1 /**
2 * \file ssl_misc.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6 /*
7 * Copyright The Mbed TLS Contributors
8 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
21 */
22 #ifndef MBEDTLS_SSL_MISC_H
23 #define MBEDTLS_SSL_MISC_H
24
25 #include "mbedtls/build_info.h"
26
27 #include "mbedtls/ssl.h"
28 #include "mbedtls/cipher.h"
29
30 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
31 #include "psa/crypto.h"
32 #include "mbedtls/psa_util.h"
33 #include "hash_info.h"
34 #endif
35 #include "mbedtls/legacy_or_psa.h"
36
37 #if defined(MBEDTLS_MD5_C)
38 #include "mbedtls/md5.h"
39 #endif
40
41 #if defined(MBEDTLS_SHA1_C)
42 #include "mbedtls/sha1.h"
43 #endif
44
45 #if defined(MBEDTLS_SHA256_C)
46 #include "mbedtls/sha256.h"
47 #endif
48
49 #if defined(MBEDTLS_SHA512_C)
50 #include "mbedtls/sha512.h"
51 #endif
52
53 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
54 !defined(MBEDTLS_USE_PSA_CRYPTO)
55 #include "mbedtls/ecjpake.h"
56 #endif
57
58 #include "mbedtls/pk.h"
59 #include "common.h"
60
61 /* Shorthand for restartable ECC */
62 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
63 defined(MBEDTLS_SSL_CLI_C) && \
64 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
65 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
66 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
67 #endif
68
69 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
70 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
71 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
72 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
73
74 /* Faked handshake message identity for HelloRetryRequest. */
75 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO)
76
77 /*
78 * Internal identity of handshake extensions
79 */
80 #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0
81 #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1
82 #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1
83 #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2
84 #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3
85 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4
86 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4
87 #define MBEDTLS_SSL_EXT_ID_SIG_ALG 5
88 #define MBEDTLS_SSL_EXT_ID_USE_SRTP 6
89 #define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7
90 #define MBEDTLS_SSL_EXT_ID_ALPN 8
91 #define MBEDTLS_SSL_EXT_ID_SCT 9
92 #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10
93 #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11
94 #define MBEDTLS_SSL_EXT_ID_PADDING 12
95 #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13
96 #define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14
97 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15
98 #define MBEDTLS_SSL_EXT_ID_COOKIE 16
99 #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17
100 #define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18
101 #define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19
102 #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20
103 #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21
104 #define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22
105 #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23
106 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24
107 #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25
108 #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26
109 #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27
110 #define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28
111
112 /* Utility for translating IANA extension type. */
113 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type);
114 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
115 /* Macros used to define mask constants */
116 #define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id))
117 /* Reset value of extension mask */
118 #define MBEDTLS_SSL_EXT_MASK_NONE 0
119
120 /* In messages containing extension requests, we should ignore unrecognized
121 * extensions. In messages containing extension responses, unrecognized
122 * extensions should result in handshake abortion. Messages containing
123 * extension requests include ClientHello, CertificateRequest and
124 * NewSessionTicket. Messages containing extension responses include
125 * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
126 *
127 * RFC 8446 section 4.1.3
128 *
129 * The ServerHello MUST only include extensions which are required to establish
130 * the cryptographic context and negotiate the protocol version.
131 *
132 * RFC 8446 section 4.2
133 *
134 * If an implementation receives an extension which it recognizes and which is
135 * not specified for the message in which it appears, it MUST abort the handshake
136 * with an "illegal_parameter" alert.
137 */
138
139 /* Extensions that are not recognized by TLS 1.3 */
140 #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \
141 (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \
142 MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \
143 MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \
144 MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \
145 MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \
146 MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED))
147
148 /* RFC 8446 section 4.2. Allowed extensions for ClientHello */
149 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
150 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
151 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
152 MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
153 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
154 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
155 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
156 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
157 MBEDTLS_SSL_EXT_MASK(ALPN) | \
158 MBEDTLS_SSL_EXT_MASK(SCT) | \
159 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
160 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
161 MBEDTLS_SSL_EXT_MASK(PADDING) | \
162 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
163 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
164 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \
165 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
166 MBEDTLS_SSL_EXT_MASK(COOKIE) | \
167 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \
168 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
169 MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \
170 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
171 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \
172 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
173
174 /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
175 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
176 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
177 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
178 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
179 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
180 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
181 MBEDTLS_SSL_EXT_MASK(ALPN) | \
182 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
183 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
184 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
185 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT))
186
187 /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
188 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
189 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
190 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
191 MBEDTLS_SSL_EXT_MASK(SCT) | \
192 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
193 MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \
194 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
195 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
196
197 /* RFC 8446 section 4.2. Allowed extensions for Certificate */
198 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
199 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
200 MBEDTLS_SSL_EXT_MASK(SCT))
201
202 /* RFC 8446 section 4.2. Allowed extensions for ServerHello */
203 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
204 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
205 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
206 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
207
208 /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
209 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
210 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
211 MBEDTLS_SSL_EXT_MASK(COOKIE) | \
212 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
213
214 /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
215 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
216 (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
217 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
218
219 /*
220 * Helper macros for function call with return check.
221 */
222 /*
223 * Exit when return non-zero value
224 */
225 #define MBEDTLS_SSL_PROC_CHK(f) \
226 do { \
227 ret = (f); \
228 if (ret != 0) \
229 { \
230 goto cleanup; \
231 } \
232 } while (0)
233 /*
234 * Exit when return negative value
235 */
236 #define MBEDTLS_SSL_PROC_CHK_NEG(f) \
237 do { \
238 ret = (f); \
239 if (ret < 0) \
240 { \
241 goto cleanup; \
242 } \
243 } while (0)
244
245 /*
246 * DTLS retransmission states, see RFC 6347 4.2.4
247 *
248 * The SENDING state is merged in PREPARING for initial sends,
249 * but is distinct for resends.
250 *
251 * Note: initial state is wrong for server, but is not used anyway.
252 */
253 #define MBEDTLS_SSL_RETRANS_PREPARING 0
254 #define MBEDTLS_SSL_RETRANS_SENDING 1
255 #define MBEDTLS_SSL_RETRANS_WAITING 2
256 #define MBEDTLS_SSL_RETRANS_FINISHED 3
257
258 /*
259 * Allow extra bytes for record, authentication and encryption overhead:
260 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
261 */
262
263 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
264
265 /* This macro determines whether CBC is supported. */
266 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \
267 (defined(MBEDTLS_AES_C) || \
268 defined(MBEDTLS_CAMELLIA_C) || \
269 defined(MBEDTLS_ARIA_C) || \
270 defined(MBEDTLS_DES_C))
271 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
272 #endif
273
274 /* This macro determines whether a ciphersuite using a
275 * stream cipher can be used. */
276 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
277 #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
278 #endif
279
280 /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
281 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
282 defined(MBEDTLS_SSL_PROTO_TLS1_2)
283 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
284 #endif
285
286 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
287 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
288 #define MBEDTLS_SSL_SOME_SUITES_USE_MAC
289 #endif
290
291 /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
292 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
293 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
294 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
295 #endif
296
297 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
298
299 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
300 /* Ciphersuites using HMAC */
301 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
302 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
303 #elif defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
304 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
305 #else
306 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
307 #endif
308 #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
309 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
310 #define MBEDTLS_SSL_MAC_ADD 16
311 #endif
312
313 #if defined(MBEDTLS_CIPHER_MODE_CBC)
314 #define MBEDTLS_SSL_PADDING_ADD 256
315 #else
316 #define MBEDTLS_SSL_PADDING_ADD 0
317 #endif
318
319 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
320 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
321 #else
322 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
323 #endif
324
325 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \
326 MBEDTLS_SSL_MAC_ADD + \
327 MBEDTLS_SSL_PADDING_ADD + \
328 MBEDTLS_SSL_MAX_CID_EXPANSION \
329 )
330
331 #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
332 (MBEDTLS_SSL_IN_CONTENT_LEN))
333
334 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
335 (MBEDTLS_SSL_OUT_CONTENT_LEN))
336
337 /* The maximum number of buffered handshake messages. */
338 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
339
340 /* Maximum length we can advertise as our max content length for
341 RFC 6066 max_fragment_length extension negotiation purposes
342 (the lesser of both sizes, if they are unequal.)
343 */
344 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
345 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
346 ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \
347 : (MBEDTLS_SSL_IN_CONTENT_LEN) \
348 )
349
350 /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
351 #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534
352
353 /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
354 #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2
355
356 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
357 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
358
359 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
360
361 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
362
363 #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
364
365 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
366 #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig)
367 #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
368 #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
369 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
370
371 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
372
373 /*
374 * Check that we obey the standard's message size bounds
375 */
376
377 #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
378 #error "Bad configuration - incoming record content too large."
379 #endif
380
381 #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
382 #error "Bad configuration - outgoing record content too large."
383 #endif
384
385 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
386 #error "Bad configuration - incoming protected record payload too large."
387 #endif
388
389 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
390 #error "Bad configuration - outgoing protected record payload too large."
391 #endif
392
393 /* Calculate buffer sizes */
394
395 /* Note: Even though the TLS record header is only 5 bytes
396 long, we're internally using 8 bytes to store the
397 implicit sequence number. */
398 #define MBEDTLS_SSL_HEADER_LEN 13
399
400 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
401 #define MBEDTLS_SSL_IN_BUFFER_LEN \
402 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN))
403 #else
404 #define MBEDTLS_SSL_IN_BUFFER_LEN \
405 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \
406 + (MBEDTLS_SSL_CID_IN_LEN_MAX))
407 #endif
408
409 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
410 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
411 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN))
412 #else
413 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
414 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \
415 + (MBEDTLS_SSL_CID_OUT_LEN_MAX))
416 #endif
417
418 #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
419 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
420
421 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
422 /**
423 * \brief Return the maximum fragment length (payload, in bytes) for
424 * the output buffer. For the client, this is the configured
425 * value. For the server, it is the minimum of two - the
426 * configured value and the negotiated one.
427 *
428 * \sa mbedtls_ssl_conf_max_frag_len()
429 * \sa mbedtls_ssl_get_max_out_record_payload()
430 *
431 * \param ssl SSL context
432 *
433 * \return Current maximum fragment length for the output buffer.
