADDING_ADD 0
158 #endif
159
160 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \
161 MBEDTLS_MAX_IV_LENGTH + \
162 MBEDTLS_SSL_MAC_ADD + \
163 MBEDTLS_SSL_PADDING_ADD \
164 )
165
166 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
167 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
168
169 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
170 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
171
172 /* The maximum number of buffered handshake messages. */
173 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
174
175 /* Maximum length we can advertise as our max content length for
176 RFC 6066 max_fragment_length extension negotiation purposes
177 (the lesser of both sizes, if they are unequal.)
178 */
179 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN MBEDTLS_SSL_IN_CONTENT_LEN
180
181 /*
182 * Check that we obey the standard's message size bounds
183 */
184
185 #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
186 #error "Bad configuration - record content too large."
187 #endif
188
189 #if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
190 #error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
191 #endif
192
193 #if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
194 #error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
195 #endif
196
197 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
198 #error "Bad configuration - incoming protected record payload too large."
199 #endif
200
201 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
202 #error "Bad configuration - outgoing protected record payload too large."
203 #endif
204
205 /* Calculate buffer sizes */
206
207 /* Note: Even though the TLS record header is only 5 bytes
208 long, we're internally using 8 bytes to store the
209 implicit sequence number. */
210 #define MBEDTLS_SSL_HEADER_LEN 13
211
212 #define MBEDTLS_SSL_IN_BUFFER_LEN \
213 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
214
215 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
216 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
217
218 #ifdef MBEDTLS_ZLIB_SUPPORT
219 /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
220 #define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
221 ( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \
222 ? MBEDTLS_SSL_IN_BUFFER_LEN \
223 : MBEDTLS_SSL_OUT_BUFFER_LEN \
224 )
225 #endif
226
227 /*
228 * TLS extension flags (for extensions with outgoing ServerHello content
229 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
230 * of state of the renegotiation flag, so no indicator is required)
231 */
232 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
233 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
234
235 #ifdef __cplusplus
236 extern "C" {
237 #endif
238
239 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
240 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
241 /*
242 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
243 */
244 struct mbedtls_ssl_sig_hash_set_t
245 {
246 /* At the moment, we only need to remember a single suitable
247 * hash algorithm per signature algorithm. As long as that's
248 * the case - and we don't need a general lookup function -
249 * we can implement the sig-hash-set as a map from signatures
250 * to hash algorithms. */
251 mbedtls_md_type_t rsa;
252 mbedtls_md_type_t ecdsa;
253 };
254 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
255 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
256
257 /*
258 * This structure contains the parameters only needed during handshake.
259 */
260 struct mbedtls_ssl_handshake_params
261 {
262 /*
263 * Handshake specific crypto variables
264 */
265
266 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
267 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
268 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
269 #endif
270 #if defined(MBEDTLS_DHM_C)
271 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
272 #endif
273 #if defined(MBEDTLS_ECDH_C)
274 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
275 #endif
276 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
277 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
278 #if defined(MBEDTLS_SSL_CLI_C)
279 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
280 size_t ecjpake_cache_len; /*!< Length of cached data */
281 #endif
282 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
283 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
284 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
285 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
286 #endif
287 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
288 unsigned char *psk; /*!< PSK from the callback */
289 size_t psk_len; /*!< Length of PSK from callback */
290 #endif
291 #if defined(MBEDTLS_X509_CRT_PARSE_C)
292 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
293 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
294 int sni_authmode; /*!< authmode from SNI callback */
295 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
296 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
297 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
298 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
299 #endif /* MBEDTLS_X509_CRT_PARSE_C */
300 #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
301 int ecrs_enabled; /*!< Handshake supports EC restart? */
302 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
303 enum { /* this complements ssl->state with info on intra-state operations */
304 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
