1 /**
2 * \file ssl_misc.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6 /*
7 * Copyright The Mbed TLS Contributors
8 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
21 */
22 #ifndef MBEDTLS_SSL_MISC_H
23 #define MBEDTLS_SSL_MISC_H
24
25 #include "mbedtls/build_info.h"
26
27 #include "mbedtls/ssl.h"
28 #include "mbedtls/cipher.h"
29
30 #if defined(MBEDTLS_USE_PSA_CRYPTO)
31 #include "psa/crypto.h"
32 #endif
33
34 #if defined(MBEDTLS_MD5_C)
35 #include "mbedtls/md5.h"
36 #endif
37
38 #if defined(MBEDTLS_SHA1_C)
39 #include "mbedtls/sha1.h"
40 #endif
41
42 #if defined(MBEDTLS_SHA256_C)
43 #include "mbedtls/sha256.h"
44 #endif
45
46 #if defined(MBEDTLS_SHA512_C)
47 #include "mbedtls/sha512.h"
48 #endif
49
50 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
51 #include "mbedtls/ecjpake.h"
52 #endif
53
54 #if defined(MBEDTLS_USE_PSA_CRYPTO)
55 #include "psa/crypto.h"
56 #include "mbedtls/psa_util.h"
57 #endif /* MBEDTLS_USE_PSA_CRYPTO */
58
59 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
60 !defined(inline) && !defined(__cplusplus)
61 #define inline __inline
62 #endif
63
64 /* Legacy minor version numbers as defined by:
65 * - RFC 2246: ProtocolVersion version = { 3, 1 }; // TLS v1.0
66 * - RFC 4346: ProtocolVersion version = { 3, 2 }; // TLS v1.1
67 *
68 * We no longer support these versions, but some code still references those
69 * constants as part of negotiating with the peer, so keep them available
70 * internally.
71 */
72 #define MBEDTLS_SSL_MINOR_VERSION_1 1
73 #define MBEDTLS_SSL_MINOR_VERSION_2 2
74
75 /* Determine minimum supported version */
76 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
77
78 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
79 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
80 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
81
82 #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
83 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
84
85 /* Determine maximum supported version */
86 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
87
88 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
89 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
90 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
91
92 /* Shorthand for restartable ECC */
93 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
94 defined(MBEDTLS_SSL_CLI_C) && \
95 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
96 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
97 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
98 #endif
99
100 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
101 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
102 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
103 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
104
105 /*
106 * Mask of TLS 1.3 handshake extensions used in extensions_present
107 * of mbedtls_ssl_handshake_params.
108 */
109 #define MBEDTLS_SSL_EXT_NONE 0
110
111 #define MBEDTLS_SSL_EXT_SERVERNAME ( 1 << 0 )
112 #define MBEDTLS_SSL_EXT_MAX_FRAGMENT_LENGTH ( 1 << 1 )
113 #define MBEDTLS_SSL_EXT_STATUS_REQUEST ( 1 << 2 )
114 #define MBEDTLS_SSL_EXT_SUPPORTED_GROUPS ( 1 << 3 )
115 #define MBEDTLS_SSL_EXT_SIG_ALG ( 1 << 4 )
116 #define MBEDTLS_SSL_EXT_USE_SRTP ( 1 << 5 )
117 #define MBEDTLS_SSL_EXT_HEARTBEAT ( 1 << 6 )
118 #define MBEDTLS_SSL_EXT_ALPN ( 1 << 7 )
119 #define MBEDTLS_SSL_EXT_SCT ( 1 << 8 )
120 #define MBEDTLS_SSL_EXT_CLI_CERT_TYPE ( 1 << 9 )
121 #define MBEDTLS_SSL_EXT_SERV_CERT_TYPE ( 1 << 10 )
122 #define MBEDTLS_SSL_EXT_PADDING ( 1 << 11 )
123 #define MBEDTLS_SSL_EXT_PRE_SHARED_KEY ( 1 << 12 )
124 #define MBEDTLS_SSL_EXT_EARLY_DATA ( 1 << 13 )
125 #define MBEDTLS_SSL_EXT_SUPPORTED_VERSIONS ( 1 << 14 )
126 #define MBEDTLS_SSL_EXT_COOKIE ( 1 << 15 )
127 #define MBEDTLS_SSL_EXT_PSK_KEY_EXCHANGE_MODES ( 1 << 16 )
128 #define MBEDTLS_SSL_EXT_CERT_AUTH ( 1 << 17 )
129 #define MBEDTLS_SSL_EXT_OID_FILTERS ( 1 << 18 )
130 #define MBEDTLS_SSL_EXT_POST_HANDSHAKE_AUTH ( 1 << 19 )
131 #define MBEDTLS_SSL_EXT_SIG_ALG_CERT ( 1 << 20 )
132 #define MBEDTLS_SSL_EXT_KEY_SHARE ( 1 << 21 )
133
134 /*
135 * Helper macros for function call with return check.
136 */
137 /*
138 * Exit when return non-zero value
139 */
140 #define MBEDTLS_SSL_PROC_CHK( f ) \
141 do { \
142 ret = ( f ); \
143 if( ret != 0 ) \
144 { \
145 goto cleanup; \
146 } \
147 } while( 0 )
148 /*
149 * Exit when return negative value
150 */
151 #define MBEDTLS_SSL_PROC_CHK_NEG( f ) \
152 do { \
153 ret = ( f ); \
154 if( ret < 0 ) \
155 { \
156 goto cleanup; \
157 } \
158 } while( 0 )
159
160 /*
161 * DTLS retransmission states, see RFC 6347 4.2.4
162 *
163 * The SENDING state is merged in PREPARING for initial sends,
164 * but is distinct for resends.
165 *
166 * Note: initial state is wrong for server, but is not used anyway.
