1 /**
2 * \file ssl_misc.h
3 *
4 * \brief Internal functions shared by the SSL modules
5 */
6 /*
7 * Copyright The Mbed TLS Contributors
8 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
9 */
10 #ifndef MBEDTLS_SSL_MISC_H
11 #define MBEDTLS_SSL_MISC_H
12
13 #include "mbedtls/build_info.h"
14 #include "common.h"
15
16 #include "mbedtls/error.h"
17
18 #include "mbedtls/ssl.h"
19 #include "mbedtls/debug.h"
20 #include "debug_internal.h"
21
22 #include "mbedtls/cipher.h"
23
24 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
25 #include "psa/crypto.h"
26 #include "psa_util_internal.h"
27 #endif
28
29 #if defined(MBEDTLS_MD_CAN_MD5)
30 #include "mbedtls/md5.h"
31 #endif
32
33 #if defined(MBEDTLS_MD_CAN_SHA1)
34 #include "mbedtls/sha1.h"
35 #endif
36
37 #if defined(MBEDTLS_MD_CAN_SHA256)
38 #include "mbedtls/sha256.h"
39 #endif
40
41 #if defined(MBEDTLS_MD_CAN_SHA512)
42 #include "mbedtls/sha512.h"
43 #endif
44
45 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
46 !defined(MBEDTLS_USE_PSA_CRYPTO)
47 #include "mbedtls/ecjpake.h"
48 #endif
49
50 #include "mbedtls/pk.h"
51 #include "ssl_ciphersuites_internal.h"
52 #include "x509_internal.h"
53 #include "pk_internal.h"
54
55
56 /* Shorthand for restartable ECC */
57 #if defined(MBEDTLS_ECP_RESTARTABLE) && \
58 defined(MBEDTLS_SSL_CLI_C) && \
59 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
60 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
61 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
62 #endif
63
64 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
65 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
66 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
67 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
68
69 /* Faked handshake message identity for HelloRetryRequest. */
70 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO)
71
72 /*
73 * Internal identity of handshake extensions
74 */
75 #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0
76 #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1
77 #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1
78 #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2
79 #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3
80 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4
81 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4
82 #define MBEDTLS_SSL_EXT_ID_SIG_ALG 5
83 #define MBEDTLS_SSL_EXT_ID_USE_SRTP 6
84 #define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7
85 #define MBEDTLS_SSL_EXT_ID_ALPN 8
86 #define MBEDTLS_SSL_EXT_ID_SCT 9
87 #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10
88 #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11
89 #define MBEDTLS_SSL_EXT_ID_PADDING 12
90 #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13
91 #define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14
92 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15
93 #define MBEDTLS_SSL_EXT_ID_COOKIE 16
94 #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17
95 #define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18
96 #define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19
97 #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20
98 #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21
99 #define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22
100 #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23
101 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24
102 #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25
103 #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26
104 #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27
105 #define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28
106
107 /* Utility for translating IANA extension type. */
108 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type);
109 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
110 /* Macros used to define mask constants */
111 #define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id))
112 /* Reset value of extension mask */
113 #define MBEDTLS_SSL_EXT_MASK_NONE 0
114
115 /* In messages containing extension requests, we should ignore unrecognized
116 * extensions. In messages containing extension responses, unrecognized
117 * extensions should result in handshake abortion. Messages containing
118 * extension requests include ClientHello, CertificateRequest and
119 * NewSessionTicket. Messages containing extension responses include
120 * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
121 *
122 * RFC 8446 section 4.1.3
123 *
124 * The ServerHello MUST only include extensions which are required to establish
125 * the cryptographic context and negotiate the protocol version.
126 *
127 * RFC 8446 section 4.2
128 *
129 * If an implementation receives an extension which it recognizes and which is
130 * not specified for the message in which it appears, it MUST abort the handshake
131 * with an "illegal_parameter" alert.
132 */
133
134 /* Extensions that are not recognized by TLS 1.3 */
135 #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \
136 (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \
137 MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \
138 MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \
139 MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \
140 MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \
141 MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED))
142
143 /* RFC 8446 section 4.2. Allowed extensions for ClientHello */
144 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
145 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
146 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
147 MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
148 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
149 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
150 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
151 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
152 MBEDTLS_SSL_EXT_MASK(ALPN) | \
153 MBEDTLS_SSL_EXT_MASK(SCT) | \
154 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
155 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
156 MBEDTLS_SSL_EXT_MASK(PADDING) | \
157 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
158 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
159 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \
160 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
161 MBEDTLS_SSL_EXT_MASK(COOKIE) | \
162 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \
163 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
164 MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \
165 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
166 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \
167 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
168
169 /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
170 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
171 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
172 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
173 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
174 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
175 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
176 MBEDTLS_SSL_EXT_MASK(ALPN) | \
177 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
178 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
179 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
180 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT))
181
182 /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
183 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
184 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
185 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
186 MBEDTLS_SSL_EXT_MASK(SCT) | \
187 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
188 MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \
189 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
190 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
191
192 /* RFC 8446 section 4.2. Allowed extensions for Certificate */
193 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
194 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
195 MBEDTLS_SSL_EXT_MASK(SCT))
196
197 /* RFC 8446 section 4.2. Allowed extensions for ServerHello */
198 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
199 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
200 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
201 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
202
203 /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
204 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
205 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
206 MBEDTLS_SSL_EXT_MASK(COOKIE) | \
207 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
208
209 /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
210 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
211 (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
212 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
213
214 /*
215 * Helper macros for function call with return check.
216 */
217 /*
218 * Exit when return non-zero value
219 */
220 #define MBEDTLS_SSL_PROC_CHK(f) \
221 do { \
222 ret = (f); \
223 if (ret != 0) \
224 { \
225 goto cleanup; \
226 } \
227 } while (0)
228 /*
229 * Exit when return negative value
230 */
231 #define MBEDTLS_SSL_PROC_CHK_NEG(f) \
232 do { \
233 ret = (f); \
234 if (ret < 0) \
235 { \
236 goto cleanup; \
237 } \
238 } while (0)
239
240 /*
241 * DTLS retransmission states, see RFC 6347 4.2.4
242 *
243 * The SENDING state is merged in PREPARING for initial sends,
244 * but is distinct for resends.
245 *
246 * Note: initial state is wrong for server, but is not used anyway.
247 */
248 #define MBEDTLS_SSL_RETRANS_PREPARING 0
249 #define MBEDTLS_SSL_RETRANS_SENDING 1
250 #define MBEDTLS_SSL_RETRANS_WAITING 2
251 #define MBEDTLS_SSL_RETRANS_FINISHED 3
252
253 /*
254 * Allow extra bytes for record, authentication and encryption overhead:
255 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
256 */
257
258 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
259
260 /* This macro determines whether CBC is supported. */
261 #if defined(MBEDTLS_SSL_HAVE_CBC) && \
262 (defined(MBEDTLS_SSL_HAVE_AES) || \
263 defined(MBEDTLS_SSL_HAVE_CAMELLIA) || \
264 defined(MBEDTLS_SSL_HAVE_ARIA))
265 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
266 #endif
267
268 /* This macro determines whether a ciphersuite using a
269 * stream cipher can be used. */
270 #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
271 #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
272 #endif
273
274 /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
275 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
276 defined(MBEDTLS_SSL_PROTO_TLS1_2)
277 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
278 #endif
279
280 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
281 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
282 #define MBEDTLS_SSL_SOME_SUITES_USE_MAC
283 #endif
284
285 /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
286 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
287 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
288 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
289 #endif
290
291 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
292
293 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
294 /* Ciphersuites using HMAC */
295 #if defined(MBEDTLS_MD_CAN_SHA384)
296 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
297 #elif defined(MBEDTLS_MD_CAN_SHA256)
298 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
299 #else
300 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
301 #endif
302 #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
303 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
304 #define MBEDTLS_SSL_MAC_ADD 16
305 #endif
306
307 #if defined(MBEDTLS_SSL_HAVE_CBC)
308 #define MBEDTLS_SSL_PADDING_ADD 256
309 #else
310 #define MBEDTLS_SSL_PADDING_ADD 0
311 #endif
312
313 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
314 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
315 #else
316 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
317 #endif
318
319 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \
320 MBEDTLS_SSL_MAC_ADD + \
321 MBEDTLS_SSL_PADDING_ADD + \
322 MBEDTLS_SSL_MAX_CID_EXPANSION \
323 )
324
325 #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
326 (MBEDTLS_SSL_IN_CONTENT_LEN))
327
328 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
329 (MBEDTLS_SSL_OUT_CONTENT_LEN))
330
331 /* The maximum number of buffered handshake messages. */
332 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
333
334 /* Maximum length we can advertise as our max content length for
335 RFC 6066 max_fragment_length extension negotiation purposes
336 (the lesser of both sizes, if they are unequal.)
337 */
338 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
339 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
340 ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \
341 : (MBEDTLS_SSL_IN_CONTENT_LEN) \
342 )
343
344 /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
345 #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534
346
347 /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
348 #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2
349
350 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
351 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
352
353 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
354
355 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
356
357 #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
358
359 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
360 #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig)
361 #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
362 #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
363 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
364
365 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
366
367 /*
368 * Check that we obey the standard's message size bounds
369 */
370
371 #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
372 #error "Bad configuration - incoming record content too large."
373 #endif
374
375 #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
376 #error "Bad configuration - outgoing record content too large."
377 #endif
378
379 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
380 #error "Bad configuration - incoming protected record payload too large."
381 #endif
382
383 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
384 #error "Bad configuration - outgoing protected record payload too large."
385 #endif
386
387 /* Calculate buffer sizes */
388
389 /* Note: Even though the TLS record header is only 5 bytes
390 long, we're internally using 8 bytes to store the
391 implicit sequence number. */
392 #define MBEDTLS_SSL_HEADER_LEN 13
393
394 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
395 #define MBEDTLS_SSL_IN_BUFFER_LEN \
396 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN))
397 #else
398 #define MBEDTLS_SSL_IN_BUFFER_LEN \
399 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \
400 + (MBEDTLS_SSL_CID_IN_LEN_MAX))
401 #endif
402
403 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
404 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
405 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN))
406 #else
407 #define MBEDTLS_SSL_OUT_BUFFER_LEN \
408 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \
409 + (MBEDTLS_SSL_CID_OUT_LEN_MAX))
410 #endif
411
412 #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
413 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
414
415 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
416 /**
417 * \brief Return the maximum fragment length (payload, in bytes) for
418 * the output buffer. For the client, this is the configured
419 * value. For the server, it is the minimum of two - the
420 * configured value and the negotiated one.
421 *
422 * \sa mbedtls_ssl_conf_max_frag_len()
423 * \sa mbedtls_ssl_get_max_out_record_payload()
424 *
425 * \param ssl SSL context
426 *
427 * \return Current maximum fragment length for the output buffer.
428 */
429 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl);
430
431 /**
432 * \brief Return the maximum fragment length (payload, in bytes) for
433 * the input buffer. This is the negotiated maximum fragment
434 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
435 * If it is not defined either, the value is 2^14. This function
436 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
437 *
438 * \sa mbedtls_ssl_conf_max_frag_len()
439 * \sa mbedtls_ssl_get_max_in_record_payload()
440 *
441 * \param ssl SSL context
442 *
443 * \return Current maximum fragment length for the output buffer.
444 */
445 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
446 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
447
448 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
449 /**
450 * \brief Get the size limit in bytes for the protected outgoing records
451 * as defined in RFC 8449
452 *
453 * \param ssl SSL context
454 *
455 * \return The size limit in bytes for the protected outgoing
456 * records as defined in RFC 8449.
