132b31808SJens Wiklander /**
232b31808SJens Wiklander * \file ssl_misc.h
332b31808SJens Wiklander *
432b31808SJens Wiklander * \brief Internal functions shared by the SSL modules
532b31808SJens Wiklander */
632b31808SJens Wiklander /*
732b31808SJens Wiklander * Copyright The Mbed TLS Contributors
8b0563631STom Van Eyck * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
932b31808SJens Wiklander */
1032b31808SJens Wiklander #ifndef MBEDTLS_SSL_MISC_H
1132b31808SJens Wiklander #define MBEDTLS_SSL_MISC_H
1232b31808SJens Wiklander
1332b31808SJens Wiklander #include "mbedtls/build_info.h"
14c3deb3d6SEtienne Carriere #include "common.h"
1532b31808SJens Wiklander
16b0563631STom Van Eyck #include "mbedtls/error.h"
17b0563631STom Van Eyck
1832b31808SJens Wiklander #include "mbedtls/ssl.h"
19*273a583eSThomas Bourgoin #include "mbedtls/debug.h"
20*273a583eSThomas Bourgoin #include "debug_internal.h"
21*273a583eSThomas Bourgoin
2232b31808SJens Wiklander #include "mbedtls/cipher.h"
2332b31808SJens Wiklander
2432b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
2532b31808SJens Wiklander #include "psa/crypto.h"
26b0563631STom Van Eyck #include "psa_util_internal.h"
2732b31808SJens Wiklander #endif
2832b31808SJens Wiklander
29b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_MD5)
3032b31808SJens Wiklander #include "mbedtls/md5.h"
3132b31808SJens Wiklander #endif
3232b31808SJens Wiklander
33b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA1)
3432b31808SJens Wiklander #include "mbedtls/sha1.h"
3532b31808SJens Wiklander #endif
3632b31808SJens Wiklander
37b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA256)
3832b31808SJens Wiklander #include "mbedtls/sha256.h"
3932b31808SJens Wiklander #endif
4032b31808SJens Wiklander
41b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA512)
4232b31808SJens Wiklander #include "mbedtls/sha512.h"
4332b31808SJens Wiklander #endif
4432b31808SJens Wiklander
4532b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
4632b31808SJens Wiklander !defined(MBEDTLS_USE_PSA_CRYPTO)
4732b31808SJens Wiklander #include "mbedtls/ecjpake.h"
4832b31808SJens Wiklander #endif
4932b31808SJens Wiklander
5032b31808SJens Wiklander #include "mbedtls/pk.h"
51b0563631STom Van Eyck #include "ssl_ciphersuites_internal.h"
52b0563631STom Van Eyck #include "x509_internal.h"
53b0563631STom Van Eyck #include "pk_internal.h"
54c3deb3d6SEtienne Carriere
5532b31808SJens Wiklander
5632b31808SJens Wiklander /* Shorthand for restartable ECC */
5732b31808SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) && \
5832b31808SJens Wiklander defined(MBEDTLS_SSL_CLI_C) && \
5932b31808SJens Wiklander defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
6032b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
6132b31808SJens Wiklander #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED
6232b31808SJens Wiklander #endif
6332b31808SJens Wiklander
6432b31808SJens Wiklander #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
6532b31808SJens Wiklander #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
6632b31808SJens Wiklander #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
6732b31808SJens Wiklander #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
6832b31808SJens Wiklander
6932b31808SJens Wiklander /* Faked handshake message identity for HelloRetryRequest. */
7032b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO)
7132b31808SJens Wiklander
7232b31808SJens Wiklander /*
7332b31808SJens Wiklander * Internal identity of handshake extensions
7432b31808SJens Wiklander */
7532b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0
7632b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1
7732b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1
7832b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2
7932b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3
8032b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4
8132b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4
8232b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SIG_ALG 5
8332b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_USE_SRTP 6
8432b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7
8532b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_ALPN 8
8632b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SCT 9
8732b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10
8832b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11
8932b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_PADDING 12
9032b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13
9132b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14
9232b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15
9332b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_COOKIE 16
9432b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17
9532b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18
9632b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19
9732b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20
9832b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21
9932b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22
10032b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23
10132b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24
10232b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25
10332b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26
10432b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27
10532b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28
10632b31808SJens Wiklander
10732b31808SJens Wiklander /* Utility for translating IANA extension type. */
10832b31808SJens Wiklander uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type);
10932b31808SJens Wiklander uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
11032b31808SJens Wiklander /* Macros used to define mask constants */
11132b31808SJens Wiklander #define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id))
11232b31808SJens Wiklander /* Reset value of extension mask */
11332b31808SJens Wiklander #define MBEDTLS_SSL_EXT_MASK_NONE 0
11432b31808SJens Wiklander
11532b31808SJens Wiklander /* In messages containing extension requests, we should ignore unrecognized
11632b31808SJens Wiklander * extensions. In messages containing extension responses, unrecognized
11732b31808SJens Wiklander * extensions should result in handshake abortion. Messages containing
11832b31808SJens Wiklander * extension requests include ClientHello, CertificateRequest and
11932b31808SJens Wiklander * NewSessionTicket. Messages containing extension responses include
12032b31808SJens Wiklander * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate.
12132b31808SJens Wiklander *
12232b31808SJens Wiklander * RFC 8446 section 4.1.3
12332b31808SJens Wiklander *
12432b31808SJens Wiklander * The ServerHello MUST only include extensions which are required to establish
12532b31808SJens Wiklander * the cryptographic context and negotiate the protocol version.
12632b31808SJens Wiklander *
12732b31808SJens Wiklander * RFC 8446 section 4.2
12832b31808SJens Wiklander *
12932b31808SJens Wiklander * If an implementation receives an extension which it recognizes and which is
13032b31808SJens Wiklander * not specified for the message in which it appears, it MUST abort the handshake
13132b31808SJens Wiklander * with an "illegal_parameter" alert.
13232b31808SJens Wiklander */
13332b31808SJens Wiklander
13432b31808SJens Wiklander /* Extensions that are not recognized by TLS 1.3 */
13532b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \
13632b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \
13732b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \
13832b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \
13932b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \
14032b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \
14132b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED))
14232b31808SJens Wiklander
14332b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for ClientHello */
14432b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \
14532b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
14632b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
14732b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
14832b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
14932b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
15032b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
15132b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
15232b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(ALPN) | \
15332b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SCT) | \
15432b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
15532b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
15632b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PADDING) | \
15732b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
15832b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
15932b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \
16032b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
16132b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(COOKIE) | \
16232b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \
16332b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
16432b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \
16532b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
16632b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \
16732b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
16832b31808SJens Wiklander
16932b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */
17032b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \
17132b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \
17232b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \
17332b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \
17432b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \
17532b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \
17632b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(ALPN) | \
17732b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \
17832b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \
17932b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
18032b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT))
18132b31808SJens Wiklander
18232b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */
18332b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \
18432b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
18532b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \
18632b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SCT) | \
18732b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \
18832b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \
18932b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \
19032b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
19132b31808SJens Wiklander
19232b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for Certificate */
19332b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \
19432b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \
19532b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SCT))
19632b31808SJens Wiklander
19732b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for ServerHello */
19832b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \
19932b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
20032b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \
20132b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
20232b31808SJens Wiklander
20332b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */
20432b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \
20532b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \
20632b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(COOKIE) | \
20732b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS))
20832b31808SJens Wiklander
20932b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */
21032b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \
21132b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \
21232b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED)
21332b31808SJens Wiklander
21432b31808SJens Wiklander /*
21532b31808SJens Wiklander * Helper macros for function call with return check.
21632b31808SJens Wiklander */
21732b31808SJens Wiklander /*
21832b31808SJens Wiklander * Exit when return non-zero value
21932b31808SJens Wiklander */
22032b31808SJens Wiklander #define MBEDTLS_SSL_PROC_CHK(f) \
22132b31808SJens Wiklander do { \
22232b31808SJens Wiklander ret = (f); \
22332b31808SJens Wiklander if (ret != 0) \
22432b31808SJens Wiklander { \
22532b31808SJens Wiklander goto cleanup; \
22632b31808SJens Wiklander } \
22732b31808SJens Wiklander } while (0)
22832b31808SJens Wiklander /*
22932b31808SJens Wiklander * Exit when return negative value
23032b31808SJens Wiklander */
23132b31808SJens Wiklander #define MBEDTLS_SSL_PROC_CHK_NEG(f) \
23232b31808SJens Wiklander do { \
23332b31808SJens Wiklander ret = (f); \
23432b31808SJens Wiklander if (ret < 0) \
23532b31808SJens Wiklander { \
23632b31808SJens Wiklander goto cleanup; \
23732b31808SJens Wiklander } \
23832b31808SJens Wiklander } while (0)
23932b31808SJens Wiklander
24032b31808SJens Wiklander /*
24132b31808SJens Wiklander * DTLS retransmission states, see RFC 6347 4.2.4
24232b31808SJens Wiklander *
24332b31808SJens Wiklander * The SENDING state is merged in PREPARING for initial sends,
24432b31808SJens Wiklander * but is distinct for resends.
24532b31808SJens Wiklander *
24632b31808SJens Wiklander * Note: initial state is wrong for server, but is not used anyway.
24732b31808SJens Wiklander */
24832b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_PREPARING 0
24932b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_SENDING 1
25032b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_WAITING 2
25132b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_FINISHED 3
25232b31808SJens Wiklander
25332b31808SJens Wiklander /*
25432b31808SJens Wiklander * Allow extra bytes for record, authentication and encryption overhead:
25532b31808SJens Wiklander * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
25632b31808SJens Wiklander */
25732b31808SJens Wiklander
25832b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
25932b31808SJens Wiklander
26032b31808SJens Wiklander /* This macro determines whether CBC is supported. */
261b0563631STom Van Eyck #if defined(MBEDTLS_SSL_HAVE_CBC) && \
262b0563631STom Van Eyck (defined(MBEDTLS_SSL_HAVE_AES) || \
263b0563631STom Van Eyck defined(MBEDTLS_SSL_HAVE_CAMELLIA) || \
264b0563631STom Van Eyck defined(MBEDTLS_SSL_HAVE_ARIA))
26532b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_CBC
26632b31808SJens Wiklander #endif
26732b31808SJens Wiklander
26832b31808SJens Wiklander /* This macro determines whether a ciphersuite using a
26932b31808SJens Wiklander * stream cipher can be used. */
27032b31808SJens Wiklander #if defined(MBEDTLS_CIPHER_NULL_CIPHER)
27132b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM
27232b31808SJens Wiklander #endif
27332b31808SJens Wiklander
27432b31808SJens Wiklander /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */
27532b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
27632b31808SJens Wiklander defined(MBEDTLS_SSL_PROTO_TLS1_2)
27732b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC
27832b31808SJens Wiklander #endif
27932b31808SJens Wiklander
28032b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \
28132b31808SJens Wiklander defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC)
28232b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_MAC
28332b31808SJens Wiklander #endif
28432b31808SJens Wiklander
28532b31808SJens Wiklander /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */
28632b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \
28732b31808SJens Wiklander defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
28832b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM
28932b31808SJens Wiklander #endif
29032b31808SJens Wiklander
29132b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
29232b31808SJens Wiklander
29332b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
29432b31808SJens Wiklander /* Ciphersuites using HMAC */
295b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA384)
29632b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
297b0563631STom Van Eyck #elif defined(MBEDTLS_MD_CAN_SHA256)
29832b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
29932b31808SJens Wiklander #else
30032b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
30132b31808SJens Wiklander #endif
30232b31808SJens Wiklander #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
30332b31808SJens Wiklander /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
30432b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 16
30532b31808SJens Wiklander #endif
30632b31808SJens Wiklander
307b0563631STom Van Eyck #if defined(MBEDTLS_SSL_HAVE_CBC)
30832b31808SJens Wiklander #define MBEDTLS_SSL_PADDING_ADD 256
30932b31808SJens Wiklander #else
31032b31808SJens Wiklander #define MBEDTLS_SSL_PADDING_ADD 0
31132b31808SJens Wiklander #endif
31232b31808SJens Wiklander
31332b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
31432b31808SJens Wiklander #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY
31532b31808SJens Wiklander #else
31632b31808SJens Wiklander #define MBEDTLS_SSL_MAX_CID_EXPANSION 0
31732b31808SJens Wiklander #endif
31832b31808SJens Wiklander
31932b31808SJens Wiklander #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \
32032b31808SJens Wiklander MBEDTLS_SSL_MAC_ADD + \
32132b31808SJens Wiklander MBEDTLS_SSL_PADDING_ADD + \
32232b31808SJens Wiklander MBEDTLS_SSL_MAX_CID_EXPANSION \
32332b31808SJens Wiklander )
32432b31808SJens Wiklander
32532b31808SJens Wiklander #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
32632b31808SJens Wiklander (MBEDTLS_SSL_IN_CONTENT_LEN))
32732b31808SJens Wiklander
32832b31808SJens Wiklander #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
32932b31808SJens Wiklander (MBEDTLS_SSL_OUT_CONTENT_LEN))
33032b31808SJens Wiklander
33132b31808SJens Wiklander /* The maximum number of buffered handshake messages. */
33232b31808SJens Wiklander #define MBEDTLS_SSL_MAX_BUFFERED_HS 4
33332b31808SJens Wiklander
33432b31808SJens Wiklander /* Maximum length we can advertise as our max content length for
33532b31808SJens Wiklander RFC 6066 max_fragment_length extension negotiation purposes
33632b31808SJens Wiklander (the lesser of both sizes, if they are unequal.)
33732b31808SJens Wiklander */
33832b31808SJens Wiklander #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
33932b31808SJens Wiklander (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
34032b31808SJens Wiklander ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \
34132b31808SJens Wiklander : (MBEDTLS_SSL_IN_CONTENT_LEN) \
34232b31808SJens Wiklander )
34332b31808SJens Wiklander
34432b31808SJens Wiklander /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
34532b31808SJens Wiklander #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534
34632b31808SJens Wiklander
34732b31808SJens Wiklander /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */
34832b31808SJens Wiklander #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2
34932b31808SJens Wiklander
35032b31808SJens Wiklander /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
35132b31808SJens Wiklander #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
35232b31808SJens Wiklander
35332b31808SJens Wiklander #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
35432b31808SJens Wiklander
35532b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
35632b31808SJens Wiklander
35732b31808SJens Wiklander #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE
35832b31808SJens Wiklander
35932b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
36032b31808SJens Wiklander #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig)
36132b31808SJens Wiklander #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF)
36232b31808SJens Wiklander #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8)
36332b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
36432b31808SJens Wiklander
36532b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
36632b31808SJens Wiklander
36732b31808SJens Wiklander /*
36832b31808SJens Wiklander * Check that we obey the standard's message size bounds
36932b31808SJens Wiklander */
37032b31808SJens Wiklander
37132b31808SJens Wiklander #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384
37232b31808SJens Wiklander #error "Bad configuration - incoming record content too large."
37332b31808SJens Wiklander #endif
37432b31808SJens Wiklander
37532b31808SJens Wiklander #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384
37632b31808SJens Wiklander #error "Bad configuration - outgoing record content too large."
37732b31808SJens Wiklander #endif
37832b31808SJens Wiklander
37932b31808SJens Wiklander #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048
38032b31808SJens Wiklander #error "Bad configuration - incoming protected record payload too large."
38132b31808SJens Wiklander #endif
38232b31808SJens Wiklander
38332b31808SJens Wiklander #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048
38432b31808SJens Wiklander #error "Bad configuration - outgoing protected record payload too large."
38532b31808SJens Wiklander #endif
38632b31808SJens Wiklander
38732b31808SJens Wiklander /* Calculate buffer sizes */
38832b31808SJens Wiklander
38932b31808SJens Wiklander /* Note: Even though the TLS record header is only 5 bytes
39032b31808SJens Wiklander long, we're internally using 8 bytes to store the
39132b31808SJens Wiklander implicit sequence number. */
39232b31808SJens Wiklander #define MBEDTLS_SSL_HEADER_LEN 13
39332b31808SJens Wiklander
39432b31808SJens Wiklander #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
39532b31808SJens Wiklander #define MBEDTLS_SSL_IN_BUFFER_LEN \
39632b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN))
39732b31808SJens Wiklander #else
39832b31808SJens Wiklander #define MBEDTLS_SSL_IN_BUFFER_LEN \
39932b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \
40032b31808SJens Wiklander + (MBEDTLS_SSL_CID_IN_LEN_MAX))
40132b31808SJens Wiklander #endif
40232b31808SJens Wiklander
40332b31808SJens Wiklander #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
40432b31808SJens Wiklander #define MBEDTLS_SSL_OUT_BUFFER_LEN \
40532b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN))
40632b31808SJens Wiklander #else
40732b31808SJens Wiklander #define MBEDTLS_SSL_OUT_BUFFER_LEN \
40832b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \
40932b31808SJens Wiklander + (MBEDTLS_SSL_CID_OUT_LEN_MAX))
41032b31808SJens Wiklander #endif
41132b31808SJens Wiklander
41232b31808SJens Wiklander #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32
41332b31808SJens Wiklander #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32
41432b31808SJens Wiklander
41532b31808SJens Wiklander #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
41632b31808SJens Wiklander /**
41732b31808SJens Wiklander * \brief Return the maximum fragment length (payload, in bytes) for
41832b31808SJens Wiklander * the output buffer. For the client, this is the configured
41932b31808SJens Wiklander * value. For the server, it is the minimum of two - the
42032b31808SJens Wiklander * configured value and the negotiated one.
