1 /**
2 * \file ssl_internal.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6 /*
7 * Copyright The Mbed TLS Contributors
8 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9 */
10 #ifndef MBEDTLS_SSL_INTERNAL_H
11 #define MBEDTLS_SSL_INTERNAL_H
12
13 #if !defined(MBEDTLS_CONFIG_FILE)
14 #include "mbedtls/config.h"
15 #else
16 #include MBEDTLS_CONFIG_FILE
17 #endif
18
19 #include "mbedtls/ssl.h"
20 #include "mbedtls/cipher.h"
21
22 #if defined(MBEDTLS_USE_PSA_CRYPTO)
23 #include "psa/crypto.h"
24 #endif
25
26 #if defined(MBEDTLS_MD5_C)
27 #include "mbedtls/md5.h"
28 #endif
29
30 #if defined(MBEDTLS_SHA1_C)
31 #include "mbedtls/sha1.h"
32 #endif
33
34 #if defined(MBEDTLS_SHA256_C)
35 #include "mbedtls/sha256.h"
36 #endif
37
38 #if defined(MBEDTLS_SHA512_C)
39 #include "mbedtls/sha512.h"
40 #endif
41
42 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
43 #include "mbedtls/ecjpake.h"
44 #endif
45
46 #if defined(MBEDTLS_USE_PSA_CRYPTO)
47 #include "psa/crypto.h"
48 #include "mbedtls/psa_util.h"
49 #endif /* MBEDTLS_USE_PSA_CRYPTO */
50
51 #if (defined(__ARMCC_VERSION) || defined(_MSC_VER)) && \
52 !defined(inline) && !defined(__cplusplus)
53 #define inline __inline
54 #endif
55
56 /* Determine minimum supported version */
57 #define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
58
59 #if defined(MBEDTLS_SSL_PROTO_SSL3)
60 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
61 #else
62 #if defined(MBEDTLS_SSL_PROTO_TLS1)
63 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
64 #else
65 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
66 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
67 #else
68 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
69 #define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
70 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
71 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
72 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
73 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
74
75 #define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
76 #define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
77
78 /* Determine maximum supported version */
79 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
80
81 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
82 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
83 #else
84 #if defined(MBEDTLS_SSL_PROTO_TLS1_1)
85 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
86 #else
87 #if defined(MBEDTLS_SSL_PROTO_TLS1)
88 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
89 #else
90 #if defined(MBEDTLS_SSL_PROTO_SSL3)
91 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
92 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
93 #endif /* MBEDTLS_SSL_PROTO_TLS1 */
94 #endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
95 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
96
97 /* Shorthand for restartable ECC */
98 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
99 defined(MBEDTLS_SSL_CLI_C) && \
100 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
101 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
102 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
103 #endif
104
105 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
106 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
107 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
108 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
109
110 /*
111 * DTLS retransmission states, see RFC 6347 4.2.4
112 *
113 * The SENDING state is merged in PREPARING for initial sends,
114 * but is distinct for resends.
115 *
116 * Note: initial state is wrong for server, but is not used anyway.
117 */
118 #define MBEDTLS_SSL_RETRANS_PREPARING 0
119 #define MBEDTLS_SSL_RETRANS_SENDING 1
120 #define MBEDTLS_SSL_RETRANS_WAITING 2
121 #define MBEDTLS_SSL_RETRANS_FINISHED 3
122
123 /*
124 * Allow extra bytes for record, authentication and encryption overhead:
125 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
126 * and allow for a maximum of 1024 of compression expansion if
127 * enabled.
128 */
129 #if defined(MBEDTLS_ZLIB_SUPPORT)
130 #define MBEDTLS_SSL_COMPRESSION_ADD 1024
131 #else
132 #define MBEDTLS_SSL_COMPRESSION_ADD 0
133 #endif
134
135 /* This macro determines whether CBC is supported. */
136 #if defined(MBEDTLS_CIPHER_MODE_CBC) && \
137 (defined(MBEDTLS_AES_C) || \
138 defined(MBEDTLS_CAMELLIA_C) || \
139 defined(MBEDTLS_ARIA_C) || \
140 defined(MBEDTLS_DES_C))
141 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
142 #endif
143
144 /* This macro determines whether the CBC construct used in TLS 1.0-1.2 (as
145 * opposed to the very different CBC construct used in SSLv3) is supported. */
146 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
147 (defined(MBEDTLS_SSL_PROTO_TLS1) || \
148 defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
149 defined(MBEDTLS_SSL_PROTO_TLS1_2))
150 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
151 #endif
152
153 #if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_NULL_CIPHER) || \
154 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
155 #define MBEDTLS_SSL_SOME_MODES_USE_MAC
156 #endif
157
158 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
159 /* Ciphersuites using HMAC */
160 #if defined(MBEDTLS_SHA512_C)
161 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
162 #elif defined(MBEDTLS_SHA256_C)
163 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
164 #else
165 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
166 #endif
167 #else /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
168 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
169 #define MBEDTLS_SSL_MAC_ADD 16
170 #endif
171
172 #if defined(MBEDTLS_CIPHER_MODE_CBC)
173 #define MBEDTLS_SSL_PADDING_ADD 256
174 #else
175 #define MBEDTLS_SSL_PADDING_ADD 0
176 #endif
177
178 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
179 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_PADDING_GRANULARITY
180 #else
181 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
182 #endif
183
184 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_SSL_COMPRESSION_ADD + \
185 MBEDTLS_MAX_IV_LENGTH + \
186 MBEDTLS_SSL_MAC_ADD + \
187 MBEDTLS_SSL_PADDING_ADD + \
188 MBEDTLS_SSL_MAX_CID_EXPANSION \
189 )
190
191 #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
192 (MBEDTLS_SSL_IN_CONTENT_LEN))
193
194 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
195 (MBEDTLS_SSL_OUT_CONTENT_LEN))
196
197 /* The maximum number of buffered handshake messages. */
198 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
199
200 /* Maximum length we can advertise as our max content length for
201 RFC 6066 max_fragment_length extension negotiation purposes
202 (the lesser of both sizes, if they are unequal.)