305 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
306 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
307 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
308 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
309 } ecrs_state; /*!< current (or last) operation */
310 size_t ecrs_n; /*!< place for saving a length */
311 #endif
312 #if defined(MBEDTLS_SSL_PROTO_DTLS)
313 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
314 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
315
316 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
317 Srv: unused */
318 unsigned char verify_cookie_len; /*!< Cli: cookie length
319 Srv: flag for sending a cookie */
320
321 uint32_t retransmit_timeout; /*!< Current value of timeout */
322 unsigned char retransmit_state; /*!< Retransmission state */
323 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
324 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
325 unsigned char *cur_msg_p; /*!< Position in current message */
326 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
327 flight being received */
328 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
329 resending messages */
330 unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
331 for resending messages */
332
333 struct
334 {
335 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
336 * buffers used for message buffering. */
337
338 uint8_t seen_ccs; /*!< Indicates if a CCS message has
339 * been seen in the current flight. */
340
341 struct mbedtls_ssl_hs_buffer
342 {
343 unsigned is_valid : 1;
344 unsigned is_fragmented : 1;
345 unsigned is_complete : 1;
346 unsigned char *data;
347 size_t data_len;
348 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
349
350 struct
351 {
352 unsigned char *data;
353 size_t len;
354 unsigned epoch;
355 } future_record;
356
357 } buffering;
358
359 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
360 #endif /* MBEDTLS_SSL_PROTO_DTLS */
361
362 /*
363 * Checksum contexts
364 */
365 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
366 defined(MBEDTLS_SSL_PROTO_TLS1_1)
367 mbedtls_md5_context fin_md5;
368 mbedtls_sha1_context fin_sha1;
369 #endif
370 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
371 #if defined(MBEDTLS_SHA256_C)
372 mbedtls_sha256_context fin_sha256;
373 #endif
374 #if defined(MBEDTLS_SHA512_C)
375 mbedtls_sha512_context fin_sha512;
376 #endif
377 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
378
379 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
380 void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
381 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
382 int (*tls_prf)(const unsigned char *, size_t, const char *,
383 const unsigned char *, size_t,
384 unsigned char *, size_t);
385
386 size_t pmslen; /*!< premaster length */
387
388 unsigned char randbytes[64]; /*!< random bytes */
389 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
390 /*!< premaster secret */
391
392 int resume; /*!< session resume indicator*/
393 int max_major_ver; /*!< max. major version client*/
394 int max_minor_ver; /*!< max. minor version client*/
395 int cli_exts; /*!< client extension presence*/
396
397 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
398 int new_session_ticket; /*!< use NewSessionTicket? */
399 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
400 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
401 int extended_ms; /*!< use Extended Master Secret? */
402 #endif
403
404 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
405 unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
406 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
407
408 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
409 /** Asynchronous operation context. This field is meant for use by the
410 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
411 * mbedtls_ssl_config::f_async_decrypt_start,
412 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
413 * The library does not use it internally. */
414 void *user_async_ctx;
415 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
416 };
417
418 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
419
420 /*
421 * This structure contains a full set of runtime transform parameters
422 * either in negotiation or active.
423 */
424 struct mbedtls_ssl_transform
425 {
426 /*
427 * Session specific crypto layer
428 */
429 const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
430 /*!< Chosen cipersuite_info */
431 unsigned int keylen; /*!< symmetric key length (bytes) */
432 size_t minlen; /*!< min. ciphertext length */
433 size_t ivlen; /*!< IV length */
434 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
435 size_t maclen; /*!< MAC length */
436
437 unsigned char iv_enc[16]; /*!< IV (encryption) */
438 unsigned char iv_dec[16]; /*!< IV (decryption) */
439
440 #if defined(MBEDTLS_SSL_PROTO_SSL3)
441 /* Needed only for SSL v3.0 secret */
442 unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
443 unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
444 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
445
446 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
447 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
448
449 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
450 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
451
452 /*
453 * Session specific compression layer
454 */
455 #if defined(MBEDTLS_ZLIB_SUPPORT)
456 z_stream ctx_deflate; /*!< compression context */
457 z_stream ctx_inflate; /*!< decompression context */