434 */
435 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl);
436
437 /**
438 * \brief Return the maximum fragment length (payload, in bytes) for
439 * the input buffer. This is the negotiated maximum fragment
440 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
441 * If it is not defined either, the value is 2^14. This function
442 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
443 *
444 * \sa mbedtls_ssl_conf_max_frag_len()
445 * \sa mbedtls_ssl_get_max_in_record_payload()
446 *
447 * \param ssl SSL context
448 *
449 * \return Current maximum fragment length for the output buffer.
450 */
451 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
452 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
453
454 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context * ctx)455 static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
456 {
457 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
458 return mbedtls_ssl_get_output_max_frag_len(ctx)
459 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
460 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
461 #else
462 return mbedtls_ssl_get_output_max_frag_len(ctx)
463 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
464 #endif
465 }
466
mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context * ctx)467 static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx)
468 {
469 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
470 return mbedtls_ssl_get_input_max_frag_len(ctx)
471 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
472 + MBEDTLS_SSL_CID_IN_LEN_MAX;
473 #else
474 return mbedtls_ssl_get_input_max_frag_len(ctx)
475 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
476 #endif
477 }
478 #endif
479
480 /*
481 * TLS extension flags (for extensions with outgoing ServerHello content
482 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
483 * of state of the renegotiation flag, so no indicator is required)
484 */
485 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
486 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
487
488 /**
489 * \brief This function checks if the remaining size in a buffer is
490 * greater or equal than a needed space.
491 *
492 * \param cur Pointer to the current position in the buffer.
493 * \param end Pointer to one past the end of the buffer.
494 * \param need Needed space in bytes.
495 *
496 * \return Zero if the needed space is available in the buffer, non-zero
497 * otherwise.
498 */
499 #if !defined(MBEDTLS_TEST_HOOKS)
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)500 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
501 const uint8_t *end, size_t need)
502 {
503 return (cur > end) || (need > (size_t) (end - cur));
504 }
505 #else
506 typedef struct {
507 const uint8_t *cur;
508 const uint8_t *end;
509 size_t need;
510 } mbedtls_ssl_chk_buf_ptr_args;
511
512 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
513 const uint8_t *cur, const uint8_t *end, size_t need);
514 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void);
515
516 MBEDTLS_CHECK_RETURN_CRITICAL
517 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args);
518
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)519 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
520 const uint8_t *end, size_t need)
521 {
522 if ((cur > end) || (need > (size_t) (end - cur))) {
523 mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need);
524 return 1;
525 }
526 return 0;
527 }
528 #endif /* MBEDTLS_TEST_HOOKS */
529
530 /**
531 * \brief This macro checks if the remaining size in a buffer is
532 * greater or equal than a needed space. If it is not the case,
533 * it returns an SSL_BUFFER_TOO_SMALL error.
534 *
535 * \param cur Pointer to the current position in the buffer.
536 * \param end Pointer to one past the end of the buffer.
537 * \param need Needed space in bytes.
538 *
539 */
540 #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \
541 do { \
542 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
543 { \
544 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \
545 } \
546 } while (0)
547
548 /**
549 * \brief This macro checks if the remaining length in an input buffer is
550 * greater or equal than a needed length. If it is not the case, it
551 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
552 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
553 *
554 * This is a function-like macro. It is guaranteed to evaluate each
555 * argument exactly once.
556 *
557 * \param cur Pointer to the current position in the buffer.
558 * \param end Pointer to one past the end of the buffer.
559 * \param need Needed length in bytes.
560 *
561 */
562 #define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \
563 do { \
564 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
565 { \
566 MBEDTLS_SSL_DEBUG_MSG(1, \
567 ("missing input data in %s", __func__)); \
568 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
569 MBEDTLS_ERR_SSL_DECODE_ERROR); \
570 return MBEDTLS_ERR_SSL_DECODE_ERROR; \
571 } \
572 } while (0)
573
574 #ifdef __cplusplus
575 extern "C" {
576 #endif
577
578 typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
579 const char *label,
580 const unsigned char *random, size_t rlen,
581 unsigned char *dstbuf, size_t dlen);
582
583 /* cipher.h exports the maximum IV, key and block length from
584 * all ciphers enabled in the config, regardless of whether those
585 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
586 * in the default configuration and uses 64 Byte keys, but it is
587 * not used for record protection in SSL/TLS.
588 *
589 * In order to prevent unnecessary inflation of key structures,
590 * we introduce SSL-specific variants of the max-{key,block,IV}
591 * macros here which are meant to only take those ciphers into
592 * account which can be negotiated in SSL/TLS.
593 *
594 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
595 * in cipher.h are rough overapproximations of the real maxima, here
596 * we content ourselves with replicating those overapproximations
597 * for the maximum block and IV length, and excluding XTS from the
598 * computation of the maximum key length. */
599 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
600 #define MBEDTLS_SSL_MAX_IV_LENGTH 16
601 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32
602
603 /**
604 * \brief The data structure holding the cryptographic material (key and IV)
605 * used for record protection in TLS 1.3.
606 */
607 struct mbedtls_ssl_key_set {
608 /*! The key for client->server records. */
609 unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
610 /*! The key for server->client records. */
611 unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
612 /*! The IV for client->server records. */
613 unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
614 /*! The IV for server->client records. */
615 unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
616
617 size_t key_len; /*!< The length of client_write_key and
618 * server_write_key, in Bytes. */
619 size_t iv_len; /*!< The length of client_write_iv and
620 * server_write_iv, in Bytes. */
621 };
622 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
623
624 typedef struct {
625 unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE];
626 unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
627 unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
628 } mbedtls_ssl_tls13_early_secrets;
629
630 typedef struct {
631 unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
632 unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
633 } mbedtls_ssl_tls13_handshake_secrets;
634
635 /*
636 * This structure contains the parameters only needed during handshake.
637 */
638 struct mbedtls_ssl_handshake_params {
639 /* Frequently-used boolean or byte fields (placed early to take
640 * advantage of smaller code size for indirect access on Arm Thumb) */
641 uint8_t resume; /*!< session resume indicator*/
642 uint8_t cli_exts; /*!< client extension presence*/
643
644 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
645 uint8_t sni_authmode; /*!< authmode from SNI callback */
646 #endif
647
648 #if defined(MBEDTLS_SSL_SRV_C)
649 /* Flag indicating if a CertificateRequest message has been sent
650 * to the client or not. */
651 uint8_t certificate_request_sent;
652 #endif /* MBEDTLS_SSL_SRV_C */
653
654 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
655 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
656 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
657
658 #if defined(MBEDTLS_SSL_CLI_C)
659 /** Minimum TLS version to be negotiated.
660 *
661 * It is set up in the ClientHello writing preparation stage and used
662 * throughout the ClientHello writing. Not relevant anymore as soon as
663 * the protocol version has been negotiated thus as soon as the
664 * ServerHello is received.
665 * For a fresh handshake not linked to any previous handshake, it is
666 * equal to the configured minimum minor version to be negotiated. When
667 * renegotiating or resuming a session, it is equal to the previously
668 * negotiated minor version.
669 *
670 * There is no maximum TLS version field in this handshake context.
671 * From the start of the handshake, we need to define a current protocol
672 * version for the record layer which we define as the maximum TLS
673 * version to be negotiated. The `tls_version` field of the SSL context is
674 * used to store this maximum value until it contains the actual
675 * negotiated value.
676 */
677 mbedtls_ssl_protocol_version min_tls_version;
678 #endif
679
680 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
681 uint8_t extended_ms; /*!< use Extended Master Secret? */
682 #endif
683
684 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
685 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
686 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
687
688 #if defined(MBEDTLS_SSL_PROTO_DTLS)
689 unsigned char retransmit_state; /*!< Retransmission state */
690 #endif
691
692 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
693 unsigned char group_list_heap_allocated;
694 unsigned char sig_algs_heap_allocated;
695 #endif
696
697 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
698 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
699 enum { /* this complements ssl->state with info on intra-state operations */
700 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
701 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
702 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
703 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
704 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
705 } ecrs_state; /*!< current (or last) operation */
706 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
707 size_t ecrs_n; /*!< place for saving a length */
708 #endif
709
710 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
711
712 MBEDTLS_CHECK_RETURN_CRITICAL
713 int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
714 MBEDTLS_CHECK_RETURN_CRITICAL
715 int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
716 MBEDTLS_CHECK_RETURN_CRITICAL
717 int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
718 mbedtls_ssl_tls_prf_cb *tls_prf;
719
720 /*
721 * Handshake specific crypto variables
722 */
723 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
724 uint8_t key_exchange_mode; /*!< Selected key exchange mode */
725
726 /** Number of HelloRetryRequest messages received/sent from/to the server. */
727 int hello_retry_request_count;
728
729 #if defined(MBEDTLS_SSL_SRV_C)
730 /** selected_group of key_share extension in HelloRetryRequest message. */
731 uint16_t hrr_selected_group;
732 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
733 uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
734 #endif
735 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
736 uint16_t new_session_tickets_count; /*!< number of session tickets */
737 #endif
738 #endif /* MBEDTLS_SSL_SRV_C */
739
740 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
741
742 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
743 uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
744 #endif
745
746 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
747 const uint16_t *group_list;
748 const uint16_t *sig_algs;
749 #endif
750
751 #if defined(MBEDTLS_DHM_C)
752 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
753 #endif
754
755 /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
756 * to guards in client and server code. There is a gap in functionality that
757 * access to ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not
758 * seem correct.