203 */
204 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
205 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
206 ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \
207 : (MBEDTLS_SSL_IN_CONTENT_LEN) \
208 )
209
210 /* Maximum size in bytes of list in sig-hash algorithm ext., RFC 5246 */
211 #define MBEDTLS_SSL_MAX_SIG_HASH_ALG_LIST_LEN 65534
212
213 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
214 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
215
216 /*
217 * Check that we obey the standard's message size bounds
218 */
219
220 #if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
221 #error "Bad configuration - record content too large."
222 #endif
223
224 #if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
225 #error \
226 "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
227 #endif
228
229 #if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
230 #error \
231 "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
232 #endif
233
234 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
235 #error "Bad configuration - incoming protected record payload too large."
236 #endif
237
238 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
239 #error "Bad configuration - outgoing protected record payload too large."
240 #endif
241
242 /* Calculate buffer sizes */
243
244 /* Note: Even though the TLS record header is only 5 bytes
245 long, we're internally using 8 bytes to store the
246 implicit sequence number. */
247 #define MBEDTLS_SSL_HEADER_LEN 13
248
249 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
250 #define MBEDTLS_SSL_IN_BUFFER_LEN \
251 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN))
252 #else
253 #define MBEDTLS_SSL_IN_BUFFER_LEN \
254 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \
255 + (MBEDTLS_SSL_CID_IN_LEN_MAX))
256 #endif
257
258 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
259 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
260 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN))
261 #else
262 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
263 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \
264 + (MBEDTLS_SSL_CID_OUT_LEN_MAX))
265 #endif
266
267 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context * ctx)268 static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
269 {
270 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
271 return mbedtls_ssl_get_output_max_frag_len(ctx)
272 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
273 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
274 #else
275 return mbedtls_ssl_get_output_max_frag_len(ctx)
276 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
277 #endif
278 }
279
mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context * ctx)280 static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx)
281 {
282 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
283 return mbedtls_ssl_get_input_max_frag_len(ctx)
284 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
285 + MBEDTLS_SSL_CID_IN_LEN_MAX;
286 #else
287 return mbedtls_ssl_get_input_max_frag_len(ctx)
288 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
289 #endif
290 }
291 #endif
292
293 #ifdef MBEDTLS_ZLIB_SUPPORT
294 /* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
295 #define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
296 (MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN) \
297 ? MBEDTLS_SSL_IN_BUFFER_LEN \
298 : MBEDTLS_SSL_OUT_BUFFER_LEN \
299 )
300 #endif
301
302 /*
303 * TLS extension flags (for extensions with outgoing ServerHello content
304 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
305 * of state of the renegotiation flag, so no indicator is required)
306 */
307 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
308 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
309
310 /**
311 * \brief This function checks if the remaining size in a buffer is
312 * greater or equal than a needed space.
313 *
314 * \param cur Pointer to the current position in the buffer.
315 * \param end Pointer to one past the end of the buffer.
316 * \param need Needed space in bytes.
317 *
318 * \return Zero if the needed space is available in the buffer, non-zero
319 * otherwise.
320 */
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)321 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
322 const uint8_t *end, size_t need)
323 {
324 return (cur > end) || (need > (size_t) (end - cur));
325 }
326
327 /**
328 * \brief This macro checks if the remaining size in a buffer is
329 * greater or equal than a needed space. If it is not the case,
330 * it returns an SSL_BUFFER_TOO_SMALL error.
331 *
332 * \param cur Pointer to the current position in the buffer.
333 * \param end Pointer to one past the end of the buffer.
334 * \param need Needed space in bytes.
335 *
336 */
337 #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \
338 do { \
339 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
340 { \
341 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \
342 } \
343 } while (0)
344
345 #ifdef __cplusplus
346 extern "C" {
347 #endif
348
349 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
350 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
351 /*
352 * Abstraction for a grid of allowed signature-hash-algorithm pairs.