458 #endif
459 };
460
461 #if defined(MBEDTLS_X509_CRT_PARSE_C)
462 /*
463 * List of certificate + private key pairs
464 */
465 struct mbedtls_ssl_key_cert
466 {
467 mbedtls_x509_crt *cert; /*!< cert */
468 mbedtls_pk_context *key; /*!< private key */
469 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
470 };
471 #endif /* MBEDTLS_X509_CRT_PARSE_C */
472
473 #if defined(MBEDTLS_SSL_PROTO_DTLS)
474 /*
475 * List of handshake messages kept around for resending
476 */
477 struct mbedtls_ssl_flight_item
478 {
479 unsigned char *p; /*!< message, including handshake headers */
480 size_t len; /*!< length of p */
481 unsigned char type; /*!< type of the message: handshake or CCS */
482 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
483 };
484 #endif /* MBEDTLS_SSL_PROTO_DTLS */
485
486 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
487 defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
488
489 /* Find an entry in a signature-hash set matching a given hash algorithm. */
490 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
491 mbedtls_pk_type_t sig_alg );
492 /* Add a signature-hash-pair to a signature-hash set */
493 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
494 mbedtls_pk_type_t sig_alg,
495 mbedtls_md_type_t md_alg );
496 /* Allow exactly one hash algorithm for each signature. */
497 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
498 mbedtls_md_type_t md_alg );
499
500 /* Setup an empty signature-hash set */
mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t * set)501 static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
502 {
503 mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
504 }
505
506 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
507 MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
508
509 /**
510 * \brief Free referenced items in an SSL transform context and clear
511 * memory
512 *
513 * \param transform SSL transform context
514 */
515 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
516
517 /**
518 * \brief Free referenced items in an SSL handshake context and clear
519 * memory
520 *
521 * \param ssl SSL context
522 */
523 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
524
525 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
526 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
527 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
528
529 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
530
531 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
532 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
533
534 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
535 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
536 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
537
538 /**
539 * \brief Update record layer
540 *
541 * This function roughly separates the implementation
542 * of the logic of (D)TLS from the implementation
543 * of the secure transport.
544 *
545 * \param ssl The SSL context to use.
546 * \param update_hs_digest This indicates if the handshake digest
547 * should be automatically updated in case
548 * a handshake message is found.
549 *
550 * \return 0 or non-zero error code.
551 *
552 * \note A clarification on what is called 'record layer' here
553 * is in order, as many sensible definitions are possible:
554 *
555 * The record layer takes as input an untrusted underlying
556 * transport (stream or datagram) and transforms it into
557 * a serially multiplexed, secure transport, which
558 * conceptually provides the following:
559 *
560 * (1) Three datagram based, content-agnostic transports
561 * for handshake, alert and CCS messages.
562 * (2) One stream- or datagram-based transport
563 * for application data.
564 * (3) Functionality for changing the underlying transform
565 * securing the contents.
566 *
567 * The interface to this functionality is given as follows:
568 *
569 * a Updating
570 * [Currently implemented by mbedtls_ssl_read_record]
571 *
572 * Check if and on which of the four 'ports' data is pending:
573 * Nothing, a controlling datagram of type (1), or application
574 * data (2). In any case data is present, internal buffers
575 * provide access to the data for the user to process it.
576 * Consumption of type (1) datagrams is done automatically
577 * on the next update, invalidating that the internal buffers
578 * for previous datagrams, while consumption of application
579 * data (2) is user-controlled.
580 *
581 * b Reading of application data
582 * [Currently manual adaption of ssl->in_offt pointer]
583 *
584 * As mentioned in the last paragraph, consumption of data
585 * is different from the automatic consumption of control
586 * datagrams (1) because application data is treated as a stream.
587 *
588 * c Tracking availability of application data
589 * [Currently manually through decreasing ssl->in_msglen]
590 *
591 * For efficiency and to retain datagram semantics for
592 * application data in case of DTLS, the record layer
593 * provides functionality for checking how much application
594 * data is still available in the internal buffer.
595 *
596 * d Changing the transformation securing the communication.
597 *
598 * Given an opaque implementation of the record layer in the
599 * above sense, it should be possible to implement the logic
600 * of (D)TLS on top of it without the need to know anything
601 * about the record layer's internals. This is done e.g.
602 * in all the handshake handling functions, and in the
603 * application data reading function mbedtls_ssl_read.