167 */
168 #define MBEDTLS_SSL_RETRANS_PREPARING 0
169 #define MBEDTLS_SSL_RETRANS_SENDING 1
170 #define MBEDTLS_SSL_RETRANS_WAITING 2
171 #define MBEDTLS_SSL_RETRANS_FINISHED 3
172
173 /*
174 * Allow extra bytes for record, authentication and encryption overhead:
175 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
176 */
177
178 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
179
180 /* This macro determines whether CBC is supported. */
181 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \
182 ( defined(MBEDTLS_AES_C) || \
183 defined(MBEDTLS_CAMELLIA_C) || \
184 defined(MBEDTLS_ARIA_C) || \
185 defined(MBEDTLS_DES_C) )
186 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
187 #endif
188
189 /* This macro determines whether a ciphersuite using a
190 * stream cipher can be used. */
191 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
192 #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
193 #endif
194
195 /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
196 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
197 defined(MBEDTLS_SSL_PROTO_TLS1_2)
198 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
199 #endif
200
201 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
202 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
203 #define MBEDTLS_SSL_SOME_SUITES_USE_MAC
204 #endif
205
206 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
207
208 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
209 /* Ciphersuites using HMAC */
210 #if defined(MBEDTLS_SHA384_C)
211 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
212 #elif defined(MBEDTLS_SHA256_C)
213 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
214 #else
215 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
216 #endif
217 #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
218 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
219 #define MBEDTLS_SSL_MAC_ADD 16
220 #endif
221
222 #if defined(MBEDTLS_CIPHER_MODE_CBC)
223 #define MBEDTLS_SSL_PADDING_ADD 256
224 #else
225 #define MBEDTLS_SSL_PADDING_ADD 0
226 #endif
227
228 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
229 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
230 #else
231 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
232 #endif
233
234 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_MAX_IV_LENGTH + \
235 MBEDTLS_SSL_MAC_ADD + \
236 MBEDTLS_SSL_PADDING_ADD + \
237 MBEDTLS_SSL_MAX_CID_EXPANSION \
238 )
239
240 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
241 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
242
243 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
244 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
245
246 /* The maximum number of buffered handshake messages. */
247 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
248
249 /* Maximum length we can advertise as our max content length for
250 RFC 6066 max_fragment_length extension negotiation purposes
251 (the lesser of both sizes, if they are unequal.)
252 */
253 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
254 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
255 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
256 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
257 )
258
259 /* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
260 #define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN 65534
261
262 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
263 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
264
265 /*
266 * Check that we obey the standard's message size bounds
267 */
268
269 #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
270 #error "Bad configuration - incoming record content too large."
271 #endif
272
273 #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
274 #error "Bad configuration - outgoing record content too large."
275 #endif
276
277 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
278 #error "Bad configuration - incoming protected record payload too large."
279 #endif
280
281 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
282 #error "Bad configuration - outgoing protected record payload too large."
283 #endif
284
285 /* Calculate buffer sizes */
286
287 /* Note: Even though the TLS record header is only 5 bytes
288 long, we're internally using 8 bytes to store the
289 implicit sequence number. */
290 #define MBEDTLS_SSL_HEADER_LEN 13
291
292 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
293 #define MBEDTLS_SSL_IN_BUFFER_LEN \
294 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
295 #else
296 #define MBEDTLS_SSL_IN_BUFFER_LEN \
297 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
298 + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
299 #endif
300
301 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
302 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
303 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
304 #else
305 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
306 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) \
307 + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
308 #endif
309
310 #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
311 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
312
313 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
314 /**
315 * \brief Return the maximum fragment length (payload, in bytes) for
316 * the output buffer. For the client, this is the configured
317 * value. For the server, it is the minimum of two - the
318 * configured value and the negotiated one.
319 *
320 * \sa mbedtls_ssl_conf_max_frag_len()
321 * \sa mbedtls_ssl_get_max_out_record_payload()
322 *
323 * \param ssl SSL context
324 *
325 * \return Current maximum fragment length for the output buffer.
326 */
327 size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl );
328
329 /**
330 * \brief Return the maximum fragment length (payload, in bytes) for
331 * the input buffer. This is the negotiated maximum fragment
332 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
333 * If it is not defined either, the value is 2^14. This function
334 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
335 *
336 * \sa mbedtls_ssl_conf_max_frag_len()
337 * \sa mbedtls_ssl_get_max_in_record_payload()
338 *
339 * \param ssl SSL context
340 *
341 * \return Current maximum fragment length for the output buffer.
342 */
343 size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl );
344 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
345
346 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context * ctx)347 static inline size_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx )
348 {
349 #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
350 return mbedtls_ssl_get_output_max_frag_len( ctx )
351 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
352 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
353 #else
354 return mbedtls_ssl_get_output_max_frag_len( ctx )
355 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
356 #endif
357 }
358
mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context * ctx)359 static inline size_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx )
360 {
361 #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
362 return mbedtls_ssl_get_input_max_frag_len( ctx )
363 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
364 + MBEDTLS_SSL_CID_IN_LEN_MAX;
365 #else
366 return mbedtls_ssl_get_input_max_frag_len( ctx )
367 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
368 #endif
369 }
370 #endif
371
372 /*
373 * TLS extension flags (for extensions with outgoing ServerHello content
374 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
375 * of state of the renegotiation flag, so no indicator is required)
376 */
377 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
378 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
379
380 /**
381 * \brief This function checks if the remaining size in a buffer is
382 * greater or equal than a needed space.
383 *
384 * \param cur Pointer to the current position in the buffer.
385 * \param end Pointer to one past the end of the buffer.
386 * \param need Needed space in bytes.
387 *
388 * \return Zero if the needed space is available in the buffer, non-zero
389 * otherwise.
390 */
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)391 static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
392 const uint8_t *end, size_t need )
393 {
394 return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
395 }
396
397 /**
398 * \brief This macro checks if the remaining size in a buffer is
399 * greater or equal than a needed space. If it is not the case,
400 * it returns an SSL_BUFFER_TOO_SMALL error.
401 *
402 * \param cur Pointer to the current position in the buffer.
403 * \param end Pointer to one past the end of the buffer.
404 * \param need Needed space in bytes.
405 *
406 */
407 #define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need ) \
408 do { \
409 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
410 { \
411 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); \
412 } \
413 } while( 0 )
414
415 /**
416 * \brief This macro checks if the remaining length in an input buffer is
417 * greater or equal than a needed length. If it is not the case, it
418 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
419 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
420 *
421 * This is a function-like macro. It is guaranteed to evaluate each
422 * argument exactly once.
423 *
424 * \param cur Pointer to the current position in the buffer.
425 * \param end Pointer to one past the end of the buffer.
426 * \param need Needed length in bytes.