353 */
354 struct mbedtls_ssl_sig_hash_set_t {
355 /* At the moment, we only need to remember a single suitable
356 * hash algorithm per signature algorithm. As long as that's
357 * the case - and we don't need a general lookup function -
358 * we can implement the sig-hash-set as a map from signatures
359 * to hash algorithms. */
360 mbedtls_md_type_t rsa;
361 mbedtls_md_type_t ecdsa;
362 };
363 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
364 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
365
366 typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
367 const char *label,
368 const unsigned char *random, size_t rlen,
369 unsigned char *dstbuf, size_t dlen);
370
371 /* cipher.h exports the maximum IV, key and block length from
372 * all ciphers enabled in the config, regardless of whether those
373 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
374 * in the default configuration and uses 64 Byte keys, but it is
375 * not used for record protection in SSL/TLS.
376 *
377 * In order to prevent unnecessary inflation of key structures,
378 * we introduce SSL-specific variants of the max-{key,block,IV}
379 * macros here which are meant to only take those ciphers into
380 * account which can be negotiated in SSL/TLS.
381 *
382 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
383 * in cipher.h are rough overapproximations of the real maxima, here
384 * we content ourselves with replicating those overapproximations
385 * for the maximum block and IV length, and excluding XTS from the
386 * computation of the maximum key length. */
387 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
388 #define MBEDTLS_SSL_MAX_IV_LENGTH 16
389 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32
390
391 /**
392 * \brief The data structure holding the cryptographic material (key and IV)
393 * used for record protection in TLS 1.3.
394 */
395 struct mbedtls_ssl_key_set {
396 /*! The key for client->server records. */
397 unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
398 /*! The key for server->client records. */
399 unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
400 /*! The IV for client->server records. */
401 unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
402 /*! The IV for server->client records. */
403 unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
404
405 size_t key_len; /*!< The length of client_write_key and
406 * server_write_key, in Bytes. */
407 size_t iv_len; /*!< The length of client_write_iv and
408 * server_write_iv, in Bytes. */
409 };
410 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
411
412 /*
413 * This structure contains the parameters only needed during handshake.
414 */
415 struct mbedtls_ssl_handshake_params {
416 /*
417 * Handshake specific crypto variables
418 */
419
420 uint8_t max_major_ver; /*!< max. major version client*/
421 uint8_t max_minor_ver; /*!< max. minor version client*/
422 uint8_t resume; /*!< session resume indicator*/
423 uint8_t cli_exts; /*!< client extension presence*/
424
425 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
426 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
427 uint8_t sni_authmode; /*!< authmode from SNI callback */
428 #endif
429
430 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
431 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
432 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
433
434 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
435 uint8_t extended_ms; /*!< use Extended Master Secret? */
436 #endif
437
438 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
439 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
440 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
441
442 #if defined(MBEDTLS_SSL_PROTO_DTLS)
443 unsigned char retransmit_state; /*!< Retransmission state */
444 #endif
445
446 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
447 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
448 enum { /* this complements ssl->state with info on intra-state operations */
449 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
450 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
451 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
452 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
453 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
454 } ecrs_state; /*!< current (or last) operation */
455 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
456 size_t ecrs_n; /*!< place for saving a length */
457 #endif
458
459 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
460 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
461 mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
462 #endif
463
464 size_t pmslen; /*!< premaster length */
465
466 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
467
468 void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
469 void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
470 void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
471 mbedtls_ssl_tls_prf_cb *tls_prf;
472
473 #if defined(MBEDTLS_DHM_C)
474 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
475 #endif
476
477 /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due
478 * to guards also being in ssl_srv.c and ssl_cli.c. There is a gap
479 * in functionality that access to ecdh_ctx structure is needed for
480 * MBEDTLS_ECDSA_C which does not seem correct.
481 */
482 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C)
483 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
484
485 #if defined(MBEDTLS_USE_PSA_CRYPTO)
486 psa_key_type_t ecdh_psa_type;
487 uint16_t ecdh_bits;
488 psa_key_id_t ecdh_psa_privkey;
489 unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
490 size_t ecdh_psa_peerkey_len;
491 #endif /* MBEDTLS_USE_PSA_CRYPTO */
492 #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
493
494 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
495 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
496 #if defined(MBEDTLS_SSL_CLI_C)
497 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
498 size_t ecjpake_cache_len; /*!< Length of cached data */
499 #endif
500 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
501
502 #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
503 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
504 const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
505 #endif
506
507 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
508 #if defined(MBEDTLS_USE_PSA_CRYPTO)
509 psa_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
510 #endif /* MBEDTLS_USE_PSA_CRYPTO */
511 unsigned char *psk; /*!< PSK from the callback */
512 size_t psk_len; /*!< Length of PSK from callback */
513 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
514
515 #if defined(MBEDTLS_X509_CRT_PARSE_C)
516 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
517 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
518 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
519 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
520 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
521 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
522 #endif /* MBEDTLS_X509_CRT_PARSE_C */
523
