1 /**
2 * \file ssl_misc.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6 /*
7 * Copyright The Mbed TLS Contributors
8 * SPDX-License-Identifier: Apache-2.0
9 *
10 * Licensed under the Apache License, Version 2.0 (the "License"); you may
11 * not use this file except in compliance with the License.
12 * You may obtain a copy of the License at
13 *
14 * http://www.apache.org/licenses/LICENSE-2.0
15 *
16 * Unless required by applicable law or agreed to in writing, software
17 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
18 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 * See the License for the specific language governing permissions and
20 * limitations under the License.
21 */
22 #ifndef MBEDTLS_SSL_MISC_H
23 #define MBEDTLS_SSL_MISC_H
24
25 #include "mbedtls/build_info.h"
26
27 #include "mbedtls/ssl.h"
28 #include "mbedtls/cipher.h"
29
30 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
31 #include "psa/crypto.h"
32 #include "mbedtls/psa_util.h"
33 #include "hash_info.h"
34 #endif
35 #include "mbedtls/legacy_or_psa.h"
36
37 #if defined(MBEDTLS_MD5_C)
38 #include "mbedtls/md5.h"
39 #endif
40
41 #if defined(MBEDTLS_SHA1_C)
42 #include "mbedtls/sha1.h"
43 #endif
44
45 #if defined(MBEDTLS_SHA256_C)
46 #include "mbedtls/sha256.h"
47 #endif
48
49 #if defined(MBEDTLS_SHA512_C)
50 #include "mbedtls/sha512.h"
51 #endif
52
53 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
54 !defined(MBEDTLS_USE_PSA_CRYPTO)
55 #include "mbedtls/ecjpake.h"
56 #endif
57
58 #include "common.h"
59
60 /* Shorthand for restartable ECC */
61 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
62 defined(MBEDTLS_SSL_CLI_C) && \
63 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
64 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
65 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
66 #endif
67
68 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
69 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
70 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
71 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
72
73 /* Faked handshake message identity for HelloRetryRequest. */
74 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST ( -MBEDTLS_SSL_HS_SERVER_HELLO )
75
76 /*
77 * Internal identity of handshake extensions
78 */
79 #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0
80 #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1
81 #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1
82 #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2
83 #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3
84 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4
85 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4
86 #define MBEDTLS_SSL_EXT_ID_SIG_ALG 5
87 #define MBEDTLS_SSL_EXT_ID_USE_SRTP 6
88 #define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7
89 #define MBEDTLS_SSL_EXT_ID_ALPN 8
90 #define MBEDTLS_SSL_EXT_ID_SCT 9
91 #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10
92 #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11
93 #define MBEDTLS_SSL_EXT_ID_PADDING 12
94 #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13
95 #define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14
96 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15
97 #define MBEDTLS_SSL_EXT_ID_COOKIE 16
98 #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17
99 #define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18
100 #define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19
101 #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20
102 #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21
103 #define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22
104 #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23
105 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24
106 #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25
107 #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26
108 #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27
109
110 /* Utility for translating IANA extension type. */
111 uint32_t mbedtls_ssl_get_extension_id( unsigned int extension_type );
112 uint32_t mbedtls_ssl_get_extension_mask( unsigned int extension_type );
113 /* Macros used to define mask constants */
114 #define MBEDTLS_SSL_EXT_MASK( id ) ( 1ULL << ( MBEDTLS_SSL_EXT_ID_##id ) )
115 /* Reset value of extension mask */
116 #define MBEDTLS_SSL_EXT_MASK_NONE 0
117
118 /* In messages containing extension requests, we should ignore unrecognized
119 * extensions. In messages containing extension responses, unrecognized
120 * extensions should result in handshake abortion. Messages containing
121 * extension requests include ClientHello, CertificateRequest and
122 * NewSessionTicket. Messages containing extension responses include
123 * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
124 *
125 * RFC 8446 section 4.1.3
126 *
127 * The ServerHello MUST only include extensions which are required to establish
128 * the cryptographic context and negotiate the protocol version.
129 *
130 * RFC 8446 section 4.2
131 *
132 * If an implementation receives an extension which it recognizes and which is
133 * not specified for the message in which it appears, it MUST abort the handshake
134 * with an "illegal_parameter" alert.
135 */
136
137 /* Extensions that are not recognized by TLS 1.3 */
138 #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \
139 ( MBEDTLS_SSL_EXT_MASK( SUPPORTED_POINT_FORMATS ) | \
140 MBEDTLS_SSL_EXT_MASK( ENCRYPT_THEN_MAC ) | \
141 MBEDTLS_SSL_EXT_MASK( EXTENDED_MASTER_SECRET ) | \
142 MBEDTLS_SSL_EXT_MASK( SESSION_TICKET ) | \
143 MBEDTLS_SSL_EXT_MASK( TRUNCATED_HMAC ) | \
144 MBEDTLS_SSL_EXT_MASK( UNRECOGNIZED ) )
145
146 /* RFC 8446 section 4.2. Allowed extensions for ClientHello */
147 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
148 ( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \
149 MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \
150 MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
151 MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \
152 MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \
153 MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \
154 MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \
155 MBEDTLS_SSL_EXT_MASK( ALPN ) | \
156 MBEDTLS_SSL_EXT_MASK( SCT ) | \
157 MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \
158 MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \
159 MBEDTLS_SSL_EXT_MASK( PADDING ) | \
160 MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
161 MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \
162 MBEDTLS_SSL_EXT_MASK( PSK_KEY_EXCHANGE_MODES ) | \
163 MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \
164 MBEDTLS_SSL_EXT_MASK( COOKIE ) | \
165 MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) | \
166 MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \
167 MBEDTLS_SSL_EXT_MASK( POST_HANDSHAKE_AUTH ) | \
168 MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \
169 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED )
170
171 /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
172 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
173 ( MBEDTLS_SSL_EXT_MASK( SERVERNAME ) | \
174 MBEDTLS_SSL_EXT_MASK( MAX_FRAGMENT_LENGTH ) | \
175 MBEDTLS_SSL_EXT_MASK( SUPPORTED_GROUPS ) | \
176 MBEDTLS_SSL_EXT_MASK( USE_SRTP ) | \
177 MBEDTLS_SSL_EXT_MASK( HEARTBEAT ) | \
178 MBEDTLS_SSL_EXT_MASK( ALPN ) | \
179 MBEDTLS_SSL_EXT_MASK( CLI_CERT_TYPE ) | \
180 MBEDTLS_SSL_EXT_MASK( SERV_CERT_TYPE ) | \
181 MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) )
182
183 /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
184 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
185 ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
186 MBEDTLS_SSL_EXT_MASK( SIG_ALG ) | \
187 MBEDTLS_SSL_EXT_MASK( SCT ) | \
188 MBEDTLS_SSL_EXT_MASK( CERT_AUTH ) | \
189 MBEDTLS_SSL_EXT_MASK( OID_FILTERS ) | \
190 MBEDTLS_SSL_EXT_MASK( SIG_ALG_CERT ) | \
191 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED )
192
193 /* RFC 8446 section 4.2. Allowed extensions for Certificate */
194 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
195 ( MBEDTLS_SSL_EXT_MASK( STATUS_REQUEST ) | \
196 MBEDTLS_SSL_EXT_MASK( SCT ) )
197
198 /* RFC 8446 section 4.2. Allowed extensions for ServerHello */
199 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
200 ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
201 MBEDTLS_SSL_EXT_MASK( PRE_SHARED_KEY ) | \
202 MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
203
204 /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
205 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
206 ( MBEDTLS_SSL_EXT_MASK( KEY_SHARE ) | \
207 MBEDTLS_SSL_EXT_MASK( COOKIE ) | \
208 MBEDTLS_SSL_EXT_MASK( SUPPORTED_VERSIONS ) )
209
210 /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
211 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
212 ( MBEDTLS_SSL_EXT_MASK( EARLY_DATA ) | \
213 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED )
214
215 /*
216 * Helper macros for function call with return check.
217 */
218 /*
219 * Exit when return non-zero value
220 */
221 #define MBEDTLS_SSL_PROC_CHK( f ) \
222 do { \
223 ret = ( f ); \
224 if( ret != 0 ) \
225 { \
226 goto cleanup; \
227 } \
228 } while( 0 )
229 /*
230 * Exit when return negative value
231 */
232 #define MBEDTLS_SSL_PROC_CHK_NEG( f ) \
233 do { \
234 ret = ( f ); \
235 if( ret < 0 ) \
236 { \
237 goto cleanup; \
238 } \
239 } while( 0 )
240
241 /*
242 * DTLS retransmission states, see RFC 6347 4.2.4
243 *
244 * The SENDING state is merged in PREPARING for initial sends,
245 * but is distinct for resends.
246 *
247 * Note: initial state is wrong for server, but is not used anyway.
248 */
249 #define MBEDTLS_SSL_RETRANS_PREPARING 0
250 #define MBEDTLS_SSL_RETRANS_SENDING 1
251 #define MBEDTLS_SSL_RETRANS_WAITING 2
252 #define MBEDTLS_SSL_RETRANS_FINISHED 3
253
254 /*
255 * Allow extra bytes for record, authentication and encryption overhead:
256 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
257 */
258
259 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
260
261 /* This macro determines whether CBC is supported. */
262 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \
263 ( defined(MBEDTLS_AES_C) || \
264 defined(MBEDTLS_CAMELLIA_C) || \
265 defined(MBEDTLS_ARIA_C) || \
266 defined(MBEDTLS_DES_C) )
267 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
268 #endif
269
270 /* This macro determines whether a ciphersuite using a
271 * stream cipher can be used. */
272 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
273 #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
274 #endif
275
276 /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
277 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
278 defined(MBEDTLS_SSL_PROTO_TLS1_2)
279 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
280 #endif
281
282 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
283 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
284 #define MBEDTLS_SSL_SOME_SUITES_USE_MAC
285 #endif
286
287 /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
288 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
289 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
290 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
291 #endif
292
293 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
294
295 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
296 /* Ciphersuites using HMAC */
297 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
298 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
299 #elif defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
300 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
301 #else
302 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
303 #endif
304 #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
305 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
306 #define MBEDTLS_SSL_MAC_ADD 16
307 #endif
308
309 #if defined(MBEDTLS_CIPHER_MODE_CBC)
310 #define MBEDTLS_SSL_PADDING_ADD 256
311 #else
312 #define MBEDTLS_SSL_PADDING_ADD 0
313 #endif
314
315 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
316 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
317 #else
318 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
319 #endif
320
321 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_MAX_IV_LENGTH + \
322 MBEDTLS_SSL_MAC_ADD + \
323 MBEDTLS_SSL_PADDING_ADD + \
324 MBEDTLS_SSL_MAX_CID_EXPANSION \
325 )
326
327 #define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
328 ( MBEDTLS_SSL_IN_CONTENT_LEN ) )
329
330 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
331 ( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
332
333 /* The maximum number of buffered handshake messages. */
334 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
335
336 /* Maximum length we can advertise as our max content length for
337 RFC 6066 max_fragment_length extension negotiation purposes
338 (the lesser of both sizes, if they are unequal.)