457 */
458 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl);
459 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
460
461 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context * ctx)462 static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
463 {
464 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
465 return mbedtls_ssl_get_output_max_frag_len(ctx)
466 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
467 + MBEDTLS_SSL_CID_OUT_LEN_MAX;
468 #else
469 return mbedtls_ssl_get_output_max_frag_len(ctx)
470 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
471 #endif
472 }
473
mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context * ctx)474 static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx)
475 {
476 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
477 return mbedtls_ssl_get_input_max_frag_len(ctx)
478 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
479 + MBEDTLS_SSL_CID_IN_LEN_MAX;
480 #else
481 return mbedtls_ssl_get_input_max_frag_len(ctx)
482 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
483 #endif
484 }
485 #endif
486
487 /*
488 * TLS extension flags (for extensions with outgoing ServerHello content
489 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
490 * of state of the renegotiation flag, so no indicator is required)
491 */
492 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
493 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
494
495 /**
496 * \brief This function checks if the remaining size in a buffer is
497 * greater or equal than a needed space.
498 *
499 * \param cur Pointer to the current position in the buffer.
500 * \param end Pointer to one past the end of the buffer.
501 * \param need Needed space in bytes.
502 *
503 * \return Zero if the needed space is available in the buffer, non-zero
504 * otherwise.
505 */
506 #if !defined(MBEDTLS_TEST_HOOKS)
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)507 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
508 const uint8_t *end, size_t need)
509 {
510 return (cur > end) || (need > (size_t) (end - cur));
511 }
512 #else
513 typedef struct {
514 const uint8_t *cur;
515 const uint8_t *end;
516 size_t need;
517 } mbedtls_ssl_chk_buf_ptr_args;
518
519 void mbedtls_ssl_set_chk_buf_ptr_fail_args(
520 const uint8_t *cur, const uint8_t *end, size_t need);
521 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void);
522
523 MBEDTLS_CHECK_RETURN_CRITICAL
524 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args);
525
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)526 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
527 const uint8_t *end, size_t need)
528 {
529 if ((cur > end) || (need > (size_t) (end - cur))) {
530 mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need);
531 return 1;
532 }
533 return 0;
534 }
535 #endif /* MBEDTLS_TEST_HOOKS */
536
537 /**
538 * \brief This macro checks if the remaining size in a buffer is
539 * greater or equal than a needed space. If it is not the case,
540 * it returns an SSL_BUFFER_TOO_SMALL error.
541 *
542 * \param cur Pointer to the current position in the buffer.
543 * \param end Pointer to one past the end of the buffer.
544 * \param need Needed space in bytes.
545 *
546 */
547 #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \
548 do { \
549 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
550 { \
551 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \
552 } \
553 } while (0)
554
555 /**
556 * \brief This macro checks if the remaining length in an input buffer is
557 * greater or equal than a needed length. If it is not the case, it
558 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
559 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
560 *
561 * This is a function-like macro. It is guaranteed to evaluate each
562 * argument exactly once.
563 *
564 * \param cur Pointer to the current position in the buffer.
565 * \param end Pointer to one past the end of the buffer.
566 * \param need Needed length in bytes.
567 *
568 */
569 #define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \
570 do { \
571 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
572 { \
573 MBEDTLS_SSL_DEBUG_MSG(1, \
574 ("missing input data in %s", __func__)); \
575 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
576 MBEDTLS_ERR_SSL_DECODE_ERROR); \
577 return MBEDTLS_ERR_SSL_DECODE_ERROR; \
578 } \
579 } while (0)
580
581 #ifdef __cplusplus
582 extern "C" {
583 #endif
584
585 typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
586 const char *label,
587 const unsigned char *random, size_t rlen,
588 unsigned char *dstbuf, size_t dlen);
589
590 /* cipher.h exports the maximum IV, key and block length from
591 * all ciphers enabled in the config, regardless of whether those
592 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
593 * in the default configuration and uses 64 Byte keys, but it is
594 * not used for record protection in SSL/TLS.
595 *
596 * In order to prevent unnecessary inflation of key structures,
597 * we introduce SSL-specific variants of the max-{key,block,IV}
598 * macros here which are meant to only take those ciphers into
599 * account which can be negotiated in SSL/TLS.
600 *
601 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
602 * in cipher.h are rough overapproximations of the real maxima, here
603 * we content ourselves with replicating those overapproximations
604 * for the maximum block and IV length, and excluding XTS from the
605 * computation of the maximum key length. */
606 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
607 #define MBEDTLS_SSL_MAX_IV_LENGTH 16
608 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32
609
610 /**
611 * \brief The data structure holding the cryptographic material (key and IV)
612 * used for record protection in TLS 1.3.
613 */
614 struct mbedtls_ssl_key_set {
615 /*! The key for client->server records. */
616 unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
617 /*! The key for server->client records. */
618 unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
619 /*! The IV for client->server records. */
620 unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
621 /*! The IV for server->client records. */
622 unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
623
624 size_t key_len; /*!< The length of client_write_key and
625 * server_write_key, in Bytes. */
626 size_t iv_len; /*!< The length of client_write_iv and
627 * server_write_iv, in Bytes. */
628 };
629 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
630
631 typedef struct {
632 unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE];
633 unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
634 unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
635 } mbedtls_ssl_tls13_early_secrets;
636
637 typedef struct {
638 unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
639 unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
640 } mbedtls_ssl_tls13_handshake_secrets;
641
642 /*
643 * This structure contains the parameters only needed during handshake.
644 */
645 struct mbedtls_ssl_handshake_params {
646 /* Frequently-used boolean or byte fields (placed early to take
647 * advantage of smaller code size for indirect access on Arm Thumb) */
648 uint8_t resume; /*!< session resume indicator*/
649 uint8_t cli_exts; /*!< client extension presence*/
650
651 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
652 uint8_t sni_authmode; /*!< authmode from SNI callback */
653 #endif
654
655 #if defined(MBEDTLS_SSL_SRV_C)
656 /* Flag indicating if a CertificateRequest message has been sent
657 * to the client or not. */
658 uint8_t certificate_request_sent;
659 #if defined(MBEDTLS_SSL_EARLY_DATA)
660 /* Flag indicating if the server has accepted early data or not. */
661 uint8_t early_data_accepted;
662 #endif
663 #endif /* MBEDTLS_SSL_SRV_C */
664
665 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
666 uint8_t new_session_ticket; /*!< use NewSessionTicket? */
667 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
668
669 #if defined(MBEDTLS_SSL_CLI_C)
670 /** Minimum TLS version to be negotiated.
671 *
672 * It is set up in the ClientHello writing preparation stage and used
673 * throughout the ClientHello writing. Not relevant anymore as soon as
674 * the protocol version has been negotiated thus as soon as the
675 * ServerHello is received.
676 * For a fresh handshake not linked to any previous handshake, it is
677 * equal to the configured minimum minor version to be negotiated. When
678 * renegotiating or resuming a session, it is equal to the previously
679 * negotiated minor version.
680 *
681 * There is no maximum TLS version field in this handshake context.
682 * From the start of the handshake, we need to define a current protocol
683 * version for the record layer which we define as the maximum TLS
684 * version to be negotiated. The `tls_version` field of the SSL context is
685 * used to store this maximum value until it contains the actual
686 * negotiated value.
687 */
688 mbedtls_ssl_protocol_version min_tls_version;
689 #endif
690
691 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
692 uint8_t extended_ms; /*!< use Extended Master Secret? */
693 #endif
694
695 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
696 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
697 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
698
699 #if defined(MBEDTLS_SSL_PROTO_DTLS)
700 unsigned char retransmit_state; /*!< Retransmission state */
701 #endif
702
703 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
704 unsigned char group_list_heap_allocated;
705 unsigned char sig_algs_heap_allocated;
706 #endif
707
708 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
709 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
710 enum { /* this complements ssl->state with info on intra-state operations */
711 ssl_ecrs_none = 0, /*!< nothing going on (yet) */
712 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
713 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
714 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
715 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
716 } ecrs_state; /*!< current (or last) operation */
717 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
718 size_t ecrs_n; /*!< place for saving a length */
719 #endif
720
721 mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
722
723 MBEDTLS_CHECK_RETURN_CRITICAL
724 int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
725 MBEDTLS_CHECK_RETURN_CRITICAL
726 int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
727 MBEDTLS_CHECK_RETURN_CRITICAL
728 int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
729 mbedtls_ssl_tls_prf_cb *tls_prf;
730
731 /*
732 * Handshake specific crypto variables
733 */
734 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
735 uint8_t key_exchange_mode; /*!< Selected key exchange mode */
736
737 /**
738 * Flag indicating if, in the course of the current handshake, an
739 * HelloRetryRequest message has been sent by the server or received by
740 * the client (<> 0) or not (0).
741 */
742 uint8_t hello_retry_request_flag;
743
744 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
745 /**
746 * Flag indicating if, in the course of the current handshake, a dummy
747 * change_cipher_spec (CCS) record has already been sent. Used to send only
748 * one CCS per handshake while not complicating the handshake state
749 * transitions for that purpose.
750 */
751 uint8_t ccs_sent;
752 #endif
753
754 #if defined(MBEDTLS_SSL_SRV_C)
755 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
756 uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
757 #endif
758 /** selected_group of key_share extension in HelloRetryRequest message. */
759 uint16_t hrr_selected_group;
760 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
761 uint16_t new_session_tickets_count; /*!< number of session tickets */
762 #endif
763 #endif /* MBEDTLS_SSL_SRV_C */
764
765 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
766
767 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
768 uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
769 #endif
770
771 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
772 const uint16_t *group_list;
773 const uint16_t *sig_algs;
774 #endif
775
776 #if defined(MBEDTLS_DHM_C)
777 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
778 #endif
779
780 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
781 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
782 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
783 #endif /* !MBEDTLS_USE_PSA_CRYPTO &&
784 MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
785
786 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
787 psa_key_type_t xxdh_psa_type;
788 size_t xxdh_psa_bits;
789 mbedtls_svc_key_id_t xxdh_psa_privkey;
790 uint8_t xxdh_psa_privkey_is_external;
791 unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
792 size_t xxdh_psa_peerkey_len;
793 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
794
795 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
796 #if defined(MBEDTLS_USE_PSA_CRYPTO)
797 psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */
798 mbedtls_svc_key_id_t psa_pake_password;
799 uint8_t psa_pake_ctx_is_ok;
800 #else
801 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
802 #endif /* MBEDTLS_USE_PSA_CRYPTO */
803 #if defined(MBEDTLS_SSL_CLI_C)
804 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
805 size_t ecjpake_cache_len; /*!< Length of cached data */
806 #endif
807 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
808
809 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
810 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) || \
811 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
812 uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */
813 #endif
814
815 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
816 #if defined(MBEDTLS_USE_PSA_CRYPTO)
817 mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
818 uint8_t psk_opaque_is_internal;
819 #else
820 unsigned char *psk; /*!< PSK from the callback */
821 size_t psk_len; /*!< Length of PSK from callback */
822 #endif /* MBEDTLS_USE_PSA_CRYPTO */
823 uint16_t selected_identity;
824 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
825
826 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
827 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
828 #endif
829
830 #if defined(MBEDTLS_X509_CRT_PARSE_C)
831 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
832 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
833 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
834 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
835 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
836 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
837 #endif /* MBEDTLS_X509_CRT_PARSE_C */
838
839 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
840 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
841 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
842 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
843
844 struct {
845 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
846 * buffers used for message buffering. */
847
848 uint8_t seen_ccs; /*!< Indicates if a CCS message has
849 * been seen in the current flight. */
850
851 struct mbedtls_ssl_hs_buffer {
852 unsigned is_valid : 1;
853 unsigned is_fragmented : 1;
854 unsigned is_complete : 1;
855 unsigned char *data;
856 size_t data_len;
857 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
858
859 struct {
860 unsigned char *data;
861 size_t len;
862 unsigned epoch;
863 } future_record;
864
865 } buffering;
866
867 #if defined(MBEDTLS_SSL_CLI_C) && \
868 (defined(MBEDTLS_SSL_PROTO_DTLS) || \
869 defined(MBEDTLS_SSL_PROTO_TLS1_3))
870 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
871 * HelloRetryRequest cookie for TLS 1.3 */
872 #if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
873 /* RFC 6347 page 15
874 ...