524 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
525 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
526 #endif
527
528 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
529 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
530 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
531 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
532
533 #if defined(MBEDTLS_SSL_PROTO_DTLS)
534 struct {
535 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
536 * buffers used for message buffering. */
537
538 uint8_t seen_ccs; /*!< Indicates if a CCS message has
539 * been seen in the current flight. */
540
541 struct mbedtls_ssl_hs_buffer {
542 unsigned is_valid : 1;
543 unsigned is_fragmented : 1;
544 unsigned is_complete : 1;
545 unsigned char *data;
546 size_t data_len;
547 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
548
549 struct {
550 unsigned char *data;
551 size_t len;
552 unsigned epoch;
553 } future_record;
554
555 } buffering;
556
557 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
558 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
559
560 unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
561 Srv: unused */
562 unsigned char verify_cookie_len; /*!< Cli: cookie length
563 Srv: flag for sending a cookie */
564
565 uint32_t retransmit_timeout; /*!< Current value of timeout */
566 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
567 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
568 unsigned char *cur_msg_p; /*!< Position in current message */
569 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
570 flight being received */
571 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
572 resending messages */
573 unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
574 for resending messages */
575
576 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
577 /* The state of CID configuration in this handshake. */
578
579 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
580 * has been negotiated. Possible values are
581 * #MBEDTLS_SSL_CID_ENABLED and
582 * #MBEDTLS_SSL_CID_DISABLED. */
583 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */
584 uint8_t peer_cid_len; /*!< The length of
585 * \c peer_cid. */
586 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
587
588 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
589 #endif /* MBEDTLS_SSL_PROTO_DTLS */
590
591 /*
592 * Checksum contexts
593 */
594 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
595 defined(MBEDTLS_SSL_PROTO_TLS1_1)
596 mbedtls_md5_context fin_md5;
597 mbedtls_sha1_context fin_sha1;
598 #endif
599 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
600 #if defined(MBEDTLS_SHA256_C)
601 #if defined(MBEDTLS_USE_PSA_CRYPTO)
602 psa_hash_operation_t fin_sha256_psa;
603 #else
604 mbedtls_sha256_context fin_sha256;
605 #endif
606 #endif
607 #if defined(MBEDTLS_SHA512_C)
608 #if defined(MBEDTLS_USE_PSA_CRYPTO)
609 psa_hash_operation_t fin_sha384_psa;
610 #else
611 mbedtls_sha512_context fin_sha512;
612 #endif
613 #endif
614 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
615
616 unsigned char randbytes[64]; /*!< random bytes */
617 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
618 /*!< premaster secret */
619
620 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
621 /** Asynchronous operation context. This field is meant for use by the
622 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
623 * mbedtls_ssl_config::f_async_decrypt_start,
624 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
625 * The library does not use it internally. */
626 void *user_async_ctx;
627 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
628 };
629
630 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
631
632 /*
633 * Representation of decryption/encryption transformations on records
634 *
635 * There are the following general types of record transformations:
636 * - Stream transformations (TLS versions <= 1.2 only)
637 * Transformation adding a MAC and applying a stream-cipher
638 * to the authenticated message.
639 * - CBC block cipher transformations ([D]TLS versions <= 1.2 only)
640 * In addition to the distinction of the order of encryption and
641 * authentication, there's a fundamental difference between the
642 * handling in SSL3 & TLS 1.0 and TLS 1.1 and TLS 1.2: For SSL3
643 * and TLS 1.0, the final IV after processing a record is used
644 * as the IV for the next record. No explicit IV is contained
645 * in an encrypted record. The IV for the first record is extracted
646 * at key extraction time. In contrast, for TLS 1.1 and 1.2, no
647 * IV is generated at key extraction time, but every encrypted
648 * record is explicitly prefixed by the IV with which it was encrypted.
649 * - AEAD transformations ([D]TLS versions >= 1.2 only)
650 * These come in two fundamentally different versions, the first one
651 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
652 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
653 * In the first transformation, the IV to be used for a record is obtained
654 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
655 * record sequence number, and explicitly prepending this sequence number
656 * to the encrypted record. In contrast, in the second transformation
657 * the IV is obtained by XOR'ing a static IV obtained at key extraction
658 * time with the 8-byte record sequence number, without prepending the
659 * latter to the encrypted record.
660 *
661 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
662 * which allows to add flexible length padding and to hide a record's true
663 * content type.
664 *
665 * In addition to type and version, the following parameters are relevant:
666 * - The symmetric cipher algorithm to be used.
667 * - The (static) encryption/decryption keys for the cipher.
668 * - For stream/CBC, the type of message digest to be used.
669 * - For stream/CBC, (static) encryption/decryption keys for the digest.
670 * - For AEAD transformations, the size (potentially 0) of an explicit,
671 * random initialization vector placed in encrypted records.
672 * - For some transformations (currently AEAD and CBC in SSL3 and TLS 1.0)
673 * an implicit IV. It may be static (e.g. AEAD) or dynamic (e.g. CBC)
674 * and (if present) is combined with the explicit IV in a transformation-
675 * dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
676 * - For stream/CBC, a flag determining the order of encryption and MAC.
677 * - The details of the transformation depend on the SSL/TLS version.
678 * - The length of the authentication tag.
679 *
680 * Note: Except for CBC in SSL3 and TLS 1.0, these parameters are
681 * constant across multiple encryption/decryption operations.
682 * For CBC, the implicit IV needs to be updated after each
683 * operation.
684 *
685 * The struct below refines this abstract view as follows:
686 * - The cipher underlying the transformation is managed in
687 * cipher contexts cipher_ctx_{enc/dec}, which must have the
688 * same cipher type. The mode of these cipher contexts determines
689 * the type of the transformation in the sense above: e.g., if
690 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
691 * then the transformation has type CBC resp. AEAD.