42132b31808SJens Wiklander *
42232b31808SJens Wiklander * \sa mbedtls_ssl_conf_max_frag_len()
42332b31808SJens Wiklander * \sa mbedtls_ssl_get_max_out_record_payload()
42432b31808SJens Wiklander *
42532b31808SJens Wiklander * \param ssl SSL context
42632b31808SJens Wiklander *
42732b31808SJens Wiklander * \return Current maximum fragment length for the output buffer.
42832b31808SJens Wiklander */
42932b31808SJens Wiklander size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl);
43032b31808SJens Wiklander
43132b31808SJens Wiklander /**
43232b31808SJens Wiklander * \brief Return the maximum fragment length (payload, in bytes) for
43332b31808SJens Wiklander * the input buffer. This is the negotiated maximum fragment
43432b31808SJens Wiklander * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN.
43532b31808SJens Wiklander * If it is not defined either, the value is 2^14. This function
43632b31808SJens Wiklander * works as its predecessor, \c mbedtls_ssl_get_max_frag_len().
43732b31808SJens Wiklander *
43832b31808SJens Wiklander * \sa mbedtls_ssl_conf_max_frag_len()
43932b31808SJens Wiklander * \sa mbedtls_ssl_get_max_in_record_payload()
44032b31808SJens Wiklander *
44132b31808SJens Wiklander * \param ssl SSL context
44232b31808SJens Wiklander *
44332b31808SJens Wiklander * \return Current maximum fragment length for the output buffer.
44432b31808SJens Wiklander */
44532b31808SJens Wiklander size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl);
44632b31808SJens Wiklander #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
44732b31808SJens Wiklander
448b0563631STom Van Eyck #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
449b0563631STom Van Eyck /**
450b0563631STom Van Eyck * \brief Get the size limit in bytes for the protected outgoing records
451b0563631STom Van Eyck * as defined in RFC 8449
452b0563631STom Van Eyck *
453b0563631STom Van Eyck * \param ssl SSL context
454b0563631STom Van Eyck *
455b0563631STom Van Eyck * \return The size limit in bytes for the protected outgoing
456b0563631STom Van Eyck * records as defined in RFC 8449.
457b0563631STom Van Eyck */
458b0563631STom Van Eyck size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl);
459b0563631STom Van Eyck #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
460b0563631STom Van Eyck
46132b31808SJens Wiklander #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context * ctx)46232b31808SJens Wiklander static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx)
46332b31808SJens Wiklander {
46432b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
46532b31808SJens Wiklander return mbedtls_ssl_get_output_max_frag_len(ctx)
46632b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
46732b31808SJens Wiklander + MBEDTLS_SSL_CID_OUT_LEN_MAX;
46832b31808SJens Wiklander #else
46932b31808SJens Wiklander return mbedtls_ssl_get_output_max_frag_len(ctx)
47032b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
47132b31808SJens Wiklander #endif
47232b31808SJens Wiklander }
47332b31808SJens Wiklander
mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context * ctx)47432b31808SJens Wiklander static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx)
47532b31808SJens Wiklander {
47632b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
47732b31808SJens Wiklander return mbedtls_ssl_get_input_max_frag_len(ctx)
47832b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD
47932b31808SJens Wiklander + MBEDTLS_SSL_CID_IN_LEN_MAX;
48032b31808SJens Wiklander #else
48132b31808SJens Wiklander return mbedtls_ssl_get_input_max_frag_len(ctx)
48232b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD;
48332b31808SJens Wiklander #endif
48432b31808SJens Wiklander }
48532b31808SJens Wiklander #endif
48632b31808SJens Wiklander
48732b31808SJens Wiklander /*
48832b31808SJens Wiklander * TLS extension flags (for extensions with outgoing ServerHello content
48932b31808SJens Wiklander * that need it (e.g. for RENEGOTIATION_INFO the server already knows because
49032b31808SJens Wiklander * of state of the renegotiation flag, so no indicator is required)
49132b31808SJens Wiklander */
49232b31808SJens Wiklander #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
49332b31808SJens Wiklander #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
49432b31808SJens Wiklander
49532b31808SJens Wiklander /**
49632b31808SJens Wiklander * \brief This function checks if the remaining size in a buffer is
49732b31808SJens Wiklander * greater or equal than a needed space.
49832b31808SJens Wiklander *
49932b31808SJens Wiklander * \param cur Pointer to the current position in the buffer.
50032b31808SJens Wiklander * \param end Pointer to one past the end of the buffer.
50132b31808SJens Wiklander * \param need Needed space in bytes.
50232b31808SJens Wiklander *
50332b31808SJens Wiklander * \return Zero if the needed space is available in the buffer, non-zero
50432b31808SJens Wiklander * otherwise.
50532b31808SJens Wiklander */
50632b31808SJens Wiklander #if !defined(MBEDTLS_TEST_HOOKS)
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)50732b31808SJens Wiklander static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
50832b31808SJens Wiklander const uint8_t *end, size_t need)
50932b31808SJens Wiklander {
51032b31808SJens Wiklander return (cur > end) || (need > (size_t) (end - cur));
51132b31808SJens Wiklander }
51232b31808SJens Wiklander #else
51332b31808SJens Wiklander typedef struct {
51432b31808SJens Wiklander const uint8_t *cur;
51532b31808SJens Wiklander const uint8_t *end;
51632b31808SJens Wiklander size_t need;
51732b31808SJens Wiklander } mbedtls_ssl_chk_buf_ptr_args;
51832b31808SJens Wiklander
51932b31808SJens Wiklander void mbedtls_ssl_set_chk_buf_ptr_fail_args(
52032b31808SJens Wiklander const uint8_t *cur, const uint8_t *end, size_t need);
52132b31808SJens Wiklander void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void);
52232b31808SJens Wiklander
52332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
52432b31808SJens Wiklander int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args);
52532b31808SJens Wiklander
mbedtls_ssl_chk_buf_ptr(const uint8_t * cur,const uint8_t * end,size_t need)52632b31808SJens Wiklander static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur,
52732b31808SJens Wiklander const uint8_t *end, size_t need)
52832b31808SJens Wiklander {
52932b31808SJens Wiklander if ((cur > end) || (need > (size_t) (end - cur))) {
53032b31808SJens Wiklander mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need);
53132b31808SJens Wiklander return 1;
53232b31808SJens Wiklander }
53332b31808SJens Wiklander return 0;
53432b31808SJens Wiklander }
53532b31808SJens Wiklander #endif /* MBEDTLS_TEST_HOOKS */
53632b31808SJens Wiklander
53732b31808SJens Wiklander /**
53832b31808SJens Wiklander * \brief This macro checks if the remaining size in a buffer is
53932b31808SJens Wiklander * greater or equal than a needed space. If it is not the case,
54032b31808SJens Wiklander * it returns an SSL_BUFFER_TOO_SMALL error.
54132b31808SJens Wiklander *
54232b31808SJens Wiklander * \param cur Pointer to the current position in the buffer.
54332b31808SJens Wiklander * \param end Pointer to one past the end of the buffer.
54432b31808SJens Wiklander * \param need Needed space in bytes.
54532b31808SJens Wiklander *
54632b31808SJens Wiklander */
54732b31808SJens Wiklander #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \
54832b31808SJens Wiklander do { \
54932b31808SJens Wiklander if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
55032b31808SJens Wiklander { \
55132b31808SJens Wiklander return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \
55232b31808SJens Wiklander } \
55332b31808SJens Wiklander } while (0)
55432b31808SJens Wiklander
55532b31808SJens Wiklander /**
55632b31808SJens Wiklander * \brief This macro checks if the remaining length in an input buffer is
55732b31808SJens Wiklander * greater or equal than a needed length. If it is not the case, it
55832b31808SJens Wiklander * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
55932b31808SJens Wiklander * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
56032b31808SJens Wiklander *
56132b31808SJens Wiklander * This is a function-like macro. It is guaranteed to evaluate each
56232b31808SJens Wiklander * argument exactly once.
56332b31808SJens Wiklander *
56432b31808SJens Wiklander * \param cur Pointer to the current position in the buffer.
56532b31808SJens Wiklander * \param end Pointer to one past the end of the buffer.
56632b31808SJens Wiklander * \param need Needed length in bytes.
56732b31808SJens Wiklander *
56832b31808SJens Wiklander */
56932b31808SJens Wiklander #define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \
57032b31808SJens Wiklander do { \
57132b31808SJens Wiklander if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \
57232b31808SJens Wiklander { \
57332b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, \
57432b31808SJens Wiklander ("missing input data in %s", __func__)); \
57532b31808SJens Wiklander MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
57632b31808SJens Wiklander MBEDTLS_ERR_SSL_DECODE_ERROR); \
57732b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; \
57832b31808SJens Wiklander } \
57932b31808SJens Wiklander } while (0)
58032b31808SJens Wiklander
58132b31808SJens Wiklander #ifdef __cplusplus
58232b31808SJens Wiklander extern "C" {
58332b31808SJens Wiklander #endif
58432b31808SJens Wiklander
58532b31808SJens Wiklander typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen,
58632b31808SJens Wiklander const char *label,
58732b31808SJens Wiklander const unsigned char *random, size_t rlen,
58832b31808SJens Wiklander unsigned char *dstbuf, size_t dlen);
58932b31808SJens Wiklander
59032b31808SJens Wiklander /* cipher.h exports the maximum IV, key and block length from
59132b31808SJens Wiklander * all ciphers enabled in the config, regardless of whether those
59232b31808SJens Wiklander * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled
59332b31808SJens Wiklander * in the default configuration and uses 64 Byte keys, but it is
59432b31808SJens Wiklander * not used for record protection in SSL/TLS.
59532b31808SJens Wiklander *
59632b31808SJens Wiklander * In order to prevent unnecessary inflation of key structures,
59732b31808SJens Wiklander * we introduce SSL-specific variants of the max-{key,block,IV}
59832b31808SJens Wiklander * macros here which are meant to only take those ciphers into
59932b31808SJens Wiklander * account which can be negotiated in SSL/TLS.
60032b31808SJens Wiklander *
60132b31808SJens Wiklander * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH
60232b31808SJens Wiklander * in cipher.h are rough overapproximations of the real maxima, here
60332b31808SJens Wiklander * we content ourselves with replicating those overapproximations
60432b31808SJens Wiklander * for the maximum block and IV length, and excluding XTS from the
60532b31808SJens Wiklander * computation of the maximum key length. */
60632b31808SJens Wiklander #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16
60732b31808SJens Wiklander #define MBEDTLS_SSL_MAX_IV_LENGTH 16
60832b31808SJens Wiklander #define MBEDTLS_SSL_MAX_KEY_LENGTH 32
60932b31808SJens Wiklander
61032b31808SJens Wiklander /**
61132b31808SJens Wiklander * \brief The data structure holding the cryptographic material (key and IV)
61232b31808SJens Wiklander * used for record protection in TLS 1.3.
61332b31808SJens Wiklander */
61432b31808SJens Wiklander struct mbedtls_ssl_key_set {
61532b31808SJens Wiklander /*! The key for client->server records. */
61632b31808SJens Wiklander unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
61732b31808SJens Wiklander /*! The key for server->client records. */
61832b31808SJens Wiklander unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH];
61932b31808SJens Wiklander /*! The IV for client->server records. */
62032b31808SJens Wiklander unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
62132b31808SJens Wiklander /*! The IV for server->client records. */
62232b31808SJens Wiklander unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH];
62332b31808SJens Wiklander
62432b31808SJens Wiklander size_t key_len; /*!< The length of client_write_key and
62532b31808SJens Wiklander * server_write_key, in Bytes. */
62632b31808SJens Wiklander size_t iv_len; /*!< The length of client_write_iv and
62732b31808SJens Wiklander * server_write_iv, in Bytes. */
62832b31808SJens Wiklander };
62932b31808SJens Wiklander typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set;
63032b31808SJens Wiklander
63132b31808SJens Wiklander typedef struct {
63232b31808SJens Wiklander unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE];
63332b31808SJens Wiklander unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
63432b31808SJens Wiklander unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
63532b31808SJens Wiklander } mbedtls_ssl_tls13_early_secrets;
63632b31808SJens Wiklander
63732b31808SJens Wiklander typedef struct {
63832b31808SJens Wiklander unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
63932b31808SJens Wiklander unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE];
64032b31808SJens Wiklander } mbedtls_ssl_tls13_handshake_secrets;
64132b31808SJens Wiklander
64232b31808SJens Wiklander /*
64332b31808SJens Wiklander * This structure contains the parameters only needed during handshake.
64432b31808SJens Wiklander */
64532b31808SJens Wiklander struct mbedtls_ssl_handshake_params {
64632b31808SJens Wiklander /* Frequently-used boolean or byte fields (placed early to take
64732b31808SJens Wiklander * advantage of smaller code size for indirect access on Arm Thumb) */
64832b31808SJens Wiklander uint8_t resume; /*!< session resume indicator*/
64932b31808SJens Wiklander uint8_t cli_exts; /*!< client extension presence*/
65032b31808SJens Wiklander
65132b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
65232b31808SJens Wiklander uint8_t sni_authmode; /*!< authmode from SNI callback */
65332b31808SJens Wiklander #endif
65432b31808SJens Wiklander
65532b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C)
65632b31808SJens Wiklander /* Flag indicating if a CertificateRequest message has been sent
65732b31808SJens Wiklander * to the client or not. */
65832b31808SJens Wiklander uint8_t certificate_request_sent;
659b0563631STom Van Eyck #if defined(MBEDTLS_SSL_EARLY_DATA)
660b0563631STom Van Eyck /* Flag indicating if the server has accepted early data or not. */
661b0563631STom Van Eyck uint8_t early_data_accepted;
662b0563631STom Van Eyck #endif
66332b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C */
66432b31808SJens Wiklander
66532b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS)
66632b31808SJens Wiklander uint8_t new_session_ticket; /*!< use NewSessionTicket? */
66732b31808SJens Wiklander #endif /* MBEDTLS_SSL_SESSION_TICKETS */
66832b31808SJens Wiklander
66932b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C)
67032b31808SJens Wiklander /** Minimum TLS version to be negotiated.
67132b31808SJens Wiklander *
67232b31808SJens Wiklander * It is set up in the ClientHello writing preparation stage and used
67332b31808SJens Wiklander * throughout the ClientHello writing. Not relevant anymore as soon as
67432b31808SJens Wiklander * the protocol version has been negotiated thus as soon as the
67532b31808SJens Wiklander * ServerHello is received.
67632b31808SJens Wiklander * For a fresh handshake not linked to any previous handshake, it is
67732b31808SJens Wiklander * equal to the configured minimum minor version to be negotiated. When
67832b31808SJens Wiklander * renegotiating or resuming a session, it is equal to the previously
67932b31808SJens Wiklander * negotiated minor version.
68032b31808SJens Wiklander *
68132b31808SJens Wiklander * There is no maximum TLS version field in this handshake context.
68232b31808SJens Wiklander * From the start of the handshake, we need to define a current protocol
68332b31808SJens Wiklander * version for the record layer which we define as the maximum TLS
68432b31808SJens Wiklander * version to be negotiated. The `tls_version` field of the SSL context is
68532b31808SJens Wiklander * used to store this maximum value until it contains the actual
68632b31808SJens Wiklander * negotiated value.
68732b31808SJens Wiklander */
68832b31808SJens Wiklander mbedtls_ssl_protocol_version min_tls_version;
68932b31808SJens Wiklander #endif
69032b31808SJens Wiklander
69132b31808SJens Wiklander #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
69232b31808SJens Wiklander uint8_t extended_ms; /*!< use Extended Master Secret? */
69332b31808SJens Wiklander #endif
69432b31808SJens Wiklander
69532b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
69632b31808SJens Wiklander uint8_t async_in_progress; /*!< an asynchronous operation is in progress */
69732b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
69832b31808SJens Wiklander
69932b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS)
70032b31808SJens Wiklander unsigned char retransmit_state; /*!< Retransmission state */
70132b31808SJens Wiklander #endif
70232b31808SJens Wiklander
70332b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED)
70432b31808SJens Wiklander unsigned char group_list_heap_allocated;
70532b31808SJens Wiklander unsigned char sig_algs_heap_allocated;
70632b31808SJens Wiklander #endif
70732b31808SJens Wiklander
70832b31808SJens Wiklander #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
70932b31808SJens Wiklander uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */
71032b31808SJens Wiklander enum { /* this complements ssl->state with info on intra-state operations */
71132b31808SJens Wiklander ssl_ecrs_none = 0, /*!< nothing going on (yet) */
71232b31808SJens Wiklander ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
71332b31808SJens Wiklander ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
71432b31808SJens Wiklander ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
71532b31808SJens Wiklander ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
71632b31808SJens Wiklander } ecrs_state; /*!< current (or last) operation */
71732b31808SJens Wiklander mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
71832b31808SJens Wiklander size_t ecrs_n; /*!< place for saving a length */
71932b31808SJens Wiklander #endif
72032b31808SJens Wiklander
72132b31808SJens Wiklander mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
72232b31808SJens Wiklander
72332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
72432b31808SJens Wiklander int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
72532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
72632b31808SJens Wiklander int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
72732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
72832b31808SJens Wiklander int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
72932b31808SJens Wiklander mbedtls_ssl_tls_prf_cb *tls_prf;
73032b31808SJens Wiklander
73132b31808SJens Wiklander /*
73232b31808SJens Wiklander * Handshake specific crypto variables
73332b31808SJens Wiklander */
73432b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
73532b31808SJens Wiklander uint8_t key_exchange_mode; /*!< Selected key exchange mode */
73632b31808SJens Wiklander
737b0563631STom Van Eyck /**
738b0563631STom Van Eyck * Flag indicating if, in the course of the current handshake, an
739b0563631STom Van Eyck * HelloRetryRequest message has been sent by the server or received by
740b0563631STom Van Eyck * the client (<> 0) or not (0).