427 *
428 */
429 #define MBEDTLS_SSL_CHK_BUF_READ_PTR( cur, end, need ) \
430 do { \
431 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
432 { \
433 MBEDTLS_SSL_DEBUG_MSG( 1, \
434 ( "missing input data in %s", __func__ ) ); \
435 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
436 MBEDTLS_ERR_SSL_DECODE_ERROR ); \
437 return( MBEDTLS_ERR_SSL_DECODE_ERROR ); \
438 } \
439 } while( 0 )
440
441 #ifdef __cplusplus
442 extern "C" {
443 #endif
444
445 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
446 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
447 /*
448 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
449 */
450 struct mbedtls_ssl_sig_hash_set_t
451 {
452 /* At the moment, we only need to remember a single suitable
453 * hash algorithm per signature algorithm. As long as that's
454 * the case - and we don't need a general lookup function -
455 * we can implement the sig-hash-set as a map from signatures
456 * to hash algorithms. */
457 mbedtls_md_type_t rsa;
458 mbedtls_md_type_t ecdsa;
459 };
460 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
461 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
462
463 typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
464 const char *label,
465 const unsigned char *random, size_t rlen,
466 unsigned char *dstbuf, size_t dlen );
467
468 /* cipher.h exports the maximum IV, key and block length from
469 * all ciphers enabled in the config, regardless of whether those
470 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
471 * in the default configuration and uses 64 Byte keys, but it is
472 * not used for record protection in SSL/TLS.
473 *
474 * In order to prevent unnecessary inflation of key structures,
475 * we introduce SSL-specific variants of the max-{key,block,IV}
476 * macros here which are meant to only take those ciphers into
477 * account which can be negotiated in SSL/TLS.
478 *
479 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
480 * in cipher.h are rough overapproximations of the real maxima, here
481 * we content ourselves with replicating those overapproximations
482 * for the maximum block and IV length, and excluding XTS from the
483 * computation of the maximum key length. */
484 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
485 #define MBEDTLS_SSL_MAX_IV_LENGTH 16
486 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32
487
488 /**
489 * \brief The data structure holding the cryptographic material (key and IV)
490 * used for record protection in TLS 1.3.
491 */
492 struct mbedtls_ssl_key_set
493 {
494 /*! The key for client->server records. */
495 unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
496 /*! The key for server->client records. */
497 unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
498 /*! The IV for client->server records. */
499 unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
500 /*! The IV for server->client records. */
501 unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
502
503 size_t key_len; /*!< The length of client_write_key and
504 * server_write_key, in Bytes. */
505 size_t iv_len; /*!< The length of client_write_iv and
506 * server_write_iv, in Bytes. */
507 };
508 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
509
510 typedef struct
511 {
512 unsigned char binder_key [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
513 unsigned char client_early_traffic_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
514 unsigned char early_exporter_master_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
515 } mbedtls_ssl_tls13_early_secrets;
516
517 typedef struct
518 {
519 unsigned char client_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
520 unsigned char server_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
521 } mbedtls_ssl_tls13_handshake_secrets;
522
523 /*
524 * This structure contains the parameters only needed during handshake.
525 */
526 struct mbedtls_ssl_handshake_params
527 {
528 /* Frequently-used boolean or byte fields (placed early to take
529 * advantage of smaller code size for indirect access on Arm Thumb) */
530 uint8_t max_major_ver; /*!< max. major version client*/
531 uint8_t max_minor_ver; /*!< max. minor version client*/
532 uint8_t resume; /*!< session resume indicator*/
533 uint8_t cli_exts; /*!< client extension presence*/
534
535 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
536 uint8_t sni_authmode; /*!< authmode from SNI callback */
537 #endif
538
539 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
540 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
541 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
542
543 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
544 uint8_t extended_ms; /*!< use Extended Master Secret? */
545 #endif
546
547 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
548 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
549 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
550
551 #if defined(MBEDTLS_SSL_PROTO_DTLS)
552 unsigned char retransmit_state; /*!< Retransmission state */
553 #endif
554
555 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
556 unsigned char group_list_heap_allocated;
557 #endif
558
559 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
560 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
561 enum { /* this complements ssl->state with info on intra-state operations */
562 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
563 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
564 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
565 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
566 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
567 } ecrs_state; /*!< current (or last) operation */
568 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
569 size_t ecrs_n; /*!< place for saving a length */
570 #endif
571
572 size_t pmslen; /*!< premaster length */
573
574 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
575
576 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
577 void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
578 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
579 mbedtls_ssl_tls_prf_cb *tls_prf;
580
581 /*
582 * Handshake specific crypto variables
583 */
584 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
585 int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */
586 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
587
588 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
589 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
590 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
591 #endif
592
593 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
594 const uint16_t *group_list;
595 #endif
596
597 #if defined(MBEDTLS_DHM_C)
598 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
599 #endif
600
601 /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
602 * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap
603 * in functionality that access to ecdh_ctx structure is needed for
604 * MBEDTLS_ECDSA_C which does not seem correct.