692 * - The cipher keys are never stored explicitly but
693 * are maintained within cipher_ctx_{enc/dec}.
694 * - For stream/CBC transformations, the message digest contexts
695 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
696 * are unused for AEAD transformations.
697 * - For stream/CBC transformations and versions > SSL3, the
698 * MAC keys are not stored explicitly but maintained within
699 * md_ctx_{enc/dec}.
700 * - For stream/CBC transformations and version SSL3, the MAC
701 * keys are stored explicitly in mac_enc, mac_dec and have
702 * a fixed size of 20 bytes. These fields are unused for
703 * AEAD transformations or transformations >= TLS 1.0.
704 * - For transformations using an implicit IV maintained within
705 * the transformation context, its contents are stored within
706 * iv_{enc/dec}.
707 * - The value of ivlen indicates the length of the IV.
708 * This is redundant in case of stream/CBC transformations
709 * which always use 0 resp. the cipher's block length as the
710 * IV length, but is needed for AEAD ciphers and may be
711 * different from the underlying cipher's block length
712 * in this case.
713 * - The field fixed_ivlen is nonzero for AEAD transformations only
714 * and indicates the length of the static part of the IV which is
715 * constant throughout the communication, and which is stored in
716 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
717 * Note: For CBC in SSL3 and TLS 1.0, the fields iv_{enc/dec}
718 * still store IV's for continued use across multiple transformations,
719 * so it is not true that fixed_ivlen == 0 means that iv_{enc/dec} are
720 * not being used!
721 * - minor_ver denotes the SSL/TLS version
722 * - For stream/CBC transformations, maclen denotes the length of the
723 * authentication tag, while taglen is unused and 0.
724 * - For AEAD transformations, taglen denotes the length of the
725 * authentication tag, while maclen is unused and 0.
726 * - For CBC transformations, encrypt_then_mac determines the
727 * order of encryption and authentication. This field is unused
728 * in other transformations.
729 *
730 */
731 struct mbedtls_ssl_transform {
732 /*
733 * Session specific crypto layer
734 */
735 size_t minlen; /*!< min. ciphertext length */
736 size_t ivlen; /*!< IV length */
737 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
738 size_t maclen; /*!< MAC(CBC) len */
739 size_t taglen; /*!< TAG(AEAD) len */
740
741 unsigned char iv_enc[16]; /*!< IV (encryption) */
742 unsigned char iv_dec[16]; /*!< IV (decryption) */
743
744 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
745
746 #if defined(MBEDTLS_SSL_PROTO_SSL3)
747 /* Needed only for SSL v3.0 secret */
748 unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
749 unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
750 #endif /* MBEDTLS_SSL_PROTO_SSL3 */
751
752 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
753 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
754
755 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
756 int encrypt_then_mac; /*!< flag for EtM activation */
757 #endif
758
759 #endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
760
761 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
762 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
763 int minor_ver;
764
765 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
766 uint8_t in_cid_len;
767 uint8_t out_cid_len;
768 unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
769 unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
770 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
771
772 /*
773 * Session specific compression layer
774 */
775 #if defined(MBEDTLS_ZLIB_SUPPORT)
776 z_stream ctx_deflate; /*!< compression context */
777 z_stream ctx_inflate; /*!< decompression context */
778 #endif
779
780 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
781 /* We need the Hello random bytes in order to re-derive keys from the
782 * Master Secret and other session info, see ssl_populate_transform() */
783 unsigned char randbytes[64]; /*!< ServerHello.random+ClientHello.random */
784 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
785 };
786
787 /*
788 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
789 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
790 */
mbedtls_ssl_transform_uses_aead(const mbedtls_ssl_transform * transform)791 static inline int mbedtls_ssl_transform_uses_aead(
792 const mbedtls_ssl_transform *transform)
793 {
794 #if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
795 return transform->maclen == 0 && transform->taglen != 0;
796 #else
797 (void) transform;
798 return 1;
799 #endif
800 }
801
802 /*
803 * Internal representation of record frames
804 *
805 * Instances come in two flavors:
806 * (1) Encrypted
807 * These always have data_offset = 0
808 * (2) Unencrypted
809 * These have data_offset set to the amount of
810 * pre-expansion during record protection. Concretely,
811 * this is the length of the fixed part of the explicit IV
812 * used for encryption, or 0 if no explicit IV is used
813 * (e.g. for CBC in TLS 1.0, or stream ciphers).
814 *
815 * The reason for the data_offset in the unencrypted case
816 * is to allow for in-place conversion of an unencrypted to
817 * an encrypted record. If the offset wasn't included, the
818 * encrypted content would need to be shifted afterwards to
819 * make space for the fixed IV.
820 *
821 */
822 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
823 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
824 #else
825 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
826 #endif
827
828 typedef struct {
829 uint8_t ctr[8]; /* In TLS: The implicit record sequence number.
830 * In DTLS: The 2-byte epoch followed by
831 * the 6-byte sequence number.
832 * This is stored as a raw big endian byte array
833 * as opposed to a uint64_t because we rarely
834 * need to perform arithmetic on this, but do
835 * need it as a Byte array for the purpose of
836 * MAC computations. */
837 uint8_t type; /* The record content type. */
838 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
839 * Convert to internal presentation of versions
840 * using mbedtls_ssl_read_version() and
841 * mbedtls_ssl_write_version().