759 */
760 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
761 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
762 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
763 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
764
765 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
766 psa_key_type_t ecdh_psa_type;
767 size_t ecdh_bits;
768 mbedtls_svc_key_id_t ecdh_psa_privkey;
769 uint8_t ecdh_psa_privkey_is_external;
770 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
771 size_t ecdh_psa_peerkey_len;
772 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
773 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
774
775 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
776 #if defined(MBEDTLS_USE_PSA_CRYPTO)
777 psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */
778 mbedtls_svc_key_id_t psa_pake_password;
779 uint8_t psa_pake_ctx_is_ok;
780 #else
781 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
782 #endif /* MBEDTLS_USE_PSA_CRYPTO */
783 #if defined(MBEDTLS_SSL_CLI_C)
784 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
785 size_t ecjpake_cache_len; /*!< Length of cached data */
786 #endif
787 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
788
789 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
790 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
791 uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */
792 #endif
793
794 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
795 #if defined(MBEDTLS_USE_PSA_CRYPTO)
796 mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
797 uint8_t psk_opaque_is_internal;
798 #else
799 unsigned char *psk; /*!< PSK from the callback */
800 size_t psk_len; /*!< Length of PSK from callback */
801 #endif /* MBEDTLS_USE_PSA_CRYPTO */
802 uint16_t selected_identity;
803 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
804
805 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
806 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
807 #endif
808
809 #if defined(MBEDTLS_X509_CRT_PARSE_C)
810 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
811 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
812 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
813 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
814 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
815 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
816 #endif /* MBEDTLS_X509_CRT_PARSE_C */
817
818 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
819 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
820 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
821 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
822
823 struct {
824 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
825 * buffers used for message buffering. */
826
827 uint8_t seen_ccs; /*!< Indicates if a CCS message has
828 * been seen in the current flight. */
829
830 struct mbedtls_ssl_hs_buffer {
831 unsigned is_valid : 1;
832 unsigned is_fragmented : 1;
833 unsigned is_complete : 1;
834 unsigned char *data;
835 size_t data_len;
836 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
837
838 struct {
839 unsigned char *data;
840 size_t len;
841 unsigned epoch;
842 } future_record;
843
844 } buffering;
845
846 #if defined(MBEDTLS_SSL_CLI_C) && \
847 (defined(MBEDTLS_SSL_PROTO_DTLS) || \
848 defined(MBEDTLS_SSL_PROTO_TLS1_3))
849 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
850 * HelloRetryRequest cookie for TLS 1.3 */
851 #if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
852 /* RFC 6347 page 15
853 ...
854 opaque cookie<0..2^8-1>;
855 ...
856 */
857 uint8_t cookie_len;
858 #else
859 /* RFC 8446 page 39
860 ...
861 opaque cookie<0..2^16-1>;
862 ...
863 If TLS1_3 is enabled, the max length is 2^16 - 1
864 */
865 uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length
866 * TLS1_3: HelloRetryRequest cookie length */
867 #endif
868 #endif /* MBEDTLS_SSL_CLI_C &&
869 ( MBEDTLS_SSL_PROTO_DTLS ||
870 MBEDTLS_SSL_PROTO_TLS1_3 ) */
871 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS)
872 unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */
873 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */
874
875 #if defined(MBEDTLS_SSL_PROTO_DTLS)
876 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
877 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
878
879 uint32_t retransmit_timeout; /*!< Current value of timeout */
880 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
881 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
882 unsigned char *cur_msg_p; /*!< Position in current message */
883 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
884 flight being received */
885 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
886 resending messages */
887 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
888 for resending messages */
889
890 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
891 /* The state of CID configuration in this handshake. */
892
893 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
894 * has been negotiated. Possible values are
895 * #MBEDTLS_SSL_CID_ENABLED and
896 * #MBEDTLS_SSL_CID_DISABLED. */
897 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */
898 uint8_t peer_cid_len; /*!< The length of
899 * \c peer_cid. */
900 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
901
902 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
903 #endif /* MBEDTLS_SSL_PROTO_DTLS */
904
905 /*
906 * Checksum contexts
907 */
908 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
909 #if defined(MBEDTLS_USE_PSA_CRYPTO)
910 psa_hash_operation_t fin_sha256_psa;
911 #else
912 mbedtls_md_context_t fin_sha256;
913 #endif
914 #endif
915 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
916 #if defined(MBEDTLS_USE_PSA_CRYPTO)
917 psa_hash_operation_t fin_sha384_psa;
918 #else
919 mbedtls_md_context_t fin_sha384;
920 #endif
921 #endif
922
923 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
924 uint16_t offered_group_id; /* The NamedGroup value for the group
925 * that is being used for ephemeral
926 * key exchange.
927 *
928 * On the client: Defaults to the first
929 * entry in the client's group list,
930 * but can be overwritten by the HRR. */
931 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
932
933 #if defined(MBEDTLS_SSL_CLI_C)
934 uint8_t client_auth; /*!< used to check if CertificateRequest has been
935 received from server side. If CertificateRequest
936 has been received, Certificate and CertificateVerify
937 should be sent to server */
938 #endif /* MBEDTLS_SSL_CLI_C */
939 /*
940 * State-local variables used during the processing
941 * of a specific handshake state.
942 */
943 union {
944 /* Outgoing Finished message */
945 struct {
946 uint8_t preparation_done;
947
948 /* Buffer holding digest of the handshake up to
949 * but excluding the outgoing finished message. */
950 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
951 size_t digest_len;
952 } finished_out;
953
954 /* Incoming Finished message */
955 struct {
956 uint8_t preparation_done;
957
958 /* Buffer holding digest of the handshake up to but
959 * excluding the peer's incoming finished message. */
960 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
961 size_t digest_len;
962 } finished_in;
963
964 } state_local;
965
966 /* End of state-local variables. */
967
968 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
969 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
970 /*!< random bytes */
971 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
972 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
973 /*!< premaster secret */
974 size_t pmslen; /*!< premaster length */
975 #endif
976
977 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
978 uint32_t sent_extensions; /*!< extensions sent by endpoint */
979 uint32_t received_extensions; /*!< extensions received by endpoint */
980
981 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
982 unsigned char certificate_request_context_len;
983 unsigned char *certificate_request_context;
984 #endif
985
986 /** TLS 1.3 transform for encrypted handshake messages. */
987 mbedtls_ssl_transform *transform_handshake;
988 union {
989 unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE];
990 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
991 unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE];
992 } tls13_master_secrets;
993
994 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
995 #if defined(MBEDTLS_SSL_EARLY_DATA)
996 /** TLS 1.3 transform for early data and handshake messages. */
997 mbedtls_ssl_transform *transform_earlydata;
998 #endif
999 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1000
1001 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
1002 /** Asynchronous operation context. This field is meant for use by the
1003 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
1004 * mbedtls_ssl_config::f_async_decrypt_start,
1005 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
1006 * The library does not use it internally. */
1007 void *user_async_ctx;
1008 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
1009
1010 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1011 const unsigned char *sni_name; /*!< raw SNI */
1012 size_t sni_name_len; /*!< raw SNI len */
1013 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
1014 const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
1015 #endif
1016 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1017 };
1018
1019 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
1020
1021 /*
1022 * Representation of decryption/encryption transformations on records
1023 *
1024 * There are the following general types of record transformations:
1025 * - Stream transformations (TLS versions == 1.2 only)
1026 * Transformation adding a MAC and applying a stream-cipher
1027 * to the authenticated message.
1028 * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
1029 * For TLS 1.2, no IV is generated at key extraction time, but every
1030 * encrypted record is explicitly prefixed by the IV with which it was
1031 * encrypted.
1032 * - AEAD transformations ([D]TLS versions == 1.2 only)
1033 * These come in two fundamentally different versions, the first one
1034 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
1035 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
1036 * In the first transformation, the IV to be used for a record is obtained
1037 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
1038 * record sequence number, and explicitly prepending this sequence number
1039 * to the encrypted record. In contrast, in the second transformation
1040 * the IV is obtained by XOR'ing a static IV obtained at key extraction
1041 * time with the 8-byte record sequence number, without prepending the
1042 * latter to the encrypted record.
1043 *
1044 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
1045 * which allows to add flexible length padding and to hide a record's true
1046 * content type.
1047 *
1048 * In addition to type and version, the following parameters are relevant:
1049 * - The symmetric cipher algorithm to be used.
1050 * - The (static) encryption/decryption keys for the cipher.
1051 * - For stream/CBC, the type of message digest to be used.
1052 * - For stream/CBC, (static) encryption/decryption keys for the digest.
1053 * - For AEAD transformations, the size (potentially 0) of an explicit,
1054 * random initialization vector placed in encrypted records.
1055 * - For some transformations (currently AEAD) an implicit IV. It is static
1056 * and (if present) is combined with the explicit IV in a transformation-
1057 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
1058 * - For stream/CBC, a flag determining the order of encryption and MAC.
1059 * - The details of the transformation depend on the SSL/TLS version.
1060 * - The length of the authentication tag.
1061 *
1062 * The struct below refines this abstract view as follows:
1063 * - The cipher underlying the transformation is managed in
1064 * cipher contexts cipher_ctx_{enc/dec}, which must have the
1065 * same cipher type. The mode of these cipher contexts determines
1066 * the type of the transformation in the sense above: e.g., if
1067 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
1068 * then the transformation has type CBC resp. AEAD.
1069 * - The cipher keys are never stored explicitly but
1070 * are maintained within cipher_ctx_{enc/dec}.
1071 * - For stream/CBC transformations, the message digest contexts
1072 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
1073 * are unused for AEAD transformations.
1074 * - For stream/CBC transformations, the MAC keys are not stored explicitly
1075 * but maintained within md_ctx_{enc/dec}.
1076 * - The mac_enc and mac_dec fields are unused for EAD transformations.
1077 * - For transformations using an implicit IV maintained within
1078 * the transformation context, its contents are stored within
1079 * iv_{enc/dec}.
1080 * - The value of ivlen indicates the length of the IV.
1081 * This is redundant in case of stream/CBC transformations
1082 * which always use 0 resp. the cipher's block length as the
1083 * IV length, but is needed for AEAD ciphers and may be
1084 * different from the underlying cipher's block length
1085 * in this case.
1086 * - The field fixed_ivlen is nonzero for AEAD transformations only
1087 * and indicates the length of the static part of the IV which is
1088 * constant throughout the communication, and which is stored in
1089 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
1090 * - tls_version denotes the 2-byte TLS version
1091 * - For stream/CBC transformations, maclen denotes the length of the
1092 * authentication tag, while taglen is unused and 0.
1093 * - For AEAD transformations, taglen denotes the length of the
1094 * authentication tag, while maclen is unused and 0.
1095 * - For CBC transformations, encrypt_then_mac determines the
1096 * order of encryption and authentication. This field is unused
1097 * in other transformations.