605 */
606 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
607 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
608
609 #if defined(MBEDTLS_USE_PSA_CRYPTO)
610 psa_key_type_t ecdh_psa_type;
611 uint16_t ecdh_bits;
612 psa_key_id_t ecdh_psa_privkey;
613 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
614 size_t ecdh_psa_peerkey_len;
615 #endif /* MBEDTLS_USE_PSA_CRYPTO */
616 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
617
618 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
619 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
620 #if defined(MBEDTLS_SSL_CLI_C)
621 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
622 size_t ecjpake_cache_len; /*!< Length of cached data */
623 #endif
624 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
625
626 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
627 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
628 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
629 #endif
630
631 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
632 #if defined(MBEDTLS_USE_PSA_CRYPTO)
633 psa_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
634 #endif /* MBEDTLS_USE_PSA_CRYPTO */
635 unsigned char *psk; /*!< PSK from the callback */
636 size_t psk_len; /*!< Length of PSK from callback */
637 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
638
639 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
640 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
641 #endif
642
643 #if defined(MBEDTLS_X509_CRT_PARSE_C)
644 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
645 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
646 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
647 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
648 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
649 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
650 #endif /* MBEDTLS_X509_CRT_PARSE_C */
651
652 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
653 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
654 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
655 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
656
657 struct
658 {
659 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
660 * buffers used for message buffering. */
661
662 uint8_t seen_ccs; /*!< Indicates if a CCS message has
663 * been seen in the current flight. */
664
665 struct mbedtls_ssl_hs_buffer
666 {
667 unsigned is_valid : 1;
668 unsigned is_fragmented : 1;
669 unsigned is_complete : 1;
670 unsigned char *data;
671 size_t data_len;
672 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
673
674 struct
675 {
676 unsigned char *data;
677 size_t len;
678 unsigned epoch;
679 } future_record;
680
681 } buffering;
682
683 #if defined(MBEDTLS_SSL_PROTO_DTLS)
684 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
685 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
686
687 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
688 Srv: unused */
689 unsigned char verify_cookie_len; /*!< Cli: cookie length
690 Srv: flag for sending a cookie */
691
692 uint32_t retransmit_timeout; /*!< Current value of timeout */
693 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
694 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
695 unsigned char *cur_msg_p; /*!< Position in current message */
696 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
697 flight being received */
698 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
699 resending messages */
700 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
701 for resending messages */
702
703 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
704 /* The state of CID configuration in this handshake. */
705
706 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
707 * has been negotiated. Possible values are
708 * #MBEDTLS_SSL_CID_ENABLED and
709 * #MBEDTLS_SSL_CID_DISABLED. */
710 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
711 uint8_t peer_cid_len; /*!< The length of
712 * \c peer_cid. */
713 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
714
715 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
716 #endif /* MBEDTLS_SSL_PROTO_DTLS */
717
718 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
719 /*! TLS 1.3 transforms for 0-RTT and encrypted handshake messages.
720 * Those pointers own the transforms they reference. */
721 mbedtls_ssl_transform *transform_handshake;
722 mbedtls_ssl_transform *transform_earlydata;
723 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
724
725 /*
726 * Checksum contexts
727 */
728 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
729 #if defined(MBEDTLS_SHA256_C)
730 #if defined(MBEDTLS_USE_PSA_CRYPTO)
731 psa_hash_operation_t fin_sha256_psa;
732 #else
733 mbedtls_sha256_context fin_sha256;
734 #endif
735 #endif
736 #if defined(MBEDTLS_SHA384_C)
737 #if defined(MBEDTLS_USE_PSA_CRYPTO)
738 psa_hash_operation_t fin_sha384_psa;
739 #else
740 mbedtls_sha512_context fin_sha512;
741 #endif
742 #endif
743 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
744
745 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
746 uint16_t offered_group_id; /* The NamedGroup value for the group
747 * that is being used for ephemeral
748 * key exchange.
749 *
750 * On the client: Defaults to the first
751 * entry in the client's group list,
752 * but can be overwritten by the HRR. */
753 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
754
755 /*
756 * State-local variables used during the processing
757 * of a specific handshake state.
758 */
759 union
760 {
761 /* Outgoing Finished message */
762 struct
763 {
764 uint8_t preparation_done;
765
766 /* Buffer holding digest of the handshake up to
767 * but excluding the outgoing finished message. */
768 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
769 size_t digest_len;
770 } finished_out;
771
772 /* Incoming Finished message */
773 struct
774 {
775 uint8_t preparation_done;
776
777 /* Buffer holding digest of the handshake up to but
778 * excluding the peer's incoming finished message. */
779 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
780 size_t digest_len;
781 } finished_in;
782
783 } state_local;
784
785 /* End of state-local variables. */
786
787 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
788 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
789 /*!< random bytes */
790 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
791 /*!< premaster secret */
792
793 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
794 int extensions_present; /*!< extension presence; Each bitfield
795 represents an extension and defined
796 as \c MBEDTLS_SSL_EXT_XXX */
797
798 union
799 {
800 unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE];
801 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
802 unsigned char app [MBEDTLS_TLS1_3_MD_MAX_SIZE];
803 } tls13_master_secrets;
804
805 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
806 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
807
808 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
809 /** Asynchronous operation context. This field is meant for use by the
810 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
811 * mbedtls_ssl_config::f_async_decrypt_start,
812 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
813 * The library does not use it internally. */
814 void *user_async_ctx;
815 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
816 };
817
818 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
819
820 /*
821 * Representation of decryption/encryption transformations on records
822 *
823 * There are the following general types of record transformations:
824 * - Stream transformations (TLS versions == 1.2 only)
825 * Transformation adding a MAC and applying a stream-cipher
826 * to the authenticated message.
827 * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
828 * For TLS 1.2, no IV is generated at key extraction time, but every
829 * encrypted record is explicitly prefixed by the IV with which it was
830 * encrypted.
831 * - AEAD transformations ([D]TLS versions == 1.2 only)
832 * These come in two fundamentally different versions, the first one
833 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
834 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
835 * In the first transformation, the IV to be used for a record is obtained
836 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
837 * record sequence number, and explicitly prepending this sequence number
838 * to the encrypted record. In contrast, in the second transformation
839 * the IV is obtained by XOR'ing a static IV obtained at key extraction
840 * time with the 8-byte record sequence number, without prepending the
841 * latter to the encrypted record.
842 *
843 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
844 * which allows to add flexible length padding and to hide a record's true
845 * content type.
846 *
847 * In addition to type and version, the following parameters are relevant:
848 * - The symmetric cipher algorithm to be used.
849 * - The (static) encryption/decryption keys for the cipher.
850 * - For stream/CBC, the type of message digest to be used.
851 * - For stream/CBC, (static) encryption/decryption keys for the digest.
852 * - For AEAD transformations, the size (potentially 0) of an explicit,
853 * random initialization vector placed in encrypted records.
854 * - For some transformations (currently AEAD) an implicit IV. It is static
855 * and (if present) is combined with the explicit IV in a transformation-
856 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
857 * - For stream/CBC, a flag determining the order of encryption and MAC.
858 * - The details of the transformation depend on the SSL/TLS version.
859 * - The length of the authentication tag.
860 *
861 * The struct below refines this abstract view as follows:
862 * - The cipher underlying the transformation is managed in
863 * cipher contexts cipher_ctx_{enc/dec}, which must have the
864 * same cipher type. The mode of these cipher contexts determines
865 * the type of the transformation in the sense above: e.g., if
866 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
867 * then the transformation has type CBC resp. AEAD.