339 */
340 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
341 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
342 ? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
343 : ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
344 )
345
346 /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
347 #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534
348
349 /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
350 #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2
351
352 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
353 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
354
355 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
356
357 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
358
359 #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
360
361 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
362 #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG( sig, hash ) (( hash << 8 ) | sig)
363 #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
364 #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
365 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
366
367 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
368
369 /*
370 * Check that we obey the standard's message size bounds
371 */
372
373 #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
374 #error "Bad configuration - incoming record content too large."
375 #endif
376
377 #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
378 #error "Bad configuration - outgoing record content too large."
379 #endif
380
381 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
382 #error "Bad configuration - incoming protected record payload too large."
383 #endif
384
385 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
386 #error "Bad configuration - outgoing protected record payload too large."
387 #endif
388
389 /* Calculate buffer sizes */
390
391 /* Note: Even though the TLS record header is only 5 bytes
392 long, we're internally using 8 bytes to store the
393 implicit sequence number. */
394 #define MBEDTLS_SSL_HEADER_LEN 13
395
396 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
397 #define MBEDTLS_SSL_IN_BUFFER_LEN \
398 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
399 #else
400 #define MBEDTLS_SSL_IN_BUFFER_LEN \
401 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) \
402 + ( MBEDTLS_SSL_CID_IN_LEN_MAX ) )
403 #endif
404
405 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
406 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
407 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
408 #else
409 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
410 ( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) \
411 + ( MBEDTLS_SSL_CID_OUT_LEN_MAX ) )
412 #endif
413
414 #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
415 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
416
417 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
418 /**
419 * \brief Return the maximum fragment length (payload, in bytes) for
420 * the output buffer. For the client, this is the configured
421 * value. For the server, it is the minimum of two - the
422 * configured value and the negotiated one.
423 *
424 * \sa mbedtls_ssl_conf_max_frag_len()
425 * \sa mbedtls_ssl_get_max_out_record_payload()
426 *
427 * \param ssl SSL context
428 *
429 * \return Current maximum fragment length for the output buffer.
430 */
431 size_t mbedtls_ssl_get_output_max_frag_len( const mbedtls_ssl_context *ssl );
432
433 /**
434 * \brief Return the maximum fragment length (payload, in bytes) for
435 * the input buffer. This is the negotiated maximum fragment
436 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
437 * If it is not defined either, the value is 2^14. This function
438 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
439 *
440 * \sa mbedtls_ssl_conf_max_frag_len()
441 * \sa mbedtls_ssl_get_max_in_record_payload()
442 *
443 * \param ssl SSL context
444 *
445 * \return Current maximum fragment length for the output buffer.
446 */
447 size_t mbedtls_ssl_get_input_max_frag_len( const mbedtls_ssl_context *ssl );
448 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
449
450 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context * ctx)451 static inline size_t mbedtls_ssl_get_output_buflen( const mbedtls_ssl_context *ctx )
452 {
453 #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
454 return mbedtls_ssl_get_output_max_frag_len( ctx )
455 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
456 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
457 #else
458 return mbedtls_ssl_get_output_max_frag_len( ctx )
459 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
460 #endif
461 }
462
mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context * ctx)463 static inline size_t mbedtls_ssl_get_input_buflen( const mbedtls_ssl_context *ctx )
464 {
465 #if defined (MBEDTLS_SSL_DTLS_CONNECTION_ID)
466 return mbedtls_ssl_get_input_max_frag_len( ctx )
467 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
468 + MBEDTLS_SSL_CID_IN_LEN_MAX;
469 #else
470 return mbedtls_ssl_get_input_max_frag_len( ctx )
471 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
472 #endif
473 }
474 #endif
475
476 /*
477 * TLS extension flags (for extensions with outgoing ServerHello content
478 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
479 * of state of the renegotiation flag, so no indicator is required)
480 */
481 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
482 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
483
484 /**
485 * \brief This function checks if the remaining size in a buffer is
486 * greater or equal than a needed space.
487 *
488 * \param cur Pointer to the current position in the buffer.
489 * \param end Pointer to one past the end of the buffer.
490 * \param need Needed space in bytes.
491 *
492 * \return Zero if the needed space is available in the buffer, non-zero
493 * otherwise.
494 */
495 #if ! defined(MBEDTLS_TEST_HOOKS)
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)496 static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
497 const uint8_t *end, size_t need )
498 {
499 return( ( cur > end ) || ( need > (size_t)( end - cur ) ) );
500 }
501 #else
502 typedef struct
503 {
504 const uint8_t *cur;
505 const uint8_t *end;
506 size_t need;
507 } mbedtls_ssl_chk_buf_ptr_args;
508
509 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
510 const uint8_t *cur, const uint8_t *end, size_t need );
511 void mbedtls_ssl_reset_chk_buf_ptr_fail_args( void );
512
513 MBEDTLS_CHECK_RETURN_CRITICAL
514 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args( mbedtls_ssl_chk_buf_ptr_args *args );
515
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)516 static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
517 const uint8_t *end, size_t need )
518 {
519 if( ( cur > end ) || ( need > (size_t)( end - cur ) ) )
520 {
521 mbedtls_ssl_set_chk_buf_ptr_fail_args( cur, end, need );
522 return( 1 );
523 }
524 return( 0 );
525 }
526 #endif /* MBEDTLS_TEST_HOOKS */
527
528 /**
529 * \brief This macro checks if the remaining size in a buffer is
530 * greater or equal than a needed space. If it is not the case,
531 * it returns an SSL_BUFFER_TOO_SMALL error.
532 *
533 * \param cur Pointer to the current position in the buffer.
534 * \param end Pointer to one past the end of the buffer.
535 * \param need Needed space in bytes.
536 *
537 */
538 #define MBEDTLS_SSL_CHK_BUF_PTR( cur, end, need ) \
539 do { \
540 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
541 { \
542 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); \
543 } \
544 } while( 0 )
545
546 /**
547 * \brief This macro checks if the remaining length in an input buffer is
548 * greater or equal than a needed length. If it is not the case, it
549 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
550 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
551 *
552 * This is a function-like macro. It is guaranteed to evaluate each
553 * argument exactly once.
554 *
555 * \param cur Pointer to the current position in the buffer.
556 * \param end Pointer to one past the end of the buffer.
557 * \param need Needed length in bytes.
558 *
559 */
560 #define MBEDTLS_SSL_CHK_BUF_READ_PTR( cur, end, need ) \
561 do { \
562 if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
563 { \
564 MBEDTLS_SSL_DEBUG_MSG( 1, \
565 ( "missing input data in %s", __func__ ) ); \
566 MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
567 MBEDTLS_ERR_SSL_DECODE_ERROR ); \
568 return( MBEDTLS_ERR_SSL_DECODE_ERROR ); \
569 } \
570 } while( 0 )
571
572 #ifdef __cplusplus
573 extern "C" {
574 #endif
575
576 typedef int mbedtls_ssl_tls_prf_cb( const unsigned char *secret, size_t slen,
577 const char *label,
578 const unsigned char *random, size_t rlen,
579 unsigned char *dstbuf, size_t dlen );
580
581 /* cipher.h exports the maximum IV, key and block length from
582 * all ciphers enabled in the config, regardless of whether those
583 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
584 * in the default configuration and uses 64 Byte keys, but it is
585 * not used for record protection in SSL/TLS.
586 *
587 * In order to prevent unnecessary inflation of key structures,
588 * we introduce SSL-specific variants of the max-{key,block,IV}
589 * macros here which are meant to only take those ciphers into
590 * account which can be negotiated in SSL/TLS.
591 *
592 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
593 * in cipher.h are rough overapproximations of the real maxima, here
594 * we content ourselves with replicating those overapproximations
595 * for the maximum block and IV length, and excluding XTS from the
596 * computation of the maximum key length. */
597 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
598 #define MBEDTLS_SSL_MAX_IV_LENGTH 16
599 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32
600
601 /**
602 * \brief The data structure holding the cryptographic material (key and IV)
603 * used for record protection in TLS 1.3.
604 */
605 struct mbedtls_ssl_key_set
606 {
607 /*! The key for client->server records. */
608 unsigned char client_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
609 /*! The key for server->client records. */
610 unsigned char server_write_key[ MBEDTLS_SSL_MAX_KEY_LENGTH ];
611 /*! The IV for client->server records. */
612 unsigned char client_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
613 /*! The IV for server->client records. */
614 unsigned char server_write_iv[ MBEDTLS_SSL_MAX_IV_LENGTH ];
615
616 size_t key_len; /*!< The length of client_write_key and
617 * server_write_key, in Bytes. */
618 size_t iv_len; /*!< The length of client_write_iv and
619 * server_write_iv, in Bytes. */
620 };
621 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
622
623 typedef struct
624 {
625 unsigned char binder_key [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
626 unsigned char client_early_traffic_secret [ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
627 unsigned char early_exporter_master_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
628 } mbedtls_ssl_tls13_early_secrets;
629
630 typedef struct
631 {
632 unsigned char client_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
633 unsigned char server_handshake_traffic_secret[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
634 } mbedtls_ssl_tls13_handshake_secrets;
635
636 /*
637 * This structure contains the parameters only needed during handshake.
638 */
639 struct mbedtls_ssl_handshake_params
640 {
641 /* Frequently-used boolean or byte fields (placed early to take
642 * advantage of smaller code size for indirect access on Arm Thumb) */
643 uint8_t resume; /*!< session resume indicator*/
644 uint8_t cli_exts; /*!< client extension presence*/
645
646 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
647 uint8_t sni_authmode; /*!< authmode from SNI callback */
648 #endif
649
650 #if defined(MBEDTLS_SSL_SRV_C)
651 /* Flag indicating if a CertificateRequest message has been sent
652 * to the client or not. */
653 uint8_t certificate_request_sent;
654 #endif /* MBEDTLS_SSL_SRV_C */
655
656 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
657 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
658 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
659
660 #if defined(MBEDTLS_SSL_CLI_C)
661 /** Minimum TLS version to be negotiated.
662 *
663 * It is set up in the ClientHello writing preparation stage and used
664 * throughout the ClientHello writing. Not relevant anymore as soon as
665 * the protocol version has been negotiated thus as soon as the
666 * ServerHello is received.