1098 *
1099 */
1100 struct mbedtls_ssl_transform {
1101 /*
1102 * Session specific crypto layer
1103 */
1104 size_t minlen; /*!< min. ciphertext length */
1105 size_t ivlen; /*!< IV length */
1106 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
1107 size_t maclen; /*!< MAC(CBC) len */
1108 size_t taglen; /*!< TAG(AEAD) len */
1109
1110 unsigned char iv_enc[16]; /*!< IV (encryption) */
1111 unsigned char iv_dec[16]; /*!< IV (decryption) */
1112
1113 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1114
1115 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1116 mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
1117 mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
1118 psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
1119 #else
1120 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
1121 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
1122 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1123
1124 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1125 int encrypt_then_mac; /*!< flag for EtM activation */
1126 #endif
1127
1128 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
1129
1130 mbedtls_ssl_protocol_version tls_version;
1131
1132 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1133 mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
1134 mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
1135 psa_algorithm_t psa_alg; /*!< psa algorithm */
1136 #else
1137 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
1138 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
1139 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1140
1141 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1142 uint8_t in_cid_len;
1143 uint8_t out_cid_len;
1144 unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
1145 unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
1146 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1147
1148 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
1149 /* We need the Hello random bytes in order to re-derive keys from the
1150 * Master Secret and other session info,
1151 * see ssl_tls12_populate_transform() */
1152 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
1153 MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
1154 /*!< ServerHello.random+ClientHello.random */
1155 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
1156 };
1157
1158 /*
1159 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
1160 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
1161 */
mbedtls_ssl_transform_uses_aead(const mbedtls_ssl_transform * transform)1162 static inline int mbedtls_ssl_transform_uses_aead(
1163 const mbedtls_ssl_transform *transform)
1164 {
1165 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1166 return transform->maclen == 0 && transform->taglen != 0;
1167 #else
1168 (void) transform;
1169 return 1;
1170 #endif
1171 }
1172
1173 /*
1174 * Internal representation of record frames
1175 *
1176 * Instances come in two flavors:
1177 * (1) Encrypted
1178 * These always have data_offset = 0
1179 * (2) Unencrypted
1180 * These have data_offset set to the amount of
1181 * pre-expansion during record protection. Concretely,
1182 * this is the length of the fixed part of the explicit IV
1183 * used for encryption, or 0 if no explicit IV is used
1184 * (e.g. for stream ciphers).
1185 *
1186 * The reason for the data_offset in the unencrypted case
1187 * is to allow for in-place conversion of an unencrypted to
1188 * an encrypted record. If the offset wasn't included, the
1189 * encrypted content would need to be shifted afterwards to
1190 * make space for the fixed IV.
1191 *
1192 */
1193 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
1194 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
1195 #else
1196 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
1197 #endif
1198
1199 typedef struct {
1200 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
1201 * In DTLS: The 2-byte epoch followed by
1202 * the 6-byte sequence number.
1203 * This is stored as a raw big endian byte array
1204 * as opposed to a uint64_t because we rarely
1205 * need to perform arithmetic on this, but do
1206 * need it as a Byte array for the purpose of
1207 * MAC computations. */
1208 uint8_t type; /* The record content type. */
1209 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
1210 * Convert to internal presentation of versions
1211 * using mbedtls_ssl_read_version() and
1212 * mbedtls_ssl_write_version().
1213 * Keep wire-format for MAC computations. */
1214
1215 unsigned char *buf; /* Memory buffer enclosing the record content */
1216 size_t buf_len; /* Buffer length */
1217 size_t data_offset; /* Offset of record content */
1218 size_t data_len; /* Length of record content */
1219
1220 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1221 uint8_t cid_len; /* Length of the CID (0 if not present) */
1222 unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */
1223 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1224 } mbedtls_record;
1225
1226 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1227 /*
1228 * List of certificate + private key pairs
1229 */
1230 struct mbedtls_ssl_key_cert {
1231 mbedtls_x509_crt *cert; /*!< cert */
1232 mbedtls_pk_context *key; /*!< private key */
1233 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
1234 };
1235 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1236
1237 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1238 /*
1239 * List of handshake messages kept around for resending
1240 */
1241 struct mbedtls_ssl_flight_item {
1242 unsigned char *p; /*!< message, including handshake headers */
1243 size_t len; /*!< length of p */
1244 unsigned char type; /*!< type of the message: handshake or CCS */
1245 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
1246 };
1247 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1248
1249 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1250 /**
1251 * \brief Given an SSL context and its associated configuration, write the TLS
1252 * 1.2 specific extensions of the ClientHello message.
1253 *
1254 * \param[in] ssl SSL context
1255 * \param[in] buf Base address of the buffer where to write the extensions
1256 * \param[in] end End address of the buffer where to write the extensions
1257 * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve
1258 * (<> 0) or not ( 0 ).
1259 * \param[out] out_len Length of the data written into the buffer \p buf
1260 */
1261 MBEDTLS_CHECK_RETURN_CRITICAL
1262 int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
1263 unsigned char *buf,
1264 const unsigned char *end,
1265 int uses_ec,
1266 size_t *out_len);
1267 #endif
1268
1269 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1270 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1271
1272 /**
1273 * \brief Find the preferred hash for a given signature algorithm.
1274 *
1275 * \param[in] ssl SSL context
1276 * \param[in] sig_alg A signature algorithm identifier as defined in the
1277 * TLS 1.2 SignatureAlgorithm enumeration.
1278 *
1279 * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
1280 * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
1281 */
1282 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
1283 mbedtls_ssl_context *ssl,
1284 unsigned int sig_alg);
1285
1286 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1287 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1288
1289 /**
1290 * \brief Free referenced items in an SSL transform context and clear
1291 * memory
1292 *
1293 * \param transform SSL transform context
1294 */
1295 void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
1296
1297 /**
1298 * \brief Free referenced items in an SSL handshake context and clear
1299 * memory
1300 *
1301 * \param ssl SSL context
1302 */
1303 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
1304
1305 /* set inbound transform of ssl context */
1306 void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl,
1307 mbedtls_ssl_transform *transform);
1308
1309 /* set outbound transform of ssl context */
1310 void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl,
1311 mbedtls_ssl_transform *transform);
1312
1313 MBEDTLS_CHECK_RETURN_CRITICAL
1314 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
1315 MBEDTLS_CHECK_RETURN_CRITICAL
1316 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
1317 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
mbedtls_ssl_handshake_set_state(mbedtls_ssl_context * ssl,mbedtls_ssl_states state)1318 static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
1319 mbedtls_ssl_states state)
1320 {
1321 ssl->state = (int) state;
1322 }
1323
1324 MBEDTLS_CHECK_RETURN_CRITICAL
1325 int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
1326
1327 MBEDTLS_CHECK_RETURN_CRITICAL
1328 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
1329
1330 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1331 MBEDTLS_CHECK_RETURN_CRITICAL
1332 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
1333 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1334
1335 MBEDTLS_CHECK_RETURN_CRITICAL
1336 int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
1337 MBEDTLS_CHECK_RETURN_CRITICAL
1338 int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
1339 MBEDTLS_CHECK_RETURN_CRITICAL
1340 int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
1341
1342 /**
1343 * \brief Update record layer
1344 *
1345 * This function roughly separates the implementation
1346 * of the logic of (D)TLS from the implementation
1347 * of the secure transport.
1348 *
1349 * \param ssl The SSL context to use.
1350 * \param update_hs_digest This indicates if the handshake digest
1351 * should be automatically updated in case
1352 * a handshake message is found.
1353 *
1354 * \return 0 or non-zero error code.
1355 *
1356 * \note A clarification on what is called 'record layer' here
1357 * is in order, as many sensible definitions are possible:
1358 *
1359 * The record layer takes as input an untrusted underlying
1360 * transport (stream or datagram) and transforms it into
1361 * a serially multiplexed, secure transport, which
1362 * conceptually provides the following:
1363 *
1364 * (1) Three datagram based, content-agnostic transports
1365 * for handshake, alert and CCS messages.
1366 * (2) One stream- or datagram-based transport
1367 * for application data.
1368 * (3) Functionality for changing the underlying transform
1369 * securing the contents.
1370 *
1371 * The interface to this functionality is given as follows:
1372 *
1373 * a Updating
1374 * [Currently implemented by mbedtls_ssl_read_record]
1375 *
1376 * Check if and on which of the four 'ports' data is pending:
1377 * Nothing, a controlling datagram of type (1), or application
1378 * data (2). In any case data is present, internal buffers
1379 * provide access to the data for the user to process it.
1380 * Consumption of type (1) datagrams is done automatically
1381 * on the next update, invalidating that the internal buffers
1382 * for previous datagrams, while consumption of application
1383 * data (2) is user-controlled.
1384 *
1385 * b Reading of application data
1386 * [Currently manual adaption of ssl->in_offt pointer]
1387 *
1388 * As mentioned in the last paragraph, consumption of data
1389 * is different from the automatic consumption of control
1390 * datagrams (1) because application data is treated as a stream.
1391 *
1392 * c Tracking availability of application data
1393 * [Currently manually through decreasing ssl->in_msglen]
1394 *
1395 * For efficiency and to retain datagram semantics for
1396 * application data in case of DTLS, the record layer
1397 * provides functionality for checking how much application
1398 * data is still available in the internal buffer.
1399 *
1400 * d Changing the transformation securing the communication.
1401 *
1402 * Given an opaque implementation of the record layer in the
1403 * above sense, it should be possible to implement the logic
1404 * of (D)TLS on top of it without the need to know anything
1405 * about the record layer's internals. This is done e.g.
1406 * in all the handshake handling functions, and in the
1407 * application data reading function mbedtls_ssl_read.
1408 *
1409 * \note The above tries to give a conceptual picture of the
1410 * record layer, but the current implementation deviates
1411 * from it in some places. For example, our implementation of
1412 * the update functionality through mbedtls_ssl_read_record
1413 * discards datagrams depending on the current state, which
1414 * wouldn't fall under the record layer's responsibility
1415 * following the above definition.