868 * - The cipher keys are never stored explicitly but
869 * are maintained within cipher_ctx_{enc/dec}.
870 * - For stream/CBC transformations, the message digest contexts
871 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
872 * are unused for AEAD transformations.
873 * - For stream/CBC transformations, the MAC keys are not stored explicitly
874 * but maintained within md_ctx_{enc/dec}.
875 * - The mac_enc and mac_dec fields are unused for EAD transformations.
876 * - For transformations using an implicit IV maintained within
877 * the transformation context, its contents are stored within
878 * iv_{enc/dec}.
879 * - The value of ivlen indicates the length of the IV.
880 * This is redundant in case of stream/CBC transformations
881 * which always use 0 resp. the cipher's block length as the
882 * IV length, but is needed for AEAD ciphers and may be
883 * different from the underlying cipher's block length
884 * in this case.
885 * - The field fixed_ivlen is nonzero for AEAD transformations only
886 * and indicates the length of the static part of the IV which is
887 * constant throughout the communication, and which is stored in
888 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
889 * - minor_ver denotes the SSL/TLS version
890 * - For stream/CBC transformations, maclen denotes the length of the
891 * authentication tag, while taglen is unused and 0.
892 * - For AEAD transformations, taglen denotes the length of the
893 * authentication tag, while maclen is unused and 0.
894 * - For CBC transformations, encrypt_then_mac determines the
895 * order of encryption and authentication. This field is unused
896 * in other transformations.
897 *
898 */
899 struct mbedtls_ssl_transform
900 {
901 /*
902 * Session specific crypto layer
903 */
904 size_t minlen; /*!< min. ciphertext length */
905 size_t ivlen; /*!< IV length */
906 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
907 size_t maclen; /*!< MAC(CBC) len */
908 size_t taglen; /*!< TAG(AEAD) len */
909
910 unsigned char iv_enc[16]; /*!< IV (encryption) */
911 unsigned char iv_dec[16]; /*!< IV (decryption) */
912
913 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
914
915 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
916 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
917
918 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
919 int encrypt_then_mac; /*!< flag for EtM activation */
920 #endif
921
922 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
923
924 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
925 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
926 int minor_ver;
927
928 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
929 uint8_t in_cid_len;
930 uint8_t out_cid_len;
931 unsigned char in_cid [ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
932 unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
933 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
934
935 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
936 /* We need the Hello random bytes in order to re-derive keys from the
937 * Master Secret and other session info,
938 * see ssl_tls12_populate_transform() */
939 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
940 MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
941 /*!< ServerHello.random+ClientHello.random */
942 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
943 };
944
945 /*
946 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
947 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
948 */
mbedtls_ssl_transform_uses_aead(const mbedtls_ssl_transform * transform)949 static inline int mbedtls_ssl_transform_uses_aead(
950 const mbedtls_ssl_transform *transform )
951 {
952 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
953 return( transform->maclen == 0 && transform->taglen != 0 );
954 #else
955 (void) transform;
956 return( 1 );
957 #endif
958 }
959
960 /*
961 * Internal representation of record frames
962 *
963 * Instances come in two flavors:
964 * (1) Encrypted
965 * These always have data_offset = 0
966 * (2) Unencrypted
967 * These have data_offset set to the amount of
968 * pre-expansion during record protection. Concretely,
969 * this is the length of the fixed part of the explicit IV
970 * used for encryption, or 0 if no explicit IV is used
971 * (e.g. for stream ciphers).
972 *
973 * The reason for the data_offset in the unencrypted case
974 * is to allow for in-place conversion of an unencrypted to
975 * an encrypted record. If the offset wasn't included, the
976 * encrypted content would need to be shifted afterwards to
977 * make space for the fixed IV.
978 *
979 */
980 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
981 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
982 #else
983 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
984 #endif
985
986 typedef struct
987 {
988 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
989 * In DTLS: The 2-byte epoch followed by
990 * the 6-byte sequence number.
991 * This is stored as a raw big endian byte array
992 * as opposed to a uint64_t because we rarely
993 * need to perform arithmetic on this, but do
994 * need it as a Byte array for the purpose of
995 * MAC computations. */
996 uint8_t type; /* The record content type. */
997 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
998 * Convert to internal presentation of versions
999 * using mbedtls_ssl_read_version() and
1000 * mbedtls_ssl_write_version().
1001 * Keep wire-format for MAC computations. */
1002
1003 unsigned char *buf; /* Memory buffer enclosing the record content */
1004 size_t buf_len; /* Buffer length */
1005 size_t data_offset; /* Offset of record content */
1006 size_t data_len; /* Length of record content */
1007
1008 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1009 uint8_t cid_len; /* Length of the CID (0 if not present) */
1010 unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID */
1011 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1012 } mbedtls_record;
1013
1014 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1015 /*
1016 * List of certificate + private key pairs
1017 */
1018 struct mbedtls_ssl_key_cert
1019 {
1020 mbedtls_x509_crt *cert; /*!< cert */
1021 mbedtls_pk_context *key; /*!< private key */
1022 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
1023 };
1024 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1025
1026 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1027 /*
1028 * List of handshake messages kept around for resending
1029 */
1030 struct mbedtls_ssl_flight_item
1031 {
1032 unsigned char *p; /*!< message, including handshake headers */
1033 size_t len; /*!< length of p */
1034 unsigned char type; /*!< type of the message: handshake or CCS */
1035 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
1036 };
1037 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1038
1039 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1040 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1041
1042 /* Find an entry in a signature-hash set matching a given hash algorithm. */
1043 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
1044 mbedtls_pk_type_t sig_alg );
1045 /* Add a signature-hash-pair to a signature-hash set */
1046 void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
1047 mbedtls_pk_type_t sig_alg,
1048 mbedtls_md_type_t md_alg );
1049 /* Allow exactly one hash algorithm for each signature. */
1050 void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
1051 mbedtls_md_type_t md_alg );
1052
1053 /* Setup an empty signature-hash set */
mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t * set)1054 static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
1055 {
1056 mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
1057 }
1058
1059 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
1060 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1061
1062 /**
1063 * \brief Free referenced items in an SSL transform context and clear
1064 * memory
1065 *
1066 * \param transform SSL transform context
1067 */
1068 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
1069
1070 /**
1071 * \brief Free referenced items in an SSL handshake context and clear
1072 * memory
1073 *
1074 * \param ssl SSL context
1075 */
1076 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
1077
1078 /* set inbound transform of ssl context */
1079 void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl,
1080 mbedtls_ssl_transform *transform );
1081
1082 /* set outbound transform of ssl context */
1083 void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
1084 mbedtls_ssl_transform *transform );
1085
1086 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1087 int mbedtls_ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
1088 unsigned char *buf,
1089 const unsigned char *end,
1090 size_t *olen );
1091 #endif
1092
1093 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
1094 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
1095 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
1096
1097 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
1098
1099 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
1100 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
1101
1102 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
1103 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
1104 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
1105
1106 /**
1107 * \brief Update record layer
1108 *
1109 * This function roughly separates the implementation
1110 * of the logic of (D)TLS from the implementation
1111 * of the secure transport.