842 * Keep wire-format for MAC computations. */
843
844 unsigned char *buf; /* Memory buffer enclosing the record content */
845 size_t buf_len; /* Buffer length */
846 size_t data_offset; /* Offset of record content */
847 size_t data_len; /* Length of record content */
848
849 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
850 uint8_t cid_len; /* Length of the CID (0 if not present) */
851 unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */
852 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
853 } mbedtls_record;
854
855 #if defined(MBEDTLS_X509_CRT_PARSE_C)
856 /*
857 * List of certificate + private key pairs
858 */
859 struct mbedtls_ssl_key_cert {
860 mbedtls_x509_crt *cert; /*!< cert */
861 mbedtls_pk_context *key; /*!< private key */
862 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
863 };
864 #endif /* MBEDTLS_X509_CRT_PARSE_C */
865
866 #if defined(MBEDTLS_SSL_PROTO_DTLS)
867 /*
868 * List of handshake messages kept around for resending
869 */
870 struct mbedtls_ssl_flight_item {
871 unsigned char *p; /*!< message, including handshake headers */
872 size_t len; /*!< length of p */
873 unsigned char type; /*!< type of the message: handshake or CCS */
874 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
875 };
876 #endif /* MBEDTLS_SSL_PROTO_DTLS */
877
878 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
879 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
880
881 /* Find an entry in a signature-hash set matching a given hash algorithm. */
882 mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find(mbedtls_ssl_sig_hash_set_t *set,
883 mbedtls_pk_type_t sig_alg);
884 /* Add a signature-hash-pair to a signature-hash set */
885 void mbedtls_ssl_sig_hash_set_add(mbedtls_ssl_sig_hash_set_t *set,
886 mbedtls_pk_type_t sig_alg,
887 mbedtls_md_type_t md_alg);
888 /* Allow exactly one hash algorithm for each signature. */
889 void mbedtls_ssl_sig_hash_set_const_hash(mbedtls_ssl_sig_hash_set_t *set,
890 mbedtls_md_type_t md_alg);
891
892 /* Setup an empty signature-hash set */
mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t * set)893 static inline void mbedtls_ssl_sig_hash_set_init(mbedtls_ssl_sig_hash_set_t *set)
894 {
895 mbedtls_ssl_sig_hash_set_const_hash(set, MBEDTLS_MD_NONE);
896 }
897
898 #endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
899 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
900
901 /**
902 * \brief Free referenced items in an SSL transform context and clear
903 * memory
904 *
905 * \param transform SSL transform context
906 */
907 void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
908
909 /**
910 * \brief Free referenced items in an SSL handshake context and clear
911 * memory
912 *
913 * \param ssl SSL context
914 */
915 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
916
917 MBEDTLS_CHECK_RETURN_CRITICAL
918 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
919 MBEDTLS_CHECK_RETURN_CRITICAL
920 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
921 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
922
923 MBEDTLS_CHECK_RETURN_CRITICAL
924 int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
925
926 void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
927 MBEDTLS_CHECK_RETURN_CRITICAL
928 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
929
930 MBEDTLS_CHECK_RETURN_CRITICAL
931 int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
932 MBEDTLS_CHECK_RETURN_CRITICAL
933 int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
934 void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
935
936 /**
937 * \brief Update record layer
938 *
939 * This function roughly separates the implementation
940 * of the logic of (D)TLS from the implementation
941 * of the secure transport.
942 *
943 * \param ssl The SSL context to use.
944 * \param update_hs_digest This indicates if the handshake digest
945 * should be automatically updated in case
946 * a handshake message is found.
947 *
948 * \return 0 or non-zero error code.
949 *
950 * \note A clarification on what is called 'record layer' here
951 * is in order, as many sensible definitions are possible:
952 *
953 * The record layer takes as input an untrusted underlying
954 * transport (stream or datagram) and transforms it into
955 * a serially multiplexed, secure transport, which
956 * conceptually provides the following:
957 *
958 * (1) Three datagram based, content-agnostic transports
959 * for handshake, alert and CCS messages.
960 * (2) One stream- or datagram-based transport
961 * for application data.
962 * (3) Functionality for changing the underlying transform
963 * securing the contents.
964 *
965 * The interface to this functionality is given as follows:
966 *
967 * a Updating
968 * [Currently implemented by mbedtls_ssl_read_record]
969 *
970 * Check if and on which of the four 'ports' data is pending:
971 * Nothing, a controlling datagram of type (1), or application
972 * data (2). In any case data is present, internal buffers
973 * provide access to the data for the user to process it.
974 * Consumption of type (1) datagrams is done automatically
975 * on the next update, invalidating that the internal buffers
976 * for previous datagrams, while consumption of application
977 * data (2) is user-controlled.
978 *
979 * b Reading of application data
980 * [Currently manual adaption of ssl->in_offt pointer]
981 *
982 * As mentioned in the last paragraph, consumption of data
983 * is different from the automatic consumption of control
984 * datagrams (1) because application data is treated as a stream.