667 * For a fresh handshake not linked to any previous handshake, it is
668 * equal to the configured minimum minor version to be negotiated. When
669 * renegotiating or resuming a session, it is equal to the previously
670 * negotiated minor version.
671 *
672 * There is no maximum TLS version field in this handshake context.
673 * From the start of the handshake, we need to define a current protocol
674 * version for the record layer which we define as the maximum TLS
675 * version to be negotiated. The `tls_version` field of the SSL context is
676 * used to store this maximum value until it contains the actual
677 * negotiated value.
678 */
679 mbedtls_ssl_protocol_version min_tls_version;
680 #endif
681
682 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
683 uint8_t extended_ms; /*!< use Extended Master Secret? */
684 #endif
685
686 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
687 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
688 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
689
690 #if defined(MBEDTLS_SSL_PROTO_DTLS)
691 unsigned char retransmit_state; /*!< Retransmission state */
692 #endif
693
694 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
695 unsigned char group_list_heap_allocated;
696 unsigned char sig_algs_heap_allocated;
697 #endif
698
699 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
700 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
701 enum { /* this complements ssl->state with info on intra-state operations */
702 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
703 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
704 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
705 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
706 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
707 } ecrs_state; /*!< current (or last) operation */
708 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
709 size_t ecrs_n; /*!< place for saving a length */
710 #endif
711
712 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
713
714 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
715 void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
716 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
717 mbedtls_ssl_tls_prf_cb *tls_prf;
718
719 /*
720 * Handshake specific crypto variables
721 */
722 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
723 uint8_t key_exchange_mode; /*!< Selected key exchange mode */
724
725 /** Number of HelloRetryRequest messages received/sent from/to the server. */
726 int hello_retry_request_count;
727
728 #if defined(MBEDTLS_SSL_SRV_C)
729 /** selected_group of key_share extension in HelloRetryRequest message. */
730 uint16_t hrr_selected_group;
731 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
732 uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
733 #endif
734 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
735 uint16_t new_session_tickets_count; /*!< number of session tickets */
736 #endif
737 #endif /* MBEDTLS_SSL_SRV_C */
738
739 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
740
741 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
742 uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
743 #endif
744
745 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
746 const uint16_t *group_list;
747 const uint16_t *sig_algs;
748 #endif
749
750 #if defined(MBEDTLS_DHM_C)
751 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
752 #endif
753
754 /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
755 * to guards in client and server code. There is a gap in functionality that
756 * access to ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not
757 * seem correct.
758 */
759 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
760 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
761 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
762 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
763
764 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
765 psa_key_type_t ecdh_psa_type;
766 size_t ecdh_bits;
767 mbedtls_svc_key_id_t ecdh_psa_privkey;
768 uint8_t ecdh_psa_privkey_is_external;
769 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
770 size_t ecdh_psa_peerkey_len;
771 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
772 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
773
774 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
775 #if defined(MBEDTLS_USE_PSA_CRYPTO)
776 psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */
777 mbedtls_svc_key_id_t psa_pake_password;
778 uint8_t psa_pake_ctx_is_ok;
779 #else
780 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
781 #endif /* MBEDTLS_USE_PSA_CRYPTO */
782 #if defined(MBEDTLS_SSL_CLI_C)
783 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
784 size_t ecjpake_cache_len; /*!< Length of cached data */
785 #endif
786 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
787
788 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
789 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
790 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
791 #endif
792
793 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
794 #if defined(MBEDTLS_USE_PSA_CRYPTO)
795 mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
796 uint8_t psk_opaque_is_internal;
797 #else
798 unsigned char *psk; /*!< PSK from the callback */
799 size_t psk_len; /*!< Length of PSK from callback */
800 #endif /* MBEDTLS_USE_PSA_CRYPTO */
801 uint16_t selected_identity;
802 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
803
804 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
805 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
806 #endif
807
808 #if defined(MBEDTLS_X509_CRT_PARSE_C)
809 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
810 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
811 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
812 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
813 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
814 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
815 #endif /* MBEDTLS_X509_CRT_PARSE_C */
816
817 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
818 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
819 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
820 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
821
822 struct
823 {
824 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
825 * buffers used for message buffering. */
826
827 uint8_t seen_ccs; /*!< Indicates if a CCS message has
828 * been seen in the current flight. */
829
830 struct mbedtls_ssl_hs_buffer
831 {
832 unsigned is_valid : 1;
833 unsigned is_fragmented : 1;
834 unsigned is_complete : 1;
835 unsigned char *data;
836 size_t data_len;
837 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
838
839 struct
840 {
841 unsigned char *data;
842 size_t len;
843 unsigned epoch;
844 } future_record;
845
846 } buffering;
847
848 #if defined(MBEDTLS_SSL_CLI_C) && \
849 ( defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3) )
850 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
851 * HelloRetryRequest cookie for TLS 1.3 */
852 #endif /* MBEDTLS_SSL_CLI_C &&
853 ( MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 ) */
854 #if defined(MBEDTLS_SSL_PROTO_DTLS)
855 unsigned char verify_cookie_len; /*!< Cli: HelloVerifyRequest cookie
856 * length
857 * Srv: flag for sending a cookie */
858 #endif /* MBEDTLS_SSL_PROTO_DTLS */
859 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
860 uint16_t hrr_cookie_len; /*!< HelloRetryRequest cookie length */
861 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_SSL_PROTO_TLS1_3 */
862
863 #if defined(MBEDTLS_SSL_PROTO_DTLS)
864 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
865 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
866
867 uint32_t retransmit_timeout; /*!< Current value of timeout */
868 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
869 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
870 unsigned char *cur_msg_p; /*!< Position in current message */
871 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
872 flight being received */
873 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
874 resending messages */
875 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
876 for resending messages */
877
878 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
879 /* The state of CID configuration in this handshake. */
880
881 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
882 * has been negotiated. Possible values are
883 * #MBEDTLS_SSL_CID_ENABLED and
884 * #MBEDTLS_SSL_CID_DISABLED. */
885 unsigned char peer_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ]; /*! The peer's CID */
886 uint8_t peer_cid_len; /*!< The length of
887 * \c peer_cid. */
888 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
889
890 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
891 #endif /* MBEDTLS_SSL_PROTO_DTLS */
892
893 /*
894 * Checksum contexts
895 */
896 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
897 #if defined(MBEDTLS_USE_PSA_CRYPTO)
898 psa_hash_operation_t fin_sha256_psa;
899 #else
900 mbedtls_sha256_context fin_sha256;
901 #endif
902 #endif
903 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
904 #if defined(MBEDTLS_USE_PSA_CRYPTO)
905 psa_hash_operation_t fin_sha384_psa;
906 #else
907 mbedtls_sha512_context fin_sha384;
908 #endif
909 #endif
910
911 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
912 uint16_t offered_group_id; /* The NamedGroup value for the group
913 * that is being used for ephemeral
914 * key exchange.
915 *
916 * On the client: Defaults to the first
917 * entry in the client's group list,
918 * but can be overwritten by the HRR. */
919 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
920
921 #if defined(MBEDTLS_SSL_CLI_C)
922 uint8_t client_auth; /*!< used to check if CertificateRequest has been
923 received from server side. If CertificateRequest
924 has been received, Certificate and CertificateVerify
925 should be sent to server */
926 #endif /* MBEDTLS_SSL_CLI_C */
927 /*
928 * State-local variables used during the processing
929 * of a specific handshake state.
930 */
931 union
932 {
933 /* Outgoing Finished message */
934 struct
935 {
936 uint8_t preparation_done;
937
938 /* Buffer holding digest of the handshake up to
939 * but excluding the outgoing finished message. */
940 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
941 size_t digest_len;
942 } finished_out;
943
944 /* Incoming Finished message */
945 struct
946 {
947 uint8_t preparation_done;
948
949 /* Buffer holding digest of the handshake up to but
950 * excluding the peer's incoming finished message. */
951 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
952 size_t digest_len;
953 } finished_in;
954
955 } state_local;
956
957 /* End of state-local variables. */
958
959 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
960 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
961 /*!< random bytes */
962 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
963 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
964 /*!< premaster secret */
965 size_t pmslen; /*!< premaster length */
966 #endif
967
968 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
969 uint32_t sent_extensions; /*!< extensions sent by endpoint */
970 uint32_t received_extensions; /*!< extensions received by endpoint */
971
972 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
973 unsigned char certificate_request_context_len;
974 unsigned char *certificate_request_context;
975 #endif
976
977 /** TLS 1.3 transform for encrypted handshake messages. */
978 mbedtls_ssl_transform *transform_handshake;
979 union
980 {
981 unsigned char early [MBEDTLS_TLS1_3_MD_MAX_SIZE];
982 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
983 unsigned char app [MBEDTLS_TLS1_3_MD_MAX_SIZE];
984 } tls13_master_secrets;
985
986 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
987 #if defined(MBEDTLS_SSL_EARLY_DATA)
988 mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
989 /** TLS 1.3 transform for early data and handshake messages. */
990 mbedtls_ssl_transform *transform_earlydata;
991 #endif
992 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
993
994 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
995 /** Asynchronous operation context. This field is meant for use by the
996 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
997 * mbedtls_ssl_config::f_async_decrypt_start,
998 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
999 * The library does not use it internally. */
1000 void *user_async_ctx;
1001 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
1002
1003 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1004 const unsigned char *sni_name; /*!< raw SNI */
1005 size_t sni_name_len; /*!< raw SNI len */
1006 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
1007 const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
1008 #endif
1009 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1010 };
1011
1012 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
1013
1014 /*
1015 * Representation of decryption/encryption transformations on records
1016 *
1017 * There are the following general types of record transformations:
1018 * - Stream transformations (TLS versions == 1.2 only)
1019 * Transformation adding a MAC and applying a stream-cipher
1020 * to the authenticated message.
1021 * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
1022 * For TLS 1.2, no IV is generated at key extraction time, but every
1023 * encrypted record is explicitly prefixed by the IV with which it was
1024 * encrypted.
1025 * - AEAD transformations ([D]TLS versions == 1.2 only)
1026 * These come in two fundamentally different versions, the first one
1027 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
1028 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
1029 * In the first transformation, the IV to be used for a record is obtained
1030 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
1031 * record sequence number, and explicitly prepending this sequence number
1032 * to the encrypted record. In contrast, in the second transformation
1033 * the IV is obtained by XOR'ing a static IV obtained at key extraction
1034 * time with the 8-byte record sequence number, without prepending the
1035 * latter to the encrypted record.
1036 *
1037 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
1038 * which allows to add flexible length padding and to hide a record's true
1039 * content type.
1040 *
1041 * In addition to type and version, the following parameters are relevant:
1042 * - The symmetric cipher algorithm to be used.