741b0563631STom Van Eyck */
742b0563631STom Van Eyck uint8_t hello_retry_request_flag;
743b0563631STom Van Eyck
744b0563631STom Van Eyck #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
745b0563631STom Van Eyck /**
746b0563631STom Van Eyck * Flag indicating if, in the course of the current handshake, a dummy
747b0563631STom Van Eyck * change_cipher_spec (CCS) record has already been sent. Used to send only
748b0563631STom Van Eyck * one CCS per handshake while not complicating the handshake state
749b0563631STom Van Eyck * transitions for that purpose.
750b0563631STom Van Eyck */
751b0563631STom Van Eyck uint8_t ccs_sent;
752b0563631STom Van Eyck #endif
75332b31808SJens Wiklander
75432b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C)
75532b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
75632b31808SJens Wiklander uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */
75732b31808SJens Wiklander #endif
758b0563631STom Van Eyck /** selected_group of key_share extension in HelloRetryRequest message. */
759b0563631STom Van Eyck uint16_t hrr_selected_group;
76032b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS)
76132b31808SJens Wiklander uint16_t new_session_tickets_count; /*!< number of session tickets */
76232b31808SJens Wiklander #endif
76332b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C */
76432b31808SJens Wiklander
76532b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
76632b31808SJens Wiklander
76732b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
76832b31808SJens Wiklander uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
76932b31808SJens Wiklander #endif
77032b31808SJens Wiklander
77132b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED)
77232b31808SJens Wiklander const uint16_t *group_list;
77332b31808SJens Wiklander const uint16_t *sig_algs;
77432b31808SJens Wiklander #endif
77532b31808SJens Wiklander
77632b31808SJens Wiklander #if defined(MBEDTLS_DHM_C)
77732b31808SJens Wiklander mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
77832b31808SJens Wiklander #endif
77932b31808SJens Wiklander
780b0563631STom Van Eyck #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \
781b0563631STom Van Eyck defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED)
78232b31808SJens Wiklander mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
783b0563631STom Van Eyck #endif /* !MBEDTLS_USE_PSA_CRYPTO &&
784b0563631STom Van Eyck MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */
78532b31808SJens Wiklander
786b0563631STom Van Eyck #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED)
787b0563631STom Van Eyck psa_key_type_t xxdh_psa_type;
788b0563631STom Van Eyck size_t xxdh_psa_bits;
789b0563631STom Van Eyck mbedtls_svc_key_id_t xxdh_psa_privkey;
790b0563631STom Van Eyck uint8_t xxdh_psa_privkey_is_external;
791b0563631STom Van Eyck unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE];
792b0563631STom Van Eyck size_t xxdh_psa_peerkey_len;
793b0563631STom Van Eyck #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */
79432b31808SJens Wiklander
79532b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
79632b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO)
79732b31808SJens Wiklander psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */
79832b31808SJens Wiklander mbedtls_svc_key_id_t psa_pake_password;
79932b31808SJens Wiklander uint8_t psa_pake_ctx_is_ok;
80032b31808SJens Wiklander #else
80132b31808SJens Wiklander mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
80232b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */
80332b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C)
80432b31808SJens Wiklander unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
80532b31808SJens Wiklander size_t ecjpake_cache_len; /*!< Length of cached data */
80632b31808SJens Wiklander #endif
80732b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
80832b31808SJens Wiklander
809b0563631STom Van Eyck #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
810b0563631STom Van Eyck defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) || \
81132b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
81232b31808SJens Wiklander uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */
81332b31808SJens Wiklander #endif
81432b31808SJens Wiklander
81532b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
81632b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO)
81732b31808SJens Wiklander mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
81832b31808SJens Wiklander uint8_t psk_opaque_is_internal;
81932b31808SJens Wiklander #else
82032b31808SJens Wiklander unsigned char *psk; /*!< PSK from the callback */
82132b31808SJens Wiklander size_t psk_len; /*!< Length of PSK from callback */
82232b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */
82332b31808SJens Wiklander uint16_t selected_identity;
82432b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
82532b31808SJens Wiklander
82632b31808SJens Wiklander #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
82732b31808SJens Wiklander mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
82832b31808SJens Wiklander #endif
82932b31808SJens Wiklander
83032b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C)
83132b31808SJens Wiklander mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
83232b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
83332b31808SJens Wiklander mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
83432b31808SJens Wiklander mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
83532b31808SJens Wiklander mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
83632b31808SJens Wiklander #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
83732b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C */
83832b31808SJens Wiklander
83932b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C) && \
84032b31808SJens Wiklander !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
84132b31808SJens Wiklander mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
84232b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
84332b31808SJens Wiklander
84432b31808SJens Wiklander struct {
84532b31808SJens Wiklander size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
84632b31808SJens Wiklander * buffers used for message buffering. */
84732b31808SJens Wiklander
84832b31808SJens Wiklander uint8_t seen_ccs; /*!< Indicates if a CCS message has
84932b31808SJens Wiklander * been seen in the current flight. */
85032b31808SJens Wiklander
85132b31808SJens Wiklander struct mbedtls_ssl_hs_buffer {
85232b31808SJens Wiklander unsigned is_valid : 1;
85332b31808SJens Wiklander unsigned is_fragmented : 1;
85432b31808SJens Wiklander unsigned is_complete : 1;
85532b31808SJens Wiklander unsigned char *data;
85632b31808SJens Wiklander size_t data_len;
85732b31808SJens Wiklander } hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
85832b31808SJens Wiklander
85932b31808SJens Wiklander struct {
86032b31808SJens Wiklander unsigned char *data;
86132b31808SJens Wiklander size_t len;
86232b31808SJens Wiklander unsigned epoch;
86332b31808SJens Wiklander } future_record;
86432b31808SJens Wiklander
86532b31808SJens Wiklander } buffering;
86632b31808SJens Wiklander
86732b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) && \
86832b31808SJens Wiklander (defined(MBEDTLS_SSL_PROTO_DTLS) || \
86932b31808SJens Wiklander defined(MBEDTLS_SSL_PROTO_TLS1_3))
87032b31808SJens Wiklander unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS
87132b31808SJens Wiklander * HelloRetryRequest cookie for TLS 1.3 */
87232b31808SJens Wiklander #if !defined(MBEDTLS_SSL_PROTO_TLS1_3)
87332b31808SJens Wiklander /* RFC 6347 page 15
87432b31808SJens Wiklander ...
87532b31808SJens Wiklander opaque cookie<0..2^8-1>;
87632b31808SJens Wiklander ...
87732b31808SJens Wiklander */
87832b31808SJens Wiklander uint8_t cookie_len;
87932b31808SJens Wiklander #else
88032b31808SJens Wiklander /* RFC 8446 page 39
88132b31808SJens Wiklander ...
88232b31808SJens Wiklander opaque cookie<0..2^16-1>;
88332b31808SJens Wiklander ...
88432b31808SJens Wiklander If TLS1_3 is enabled, the max length is 2^16 - 1
88532b31808SJens Wiklander */
88632b31808SJens Wiklander uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length
88732b31808SJens Wiklander * TLS1_3: HelloRetryRequest cookie length */
88832b31808SJens Wiklander #endif
88932b31808SJens Wiklander #endif /* MBEDTLS_SSL_CLI_C &&
89032b31808SJens Wiklander ( MBEDTLS_SSL_PROTO_DTLS ||
89132b31808SJens Wiklander MBEDTLS_SSL_PROTO_TLS1_3 ) */
89232b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS)
89332b31808SJens Wiklander unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */
89432b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */
89532b31808SJens Wiklander
89632b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS)
89732b31808SJens Wiklander unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
89832b31808SJens Wiklander unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
89932b31808SJens Wiklander
90032b31808SJens Wiklander uint32_t retransmit_timeout; /*!< Current value of timeout */
90132b31808SJens Wiklander mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
90232b31808SJens Wiklander mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
90332b31808SJens Wiklander unsigned char *cur_msg_p; /*!< Position in current message */
90432b31808SJens Wiklander unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
90532b31808SJens Wiklander flight being received */
90632b31808SJens Wiklander mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
90732b31808SJens Wiklander resending messages */
90832b31808SJens Wiklander unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter
90932b31808SJens Wiklander for resending messages */
91032b31808SJens Wiklander
91132b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
91232b31808SJens Wiklander /* The state of CID configuration in this handshake. */
91332b31808SJens Wiklander
91432b31808SJens Wiklander uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension
91532b31808SJens Wiklander * has been negotiated. Possible values are
91632b31808SJens Wiklander * #MBEDTLS_SSL_CID_ENABLED and
91732b31808SJens Wiklander * #MBEDTLS_SSL_CID_DISABLED. */
91832b31808SJens Wiklander unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */
91932b31808SJens Wiklander uint8_t peer_cid_len; /*!< The length of
92032b31808SJens Wiklander * \c peer_cid. */
92132b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
92232b31808SJens Wiklander
92332b31808SJens Wiklander uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
92432b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */
92532b31808SJens Wiklander
92632b31808SJens Wiklander /*
92732b31808SJens Wiklander * Checksum contexts
92832b31808SJens Wiklander */
929b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA256)
93032b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO)
93132b31808SJens Wiklander psa_hash_operation_t fin_sha256_psa;
93232b31808SJens Wiklander #else
93332b31808SJens Wiklander mbedtls_md_context_t fin_sha256;
93432b31808SJens Wiklander #endif
93532b31808SJens Wiklander #endif
936b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA384)
93732b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO)
93832b31808SJens Wiklander psa_hash_operation_t fin_sha384_psa;
93932b31808SJens Wiklander #else
94032b31808SJens Wiklander mbedtls_md_context_t fin_sha384;
94132b31808SJens Wiklander #endif
94232b31808SJens Wiklander #endif
94332b31808SJens Wiklander
94432b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
94532b31808SJens Wiklander uint16_t offered_group_id; /* The NamedGroup value for the group
94632b31808SJens Wiklander * that is being used for ephemeral
94732b31808SJens Wiklander * key exchange.
94832b31808SJens Wiklander *
94932b31808SJens Wiklander * On the client: Defaults to the first
95032b31808SJens Wiklander * entry in the client's group list,
95132b31808SJens Wiklander * but can be overwritten by the HRR. */
95232b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
95332b31808SJens Wiklander
95432b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C)
95532b31808SJens Wiklander uint8_t client_auth; /*!< used to check if CertificateRequest has been
95632b31808SJens Wiklander received from server side. If CertificateRequest
95732b31808SJens Wiklander has been received, Certificate and CertificateVerify
95832b31808SJens Wiklander should be sent to server */
95932b31808SJens Wiklander #endif /* MBEDTLS_SSL_CLI_C */
96032b31808SJens Wiklander /*
96132b31808SJens Wiklander * State-local variables used during the processing
96232b31808SJens Wiklander * of a specific handshake state.
96332b31808SJens Wiklander */
96432b31808SJens Wiklander union {
96532b31808SJens Wiklander /* Outgoing Finished message */
96632b31808SJens Wiklander struct {
96732b31808SJens Wiklander uint8_t preparation_done;
96832b31808SJens Wiklander
96932b31808SJens Wiklander /* Buffer holding digest of the handshake up to
97032b31808SJens Wiklander * but excluding the outgoing finished message. */
97132b31808SJens Wiklander unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
97232b31808SJens Wiklander size_t digest_len;
97332b31808SJens Wiklander } finished_out;
97432b31808SJens Wiklander
97532b31808SJens Wiklander /* Incoming Finished message */
97632b31808SJens Wiklander struct {
97732b31808SJens Wiklander uint8_t preparation_done;
97832b31808SJens Wiklander
97932b31808SJens Wiklander /* Buffer holding digest of the handshake up to but
98032b31808SJens Wiklander * excluding the peer's incoming finished message. */
98132b31808SJens Wiklander unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE];
98232b31808SJens Wiklander size_t digest_len;
98332b31808SJens Wiklander } finished_in;
98432b31808SJens Wiklander
98532b31808SJens Wiklander } state_local;
98632b31808SJens Wiklander
98732b31808SJens Wiklander /* End of state-local variables. */
98832b31808SJens Wiklander
98932b31808SJens Wiklander unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN +
99032b31808SJens Wiklander MBEDTLS_SERVER_HELLO_RANDOM_LEN];
99132b31808SJens Wiklander /*!< random bytes */
99232b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
99332b31808SJens Wiklander unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
99432b31808SJens Wiklander /*!< premaster secret */
99532b31808SJens Wiklander size_t pmslen; /*!< premaster length */
99632b31808SJens Wiklander #endif
99732b31808SJens Wiklander
99832b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
99932b31808SJens Wiklander uint32_t sent_extensions; /*!< extensions sent by endpoint */
100032b31808SJens Wiklander uint32_t received_extensions; /*!< extensions received by endpoint */
100132b31808SJens Wiklander
100232b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
100332b31808SJens Wiklander unsigned char certificate_request_context_len;
100432b31808SJens Wiklander unsigned char *certificate_request_context;
100532b31808SJens Wiklander #endif
100632b31808SJens Wiklander
100732b31808SJens Wiklander /** TLS 1.3 transform for encrypted handshake messages. */
100832b31808SJens Wiklander mbedtls_ssl_transform *transform_handshake;
100932b31808SJens Wiklander union {
101032b31808SJens Wiklander unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE];
101132b31808SJens Wiklander unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE];
101232b31808SJens Wiklander unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE];
101332b31808SJens Wiklander } tls13_master_secrets;
101432b31808SJens Wiklander
101532b31808SJens Wiklander mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
101632b31808SJens Wiklander #if defined(MBEDTLS_SSL_EARLY_DATA)
101732b31808SJens Wiklander /** TLS 1.3 transform for early data and handshake messages. */
101832b31808SJens Wiklander mbedtls_ssl_transform *transform_earlydata;
101932b31808SJens Wiklander #endif
102032b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
102132b31808SJens Wiklander
102232b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
102332b31808SJens Wiklander /** Asynchronous operation context. This field is meant for use by the
102432b31808SJens Wiklander * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
102532b31808SJens Wiklander * mbedtls_ssl_config::f_async_decrypt_start,
102632b31808SJens Wiklander * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
102732b31808SJens Wiklander * The library does not use it internally. */
102832b31808SJens Wiklander void *user_async_ctx;
102932b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
103032b31808SJens Wiklander
103132b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
103232b31808SJens Wiklander const unsigned char *sni_name; /*!< raw SNI */
103332b31808SJens Wiklander size_t sni_name_len; /*!< raw SNI len */
103432b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
103532b31808SJens Wiklander const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
103632b31808SJens Wiklander #endif
103732b31808SJens Wiklander #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
103832b31808SJens Wiklander };
103932b31808SJens Wiklander
104032b31808SJens Wiklander typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
104132b31808SJens Wiklander
104232b31808SJens Wiklander /*
104332b31808SJens Wiklander * Representation of decryption/encryption transformations on records
104432b31808SJens Wiklander *
104532b31808SJens Wiklander * There are the following general types of record transformations:
104632b31808SJens Wiklander * - Stream transformations (TLS versions == 1.2 only)
104732b31808SJens Wiklander * Transformation adding a MAC and applying a stream-cipher
104832b31808SJens Wiklander * to the authenticated message.
104932b31808SJens Wiklander * - CBC block cipher transformations ([D]TLS versions == 1.2 only)
105032b31808SJens Wiklander * For TLS 1.2, no IV is generated at key extraction time, but every
105132b31808SJens Wiklander * encrypted record is explicitly prefixed by the IV with which it was
105232b31808SJens Wiklander * encrypted.
105332b31808SJens Wiklander * - AEAD transformations ([D]TLS versions == 1.2 only)
105432b31808SJens Wiklander * These come in two fundamentally different versions, the first one
105532b31808SJens Wiklander * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second
105632b31808SJens Wiklander * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3.
105732b31808SJens Wiklander * In the first transformation, the IV to be used for a record is obtained
105832b31808SJens Wiklander * as the concatenation of an explicit, static 4-byte IV and the 8-byte
105932b31808SJens Wiklander * record sequence number, and explicitly prepending this sequence number
106032b31808SJens Wiklander * to the encrypted record. In contrast, in the second transformation
106132b31808SJens Wiklander * the IV is obtained by XOR'ing a static IV obtained at key extraction
106232b31808SJens Wiklander * time with the 8-byte record sequence number, without prepending the
106332b31808SJens Wiklander * latter to the encrypted record.
106432b31808SJens Wiklander *
106532b31808SJens Wiklander * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext
106632b31808SJens Wiklander * which allows to add flexible length padding and to hide a record's true
106732b31808SJens Wiklander * content type.
106832b31808SJens Wiklander *
106932b31808SJens Wiklander * In addition to type and version, the following parameters are relevant:
107032b31808SJens Wiklander * - The symmetric cipher algorithm to be used.
107132b31808SJens Wiklander * - The (static) encryption/decryption keys for the cipher.