1416 *
1417 */
1418 MBEDTLS_CHECK_RETURN_CRITICAL
1419 int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
1420 unsigned update_hs_digest);
1421 MBEDTLS_CHECK_RETURN_CRITICAL
1422 int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
1423
1424 /*
1425 * Write handshake message header
1426 */
1427 MBEDTLS_CHECK_RETURN_CRITICAL
1428 int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned hs_type,
1429 unsigned char **buf, size_t *buf_len);
1430
1431 MBEDTLS_CHECK_RETURN_CRITICAL
1432 int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
1433 int update_checksum,
1434 int force_flush);
mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context * ssl)1435 static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
1436 {
1437 return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */);
1438 }
1439
1440 /*
1441 * Write handshake message tail
1442 */
1443 MBEDTLS_CHECK_RETURN_CRITICAL
1444 int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl,
1445 size_t buf_len, size_t msg_len);
1446
1447 MBEDTLS_CHECK_RETURN_CRITICAL
1448 int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush);
1449 MBEDTLS_CHECK_RETURN_CRITICAL
1450 int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
1451
1452 MBEDTLS_CHECK_RETURN_CRITICAL
1453 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
1454 MBEDTLS_CHECK_RETURN_CRITICAL
1455 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
1456
1457 MBEDTLS_CHECK_RETURN_CRITICAL
1458 int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
1459 MBEDTLS_CHECK_RETURN_CRITICAL
1460 int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
1461
1462 MBEDTLS_CHECK_RETURN_CRITICAL
1463 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
1464 MBEDTLS_CHECK_RETURN_CRITICAL
1465 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
1466
1467 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
1468 const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
1469
1470 /*
1471 * Update checksum of handshake messages.
1472 */
1473 MBEDTLS_CHECK_RETURN_CRITICAL
1474 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
1475 unsigned hs_type,
1476 unsigned char const *msg,
1477 size_t msg_len);
1478
1479 MBEDTLS_CHECK_RETURN_CRITICAL
1480 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
1481 unsigned hs_type,
1482 size_t total_hs_len);
1483
1484 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1485 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
1486 MBEDTLS_CHECK_RETURN_CRITICAL
1487 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl,
1488 mbedtls_key_exchange_type_t key_ex);
1489 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
1490 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1491
1492 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
1493 #if defined(MBEDTLS_SSL_CLI_C)
1494 MBEDTLS_CHECK_RETURN_CRITICAL
1495 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
1496 #endif
1497 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1498 /**
1499 * Get the first defined opaque PSK by order of precedence:
1500 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1501 * callback
1502 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1503 * Return an opaque PSK
1504 */
mbedtls_ssl_get_opaque_psk(const mbedtls_ssl_context * ssl)1505 static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
1506 const mbedtls_ssl_context *ssl)
1507 {
1508 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
1509 return ssl->handshake->psk_opaque;
1510 }
1511
1512 if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
1513 return ssl->conf->psk_opaque;
1514 }
1515
1516 return MBEDTLS_SVC_KEY_ID_INIT;
1517 }
1518 #else
1519
1520 /**
1521 * Get the first defined PSK by order of precedence:
1522 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1523 * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1524 * Return a code and update the pair (PSK, PSK length) passed to this function
1525 */
mbedtls_ssl_get_psk(const mbedtls_ssl_context * ssl,const unsigned char ** psk,size_t * psk_len)1526 static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
1527 const unsigned char **psk, size_t *psk_len)
1528 {
1529 if (ssl->MBEDTLS_PRIVATE(handshake)->psk != NULL && ssl->MBEDTLS_PRIVATE(handshake)->psk_len > 0)
1530 {
1531 *psk = ssl->MBEDTLS_PRIVATE(handshake)->psk;
1532 *psk_len = ssl->MBEDTLS_PRIVATE(handshake)->psk_len;
1533 } else if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(psk) != NULL &&
1534 ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(psk_len) > 0) {
1535 *psk = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(psk);
1536 *psk_len = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(psk_len);
1537 } else {
1538 *psk = NULL;
1539 *psk_len = 0;
1540 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
1541 }
1542
1543 return 0;
1544 }
1545 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1546
1547 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
1548
1549 #if defined(MBEDTLS_PK_C)
1550 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
1551 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
1552 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
1553 #endif
1554
1555 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
1556 unsigned char mbedtls_ssl_hash_from_md_alg(int md);
1557
1558 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1559 MBEDTLS_CHECK_RETURN_CRITICAL
1560 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
1561 #endif
1562
1563 MBEDTLS_CHECK_RETURN_CRITICAL
1564 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
1565
1566 #if defined(MBEDTLS_ECP_C)
1567 MBEDTLS_CHECK_RETURN_CRITICAL
1568 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
1569 #endif
1570
1571 /**
1572 * \brief Return PSA EC info for the specified TLS ID.
1573 *
1574 * \param tls_id The TLS ID to look for
1575 * \param family If the TLD ID is supported, then proper \c psa_ecc_family_t
1576 * value is returned here. Can be NULL.
1577 * \param bits If the TLD ID is supported, then proper bit size is returned
1578 * here. Can be NULL.
1579 * \return PSA_SUCCESS if the TLS ID is supported,
1580 * PSA_ERROR_NOT_SUPPORTED otherwise
1581 *
1582 * \note If either \c family or \c bits parameters are NULL, then
1583 * the corresponding value is not returned.
1584 * The function can be called with both parameters as NULL
1585 * simply to check if a specific TLS ID is supported.
1586 */
1587 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
1588 psa_ecc_family_t *family,
1589 size_t *bits);
1590
1591 /**
1592 * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID.
1593 *
1594 * \param tls_id The TLS ID to look for
1595 * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported,
1596 * or MBEDTLS_ECP_DP_NONE otherwise
1597 */
1598 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id);
1599
1600 /**
1601 * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id.
1602 *
1603 * \param grp_id The \c mbedtls_ecp_group_id ID to look for
1604 * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported,
1605 * or 0 otherwise
1606 */
1607 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id);
1608
1609 #if defined(MBEDTLS_DEBUG_C)
1610 /**
1611 * \brief Return EC's name for the specified TLS ID.
1612 *
1613 * \param tls_id The TLS ID to look for
1614 * \return A pointer to a const string with the proper name. If TLS
1615 * ID is not supported, a NULL pointer is returned instead.
1616 */
1617 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id);
1618 #endif
1619
1620 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_check_srtp_profile_value(const uint16_t srtp_profile_value)1621 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1622 (const uint16_t srtp_profile_value)
1623 {
1624 switch (srtp_profile_value) {
1625 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
1626 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
1627 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
1628 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
1629 return srtp_profile_value;
1630 default: break;
1631 }
1632 return MBEDTLS_TLS_SRTP_UNSET;
1633 }
1634 #endif
1635
1636 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)1637 static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
1638 {
1639 mbedtls_ssl_key_cert *key_cert;
1640
1641 if (ssl->MBEDTLS_PRIVATE(handshake) != NULL && ssl->MBEDTLS_PRIVATE(handshake)->key_cert != NULL) {
1642 key_cert = ssl->MBEDTLS_PRIVATE(handshake)->key_cert;
1643 } else {
1644 key_cert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
1645 }
1646
1647 return key_cert == NULL ? NULL : key_cert->key;
1648 }
1649
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)1650 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
1651 {
1652 mbedtls_ssl_key_cert *key_cert;
1653
1654 if (ssl->MBEDTLS_PRIVATE(handshake) != NULL && ssl->MBEDTLS_PRIVATE(handshake)->key_cert != NULL) {
1655 key_cert = ssl->MBEDTLS_PRIVATE(handshake)->key_cert;
1656 } else {
1657 key_cert = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(key_cert);
1658 }
1659
1660 return key_cert == NULL ? NULL : key_cert->cert;
1661 }
1662
1663 /*
1664 * Check usage of a certificate wrt extensions:
1665 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1666 *
1667 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1668 * check a cert we received from them)!
1669 *
1670 * Return 0 if everything is OK, -1 if not.
1671 */
1672 MBEDTLS_CHECK_RETURN_CRITICAL
1673 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
1674 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1675 int cert_endpoint,
1676 uint32_t *flags);
1677 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1678
1679 void mbedtls_ssl_write_version(unsigned char version[2], int transport,
1680 mbedtls_ssl_protocol_version tls_version);
1681 uint16_t mbedtls_ssl_read_version(const unsigned char version[2],
1682 int transport);
1683
mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context * ssl)1684 static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl)
1685 {
1686 #if !defined(MBEDTLS_SSL_PROTO_DTLS)
1687 ((void) ssl);
1688 #endif
1689
1690 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1691 if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(transport) == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1692 return 13;
1693 } else
1694 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1695 {
1696 return 5;
1697 }
1698 }
1699
mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context * ssl)1700 static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl)
1701 {
1702 return (size_t) (ssl->MBEDTLS_PRIVATE(out_iv) - ssl->MBEDTLS_PRIVATE(out_hdr));
1703 }
1704
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)1705 static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
1706 {
1707 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1708 if(ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(transport) == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1709 return 12;
1710 }
1711 #else
1712 ((void) ssl);
1713 #endif
1714 return 4;
1715 }
1716
1717 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1718 void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
1719 void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
1720 MBEDTLS_CHECK_RETURN_CRITICAL
1721 int mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
1722 MBEDTLS_CHECK_RETURN_CRITICAL
1723 int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
1724 #endif
1725
1726 /* Visible for testing purposes only */
1727 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1728 MBEDTLS_CHECK_RETURN_CRITICAL
1729 int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
1730 void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
1731 #endif
1732
1733 MBEDTLS_CHECK_RETURN_CRITICAL
1734 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
1735 const mbedtls_ssl_session *src);
1736
1737 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1738 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
1739 MBEDTLS_CHECK_RETURN_CRITICAL
1740 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
1741 unsigned char *hash, size_t *hashlen,
1742 unsigned char *data, size_t data_len,
1743 mbedtls_md_type_t md_alg);
1744 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1745
1746 #ifdef __cplusplus
1747 }
1748 #endif
1749
1750 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
1751 MBEDTLS_CHECK_RETURN_CRITICAL
1752 int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
1753 mbedtls_ssl_transform *transform,
1754 mbedtls_record *rec,
1755 int (*f_rng)(void *, unsigned char *, size_t),
1756 void *p_rng);
1757 MBEDTLS_CHECK_RETURN_CRITICAL
1758 int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
1759 mbedtls_ssl_transform *transform,
1760 mbedtls_record *rec);
1761
1762 /* Length of the "epoch" field in the record header */
mbedtls_ssl_ep_len(const mbedtls_ssl_context * ssl)1763 static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl)
1764 {
1765 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1766 if (ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(transport) == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1767 return 2;
1768 }
1769 #else
1770 ((void) ssl);
1771 #endif
1772 return 0;
1773 }
1774
1775 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1776 MBEDTLS_CHECK_RETURN_CRITICAL
1777 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
1778 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1779
1780 void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
1781 MBEDTLS_CHECK_RETURN_CRITICAL
1782 int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
1783
1784 void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
1785 void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
1786 mbedtls_ssl_transform *transform);
1787 void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
1788
1789 MBEDTLS_CHECK_RETURN_CRITICAL
1790 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
1791 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1792 int partial);
1793
1794 /*
1795 * Send pending alert
1796 */
1797 MBEDTLS_CHECK_RETURN_CRITICAL
1798 int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl);
1799
1800 /*
1801 * Set pending fatal alert flag.