985 *
986 * c Tracking availability of application data
987 * [Currently manually through decreasing ssl->in_msglen]
988 *
989 * For efficiency and to retain datagram semantics for
990 * application data in case of DTLS, the record layer
991 * provides functionality for checking how much application
992 * data is still available in the internal buffer.
993 *
994 * d Changing the transformation securing the communication.
995 *
996 * Given an opaque implementation of the record layer in the
997 * above sense, it should be possible to implement the logic
998 * of (D)TLS on top of it without the need to know anything
999 * about the record layer's internals. This is done e.g.
1000 * in all the handshake handling functions, and in the
1001 * application data reading function mbedtls_ssl_read.
1002 *
1003 * \note The above tries to give a conceptual picture of the
1004 * record layer, but the current implementation deviates
1005 * from it in some places. For example, our implementation of
1006 * the update functionality through mbedtls_ssl_read_record
1007 * discards datagrams depending on the current state, which
1008 * wouldn't fall under the record layer's responsibility
1009 * following the above definition.
1010 *
1011 */
1012 MBEDTLS_CHECK_RETURN_CRITICAL
1013 int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
1014 unsigned update_hs_digest);
1015 MBEDTLS_CHECK_RETURN_CRITICAL
1016 int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
1017
1018 MBEDTLS_CHECK_RETURN_CRITICAL
1019 int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl);
1020 MBEDTLS_CHECK_RETURN_CRITICAL
1021 int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, uint8_t force_flush);
1022 MBEDTLS_CHECK_RETURN_CRITICAL
1023 int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
1024
1025 MBEDTLS_CHECK_RETURN_CRITICAL
1026 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
1027 MBEDTLS_CHECK_RETURN_CRITICAL
1028 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
1029
1030 MBEDTLS_CHECK_RETURN_CRITICAL
1031 int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
1032 MBEDTLS_CHECK_RETURN_CRITICAL
1033 int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
1034
1035 MBEDTLS_CHECK_RETURN_CRITICAL
1036 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
1037 MBEDTLS_CHECK_RETURN_CRITICAL
1038 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
1039
1040 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
1041 const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
1042
1043 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1044 MBEDTLS_CHECK_RETURN_CRITICAL
1045 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex);
1046
1047 /**
1048 * Get the first defined PSK by order of precedence:
1049 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1050 * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1051 * Return a code and update the pair (PSK, PSK length) passed to this function
1052 */
mbedtls_ssl_get_psk(const mbedtls_ssl_context * ssl,const unsigned char ** psk,size_t * psk_len)1053 static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
1054 const unsigned char **psk, size_t *psk_len)
1055 {
1056 if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
1057 *psk = ssl->handshake->psk;
1058 *psk_len = ssl->handshake->psk_len;
1059 } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
1060 *psk = ssl->conf->psk;
1061 *psk_len = ssl->conf->psk_len;
1062 } else {
1063 *psk = NULL;
1064 *psk_len = 0;
1065 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
1066 }
1067
1068 return 0;
1069 }
1070
1071 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1072 /**
1073 * Get the first defined opaque PSK by order of precedence:
1074 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1075 * callback
1076 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1077 * Return an opaque PSK
1078 */
mbedtls_ssl_get_opaque_psk(const mbedtls_ssl_context * ssl)1079 static inline psa_key_id_t mbedtls_ssl_get_opaque_psk(
1080 const mbedtls_ssl_context *ssl)
1081 {
1082 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
1083 return ssl->handshake->psk_opaque;
1084 }
1085
1086 if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
1087 return ssl->conf->psk_opaque;
1088 }
1089
1090 return MBEDTLS_SVC_KEY_ID_INIT;
1091 }
1092 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1093
1094 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1095
1096 #if defined(MBEDTLS_PK_C)
1097 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
1098 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
1099 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
1100 #endif
1101
1102 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
1103 unsigned char mbedtls_ssl_hash_from_md_alg(int md);
1104 MBEDTLS_CHECK_RETURN_CRITICAL
1105 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
1106
1107 #if defined(MBEDTLS_ECP_C)
1108 MBEDTLS_CHECK_RETURN_CRITICAL
1109 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
1110 MBEDTLS_CHECK_RETURN_CRITICAL
1111 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
1112 #endif
1113
1114 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1115 MBEDTLS_CHECK_RETURN_CRITICAL
1116 int mbedtls_ssl_check_sig_hash(const mbedtls_ssl_context *ssl,
1117 mbedtls_md_type_t md);
1118 #endif
1119
1120 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_check_srtp_profile_value(const uint16_t srtp_profile_value)1121 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1122 (const uint16_t srtp_profile_value)
1123 {
1124 switch (srtp_profile_value) {
1125 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
1126 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
1127 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
1128 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
1129 return srtp_profile_value;
1130 default: break;
1131 }
1132 return MBEDTLS_TLS_SRTP_UNSET;
1133 }
1134 #endif
1135
1136 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)1137 static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
1138 {
1139 mbedtls_ssl_key_cert *key_cert;
1140
1141 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
1142 key_cert = ssl->handshake->key_cert;
1143 } else {
1144 key_cert = ssl->conf->key_cert;
1145 }
1146
1147 return key_cert == NULL ? NULL : key_cert->key;
1148 }
1149
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)1150 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
1151 {
1152 mbedtls_ssl_key_cert *key_cert;
1153
1154 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
1155 key_cert = ssl->handshake->key_cert;
1156 } else {
1157 key_cert = ssl->conf->key_cert;
1158 }
1159
1160 return key_cert == NULL ? NULL : key_cert->cert;
1161 }
1162
1163 /*
1164 * Check usage of a certificate wrt extensions:
1165 * keyUsage, extendedKeyUsage (later), and nSCertType (later).