107232b31808SJens Wiklander * - For stream/CBC, the type of message digest to be used.
107332b31808SJens Wiklander * - For stream/CBC, (static) encryption/decryption keys for the digest.
107432b31808SJens Wiklander * - For AEAD transformations, the size (potentially 0) of an explicit,
107532b31808SJens Wiklander * random initialization vector placed in encrypted records.
107632b31808SJens Wiklander * - For some transformations (currently AEAD) an implicit IV. It is static
107732b31808SJens Wiklander * and (if present) is combined with the explicit IV in a transformation-
107832b31808SJens Wiklander * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3).
107932b31808SJens Wiklander * - For stream/CBC, a flag determining the order of encryption and MAC.
108032b31808SJens Wiklander * - The details of the transformation depend on the SSL/TLS version.
108132b31808SJens Wiklander * - The length of the authentication tag.
108232b31808SJens Wiklander *
108332b31808SJens Wiklander * The struct below refines this abstract view as follows:
108432b31808SJens Wiklander * - The cipher underlying the transformation is managed in
108532b31808SJens Wiklander * cipher contexts cipher_ctx_{enc/dec}, which must have the
108632b31808SJens Wiklander * same cipher type. The mode of these cipher contexts determines
108732b31808SJens Wiklander * the type of the transformation in the sense above: e.g., if
108832b31808SJens Wiklander * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM
108932b31808SJens Wiklander * then the transformation has type CBC resp. AEAD.
109032b31808SJens Wiklander * - The cipher keys are never stored explicitly but
109132b31808SJens Wiklander * are maintained within cipher_ctx_{enc/dec}.
109232b31808SJens Wiklander * - For stream/CBC transformations, the message digest contexts
109332b31808SJens Wiklander * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts
109432b31808SJens Wiklander * are unused for AEAD transformations.
109532b31808SJens Wiklander * - For stream/CBC transformations, the MAC keys are not stored explicitly
109632b31808SJens Wiklander * but maintained within md_ctx_{enc/dec}.
109732b31808SJens Wiklander * - The mac_enc and mac_dec fields are unused for EAD transformations.
109832b31808SJens Wiklander * - For transformations using an implicit IV maintained within
109932b31808SJens Wiklander * the transformation context, its contents are stored within
110032b31808SJens Wiklander * iv_{enc/dec}.
110132b31808SJens Wiklander * - The value of ivlen indicates the length of the IV.
110232b31808SJens Wiklander * This is redundant in case of stream/CBC transformations
110332b31808SJens Wiklander * which always use 0 resp. the cipher's block length as the
110432b31808SJens Wiklander * IV length, but is needed for AEAD ciphers and may be
110532b31808SJens Wiklander * different from the underlying cipher's block length
110632b31808SJens Wiklander * in this case.
110732b31808SJens Wiklander * - The field fixed_ivlen is nonzero for AEAD transformations only
110832b31808SJens Wiklander * and indicates the length of the static part of the IV which is
110932b31808SJens Wiklander * constant throughout the communication, and which is stored in
111032b31808SJens Wiklander * the first fixed_ivlen bytes of the iv_{enc/dec} arrays.
111132b31808SJens Wiklander * - tls_version denotes the 2-byte TLS version
111232b31808SJens Wiklander * - For stream/CBC transformations, maclen denotes the length of the
111332b31808SJens Wiklander * authentication tag, while taglen is unused and 0.
111432b31808SJens Wiklander * - For AEAD transformations, taglen denotes the length of the
111532b31808SJens Wiklander * authentication tag, while maclen is unused and 0.
111632b31808SJens Wiklander * - For CBC transformations, encrypt_then_mac determines the
111732b31808SJens Wiklander * order of encryption and authentication. This field is unused
111832b31808SJens Wiklander * in other transformations.
111932b31808SJens Wiklander *
112032b31808SJens Wiklander */
112132b31808SJens Wiklander struct mbedtls_ssl_transform {
112232b31808SJens Wiklander /*
112332b31808SJens Wiklander * Session specific crypto layer
112432b31808SJens Wiklander */
112532b31808SJens Wiklander size_t minlen; /*!< min. ciphertext length */
112632b31808SJens Wiklander size_t ivlen; /*!< IV length */
112732b31808SJens Wiklander size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
112832b31808SJens Wiklander size_t maclen; /*!< MAC(CBC) len */
112932b31808SJens Wiklander size_t taglen; /*!< TAG(AEAD) len */
113032b31808SJens Wiklander
113132b31808SJens Wiklander unsigned char iv_enc[16]; /*!< IV (encryption) */
113232b31808SJens Wiklander unsigned char iv_dec[16]; /*!< IV (decryption) */
113332b31808SJens Wiklander
113432b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
113532b31808SJens Wiklander
113632b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO)
113732b31808SJens Wiklander mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */
113832b31808SJens Wiklander mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */
113932b31808SJens Wiklander psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */
114032b31808SJens Wiklander #else
114132b31808SJens Wiklander mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
114232b31808SJens Wiklander mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
114332b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */
114432b31808SJens Wiklander
114532b31808SJens Wiklander #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
114632b31808SJens Wiklander int encrypt_then_mac; /*!< flag for EtM activation */
114732b31808SJens Wiklander #endif
114832b31808SJens Wiklander
114932b31808SJens Wiklander #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
115032b31808SJens Wiklander
115132b31808SJens Wiklander mbedtls_ssl_protocol_version tls_version;
115232b31808SJens Wiklander
115332b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO)
115432b31808SJens Wiklander mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */
115532b31808SJens Wiklander mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */
115632b31808SJens Wiklander psa_algorithm_t psa_alg; /*!< psa algorithm */
115732b31808SJens Wiklander #else
115832b31808SJens Wiklander mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
115932b31808SJens Wiklander mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
116032b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */
116132b31808SJens Wiklander
116232b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
116332b31808SJens Wiklander uint8_t in_cid_len;
116432b31808SJens Wiklander uint8_t out_cid_len;
116532b31808SJens Wiklander unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
116632b31808SJens Wiklander unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
116732b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
116832b31808SJens Wiklander
1169*273a583eSThomas Bourgoin #if defined(MBEDTLS_SSL_KEEP_RANDBYTES)
117032b31808SJens Wiklander /* We need the Hello random bytes in order to re-derive keys from the
1171*273a583eSThomas Bourgoin * Master Secret and other session info and for the keying material
1172*273a583eSThomas Bourgoin * exporter in TLS 1.2.
1173*273a583eSThomas Bourgoin * See ssl_tls12_populate_transform() */
117432b31808SJens Wiklander unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN +
117532b31808SJens Wiklander MBEDTLS_CLIENT_HELLO_RANDOM_LEN];
117632b31808SJens Wiklander /*!< ServerHello.random+ClientHello.random */
1177*273a583eSThomas Bourgoin #endif /* defined(MBEDTLS_SSL_KEEP_RANDBYTES) */
117832b31808SJens Wiklander };
117932b31808SJens Wiklander
118032b31808SJens Wiklander /*
118132b31808SJens Wiklander * Return 1 if the transform uses an AEAD cipher, 0 otherwise.
118232b31808SJens Wiklander * Equivalently, return 0 if a separate MAC is used, 1 otherwise.
118332b31808SJens Wiklander */
mbedtls_ssl_transform_uses_aead(const mbedtls_ssl_transform * transform)118432b31808SJens Wiklander static inline int mbedtls_ssl_transform_uses_aead(
118532b31808SJens Wiklander const mbedtls_ssl_transform *transform)
118632b31808SJens Wiklander {
118732b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
118832b31808SJens Wiklander return transform->maclen == 0 && transform->taglen != 0;
118932b31808SJens Wiklander #else
119032b31808SJens Wiklander (void) transform;
119132b31808SJens Wiklander return 1;
119232b31808SJens Wiklander #endif
119332b31808SJens Wiklander }
119432b31808SJens Wiklander
119532b31808SJens Wiklander /*
119632b31808SJens Wiklander * Internal representation of record frames
119732b31808SJens Wiklander *
119832b31808SJens Wiklander * Instances come in two flavors:
119932b31808SJens Wiklander * (1) Encrypted
120032b31808SJens Wiklander * These always have data_offset = 0
120132b31808SJens Wiklander * (2) Unencrypted
120232b31808SJens Wiklander * These have data_offset set to the amount of
120332b31808SJens Wiklander * pre-expansion during record protection. Concretely,
120432b31808SJens Wiklander * this is the length of the fixed part of the explicit IV
120532b31808SJens Wiklander * used for encryption, or 0 if no explicit IV is used
120632b31808SJens Wiklander * (e.g. for stream ciphers).
120732b31808SJens Wiklander *
120832b31808SJens Wiklander * The reason for the data_offset in the unencrypted case
120932b31808SJens Wiklander * is to allow for in-place conversion of an unencrypted to
121032b31808SJens Wiklander * an encrypted record. If the offset wasn't included, the
121132b31808SJens Wiklander * encrypted content would need to be shifted afterwards to
121232b31808SJens Wiklander * make space for the fixed IV.
121332b31808SJens Wiklander *
121432b31808SJens Wiklander */
121532b31808SJens Wiklander #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX
121632b31808SJens Wiklander #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX
121732b31808SJens Wiklander #else
121832b31808SJens Wiklander #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX
121932b31808SJens Wiklander #endif
122032b31808SJens Wiklander
122132b31808SJens Wiklander typedef struct {
122232b31808SJens Wiklander uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number.
122332b31808SJens Wiklander * In DTLS: The 2-byte epoch followed by
122432b31808SJens Wiklander * the 6-byte sequence number.
122532b31808SJens Wiklander * This is stored as a raw big endian byte array
122632b31808SJens Wiklander * as opposed to a uint64_t because we rarely
122732b31808SJens Wiklander * need to perform arithmetic on this, but do
122832b31808SJens Wiklander * need it as a Byte array for the purpose of
122932b31808SJens Wiklander * MAC computations. */
123032b31808SJens Wiklander uint8_t type; /* The record content type. */
123132b31808SJens Wiklander uint8_t ver[2]; /* SSL/TLS version as present on the wire.
123232b31808SJens Wiklander * Convert to internal presentation of versions
123332b31808SJens Wiklander * using mbedtls_ssl_read_version() and
123432b31808SJens Wiklander * mbedtls_ssl_write_version().
123532b31808SJens Wiklander * Keep wire-format for MAC computations. */
123632b31808SJens Wiklander
123732b31808SJens Wiklander unsigned char *buf; /* Memory buffer enclosing the record content */
123832b31808SJens Wiklander size_t buf_len; /* Buffer length */
123932b31808SJens Wiklander size_t data_offset; /* Offset of record content */
124032b31808SJens Wiklander size_t data_len; /* Length of record content */
124132b31808SJens Wiklander
124232b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
124332b31808SJens Wiklander uint8_t cid_len; /* Length of the CID (0 if not present) */
124432b31808SJens Wiklander unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */
124532b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
124632b31808SJens Wiklander } mbedtls_record;
124732b31808SJens Wiklander
124832b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C)
124932b31808SJens Wiklander /*
125032b31808SJens Wiklander * List of certificate + private key pairs
125132b31808SJens Wiklander */
125232b31808SJens Wiklander struct mbedtls_ssl_key_cert {
125332b31808SJens Wiklander mbedtls_x509_crt *cert; /*!< cert */
125432b31808SJens Wiklander mbedtls_pk_context *key; /*!< private key */
125532b31808SJens Wiklander mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
125632b31808SJens Wiklander };
125732b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C */
125832b31808SJens Wiklander
125932b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS)
126032b31808SJens Wiklander /*
126132b31808SJens Wiklander * List of handshake messages kept around for resending
126232b31808SJens Wiklander */
126332b31808SJens Wiklander struct mbedtls_ssl_flight_item {
126432b31808SJens Wiklander unsigned char *p; /*!< message, including handshake headers */
126532b31808SJens Wiklander size_t len; /*!< length of p */
126632b31808SJens Wiklander unsigned char type; /*!< type of the message: handshake or CCS */
126732b31808SJens Wiklander mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
126832b31808SJens Wiklander };
126932b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */
127032b31808SJens Wiklander
127132b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
127232b31808SJens Wiklander /**
127332b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS
127432b31808SJens Wiklander * 1.2 specific extensions of the ClientHello message.
127532b31808SJens Wiklander *
127632b31808SJens Wiklander * \param[in] ssl SSL context
127732b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the extensions
127832b31808SJens Wiklander * \param[in] end End address of the buffer where to write the extensions
127932b31808SJens Wiklander * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve
128032b31808SJens Wiklander * (<> 0) or not ( 0 ).
128132b31808SJens Wiklander * \param[out] out_len Length of the data written into the buffer \p buf
128232b31808SJens Wiklander */
128332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
128432b31808SJens Wiklander int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
128532b31808SJens Wiklander unsigned char *buf,
128632b31808SJens Wiklander const unsigned char *end,
128732b31808SJens Wiklander int uses_ec,
128832b31808SJens Wiklander size_t *out_len);
128932b31808SJens Wiklander #endif
129032b31808SJens Wiklander
129132b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
129232b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
129332b31808SJens Wiklander
129432b31808SJens Wiklander /**
129532b31808SJens Wiklander * \brief Find the preferred hash for a given signature algorithm.
129632b31808SJens Wiklander *
129732b31808SJens Wiklander * \param[in] ssl SSL context
129832b31808SJens Wiklander * \param[in] sig_alg A signature algorithm identifier as defined in the
129932b31808SJens Wiklander * TLS 1.2 SignatureAlgorithm enumeration.
130032b31808SJens Wiklander *
130132b31808SJens Wiklander * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm
130232b31808SJens Wiklander * identifier as defined in the TLS 1.2 HashAlgorithm enumeration.
130332b31808SJens Wiklander */
130432b31808SJens Wiklander unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg(
130532b31808SJens Wiklander mbedtls_ssl_context *ssl,
130632b31808SJens Wiklander unsigned int sig_alg);
130732b31808SJens Wiklander
130832b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
130932b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
131032b31808SJens Wiklander
131132b31808SJens Wiklander /**
131232b31808SJens Wiklander * \brief Free referenced items in an SSL transform context and clear
131332b31808SJens Wiklander * memory
131432b31808SJens Wiklander *
131532b31808SJens Wiklander * \param transform SSL transform context
131632b31808SJens Wiklander */
131732b31808SJens Wiklander void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform);
131832b31808SJens Wiklander
131932b31808SJens Wiklander /**
132032b31808SJens Wiklander * \brief Free referenced items in an SSL handshake context and clear
132132b31808SJens Wiklander * memory
132232b31808SJens Wiklander *
132332b31808SJens Wiklander * \param ssl SSL context
132432b31808SJens Wiklander */
132532b31808SJens Wiklander void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl);
132632b31808SJens Wiklander
132732b31808SJens Wiklander /* set inbound transform of ssl context */
132832b31808SJens Wiklander void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl,
132932b31808SJens Wiklander mbedtls_ssl_transform *transform);
133032b31808SJens Wiklander
133132b31808SJens Wiklander /* set outbound transform of ssl context */
133232b31808SJens Wiklander void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl,
133332b31808SJens Wiklander mbedtls_ssl_transform *transform);
133432b31808SJens Wiklander
133532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
133632b31808SJens Wiklander int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl);
133732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
133832b31808SJens Wiklander int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl);
133932b31808SJens Wiklander void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl);
1340*273a583eSThomas Bourgoin
1341*273a583eSThomas Bourgoin #if defined(MBEDTLS_DEBUG_C)
1342*273a583eSThomas Bourgoin /* Declared in "ssl_debug_helpers.h". We can't include this file from
1343*273a583eSThomas Bourgoin * "ssl_misc.h" because it includes "ssl_misc.h" because it needs some
1344*273a583eSThomas Bourgoin * type definitions. TODO: split the type definitions and the helper
1345*273a583eSThomas Bourgoin * functions into different headers.
1346*273a583eSThomas Bourgoin */
1347*273a583eSThomas Bourgoin const char *mbedtls_ssl_states_str(mbedtls_ssl_states state);
1348*273a583eSThomas Bourgoin #endif
1349*273a583eSThomas Bourgoin
mbedtls_ssl_handshake_set_state(mbedtls_ssl_context * ssl,mbedtls_ssl_states state)135032b31808SJens Wiklander static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl,
135132b31808SJens Wiklander mbedtls_ssl_states state)
135232b31808SJens Wiklander {
1353*273a583eSThomas Bourgoin MBEDTLS_SSL_DEBUG_MSG(3, ("handshake state: %d (%s) -> %d (%s)",
1354*273a583eSThomas Bourgoin ssl->state, mbedtls_ssl_states_str(ssl->state),
1355*273a583eSThomas Bourgoin (int) state, mbedtls_ssl_states_str(state)));
135632b31808SJens Wiklander ssl->state = (int) state;
135732b31808SJens Wiklander }
135832b31808SJens Wiklander
mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context * ssl)1359*273a583eSThomas Bourgoin static inline void mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context *ssl)
1360*273a583eSThomas Bourgoin {
1361*273a583eSThomas Bourgoin mbedtls_ssl_handshake_set_state(ssl, ssl->state + 1);
1362*273a583eSThomas Bourgoin }
1363*273a583eSThomas Bourgoin
136432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
136532b31808SJens Wiklander int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
136632b31808SJens Wiklander
136732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
136832b31808SJens Wiklander int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
136932b31808SJens Wiklander
137032b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
137132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
137232b31808SJens Wiklander int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl);
137332b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
137432b31808SJens Wiklander
137532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
137632b31808SJens Wiklander int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
137732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
137832b31808SJens Wiklander int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
137932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
138032b31808SJens Wiklander int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
138132b31808SJens Wiklander
138232b31808SJens Wiklander /**
138332b31808SJens Wiklander * \brief Update record layer
138432b31808SJens Wiklander *
138532b31808SJens Wiklander * This function roughly separates the implementation
138632b31808SJens Wiklander * of the logic of (D)TLS from the implementation
138732b31808SJens Wiklander * of the secure transport.