1802 */
1803 void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl,
1804 unsigned char alert_type,
1805 int alert_reason);
1806
1807 /* Alias of mbedtls_ssl_pend_fatal_alert */
1808 #define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \
1809 mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value)
1810
1811 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1812 void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
1813 #endif
1814
1815 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
1816
1817 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1818 MBEDTLS_CHECK_RETURN_CRITICAL
1819 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
1820 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1821
1822 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1823 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
1824 void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
1825 void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
1826 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1827
1828 /**
1829 * ssl utils functions for checking configuration.
1830 */
1831
1832 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config * conf)1833 static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf)
1834 {
1835 return conf->MBEDTLS_PRIVATE(min_tls_version) == MBEDTLS_SSL_VERSION_TLS1_3 &&
1836 conf->MBEDTLS_PRIVATE(max_tls_version) == MBEDTLS_SSL_VERSION_TLS1_3;
1837 }
1838 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1839
1840 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config * conf)1841 static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf)
1842 {
1843 return conf->MBEDTLS_PRIVATE(min_tls_version) == MBEDTLS_SSL_VERSION_TLS1_2 &&
1844 conf->MBEDTLS_PRIVATE(max_tls_version) == MBEDTLS_SSL_VERSION_TLS1_2;
1845 }
1846 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1847
mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config * conf)1848 static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf)
1849 {
1850 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1851 return conf->MBEDTLS_PRIVATE(min_tls_version) <= MBEDTLS_SSL_VERSION_TLS1_3 &&
1852 conf->MBEDTLS_PRIVATE(max_tls_version) >= MBEDTLS_SSL_VERSION_TLS1_3;
1853 #else
1854 ((void) conf);
1855 return 0;
1856 #endif
1857 }
1858
mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config * conf)1859 static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf)
1860 {
1861 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1862 return conf->MBEDTLS_PRIVATE(min_tls_version) <= MBEDTLS_SSL_VERSION_TLS1_2 &&
1863 conf->MBEDTLS_PRIVATE(max_tls_version) >= MBEDTLS_SSL_VERSION_TLS1_2;
1864 #else
1865 ((void) conf);
1866 return 0;
1867 #endif
1868 }
1869
1870 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config * conf)1871 static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf)
1872 {
1873 return conf->MBEDTLS_PRIVATE(min_tls_version) == MBEDTLS_SSL_VERSION_TLS1_2 &&
1874 conf->MBEDTLS_PRIVATE(max_tls_version) == MBEDTLS_SSL_VERSION_TLS1_3;
1875 }
1876 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
1877
1878 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1879 extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
1880 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
1881 MBEDTLS_CHECK_RETURN_CRITICAL
1882 int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl);
1883 MBEDTLS_CHECK_RETURN_CRITICAL
1884 int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl);
1885 void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl);
1886
1887 /**
1888 * \brief Given an SSL context and its associated configuration, write the TLS
1889 * 1.3 specific extensions of the ClientHello message.
1890 *
1891 * \param[in] ssl SSL context
1892 * \param[in] buf Base address of the buffer where to write the extensions
1893 * \param[in] end End address of the buffer where to write the extensions
1894 * \param[out] out_len Length of the data written into the buffer \p buf
1895 */
1896 MBEDTLS_CHECK_RETURN_CRITICAL
1897 int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
1898 unsigned char *buf,
1899 unsigned char *end,
1900 size_t *out_len);
1901
1902 /**
1903 * \brief TLS 1.3 client side state machine entry
1904 *
1905 * \param ssl SSL context
1906 */
1907 MBEDTLS_CHECK_RETURN_CRITICAL
1908 int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl);
1909
1910 /**
1911 * \brief TLS 1.3 server side state machine entry
1912 *
1913 * \param ssl SSL context
1914 */
1915 MBEDTLS_CHECK_RETURN_CRITICAL
1916 int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl);
1917
1918
1919 /*
1920 * Helper functions around key exchange modes.
1921 */
mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context * ssl,int kex_mode_mask)1922 static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context *ssl,
1923 int kex_mode_mask)
1924 {
1925 return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
1926 }
1927
mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context * ssl)1928 static inline int mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context *ssl)
1929 {
1930 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
1931 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
1932 }
1933
mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1934 static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
1935 {
1936 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
1937 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
1938 }
1939
mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context * ssl)1940 static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl)
1941 {
1942 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
1943 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
1944 }
1945
mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1946 static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
1947 {
1948 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
1949 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
1950 }
1951
mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context * ssl)1952 static inline int mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context *ssl)
1953 {
1954 return mbedtls_ssl_conf_tls13_check_kex_modes(ssl,
1955 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
1956 }
1957
1958 #if defined(MBEDTLS_SSL_SRV_C) && \
1959 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1960 /**
1961 * Given a list of key exchange modes, check if at least one of them is
1962 * supported.
1963 *
1964 * \param[in] ssl SSL context
1965 * \param kex_modes_mask Mask of the key exchange modes to check
1966 *
1967 * \return 0 if at least one of the key exchange modes is supported,
1968 * !=0 otherwise.
1969 */
mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context * ssl,int kex_modes_mask)1970 static inline unsigned mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context *ssl,
1971 int kex_modes_mask)
1972 {
1973 return (ssl->handshake->tls13_kex_modes & kex_modes_mask) == 0;
1974 }
1975
mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context * ssl)1976 static inline int mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context *ssl)
1977 {
1978 return !mbedtls_ssl_tls13_check_kex_modes(ssl,
1979 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
1980 }
1981
mbedtls_ssl_tls13_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1982 static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled(
1983 mbedtls_ssl_context *ssl)
1984 {
1985 return !mbedtls_ssl_tls13_check_kex_modes(ssl,
1986 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
1987 }
1988
mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context * ssl)1989 static inline int mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl)
1990 {
1991 return !mbedtls_ssl_tls13_check_kex_modes(ssl,
1992 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
1993 }
1994
mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1995 static inline int mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
1996 {
1997 return !mbedtls_ssl_tls13_check_kex_modes(ssl,
1998 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
1999 }
2000
mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context * ssl)2001 static inline int mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context *ssl)
2002 {
2003 return !mbedtls_ssl_tls13_check_kex_modes(ssl,
2004 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
2005 }
2006 #endif /* MBEDTLS_SSL_SRV_C &&
2007 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
2008
2009 /*
2010 * Helper functions for extensions checking.
2011 */
2012
2013 MBEDTLS_CHECK_RETURN_CRITICAL
2014 int mbedtls_ssl_tls13_check_received_extension(
2015 mbedtls_ssl_context *ssl,
2016 int hs_msg_type,
2017 unsigned int received_extension_type,
2018 uint32_t hs_msg_allowed_extensions_mask);
2019
mbedtls_ssl_tls13_set_hs_sent_ext_mask(mbedtls_ssl_context * ssl,unsigned int extension_type)2020 static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
2021 mbedtls_ssl_context *ssl, unsigned int extension_type)
2022 {
2023 ssl->handshake->sent_extensions |=
2024 mbedtls_ssl_get_extension_mask(extension_type);
2025 }
2026
2027 /*
2028 * Helper functions to check the selected key exchange mode.
2029 */
mbedtls_ssl_tls13_key_exchange_mode_check(mbedtls_ssl_context * ssl,int kex_mask)2030 static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
2031 mbedtls_ssl_context *ssl, int kex_mask)
2032 {
2033 return (ssl->handshake->key_exchange_mode & kex_mask) != 0;
2034 }
2035
mbedtls_ssl_tls13_key_exchange_mode_with_psk(mbedtls_ssl_context * ssl)2036 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
2037 mbedtls_ssl_context *ssl)
2038 {
2039 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
2040 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
2041 }
2042
mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(mbedtls_ssl_context * ssl)2043 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
2044 mbedtls_ssl_context *ssl)
2045 {
2046 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
2047 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
2048 }
2049
2050 /*
2051 * Fetch TLS 1.3 handshake message header
2052 */
2053 MBEDTLS_CHECK_RETURN_CRITICAL
2054 int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
2055 unsigned hs_type,
2056 unsigned char **buf,
2057 size_t *buf_len);
2058
2059 /*
2060 * Handler of TLS 1.3 server certificate message
2061 */
2062 MBEDTLS_CHECK_RETURN_CRITICAL
2063 int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl);
2064
2065 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2066 /*
2067 * Handler of TLS 1.3 write Certificate message
2068 */
2069 MBEDTLS_CHECK_RETURN_CRITICAL
2070 int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl);
2071
2072 /*
2073 * Handler of TLS 1.3 write Certificate Verify message
2074 */
2075 MBEDTLS_CHECK_RETURN_CRITICAL
2076 int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl);
2077
2078 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2079
2080 /*
2081 * Generic handler of Certificate Verify
2082 */
2083 MBEDTLS_CHECK_RETURN_CRITICAL
2084 int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl);
2085
2086 /*
2087 * Write of dummy-CCS's for middlebox compatibility
2088 */
2089 MBEDTLS_CHECK_RETURN_CRITICAL
2090 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl);
2091
2092 MBEDTLS_CHECK_RETURN_CRITICAL
2093 int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl);
2094
2095 #if defined(MBEDTLS_ECDH_C)
2096 MBEDTLS_CHECK_RETURN_CRITICAL
2097 int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
2098 mbedtls_ssl_context *ssl,
2099 uint16_t named_group,
2100 unsigned char *buf,
2101 unsigned char *end,
2102 size_t *out_len);
2103 #endif /* MBEDTLS_ECDH_C */
2104
2105 #if defined(MBEDTLS_SSL_EARLY_DATA)
2106 int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
2107 unsigned char *buf,
2108 const unsigned char *end,
2109 size_t *out_len);
2110 #endif /* MBEDTLS_SSL_EARLY_DATA */
2111
2112 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2113
2114 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2115 /*
2116 * Write Signature Algorithm extension
2117 */
2118 MBEDTLS_CHECK_RETURN_CRITICAL
2119 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
2120 const unsigned char *end, size_t *out_len);
2121 /*
2122 * Parse TLS Signature Algorithm extension
2123 */
2124 MBEDTLS_CHECK_RETURN_CRITICAL
2125 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
2126 const unsigned char *buf,
2127 const unsigned char *end);
2128 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2129
2130 /* Get handshake transcript */
2131 MBEDTLS_CHECK_RETURN_CRITICAL
2132 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
2133 const mbedtls_md_type_t md,
2134 unsigned char *dst,
2135 size_t dst_len,
2136 size_t *olen);
2137
2138 /*
2139 * Return supported groups.