1166 *
1167 * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
1168 * check a cert we received from them)!
1169 *
1170 * Return 0 if everything is OK, -1 if not.
1171 */
1172 MBEDTLS_CHECK_RETURN_CRITICAL
1173 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
1174 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1175 int cert_endpoint,
1176 uint32_t *flags);
1177 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1178
1179 void mbedtls_ssl_write_version(int major, int minor, int transport,
1180 unsigned char ver[2]);
1181 void mbedtls_ssl_read_version(int *major, int *minor, int transport,
1182 const unsigned char ver[2]);
1183
mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context * ssl)1184 static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl)
1185 {
1186 #if !defined(MBEDTLS_SSL_PROTO_DTLS)
1187 ((void) ssl);
1188 #endif
1189
1190 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1191 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1192 return 13;
1193 } else
1194 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1195 {
1196 return 5;
1197 }
1198 }
1199
mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context * ssl)1200 static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl)
1201 {
1202 return (size_t) (ssl->out_iv - ssl->out_hdr);
1203 }
1204
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)1205 static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
1206 {
1207 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1208 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1209 return 12;
1210 }
1211 #else
1212 ((void) ssl);
1213 #endif
1214 return 4;
1215 }
1216
1217 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1218 void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
1219 void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
1220 MBEDTLS_CHECK_RETURN_CRITICAL
1221 int mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
1222 MBEDTLS_CHECK_RETURN_CRITICAL
1223 int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
1224 #endif
1225
1226 /* Visible for testing purposes only */
1227 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1228 MBEDTLS_CHECK_RETURN_CRITICAL
1229 int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
1230 void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
1231 #endif
1232
1233 MBEDTLS_CHECK_RETURN_CRITICAL
1234 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
1235 const mbedtls_ssl_session *src);
1236
1237 #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
1238 defined(MBEDTLS_SSL_PROTO_TLS1_1)
1239 MBEDTLS_CHECK_RETURN_CRITICAL
1240 int mbedtls_ssl_get_key_exchange_md_ssl_tls(mbedtls_ssl_context *ssl,
1241 unsigned char *output,
1242 unsigned char *data, size_t data_len);
1243 #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
1244 MBEDTLS_SSL_PROTO_TLS1_1 */
1245
1246 #if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
1247 defined(MBEDTLS_SSL_PROTO_TLS1_2)
1248 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
1249 MBEDTLS_CHECK_RETURN_CRITICAL
1250 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
1251 unsigned char *hash, size_t *hashlen,
1252 unsigned char *data, size_t data_len,
1253 mbedtls_md_type_t md_alg);
1254 #endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
1255 MBEDTLS_SSL_PROTO_TLS1_2 */
1256
1257 #ifdef __cplusplus
1258 }
1259 #endif
1260
1261 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
1262 MBEDTLS_CHECK_RETURN_CRITICAL
1263 int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
1264 mbedtls_ssl_transform *transform,
1265 mbedtls_record *rec,
1266 int (*f_rng)(void *, unsigned char *, size_t),
1267 void *p_rng);
1268 MBEDTLS_CHECK_RETURN_CRITICAL
1269 int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
1270 mbedtls_ssl_transform *transform,
1271 mbedtls_record *rec);
1272
1273 /* Length of the "epoch" field in the record header */
mbedtls_ssl_ep_len(const mbedtls_ssl_context * ssl)1274 static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl)
1275 {
1276 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1277 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1278 return 2;
1279 }
1280 #else
1281 ((void) ssl);
1282 #endif
1283 return 0;
1284 }
1285
1286 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1287 MBEDTLS_CHECK_RETURN_CRITICAL
1288 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
1289 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1290
1291 void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
1292 MBEDTLS_CHECK_RETURN_CRITICAL
1293 int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
1294
1295 void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl);
1296 void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
1297 mbedtls_ssl_transform *transform);
1298 void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
1299
1300 MBEDTLS_CHECK_RETURN_CRITICAL
1301 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
1302
1303 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1304 void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
1305 #endif
1306
1307 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
1308
1309 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1310 MBEDTLS_CHECK_RETURN_CRITICAL
1311 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
1312 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1313
1314 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1315 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
1316 void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
1317 void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
1318 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1319
1320 #if defined(MBEDTLS_TEST_HOOKS)
1321 int mbedtls_ssl_check_dtls_clihlo_cookie(
1322 mbedtls_ssl_context *ssl,
1323 const unsigned char *cli_id, size_t cli_id_len,
1324 const unsigned char *in, size_t in_len,
1325 unsigned char *obuf, size_t buf_len, size_t *olen);
1326 #endif
1327
1328 #endif /* ssl_internal.h */
1329