138832b31808SJens Wiklander *
138932b31808SJens Wiklander * \param ssl The SSL context to use.
139032b31808SJens Wiklander * \param update_hs_digest This indicates if the handshake digest
139132b31808SJens Wiklander * should be automatically updated in case
139232b31808SJens Wiklander * a handshake message is found.
139332b31808SJens Wiklander *
139432b31808SJens Wiklander * \return 0 or non-zero error code.
139532b31808SJens Wiklander *
139632b31808SJens Wiklander * \note A clarification on what is called 'record layer' here
139732b31808SJens Wiklander * is in order, as many sensible definitions are possible:
139832b31808SJens Wiklander *
139932b31808SJens Wiklander * The record layer takes as input an untrusted underlying
140032b31808SJens Wiklander * transport (stream or datagram) and transforms it into
140132b31808SJens Wiklander * a serially multiplexed, secure transport, which
140232b31808SJens Wiklander * conceptually provides the following:
140332b31808SJens Wiklander *
140432b31808SJens Wiklander * (1) Three datagram based, content-agnostic transports
140532b31808SJens Wiklander * for handshake, alert and CCS messages.
140632b31808SJens Wiklander * (2) One stream- or datagram-based transport
140732b31808SJens Wiklander * for application data.
140832b31808SJens Wiklander * (3) Functionality for changing the underlying transform
140932b31808SJens Wiklander * securing the contents.
141032b31808SJens Wiklander *
141132b31808SJens Wiklander * The interface to this functionality is given as follows:
141232b31808SJens Wiklander *
141332b31808SJens Wiklander * a Updating
141432b31808SJens Wiklander * [Currently implemented by mbedtls_ssl_read_record]
141532b31808SJens Wiklander *
141632b31808SJens Wiklander * Check if and on which of the four 'ports' data is pending:
141732b31808SJens Wiklander * Nothing, a controlling datagram of type (1), or application
141832b31808SJens Wiklander * data (2). In any case data is present, internal buffers
141932b31808SJens Wiklander * provide access to the data for the user to process it.
142032b31808SJens Wiklander * Consumption of type (1) datagrams is done automatically
142132b31808SJens Wiklander * on the next update, invalidating that the internal buffers
142232b31808SJens Wiklander * for previous datagrams, while consumption of application
142332b31808SJens Wiklander * data (2) is user-controlled.
142432b31808SJens Wiklander *
142532b31808SJens Wiklander * b Reading of application data
142632b31808SJens Wiklander * [Currently manual adaption of ssl->in_offt pointer]
142732b31808SJens Wiklander *
142832b31808SJens Wiklander * As mentioned in the last paragraph, consumption of data
142932b31808SJens Wiklander * is different from the automatic consumption of control
143032b31808SJens Wiklander * datagrams (1) because application data is treated as a stream.
143132b31808SJens Wiklander *
143232b31808SJens Wiklander * c Tracking availability of application data
143332b31808SJens Wiklander * [Currently manually through decreasing ssl->in_msglen]
143432b31808SJens Wiklander *
143532b31808SJens Wiklander * For efficiency and to retain datagram semantics for
143632b31808SJens Wiklander * application data in case of DTLS, the record layer
143732b31808SJens Wiklander * provides functionality for checking how much application
143832b31808SJens Wiklander * data is still available in the internal buffer.
143932b31808SJens Wiklander *
144032b31808SJens Wiklander * d Changing the transformation securing the communication.
144132b31808SJens Wiklander *
144232b31808SJens Wiklander * Given an opaque implementation of the record layer in the
144332b31808SJens Wiklander * above sense, it should be possible to implement the logic
144432b31808SJens Wiklander * of (D)TLS on top of it without the need to know anything
144532b31808SJens Wiklander * about the record layer's internals. This is done e.g.
144632b31808SJens Wiklander * in all the handshake handling functions, and in the
144732b31808SJens Wiklander * application data reading function mbedtls_ssl_read.
144832b31808SJens Wiklander *
144932b31808SJens Wiklander * \note The above tries to give a conceptual picture of the
145032b31808SJens Wiklander * record layer, but the current implementation deviates
145132b31808SJens Wiklander * from it in some places. For example, our implementation of
145232b31808SJens Wiklander * the update functionality through mbedtls_ssl_read_record
145332b31808SJens Wiklander * discards datagrams depending on the current state, which
145432b31808SJens Wiklander * wouldn't fall under the record layer's responsibility
145532b31808SJens Wiklander * following the above definition.
145632b31808SJens Wiklander *
145732b31808SJens Wiklander */
145832b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
145932b31808SJens Wiklander int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl,
146032b31808SJens Wiklander unsigned update_hs_digest);
146132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
146232b31808SJens Wiklander int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want);
146332b31808SJens Wiklander
146432b31808SJens Wiklander /*
146532b31808SJens Wiklander * Write handshake message header
146632b31808SJens Wiklander */
146732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
1468b0563631STom Van Eyck int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type,
146932b31808SJens Wiklander unsigned char **buf, size_t *buf_len);
147032b31808SJens Wiklander
147132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
147232b31808SJens Wiklander int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl,
147332b31808SJens Wiklander int update_checksum,
147432b31808SJens Wiklander int force_flush);
mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context * ssl)147532b31808SJens Wiklander static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl)
147632b31808SJens Wiklander {
147732b31808SJens Wiklander return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */);
147832b31808SJens Wiklander }
147932b31808SJens Wiklander
148032b31808SJens Wiklander /*
148132b31808SJens Wiklander * Write handshake message tail
148232b31808SJens Wiklander */
148332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
148432b31808SJens Wiklander int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl,
148532b31808SJens Wiklander size_t buf_len, size_t msg_len);
148632b31808SJens Wiklander
148732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
148832b31808SJens Wiklander int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush);
148932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
149032b31808SJens Wiklander int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl);
149132b31808SJens Wiklander
149232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
149332b31808SJens Wiklander int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl);
149432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
149532b31808SJens Wiklander int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl);
149632b31808SJens Wiklander
149732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
149832b31808SJens Wiklander int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl);
149932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
150032b31808SJens Wiklander int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl);
150132b31808SJens Wiklander
150232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
150332b31808SJens Wiklander int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl);
150432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
150532b31808SJens Wiklander int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl);
150632b31808SJens Wiklander
150732b31808SJens Wiklander void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
150832b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info);
150932b31808SJens Wiklander
151032b31808SJens Wiklander /*
151132b31808SJens Wiklander * Update checksum of handshake messages.
151232b31808SJens Wiklander */
151332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
151432b31808SJens Wiklander int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
151532b31808SJens Wiklander unsigned hs_type,
151632b31808SJens Wiklander unsigned char const *msg,
151732b31808SJens Wiklander size_t msg_len);
151832b31808SJens Wiklander
151932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
152032b31808SJens Wiklander int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
152132b31808SJens Wiklander unsigned hs_type,
152232b31808SJens Wiklander size_t total_hs_len);
152332b31808SJens Wiklander
152432b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
152532b31808SJens Wiklander #if !defined(MBEDTLS_USE_PSA_CRYPTO)
152632b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
152732b31808SJens Wiklander int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl,
152832b31808SJens Wiklander mbedtls_key_exchange_type_t key_ex);
152932b31808SJens Wiklander #endif /* !MBEDTLS_USE_PSA_CRYPTO */
153032b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
153132b31808SJens Wiklander
153232b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
1533cb034002SJerome Forissier #if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C)
153432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
153532b31808SJens Wiklander int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf);
153632b31808SJens Wiklander #endif
153732b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO)
153832b31808SJens Wiklander /**
153932b31808SJens Wiklander * Get the first defined opaque PSK by order of precedence:
154032b31808SJens Wiklander * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK
154132b31808SJens Wiklander * callback
154232b31808SJens Wiklander * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
154332b31808SJens Wiklander * Return an opaque PSK
154432b31808SJens Wiklander */
mbedtls_ssl_get_opaque_psk(const mbedtls_ssl_context * ssl)154532b31808SJens Wiklander static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk(
154632b31808SJens Wiklander const mbedtls_ssl_context *ssl)
154732b31808SJens Wiklander {
154832b31808SJens Wiklander if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) {
154932b31808SJens Wiklander return ssl->handshake->psk_opaque;
155032b31808SJens Wiklander }
155132b31808SJens Wiklander
155232b31808SJens Wiklander if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) {
155332b31808SJens Wiklander return ssl->conf->psk_opaque;
155432b31808SJens Wiklander }
155532b31808SJens Wiklander
155632b31808SJens Wiklander return MBEDTLS_SVC_KEY_ID_INIT;
155732b31808SJens Wiklander }
155832b31808SJens Wiklander #else
155932b31808SJens Wiklander /**
156032b31808SJens Wiklander * Get the first defined PSK by order of precedence:
156132b31808SJens Wiklander * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback
156232b31808SJens Wiklander * 2. static PSK configured by \c mbedtls_ssl_conf_psk()
156332b31808SJens Wiklander * Return a code and update the pair (PSK, PSK length) passed to this function
156432b31808SJens Wiklander */
mbedtls_ssl_get_psk(const mbedtls_ssl_context * ssl,const unsigned char ** psk,size_t * psk_len)156532b31808SJens Wiklander static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl,
156632b31808SJens Wiklander const unsigned char **psk, size_t *psk_len)
156732b31808SJens Wiklander {
156832b31808SJens Wiklander if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) {
156932b31808SJens Wiklander *psk = ssl->handshake->psk;
157032b31808SJens Wiklander *psk_len = ssl->handshake->psk_len;
157132b31808SJens Wiklander } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) {
157232b31808SJens Wiklander *psk = ssl->conf->psk;
157332b31808SJens Wiklander *psk_len = ssl->conf->psk_len;
157432b31808SJens Wiklander } else {
157532b31808SJens Wiklander *psk = NULL;
157632b31808SJens Wiklander *psk_len = 0;
157732b31808SJens Wiklander return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED;
157832b31808SJens Wiklander }
157932b31808SJens Wiklander
158032b31808SJens Wiklander return 0;
158132b31808SJens Wiklander }
158232b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */
158332b31808SJens Wiklander
158432b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
158532b31808SJens Wiklander
158632b31808SJens Wiklander #if defined(MBEDTLS_PK_C)
158732b31808SJens Wiklander unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk);
158832b31808SJens Wiklander unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type);
158932b31808SJens Wiklander mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig);
159032b31808SJens Wiklander #endif
159132b31808SJens Wiklander
159232b31808SJens Wiklander mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash);
159332b31808SJens Wiklander unsigned char mbedtls_ssl_hash_from_md_alg(int md);
159432b31808SJens Wiklander
159532b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
159632b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
159732b31808SJens Wiklander int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md);
159832b31808SJens Wiklander #endif
159932b31808SJens Wiklander
160032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
160132b31808SJens Wiklander int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id);
1602b0563631STom Van Eyck #if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
160332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
160432b31808SJens Wiklander int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id);
1605b0563631STom Van Eyck #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
160632b31808SJens Wiklander
160732b31808SJens Wiklander /**
160832b31808SJens Wiklander * \brief Return PSA EC info for the specified TLS ID.
160932b31808SJens Wiklander *
161032b31808SJens Wiklander * \param tls_id The TLS ID to look for
1611b0563631STom Van Eyck * \param type If the TLD ID is supported, then proper \c psa_key_type_t
161232b31808SJens Wiklander * value is returned here. Can be NULL.
161332b31808SJens Wiklander * \param bits If the TLD ID is supported, then proper bit size is returned
161432b31808SJens Wiklander * here. Can be NULL.
161532b31808SJens Wiklander * \return PSA_SUCCESS if the TLS ID is supported,
161632b31808SJens Wiklander * PSA_ERROR_NOT_SUPPORTED otherwise
161732b31808SJens Wiklander *
161832b31808SJens Wiklander * \note If either \c family or \c bits parameters are NULL, then
161932b31808SJens Wiklander * the corresponding value is not returned.
162032b31808SJens Wiklander * The function can be called with both parameters as NULL
162132b31808SJens Wiklander * simply to check if a specific TLS ID is supported.
162232b31808SJens Wiklander */
162332b31808SJens Wiklander int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id,
1624b0563631STom Van Eyck psa_key_type_t *type,
162532b31808SJens Wiklander size_t *bits);
162632b31808SJens Wiklander
162732b31808SJens Wiklander /**
162832b31808SJens Wiklander * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID.
162932b31808SJens Wiklander *
163032b31808SJens Wiklander * \param tls_id The TLS ID to look for
163132b31808SJens Wiklander * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported,
163232b31808SJens Wiklander * or MBEDTLS_ECP_DP_NONE otherwise
163332b31808SJens Wiklander */
163432b31808SJens Wiklander mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id);
163532b31808SJens Wiklander
163632b31808SJens Wiklander /**
163732b31808SJens Wiklander * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id.
163832b31808SJens Wiklander *
163932b31808SJens Wiklander * \param grp_id The \c mbedtls_ecp_group_id ID to look for
164032b31808SJens Wiklander * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported,
164132b31808SJens Wiklander * or 0 otherwise
164232b31808SJens Wiklander */
164332b31808SJens Wiklander uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id);
164432b31808SJens Wiklander
164532b31808SJens Wiklander #if defined(MBEDTLS_DEBUG_C)
164632b31808SJens Wiklander /**
164732b31808SJens Wiklander * \brief Return EC's name for the specified TLS ID.
164832b31808SJens Wiklander *
164932b31808SJens Wiklander * \param tls_id The TLS ID to look for
165032b31808SJens Wiklander * \return A pointer to a const string with the proper name. If TLS
165132b31808SJens Wiklander * ID is not supported, a NULL pointer is returned instead.
165232b31808SJens Wiklander */
165332b31808SJens Wiklander const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id);
165432b31808SJens Wiklander #endif
165532b31808SJens Wiklander
165632b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_SRTP)
mbedtls_ssl_check_srtp_profile_value(const uint16_t srtp_profile_value)165732b31808SJens Wiklander static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value
165832b31808SJens Wiklander (const uint16_t srtp_profile_value)
165932b31808SJens Wiklander {
166032b31808SJens Wiklander switch (srtp_profile_value) {
166132b31808SJens Wiklander case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80:
166232b31808SJens Wiklander case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32:
166332b31808SJens Wiklander case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80:
166432b31808SJens Wiklander case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32:
166532b31808SJens Wiklander return srtp_profile_value;
166632b31808SJens Wiklander default: break;
166732b31808SJens Wiklander }
166832b31808SJens Wiklander return MBEDTLS_TLS_SRTP_UNSET;
166932b31808SJens Wiklander }
167032b31808SJens Wiklander #endif
167132b31808SJens Wiklander
167232b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_own_key(mbedtls_ssl_context * ssl)167332b31808SJens Wiklander static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl)
167432b31808SJens Wiklander {
167532b31808SJens Wiklander mbedtls_ssl_key_cert *key_cert;
167632b31808SJens Wiklander
167732b31808SJens Wiklander if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
167832b31808SJens Wiklander key_cert = ssl->handshake->key_cert;
167932b31808SJens Wiklander } else {
168032b31808SJens Wiklander key_cert = ssl->conf->key_cert;
168132b31808SJens Wiklander }
168232b31808SJens Wiklander
168332b31808SJens Wiklander return key_cert == NULL ? NULL : key_cert->key;
168432b31808SJens Wiklander }
168532b31808SJens Wiklander
mbedtls_ssl_own_cert(mbedtls_ssl_context * ssl)168632b31808SJens Wiklander static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl)
168732b31808SJens Wiklander {
168832b31808SJens Wiklander mbedtls_ssl_key_cert *key_cert;
168932b31808SJens Wiklander
169032b31808SJens Wiklander if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) {
169132b31808SJens Wiklander key_cert = ssl->handshake->key_cert;
169232b31808SJens Wiklander } else {
169332b31808SJens Wiklander key_cert = ssl->conf->key_cert;
169432b31808SJens Wiklander }
169532b31808SJens Wiklander
169632b31808SJens Wiklander return key_cert == NULL ? NULL : key_cert->cert;
169732b31808SJens Wiklander }
169832b31808SJens Wiklander
169932b31808SJens Wiklander /*
1700cb034002SJerome Forissier * Verify a certificate.
170132b31808SJens Wiklander *
1702cb034002SJerome Forissier * [in/out] ssl: misc. things read
1703cb034002SJerome Forissier * ssl->session_negotiate->verify_result updated
1704cb034002SJerome Forissier * [in] authmode: one of MBEDTLS_SSL_VERIFY_{NONE,OPTIONAL,REQUIRED}
1705cb034002SJerome Forissier * [in] chain: the certificate chain to verify (ie the peer's chain)
1706cb034002SJerome Forissier * [in] ciphersuite_info: For TLS 1.2, this session's ciphersuite;
1707cb034002SJerome Forissier * for TLS 1.3, may be left NULL.