1043 * - The (static) encryption/decryption keys for the cipher.
1044 * - For stream/CBC, the type of message digest to be used.
1045 * - For stream/CBC, (static) encryption/decryption keys for the digest.
1046 * - For AEAD transformations, the size (potentially 0) of an explicit,
1047 * random initialization vector placed in encrypted records.
1048 * - For some transformations (currently AEAD) an implicit IV. It is static
1049 * and (if present) is combined with the explicit IV in a transformation-
1050 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
1051 * - For stream/CBC, a flag determining the order of encryption and MAC.
1052 * - The details of the transformation depend on the SSL/TLS version.
1053 * - The length of the authentication tag.
1054 *
1055 * The struct below refines this abstract view as follows:
1056 * - The cipher underlying the transformation is managed in
1057 * cipher contexts cipher_ctx_{enc/dec}, which must have the
1058 * same cipher type. The mode of these cipher contexts determines
1059 * the type of the transformation in the sense above: e.g., if
1060 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
1061 * then the transformation has type CBC resp. AEAD.
1062 * - The cipher keys are never stored explicitly but
1063 * are maintained within cipher_ctx_{enc/dec}.
1064 * - For stream/CBC transformations, the message digest contexts
1065 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
1066 * are unused for AEAD transformations.
1067 * - For stream/CBC transformations, the MAC keys are not stored explicitly
1068 * but maintained within md_ctx_{enc/dec}.
1069 * - The mac_enc and mac_dec fields are unused for EAD transformations.
1070 * - For transformations using an implicit IV maintained within
1071 * the transformation context, its contents are stored within
1072 * iv_{enc/dec}.
1073 * - The value of ivlen indicates the length of the IV.
1074 * This is redundant in case of stream/CBC transformations
1075 * which always use 0 resp. the cipher's block length as the
1076 * IV length, but is needed for AEAD ciphers and may be
1077 * different from the underlying cipher's block length
1078 * in this case.
1079 * - The field fixed_ivlen is nonzero for AEAD transformations only
1080 * and indicates the length of the static part of the IV which is
1081 * constant throughout the communication, and which is stored in
1082 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
1083 * - tls_version denotes the 2-byte TLS version
1084 * - For stream/CBC transformations, maclen denotes the length of the
1085 * authentication tag, while taglen is unused and 0.
1086 * - For AEAD transformations, taglen denotes the length of the
1087 * authentication tag, while maclen is unused and 0.
1088 * - For CBC transformations, encrypt_then_mac determines the
1089 * order of encryption and authentication. This field is unused
1090 * in other transformations.
1091 *
1092 */
1093 struct mbedtls_ssl_transform
1094 {
1095 /*
1096 * Session specific crypto layer
1097 */
1098 size_t minlen; /*!< min. ciphertext length */
1099 size_t ivlen; /*!< IV length */
1100 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
1101 size_t maclen; /*!< MAC(CBC) len */
1102 size_t taglen; /*!< TAG(AEAD) len */
1103
1104 unsigned char iv_enc[16]; /*!< IV (encryption) */
1105 unsigned char iv_dec[16]; /*!< IV (decryption) */
1106
1107 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1108
1109 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1110 mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
1111 mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
1112 psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
1113 #else
1114 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
1115 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
1116 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1117
1118 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1119 int encrypt_then_mac; /*!< flag for EtM activation */
1120 #endif
1121
1122 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
1123
1124 mbedtls_ssl_protocol_version tls_version;
1125
1126 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1127 mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
1128 mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
1129 psa_algorithm_t psa_alg; /*!< psa algorithm */
1130 #else
1131 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
1132 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
1133 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1134
1135 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1136 uint8_t in_cid_len;
1137 uint8_t out_cid_len;
1138 unsigned char in_cid [ MBEDTLS_SSL_CID_IN_LEN_MAX ];
1139 unsigned char out_cid[ MBEDTLS_SSL_CID_OUT_LEN_MAX ];
1140 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1141
1142 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
1143 /* We need the Hello random bytes in order to re-derive keys from the
1144 * Master Secret and other session info,
1145 * see ssl_tls12_populate_transform() */
1146 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
1147 MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
1148 /*!< ServerHello.random+ClientHello.random */
1149 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
1150 };
1151
1152 /*
1153 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
1154 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
1155 */
mbedtls_ssl_transform_uses_aead(const mbedtls_ssl_transform * transform)1156 static inline int mbedtls_ssl_transform_uses_aead(
1157 const mbedtls_ssl_transform *transform )
1158 {
1159 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1160 return( transform->maclen == 0 && transform->taglen != 0 );
1161 #else
1162 (void) transform;
1163 return( 1 );
1164 #endif
1165 }
1166
1167 /*
1168 * Internal representation of record frames
1169 *
1170 * Instances come in two flavors:
1171 * (1) Encrypted
1172 * These always have data_offset = 0
1173 * (2) Unencrypted
1174 * These have data_offset set to the amount of
1175 * pre-expansion during record protection. Concretely,
1176 * this is the length of the fixed part of the explicit IV
1177 * used for encryption, or 0 if no explicit IV is used
1178 * (e.g. for stream ciphers).
1179 *
1180 * The reason for the data_offset in the unencrypted case
1181 * is to allow for in-place conversion of an unencrypted to
1182 * an encrypted record. If the offset wasn't included, the
1183 * encrypted content would need to be shifted afterwards to
1184 * make space for the fixed IV.
1185 *
1186 */
1187 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
1188 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
1189 #else
1190 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
1191 #endif
1192
1193 typedef struct
1194 {
1195 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
1196 * In DTLS: The 2-byte epoch followed by
1197 * the 6-byte sequence number.
1198 * This is stored as a raw big endian byte array
1199 * as opposed to a uint64_t because we rarely
1200 * need to perform arithmetic on this, but do
1201 * need it as a Byte array for the purpose of
1202 * MAC computations. */
1203 uint8_t type; /* The record content type. */
1204 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
1205 * Convert to internal presentation of versions
1206 * using mbedtls_ssl_read_version() and
1207 * mbedtls_ssl_write_version().
1208 * Keep wire-format for MAC computations. */
1209
1210 unsigned char *buf; /* Memory buffer enclosing the record content */
1211 size_t buf_len; /* Buffer length */
1212 size_t data_offset; /* Offset of record content */
1213 size_t data_len; /* Length of record content */
1214
1215 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1216 uint8_t cid_len; /* Length of the CID (0 if not present) */
1217 unsigned char cid[ MBEDTLS_SSL_CID_LEN_MAX ]; /* The CID */
1218 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1219 } mbedtls_record;
1220
1221 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1222 /*
1223 * List of certificate + private key pairs
1224 */
1225 struct mbedtls_ssl_key_cert
1226 {
1227 mbedtls_x509_crt *cert; /*!< cert */
1228 mbedtls_pk_context *key; /*!< private key */
1229 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
1230 };
1231 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1232
1233 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1234 /*
1235 * List of handshake messages kept around for resending
1236 */
1237 struct mbedtls_ssl_flight_item
1238 {
1239 unsigned char *p; /*!< message, including handshake headers */
1240 size_t len; /*!< length of p */
1241 unsigned char type; /*!< type of the message: handshake or CCS */
1242 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
1243 };
1244 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1245
1246 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1247 /**
1248 * \brief Given an SSL context and its associated configuration, write the TLS
1249 * 1.2 specific extensions of the ClientHello message.
1250 *
1251 * \param[in] ssl SSL context
1252 * \param[in] buf Base address of the buffer where to write the extensions
1253 * \param[in] end End address of the buffer where to write the extensions
1254 * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve
1255 * (<> 0) or not ( 0 ).
1256 * \param[out] out_len Length of the data written into the buffer \p buf
1257 */
1258 MBEDTLS_CHECK_RETURN_CRITICAL
1259 int mbedtls_ssl_tls12_write_client_hello_exts( mbedtls_ssl_context *ssl,
1260 unsigned char *buf,
1261 const unsigned char *end,
1262 int uses_ec,
1263 size_t *out_len );
1264 #endif
1265
1266 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1267 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1268
1269 /**
1270 * \brief Find the preferred hash for a given signature algorithm.
1271 *
1272 * \param[in] ssl SSL context
1273 * \param[in] sig_alg A signature algorithm identifier as defined in the
1274 * TLS 1.2 SignatureAlgorithm enumeration.
1275 *
1276 * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
1277 * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
1278 */
1279 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
1280 mbedtls_ssl_context *ssl,
1281 unsigned int sig_alg );
1282
1283 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1284 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1285
1286 /**
1287 * \brief Free referenced items in an SSL transform context and clear
1288 * memory
1289 *
1290 * \param transform SSL transform context
1291 */
1292 void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
1293
1294 /**
1295 * \brief Free referenced items in an SSL handshake context and clear
1296 * memory
1297 *
1298 * \param ssl SSL context
1299 */
1300 void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
1301
1302 /* set inbound transform of ssl context */
1303 void mbedtls_ssl_set_inbound_transform( mbedtls_ssl_context *ssl,
1304 mbedtls_ssl_transform *transform );
1305
1306 /* set outbound transform of ssl context */
1307 void mbedtls_ssl_set_outbound_transform( mbedtls_ssl_context *ssl,
1308 mbedtls_ssl_transform *transform );
1309
1310 MBEDTLS_CHECK_RETURN_CRITICAL
1311 int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
1312 MBEDTLS_CHECK_RETURN_CRITICAL
1313 int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
1314 void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
mbedtls_ssl_handshake_set_state(mbedtls_ssl_context * ssl,mbedtls_ssl_states state)1315 static inline void mbedtls_ssl_handshake_set_state( mbedtls_ssl_context *ssl,
1316 mbedtls_ssl_states state )
1317 {
1318 ssl->state = ( int ) state;
1319 }
1320
1321 MBEDTLS_CHECK_RETURN_CRITICAL
1322 int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
1323
1324 void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
1325
1326 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1327 MBEDTLS_CHECK_RETURN_CRITICAL
1328 int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
1329 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1330
1331 MBEDTLS_CHECK_RETURN_CRITICAL
1332 int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
1333 MBEDTLS_CHECK_RETURN_CRITICAL
1334 int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
1335 void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
1336
1337 /**
1338 * \brief Update record layer
1339 *
1340 * This function roughly separates the implementation
1341 * of the logic of (D)TLS from the implementation
1342 * of the secure transport.
1343 *
1344 * \param ssl The SSL context to use.
1345 * \param update_hs_digest This indicates if the handshake digest
1346 * should be automatically updated in case
1347 * a handshake message is found.
1348 *
1349 * \return 0 or non-zero error code.