875 opaque cookie<0..2^8-1>;
876 ...
877 */
878 uint8_t cookie_len;
879 #else
880 /* RFC 8446 page 39
881 ...
882 opaque cookie<0..2^16-1>;
883 ...
884 If TLS1_3 is enabled, the max length is 2^16 - 1
885 */
886 uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length
887 * TLS1_3: HelloRetryRequest cookie length */
888 #endif
889 #endif /* MBEDTLS_SSL_CLI_C &&
890 ( MBEDTLS_SSL_PROTO_DTLS ||
891 MBEDTLS_SSL_PROTO_TLS1_3 ) */
892 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS)
893 unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */
894 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */
895
896 #if defined(MBEDTLS_SSL_PROTO_DTLS)
897 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
898 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
899
900 uint32_t retransmit_timeout; /*!< Current value of timeout */
901 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
902 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
903 unsigned char *cur_msg_p; /*!< Position in current message */
904 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
905 flight being received */
906 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
907 resending messages */
908 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
909 for resending messages */
910
911 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
912 /* The state of CID configuration in this handshake. */
913
914 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
915 * has been negotiated. Possible values are
916 * #MBEDTLS_SSL_CID_ENABLED and
917 * #MBEDTLS_SSL_CID_DISABLED. */
918 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */
919 uint8_t peer_cid_len; /*!< The length of
920 * \c peer_cid. */
921 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
922
923 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
924 #endif /* MBEDTLS_SSL_PROTO_DTLS */
925
926 /*
927 * Checksum contexts
928 */
929 #if defined(MBEDTLS_MD_CAN_SHA256)
930 #if defined(MBEDTLS_USE_PSA_CRYPTO)
931 psa_hash_operation_t fin_sha256_psa;
932 #else
933 mbedtls_md_context_t fin_sha256;
934 #endif
935 #endif
936 #if defined(MBEDTLS_MD_CAN_SHA384)
937 #if defined(MBEDTLS_USE_PSA_CRYPTO)
938 psa_hash_operation_t fin_sha384_psa;
939 #else
940 mbedtls_md_context_t fin_sha384;
941 #endif
942 #endif
943
944 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
945 uint16_t offered_group_id; /* The NamedGroup value for the group
946 * that is being used for ephemeral
947 * key exchange.
948 *
949 * On the client: Defaults to the first
950 * entry in the client's group list,
951 * but can be overwritten by the HRR. */
952 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
953
954 #if defined(MBEDTLS_SSL_CLI_C)
955 uint8_t client_auth; /*!< used to check if CertificateRequest has been
956 received from server side. If CertificateRequest
957 has been received, Certificate and CertificateVerify
958 should be sent to server */
959 #endif /* MBEDTLS_SSL_CLI_C */
960 /*
961 * State-local variables used during the processing
962 * of a specific handshake state.
963 */
964 union {
965 /* Outgoing Finished message */
966 struct {
967 uint8_t preparation_done;
968
969 /* Buffer holding digest of the handshake up to
970 * but excluding the outgoing finished message. */
971 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
972 size_t digest_len;
973 } finished_out;
974
975 /* Incoming Finished message */
976 struct {
977 uint8_t preparation_done;
978
979 /* Buffer holding digest of the handshake up to but
980 * excluding the peer's incoming finished message. */
981 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
982 size_t digest_len;
983 } finished_in;
984
985 } state_local;
986
987 /* End of state-local variables. */
988
989 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
990 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
991 /*!< random bytes */
992 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
993 unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
994 /*!< premaster secret */
995 size_t pmslen; /*!< premaster length */
996 #endif
997
998 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
999 uint32_t sent_extensions; /*!< extensions sent by endpoint */
1000 uint32_t received_extensions; /*!< extensions received by endpoint */
1001
1002 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1003 unsigned char certificate_request_context_len;
1004 unsigned char *certificate_request_context;
1005 #endif
1006
1007 /** TLS 1.3 transform for encrypted handshake messages. */
1008 mbedtls_ssl_transform *transform_handshake;
1009 union {
1010 unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE];
1011 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
1012 unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE];
1013 } tls13_master_secrets;
1014
1015 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
1016 #if defined(MBEDTLS_SSL_EARLY_DATA)
1017 /** TLS 1.3 transform for early data and handshake messages. */
1018 mbedtls_ssl_transform *transform_earlydata;
1019 #endif
1020 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1021
1022 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
1023 /** Asynchronous operation context. This field is meant for use by the
1024 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
1025 * mbedtls_ssl_config::f_async_decrypt_start,
1026 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
1027 * The library does not use it internally. */
1028 void *user_async_ctx;
1029 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
1030
1031 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
1032 const unsigned char *sni_name; /*!< raw SNI */
1033 size_t sni_name_len; /*!< raw SNI len */
1034 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
1035 const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
1036 #endif
1037 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
1038 };
1039
1040 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
1041
1042 /*
1043 * Representation of decryption/encryption transformations on records
1044 *
1045 * There are the following general types of record transformations:
1046 * - Stream transformations (TLS versions == 1.2 only)
1047 * Transformation adding a MAC and applying a stream-cipher
1048 * to the authenticated message.
1049 * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
1050 * For TLS 1.2, no IV is generated at key extraction time, but every
1051 * encrypted record is explicitly prefixed by the IV with which it was
1052 * encrypted.
1053 * - AEAD transformations ([D]TLS versions == 1.2 only)
1054 * These come in two fundamentally different versions, the first one
1055 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
1056 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
1057 * In the first transformation, the IV to be used for a record is obtained
1058 * as the concatenation of an explicit, static 4-byte IV and the 8-byte
1059 * record sequence number, and explicitly prepending this sequence number
1060 * to the encrypted record. In contrast, in the second transformation
1061 * the IV is obtained by XOR'ing a static IV obtained at key extraction
1062 * time with the 8-byte record sequence number, without prepending the
1063 * latter to the encrypted record.
1064 *
1065 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
1066 * which allows to add flexible length padding and to hide a record's true
1067 * content type.
1068 *
1069 * In addition to type and version, the following parameters are relevant:
1070 * - The symmetric cipher algorithm to be used.
1071 * - The (static) encryption/decryption keys for the cipher.
1072 * - For stream/CBC, the type of message digest to be used.
1073 * - For stream/CBC, (static) encryption/decryption keys for the digest.
1074 * - For AEAD transformations, the size (potentially 0) of an explicit,
1075 * random initialization vector placed in encrypted records.
1076 * - For some transformations (currently AEAD) an implicit IV. It is static
1077 * and (if present) is combined with the explicit IV in a transformation-
1078 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
1079 * - For stream/CBC, a flag determining the order of encryption and MAC.
1080 * - The details of the transformation depend on the SSL/TLS version.
1081 * - The length of the authentication tag.
1082 *
1083 * The struct below refines this abstract view as follows:
1084 * - The cipher underlying the transformation is managed in
1085 * cipher contexts cipher_ctx_{enc/dec}, which must have the
1086 * same cipher type. The mode of these cipher contexts determines
1087 * the type of the transformation in the sense above: e.g., if
1088 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
1089 * then the transformation has type CBC resp. AEAD.
1090 * - The cipher keys are never stored explicitly but
1091 * are maintained within cipher_ctx_{enc/dec}.
1092 * - For stream/CBC transformations, the message digest contexts
1093 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
1094 * are unused for AEAD transformations.
1095 * - For stream/CBC transformations, the MAC keys are not stored explicitly
1096 * but maintained within md_ctx_{enc/dec}.
1097 * - The mac_enc and mac_dec fields are unused for EAD transformations.
1098 * - For transformations using an implicit IV maintained within
1099 * the transformation context, its contents are stored within
1100 * iv_{enc/dec}.
1101 * - The value of ivlen indicates the length of the IV.
1102 * This is redundant in case of stream/CBC transformations
1103 * which always use 0 resp. the cipher's block length as the
1104 * IV length, but is needed for AEAD ciphers and may be
1105 * different from the underlying cipher's block length
1106 * in this case.
1107 * - The field fixed_ivlen is nonzero for AEAD transformations only
1108 * and indicates the length of the static part of the IV which is
1109 * constant throughout the communication, and which is stored in
1110 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
1111 * - tls_version denotes the 2-byte TLS version
1112 * - For stream/CBC transformations, maclen denotes the length of the
1113 * authentication tag, while taglen is unused and 0.
1114 * - For AEAD transformations, taglen denotes the length of the
1115 * authentication tag, while maclen is unused and 0.
1116 * - For CBC transformations, encrypt_then_mac determines the
1117 * order of encryption and authentication. This field is unused
1118 * in other transformations.
1119 *
1120 */
1121 struct mbedtls_ssl_transform {
1122 /*
1123 * Session specific crypto layer
1124 */
1125 size_t minlen; /*!< min. ciphertext length */
1126 size_t ivlen; /*!< IV length */
1127 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
1128 size_t maclen; /*!< MAC(CBC) len */
1129 size_t taglen; /*!< TAG(AEAD) len */
1130
1131 unsigned char iv_enc[16]; /*!< IV (encryption) */
1132 unsigned char iv_dec[16]; /*!< IV (decryption) */
1133
1134 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1135
1136 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1137 mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
1138 mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
1139 psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
1140 #else
1141 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
1142 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
1143 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1144
1145 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
1146 int encrypt_then_mac; /*!< flag for EtM activation */
1147 #endif
1148
1149 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
1150
1151 mbedtls_ssl_protocol_version tls_version;
1152
1153 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1154 mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
1155 mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
1156 psa_algorithm_t psa_alg; /*!< psa algorithm */
1157 #else
1158 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
1159 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
1160 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1161
1162 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1163 uint8_t in_cid_len;
1164 uint8_t out_cid_len;
1165 unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
1166 unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
1167 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1168
1169 #if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
1170 /* We need the Hello random bytes in order to re-derive keys from the
1171 * Master Secret and other session info and for the keying material
1172 * exporter in TLS 1.2.
1173 * See ssl_tls12_populate_transform() */
1174 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
1175 MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
1176 /*!< ServerHello.random+ClientHello.random */
1177 #endif /* defined(MBEDTLS_SSL_KEEP_RANDBYTES) */
1178 };
1179
1180 /*
1181 * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
1182 * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
1183 */
mbedtls_ssl_transform_uses_aead(const mbedtls_ssl_transform * transform)1184 static inline int mbedtls_ssl_transform_uses_aead(
1185 const mbedtls_ssl_transform *transform)
1186 {
1187 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
1188 return transform->maclen == 0 && transform->taglen != 0;
1189 #else
1190 (void) transform;
1191 return 1;
1192 #endif
1193 }
1194
1195 /*
1196 * Internal representation of record frames
1197 *
1198 * Instances come in two flavors:
1199 * (1) Encrypted
1200 * These always have data_offset = 0
1201 * (2) Unencrypted
1202 * These have data_offset set to the amount of
1203 * pre-expansion during record protection. Concretely,
1204 * this is the length of the fixed part of the explicit IV
1205 * used for encryption, or 0 if no explicit IV is used
1206 * (e.g. for stream ciphers).
1207 *
1208 * The reason for the data_offset in the unencrypted case
1209 * is to allow for in-place conversion of an unencrypted to
1210 * an encrypted record. If the offset wasn't included, the
1211 * encrypted content would need to be shifted afterwards to
1212 * make space for the fixed IV.
1213 *
1214 */
1215 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
1216 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
1217 #else
1218 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
1219 #endif
1220
1221 typedef struct {
1222 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
1223 * In DTLS: The 2-byte epoch followed by
1224 * the 6-byte sequence number.
1225 * This is stored as a raw big endian byte array
1226 * as opposed to a uint64_t because we rarely
1227 * need to perform arithmetic on this, but do
1228 * need it as a Byte array for the purpose of
1229 * MAC computations. */
1230 uint8_t type; /* The record content type. */
1231 uint8_t ver[2]; /* SSL/TLS version as present on the wire.