1708cb034002SJerome Forissier * [in] rs_ctx: restart context if restartable ECC is in use;
1709cb034002SJerome Forissier * leave NULL for no restartable behaviour.
1710cb034002SJerome Forissier *
1711cb034002SJerome Forissier * Return:
1712cb034002SJerome Forissier * - 0 if the handshake should continue. Depending on the
1713cb034002SJerome Forissier * authmode it means:
1714cb034002SJerome Forissier * - REQUIRED: the certificate was found to be valid, trusted & acceptable.
1715cb034002SJerome Forissier * ssl->session_negotiate->verify_result is 0.
1716cb034002SJerome Forissier * - OPTIONAL: the certificate may or may not be acceptable, but
1717cb034002SJerome Forissier * ssl->session_negotiate->verify_result was updated with the result.
1718cb034002SJerome Forissier * - NONE: the certificate wasn't even checked.
1719cb034002SJerome Forissier * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED or MBEDTLS_ERR_SSL_BAD_CERTIFICATE if
1720cb034002SJerome Forissier * the certificate was found to be invalid/untrusted/unacceptable and the
1721cb034002SJerome Forissier * handshake should be aborted (can only happen with REQUIRED).
1722cb034002SJerome Forissier * - another error code if another error happened (out-of-memory, etc.)
1723cb034002SJerome Forissier */
1724cb034002SJerome Forissier MBEDTLS_CHECK_RETURN_CRITICAL
1725cb034002SJerome Forissier int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl,
1726cb034002SJerome Forissier int authmode,
1727cb034002SJerome Forissier mbedtls_x509_crt *chain,
1728cb034002SJerome Forissier const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
1729cb034002SJerome Forissier void *rs_ctx);
1730cb034002SJerome Forissier
1731cb034002SJerome Forissier /*
1732cb034002SJerome Forissier * Check usage of a certificate wrt usage extensions:
1733cb034002SJerome Forissier * keyUsage and extendedKeyUsage.
1734cb034002SJerome Forissier * (Note: nSCertType is deprecated and not standard, we don't check it.)
1735cb034002SJerome Forissier *
1736cb034002SJerome Forissier * Note: if tls_version is 1.3, ciphersuite is ignored and can be NULL.
1737cb034002SJerome Forissier *
1738cb034002SJerome Forissier * Note: recv_endpoint is the receiver's endpoint.
173932b31808SJens Wiklander *
174032b31808SJens Wiklander * Return 0 if everything is OK, -1 if not.
174132b31808SJens Wiklander */
174232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
174332b31808SJens Wiklander int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
174432b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite,
1745cb034002SJerome Forissier int recv_endpoint,
1746cb034002SJerome Forissier mbedtls_ssl_protocol_version tls_version,
174732b31808SJens Wiklander uint32_t *flags);
174832b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C */
174932b31808SJens Wiklander
175032b31808SJens Wiklander void mbedtls_ssl_write_version(unsigned char version[2], int transport,
175132b31808SJens Wiklander mbedtls_ssl_protocol_version tls_version);
175232b31808SJens Wiklander uint16_t mbedtls_ssl_read_version(const unsigned char version[2],
175332b31808SJens Wiklander int transport);
175432b31808SJens Wiklander
mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context * ssl)175532b31808SJens Wiklander static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl)
175632b31808SJens Wiklander {
175732b31808SJens Wiklander #if !defined(MBEDTLS_SSL_PROTO_DTLS)
175832b31808SJens Wiklander ((void) ssl);
175932b31808SJens Wiklander #endif
176032b31808SJens Wiklander
176132b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS)
176232b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
176332b31808SJens Wiklander return 13;
176432b31808SJens Wiklander } else
176532b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */
176632b31808SJens Wiklander {
176732b31808SJens Wiklander return 5;
176832b31808SJens Wiklander }
176932b31808SJens Wiklander }
177032b31808SJens Wiklander
mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context * ssl)177132b31808SJens Wiklander static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl)
177232b31808SJens Wiklander {
177332b31808SJens Wiklander return (size_t) (ssl->out_iv - ssl->out_hdr);
177432b31808SJens Wiklander }
177532b31808SJens Wiklander
mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context * ssl)177632b31808SJens Wiklander static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl)
177732b31808SJens Wiklander {
177832b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS)
177932b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
178032b31808SJens Wiklander return 12;
178132b31808SJens Wiklander }
178232b31808SJens Wiklander #else
178332b31808SJens Wiklander ((void) ssl);
178432b31808SJens Wiklander #endif
178532b31808SJens Wiklander return 4;
178632b31808SJens Wiklander }
178732b31808SJens Wiklander
178832b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS)
178932b31808SJens Wiklander void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl);
179032b31808SJens Wiklander void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl);
179132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
179232b31808SJens Wiklander int mbedtls_ssl_resend(mbedtls_ssl_context *ssl);
179332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
179432b31808SJens Wiklander int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl);
179532b31808SJens Wiklander #endif
179632b31808SJens Wiklander
179732b31808SJens Wiklander /* Visible for testing purposes only */
179832b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
179932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
180032b31808SJens Wiklander int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl);
180132b31808SJens Wiklander void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl);
180232b31808SJens Wiklander #endif
180332b31808SJens Wiklander
180432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
180532b31808SJens Wiklander int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst,
180632b31808SJens Wiklander const mbedtls_ssl_session *src);
180732b31808SJens Wiklander
180832b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
180932b31808SJens Wiklander /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
181032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
181132b31808SJens Wiklander int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl,
181232b31808SJens Wiklander unsigned char *hash, size_t *hashlen,
181332b31808SJens Wiklander unsigned char *data, size_t data_len,
181432b31808SJens Wiklander mbedtls_md_type_t md_alg);
181532b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
181632b31808SJens Wiklander
181732b31808SJens Wiklander #ifdef __cplusplus
181832b31808SJens Wiklander }
181932b31808SJens Wiklander #endif
182032b31808SJens Wiklander
182132b31808SJens Wiklander void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform);
182232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
182332b31808SJens Wiklander int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl,
182432b31808SJens Wiklander mbedtls_ssl_transform *transform,
182532b31808SJens Wiklander mbedtls_record *rec,
182632b31808SJens Wiklander int (*f_rng)(void *, unsigned char *, size_t),
182732b31808SJens Wiklander void *p_rng);
182832b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
182932b31808SJens Wiklander int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl,
183032b31808SJens Wiklander mbedtls_ssl_transform *transform,
183132b31808SJens Wiklander mbedtls_record *rec);
183232b31808SJens Wiklander
183332b31808SJens Wiklander /* Length of the "epoch" field in the record header */
mbedtls_ssl_ep_len(const mbedtls_ssl_context * ssl)183432b31808SJens Wiklander static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl)
183532b31808SJens Wiklander {
183632b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS)
183732b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
183832b31808SJens Wiklander return 2;
183932b31808SJens Wiklander }
184032b31808SJens Wiklander #else
184132b31808SJens Wiklander ((void) ssl);
184232b31808SJens Wiklander #endif
184332b31808SJens Wiklander return 0;
184432b31808SJens Wiklander }
184532b31808SJens Wiklander
184632b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS)
184732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
184832b31808SJens Wiklander int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl);
184932b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */
185032b31808SJens Wiklander
185132b31808SJens Wiklander void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs);
185232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
185332b31808SJens Wiklander int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl);
185432b31808SJens Wiklander
1855c3deb3d6SEtienne Carriere void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl);
1856c3deb3d6SEtienne Carriere void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl);
1857c3deb3d6SEtienne Carriere void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl);
185832b31808SJens Wiklander void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl,
185932b31808SJens Wiklander mbedtls_ssl_transform *transform);
186032b31808SJens Wiklander
186132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
186232b31808SJens Wiklander int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial);
186332b31808SJens Wiklander void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl,
186432b31808SJens Wiklander int partial);
186532b31808SJens Wiklander
186632b31808SJens Wiklander /*
186732b31808SJens Wiklander * Send pending alert
186832b31808SJens Wiklander */
186932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
187032b31808SJens Wiklander int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl);
187132b31808SJens Wiklander
187232b31808SJens Wiklander /*
187332b31808SJens Wiklander * Set pending fatal alert flag.
187432b31808SJens Wiklander */
187532b31808SJens Wiklander void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl,
187632b31808SJens Wiklander unsigned char alert_type,
187732b31808SJens Wiklander int alert_reason);
187832b31808SJens Wiklander
187932b31808SJens Wiklander /* Alias of mbedtls_ssl_pend_fatal_alert */
188032b31808SJens Wiklander #define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \
188132b31808SJens Wiklander mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value)
188232b31808SJens Wiklander
188332b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
188432b31808SJens Wiklander void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl);
188532b31808SJens Wiklander #endif
188632b31808SJens Wiklander
188732b31808SJens Wiklander void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl);
188832b31808SJens Wiklander
188932b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION)
189032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
189132b31808SJens Wiklander int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl);
189232b31808SJens Wiklander #endif /* MBEDTLS_SSL_RENEGOTIATION */
189332b31808SJens Wiklander
189432b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS)
189532b31808SJens Wiklander size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl);
189632b31808SJens Wiklander void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl);
189732b31808SJens Wiklander void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight);
189832b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */
189932b31808SJens Wiklander
190032b31808SJens Wiklander /**
190132b31808SJens Wiklander * ssl utils functions for checking configuration.
190232b31808SJens Wiklander */
190332b31808SJens Wiklander
190432b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config * conf)190532b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf)
190632b31808SJens Wiklander {
190732b31808SJens Wiklander return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
190832b31808SJens Wiklander conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
190932b31808SJens Wiklander }
191032b31808SJens Wiklander
191132b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
191232b31808SJens Wiklander
191332b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config * conf)191432b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf)
191532b31808SJens Wiklander {
191632b31808SJens Wiklander return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
191732b31808SJens Wiklander conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2;
191832b31808SJens Wiklander }
191932b31808SJens Wiklander
192032b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
192132b31808SJens Wiklander
mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config * conf)192232b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf)
192332b31808SJens Wiklander {
192432b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
192532b31808SJens Wiklander return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 &&
192632b31808SJens Wiklander conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3;
192732b31808SJens Wiklander #else
192832b31808SJens Wiklander ((void) conf);
192932b31808SJens Wiklander return 0;
193032b31808SJens Wiklander #endif
193132b31808SJens Wiklander }
193232b31808SJens Wiklander
mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config * conf)193332b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf)
193432b31808SJens Wiklander {
193532b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
193632b31808SJens Wiklander return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 &&
193732b31808SJens Wiklander conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2;
193832b31808SJens Wiklander #else
193932b31808SJens Wiklander ((void) conf);
194032b31808SJens Wiklander return 0;
194132b31808SJens Wiklander #endif
194232b31808SJens Wiklander }
194332b31808SJens Wiklander
194432b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config * conf)194532b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf)
194632b31808SJens Wiklander {
194732b31808SJens Wiklander return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 &&
194832b31808SJens Wiklander conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3;
194932b31808SJens Wiklander }
195032b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */
195132b31808SJens Wiklander
195232b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1953cb034002SJerome Forissier
1954cb034002SJerome Forissier /** \brief Initialize the PSA crypto subsystem if necessary.
1955cb034002SJerome Forissier *
1956cb034002SJerome Forissier * Call this function before doing any cryptography in a TLS 1.3 handshake.
1957cb034002SJerome Forissier *
1958cb034002SJerome Forissier * This is necessary in Mbed TLS 3.x for backward compatibility.
1959cb034002SJerome Forissier * Up to Mbed TLS 3.5, in the default configuration, you could perform
1960cb034002SJerome Forissier * a TLS connection with default parameters without having called
1961cb034002SJerome Forissier * psa_crypto_init(), since the TLS layer only supported TLS 1.2 and
1962cb034002SJerome Forissier * did not use PSA crypto. (TLS 1.2 only uses PSA crypto if
1963cb034002SJerome Forissier * MBEDTLS_USE_PSA_CRYPTO is enabled, which is not the case in the default
1964cb034002SJerome Forissier * configuration.) Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled
1965cb034002SJerome Forissier * by default, and the TLS 1.3 layer uses PSA crypto. This means that
1966cb034002SJerome Forissier * applications that are not otherwise using PSA crypto and that worked
1967cb034002SJerome Forissier * with Mbed TLS 3.5 started failing in TLS 3.6.0 if they connected to
1968cb034002SJerome Forissier * a peer that supports TLS 1.3. See
1969cb034002SJerome Forissier * https://github.com/Mbed-TLS/mbedtls/issues/9072
1970cb034002SJerome Forissier */
1971cb034002SJerome Forissier int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl);
1972cb034002SJerome Forissier
197332b31808SJens Wiklander extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[
197432b31808SJens Wiklander MBEDTLS_SERVER_HELLO_RANDOM_LEN];
197532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
197632b31808SJens Wiklander int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl);
197732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
197832b31808SJens Wiklander int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl);
197932b31808SJens Wiklander void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl);
198032b31808SJens Wiklander
198132b31808SJens Wiklander /**
198232b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS
198332b31808SJens Wiklander * 1.3 specific extensions of the ClientHello message.
198432b31808SJens Wiklander *
198532b31808SJens Wiklander * \param[in] ssl SSL context
198632b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the extensions
198732b31808SJens Wiklander * \param[in] end End address of the buffer where to write the extensions
198832b31808SJens Wiklander * \param[out] out_len Length of the data written into the buffer \p buf
198932b31808SJens Wiklander */
199032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
199132b31808SJens Wiklander int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
199232b31808SJens Wiklander unsigned char *buf,
199332b31808SJens Wiklander unsigned char *end,
199432b31808SJens Wiklander size_t *out_len);
199532b31808SJens Wiklander
199632b31808SJens Wiklander /**
199732b31808SJens Wiklander * \brief TLS 1.3 client side state machine entry
199832b31808SJens Wiklander *
199932b31808SJens Wiklander * \param ssl SSL context
200032b31808SJens Wiklander */
200132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
200232b31808SJens Wiklander int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl);
200332b31808SJens Wiklander
200432b31808SJens Wiklander /**
200532b31808SJens Wiklander * \brief TLS 1.3 server side state machine entry
200632b31808SJens Wiklander *
200732b31808SJens Wiklander * \param ssl SSL context
200832b31808SJens Wiklander */
200932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
201032b31808SJens Wiklander int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl);
201132b31808SJens Wiklander
201232b31808SJens Wiklander
201332b31808SJens Wiklander /*
201432b31808SJens Wiklander * Helper functions around key exchange modes.
201532b31808SJens Wiklander */
mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context * ssl,int kex_mode_mask)2016b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context *ssl,
201732b31808SJens Wiklander int kex_mode_mask)
201832b31808SJens Wiklander {
201932b31808SJens Wiklander return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
202032b31808SJens Wiklander }
202132b31808SJens Wiklander
mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context * ssl)2022b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl)
202332b31808SJens Wiklander {
2024b0563631STom Van Eyck return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
202532b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
202632b31808SJens Wiklander }
202732b31808SJens Wiklander
mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context * ssl)2028b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
202932b31808SJens Wiklander {
2030b0563631STom Van Eyck return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
203132b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
203232b31808SJens Wiklander }
203332b31808SJens Wiklander
mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context * ssl)2034b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl)
203532b31808SJens Wiklander {
2036b0563631STom Van Eyck return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
203732b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
203832b31808SJens Wiklander }
203932b31808SJens Wiklander
mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context * ssl)2040b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
204132b31808SJens Wiklander {
2042b0563631STom Van Eyck return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
204332b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
204432b31808SJens Wiklander }
204532b31808SJens Wiklander
mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context * ssl)2046b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl)
204732b31808SJens Wiklander {
2048b0563631STom Van Eyck return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
204932b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
205032b31808SJens Wiklander }
205132b31808SJens Wiklander
205232b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C) && \
205332b31808SJens Wiklander defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
205432b31808SJens Wiklander /**
205532b31808SJens Wiklander * Given a list of key exchange modes, check if at least one of them is
2056b0563631STom Van Eyck * supported by peer.
205732b31808SJens Wiklander *
205832b31808SJens Wiklander * \param[in] ssl SSL context
205932b31808SJens Wiklander * \param kex_modes_mask Mask of the key exchange modes to check
206032b31808SJens Wiklander *
2061b0563631STom Van Eyck * \return Non-zero if at least one of the key exchange modes is supported by
2062b0563631STom Van Eyck * the peer, otherwise \c 0.
206332b31808SJens Wiklander */
mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context * ssl,int kex_modes_mask)2064b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context *ssl,
206532b31808SJens Wiklander int kex_modes_mask)
206632b31808SJens Wiklander {
2067b0563631STom Van Eyck return (ssl->handshake->tls13_kex_modes & kex_modes_mask) != 0;
206832b31808SJens Wiklander }
206932b31808SJens Wiklander
mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context * ssl)2070b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context *ssl)
207132b31808SJens Wiklander {
2072b0563631STom Van Eyck return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
207332b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
207432b31808SJens Wiklander }
207532b31808SJens Wiklander
mbedtls_ssl_tls13_is_psk_ephemeral_supported(mbedtls_ssl_context * ssl)2076b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_psk_ephemeral_supported(
207732b31808SJens Wiklander mbedtls_ssl_context *ssl)
207832b31808SJens Wiklander {
2079b0563631STom Van Eyck return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
208032b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
208132b31808SJens Wiklander }
208232b31808SJens Wiklander
mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context * ssl)2083b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context *ssl)
208432b31808SJens Wiklander {
2085b0563631STom Van Eyck return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
208632b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
208732b31808SJens Wiklander }
208832b31808SJens Wiklander
mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context * ssl)2089b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context *ssl)
209032b31808SJens Wiklander {
2091b0563631STom Van Eyck return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
209232b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
209332b31808SJens Wiklander }
209432b31808SJens Wiklander
mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context * ssl)2095b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context *ssl)
209632b31808SJens Wiklander {
2097b0563631STom Van Eyck return mbedtls_ssl_tls13_is_kex_mode_supported(ssl,
209832b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
209932b31808SJens Wiklander }
210032b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C &&
210132b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
210232b31808SJens Wiklander
210332b31808SJens Wiklander /*
210432b31808SJens Wiklander * Helper functions for extensions checking.