1350 *
1351 * \note A clarification on what is called 'record layer' here
1352 * is in order, as many sensible definitions are possible:
1353 *
1354 * The record layer takes as input an untrusted underlying
1355 * transport (stream or datagram) and transforms it into
1356 * a serially multiplexed, secure transport, which
1357 * conceptually provides the following:
1358 *
1359 * (1) Three datagram based, content-agnostic transports
1360 * for handshake, alert and CCS messages.
1361 * (2) One stream- or datagram-based transport
1362 * for application data.
1363 * (3) Functionality for changing the underlying transform
1364 * securing the contents.
1365 *
1366 * The interface to this functionality is given as follows:
1367 *
1368 * a Updating
1369 * [Currently implemented by mbedtls_ssl_read_record]
1370 *
1371 * Check if and on which of the four 'ports' data is pending:
1372 * Nothing, a controlling datagram of type (1), or application
1373 * data (2). In any case data is present, internal buffers
1374 * provide access to the data for the user to process it.
1375 * Consumption of type (1) datagrams is done automatically
1376 * on the next update, invalidating that the internal buffers
1377 * for previous datagrams, while consumption of application
1378 * data (2) is user-controlled.
1379 *
1380 * b Reading of application data
1381 * [Currently manual adaption of ssl->in_offt pointer]
1382 *
1383 * As mentioned in the last paragraph, consumption of data
1384 * is different from the automatic consumption of control
1385 * datagrams (1) because application data is treated as a stream.
1386 *
1387 * c Tracking availability of application data
1388 * [Currently manually through decreasing ssl->in_msglen]
1389 *
1390 * For efficiency and to retain datagram semantics for
1391 * application data in case of DTLS, the record layer
1392 * provides functionality for checking how much application
1393 * data is still available in the internal buffer.
1394 *
1395 * d Changing the transformation securing the communication.
1396 *
1397 * Given an opaque implementation of the record layer in the
1398 * above sense, it should be possible to implement the logic
1399 * of (D)TLS on top of it without the need to know anything
1400 * about the record layer's internals. This is done e.g.
1401 * in all the handshake handling functions, and in the
1402 * application data reading function mbedtls_ssl_read.
1403 *
1404 * \note The above tries to give a conceptual picture of the
1405 * record layer, but the current implementation deviates
1406 * from it in some places. For example, our implementation of
1407 * the update functionality through mbedtls_ssl_read_record
1408 * discards datagrams depending on the current state, which
1409 * wouldn't fall under the record layer's responsibility
1410 * following the above definition.
1411 *
1412 */
1413 MBEDTLS_CHECK_RETURN_CRITICAL
1414 int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
1415 unsigned update_hs_digest );
1416 MBEDTLS_CHECK_RETURN_CRITICAL
1417 int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
1418
1419 /*
1420 * Write handshake message header
1421 */
1422 MBEDTLS_CHECK_RETURN_CRITICAL
1423 int mbedtls_ssl_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned hs_type,
1424 unsigned char **buf, size_t *buf_len );
1425
1426 MBEDTLS_CHECK_RETURN_CRITICAL
1427 int mbedtls_ssl_write_handshake_msg_ext( mbedtls_ssl_context *ssl,
1428 int update_checksum,
1429 int force_flush );
mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context * ssl)1430 static inline int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
1431 {
1432 return( mbedtls_ssl_write_handshake_msg_ext( ssl, 1 /* update checksum */, 1 /* force flush */ ) );
1433 }
1434
1435 /*
1436 * Write handshake message tail
1437 */
1438 MBEDTLS_CHECK_RETURN_CRITICAL
1439 int mbedtls_ssl_finish_handshake_msg( mbedtls_ssl_context *ssl,
1440 size_t buf_len, size_t msg_len );
1441
1442 MBEDTLS_CHECK_RETURN_CRITICAL
1443 int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, int force_flush );
1444 MBEDTLS_CHECK_RETURN_CRITICAL
1445 int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
1446
1447 MBEDTLS_CHECK_RETURN_CRITICAL
1448 int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
1449 MBEDTLS_CHECK_RETURN_CRITICAL
1450 int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
1451
1452 MBEDTLS_CHECK_RETURN_CRITICAL
1453 int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
1454 MBEDTLS_CHECK_RETURN_CRITICAL
1455 int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
1456
1457 MBEDTLS_CHECK_RETURN_CRITICAL
1458 int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
1459 MBEDTLS_CHECK_RETURN_CRITICAL
1460 int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
1461
1462 void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
1463 const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
1464
1465 /*
1466 * Update checksum of handshake messages.
1467 */
1468 void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
1469 unsigned hs_type,
1470 unsigned char const *msg,
1471 size_t msg_len );
1472
1473 void mbedtls_ssl_add_hs_hdr_to_checksum( mbedtls_ssl_context *ssl,
1474 unsigned hs_type,
1475 size_t total_hs_len );
1476
1477 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1478 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
1479 MBEDTLS_CHECK_RETURN_CRITICAL
1480 int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl,
1481 mbedtls_key_exchange_type_t key_ex );
1482 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
1483 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1484
1485 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
1486 #if defined(MBEDTLS_SSL_CLI_C)
1487 MBEDTLS_CHECK_RETURN_CRITICAL
1488 int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf );
1489 #endif
1490 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1491 /**
1492 * Get the first defined opaque PSK by order of precedence:
1493 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1494 * callback
1495 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1496 * Return an opaque PSK
1497 */
mbedtls_ssl_get_opaque_psk(const mbedtls_ssl_context * ssl)1498 static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
1499 const mbedtls_ssl_context *ssl )
1500 {
1501 if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
1502 return( ssl->handshake->psk_opaque );
1503
1504 if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
1505 return( ssl->conf->psk_opaque );
1506
1507 return( MBEDTLS_SVC_KEY_ID_INIT );
1508 }
1509 #else
1510 /**
1511 * Get the first defined PSK by order of precedence:
1512 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1513 * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1514 * Return a code and update the pair (PSK, PSK length) passed to this function
1515 */
mbedtls_ssl_get_psk(const mbedtls_ssl_context * ssl,const unsigned char ** psk,size_t * psk_len)1516 static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
1517 const unsigned char **psk, size_t *psk_len )
1518 {
1519 if( ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0 )
1520 {
1521 *psk = ssl->handshake->psk;
1522 *psk_len = ssl->handshake->psk_len;
1523 }
1524
1525 else if( ssl->conf->psk != NULL && ssl->conf->psk_len > 0 )
1526 {
1527 *psk = ssl->conf->psk;
1528 *psk_len = ssl->conf->psk_len;
1529 }
1530
1531 else
1532 {
1533 *psk = NULL;
1534 *psk_len = 0;
1535 return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
1536 }
1537
1538 return( 0 );
1539 }
1540 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1541
1542 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
1543
1544 #if defined(MBEDTLS_PK_C)
1545 unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
1546 unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
1547 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
1548 #endif
1549
1550 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
1551 unsigned char mbedtls_ssl_hash_from_md_alg( int md );
1552
1553 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1554 MBEDTLS_CHECK_RETURN_CRITICAL
1555 int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
1556 #endif
1557
1558 MBEDTLS_CHECK_RETURN_CRITICAL
1559 int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id );
1560 #if defined(MBEDTLS_ECP_C)
1561 MBEDTLS_CHECK_RETURN_CRITICAL
1562 int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
1563 #endif
1564
1565 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_check_srtp_profile_value(const uint16_t srtp_profile_value)1566 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1567 ( const uint16_t srtp_profile_value )
1568 {
1569 switch( srtp_profile_value )
1570 {
1571 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
1572 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
1573 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
1574 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
1575 return srtp_profile_value;
1576 default: break;
1577 }
1578 return( MBEDTLS_TLS_SRTP_UNSET );
1579 }
1580 #endif
1581
1582 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)1583 static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
1584 {
1585 mbedtls_ssl_key_cert *key_cert;
1586
1587 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1588 key_cert = ssl->handshake->key_cert;
1589 else
1590 key_cert = ssl->conf->key_cert;
1591
1592 return( key_cert == NULL ? NULL : key_cert->key );
1593 }
1594
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)1595 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
1596 {
1597 mbedtls_ssl_key_cert *key_cert;
1598
1599 if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
1600 key_cert = ssl->handshake->key_cert;
1601 else
1602 key_cert = ssl->conf->key_cert;
1603
1604 return( key_cert == NULL ? NULL : key_cert->cert );
1605 }
1606
1607 /*
1608 * Check usage of a certificate wrt extensions:
1609 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1610 *
1611 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1612 * check a cert we received from them)!
1613 *
1614 * Return 0 if everything is OK, -1 if not.
1615 */
1616 MBEDTLS_CHECK_RETURN_CRITICAL
1617 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
1618 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1619 int cert_endpoint,
1620 uint32_t *flags );
1621 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1622
1623 void mbedtls_ssl_write_version( unsigned char version[2], int transport,
1624 mbedtls_ssl_protocol_version tls_version );
1625 uint16_t mbedtls_ssl_read_version( const unsigned char version[2],
1626 int transport );
1627
mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context * ssl)1628 static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
1629 {
1630 #if !defined(MBEDTLS_SSL_PROTO_DTLS)
1631 ((void) ssl);
1632 #endif
1633
1634 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1635 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1636 {
1637 return( 13 );
1638 }
1639 else
1640 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1641 {
1642 return( 5 );
1643 }
1644 }
1645
mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context * ssl)1646 static inline size_t mbedtls_ssl_out_hdr_len( const mbedtls_ssl_context *ssl )
1647 {
1648 return( (size_t) ( ssl->out_iv - ssl->out_hdr ) );
1649 }
1650
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)1651 static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
1652 {
1653 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1654 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1655 return( 12 );
1656 #else
1657 ((void) ssl);
1658 #endif
1659 return( 4 );
1660 }
1661
1662 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1663 void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
1664 void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
1665 MBEDTLS_CHECK_RETURN_CRITICAL
1666 int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
1667 MBEDTLS_CHECK_RETURN_CRITICAL
1668 int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
1669 #endif
1670
1671 /* Visible for testing purposes only */
1672 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1673 MBEDTLS_CHECK_RETURN_CRITICAL
1674 int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context const *ssl );
1675 void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
1676 #endif
1677
1678 MBEDTLS_CHECK_RETURN_CRITICAL
1679 int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
1680 const mbedtls_ssl_session *src );
1681
1682 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1683 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
1684 MBEDTLS_CHECK_RETURN_CRITICAL
1685 int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
1686 unsigned char *hash, size_t *hashlen,
1687 unsigned char *data, size_t data_len,
1688 mbedtls_md_type_t md_alg );
1689 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1690
1691 #ifdef __cplusplus
1692 }
1693 #endif
1694
1695 void mbedtls_ssl_transform_init( mbedtls_ssl_transform *transform );
1696 MBEDTLS_CHECK_RETURN_CRITICAL
1697 int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
1698 mbedtls_ssl_transform *transform,
1699 mbedtls_record *rec,
1700 int (*f_rng)(void *, unsigned char *, size_t),
1701 void *p_rng );
1702 MBEDTLS_CHECK_RETURN_CRITICAL
1703 int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl,
1704 mbedtls_ssl_transform *transform,
1705 mbedtls_record *rec );
1706
1707 /* Length of the "epoch" field in the record header */
mbedtls_ssl_ep_len(const mbedtls_ssl_context * ssl)1708 static inline size_t mbedtls_ssl_ep_len( const mbedtls_ssl_context *ssl )
1709 {
1710 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1711 if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
1712 return( 2 );
1713 #else
1714 ((void) ssl);
1715 #endif
1716 return( 0 );
1717 }
1718
1719 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1720 MBEDTLS_CHECK_RETURN_CRITICAL
1721 int mbedtls_ssl_resend_hello_request( mbedtls_ssl_context *ssl );
1722 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1723
1724 void mbedtls_ssl_set_timer( mbedtls_ssl_context *ssl, uint32_t millisecs );
1725 MBEDTLS_CHECK_RETURN_CRITICAL
1726 int mbedtls_ssl_check_timer( mbedtls_ssl_context *ssl );
1727
1728 void mbedtls_ssl_reset_in_out_pointers( mbedtls_ssl_context *ssl );
1729 void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
1730 mbedtls_ssl_transform *transform );
1731 void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
1732
1733 MBEDTLS_CHECK_RETURN_CRITICAL
1734 int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
1735 void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
1736 int partial );
1737
1738 /*
1739 * Send pending alert
1740 */
1741 MBEDTLS_CHECK_RETURN_CRITICAL
1742 int mbedtls_ssl_handle_pending_alert( mbedtls_ssl_context *ssl );
1743
1744 /*
1745 * Set pending fatal alert flag.