1112 *
1113 * \param ssl The SSL context to use.
1114 * \param update_hs_digest This indicates if the handshake digest
1115 * should be automatically updated in case
1116 * a handshake message is found.
1117 *
1118 * \return 0 or non-zero error code.
1119 *
1120 * \note A clarification on what is called 'record layer' here
1121 * is in order, as many sensible definitions are possible:
1122 *
1123 * The record layer takes as input an untrusted underlying
1124 * transport (stream or datagram) and transforms it into
1125 * a serially multiplexed, secure transport, which
1126 * conceptually provides the following:
1127 *
1128 * (1) Three datagram based, content-agnostic transports
1129 * for handshake, alert and CCS messages.
1130 * (2) One stream- or datagram-based transport
1131 * for application data.
1132 * (3) Functionality for changing the underlying transform
1133 * securing the contents.
1134 *
1135 * The interface to this functionality is given as follows:
1136 *
1137 * a Updating
1138 * [Currently implemented by mbedtls_ssl_read_record]
1139 *
1140 * Check if and on which of the four 'ports' data is pending:
1141 * Nothing, a controlling datagram of type (1), or application
1142 * data (2). In any case data is present, internal buffers
1143 * provide access to the data for the user to process it.
1144 * Consumption of type (1) datagrams is done automatically
1145 * on the next update, invalidating that the internal buffers
1146 * for previous datagrams, while consumption of application
1147 * data (2) is user-controlled.
1148 *
1149 * b Reading of application data
1150 * [Currently manual adaption of ssl->in_offt pointer]
1151 *
1152 * As mentioned in the last paragraph, consumption of data
1153 * is different from the automatic consumption of control
1154 * datagrams (1) because application data is treated as a stream.
1155 *
1156 * c Tracking availability of application data
1157 * [Currently manually through decreasing ssl->in_msglen]
1158 *
1159 * For efficiency and to retain datagram semantics for
1160 * application data in case of DTLS, the record layer
1161 * provides functionality for checking how much application
1162 * data is still available in the internal buffer.
1163 *
1164 * d Changing the transformation securing the communication.
1165 *
1166 * Given an opaque implementation of the record layer in the
1167 * above sense, it should be possible to implement the logic
1168 * of (D)TLS on top of it without the need to know anything
1169 * about the record layer's internals. This is done e.g.
1170 * in all the handshake handling functions, and in the
1171 * application data reading function mbedtls_ssl_read.
1172 *
1173 * \note The above tries to give a conceptual picture of the
1174 * record layer, but the current implementation deviates
1175 * from it in some places. For example, our implementation of
1176 * the update functionality through mbedtls_ssl_read_record
1177 * discards datagrams depending on the current state, which
1178 * wouldn't fall under the record layer's responsibility
1179 * following the above definition.
1180 *
1181 */
1182 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
1183 unsigned update_hs_digest );
1184 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
1185
1186 int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
1187 int update_checksum );
mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context * ssl)1188 static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
1189 {
1190 return( mbedtls_ssl_write_handshake_msg_ext( ssl, 1 /* update checksum */ ) );
1191 }
1192
1193 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
1194 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
1195
1196 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
1197 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
1198
1199 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
1200 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
1201
1202 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
1203 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
1204
1205 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
1206 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
1207
1208 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1209 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
1210
1211 /**
1212 * Get the first defined PSK by order of precedence:
1213 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1214 * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1215 * Return a code and update the pair (PSK, PSK length) passed to this function
1216 */
mbedtls_ssl_get_psk(const mbedtls_ssl_context * ssl,const unsigned char ** psk,size_t * psk_len)1217 static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
1218 const unsigned char **psk, size_t *psk_len )
1219 {
1220 if( ssl->MBEDTLS_PRIVATE(handshake)->psk != NULL && ssl->MBEDTLS_PRIVATE(handshake)->psk_len > 0 )
1221 {
1222 *psk = ssl->MBEDTLS_PRIVATE(handshake)->psk;
1223 *psk_len = ssl->MBEDTLS_PRIVATE(handshake)->psk_len;
1224 }
1225
1226 else if( ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(psk) != NULL &&
1227 ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(psk_len) > 0 )
1228 {
1229 *psk = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(psk);
1230 *psk_len = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(psk_len);
1231 }
1232
1233 else
1234 {
1235 *psk = NULL;
1236 *psk_len = 0;
1237 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
1238 }
1239
1240 return( 0 );
1241 }
1242
1243 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1244 /**
1245 * Get the first defined opaque PSK by order of precedence:
1246 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1247 * callback
1248 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1249 * Return an opaque PSK
1250 */
mbedtls_ssl_get_opaque_psk(const mbedtls_ssl_context * ssl)1251 static inline psa_key_id_t mbedtls_ssl_get_opaque_psk(
1252 const mbedtls_ssl_context *ssl )
1253 {
1254 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
1255 return( ssl->handshake->psk_opaque );
1256
1257 if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
1258 return( ssl->conf->psk_opaque );
1259
1260 return( MBEDTLS_SVC_KEY_ID_INIT );
1261 }
1262 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1263
1264 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1265
1266 #if defined(MBEDTLS_PK_C)
1267 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
1268 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
1269 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
1270 #endif
1271
1272 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
1273 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
1274 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
1275
1276 #if defined(MBEDTLS_ECP_C)
1277 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
1278 #endif
1279
1280 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1281 int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
1282 mbedtls_md_type_t md );
1283 #endif
1284
1285 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_check_srtp_profile_value(const uint16_t srtp_profile_value)1286 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1287 ( const uint16_t srtp_profile_value )
1288 {
1289 switch( srtp_profile_value )
1290 {
1291 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
1292 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
1293 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
1294 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
1295 return srtp_profile_value;
1296 default: break;
1297 }
1298 return( MBEDTLS_TLS_SRTP_UNSET );
1299 }
1300 #endif
1301
1302 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)1303 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
1304 {
1305 mbedtls_ssl_key_cert *key_cert;
1306
1307 if( ssl->MBEDTLS_PRIVATE(handshake) != NULL && ssl->MBEDTLS_PRIVATE(handshake)->key_cert != NULL )
1308 key_cert = ssl->MBEDTLS_PRIVATE(handshake)->key_cert;
1309 else
1310 key_cert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
1311
1312 return( key_cert == NULL ? NULL : key_cert->key );
1313 }
1314
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)1315 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
1316 {
1317 mbedtls_ssl_key_cert *key_cert;
1318
1319 if( ssl->MBEDTLS_PRIVATE(handshake) != NULL && ssl->MBEDTLS_PRIVATE(handshake)->key_cert != NULL )
1320 key_cert = ssl->MBEDTLS_PRIVATE(handshake)->key_cert;
1321 else
1322 key_cert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
1323
1324 return( key_cert == NULL ? NULL : key_cert->cert );
1325 }
1326
1327 /*
1328 * Check usage of a certificate wrt extensions:
1329 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1330 *
1331 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1332 * check a cert we received from them)!