1232 * Convert to internal presentation of versions
1233 * using mbedtls_ssl_read_version() and
1234 * mbedtls_ssl_write_version().
1235 * Keep wire-format for MAC computations. */
1236
1237 unsigned char *buf; /* Memory buffer enclosing the record content */
1238 size_t buf_len; /* Buffer length */
1239 size_t data_offset; /* Offset of record content */
1240 size_t data_len; /* Length of record content */
1241
1242 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1243 uint8_t cid_len; /* Length of the CID (0 if not present) */
1244 unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */
1245 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1246 } mbedtls_record;
1247
1248 #if defined(MBEDTLS_X509_CRT_PARSE_C)
1249 /*
1250 * List of certificate + private key pairs
1251 */
1252 struct mbedtls_ssl_key_cert {
1253 mbedtls_x509_crt *cert; /*!< cert */
1254 mbedtls_pk_context *key; /*!< private key */
1255 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
1256 };
1257 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1258
1259 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1260 /*
1261 * List of handshake messages kept around for resending
1262 */
1263 struct mbedtls_ssl_flight_item {
1264 unsigned char *p; /*!< message, including handshake headers */
1265 size_t len; /*!< length of p */
1266 unsigned char type; /*!< type of the message: handshake or CCS */
1267 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
1268 };
1269 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1270
1271 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1272 /**
1273 * \brief Given an SSL context and its associated configuration, write the TLS
1274 * 1.2 specific extensions of the ClientHello message.
1275 *
1276 * \param[in] ssl SSL context
1277 * \param[in] buf Base address of the buffer where to write the extensions
1278 * \param[in] end End address of the buffer where to write the extensions
1279 * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve
1280 * (<> 0) or not ( 0 ).
1281 * \param[out] out_len Length of the data written into the buffer \p buf
1282 */
1283 MBEDTLS_CHECK_RETURN_CRITICAL
1284 int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
1285 unsigned char *buf,
1286 const unsigned char *end,
1287 int uses_ec,
1288 size_t *out_len);
1289 #endif
1290
1291 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
1292 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
1293
1294 /**
1295 * \brief Find the preferred hash for a given signature algorithm.
1296 *
1297 * \param[in] ssl SSL context
1298 * \param[in] sig_alg A signature algorithm identifier as defined in the
1299 * TLS 1.2 SignatureAlgorithm enumeration.
1300 *
1301 * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
1302 * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
1303 */
1304 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
1305 mbedtls_ssl_context *ssl,
1306 unsigned int sig_alg);
1307
1308 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
1309 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
1310
1311 /**
1312 * \brief Free referenced items in an SSL transform context and clear
1313 * memory
1314 *
1315 * \param transform SSL transform context
1316 */
1317 void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
1318
1319 /**
1320 * \brief Free referenced items in an SSL handshake context and clear
1321 * memory
1322 *
1323 * \param ssl SSL context
1324 */
1325 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
1326
1327 /* set inbound transform of ssl context */
1328 void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl,
1329 mbedtls_ssl_transform *transform);
1330
1331 /* set outbound transform of ssl context */
1332 void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl,
1333 mbedtls_ssl_transform *transform);
1334
1335 MBEDTLS_CHECK_RETURN_CRITICAL
1336 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
1337 MBEDTLS_CHECK_RETURN_CRITICAL
1338 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
1339 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
1340
1341 #if defined(MBEDTLS_DEBUG_C)
1342 /* Declared in "ssl_debug_helpers.h". We can't include this file from
1343 * "ssl_misc.h" because it includes "ssl_misc.h" because it needs some
1344 * type definitions. TODO: split the type definitions and the helper
1345 * functions into different headers.
1346 */
1347 const char *mbedtls_ssl_states_str(mbedtls_ssl_states state);
1348 #endif
1349
mbedtls_ssl_handshake_set_state(mbedtls_ssl_context * ssl,mbedtls_ssl_states state)1350 static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
1351 mbedtls_ssl_states state)
1352 {
1353 MBEDTLS_SSL_DEBUG_MSG(3, ("handshake state: %d (%s) -> %d (%s)",
1354 ssl->state, mbedtls_ssl_states_str(ssl->state),
1355 (int) state, mbedtls_ssl_states_str(state)));
1356 ssl->state = (int) state;
1357 }
1358
mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context * ssl)1359 static inline void mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context *ssl)
1360 {
1361 mbedtls_ssl_handshake_set_state(ssl, ssl->state + 1);
1362 }
1363
1364 MBEDTLS_CHECK_RETURN_CRITICAL
1365 int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
1366
1367 MBEDTLS_CHECK_RETURN_CRITICAL
1368 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
1369
1370 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1371 MBEDTLS_CHECK_RETURN_CRITICAL
1372 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
1373 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1374
1375 MBEDTLS_CHECK_RETURN_CRITICAL
1376 int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
1377 MBEDTLS_CHECK_RETURN_CRITICAL
1378 int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
1379 MBEDTLS_CHECK_RETURN_CRITICAL
1380 int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
1381
1382 /**
1383 * \brief Update record layer
1384 *
1385 * This function roughly separates the implementation
1386 * of the logic of (D)TLS from the implementation
1387 * of the secure transport.
1388 *
1389 * \param ssl The SSL context to use.
1390 * \param update_hs_digest This indicates if the handshake digest
1391 * should be automatically updated in case
1392 * a handshake message is found.
1393 *
1394 * \return 0 or non-zero error code.
1395 *
1396 * \note A clarification on what is called 'record layer' here
1397 * is in order, as many sensible definitions are possible:
1398 *
1399 * The record layer takes as input an untrusted underlying
1400 * transport (stream or datagram) and transforms it into
1401 * a serially multiplexed, secure transport, which
1402 * conceptually provides the following:
1403 *
1404 * (1) Three datagram based, content-agnostic transports
1405 * for handshake, alert and CCS messages.
1406 * (2) One stream- or datagram-based transport
1407 * for application data.
1408 * (3) Functionality for changing the underlying transform
1409 * securing the contents.
1410 *
1411 * The interface to this functionality is given as follows:
1412 *
1413 * a Updating
1414 * [Currently implemented by mbedtls_ssl_read_record]
1415 *
1416 * Check if and on which of the four 'ports' data is pending:
1417 * Nothing, a controlling datagram of type (1), or application
1418 * data (2). In any case data is present, internal buffers
1419 * provide access to the data for the user to process it.
1420 * Consumption of type (1) datagrams is done automatically
1421 * on the next update, invalidating that the internal buffers
1422 * for previous datagrams, while consumption of application
1423 * data (2) is user-controlled.
1424 *
1425 * b Reading of application data
1426 * [Currently manual adaption of ssl->in_offt pointer]
1427 *
1428 * As mentioned in the last paragraph, consumption of data
1429 * is different from the automatic consumption of control
1430 * datagrams (1) because application data is treated as a stream.
1431 *
1432 * c Tracking availability of application data
1433 * [Currently manually through decreasing ssl->in_msglen]
1434 *
1435 * For efficiency and to retain datagram semantics for
1436 * application data in case of DTLS, the record layer
1437 * provides functionality for checking how much application
1438 * data is still available in the internal buffer.
1439 *
1440 * d Changing the transformation securing the communication.
1441 *
1442 * Given an opaque implementation of the record layer in the
1443 * above sense, it should be possible to implement the logic
1444 * of (D)TLS on top of it without the need to know anything
1445 * about the record layer's internals. This is done e.g.
1446 * in all the handshake handling functions, and in the
1447 * application data reading function mbedtls_ssl_read.
1448 *
1449 * \note The above tries to give a conceptual picture of the
1450 * record layer, but the current implementation deviates
1451 * from it in some places. For example, our implementation of
1452 * the update functionality through mbedtls_ssl_read_record
1453 * discards datagrams depending on the current state, which
1454 * wouldn't fall under the record layer's responsibility
1455 * following the above definition.
1456 *
1457 */
1458 MBEDTLS_CHECK_RETURN_CRITICAL
1459 int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
1460 unsigned update_hs_digest);
1461 MBEDTLS_CHECK_RETURN_CRITICAL
1462 int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
1463
1464 /*
1465 * Write handshake message header
1466 */
1467 MBEDTLS_CHECK_RETURN_CRITICAL
1468 int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type,
1469 unsigned char **buf, size_t *buf_len);
1470
1471 MBEDTLS_CHECK_RETURN_CRITICAL
1472 int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
1473 int update_checksum,
1474 int force_flush);
mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context * ssl)1475 static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
1476 {
1477 return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */);
1478 }
1479
1480 /*
1481 * Write handshake message tail
1482 */
1483 MBEDTLS_CHECK_RETURN_CRITICAL
1484 int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl,
1485 size_t buf_len, size_t msg_len);
1486
1487 MBEDTLS_CHECK_RETURN_CRITICAL
1488 int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush);
1489 MBEDTLS_CHECK_RETURN_CRITICAL
1490 int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
1491
1492 MBEDTLS_CHECK_RETURN_CRITICAL
1493 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
1494 MBEDTLS_CHECK_RETURN_CRITICAL
1495 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
1496
1497 MBEDTLS_CHECK_RETURN_CRITICAL
1498 int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
1499 MBEDTLS_CHECK_RETURN_CRITICAL
1500 int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
1501
1502 MBEDTLS_CHECK_RETURN_CRITICAL
1503 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
1504 MBEDTLS_CHECK_RETURN_CRITICAL
1505 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
1506
1507 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
1508 const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
1509
1510 /*
1511 * Update checksum of handshake messages.
1512 */
1513 MBEDTLS_CHECK_RETURN_CRITICAL
1514 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
1515 unsigned hs_type,
1516 unsigned char const *msg,
1517 size_t msg_len);
1518
1519 MBEDTLS_CHECK_RETURN_CRITICAL
1520 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
1521 unsigned hs_type,
1522 size_t total_hs_len);
1523
1524 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
1525 #if !defined(MBEDTLS_USE_PSA_CRYPTO)
1526 MBEDTLS_CHECK_RETURN_CRITICAL
1527 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl,
1528 mbedtls_key_exchange_type_t key_ex);
1529 #endif /* !MBEDTLS_USE_PSA_CRYPTO */
1530 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
1531
1532 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
1533 #if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C)
1534 MBEDTLS_CHECK_RETURN_CRITICAL
1535 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
1536 #endif
1537 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1538 /**
1539 * Get the first defined opaque PSK by order of precedence:
1540 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
1541 * callback
1542 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
1543 * Return an opaque PSK
1544 */
mbedtls_ssl_get_opaque_psk(const mbedtls_ssl_context * ssl)1545 static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
1546 const mbedtls_ssl_context *ssl)
1547 {
1548 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
1549 return ssl->handshake->psk_opaque;
1550 }
1551
1552 if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
1553 return ssl->conf->psk_opaque;
1554 }
1555
1556 return MBEDTLS_SVC_KEY_ID_INIT;
1557 }
1558 #else
1559 /**
1560 * Get the first defined PSK by order of precedence:
1561 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
1562 * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
1563 * Return a code and update the pair (PSK, PSK length) passed to this function
1564 */
mbedtls_ssl_get_psk(const mbedtls_ssl_context * ssl,const unsigned char ** psk,size_t * psk_len)1565 static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
1566 const unsigned char **psk, size_t *psk_len)
1567 {
1568 if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
1569 *psk = ssl->handshake->psk;
1570 *psk_len = ssl->handshake->psk_len;
1571 } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
1572 *psk = ssl->conf->psk;
1573 *psk_len = ssl->conf->psk_len;
1574 } else {
1575 *psk = NULL;
1576 *psk_len = 0;
1577 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
1578 }
1579
1580 return 0;
1581 }
1582 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1583
1584 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
1585
1586 #if defined(MBEDTLS_PK_C)
1587 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
1588 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
1589 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
1590 #endif
1591
1592 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
1593 unsigned char mbedtls_ssl_hash_from_md_alg(int md);
1594
1595 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1596 MBEDTLS_CHECK_RETURN_CRITICAL
1597 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
1598 #endif
1599
1600 MBEDTLS_CHECK_RETURN_CRITICAL
1601 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
1602 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
1603 MBEDTLS_CHECK_RETURN_CRITICAL
1604 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
1605 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
1606
1607 /**
1608 * \brief Return PSA EC info for the specified TLS ID.