210532b31808SJens Wiklander */
210632b31808SJens Wiklander
210732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
210832b31808SJens Wiklander int mbedtls_ssl_tls13_check_received_extension(
210932b31808SJens Wiklander mbedtls_ssl_context *ssl,
211032b31808SJens Wiklander int hs_msg_type,
211132b31808SJens Wiklander unsigned int received_extension_type,
211232b31808SJens Wiklander uint32_t hs_msg_allowed_extensions_mask);
211332b31808SJens Wiklander
mbedtls_ssl_tls13_set_hs_sent_ext_mask(mbedtls_ssl_context * ssl,unsigned int extension_type)211432b31808SJens Wiklander static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask(
211532b31808SJens Wiklander mbedtls_ssl_context *ssl, unsigned int extension_type)
211632b31808SJens Wiklander {
211732b31808SJens Wiklander ssl->handshake->sent_extensions |=
211832b31808SJens Wiklander mbedtls_ssl_get_extension_mask(extension_type);
211932b31808SJens Wiklander }
212032b31808SJens Wiklander
212132b31808SJens Wiklander /*
212232b31808SJens Wiklander * Helper functions to check the selected key exchange mode.
212332b31808SJens Wiklander */
mbedtls_ssl_tls13_key_exchange_mode_check(mbedtls_ssl_context * ssl,int kex_mask)212432b31808SJens Wiklander static inline int mbedtls_ssl_tls13_key_exchange_mode_check(
212532b31808SJens Wiklander mbedtls_ssl_context *ssl, int kex_mask)
212632b31808SJens Wiklander {
212732b31808SJens Wiklander return (ssl->handshake->key_exchange_mode & kex_mask) != 0;
212832b31808SJens Wiklander }
212932b31808SJens Wiklander
mbedtls_ssl_tls13_key_exchange_mode_with_psk(mbedtls_ssl_context * ssl)213032b31808SJens Wiklander static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk(
213132b31808SJens Wiklander mbedtls_ssl_context *ssl)
213232b31808SJens Wiklander {
213332b31808SJens Wiklander return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
213432b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
213532b31808SJens Wiklander }
213632b31808SJens Wiklander
mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(mbedtls_ssl_context * ssl)213732b31808SJens Wiklander static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral(
213832b31808SJens Wiklander mbedtls_ssl_context *ssl)
213932b31808SJens Wiklander {
214032b31808SJens Wiklander return mbedtls_ssl_tls13_key_exchange_mode_check(ssl,
214132b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
214232b31808SJens Wiklander }
214332b31808SJens Wiklander
214432b31808SJens Wiklander /*
214532b31808SJens Wiklander * Fetch TLS 1.3 handshake message header
214632b31808SJens Wiklander */
214732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
214832b31808SJens Wiklander int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl,
214932b31808SJens Wiklander unsigned hs_type,
215032b31808SJens Wiklander unsigned char **buf,
215132b31808SJens Wiklander size_t *buf_len);
215232b31808SJens Wiklander
2153b0563631STom Van Eyck /**
2154b0563631STom Van Eyck * \brief Detect if a list of extensions contains a supported_versions
2155b0563631STom Van Eyck * extension or not.
2156b0563631STom Van Eyck *
2157b0563631STom Van Eyck * \param[in] ssl SSL context
2158b0563631STom Van Eyck * \param[in] buf Address of the first byte of the extensions vector.
2159b0563631STom Van Eyck * \param[in] end End of the buffer containing the list of extensions.
2160b0563631STom Van Eyck * \param[out] supported_versions_data If the extension is present, address of
2161b0563631STom Van Eyck * its first byte of data, NULL otherwise.
2162b0563631STom Van Eyck * \param[out] supported_versions_data_end If the extension is present, address
2163b0563631STom Van Eyck * of the first byte immediately
2164b0563631STom Van Eyck * following the extension data, NULL
2165b0563631STom Van Eyck * otherwise.
2166b0563631STom Van Eyck * \return 0 if the list of extensions does not contain a supported_versions
2167b0563631STom Van Eyck * extension.
2168b0563631STom Van Eyck * \return 1 if the list of extensions contains a supported_versions
2169b0563631STom Van Eyck * extension.
2170b0563631STom Van Eyck * \return A negative value if an error occurred while parsing the
2171b0563631STom Van Eyck * extensions.
2172b0563631STom Van Eyck */
2173b0563631STom Van Eyck MBEDTLS_CHECK_RETURN_CRITICAL
2174b0563631STom Van Eyck int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts(
2175b0563631STom Van Eyck mbedtls_ssl_context *ssl,
2176b0563631STom Van Eyck const unsigned char *buf, const unsigned char *end,
2177b0563631STom Van Eyck const unsigned char **supported_versions_data,
2178b0563631STom Van Eyck const unsigned char **supported_versions_data_end);
2179b0563631STom Van Eyck
218032b31808SJens Wiklander /*
218132b31808SJens Wiklander * Handler of TLS 1.3 server certificate message
218232b31808SJens Wiklander */
218332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
218432b31808SJens Wiklander int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl);
218532b31808SJens Wiklander
218632b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
218732b31808SJens Wiklander /*
218832b31808SJens Wiklander * Handler of TLS 1.3 write Certificate message
218932b31808SJens Wiklander */
219032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
219132b31808SJens Wiklander int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl);
219232b31808SJens Wiklander
219332b31808SJens Wiklander /*
219432b31808SJens Wiklander * Handler of TLS 1.3 write Certificate Verify message
219532b31808SJens Wiklander */
219632b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
219732b31808SJens Wiklander int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl);
219832b31808SJens Wiklander
219932b31808SJens Wiklander #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
220032b31808SJens Wiklander
220132b31808SJens Wiklander /*
220232b31808SJens Wiklander * Generic handler of Certificate Verify
220332b31808SJens Wiklander */
220432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
220532b31808SJens Wiklander int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl);
220632b31808SJens Wiklander
220732b31808SJens Wiklander /*
220832b31808SJens Wiklander * Write of dummy-CCS's for middlebox compatibility
220932b31808SJens Wiklander */
221032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
221132b31808SJens Wiklander int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl);
221232b31808SJens Wiklander
221332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
221432b31808SJens Wiklander int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl);
221532b31808SJens Wiklander
2216b0563631STom Van Eyck #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
221732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
2218b0563631STom Van Eyck int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange(
221932b31808SJens Wiklander mbedtls_ssl_context *ssl,
222032b31808SJens Wiklander uint16_t named_group,
222132b31808SJens Wiklander unsigned char *buf,
222232b31808SJens Wiklander unsigned char *end,
222332b31808SJens Wiklander size_t *out_len);
2224b0563631STom Van Eyck #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
222532b31808SJens Wiklander
222632b31808SJens Wiklander #if defined(MBEDTLS_SSL_EARLY_DATA)
222732b31808SJens Wiklander int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl,
2228b0563631STom Van Eyck int in_new_session_ticket,
222932b31808SJens Wiklander unsigned char *buf,
223032b31808SJens Wiklander const unsigned char *end,
223132b31808SJens Wiklander size_t *out_len);
2232b0563631STom Van Eyck
2233b0563631STom Van Eyck int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl,
2234b0563631STom Van Eyck size_t early_data_len);
2235b0563631STom Van Eyck
2236b0563631STom Van Eyck typedef enum {
2237b0563631STom Van Eyck /*
2238b0563631STom Van Eyck * The client has not sent the first ClientHello yet, the negotiation of early
2239b0563631STom Van Eyck * data has not started yet.
2240b0563631STom Van Eyck */
2241b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_IDLE,
2242b0563631STom Van Eyck
2243b0563631STom Van Eyck /*
2244b0563631STom Van Eyck * In its ClientHello, the client has not included an early data indication
2245b0563631STom Van Eyck * extension.
2246b0563631STom Van Eyck */
2247b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT,
2248b0563631STom Van Eyck
2249b0563631STom Van Eyck /*
2250b0563631STom Van Eyck * The client has sent an early data indication extension in its first
2251b0563631STom Van Eyck * ClientHello, it has not received the response (ServerHello or
2252b0563631STom Van Eyck * HelloRetryRequest) from the server yet. The transform to protect early data
2253b0563631STom Van Eyck * is not set either as for middlebox compatibility a dummy CCS may have to be
2254b0563631STom Van Eyck * sent in clear. Early data cannot be sent to the server yet.
2255b0563631STom Van Eyck */
2256b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT,
2257b0563631STom Van Eyck
2258b0563631STom Van Eyck /*
2259b0563631STom Van Eyck * The client has sent an early data indication extension in its first
2260b0563631STom Van Eyck * ClientHello, it has not received the response (ServerHello or
2261b0563631STom Van Eyck * HelloRetryRequest) from the server yet. The transform to protect early data
2262b0563631STom Van Eyck * has been set and early data can be written now.
2263b0563631STom Van Eyck */
2264b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE,
2265b0563631STom Van Eyck
2266b0563631STom Van Eyck /*
2267b0563631STom Van Eyck * The client has indicated the use of early data and the server has accepted
2268b0563631STom Van Eyck * it.
2269b0563631STom Van Eyck */
2270b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED,
2271b0563631STom Van Eyck
2272b0563631STom Van Eyck /*
2273b0563631STom Van Eyck * The client has indicated the use of early data but the server has rejected
2274b0563631STom Van Eyck * it.
2275b0563631STom Van Eyck */
2276b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED,
2277b0563631STom Van Eyck
2278b0563631STom Van Eyck /*
2279b0563631STom Van Eyck * The client has sent an early data indication extension in its first
2280b0563631STom Van Eyck * ClientHello, the server has accepted them and the client has received the
2281b0563631STom Van Eyck * server Finished message. It cannot send early data to the server anymore.
2282b0563631STom Van Eyck */
2283b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED,
2284b0563631STom Van Eyck
2285b0563631STom Van Eyck } mbedtls_ssl_early_data_state;
228632b31808SJens Wiklander #endif /* MBEDTLS_SSL_EARLY_DATA */
228732b31808SJens Wiklander
228832b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
228932b31808SJens Wiklander
229032b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
229132b31808SJens Wiklander /*
229232b31808SJens Wiklander * Write Signature Algorithm extension
229332b31808SJens Wiklander */
229432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
229532b31808SJens Wiklander int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf,
229632b31808SJens Wiklander const unsigned char *end, size_t *out_len);
229732b31808SJens Wiklander /*
229832b31808SJens Wiklander * Parse TLS Signature Algorithm extension
229932b31808SJens Wiklander */
230032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
230132b31808SJens Wiklander int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl,
230232b31808SJens Wiklander const unsigned char *buf,
230332b31808SJens Wiklander const unsigned char *end);
230432b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
230532b31808SJens Wiklander
230632b31808SJens Wiklander /* Get handshake transcript */
230732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
230832b31808SJens Wiklander int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
230932b31808SJens Wiklander const mbedtls_md_type_t md,
231032b31808SJens Wiklander unsigned char *dst,
231132b31808SJens Wiklander size_t dst_len,
231232b31808SJens Wiklander size_t *olen);
231332b31808SJens Wiklander
231432b31808SJens Wiklander /*
231532b31808SJens Wiklander * Return supported groups.
231632b31808SJens Wiklander *
231732b31808SJens Wiklander * In future, invocations can be changed to ssl->conf->group_list
231832b31808SJens Wiklander * when mbedtls_ssl_conf_curves() is deleted.
231932b31808SJens Wiklander *
232032b31808SJens Wiklander * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group
232132b31808SJens Wiklander * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to
232232b31808SJens Wiklander * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked.
232332b31808SJens Wiklander *
232432b31808SJens Wiklander */
mbedtls_ssl_get_groups(const mbedtls_ssl_context * ssl)232532b31808SJens Wiklander static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl)
232632b31808SJens Wiklander {
232732b31808SJens Wiklander #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C)
232832b31808SJens Wiklander return ssl->conf->group_list;
232932b31808SJens Wiklander #else
233032b31808SJens Wiklander if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) {
233132b31808SJens Wiklander return ssl->handshake->group_list;
233232b31808SJens Wiklander } else {
233332b31808SJens Wiklander return ssl->conf->group_list;
233432b31808SJens Wiklander }
233532b31808SJens Wiklander #endif
233632b31808SJens Wiklander }
233732b31808SJens Wiklander
233832b31808SJens Wiklander /*
233932b31808SJens Wiklander * Helper functions for NamedGroup.
234032b31808SJens Wiklander */
mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)234132b31808SJens Wiklander static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group)
234232b31808SJens Wiklander {
234332b31808SJens Wiklander /*
234432b31808SJens Wiklander * RFC 8422 section 5.1.1
234532b31808SJens Wiklander */
234632b31808SJens Wiklander return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
234732b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 ||
234832b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 ||
234932b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 ||
235032b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 ||
235132b31808SJens Wiklander /* Below deprecated curves should be removed with notice to users */
235232b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 ||
235332b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 ||
235432b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 ||
235532b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 ||
235632b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 ||
235732b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
235832b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
235932b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1;
236032b31808SJens Wiklander }
236132b31808SJens Wiklander
mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)236232b31808SJens Wiklander static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group)
236332b31808SJens Wiklander {
236432b31808SJens Wiklander return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 ||
236532b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 ||
236632b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 ||
236732b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 ||
236832b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448;
236932b31808SJens Wiklander }
237032b31808SJens Wiklander
mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)2371b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group)
237232b31808SJens Wiklander {
237332b31808SJens Wiklander return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 &&
237432b31808SJens Wiklander named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192;
237532b31808SJens Wiklander }
237632b31808SJens Wiklander
mbedtls_ssl_named_group_is_offered(const mbedtls_ssl_context * ssl,uint16_t named_group)237732b31808SJens Wiklander static inline int mbedtls_ssl_named_group_is_offered(
237832b31808SJens Wiklander const mbedtls_ssl_context *ssl, uint16_t named_group)
237932b31808SJens Wiklander {
238032b31808SJens Wiklander const uint16_t *group_list = mbedtls_ssl_get_groups(ssl);
238132b31808SJens Wiklander
238232b31808SJens Wiklander if (group_list == NULL) {
238332b31808SJens Wiklander return 0;
238432b31808SJens Wiklander }
238532b31808SJens Wiklander
238632b31808SJens Wiklander for (; *group_list != 0; group_list++) {
238732b31808SJens Wiklander if (*group_list == named_group) {
238832b31808SJens Wiklander return 1;
238932b31808SJens Wiklander }
239032b31808SJens Wiklander }
239132b31808SJens Wiklander
239232b31808SJens Wiklander return 0;
239332b31808SJens Wiklander }
239432b31808SJens Wiklander
mbedtls_ssl_named_group_is_supported(uint16_t named_group)239532b31808SJens Wiklander static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group)
239632b31808SJens Wiklander {
2397b0563631STom Van Eyck #if defined(PSA_WANT_ALG_ECDH)
239832b31808SJens Wiklander if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) {
239932b31808SJens Wiklander if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) !=
240032b31808SJens Wiklander MBEDTLS_ECP_DP_NONE) {
240132b31808SJens Wiklander return 1;
240232b31808SJens Wiklander }
240332b31808SJens Wiklander }
2404b0563631STom Van Eyck #endif
2405b0563631STom Van Eyck #if defined(PSA_WANT_ALG_FFDH)
2406b0563631STom Van Eyck if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) {
2407b0563631STom Van Eyck return 1;
2408b0563631STom Van Eyck }
2409b0563631STom Van Eyck #endif
2410b0563631STom Van Eyck #if !defined(PSA_WANT_ALG_ECDH) && !defined(PSA_WANT_ALG_FFDH)
2411b0563631STom Van Eyck (void) named_group;
2412b0563631STom Van Eyck #endif
241332b31808SJens Wiklander return 0;
241432b31808SJens Wiklander }
241532b31808SJens Wiklander
241632b31808SJens Wiklander /*
241732b31808SJens Wiklander * Return supported signature algorithms.
241832b31808SJens Wiklander *
241932b31808SJens Wiklander * In future, invocations can be changed to ssl->conf->sig_algs when
242032b31808SJens Wiklander * mbedtls_ssl_conf_sig_hashes() is deleted.
242132b31808SJens Wiklander *
242232b31808SJens Wiklander * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS
242332b31808SJens Wiklander * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been
242432b31808SJens Wiklander * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has
242532b31808SJens Wiklander * been more recently invoked.