604 *
605 * \note The above tries to give a conceptual picture of the
606 * record layer, but the current implementation deviates
607 * from it in some places. For example, our implementation of
608 * the update functionality through mbedtls_ssl_read_record
609 * discards datagrams depending on the current state, which
610 * wouldn't fall under the record layer's responsibility
611 * following the above definition.
612 *
613 */
614 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
615 unsigned update_hs_digest );
616 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
617
618 int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
619 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
620 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
621
622 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
623 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
624
625 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
626 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
627
628 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
629 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
630
631 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
632 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
633
634 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
635 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
636 #endif
637
638 #if defined(MBEDTLS_PK_C)
639 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
640 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
641 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
642 #endif
643
644 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
645 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
646 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
647
648 #if defined(MBEDTLS_ECP_C)
649 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
650 #endif
651
652 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
653 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
654 mbedtls_md_type_t md );
655 #endif
656
657 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)658 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
659 {
660 mbedtls_ssl_key_cert *key_cert;
661
662 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
663 key_cert = ssl->handshake->key_cert;
664 else
665 key_cert = ssl->conf->key_cert;
666
667 return( key_cert == NULL ? NULL : key_cert->key );
668 }
669
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)670 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
671 {
672 mbedtls_ssl_key_cert *key_cert;
673
674 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
675 key_cert = ssl->handshake->key_cert;
676 else
677 key_cert = ssl->conf->key_cert;
678
679 return( key_cert == NULL ? NULL : key_cert->cert );
680 }
681
682 /*
683 * Check usage of a certificate wrt extensions:
684 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
685 *
686 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
687 * check a cert we received from them)!
688 *
689 * Return 0 if everything is OK, -1 if not.
690 */
691 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
692 const mbedtls_ssl_ciphersuite_t *ciphersuite,
693 int cert_endpoint,
694 uint32_t *flags );
695 #endif /* MBEDTLS_X509_CRT_PARSE_C */
696
697 void mbedtls_ssl_write_version( int major, int minor, int transport,
698 unsigned char ver[2] );
699 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
700 const unsigned char ver[2] );
701
mbedtls_ssl_hdr_len(const mbedtls_ssl_context * ssl)702 static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl )
703 {
704 #if defined(MBEDTLS_SSL_PROTO_DTLS)
705 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
706 return( 13 );
707 #else
708 ((void) ssl);
709 #endif
710 return( 5 );
711 }
712
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)713 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
714 {
715 #if defined(MBEDTLS_SSL_PROTO_DTLS)
716 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
717 return( 12 );
718 #else
719 ((void) ssl);
720 #endif
721 return( 4 );
722 }
723
724 #if defined(MBEDTLS_SSL_PROTO_DTLS)
725 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
726 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
727 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
728 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
729 #endif
730
731 /* Visible for testing purposes only */
732 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
733 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
734 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
735 #endif
736
737 /* constant-time buffer comparison */
mbedtls_ssl_safer_memcmp(const void * a,const void * b,size_t n)738 static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
739 {
740 size_t i;
741 volatile const unsigned char *A = (volatile const unsigned char *) a;
742 volatile const unsigned char *B = (volatile const unsigned char *) b;
743 volatile unsigned char diff = 0;
744
745 for( i = 0; i < n; i++ )
746 {
747 /* Read volatile data in order before computing diff.
748 * This avoids IAR compiler warning:
749 * 'the order of volatile accesses is undefined ..' */
750 unsigned char x = A[i], y = B[i];
751 diff |= x ^ y;
752 }
753
754 return( diff );
755 }
756
757 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
758 defined(MBEDTLS_SSL_PROTO_TLS1_1)
759 int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
760 unsigned char *output,
761 unsigned char *data, size_t data_len );
762 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
763 MBEDTLS_SSL_PROTO_TLS1_1 */
764
765 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
766 defined(MBEDTLS_SSL_PROTO_TLS1_2)
767 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
768 unsigned char *hash, size_t *hashlen,
769 unsigned char *data, size_t data_len,
770 mbedtls_md_type_t md_alg );
771 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
772 MBEDTLS_SSL_PROTO_TLS1_2 */
773
774 #ifdef __cplusplus
775 }
776 #endif
777
778 #endif /* ssl_internal.h */
779