2140 *
2141 * In future, invocations can be changed to ssl->conf->group_list
2142 * when mbedtls_ssl_conf_curves() is deleted.
2143 *
2144 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
2145 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
2146 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
2147 *
2148 */
mbedtls_ssl_get_groups(const mbedtls_ssl_context * ssl)2149 static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl)
2150 {
2151 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
2152 return ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(group_list);
2153 #else
2154 if ((ssl->MBEDTLS_PRIVATE(handshake) != NULL) && (ssl->MBEDTLS_PRIVATE(handshake)->group_list != NULL)) {
2155 return ssl->MBEDTLS_PRIVATE(handshake)->group_list;
2156 } else {
2157 return ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(group_list);
2158 }
2159 #endif
2160 }
2161
2162 /*
2163 * Helper functions for NamedGroup.
2164 */
mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)2165 static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)
2166 {
2167 /*
2168 * RFC 8422 section 5.1.1
2169 */
2170 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2171 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 ||
2172 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 ||
2173 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
2174 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
2175 /* Below deprecated curves should be removed with notice to users */
2176 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
2177 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
2178 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
2179 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
2180 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
2181 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2182 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2183 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1;
2184 }
2185
mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)2186 static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)
2187 {
2188 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2189 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2190 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2191 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
2192 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448;
2193 }
2194
mbedtls_ssl_tls13_named_group_is_dhe(uint16_t named_group)2195 static inline int mbedtls_ssl_tls13_named_group_is_dhe(uint16_t named_group)
2196 {
2197 return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
2198 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192;
2199 }
2200
mbedtls_ssl_named_group_is_offered(const mbedtls_ssl_context * ssl,uint16_t named_group)2201 static inline int mbedtls_ssl_named_group_is_offered(
2202 const mbedtls_ssl_context *ssl, uint16_t named_group)
2203 {
2204 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
2205
2206 if (group_list == NULL) {
2207 return 0;
2208 }
2209
2210 for (; *group_list != 0; group_list++) {
2211 if (*group_list == named_group) {
2212 return 1;
2213 }
2214 }
2215
2216 return 0;
2217 }
2218
mbedtls_ssl_named_group_is_supported(uint16_t named_group)2219 static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
2220 {
2221 #if defined(MBEDTLS_ECDH_C)
2222 if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
2223 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) !=
2224 MBEDTLS_ECP_DP_NONE) {
2225 return 1;
2226 }
2227 }
2228 #else
2229 ((void) named_group);
2230 #endif /* MBEDTLS_ECDH_C */
2231 return 0;
2232 }
2233
2234 /*
2235 * Return supported signature algorithms.
2236 *
2237 * In future, invocations can be changed to ssl->conf->sig_algs when
2238 * mbedtls_ssl_conf_sig_hashes() is deleted.
2239 *
2240 * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
2241 * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
2242 * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
2243 * been more recently invoked.
2244 *
2245 */
mbedtls_ssl_get_sig_algs(const mbedtls_ssl_context * ssl)2246 static inline const void *mbedtls_ssl_get_sig_algs(
2247 const mbedtls_ssl_context *ssl)
2248 {
2249 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2250
2251 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2252 if (ssl->MBEDTLS_PRIVATE(handshake) != NULL &&
2253 ssl->MBEDTLS_PRIVATE(handshake)->sig_algs_heap_allocated == 1 &&
2254 ssl->MBEDTLS_PRIVATE(handshake)->sig_algs != NULL) {
2255 return ssl->MBEDTLS_PRIVATE(handshake)->sig_algs;
2256 }
2257 #endif
2258 return ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(sig_algs);
2259
2260 #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2261
2262 ((void) ssl);
2263 return NULL;
2264 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2265 }
2266
2267 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context * ssl,uint16_t own_sig_alg)2268 static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl,
2269 uint16_t own_sig_alg)
2270 {
2271 const uint16_t *sig_alg = ssl->MBEDTLS_PRIVATE(handshake)->MBEDTLS_PRIVATE(received_sig_algs);
2272 if (sig_alg == NULL) {
2273 return 0;
2274 }
2275
2276 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2277 if (*sig_alg == own_sig_alg) {
2278 return 1;
2279 }
2280 }
2281 return 0;
2282 }
2283
mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(const uint16_t sig_alg)2284 static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2285 const uint16_t sig_alg)
2286 {
2287 switch (sig_alg) {
2288 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
2289 #if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
2290 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
2291 break;
2292 #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
2293 #if defined(PSA_WANT_ALG_SHA_384) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
2294 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
2295 break;
2296 #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
2297 #if defined(PSA_WANT_ALG_SHA_512) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
2298 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
2299 break;
2300 #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
2301 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
2302
2303 #if defined(MBEDTLS_PKCS1_V21)
2304 #if defined(PSA_WANT_ALG_SHA_256)
2305 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2306 break;
2307 #endif /* PSA_WANT_ALG_SHA_256 */
2308 #if defined(PSA_WANT_ALG_SHA_384)
2309 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2310 break;
2311 #endif /* PSA_WANT_ALG_SHA_384 */
2312 #if defined(PSA_WANT_ALG_SHA_512)
2313 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2314 break;
2315 #endif /* PSA_WANT_ALG_SHA_512 */
2316 #endif /* MBEDTLS_PKCS1_V21 */
2317 default:
2318 return 0;
2319 }
2320 return 1;
2321
2322 }
2323
mbedtls_ssl_tls13_sig_alg_is_supported(const uint16_t sig_alg)2324 static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
2325 const uint16_t sig_alg)
2326 {
2327 switch (sig_alg) {
2328 #if defined(MBEDTLS_PKCS1_V15)
2329 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2330 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
2331 break;
2332 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2333 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2334 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
2335 break;
2336 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2337 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2338 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
2339 break;
2340 #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2341 #endif /* MBEDTLS_PKCS1_V15 */
2342 default:
2343 return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2344 sig_alg);
2345 }
2346 return 1;
2347 }
2348
2349 MBEDTLS_CHECK_RETURN_CRITICAL
2350 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
2351 mbedtls_pk_context *key);
2352 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2353
2354 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context * ssl,uint16_t proposed_sig_alg)2355 static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl,
2356 uint16_t proposed_sig_alg)
2357 {
2358 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2359 if (sig_alg == NULL) {
2360 return 0;
2361 }
2362
2363 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2364 if (*sig_alg == proposed_sig_alg) {
2365 return 1;
2366 }
2367 }
2368 return 0;
2369 }
2370
mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(uint16_t sig_alg,mbedtls_pk_type_t * pk_type,mbedtls_md_type_t * md_alg)2371 static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2372 uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg)
2373 {
2374 *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff);
2375 *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff);
2376
2377 if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) {
2378 return 0;
2379 }
2380
2381 switch (sig_alg) {
2382 #if defined(MBEDTLS_PKCS1_V21)
2383 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2384 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2385 *md_alg = MBEDTLS_MD_SHA256;
2386 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2387 break;
2388 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2389 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2390 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2391 *md_alg = MBEDTLS_MD_SHA384;
2392 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2393 break;
2394 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2395 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2396 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2397 *md_alg = MBEDTLS_MD_SHA512;
2398 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2399 break;
2400 #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2401 #endif /* MBEDTLS_PKCS1_V21 */
2402 default:
2403 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2404 }
2405 return 0;
2406 }
2407
2408 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_tls12_sig_alg_is_supported(const uint16_t sig_alg)2409 static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
2410 const uint16_t sig_alg)
2411 {
2412 /* High byte is hash */
2413 unsigned char hash = MBEDTLS_BYTE_1(sig_alg);
2414 unsigned char sig = MBEDTLS_BYTE_0(sig_alg);
2415
2416 switch (hash) {
2417 #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2418 case MBEDTLS_SSL_HASH_MD5:
2419 break;
2420 #endif
2421
2422 #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2423 case MBEDTLS_SSL_HASH_SHA1:
2424 break;
2425 #endif
2426
2427 #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2428 case MBEDTLS_SSL_HASH_SHA224:
2429 break;
2430 #endif
2431
2432 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2433 case MBEDTLS_SSL_HASH_SHA256:
2434 break;
2435 #endif
2436
2437 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2438 case MBEDTLS_SSL_HASH_SHA384:
2439 break;
2440 #endif
2441
2442 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2443 case MBEDTLS_SSL_HASH_SHA512:
2444 break;
2445 #endif
2446
2447 default:
2448 return 0;
2449 }
2450
2451 switch (sig) {
2452 #if defined(MBEDTLS_RSA_C)
2453 case MBEDTLS_SSL_SIG_RSA:
2454 break;
2455 #endif
2456
2457 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
2458 case MBEDTLS_SSL_SIG_ECDSA:
2459 break;
2460 #endif
2461
2462 default:
2463 return 0;
2464 }
2465
2466 return 1;
2467 }
2468 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2469
mbedtls_ssl_sig_alg_is_supported(const mbedtls_ssl_context * ssl,const uint16_t sig_alg)2470 static inline int mbedtls_ssl_sig_alg_is_supported(
2471 const mbedtls_ssl_context *ssl,
2472 const uint16_t sig_alg)
2473 {
2474
2475 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2476 if (ssl->MBEDTLS_PRIVATE(tls_version) == MBEDTLS_SSL_VERSION_TLS1_2) {
2477 return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg);
2478 }
2479 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2480
2481 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2482 if (ssl->MBEDTLS_PRIVATE(tls_version) == MBEDTLS_SSL_VERSION_TLS1_3) {
2483 return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg);
2484 }
2485 #endif
2486 ((void) ssl);
2487 ((void) sig_alg);
2488 return 0;
2489 }
2490 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2491
2492 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2493 /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
2494 * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
2495 * guaranteed to not be a valid PSA algorithm identifier.