1609 *
1610 * \param tls_id The TLS ID to look for
1611 * \param type If the TLD ID is supported, then proper \c psa_key_type_t
1612 * value is returned here. Can be NULL.
1613 * \param bits If the TLD ID is supported, then proper bit size is returned
1614 * here. Can be NULL.
1615 * \return PSA_SUCCESS if the TLS ID is supported,
1616 * PSA_ERROR_NOT_SUPPORTED otherwise
1617 *
1618 * \note If either \c family or \c bits parameters are NULL, then
1619 * the corresponding value is not returned.
1620 * The function can be called with both parameters as NULL
1621 * simply to check if a specific TLS ID is supported.
1622 */
1623 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
1624 psa_key_type_t *type,
1625 size_t *bits);
1626
1627 /**
1628 * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID.
1629 *
1630 * \param tls_id The TLS ID to look for
1631 * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported,
1632 * or MBEDTLS_ECP_DP_NONE otherwise
1633 */
1634 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id);
1635
1636 /**
1637 * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id.
1638 *
1639 * \param grp_id The \c mbedtls_ecp_group_id ID to look for
1640 * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported,
1641 * or 0 otherwise
1642 */
1643 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id);
1644
1645 #if defined(MBEDTLS_DEBUG_C)
1646 /**
1647 * \brief Return EC's name for the specified TLS ID.
1648 *
1649 * \param tls_id The TLS ID to look for
1650 * \return A pointer to a const string with the proper name. If TLS
1651 * ID is not supported, a NULL pointer is returned instead.
1652 */
1653 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id);
1654 #endif
1655
1656 #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_check_srtp_profile_value(const uint16_t srtp_profile_value)1657 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
1658 (const uint16_t srtp_profile_value)
1659 {
1660 switch (srtp_profile_value) {
1661 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
1662 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
1663 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
1664 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
1665 return srtp_profile_value;
1666 default: break;
1667 }
1668 return MBEDTLS_TLS_SRTP_UNSET;
1669 }
1670 #endif
1671
1672 #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)1673 static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
1674 {
1675 mbedtls_ssl_key_cert *key_cert;
1676
1677 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
1678 key_cert = ssl->handshake->key_cert;
1679 } else {
1680 key_cert = ssl->conf->key_cert;
1681 }
1682
1683 return key_cert == NULL ? NULL : key_cert->key;
1684 }
1685
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)1686 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
1687 {
1688 mbedtls_ssl_key_cert *key_cert;
1689
1690 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
1691 key_cert = ssl->handshake->key_cert;
1692 } else {
1693 key_cert = ssl->conf->key_cert;
1694 }
1695
1696 return key_cert == NULL ? NULL : key_cert->cert;
1697 }
1698
1699 /*
1700 * Verify a certificate.
1701 *
1702 * [in/out] ssl: misc. things read
1703 * ssl->session_negotiate->verify_result updated
1704 * [in] authmode: one of MBEDTLS_SSL_VERIFY_{NONE,OPTIONAL,REQUIRED}
1705 * [in] chain: the certificate chain to verify (ie the peer's chain)
1706 * [in] ciphersuite_info: For TLS 1.2, this session's ciphersuite;
1707 * for TLS 1.3, may be left NULL.
1708 * [in] rs_ctx: restart context if restartable ECC is in use;
1709 * leave NULL for no restartable behaviour.
1710 *
1711 * Return:
1712 * - 0 if the handshake should continue. Depending on the
1713 * authmode it means:
1714 * - REQUIRED: the certificate was found to be valid, trusted & acceptable.
1715 * ssl->session_negotiate->verify_result is 0.
1716 * - OPTIONAL: the certificate may or may not be acceptable, but
1717 * ssl->session_negotiate->verify_result was updated with the result.
1718 * - NONE: the certificate wasn't even checked.
1719 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED or MBEDTLS_ERR_SSL_BAD_CERTIFICATE if
1720 * the certificate was found to be invalid/untrusted/unacceptable and the
1721 * handshake should be aborted (can only happen with REQUIRED).
1722 * - another error code if another error happened (out-of-memory, etc.)
1723 */
1724 MBEDTLS_CHECK_RETURN_CRITICAL
1725 int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
1726 int authmode,
1727 mbedtls_x509_crt *chain,
1728 const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
1729 void *rs_ctx);
1730
1731 /*
1732 * Check usage of a certificate wrt usage extensions:
1733 * keyUsage and extendedKeyUsage.
1734 * (Note: nSCertType is deprecated and not standard, we don't check it.)
1735 *
1736 * Note: if tls_version is 1.3, ciphersuite is ignored and can be NULL.
1737 *
1738 * Note: recv_endpoint is the receiver's endpoint.
1739 *
1740 * Return 0 if everything is OK, -1 if not.
1741 */
1742 MBEDTLS_CHECK_RETURN_CRITICAL
1743 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
1744 const mbedtls_ssl_ciphersuite_t *ciphersuite,
1745 int recv_endpoint,
1746 mbedtls_ssl_protocol_version tls_version,
1747 uint32_t *flags);
1748 #endif /* MBEDTLS_X509_CRT_PARSE_C */
1749
1750 void mbedtls_ssl_write_version(unsigned char version[2], int transport,
1751 mbedtls_ssl_protocol_version tls_version);
1752 uint16_t mbedtls_ssl_read_version(const unsigned char version[2],
1753 int transport);
1754
mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context * ssl)1755 static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl)
1756 {
1757 #if !defined(MBEDTLS_SSL_PROTO_DTLS)
1758 ((void) ssl);
1759 #endif
1760
1761 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1762 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1763 return 13;
1764 } else
1765 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1766 {
1767 return 5;
1768 }
1769 }
1770
mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context * ssl)1771 static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl)
1772 {
1773 return (size_t) (ssl->out_iv - ssl->out_hdr);
1774 }
1775
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)1776 static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
1777 {
1778 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1779 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1780 return 12;
1781 }
1782 #else
1783 ((void) ssl);
1784 #endif
1785 return 4;
1786 }
1787
1788 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1789 void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
1790 void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
1791 MBEDTLS_CHECK_RETURN_CRITICAL
1792 int mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
1793 MBEDTLS_CHECK_RETURN_CRITICAL
1794 int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
1795 #endif
1796
1797 /* Visible for testing purposes only */
1798 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1799 MBEDTLS_CHECK_RETURN_CRITICAL
1800 int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
1801 void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
1802 #endif
1803
1804 MBEDTLS_CHECK_RETURN_CRITICAL
1805 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
1806 const mbedtls_ssl_session *src);
1807
1808 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1809 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
1810 MBEDTLS_CHECK_RETURN_CRITICAL
1811 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
1812 unsigned char *hash, size_t *hashlen,
1813 unsigned char *data, size_t data_len,
1814 mbedtls_md_type_t md_alg);
1815 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1816
1817 #ifdef __cplusplus
1818 }
1819 #endif
1820
1821 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
1822 MBEDTLS_CHECK_RETURN_CRITICAL
1823 int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
1824 mbedtls_ssl_transform *transform,
1825 mbedtls_record *rec,
1826 int (*f_rng)(void *, unsigned char *, size_t),
1827 void *p_rng);
1828 MBEDTLS_CHECK_RETURN_CRITICAL
1829 int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
1830 mbedtls_ssl_transform *transform,
1831 mbedtls_record *rec);
1832
1833 /* Length of the "epoch" field in the record header */
mbedtls_ssl_ep_len(const mbedtls_ssl_context * ssl)1834 static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl)
1835 {
1836 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1837 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1838 return 2;
1839 }
1840 #else
1841 ((void) ssl);
1842 #endif
1843 return 0;
1844 }
1845
1846 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1847 MBEDTLS_CHECK_RETURN_CRITICAL
1848 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
1849 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1850
1851 void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
1852 MBEDTLS_CHECK_RETURN_CRITICAL
1853 int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
1854
1855 void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl);
1856 void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
1857 void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl);
1858 void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
1859 mbedtls_ssl_transform *transform);
1860
1861 MBEDTLS_CHECK_RETURN_CRITICAL
1862 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
1863 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
1864 int partial);
1865
1866 /*
1867 * Send pending alert
1868 */
1869 MBEDTLS_CHECK_RETURN_CRITICAL
1870 int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl);
1871
1872 /*
1873 * Set pending fatal alert flag.
1874 */
1875 void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl,
1876 unsigned char alert_type,
1877 int alert_reason);
1878
1879 /* Alias of mbedtls_ssl_pend_fatal_alert */
1880 #define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \
1881 mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value)
1882
1883 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
1884 void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
1885 #endif
1886
1887 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
1888
1889 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1890 MBEDTLS_CHECK_RETURN_CRITICAL
1891 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
1892 #endif /* MBEDTLS_SSL_RENEGOTIATION */
1893
1894 #if defined(MBEDTLS_SSL_PROTO_DTLS)
1895 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
1896 void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
1897 void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
1898 #endif /* MBEDTLS_SSL_PROTO_DTLS */
1899
1900 /**
1901 * ssl utils functions for checking configuration.
1902 */
1903
1904 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config * conf)1905 static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf)
1906 {
1907 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
1908 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
1909 }
1910
1911 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1912
1913 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config * conf)1914 static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf)
1915 {
1916 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1917 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2;
1918 }
1919
1920 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
1921
mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config * conf)1922 static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf)
1923 {
1924 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1925 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
1926 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3;
1927 #else
1928 ((void) conf);
1929 return 0;
1930 #endif
1931 }
1932
mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config * conf)1933 static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf)
1934 {
1935 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
1936 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
1937 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2;
1938 #else
1939 ((void) conf);
1940 return 0;
1941 #endif
1942 }
1943
1944 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config * conf)1945 static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf)
1946 {
1947 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
1948 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
1949 }
1950 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
1951
1952 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1953
1954 /** \brief Initialize the PSA crypto subsystem if necessary.
1955 *
1956 * Call this function before doing any cryptography in a TLS 1.3 handshake.
1957 *
1958 * This is necessary in Mbed TLS 3.x for backward compatibility.
1959 * Up to Mbed TLS 3.5, in the default configuration, you could perform
1960 * a TLS connection with default parameters without having called
1961 * psa_crypto_init(), since the TLS layer only supported TLS 1.2 and
1962 * did not use PSA crypto. (TLS 1.2 only uses PSA crypto if
1963 * MBEDTLS_USE_PSA_CRYPTO is enabled, which is not the case in the default
1964 * configuration.) Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled
1965 * by default, and the TLS 1.3 layer uses PSA crypto. This means that
1966 * applications that are not otherwise using PSA crypto and that worked
1967 * with Mbed TLS 3.5 started failing in TLS 3.6.0 if they connected to
1968 * a peer that supports TLS 1.3. See
1969 * https://github.com/Mbed-TLS/mbedtls/issues/9072
1970 */
1971 int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl);
1972
1973 extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
1974 MBEDTLS_SERVER_HELLO_RANDOM_LEN];
1975 MBEDTLS_CHECK_RETURN_CRITICAL
1976 int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl);
1977 MBEDTLS_CHECK_RETURN_CRITICAL
1978 int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl);
1979 void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl);
1980
1981 /**
1982 * \brief Given an SSL context and its associated configuration, write the TLS
1983 * 1.3 specific extensions of the ClientHello message.