1746 */
1747 void mbedtls_ssl_pend_fatal_alert( mbedtls_ssl_context *ssl,
1748 unsigned char alert_type,
1749 int alert_reason );
1750
1751 /* Alias of mbedtls_ssl_pend_fatal_alert */
1752 #define MBEDTLS_SSL_PEND_FATAL_ALERT( type, user_return_value ) \
1753 mbedtls_ssl_pend_fatal_alert( ssl, type, user_return_value )
1754
1755 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1756 void mbedtls_ssl_dtls_replay_reset( mbedtls_ssl_context *ssl );
1757 #endif
1758
1759 void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl );
1760
1761 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1762 MBEDTLS_CHECK_RETURN_CRITICAL
1763 int mbedtls_ssl_start_renegotiation( mbedtls_ssl_context *ssl );
1764 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1765
1766 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1767 size_t mbedtls_ssl_get_current_mtu( const mbedtls_ssl_context *ssl );
1768 void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl );
1769 void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight );
1770 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1771
1772 /**
1773 * ssl utils functions for checking configuration.
1774 */
1775
1776 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config * conf)1777 static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf )
1778 {
1779 return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1780 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
1781 }
1782
1783 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1784
1785 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config * conf)1786 static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf )
1787 {
1788 return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1789 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 );
1790 }
1791
1792 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1793
mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config * conf)1794 static inline int mbedtls_ssl_conf_is_tls13_enabled( const mbedtls_ssl_config *conf )
1795 {
1796 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1797 return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
1798 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3 );
1799 #else
1800 ((void) conf);
1801 return( 0 );
1802 #endif
1803 }
1804
mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config * conf)1805 static inline int mbedtls_ssl_conf_is_tls12_enabled( const mbedtls_ssl_config *conf )
1806 {
1807 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1808 return( conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
1809 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2 );
1810 #else
1811 ((void) conf);
1812 return( 0 );
1813 #endif
1814 }
1815
1816 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config * conf)1817 static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf )
1818 {
1819 return( conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1820 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 );
1821 }
1822 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
1823
1824 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1825 extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
1826 MBEDTLS_SERVER_HELLO_RANDOM_LEN ];
1827 MBEDTLS_CHECK_RETURN_CRITICAL
1828 int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl );
1829 MBEDTLS_CHECK_RETURN_CRITICAL
1830 int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl );
1831 void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl );
1832
1833 /**
1834 * \brief Given an SSL context and its associated configuration, write the TLS
1835 * 1.3 specific extensions of the ClientHello message.
1836 *
1837 * \param[in] ssl SSL context
1838 * \param[in] buf Base address of the buffer where to write the extensions
1839 * \param[in] end End address of the buffer where to write the extensions
1840 * \param[out] out_len Length of the data written into the buffer \p buf
1841 */
1842 MBEDTLS_CHECK_RETURN_CRITICAL
1843 int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
1844 unsigned char *buf,
1845 unsigned char *end,
1846 size_t *out_len );
1847
1848 /**
1849 * \brief TLS 1.3 client side state machine entry
1850 *
1851 * \param ssl SSL context
1852 */
1853 MBEDTLS_CHECK_RETURN_CRITICAL
1854 int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl );
1855
1856 /**
1857 * \brief TLS 1.3 server side state machine entry
1858 *
1859 * \param ssl SSL context
1860 */
1861 MBEDTLS_CHECK_RETURN_CRITICAL
1862 int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl );
1863
1864
1865 /*
1866 * Helper functions around key exchange modes.
1867 */
mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context * ssl,int kex_mode_mask)1868 static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
1869 int kex_mode_mask )
1870 {
1871 return( ( ssl->conf->tls13_kex_modes & kex_mode_mask ) != 0 );
1872 }
1873
mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context * ssl)1874 static inline int mbedtls_ssl_conf_tls13_psk_enabled( mbedtls_ssl_context *ssl )
1875 {
1876 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1877 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
1878 }
1879
mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1880 static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled( mbedtls_ssl_context *ssl )
1881 {
1882 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1883 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
1884 }
1885
mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context * ssl)1886 static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
1887 {
1888 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1889 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
1890 }
1891
mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1892 static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
1893 {
1894 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1895 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
1896 }
1897
mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context * ssl)1898 static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
1899 {
1900 return( mbedtls_ssl_conf_tls13_check_kex_modes( ssl,
1901 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
1902 }
1903
1904 #if defined(MBEDTLS_SSL_SRV_C) && \
1905 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
1906 /**
1907 * Given a list of key exchange modes, check if at least one of them is
1908 * supported.
1909 *
1910 * \param[in] ssl SSL context
1911 * \param kex_modes_mask Mask of the key exchange modes to check
1912 *
1913 * \return 0 if at least one of the key exchange modes is supported,
1914 * !=0 otherwise.
1915 */
mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context * ssl,int kex_modes_mask)1916 static inline unsigned mbedtls_ssl_tls13_check_kex_modes( mbedtls_ssl_context *ssl,
1917 int kex_modes_mask )
1918 {
1919 return( ( ssl->handshake->tls13_kex_modes & kex_modes_mask ) == 0 );
1920 }
1921
mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context * ssl)1922 static inline int mbedtls_ssl_tls13_psk_enabled( mbedtls_ssl_context *ssl )
1923 {
1924 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1925 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK ) );
1926 }
1927
mbedtls_ssl_tls13_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)1928 static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled(
1929 mbedtls_ssl_context *ssl )
1930 {
1931 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1932 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
1933 }
1934
mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context * ssl)1935 static inline int mbedtls_ssl_tls13_ephemeral_enabled( mbedtls_ssl_context *ssl )
1936 {
1937 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1938 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL ) );
1939 }
1940
mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context * ssl)1941 static inline int mbedtls_ssl_tls13_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
1942 {
1943 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1944 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
1945 }
1946
mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context * ssl)1947 static inline int mbedtls_ssl_tls13_some_psk_enabled( mbedtls_ssl_context *ssl )
1948 {
1949 return( ! mbedtls_ssl_tls13_check_kex_modes( ssl,
1950 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
1951 }
1952 #endif /* MBEDTLS_SSL_SRV_C &&
1953 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
1954
1955 /*
1956 * Helper functions for extensions checking.
1957 */
1958
1959 MBEDTLS_CHECK_RETURN_CRITICAL
1960 int mbedtls_ssl_tls13_check_received_extension(
1961 mbedtls_ssl_context *ssl,
1962 int hs_msg_type,
1963 unsigned int received_extension_type,
1964 uint32_t hs_msg_allowed_extensions_mask );
1965
mbedtls_ssl_tls13_set_hs_sent_ext_mask(mbedtls_ssl_context * ssl,unsigned int extension_type)1966 static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
1967 mbedtls_ssl_context *ssl, unsigned int extension_type )
1968 {
1969 ssl->handshake->sent_extensions |=
1970 mbedtls_ssl_get_extension_mask( extension_type );
1971 }
1972
1973 /*
1974 * Helper functions to check the selected key exchange mode.