2496 */
2497 #define MBEDTLS_SSL_NULL_CIPHER 0x04000000
2498
2499 /**
2500 * \brief Translate mbedtls cipher type/taglen pair to psa:
2501 * algorithm, key type and key size.
2502 *
2503 * \param mbedtls_cipher_type [in] given mbedtls cipher type
2504 * \param taglen [in] given tag length
2505 * 0 - default tag length
2506 * \param alg [out] corresponding PSA alg
2507 * There is no corresponding PSA
2508 * alg for MBEDTLS_CIPHER_NULL, so
2509 * in this case MBEDTLS_SSL_NULL_CIPHER
2510 * is returned via this parameter
2511 * \param key_type [out] corresponding PSA key type
2512 * \param key_size [out] corresponding PSA key size
2513 *
2514 * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
2515 * conversion is not supported.
2516 */
2517 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2518 size_t taglen,
2519 psa_algorithm_t *alg,
2520 psa_key_type_t *key_type,
2521 size_t *key_size);
2522
2523 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2524 /**
2525 * \brief Convert given PSA status to mbedtls error code.
2526 *
2527 * \param status [in] given PSA status
2528 *
2529 * \return corresponding mbedtls error code
2530 */
psa_ssl_status_to_mbedtls(psa_status_t status)2531 static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status)
2532 {
2533 switch (status) {
2534 case PSA_SUCCESS:
2535 return 0;
2536 case PSA_ERROR_INSUFFICIENT_MEMORY:
2537 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2538 case PSA_ERROR_NOT_SUPPORTED:
2539 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2540 case PSA_ERROR_INVALID_SIGNATURE:
2541 return MBEDTLS_ERR_SSL_INVALID_MAC;
2542 case PSA_ERROR_INVALID_ARGUMENT:
2543 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2544 case PSA_ERROR_BAD_STATE:
2545 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2546 case PSA_ERROR_BUFFER_TOO_SMALL:
2547 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
2548 default:
2549 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
2550 }
2551 }
2552 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
2553 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2554
2555 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
2556 defined(MBEDTLS_USE_PSA_CRYPTO)
2557
2558 typedef enum {
2559 MBEDTLS_ECJPAKE_ROUND_ONE,
2560 MBEDTLS_ECJPAKE_ROUND_TWO
2561 } mbedtls_ecjpake_rounds_t;
2562
2563 /**
2564 * \brief Parse the provided input buffer for getting the first round
2565 * of key exchange. This code is common between server and client
2566 *
2567 * \param pake_ctx [in] the PAKE's operation/context structure
2568 * \param buf [in] input buffer to parse
2569 * \param len [in] length of the input buffer
2570 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2571 * MBEDTLS_ECJPAKE_ROUND_TWO
2572 *
2573 * \return 0 on success or a negative error code in case of failure
2574 */
2575 int mbedtls_psa_ecjpake_read_round(
2576 psa_pake_operation_t *pake_ctx,
2577 const unsigned char *buf,
2578 size_t len, mbedtls_ecjpake_rounds_t round);
2579
2580 /**
2581 * \brief Write the first round of key exchange into the provided output
2582 * buffer. This code is common between server and client
2583 *
2584 * \param pake_ctx [in] the PAKE's operation/context structure
2585 * \param buf [out] the output buffer in which data will be written to
2586 * \param len [in] length of the output buffer
2587 * \param olen [out] the length of the data really written on the buffer
2588 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2589 * MBEDTLS_ECJPAKE_ROUND_TWO
2590 *
2591 * \return 0 on success or a negative error code in case of failure
2592 */
2593 int mbedtls_psa_ecjpake_write_round(
2594 psa_pake_operation_t *pake_ctx,
2595 unsigned char *buf,
2596 size_t len, size_t *olen,
2597 mbedtls_ecjpake_rounds_t round);
2598
2599 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
2600
2601 /**
2602 * \brief TLS record protection modes
2603 */
2604 typedef enum {
2605 MBEDTLS_SSL_MODE_STREAM = 0,
2606 MBEDTLS_SSL_MODE_CBC,
2607 MBEDTLS_SSL_MODE_CBC_ETM,
2608 MBEDTLS_SSL_MODE_AEAD
2609 } mbedtls_ssl_mode_t;
2610
2611 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2612 const mbedtls_ssl_transform *transform);
2613
2614 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2615 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2616 int encrypt_then_mac,
2617 const mbedtls_ssl_ciphersuite_t *suite);
2618 #else
2619 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2620 const mbedtls_ssl_ciphersuite_t *suite);
2621 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2622
2623 #if defined(MBEDTLS_ECDH_C)
2624
2625 MBEDTLS_CHECK_RETURN_CRITICAL
2626 int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl,
2627 const unsigned char *buf,
2628 size_t buf_len);
2629
2630 #endif /* MBEDTLS_ECDH_C */
2631
mbedtls_ssl_tls13_cipher_suite_is_offered(mbedtls_ssl_context * ssl,int cipher_suite)2632 static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
2633 mbedtls_ssl_context *ssl, int cipher_suite)
2634 {
2635 const int *ciphersuite_list = ssl->MBEDTLS_PRIVATE(conf)->MBEDTLS_PRIVATE(ciphersuite_list);
2636
2637 /* Check whether we have offered this ciphersuite */
2638 for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
2639 if (ciphersuite_list[i] == cipher_suite) {
2640 return 1;
2641 }
2642 }
2643 return 0;
2644 }
2645
2646 /**
2647 * \brief Validate cipher suite against config in SSL context.
2648 *
2649 * \param ssl SSL context
2650 * \param suite_info Cipher suite to validate
2651 * \param min_tls_version Minimal TLS version to accept a cipher suite
2652 * \param max_tls_version Maximal TLS version to accept a cipher suite
2653 *
2654 * \return 0 if valid, negative value otherwise.
2655 */
2656 MBEDTLS_CHECK_RETURN_CRITICAL
2657 int mbedtls_ssl_validate_ciphersuite(
2658 const mbedtls_ssl_context *ssl,
2659 const mbedtls_ssl_ciphersuite_t *suite_info,
2660 mbedtls_ssl_protocol_version min_tls_version,
2661 mbedtls_ssl_protocol_version max_tls_version);
2662
2663 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2664 MBEDTLS_CHECK_RETURN_CRITICAL
2665 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
2666 const unsigned char *buf,
2667 const unsigned char *end);
2668 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2669
2670 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2671 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
2672 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64)
2673
2674 MBEDTLS_CHECK_RETURN_CRITICAL
2675 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
2676 const unsigned char *buf,
2677 const unsigned char *end);
2678 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2679
2680 #if defined(MBEDTLS_SSL_ALPN)
2681 MBEDTLS_CHECK_RETURN_CRITICAL
2682 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
2683 const unsigned char *buf,
2684 const unsigned char *end);
2685
2686
2687 MBEDTLS_CHECK_RETURN_CRITICAL
2688 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
2689 unsigned char *buf,
2690 unsigned char *end,
2691 size_t *out_len);
2692 #endif /* MBEDTLS_SSL_ALPN */
2693
2694 #if defined(MBEDTLS_TEST_HOOKS)
2695 int mbedtls_ssl_check_dtls_clihlo_cookie(
2696 mbedtls_ssl_context *ssl,
2697 const unsigned char *cli_id, size_t cli_id_len,
2698 const unsigned char *in, size_t in_len,
2699 unsigned char *obuf, size_t buf_len, size_t *olen);
2700 #endif
2701
2702 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2703 /**
2704 * \brief Given an SSL context and its associated configuration, write the TLS
2705 * 1.3 specific Pre-Shared key extension.
2706 *
2707 * \param[in] ssl SSL context
2708 * \param[in] buf Base address of the buffer where to write the extension
2709 * \param[in] end End address of the buffer where to write the extension
2710 * \param[out] out_len Length in bytes of the Pre-Shared key extension: data
2711 * written into the buffer \p buf by this function plus
2712 * the length of the binders to be written.
2713 * \param[out] binders_len Length of the binders to be written at the end of
2714 * the extension.
2715 */
2716 MBEDTLS_CHECK_RETURN_CRITICAL
2717 int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
2718 mbedtls_ssl_context *ssl,
2719 unsigned char *buf, unsigned char *end,
2720 size_t *out_len, size_t *binders_len);
2721
2722 /**
2723 * \brief Given an SSL context and its associated configuration, write the TLS
2724 * 1.3 specific Pre-Shared key extension binders at the end of the
2725 * ClientHello.
2726 *
2727 * \param[in] ssl SSL context
2728 * \param[in] buf Base address of the buffer where to write the binders
2729 * \param[in] end End address of the buffer where to write the binders
2730 */
2731 MBEDTLS_CHECK_RETURN_CRITICAL
2732 int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
2733 mbedtls_ssl_context *ssl,
2734 unsigned char *buf, unsigned char *end);
2735 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
2736
2737 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
2738 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
2739 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
2740 defined(MBEDTLS_SSL_CLI_C)
2741 MBEDTLS_CHECK_RETURN_CRITICAL
2742 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
2743 const char *hostname);
2744 #endif
2745
2746 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_session_get_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2747 static inline unsigned int mbedtls_ssl_session_get_ticket_flags(
2748 mbedtls_ssl_session *session, unsigned int flags)
2749 {
2750 return session->ticket_flags &
2751 (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2752 }
2753
mbedtls_ssl_session_set_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2754 static inline void mbedtls_ssl_session_set_ticket_flags(
2755 mbedtls_ssl_session *session, unsigned int flags)
2756 {
2757 session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2758 }
2759
mbedtls_ssl_session_clear_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2760 static inline void mbedtls_ssl_session_clear_ticket_flags(
2761 mbedtls_ssl_session *session, unsigned int flags)
2762 {
2763 session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2764 }
2765 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
2766
2767 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
2768 int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
2769 #endif
2770
2771 #endif /* ssl_misc.h */
2772