1333 *
1334 * Return 0 if everything is OK, -1 if not.
1335 */
1336 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
1337 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1338 int cert_endpoint,
1339 uint32_t *flags );
1340 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1341
1342 void mbedtls_ssl_write_version( int major, int minor, int transport,
1343 unsigned char ver[2] );
1344 void mbedtls_ssl_read_version( int *major, int *minor, int transport,
1345 const unsigned char ver[2] );
1346
mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context * ssl)1347 static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
1348 {
1349 #if !defined(MBEDTLS_SSL_PROTO_DTLS)
1350 ((void) ssl);
1351 #endif
1352
1353 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1354 if( ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(transport) == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1355 {
1356 return( 13 );
1357 }
1358 else
1359 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1360 {
1361 return( 5 );
1362 }
1363 }
1364
mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context * ssl)1365 static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
1366 {
1367 return( (size_t) ( ssl->MBEDTLS_PRIVATE(out_iv) - ssl->MBEDTLS_PRIVATE(out_hdr) ) );
1368 }
1369
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)1370 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
1371 {
1372 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1373 if( ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(transport) == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1374 return( 12 );
1375 #else
1376 ((void) ssl);
1377 #endif
1378 return( 4 );
1379 }
1380
1381 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1382 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
1383 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
1384 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
1385 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
1386 #endif
1387
1388 /* Visible for testing purposes only */
1389 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1390 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
1391 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
1392 #endif
1393
1394 int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
1395 const mbedtls_ssl_session *src );
1396
1397 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1398 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
1399 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
1400 unsigned char *hash, size_t *hashlen,
1401 unsigned char *data, size_t data_len,
1402 mbedtls_md_type_t md_alg );
1403 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1404
1405 #ifdef __cplusplus
1406 }
1407 #endif
1408
1409 void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
1410 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
1411 mbedtls_ssl_transform *transform,
1412 mbedtls_record *rec,
1413 int (*f_rng)(void *, unsigned char *, size_t),
1414 void *p_rng );
1415 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
1416 mbedtls_ssl_transform *transform,
1417 mbedtls_record *rec );
1418
1419 /* Length of the "epoch" field in the record header */
mbedtls_ssl_ep_len(const mbedtls_ssl_context * ssl)1420 static inline size_t mbedtls_ssl_ep_len( const mbedtls_ssl_context *ssl )
1421 {
1422 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1423 if( ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(transport) == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1424 return( 2 );
1425 #else
1426 ((void) ssl);
1427 #endif
1428 return( 0 );
1429 }
1430
1431 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1432 int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl );
1433 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1434
1435 void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs );
1436 int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl );
1437
1438 void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
1439 void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
1440 mbedtls_ssl_transform *transform );
1441 void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
1442
1443 int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
1444
1445 /*
1446 * Send pending alert
1447 */
1448 int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl );
1449
1450 /*
1451 * Set pending fatal alert flag.
1452 */
1453 void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl,
1454 unsigned char alert_type,
1455 int alert_reason );
1456
1457 /* Alias of mbedtls_ssl_pend_fatal_alert */
1458 #define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) \
1459 mbedtls_ssl_pend_fatal_alert( ssl, type, user_return_value )
1460
1461 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1462 void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
1463 #endif
1464
1465 void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
1466
1467 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1468 int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl );
1469 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1470
1471 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1472 size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
1473 void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl );
1474 void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight );
1475 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1476
1477 /**
1478 * ssl utils functions for checking configuration.
1479 */
1480
1481 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config * conf)1482 static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf )
1483 {
1484 if( conf->MBEDTLS_PRIVATE(min_major_ver) == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1485 conf->MBEDTLS_PRIVATE(max_major_ver) == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1486 conf->MBEDTLS_PRIVATE(min_minor_ver) == MBEDTLS_SSL_MINOR_VERSION_4 &&
1487 conf->MBEDTLS_PRIVATE(max_minor_ver) == MBEDTLS_SSL_MINOR_VERSION_4 )
1488 {
1489 return( 1 );
1490 }
1491 return( 0 );
1492 }
1493 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1494
1495 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config * conf)1496 static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf )
1497 {
1498 if( conf->MBEDTLS_PRIVATE(min_major_ver) == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1499 conf->MBEDTLS_PRIVATE(max_major_ver) == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1500 conf->MBEDTLS_PRIVATE(min_minor_ver) == MBEDTLS_SSL_MINOR_VERSION_3 &&
1501 conf->MBEDTLS_PRIVATE(max_minor_ver) == MBEDTLS_SSL_MINOR_VERSION_3 )
1502 {
1503 return( 1 );
1504 }
1505 return( 0 );
1506 }
1507 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1508
1509 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config * conf)1510 static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf )
1511 {
1512 if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1513 conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 &&
1514 conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
1515 conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 )
1516 {
1517 return( 1 );
1518 }
1519 return( 0 );
1520 }
1521 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
1522
1523 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1524
1525 int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl );
1526 int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl );
1527 void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl );
1528
1529 /**
1530 * \brief TLS 1.3 client side state machine entry
1531 *
1532 * \param ssl SSL context
1533 */
1534 int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl );
1535
1536 /**
1537 * \brief TLS 1.3 server side state machine entry
1538 *
1539 * \param ssl SSL context
1540 */
1541 int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl );
1542
1543
1544 /*
1545 * Helper functions around key exchange modes.