1975 */
mbedtls_ssl_tls13_key_exchange_mode_check(mbedtls_ssl_context * ssl,int kex_mask)1976 static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
1977 mbedtls_ssl_context *ssl, int kex_mask )
1978 {
1979 return( ( ssl->handshake->key_exchange_mode & kex_mask ) != 0 );
1980 }
1981
mbedtls_ssl_tls13_key_exchange_mode_with_psk(mbedtls_ssl_context * ssl)1982 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
1983 mbedtls_ssl_context *ssl )
1984 {
1985 return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl,
1986 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL ) );
1987 }
1988
mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(mbedtls_ssl_context * ssl)1989 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
1990 mbedtls_ssl_context *ssl )
1991 {
1992 return( mbedtls_ssl_tls13_key_exchange_mode_check( ssl,
1993 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
1994 }
1995
1996 /*
1997 * Fetch TLS 1.3 handshake message header
1998 */
1999 MBEDTLS_CHECK_RETURN_CRITICAL
2000 int mbedtls_ssl_tls13_fetch_handshake_msg( mbedtls_ssl_context *ssl,
2001 unsigned hs_type,
2002 unsigned char **buf,
2003 size_t *buf_len );
2004
2005 /*
2006 * Handler of TLS 1.3 server certificate message
2007 */
2008 MBEDTLS_CHECK_RETURN_CRITICAL
2009 int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
2010
2011 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2012 /*
2013 * Handler of TLS 1.3 write Certificate message
2014 */
2015 MBEDTLS_CHECK_RETURN_CRITICAL
2016 int mbedtls_ssl_tls13_write_certificate( mbedtls_ssl_context *ssl );
2017
2018 /*
2019 * Handler of TLS 1.3 write Certificate Verify message
2020 */
2021 MBEDTLS_CHECK_RETURN_CRITICAL
2022 int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl );
2023
2024 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2025
2026 /*
2027 * Generic handler of Certificate Verify
2028 */
2029 MBEDTLS_CHECK_RETURN_CRITICAL
2030 int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl );
2031
2032 /*
2033 * Write of dummy-CCS's for middlebox compatibility
2034 */
2035 MBEDTLS_CHECK_RETURN_CRITICAL
2036 int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl );
2037
2038 MBEDTLS_CHECK_RETURN_CRITICAL
2039 int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl );
2040
2041 #if defined(MBEDTLS_ECDH_C)
2042 MBEDTLS_CHECK_RETURN_CRITICAL
2043 int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
2044 mbedtls_ssl_context *ssl,
2045 uint16_t named_group,
2046 unsigned char *buf,
2047 unsigned char *end,
2048 size_t *out_len );
2049 #endif /* MBEDTLS_ECDH_C */
2050
2051 #if defined(MBEDTLS_SSL_EARLY_DATA)
2052 int mbedtls_ssl_tls13_write_early_data_ext( mbedtls_ssl_context *ssl,
2053 unsigned char *buf,
2054 const unsigned char *end,
2055 size_t *out_len );
2056 #endif /* MBEDTLS_SSL_EARLY_DATA */
2057
2058 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2059
2060 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2061 /*
2062 * Parse TLS Signature Algorithm extension
2063 */
2064 MBEDTLS_CHECK_RETURN_CRITICAL
2065 int mbedtls_ssl_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
2066 const unsigned char *buf,
2067 const unsigned char *end );
2068 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2069
2070 /* Get handshake transcript */
2071 MBEDTLS_CHECK_RETURN_CRITICAL
2072 int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
2073 const mbedtls_md_type_t md,
2074 unsigned char *dst,
2075 size_t dst_len,
2076 size_t *olen );
2077
2078 /*
2079 * Return supported groups.
2080 *
2081 * In future, invocations can be changed to ssl->conf->group_list
2082 * when mbedtls_ssl_conf_curves() is deleted.
2083 *
2084 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
2085 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
2086 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
2087 *
2088 */
mbedtls_ssl_get_groups(const mbedtls_ssl_context * ssl)2089 static inline const void *mbedtls_ssl_get_groups( const mbedtls_ssl_context *ssl )
2090 {
2091 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
2092 return( ssl->conf->group_list );
2093 #else
2094 if( ( ssl->handshake != NULL ) && ( ssl->handshake->group_list != NULL ) )
2095 return( ssl->handshake->group_list );
2096 else
2097 return( ssl->conf->group_list );
2098 #endif
2099 }
2100
2101 /*
2102 * Helper functions for NamedGroup.
2103 */
mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)2104 static inline int mbedtls_ssl_tls12_named_group_is_ecdhe( uint16_t named_group )
2105 {
2106 /*
2107 * RFC 8422 section 5.1.1
2108 */
2109 return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2110 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 ||
2111 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 ||
2112 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
2113 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
2114 /* Below deprecated curves should be removed with notice to users */
2115 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
2116 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
2117 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
2118 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
2119 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
2120 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2121 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2122 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 );
2123 }
2124
mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)2125 static inline int mbedtls_ssl_tls13_named_group_is_ecdhe( uint16_t named_group )
2126 {
2127 return( named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2128 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2129 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2130 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
2131 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 );
2132 }
2133
mbedtls_ssl_tls13_named_group_is_dhe(uint16_t named_group)2134 static inline int mbedtls_ssl_tls13_named_group_is_dhe( uint16_t named_group )
2135 {
2136 return( named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
2137 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192 );
2138 }
2139
mbedtls_ssl_named_group_is_offered(const mbedtls_ssl_context * ssl,uint16_t named_group)2140 static inline int mbedtls_ssl_named_group_is_offered(
2141 const mbedtls_ssl_context *ssl, uint16_t named_group )
2142 {
2143 const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
2144
2145 if( group_list == NULL )
2146 return( 0 );
2147
2148 for( ; *group_list != 0; group_list++ )
2149 {
2150 if( *group_list == named_group )
2151 return( 1 );
2152 }
2153
2154 return( 0 );
2155 }
2156
mbedtls_ssl_named_group_is_supported(uint16_t named_group)2157 static inline int mbedtls_ssl_named_group_is_supported( uint16_t named_group )
2158 {
2159 #if defined(MBEDTLS_ECDH_C)
2160 if( mbedtls_ssl_tls13_named_group_is_ecdhe( named_group ) )
2161 {
2162 const mbedtls_ecp_curve_info *curve_info =
2163 mbedtls_ecp_curve_info_from_tls_id( named_group );
2164 if( curve_info != NULL )
2165 return( 1 );
2166 }
2167 #else
2168 ((void) named_group);
2169 #endif /* MBEDTLS_ECDH_C */
2170 return( 0 );
2171 }
2172
2173 /*
2174 * Return supported signature algorithms.
2175 *
2176 * In future, invocations can be changed to ssl->conf->sig_algs when
2177 * mbedtls_ssl_conf_sig_hashes() is deleted.
2178 *
2179 * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
2180 * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
2181 * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
2182 * been more recently invoked.
2183 *
2184 */
mbedtls_ssl_get_sig_algs(const mbedtls_ssl_context * ssl)2185 static inline const void *mbedtls_ssl_get_sig_algs(
2186 const mbedtls_ssl_context *ssl )
2187 {
2188 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2189
2190 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2191 if( ssl->handshake != NULL &&
2192 ssl->handshake->sig_algs_heap_allocated == 1 &&
2193 ssl->handshake->sig_algs != NULL )
2194 {
2195 return( ssl->handshake->sig_algs );
2196 }
2197 #endif
2198 return( ssl->conf->sig_algs );
2199
2200 #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2201
2202 ((void) ssl);
2203 return( NULL );
2204 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2205 }
2206
2207 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context * ssl,uint16_t own_sig_alg)2208 static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ssl,
2209 uint16_t own_sig_alg )
2210 {
2211 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
2212 if( sig_alg == NULL )
2213 return( 0 );
2214
2215 for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
2216 {
2217 if( *sig_alg == own_sig_alg )
2218 return( 1 );
2219 }
2220 return( 0 );
2221 }
2222
mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(const uint16_t sig_alg)2223 static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2224 const uint16_t sig_alg )
2225 {
2226 switch( sig_alg )
2227 {
2228 #if defined(MBEDTLS_ECDSA_C)
2229 #if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
2230 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
2231 break;
2232 #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
2233 #if defined(PSA_WANT_ALG_SHA_384) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
2234 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
2235 break;
2236 #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
2237 #if defined(PSA_WANT_ALG_SHA_512) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
2238 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
2239 break;
2240 #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
2241 #endif /* MBEDTLS_ECDSA_C */
2242
2243 #if defined(MBEDTLS_PKCS1_V21)
2244 #if defined(PSA_WANT_ALG_SHA_256)
2245 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2246 break;
2247 #endif /* PSA_WANT_ALG_SHA_256 */
2248 #if defined(PSA_WANT_ALG_SHA_384)
2249 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2250 break;
2251 #endif /* PSA_WANT_ALG_SHA_384 */
2252 #if defined(PSA_WANT_ALG_SHA_512)
2253 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2254 break;
2255 #endif /* PSA_WANT_ALG_SHA_512 */
2256 #endif /* MBEDTLS_PKCS1_V21 */
2257 default:
2258 return( 0 );
2259 }
2260 return( 1 );
2261
2262 }
2263
mbedtls_ssl_tls13_sig_alg_is_supported(const uint16_t sig_alg)2264 static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
2265 const uint16_t sig_alg )
2266 {
2267 switch( sig_alg )
2268 {
2269 #if defined(MBEDTLS_PKCS1_V15)
2270 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2271 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
2272 break;
2273 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2274 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2275 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
2276 break;
2277 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2278 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2279 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
2280 break;
2281 #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2282 #endif /* MBEDTLS_PKCS1_V15 */
2283 default:
2284 return( mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2285 sig_alg ) );
2286 }
2287 return( 1 );
2288 }
2289
2290 MBEDTLS_CHECK_RETURN_CRITICAL
2291 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
2292 mbedtls_pk_context *key );
2293 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2294
2295 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context * ssl,uint16_t proposed_sig_alg)2296 static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
2297 uint16_t proposed_sig_alg )
2298 {
2299 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
2300 if( sig_alg == NULL )
2301 return( 0 );
2302
2303 for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
2304 {
2305 if( *sig_alg == proposed_sig_alg )
2306 return( 1 );
2307 }
2308 return( 0 );
2309 }
2310
mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(uint16_t sig_alg,mbedtls_pk_type_t * pk_type,mbedtls_md_type_t * md_alg)2311 static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2312 uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
2313 {
2314 *pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );
2315 *md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff );
2316
2317 if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE )
2318 return( 0 );
2319
2320 switch( sig_alg )
2321 {
2322 #if defined(MBEDTLS_PKCS1_V21)
2323 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2324 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2325 *md_alg = MBEDTLS_MD_SHA256;
2326 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2327 break;
2328 #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2329 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2330 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2331 *md_alg = MBEDTLS_MD_SHA384;
2332 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2333 break;
2334 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2335 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2336 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2337 *md_alg = MBEDTLS_MD_SHA512;
2338 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2339 break;
2340 #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2341 #endif /* MBEDTLS_PKCS1_V21 */
2342 default:
2343 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
2344 }
2345 return( 0 );
2346 }
2347
2348 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_tls12_sig_alg_is_supported(const uint16_t sig_alg)2349 static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
2350 const uint16_t sig_alg )
2351 {
2352 /* High byte is hash */
2353 unsigned char hash = MBEDTLS_BYTE_1( sig_alg );
2354 unsigned char sig = MBEDTLS_BYTE_0( sig_alg );
2355
2356 switch( hash )
2357 {
2358 #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2359 case MBEDTLS_SSL_HASH_MD5:
2360 break;
2361 #endif
2362
2363 #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2364 case MBEDTLS_SSL_HASH_SHA1:
2365 break;
2366 #endif
2367
2368 #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2369 case MBEDTLS_SSL_HASH_SHA224:
2370 break;
2371 #endif
2372
2373 #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2374 case MBEDTLS_SSL_HASH_SHA256:
2375 break;
2376 #endif
2377
2378 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2379 case MBEDTLS_SSL_HASH_SHA384:
2380 break;
2381 #endif
2382
2383 #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2384 case MBEDTLS_SSL_HASH_SHA512:
2385 break;
2386 #endif
2387
2388 default:
2389 return( 0 );
2390 }
2391
2392 switch( sig )
2393 {
2394 #if defined(MBEDTLS_RSA_C)
2395 case MBEDTLS_SSL_SIG_RSA:
2396 break;
2397 #endif
2398
2399 #if defined(MBEDTLS_ECDSA_C)
2400 case MBEDTLS_SSL_SIG_ECDSA:
2401 break;
2402 #endif
2403
2404 default:
2405 return( 0 );
2406 }
2407
2408 return( 1 );
2409 }
2410 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2411
mbedtls_ssl_sig_alg_is_supported(const mbedtls_ssl_context * ssl,const uint16_t sig_alg)2412 static inline int mbedtls_ssl_sig_alg_is_supported(
2413 const mbedtls_ssl_context *ssl,
2414 const uint16_t sig_alg )
2415 {
2416
2417 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2418 if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2 )
2419 {
2420 return( mbedtls_ssl_tls12_sig_alg_is_supported( sig_alg ) );
2421 }
2422 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2423
2424 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2425 if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
2426 {
2427 return( mbedtls_ssl_tls13_sig_alg_is_supported( sig_alg ) );
2428 }
2429 #endif
2430 ((void) ssl);
2431 ((void) sig_alg);
2432 return( 0 );
2433 }
2434 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2435
2436 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2437 /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
2438 * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
2439 * guaranteed to not be a valid PSA algorithm identifier.