1984 *
1985 * \param[in] ssl SSL context
1986 * \param[in] buf Base address of the buffer where to write the extensions
1987 * \param[in] end End address of the buffer where to write the extensions
1988 * \param[out] out_len Length of the data written into the buffer \p buf
1989 */
1990 MBEDTLS_CHECK_RETURN_CRITICAL
1991 int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
1992 unsigned char *buf,
1993 unsigned char *end,
1994 size_t *out_len);
1995
1996 /**
1997 * \brief TLS 1.3 client side state machine entry
1998 *
1999 * \param ssl SSL context
2000 */
2001 MBEDTLS_CHECK_RETURN_CRITICAL
2002 int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl);
2003
2004 /**
2005 * \brief TLS 1.3 server side state machine entry
2006 *
2007 * \param ssl SSL context
2008 */
2009 MBEDTLS_CHECK_RETURN_CRITICAL
2010 int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl);
2011
2012
2013 /*
2014 * Helper functions around key exchange modes.
2015 */
mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context * ssl,int kex_mode_mask)2016 static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context *ssl,
2017 int kex_mode_mask)
2018 {
2019 return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
2020 }
2021
mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context * ssl)2022 static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl)
2023 {
2024 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
2025 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
2026 }
2027
mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)2028 static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
2029 {
2030 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
2031 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
2032 }
2033
mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context * ssl)2034 static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl)
2035 {
2036 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
2037 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
2038 }
2039
mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context * ssl)2040 static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
2041 {
2042 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
2043 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
2044 }
2045
mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context * ssl)2046 static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl)
2047 {
2048 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
2049 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
2050 }
2051
2052 #if defined(MBEDTLS_SSL_SRV_C) && \
2053 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2054 /**
2055 * Given a list of key exchange modes, check if at least one of them is
2056 * supported by peer.
2057 *
2058 * \param[in] ssl SSL context
2059 * \param kex_modes_mask Mask of the key exchange modes to check
2060 *
2061 * \return Non-zero if at least one of the key exchange modes is supported by
2062 * the peer, otherwise \c 0.
2063 */
mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context * ssl,int kex_modes_mask)2064 static inline int mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context *ssl,
2065 int kex_modes_mask)
2066 {
2067 return (ssl->handshake->tls13_kex_modes & kex_modes_mask) != 0;
2068 }
2069
mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context * ssl)2070 static inline int mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context *ssl)
2071 {
2072 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
2073 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
2074 }
2075
mbedtls_ssl_tls13_is_psk_ephemeral_supported(mbedtls_ssl_context * ssl)2076 static inline int mbedtls_ssl_tls13_is_psk_ephemeral_supported(
2077 mbedtls_ssl_context *ssl)
2078 {
2079 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
2080 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
2081 }
2082
mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context * ssl)2083 static inline int mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context *ssl)
2084 {
2085 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
2086 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
2087 }
2088
mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context * ssl)2089 static inline int mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context *ssl)
2090 {
2091 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
2092 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
2093 }
2094
mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context * ssl)2095 static inline int mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context *ssl)
2096 {
2097 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
2098 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
2099 }
2100 #endif /* MBEDTLS_SSL_SRV_C &&
2101 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
2102
2103 /*
2104 * Helper functions for extensions checking.
2105 */
2106
2107 MBEDTLS_CHECK_RETURN_CRITICAL
2108 int mbedtls_ssl_tls13_check_received_extension(
2109 mbedtls_ssl_context *ssl,
2110 int hs_msg_type,
2111 unsigned int received_extension_type,
2112 uint32_t hs_msg_allowed_extensions_mask);
2113
mbedtls_ssl_tls13_set_hs_sent_ext_mask(mbedtls_ssl_context * ssl,unsigned int extension_type)2114 static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
2115 mbedtls_ssl_context *ssl, unsigned int extension_type)
2116 {
2117 ssl->handshake->sent_extensions |=
2118 mbedtls_ssl_get_extension_mask(extension_type);
2119 }
2120
2121 /*
2122 * Helper functions to check the selected key exchange mode.
2123 */
mbedtls_ssl_tls13_key_exchange_mode_check(mbedtls_ssl_context * ssl,int kex_mask)2124 static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
2125 mbedtls_ssl_context *ssl, int kex_mask)
2126 {
2127 return (ssl->handshake->key_exchange_mode & kex_mask) != 0;
2128 }
2129
mbedtls_ssl_tls13_key_exchange_mode_with_psk(mbedtls_ssl_context * ssl)2130 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
2131 mbedtls_ssl_context *ssl)
2132 {
2133 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
2134 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
2135 }
2136
mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(mbedtls_ssl_context * ssl)2137 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
2138 mbedtls_ssl_context *ssl)
2139 {
2140 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
2141 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
2142 }
2143
2144 /*
2145 * Fetch TLS 1.3 handshake message header
2146 */
2147 MBEDTLS_CHECK_RETURN_CRITICAL
2148 int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
2149 unsigned hs_type,
2150 unsigned char **buf,
2151 size_t *buf_len);
2152
2153 /**
2154 * \brief Detect if a list of extensions contains a supported_versions
2155 * extension or not.
2156 *
2157 * \param[in] ssl SSL context
2158 * \param[in] buf Address of the first byte of the extensions vector.
2159 * \param[in] end End of the buffer containing the list of extensions.
2160 * \param[out] supported_versions_data If the extension is present, address of
2161 * its first byte of data, NULL otherwise.
2162 * \param[out] supported_versions_data_end If the extension is present, address
2163 * of the first byte immediately
2164 * following the extension data, NULL
2165 * otherwise.
2166 * \return 0 if the list of extensions does not contain a supported_versions
2167 * extension.
2168 * \return 1 if the list of extensions contains a supported_versions
2169 * extension.
2170 * \return A negative value if an error occurred while parsing the
2171 * extensions.
2172 */
2173 MBEDTLS_CHECK_RETURN_CRITICAL
2174 int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
2175 mbedtls_ssl_context *ssl,
2176 const unsigned char *buf, const unsigned char *end,
2177 const unsigned char **supported_versions_data,
2178 const unsigned char **supported_versions_data_end);
2179
2180 /*
2181 * Handler of TLS 1.3 server certificate message
2182 */
2183 MBEDTLS_CHECK_RETURN_CRITICAL
2184 int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl);
2185
2186 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2187 /*
2188 * Handler of TLS 1.3 write Certificate message
2189 */
2190 MBEDTLS_CHECK_RETURN_CRITICAL
2191 int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl);
2192
2193 /*
2194 * Handler of TLS 1.3 write Certificate Verify message
2195 */
2196 MBEDTLS_CHECK_RETURN_CRITICAL
2197 int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl);
2198
2199 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2200
2201 /*
2202 * Generic handler of Certificate Verify
2203 */
2204 MBEDTLS_CHECK_RETURN_CRITICAL
2205 int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl);
2206
2207 /*
2208 * Write of dummy-CCS's for middlebox compatibility
2209 */
2210 MBEDTLS_CHECK_RETURN_CRITICAL
2211 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl);
2212
2213 MBEDTLS_CHECK_RETURN_CRITICAL
2214 int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl);
2215
2216 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
2217 MBEDTLS_CHECK_RETURN_CRITICAL
2218 int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
2219 mbedtls_ssl_context *ssl,
2220 uint16_t named_group,
2221 unsigned char *buf,
2222 unsigned char *end,
2223 size_t *out_len);
2224 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
2225
2226 #if defined(MBEDTLS_SSL_EARLY_DATA)
2227 int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
2228 int in_new_session_ticket,
2229 unsigned char *buf,
2230 const unsigned char *end,
2231 size_t *out_len);
2232
2233 int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
2234 size_t early_data_len);
2235
2236 typedef enum {
2237 /*
2238 * The client has not sent the first ClientHello yet, the negotiation of early
2239 * data has not started yet.
2240 */
2241 MBEDTLS_SSL_EARLY_DATA_STATE_IDLE,
2242
2243 /*
2244 * In its ClientHello, the client has not included an early data indication
2245 * extension.
2246 */
2247 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT,
2248
2249 /*
2250 * The client has sent an early data indication extension in its first
2251 * ClientHello, it has not received the response (ServerHello or
2252 * HelloRetryRequest) from the server yet. The transform to protect early data
2253 * is not set either as for middlebox compatibility a dummy CCS may have to be
2254 * sent in clear. Early data cannot be sent to the server yet.
2255 */
2256 MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT,
2257
2258 /*
2259 * The client has sent an early data indication extension in its first
2260 * ClientHello, it has not received the response (ServerHello or
2261 * HelloRetryRequest) from the server yet. The transform to protect early data
2262 * has been set and early data can be written now.
2263 */
2264 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE,
2265
2266 /*
2267 * The client has indicated the use of early data and the server has accepted
2268 * it.
2269 */
2270 MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED,
2271
2272 /*
2273 * The client has indicated the use of early data but the server has rejected
2274 * it.
2275 */
2276 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED,
2277
2278 /*
2279 * The client has sent an early data indication extension in its first
2280 * ClientHello, the server has accepted them and the client has received the
2281 * server Finished message. It cannot send early data to the server anymore.
2282 */
2283 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED,
2284
2285 } mbedtls_ssl_early_data_state;
2286 #endif /* MBEDTLS_SSL_EARLY_DATA */
2287
2288 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2289
2290 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2291 /*
2292 * Write Signature Algorithm extension
2293 */
2294 MBEDTLS_CHECK_RETURN_CRITICAL
2295 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
2296 const unsigned char *end, size_t *out_len);
2297 /*
2298 * Parse TLS Signature Algorithm extension
2299 */
2300 MBEDTLS_CHECK_RETURN_CRITICAL
2301 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
2302 const unsigned char *buf,
2303 const unsigned char *end);
2304 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2305
2306 /* Get handshake transcript */
2307 MBEDTLS_CHECK_RETURN_CRITICAL
2308 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
2309 const mbedtls_md_type_t md,
2310 unsigned char *dst,
2311 size_t dst_len,
2312 size_t *olen);
2313
2314 /*
2315 * Return supported groups.
2316 *
2317 * In future, invocations can be changed to ssl->conf->group_list
2318 * when mbedtls_ssl_conf_curves() is deleted.
2319 *
2320 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
2321 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
2322 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
2323 *
2324 */
mbedtls_ssl_get_groups(const mbedtls_ssl_context * ssl)2325 static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl)
2326 {
2327 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
2328 return ssl->conf->group_list;
2329 #else
2330 if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) {
2331 return ssl->handshake->group_list;
2332 } else {
2333 return ssl->conf->group_list;
2334 }
2335 #endif
2336 }
2337
2338 /*
2339 * Helper functions for NamedGroup.
2340 */
mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)2341 static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)
2342 {
2343 /*
2344 * RFC 8422 section 5.1.1
2345 */
2346 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2347 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 ||
2348 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 ||
2349 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
2350 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
2351 /* Below deprecated curves should be removed with notice to users */
2352 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
2353 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
2354 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
2355 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
2356 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
2357 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2358 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2359 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1;
2360 }
2361
mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)2362 static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)
2363 {
2364 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
2365 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
2366 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
2367 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
2368 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448;
2369 }
2370
mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)2371 static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)
2372 {
2373 return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
2374 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192;
2375 }
2376
mbedtls_ssl_named_group_is_offered(const mbedtls_ssl_context * ssl,uint16_t named_group)2377 static inline int mbedtls_ssl_named_group_is_offered(
2378 const mbedtls_ssl_context *ssl, uint16_t named_group)
2379 {
2380 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
2381
2382 if (group_list == NULL) {
2383 return 0;
2384 }
2385
2386 for (; *group_list != 0; group_list++) {
2387 if (*group_list == named_group) {
2388 return 1;
2389 }
2390 }
2391
2392 return 0;
2393 }
2394
mbedtls_ssl_named_group_is_supported(uint16_t named_group)2395 static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
2396 {
2397 #if defined(PSA_WANT_ALG_ECDH)
2398 if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
2399 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) !=
2400 MBEDTLS_ECP_DP_NONE) {
2401 return 1;
2402 }
2403 }
2404 #endif
2405 #if defined(PSA_WANT_ALG_FFDH)
2406 if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
2407 return 1;
2408 }
2409 #endif
2410 #if !defined(PSA_WANT_ALG_ECDH) && !defined(PSA_WANT_ALG_FFDH)
2411 (void) named_group;
2412 #endif
2413 return 0;
2414 }
2415
2416 /*
2417 * Return supported signature algorithms.