1546 */
mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context * ssl,int kex_mode_mask)1547 static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
1548 int kex_mode_mask )
1549 {
1550 return( ( ssl->conf->tls13_kex_modes & kex_mode_mask ) != 0 );
1551 }
1552
mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context * ssl)1553 static inline int mbedtls_ssl_conf_tls13_psk_enabled( mbedtls_ssl_context *ssl )
1554 {
1555 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1556 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
1557 }
1558
mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1559 static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( mbedtls_ssl_context *ssl )
1560 {
1561 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1562 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
1563 }
1564
mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context * ssl)1565 static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
1566 {
1567 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1568 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
1569 }
1570
mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1571 static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
1572 {
1573 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1574 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
1575 }
1576
mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context * ssl)1577 static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
1578 {
1579 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1580 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
1581 }
1582
1583 /**
1584 * Given a list of key exchange modes, check if at least one of them is
1585 * supported.
1586 *
1587 * \param[in] ssl SSL context
1588 * \param kex_modes_mask Mask of the key exchange modes to check
1589 *
1590 * \return 0 if at least one of the key exchange modes is supported,
1591 * !=0 otherwise.
1592 */
mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context * ssl,int kex_modes_mask)1593 static inline unsigned mbedtls_ssl_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
1594 int kex_modes_mask )
1595 {
1596 return( ( ssl->handshake->tls13_kex_modes & kex_modes_mask ) == 0 );
1597 }
1598
mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context * ssl)1599 static inline int mbedtls_ssl_tls13_psk_enabled( mbedtls_ssl_context *ssl )
1600 {
1601 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1602 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
1603 }
1604
mbedtls_ssl_tls13_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1605 static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled(
1606 mbedtls_ssl_context *ssl )
1607 {
1608 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1609 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
1610 }
1611
mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context * ssl)1612 static inline int mbedtls_ssl_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
1613 {
1614 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1615 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
1616 }
1617
mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1618 static inline int mbedtls_ssl_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
1619 {
1620 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1621 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
1622 }
1623
mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context * ssl)1624 static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
1625 {
1626 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1627 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
1628 }
1629
1630 /*
1631 * Helper functions for NamedGroup.
1632 */
mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)1633 static inline int mbedtls_ssl_tls13_named_group_is_ecdhe( uint16_t named_group )
1634 {
1635 return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
1636 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
1637 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
1638 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
1639 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 );
1640 }
1641
mbedtls_ssl_tls13_named_group_is_dhe(uint16_t named_group)1642 static inline int mbedtls_ssl_tls13_named_group_is_dhe( uint16_t named_group )
1643 {
1644 return( named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
1645 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 );
1646 }
1647
mbedtls_ssl_handshake_set_state(mbedtls_ssl_context * ssl,mbedtls_ssl_states state)1648 static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl,
1649 mbedtls_ssl_states state )
1650 {
1651 ssl->state = ( int ) state;
1652 }
1653
1654 /*
1655 * Fetch TLS 1.3 handshake message header
1656 */
1657 int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
1658 unsigned hs_type,
1659 unsigned char **buf,
1660 size_t *buf_len );
1661
1662 /*
1663 * Write TLS 1.3 handshake message header
1664 */
1665 int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
1666 unsigned hs_type,
1667 unsigned char **buf,
1668 size_t *buf_len );
1669
1670 /*
1671 * Handler of TLS 1.3 server certificate message
1672 */
1673 int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
1674
1675 /*
1676 * Generic handler of Certificate Verify
1677 */
1678 int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl );
1679
1680 /*
1681 * Write of dummy-CCS's for middlebox compatibility
1682 */
1683 int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl );
1684
1685 /*
1686 * Write TLS 1.3 handshake message tail
1687 */
1688 int mbedtls_ssl_tls13_finish_handshake_msg( mbedtls_ssl_context *ssl,
1689 size_t buf_len,
1690 size_t msg_len );
1691
1692 void mbedtls_ssl_tls13_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
1693 unsigned hs_type,
1694 size_t total_hs_len );
1695
1696 /*
1697 * Update checksum of handshake messages.
1698 */
1699 void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
1700 unsigned hs_type,
1701 unsigned char const *msg,
1702 size_t msg_len );
1703
1704 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1705 /*
1706 * Write TLS 1.3 Signature Algorithm extension
1707 */
1708 int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl,
1709 unsigned char *buf,
1710 unsigned char *end,
1711 size_t *out_len);
1712
1713 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1714
1715 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1716
1717 /* Get handshake transcript */
1718 int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
1719 const mbedtls_md_type_t md,
1720 unsigned char *dst,
1721 size_t dst_len,
1722 size_t *olen );
1723
1724 /*
1725 * Return supported groups.
1726 *
1727 * In future, invocations can be changed to ssl->conf->group_list
1728 * when mbedtls_ssl_conf_curves() is deleted.
1729 *
1730 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
1731 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
1732 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
1733 *
1734 */
mbedtls_ssl_get_groups(const mbedtls_ssl_context * ssl)1735 static inline const void *mbedtls_ssl_get_groups( const mbedtls_ssl_context *ssl )
1736 {
1737 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
1738 return( ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(group_list) );
1739 #else
1740 if( ( ssl->MBEDTLS_PRIVATE(handshake) != NULL ) && ( ssl->MBEDTLS_PRIVATE(handshake)->group_list != NULL ) )
1741 return( ssl->MBEDTLS_PRIVATE(handshake)->group_list );
1742 else
1743 return( ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(group_list) );
1744 #endif
1745 }
1746
1747 #endif /* ssl_misc.h */
1748