2440 */
2441 #define MBEDTLS_SSL_NULL_CIPHER 0x04000000
2442
2443 /**
2444 * \brief Translate mbedtls cipher type/taglen pair to psa:
2445 * algorithm, key type and key size.
2446 *
2447 * \param mbedtls_cipher_type [in] given mbedtls cipher type
2448 * \param taglen [in] given tag length
2449 * 0 - default tag length
2450 * \param alg [out] corresponding PSA alg
2451 * There is no corresponding PSA
2452 * alg for MBEDTLS_CIPHER_NULL, so
2453 * in this case MBEDTLS_SSL_NULL_CIPHER
2454 * is returned via this parameter
2455 * \param key_type [out] corresponding PSA key type
2456 * \param key_size [out] corresponding PSA key size
2457 *
2458 * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
2459 * conversion is not supported.
2460 */
2461 psa_status_t mbedtls_ssl_cipher_to_psa( mbedtls_cipher_type_t mbedtls_cipher_type,
2462 size_t taglen,
2463 psa_algorithm_t *alg,
2464 psa_key_type_t *key_type,
2465 size_t *key_size );
2466
2467 /**
2468 * \brief Convert given PSA status to mbedtls error code.
2469 *
2470 * \param status [in] given PSA status
2471 *
2472 * \return corresponding mbedtls error code
2473 */
psa_ssl_status_to_mbedtls(psa_status_t status)2474 static inline int psa_ssl_status_to_mbedtls( psa_status_t status )
2475 {
2476 switch( status )
2477 {
2478 case PSA_SUCCESS:
2479 return( 0 );
2480 case PSA_ERROR_INSUFFICIENT_MEMORY:
2481 return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
2482 case PSA_ERROR_NOT_SUPPORTED:
2483 return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
2484 case PSA_ERROR_INVALID_SIGNATURE:
2485 return( MBEDTLS_ERR_SSL_INVALID_MAC );
2486 case PSA_ERROR_INVALID_ARGUMENT:
2487 return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
2488 case PSA_ERROR_BAD_STATE:
2489 return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
2490 case PSA_ERROR_BUFFER_TOO_SMALL:
2491 return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
2492 default:
2493 return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED );
2494 }
2495 }
2496 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2497
2498 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
2499 defined(MBEDTLS_USE_PSA_CRYPTO)
2500
2501 typedef enum {
2502 MBEDTLS_ECJPAKE_ROUND_ONE,
2503 MBEDTLS_ECJPAKE_ROUND_TWO
2504 } mbedtls_ecjpake_rounds_t;
2505
2506 /**
2507 * \brief Parse the provided input buffer for getting the first round
2508 * of key exchange. This code is common between server and client
2509 *
2510 * \param pake_ctx [in] the PAKE's operation/context structure
2511 * \param buf [in] input buffer to parse
2512 * \param len [in] length of the input buffer
2513 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2514 * MBEDTLS_ECJPAKE_ROUND_TWO
2515 *
2516 * \return 0 on success or a negative error code in case of failure
2517 */
2518 int mbedtls_psa_ecjpake_read_round(
2519 psa_pake_operation_t *pake_ctx,
2520 const unsigned char *buf,
2521 size_t len, mbedtls_ecjpake_rounds_t round );
2522
2523 /**
2524 * \brief Write the first round of key exchange into the provided output
2525 * buffer. This code is common between server and client
2526 *
2527 * \param pake_ctx [in] the PAKE's operation/context structure
2528 * \param buf [out] the output buffer in which data will be written to
2529 * \param len [in] length of the output buffer
2530 * \param olen [out] the length of the data really written on the buffer
2531 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2532 * MBEDTLS_ECJPAKE_ROUND_TWO
2533 *
2534 * \return 0 on success or a negative error code in case of failure
2535 */
2536 int mbedtls_psa_ecjpake_write_round(
2537 psa_pake_operation_t *pake_ctx,
2538 unsigned char *buf,
2539 size_t len, size_t *olen,
2540 mbedtls_ecjpake_rounds_t round );
2541
2542 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
2543
2544 /**
2545 * \brief TLS record protection modes
2546 */
2547 typedef enum {
2548 MBEDTLS_SSL_MODE_STREAM = 0,
2549 MBEDTLS_SSL_MODE_CBC,
2550 MBEDTLS_SSL_MODE_CBC_ETM,
2551 MBEDTLS_SSL_MODE_AEAD
2552 } mbedtls_ssl_mode_t;
2553
2554 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2555 const mbedtls_ssl_transform *transform );
2556
2557 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2558 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2559 int encrypt_then_mac,
2560 const mbedtls_ssl_ciphersuite_t *suite );
2561 #else
2562 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2563 const mbedtls_ssl_ciphersuite_t *suite );
2564 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2565
2566 #if defined(MBEDTLS_ECDH_C)
2567
2568 MBEDTLS_CHECK_RETURN_CRITICAL
2569 int mbedtls_ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
2570 const unsigned char *buf,
2571 size_t buf_len );
2572
2573 #endif /* MBEDTLS_ECDH_C */
2574
mbedtls_ssl_tls13_cipher_suite_is_offered(mbedtls_ssl_context * ssl,int cipher_suite)2575 static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
2576 mbedtls_ssl_context *ssl, int cipher_suite )
2577 {
2578 const int *ciphersuite_list = ssl->conf->ciphersuite_list;
2579
2580 /* Check whether we have offered this ciphersuite */
2581 for ( size_t i = 0; ciphersuite_list[i] != 0; i++ )
2582 {
2583 if( ciphersuite_list[i] == cipher_suite )
2584 {
2585 return( 1 );
2586 }
2587 }
2588 return( 0 );
2589 }
2590
2591 /**
2592 * \brief Validate cipher suite against config in SSL context.
2593 *
2594 * \param ssl SSL context
2595 * \param suite_info Cipher suite to validate
2596 * \param min_tls_version Minimal TLS version to accept a cipher suite
2597 * \param max_tls_version Maximal TLS version to accept a cipher suite
2598 *
2599 * \return 0 if valid, negative value otherwise.
2600 */
2601 MBEDTLS_CHECK_RETURN_CRITICAL
2602 int mbedtls_ssl_validate_ciphersuite(
2603 const mbedtls_ssl_context *ssl,
2604 const mbedtls_ssl_ciphersuite_t *suite_info,
2605 mbedtls_ssl_protocol_version min_tls_version,
2606 mbedtls_ssl_protocol_version max_tls_version );
2607
2608 MBEDTLS_CHECK_RETURN_CRITICAL
2609 int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
2610 const unsigned char *end, size_t *out_len );
2611
2612 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2613 MBEDTLS_CHECK_RETURN_CRITICAL
2614 int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,
2615 const unsigned char *buf,
2616 const unsigned char *end );
2617 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2618
2619 #if defined(MBEDTLS_SSL_ALPN)
2620 MBEDTLS_CHECK_RETURN_CRITICAL
2621 int mbedtls_ssl_parse_alpn_ext( mbedtls_ssl_context *ssl,
2622 const unsigned char *buf,
2623 const unsigned char *end );
2624
2625
2626 MBEDTLS_CHECK_RETURN_CRITICAL
2627 int mbedtls_ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
2628 unsigned char *buf,
2629 unsigned char *end,
2630 size_t *out_len );
2631 #endif /* MBEDTLS_SSL_ALPN */
2632
2633 #if defined(MBEDTLS_TEST_HOOKS)
2634 int mbedtls_ssl_check_dtls_clihlo_cookie(
2635 mbedtls_ssl_context *ssl,
2636 const unsigned char *cli_id, size_t cli_id_len,
2637 const unsigned char *in, size_t in_len,
2638 unsigned char *obuf, size_t buf_len, size_t *olen );
2639 #endif
2640
2641 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2642 /**
2643 * \brief Given an SSL context and its associated configuration, write the TLS
2644 * 1.3 specific Pre-Shared key extension.
2645 *
2646 * \param[in] ssl SSL context
2647 * \param[in] buf Base address of the buffer where to write the extension
2648 * \param[in] end End address of the buffer where to write the extension
2649 * \param[out] out_len Length in bytes of the Pre-Shared key extension: data
2650 * written into the buffer \p buf by this function plus
2651 * the length of the binders to be written.
2652 * \param[out] binders_len Length of the binders to be written at the end of
2653 * the extension.
2654 */
2655 MBEDTLS_CHECK_RETURN_CRITICAL
2656 int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
2657 mbedtls_ssl_context *ssl,
2658 unsigned char *buf, unsigned char *end,
2659 size_t *out_len, size_t *binders_len );
2660
2661 /**
2662 * \brief Given an SSL context and its associated configuration, write the TLS
2663 * 1.3 specific Pre-Shared key extension binders at the end of the
2664 * ClientHello.
2665 *
2666 * \param[in] ssl SSL context
2667 * \param[in] buf Base address of the buffer where to write the binders
2668 * \param[in] end End address of the buffer where to write the binders
2669 */
2670 MBEDTLS_CHECK_RETURN_CRITICAL
2671 int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
2672 mbedtls_ssl_context *ssl,
2673 unsigned char *buf, unsigned char *end );
2674 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
2675
2676 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
2677 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
2678 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
2679 defined(MBEDTLS_SSL_CLI_C)
2680 MBEDTLS_CHECK_RETURN_CRITICAL
2681 int mbedtls_ssl_session_set_hostname( mbedtls_ssl_session *session,
2682 const char *hostname );
2683 #endif
2684
2685 #endif /* ssl_misc.h */
2686