2418 *
2419 * In future, invocations can be changed to ssl->conf->sig_algs when
2420 * mbedtls_ssl_conf_sig_hashes() is deleted.
2421 *
2422 * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
2423 * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
2424 * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
2425 * been more recently invoked.
2426 *
2427 */
mbedtls_ssl_get_sig_algs(const mbedtls_ssl_context * ssl)2428 static inline const void *mbedtls_ssl_get_sig_algs(
2429 const mbedtls_ssl_context *ssl)
2430 {
2431 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2432
2433 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2434 if (ssl->handshake != NULL &&
2435 ssl->handshake->sig_algs_heap_allocated == 1 &&
2436 ssl->handshake->sig_algs != NULL) {
2437 return ssl->handshake->sig_algs;
2438 }
2439 #endif
2440 return ssl->conf->sig_algs;
2441
2442 #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2443
2444 ((void) ssl);
2445 return NULL;
2446 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2447 }
2448
2449 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context * ssl,uint16_t own_sig_alg)2450 static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl,
2451 uint16_t own_sig_alg)
2452 {
2453 const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
2454 if (sig_alg == NULL) {
2455 return 0;
2456 }
2457
2458 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2459 if (*sig_alg == own_sig_alg) {
2460 return 1;
2461 }
2462 }
2463 return 0;
2464 }
2465
mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(const uint16_t sig_alg)2466 static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2467 const uint16_t sig_alg)
2468 {
2469 switch (sig_alg) {
2470 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
2471 #if defined(PSA_WANT_ALG_SHA_256) && defined(PSA_WANT_ECC_SECP_R1_256)
2472 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
2473 break;
2474 #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
2475 #if defined(PSA_WANT_ALG_SHA_384) && defined(PSA_WANT_ECC_SECP_R1_384)
2476 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
2477 break;
2478 #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
2479 #if defined(PSA_WANT_ALG_SHA_512) && defined(PSA_WANT_ECC_SECP_R1_521)
2480 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
2481 break;
2482 #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
2483 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
2484
2485 #if defined(MBEDTLS_PKCS1_V21)
2486 #if defined(PSA_WANT_ALG_SHA_256)
2487 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2488 break;
2489 #endif /* PSA_WANT_ALG_SHA_256 */
2490 #if defined(PSA_WANT_ALG_SHA_384)
2491 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2492 break;
2493 #endif /* PSA_WANT_ALG_SHA_384 */
2494 #if defined(PSA_WANT_ALG_SHA_512)
2495 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2496 break;
2497 #endif /* PSA_WANT_ALG_SHA_512 */
2498 #endif /* MBEDTLS_PKCS1_V21 */
2499 default:
2500 return 0;
2501 }
2502 return 1;
2503
2504 }
2505
mbedtls_ssl_tls13_sig_alg_is_supported(const uint16_t sig_alg)2506 static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
2507 const uint16_t sig_alg)
2508 {
2509 switch (sig_alg) {
2510 #if defined(MBEDTLS_PKCS1_V15)
2511 #if defined(MBEDTLS_MD_CAN_SHA256)
2512 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
2513 break;
2514 #endif /* MBEDTLS_MD_CAN_SHA256 */
2515 #if defined(MBEDTLS_MD_CAN_SHA384)
2516 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
2517 break;
2518 #endif /* MBEDTLS_MD_CAN_SHA384 */
2519 #if defined(MBEDTLS_MD_CAN_SHA512)
2520 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
2521 break;
2522 #endif /* MBEDTLS_MD_CAN_SHA512 */
2523 #endif /* MBEDTLS_PKCS1_V15 */
2524 default:
2525 return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
2526 sig_alg);
2527 }
2528 return 1;
2529 }
2530
2531 MBEDTLS_CHECK_RETURN_CRITICAL
2532 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
2533 mbedtls_pk_context *key);
2534 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
2535
2536 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context * ssl,uint16_t proposed_sig_alg)2537 static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl,
2538 uint16_t proposed_sig_alg)
2539 {
2540 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
2541 if (sig_alg == NULL) {
2542 return 0;
2543 }
2544
2545 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
2546 if (*sig_alg == proposed_sig_alg) {
2547 return 1;
2548 }
2549 }
2550 return 0;
2551 }
2552
mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(uint16_t sig_alg,mbedtls_pk_type_t * pk_type,mbedtls_md_type_t * md_alg)2553 static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
2554 uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg)
2555 {
2556 *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff);
2557 *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff);
2558
2559 if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) {
2560 return 0;
2561 }
2562
2563 switch (sig_alg) {
2564 #if defined(MBEDTLS_PKCS1_V21)
2565 #if defined(MBEDTLS_MD_CAN_SHA256)
2566 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
2567 *md_alg = MBEDTLS_MD_SHA256;
2568 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2569 break;
2570 #endif /* MBEDTLS_MD_CAN_SHA256 */
2571 #if defined(MBEDTLS_MD_CAN_SHA384)
2572 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
2573 *md_alg = MBEDTLS_MD_SHA384;
2574 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2575 break;
2576 #endif /* MBEDTLS_MD_CAN_SHA384 */
2577 #if defined(MBEDTLS_MD_CAN_SHA512)
2578 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
2579 *md_alg = MBEDTLS_MD_SHA512;
2580 *pk_type = MBEDTLS_PK_RSASSA_PSS;
2581 break;
2582 #endif /* MBEDTLS_MD_CAN_SHA512 */
2583 #endif /* MBEDTLS_PKCS1_V21 */
2584 default:
2585 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2586 }
2587 return 0;
2588 }
2589
2590 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_tls12_sig_alg_is_supported(const uint16_t sig_alg)2591 static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
2592 const uint16_t sig_alg)
2593 {
2594 /* High byte is hash */
2595 unsigned char hash = MBEDTLS_BYTE_1(sig_alg);
2596 unsigned char sig = MBEDTLS_BYTE_0(sig_alg);
2597
2598 switch (hash) {
2599 #if defined(MBEDTLS_MD_CAN_MD5)
2600 case MBEDTLS_SSL_HASH_MD5:
2601 break;
2602 #endif
2603
2604 #if defined(MBEDTLS_MD_CAN_SHA1)
2605 case MBEDTLS_SSL_HASH_SHA1:
2606 break;
2607 #endif
2608
2609 #if defined(MBEDTLS_MD_CAN_SHA224)
2610 case MBEDTLS_SSL_HASH_SHA224:
2611 break;
2612 #endif
2613
2614 #if defined(MBEDTLS_MD_CAN_SHA256)
2615 case MBEDTLS_SSL_HASH_SHA256:
2616 break;
2617 #endif
2618
2619 #if defined(MBEDTLS_MD_CAN_SHA384)
2620 case MBEDTLS_SSL_HASH_SHA384:
2621 break;
2622 #endif
2623
2624 #if defined(MBEDTLS_MD_CAN_SHA512)
2625 case MBEDTLS_SSL_HASH_SHA512:
2626 break;
2627 #endif
2628
2629 default:
2630 return 0;
2631 }
2632
2633 switch (sig) {
2634 #if defined(MBEDTLS_RSA_C)
2635 case MBEDTLS_SSL_SIG_RSA:
2636 break;
2637 #endif
2638
2639 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
2640 case MBEDTLS_SSL_SIG_ECDSA:
2641 break;
2642 #endif
2643
2644 default:
2645 return 0;
2646 }
2647
2648 return 1;
2649 }
2650 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2651
mbedtls_ssl_sig_alg_is_supported(const mbedtls_ssl_context * ssl,const uint16_t sig_alg)2652 static inline int mbedtls_ssl_sig_alg_is_supported(
2653 const mbedtls_ssl_context *ssl,
2654 const uint16_t sig_alg)
2655 {
2656
2657 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
2658 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
2659 return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg);
2660 }
2661 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
2662
2663 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
2664 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
2665 return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg);
2666 }
2667 #endif
2668 ((void) ssl);
2669 ((void) sig_alg);
2670 return 0;
2671 }
2672 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2673
2674 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2675 /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
2676 * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
2677 * guaranteed to not be a valid PSA algorithm identifier.
2678 */
2679 #define MBEDTLS_SSL_NULL_CIPHER 0x04000000
2680
2681 /**
2682 * \brief Translate mbedtls cipher type/taglen pair to psa:
2683 * algorithm, key type and key size.
2684 *
2685 * \param mbedtls_cipher_type [in] given mbedtls cipher type
2686 * \param taglen [in] given tag length
2687 * 0 - default tag length
2688 * \param alg [out] corresponding PSA alg
2689 * There is no corresponding PSA
2690 * alg for MBEDTLS_CIPHER_NULL, so
2691 * in this case MBEDTLS_SSL_NULL_CIPHER
2692 * is returned via this parameter
2693 * \param key_type [out] corresponding PSA key type
2694 * \param key_size [out] corresponding PSA key size
2695 *
2696 * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
2697 * conversion is not supported.
2698 */
2699 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
2700 size_t taglen,
2701 psa_algorithm_t *alg,
2702 psa_key_type_t *key_type,
2703 size_t *key_size);
2704
2705 #if !defined(MBEDTLS_DEPRECATED_REMOVED)
2706 /**
2707 * \brief Convert given PSA status to mbedtls error code.
2708 *
2709 * \param status [in] given PSA status
2710 *
2711 * \return corresponding mbedtls error code
2712 */
psa_ssl_status_to_mbedtls(psa_status_t status)2713 static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status)
2714 {
2715 switch (status) {
2716 case PSA_SUCCESS:
2717 return 0;
2718 case PSA_ERROR_INSUFFICIENT_MEMORY:
2719 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
2720 case PSA_ERROR_NOT_SUPPORTED:
2721 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
2722 case PSA_ERROR_INVALID_SIGNATURE:
2723 return MBEDTLS_ERR_SSL_INVALID_MAC;
2724 case PSA_ERROR_INVALID_ARGUMENT:
2725 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
2726 case PSA_ERROR_BAD_STATE:
2727 return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
2728 case PSA_ERROR_BUFFER_TOO_SMALL:
2729 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
2730 default:
2731 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
2732 }
2733 }
2734 #endif /* !MBEDTLS_DEPRECATED_REMOVED */
2735 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
2736
2737 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
2738 defined(MBEDTLS_USE_PSA_CRYPTO)
2739
2740 typedef enum {
2741 MBEDTLS_ECJPAKE_ROUND_ONE,
2742 MBEDTLS_ECJPAKE_ROUND_TWO
2743 } mbedtls_ecjpake_rounds_t;
2744
2745 /**
2746 * \brief Parse the provided input buffer for getting the first round
2747 * of key exchange. This code is common between server and client
2748 *
2749 * \param pake_ctx [in] the PAKE's operation/context structure
2750 * \param buf [in] input buffer to parse
2751 * \param len [in] length of the input buffer
2752 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2753 * MBEDTLS_ECJPAKE_ROUND_TWO
2754 *
2755 * \return 0 on success or a negative error code in case of failure
2756 */
2757 int mbedtls_psa_ecjpake_read_round(
2758 psa_pake_operation_t *pake_ctx,
2759 const unsigned char *buf,
2760 size_t len, mbedtls_ecjpake_rounds_t round);
2761
2762 /**
2763 * \brief Write the first round of key exchange into the provided output
2764 * buffer. This code is common between server and client
2765 *
2766 * \param pake_ctx [in] the PAKE's operation/context structure
2767 * \param buf [out] the output buffer in which data will be written to
2768 * \param len [in] length of the output buffer
2769 * \param olen [out] the length of the data really written on the buffer
2770 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
2771 * MBEDTLS_ECJPAKE_ROUND_TWO
2772 *
2773 * \return 0 on success or a negative error code in case of failure
2774 */
2775 int mbedtls_psa_ecjpake_write_round(
2776 psa_pake_operation_t *pake_ctx,
2777 unsigned char *buf,
2778 size_t len, size_t *olen,
2779 mbedtls_ecjpake_rounds_t round);
2780
2781 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
2782
2783 /**
2784 * \brief TLS record protection modes
2785 */
2786 typedef enum {
2787 MBEDTLS_SSL_MODE_STREAM = 0,
2788 MBEDTLS_SSL_MODE_CBC,
2789 MBEDTLS_SSL_MODE_CBC_ETM,
2790 MBEDTLS_SSL_MODE_AEAD
2791 } mbedtls_ssl_mode_t;
2792
2793 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
2794 const mbedtls_ssl_transform *transform);
2795
2796 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
2797 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2798 int encrypt_then_mac,
2799 const mbedtls_ssl_ciphersuite_t *suite);
2800 #else
2801 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
2802 const mbedtls_ssl_ciphersuite_t *suite);
2803 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
2804
2805 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
2806
2807 MBEDTLS_CHECK_RETURN_CRITICAL
2808 int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
2809 const unsigned char *buf,
2810 size_t buf_len);
2811
2812 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
2813
mbedtls_ssl_tls13_cipher_suite_is_offered(mbedtls_ssl_context * ssl,int cipher_suite)2814 static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
2815 mbedtls_ssl_context *ssl, int cipher_suite)
2816 {
2817 const int *ciphersuite_list = ssl->conf->ciphersuite_list;
2818
2819 /* Check whether we have offered this ciphersuite */
2820 for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
2821 if (ciphersuite_list[i] == cipher_suite) {
2822 return 1;
2823 }
2824 }
2825 return 0;
2826 }
2827
2828 /**
2829 * \brief Validate cipher suite against config in SSL context.
2830 *
2831 * \param ssl SSL context
2832 * \param suite_info Cipher suite to validate
2833 * \param min_tls_version Minimal TLS version to accept a cipher suite
2834 * \param max_tls_version Maximal TLS version to accept a cipher suite
2835 *
2836 * \return 0 if valid, negative value otherwise.
2837 */
2838 MBEDTLS_CHECK_RETURN_CRITICAL
2839 int mbedtls_ssl_validate_ciphersuite(
2840 const mbedtls_ssl_context *ssl,
2841 const mbedtls_ssl_ciphersuite_t *suite_info,
2842 mbedtls_ssl_protocol_version min_tls_version,
2843 mbedtls_ssl_protocol_version max_tls_version);
2844
2845 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2846 MBEDTLS_CHECK_RETURN_CRITICAL
2847 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
2848 const unsigned char *buf,
2849 const unsigned char *end);
2850 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2851
2852 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
2853 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
2854 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) /* As defined in RFC 8449 */
2855
2856 MBEDTLS_CHECK_RETURN_CRITICAL
2857 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
2858 const unsigned char *buf,
2859 const unsigned char *end);
2860
2861 MBEDTLS_CHECK_RETURN_CRITICAL
2862 int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
2863 unsigned char *buf,
2864 const unsigned char *end,
2865 size_t *out_len);
2866 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
2867
2868 #if defined(MBEDTLS_SSL_ALPN)
2869 MBEDTLS_CHECK_RETURN_CRITICAL
2870 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
2871 const unsigned char *buf,
2872 const unsigned char *end);
2873
2874
2875 MBEDTLS_CHECK_RETURN_CRITICAL
2876 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
2877 unsigned char *buf,
2878 unsigned char *end,
2879 size_t *out_len);
2880 #endif /* MBEDTLS_SSL_ALPN */
2881
2882 #if defined(MBEDTLS_TEST_HOOKS)
2883 int mbedtls_ssl_check_dtls_clihlo_cookie(
2884 mbedtls_ssl_context *ssl,
2885 const unsigned char *cli_id, size_t cli_id_len,
2886 const unsigned char *in, size_t in_len,
2887 unsigned char *obuf, size_t buf_len, size_t *olen);
2888 #endif
2889
2890 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
2891 /**
2892 * \brief Given an SSL context and its associated configuration, write the TLS
2893 * 1.3 specific Pre-Shared key extension.
2894 *
2895 * \param[in] ssl SSL context
2896 * \param[in] buf Base address of the buffer where to write the extension
2897 * \param[in] end End address of the buffer where to write the extension
2898 * \param[out] out_len Length in bytes of the Pre-Shared key extension: data
2899 * written into the buffer \p buf by this function plus
2900 * the length of the binders to be written.
2901 * \param[out] binders_len Length of the binders to be written at the end of
2902 * the extension.
2903 */
2904 MBEDTLS_CHECK_RETURN_CRITICAL
2905 int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
2906 mbedtls_ssl_context *ssl,
2907 unsigned char *buf, unsigned char *end,
2908 size_t *out_len, size_t *binders_len);
2909
2910 /**
2911 * \brief Given an SSL context and its associated configuration, write the TLS
2912 * 1.3 specific Pre-Shared key extension binders at the end of the
2913 * ClientHello.
2914 *
2915 * \param[in] ssl SSL context
2916 * \param[in] buf Base address of the buffer where to write the binders
2917 * \param[in] end End address of the buffer where to write the binders
2918 */
2919 MBEDTLS_CHECK_RETURN_CRITICAL
2920 int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
2921 mbedtls_ssl_context *ssl,
2922 unsigned char *buf, unsigned char *end);
2923 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
2924
2925 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2926 /** Get the host name from the SSL context.
2927 *
2928 * \param[in] ssl SSL context
2929 *
2930 * \return The \p hostname pointer from the SSL context.
2931 * \c NULL if mbedtls_ssl_set_hostname() has never been called on
2932 * \p ssl or if it was last called with \p NULL.
2933 */
2934 const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl);
2935 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2936
2937 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
2938 defined(MBEDTLS_SSL_SESSION_TICKETS) && \
2939 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
2940 defined(MBEDTLS_SSL_CLI_C)
2941 MBEDTLS_CHECK_RETURN_CRITICAL
2942 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
2943 const char *hostname);
2944 #endif
2945
2946 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
2947 defined(MBEDTLS_SSL_ALPN)
2948 MBEDTLS_CHECK_RETURN_CRITICAL
2949 int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
2950 const char *alpn);
2951 #endif
2952
2953 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
2954
2955 #define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
2956
mbedtls_ssl_tls13_session_get_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2957 static inline unsigned int mbedtls_ssl_tls13_session_get_ticket_flags(
2958 mbedtls_ssl_session *session, unsigned int flags)
2959 {
2960 return session->ticket_flags &
2961 (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
2962 }
2963
2964 /**
2965 * Check if at least one of the given flags is set in
2966 * the session ticket. See the definition of
2967 * `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` to get all
2968 * permitted flags.
2969 */
mbedtls_ssl_tls13_session_ticket_has_flags(mbedtls_ssl_session * session,unsigned int flags)2970 static inline int mbedtls_ssl_tls13_session_ticket_has_flags(
2971 mbedtls_ssl_session *session, unsigned int flags)
2972 {
2973 return mbedtls_ssl_tls13_session_get_ticket_flags(session, flags) != 0;
2974 }
2975
mbedtls_ssl_tls13_session_ticket_allow_psk(mbedtls_ssl_session * session)2976 static inline int mbedtls_ssl_tls13_session_ticket_allow_psk(
2977 mbedtls_ssl_session *session)
2978 {
2979 return mbedtls_ssl_tls13_session_ticket_has_flags(
2980 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION);
2981 }
2982
mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(mbedtls_ssl_session * session)2983 static inline int mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(
2984 mbedtls_ssl_session *session)
2985 {
2986 return mbedtls_ssl_tls13_session_ticket_has_flags(
2987 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION);
2988 }
2989
mbedtls_ssl_tls13_session_ticket_allow_early_data(mbedtls_ssl_session * session)2990 static inline unsigned int mbedtls_ssl_tls13_session_ticket_allow_early_data(
2991 mbedtls_ssl_session *session)
2992 {
2993 return mbedtls_ssl_tls13_session_ticket_has_flags(
2994 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
2995 }
2996
mbedtls_ssl_tls13_session_set_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2997 static inline void mbedtls_ssl_tls13_session_set_ticket_flags(
2998 mbedtls_ssl_session *session, unsigned int flags)
2999 {
3000 session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
3001 }
3002
mbedtls_ssl_tls13_session_clear_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)3003 static inline void mbedtls_ssl_tls13_session_clear_ticket_flags(
3004 mbedtls_ssl_session *session, unsigned int flags)
3005 {
3006 session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
3007 }
3008
3009 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
3010
3011 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
3012 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0
3013 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1
3014
3015 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \
3016 (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT)
3017 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \
3018 (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT)
3019
3020 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_get_session_tickets(const mbedtls_ssl_config * conf)3021 static inline int mbedtls_ssl_conf_get_session_tickets(
3022 const mbedtls_ssl_config *conf)
3023 {
3024 return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ?
3025 MBEDTLS_SSL_SESSION_TICKETS_ENABLED :
3026 MBEDTLS_SSL_SESSION_TICKETS_DISABLED;
3027 }
3028 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3029
3030 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(const mbedtls_ssl_config * conf)3031 static inline int mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(
3032 const mbedtls_ssl_config *conf)
3033 {
3034 return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ?
3035 MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED :
3036 MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED;
3037 }
3038 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3039 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
3040
3041 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
3042 int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
3043 #endif
3044
3045 #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
3046
3047 /** Compute the HMAC of variable-length data with constant flow.
3048 *
3049 * This function computes the HMAC of the concatenation of \p add_data and \p
3050 * data, and does with a code flow and memory access pattern that does not
3051 * depend on \p data_len_secret, but only on \p min_data_len and \p
3052 * max_data_len. In particular, this function always reads exactly \p
3053 * max_data_len bytes from \p data.
3054 *
3055 * \param ctx The HMAC context. It must have keys configured
3056 * with mbedtls_md_hmac_starts() and use one of the
3057 * following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
3058 * It is reset using mbedtls_md_hmac_reset() after
3059 * the computation is complete to prepare for the
3060 * next computation.
3061 * \param add_data The first part of the message whose HMAC is being
3062 * calculated. This must point to a readable buffer
3063 * of \p add_data_len bytes.
3064 * \param add_data_len The length of \p add_data in bytes.
3065 * \param data The buffer containing the second part of the
3066 * message. This must point to a readable buffer
3067 * of \p max_data_len bytes.
3068 * \param data_len_secret The length of the data to process in \p data.
3069 * This must be no less than \p min_data_len and no
3070 * greater than \p max_data_len.
3071 * \param min_data_len The minimal length of the second part of the
3072 * message, read from \p data.
3073 * \param max_data_len The maximal length of the second part of the
3074 * message, read from \p data.
3075 * \param output The HMAC will be written here. This must point to
3076 * a writable buffer of sufficient size to hold the
3077 * HMAC value.
3078 *
3079 * \retval 0 on success.
3080 * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
3081 * The hardware accelerator failed.
3082 */
3083 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3084 int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
3085 psa_algorithm_t mac_alg,
3086 const unsigned char *add_data,
3087 size_t add_data_len,
3088 const unsigned char *data,
3089 size_t data_len_secret,
3090 size_t min_data_len,
3091 size_t max_data_len,
3092 unsigned char *output);
3093 #else
3094 int mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
3095 const unsigned char *add_data,
3096 size_t add_data_len,
3097 const unsigned char *data,
3098 size_t data_len_secret,
3099 size_t min_data_len,
3100 size_t max_data_len,
3101 unsigned char *output);
3102 #endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
3103 #endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */
3104
3105 #endif /* ssl_misc.h */
3106