242632b31808SJens Wiklander *
242732b31808SJens Wiklander */
mbedtls_ssl_get_sig_algs(const mbedtls_ssl_context * ssl)242832b31808SJens Wiklander static inline const void *mbedtls_ssl_get_sig_algs(
242932b31808SJens Wiklander const mbedtls_ssl_context *ssl)
243032b31808SJens Wiklander {
243132b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
243232b31808SJens Wiklander
243332b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED)
243432b31808SJens Wiklander if (ssl->handshake != NULL &&
243532b31808SJens Wiklander ssl->handshake->sig_algs_heap_allocated == 1 &&
243632b31808SJens Wiklander ssl->handshake->sig_algs != NULL) {
243732b31808SJens Wiklander return ssl->handshake->sig_algs;
243832b31808SJens Wiklander }
243932b31808SJens Wiklander #endif
244032b31808SJens Wiklander return ssl->conf->sig_algs;
244132b31808SJens Wiklander
244232b31808SJens Wiklander #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
244332b31808SJens Wiklander
244432b31808SJens Wiklander ((void) ssl);
244532b31808SJens Wiklander return NULL;
244632b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
244732b31808SJens Wiklander }
244832b31808SJens Wiklander
244932b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context * ssl,uint16_t own_sig_alg)245032b31808SJens Wiklander static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl,
245132b31808SJens Wiklander uint16_t own_sig_alg)
245232b31808SJens Wiklander {
245332b31808SJens Wiklander const uint16_t *sig_alg = ssl->handshake->received_sig_algs;
245432b31808SJens Wiklander if (sig_alg == NULL) {
245532b31808SJens Wiklander return 0;
245632b31808SJens Wiklander }
245732b31808SJens Wiklander
245832b31808SJens Wiklander for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
245932b31808SJens Wiklander if (*sig_alg == own_sig_alg) {
246032b31808SJens Wiklander return 1;
246132b31808SJens Wiklander }
246232b31808SJens Wiklander }
246332b31808SJens Wiklander return 0;
246432b31808SJens Wiklander }
246532b31808SJens Wiklander
mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(const uint16_t sig_alg)246632b31808SJens Wiklander static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
246732b31808SJens Wiklander const uint16_t sig_alg)
246832b31808SJens Wiklander {
246932b31808SJens Wiklander switch (sig_alg) {
247032b31808SJens Wiklander #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
2471b0563631STom Van Eyck #if defined(PSA_WANT_ALG_SHA_256) && defined(PSA_WANT_ECC_SECP_R1_256)
247232b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
247332b31808SJens Wiklander break;
247432b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */
2475b0563631STom Van Eyck #if defined(PSA_WANT_ALG_SHA_384) && defined(PSA_WANT_ECC_SECP_R1_384)
247632b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384:
247732b31808SJens Wiklander break;
247832b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */
2479b0563631STom Van Eyck #if defined(PSA_WANT_ALG_SHA_512) && defined(PSA_WANT_ECC_SECP_R1_521)
248032b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
248132b31808SJens Wiklander break;
248232b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
248332b31808SJens Wiklander #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
248432b31808SJens Wiklander
248532b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
248632b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_256)
248732b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
248832b31808SJens Wiklander break;
248932b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_256 */
249032b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_384)
249132b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
249232b31808SJens Wiklander break;
249332b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_384 */
249432b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_512)
249532b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
249632b31808SJens Wiklander break;
249732b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_512 */
249832b31808SJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */
249932b31808SJens Wiklander default:
250032b31808SJens Wiklander return 0;
250132b31808SJens Wiklander }
250232b31808SJens Wiklander return 1;
250332b31808SJens Wiklander
250432b31808SJens Wiklander }
250532b31808SJens Wiklander
mbedtls_ssl_tls13_sig_alg_is_supported(const uint16_t sig_alg)250632b31808SJens Wiklander static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
250732b31808SJens Wiklander const uint16_t sig_alg)
250832b31808SJens Wiklander {
250932b31808SJens Wiklander switch (sig_alg) {
251032b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V15)
2511b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA256)
251232b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
251332b31808SJens Wiklander break;
2514b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA256 */
2515b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA384)
251632b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
251732b31808SJens Wiklander break;
2518b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA384 */
2519b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA512)
252032b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
252132b31808SJens Wiklander break;
2522b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA512 */
252332b31808SJens Wiklander #endif /* MBEDTLS_PKCS1_V15 */
252432b31808SJens Wiklander default:
252532b31808SJens Wiklander return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
252632b31808SJens Wiklander sig_alg);
252732b31808SJens Wiklander }
252832b31808SJens Wiklander return 1;
252932b31808SJens Wiklander }
253032b31808SJens Wiklander
253132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
253232b31808SJens Wiklander int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg,
253332b31808SJens Wiklander mbedtls_pk_context *key);
253432b31808SJens Wiklander #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
253532b31808SJens Wiklander
253632b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context * ssl,uint16_t proposed_sig_alg)253732b31808SJens Wiklander static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl,
253832b31808SJens Wiklander uint16_t proposed_sig_alg)
253932b31808SJens Wiklander {
254032b31808SJens Wiklander const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl);
254132b31808SJens Wiklander if (sig_alg == NULL) {
254232b31808SJens Wiklander return 0;
254332b31808SJens Wiklander }
254432b31808SJens Wiklander
254532b31808SJens Wiklander for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) {
254632b31808SJens Wiklander if (*sig_alg == proposed_sig_alg) {
254732b31808SJens Wiklander return 1;
254832b31808SJens Wiklander }
254932b31808SJens Wiklander }
255032b31808SJens Wiklander return 0;
255132b31808SJens Wiklander }
255232b31808SJens Wiklander
mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(uint16_t sig_alg,mbedtls_pk_type_t * pk_type,mbedtls_md_type_t * md_alg)255332b31808SJens Wiklander static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
255432b31808SJens Wiklander uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg)
255532b31808SJens Wiklander {
255632b31808SJens Wiklander *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff);
255732b31808SJens Wiklander *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff);
255832b31808SJens Wiklander
255932b31808SJens Wiklander if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) {
256032b31808SJens Wiklander return 0;
256132b31808SJens Wiklander }
256232b31808SJens Wiklander
256332b31808SJens Wiklander switch (sig_alg) {
256432b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V21)
2565b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA256)
256632b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
256732b31808SJens Wiklander *md_alg = MBEDTLS_MD_SHA256;
256832b31808SJens Wiklander *pk_type = MBEDTLS_PK_RSASSA_PSS;
256932b31808SJens Wiklander break;
2570b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA256 */
2571b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA384)
257232b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
257332b31808SJens Wiklander *md_alg = MBEDTLS_MD_SHA384;
257432b31808SJens Wiklander *pk_type = MBEDTLS_PK_RSASSA_PSS;
257532b31808SJens Wiklander break;
2576b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA384 */
2577b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA512)
257832b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
257932b31808SJens Wiklander *md_alg = MBEDTLS_MD_SHA512;
258032b31808SJens Wiklander *pk_type = MBEDTLS_PK_RSASSA_PSS;
258132b31808SJens Wiklander break;
2582b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA512 */
258332b31808SJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */
258432b31808SJens Wiklander default:
258532b31808SJens Wiklander return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
258632b31808SJens Wiklander }
258732b31808SJens Wiklander return 0;
258832b31808SJens Wiklander }
258932b31808SJens Wiklander
259032b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_tls12_sig_alg_is_supported(const uint16_t sig_alg)259132b31808SJens Wiklander static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
259232b31808SJens Wiklander const uint16_t sig_alg)
259332b31808SJens Wiklander {
259432b31808SJens Wiklander /* High byte is hash */
259532b31808SJens Wiklander unsigned char hash = MBEDTLS_BYTE_1(sig_alg);
259632b31808SJens Wiklander unsigned char sig = MBEDTLS_BYTE_0(sig_alg);
259732b31808SJens Wiklander
259832b31808SJens Wiklander switch (hash) {
2599b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_MD5)
260032b31808SJens Wiklander case MBEDTLS_SSL_HASH_MD5:
260132b31808SJens Wiklander break;
260232b31808SJens Wiklander #endif
260332b31808SJens Wiklander
2604b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA1)
260532b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA1:
260632b31808SJens Wiklander break;
260732b31808SJens Wiklander #endif
260832b31808SJens Wiklander
2609b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA224)
261032b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA224:
261132b31808SJens Wiklander break;
261232b31808SJens Wiklander #endif
261332b31808SJens Wiklander
2614b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA256)
261532b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA256:
261632b31808SJens Wiklander break;
261732b31808SJens Wiklander #endif
261832b31808SJens Wiklander
2619b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA384)
262032b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA384:
262132b31808SJens Wiklander break;
262232b31808SJens Wiklander #endif
262332b31808SJens Wiklander
2624b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA512)
262532b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA512:
262632b31808SJens Wiklander break;
262732b31808SJens Wiklander #endif
262832b31808SJens Wiklander
262932b31808SJens Wiklander default:
263032b31808SJens Wiklander return 0;
263132b31808SJens Wiklander }
263232b31808SJens Wiklander
263332b31808SJens Wiklander switch (sig) {
263432b31808SJens Wiklander #if defined(MBEDTLS_RSA_C)
263532b31808SJens Wiklander case MBEDTLS_SSL_SIG_RSA:
263632b31808SJens Wiklander break;
263732b31808SJens Wiklander #endif
263832b31808SJens Wiklander
2639b0563631STom Van Eyck #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
264032b31808SJens Wiklander case MBEDTLS_SSL_SIG_ECDSA:
264132b31808SJens Wiklander break;
264232b31808SJens Wiklander #endif
264332b31808SJens Wiklander
264432b31808SJens Wiklander default:
264532b31808SJens Wiklander return 0;
264632b31808SJens Wiklander }
264732b31808SJens Wiklander
264832b31808SJens Wiklander return 1;
264932b31808SJens Wiklander }
265032b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
265132b31808SJens Wiklander
mbedtls_ssl_sig_alg_is_supported(const mbedtls_ssl_context * ssl,const uint16_t sig_alg)265232b31808SJens Wiklander static inline int mbedtls_ssl_sig_alg_is_supported(
265332b31808SJens Wiklander const mbedtls_ssl_context *ssl,
265432b31808SJens Wiklander const uint16_t sig_alg)
265532b31808SJens Wiklander {
265632b31808SJens Wiklander
265732b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
265832b31808SJens Wiklander if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) {
265932b31808SJens Wiklander return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg);
266032b31808SJens Wiklander }
266132b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
266232b31808SJens Wiklander
266332b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
266432b31808SJens Wiklander if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
266532b31808SJens Wiklander return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg);
266632b31808SJens Wiklander }
266732b31808SJens Wiklander #endif
266832b31808SJens Wiklander ((void) ssl);
266932b31808SJens Wiklander ((void) sig_alg);
267032b31808SJens Wiklander return 0;
267132b31808SJens Wiklander }
267232b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
267332b31808SJens Wiklander
267432b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
267532b31808SJens Wiklander /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL.
267632b31808SJens Wiklander * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is
267732b31808SJens Wiklander * guaranteed to not be a valid PSA algorithm identifier.
267832b31808SJens Wiklander */
267932b31808SJens Wiklander #define MBEDTLS_SSL_NULL_CIPHER 0x04000000
268032b31808SJens Wiklander
268132b31808SJens Wiklander /**
268232b31808SJens Wiklander * \brief Translate mbedtls cipher type/taglen pair to psa:
268332b31808SJens Wiklander * algorithm, key type and key size.
268432b31808SJens Wiklander *
268532b31808SJens Wiklander * \param mbedtls_cipher_type [in] given mbedtls cipher type
268632b31808SJens Wiklander * \param taglen [in] given tag length
268732b31808SJens Wiklander * 0 - default tag length
268832b31808SJens Wiklander * \param alg [out] corresponding PSA alg
268932b31808SJens Wiklander * There is no corresponding PSA
269032b31808SJens Wiklander * alg for MBEDTLS_CIPHER_NULL, so
269132b31808SJens Wiklander * in this case MBEDTLS_SSL_NULL_CIPHER
269232b31808SJens Wiklander * is returned via this parameter
269332b31808SJens Wiklander * \param key_type [out] corresponding PSA key type
269432b31808SJens Wiklander * \param key_size [out] corresponding PSA key size
269532b31808SJens Wiklander *
269632b31808SJens Wiklander * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if
269732b31808SJens Wiklander * conversion is not supported.
269832b31808SJens Wiklander */
269932b31808SJens Wiklander psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type,
270032b31808SJens Wiklander size_t taglen,
270132b31808SJens Wiklander psa_algorithm_t *alg,
270232b31808SJens Wiklander psa_key_type_t *key_type,
270332b31808SJens Wiklander size_t *key_size);
270432b31808SJens Wiklander
270532b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED)
270632b31808SJens Wiklander /**
270732b31808SJens Wiklander * \brief Convert given PSA status to mbedtls error code.
270832b31808SJens Wiklander *
270932b31808SJens Wiklander * \param status [in] given PSA status
271032b31808SJens Wiklander *
271132b31808SJens Wiklander * \return corresponding mbedtls error code
271232b31808SJens Wiklander */
psa_ssl_status_to_mbedtls(psa_status_t status)271332b31808SJens Wiklander static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status)
271432b31808SJens Wiklander {
271532b31808SJens Wiklander switch (status) {
271632b31808SJens Wiklander case PSA_SUCCESS:
271732b31808SJens Wiklander return 0;
271832b31808SJens Wiklander case PSA_ERROR_INSUFFICIENT_MEMORY:
271932b31808SJens Wiklander return MBEDTLS_ERR_SSL_ALLOC_FAILED;
272032b31808SJens Wiklander case PSA_ERROR_NOT_SUPPORTED:
272132b31808SJens Wiklander return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
272232b31808SJens Wiklander case PSA_ERROR_INVALID_SIGNATURE:
272332b31808SJens Wiklander return MBEDTLS_ERR_SSL_INVALID_MAC;
272432b31808SJens Wiklander case PSA_ERROR_INVALID_ARGUMENT:
272532b31808SJens Wiklander return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
272632b31808SJens Wiklander case PSA_ERROR_BAD_STATE:
272732b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
272832b31808SJens Wiklander case PSA_ERROR_BUFFER_TOO_SMALL:
272932b31808SJens Wiklander return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
273032b31808SJens Wiklander default:
273132b31808SJens Wiklander return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
273232b31808SJens Wiklander }
273332b31808SJens Wiklander }
273432b31808SJens Wiklander #endif /* !MBEDTLS_DEPRECATED_REMOVED */
273532b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
273632b31808SJens Wiklander
273732b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
273832b31808SJens Wiklander defined(MBEDTLS_USE_PSA_CRYPTO)
273932b31808SJens Wiklander
274032b31808SJens Wiklander typedef enum {
274132b31808SJens Wiklander MBEDTLS_ECJPAKE_ROUND_ONE,
274232b31808SJens Wiklander MBEDTLS_ECJPAKE_ROUND_TWO
274332b31808SJens Wiklander } mbedtls_ecjpake_rounds_t;
274432b31808SJens Wiklander
274532b31808SJens Wiklander /**
274632b31808SJens Wiklander * \brief Parse the provided input buffer for getting the first round
274732b31808SJens Wiklander * of key exchange. This code is common between server and client
274832b31808SJens Wiklander *
274932b31808SJens Wiklander * \param pake_ctx [in] the PAKE's operation/context structure
275032b31808SJens Wiklander * \param buf [in] input buffer to parse
275132b31808SJens Wiklander * \param len [in] length of the input buffer
275232b31808SJens Wiklander * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
275332b31808SJens Wiklander * MBEDTLS_ECJPAKE_ROUND_TWO
275432b31808SJens Wiklander *
275532b31808SJens Wiklander * \return 0 on success or a negative error code in case of failure
275632b31808SJens Wiklander */
275732b31808SJens Wiklander int mbedtls_psa_ecjpake_read_round(
275832b31808SJens Wiklander psa_pake_operation_t *pake_ctx,
275932b31808SJens Wiklander const unsigned char *buf,
276032b31808SJens Wiklander size_t len, mbedtls_ecjpake_rounds_t round);
276132b31808SJens Wiklander
276232b31808SJens Wiklander /**
276332b31808SJens Wiklander * \brief Write the first round of key exchange into the provided output
276432b31808SJens Wiklander * buffer. This code is common between server and client
276532b31808SJens Wiklander *
276632b31808SJens Wiklander * \param pake_ctx [in] the PAKE's operation/context structure
276732b31808SJens Wiklander * \param buf [out] the output buffer in which data will be written to
276832b31808SJens Wiklander * \param len [in] length of the output buffer
276932b31808SJens Wiklander * \param olen [out] the length of the data really written on the buffer
277032b31808SJens Wiklander * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or
277132b31808SJens Wiklander * MBEDTLS_ECJPAKE_ROUND_TWO
277232b31808SJens Wiklander *
277332b31808SJens Wiklander * \return 0 on success or a negative error code in case of failure
277432b31808SJens Wiklander */
277532b31808SJens Wiklander int mbedtls_psa_ecjpake_write_round(
277632b31808SJens Wiklander psa_pake_operation_t *pake_ctx,
277732b31808SJens Wiklander unsigned char *buf,
277832b31808SJens Wiklander size_t len, size_t *olen,
277932b31808SJens Wiklander mbedtls_ecjpake_rounds_t round);
278032b31808SJens Wiklander
278132b31808SJens Wiklander #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO
278232b31808SJens Wiklander
278332b31808SJens Wiklander /**
278432b31808SJens Wiklander * \brief TLS record protection modes
278532b31808SJens Wiklander */
278632b31808SJens Wiklander typedef enum {
278732b31808SJens Wiklander MBEDTLS_SSL_MODE_STREAM = 0,
278832b31808SJens Wiklander MBEDTLS_SSL_MODE_CBC,
278932b31808SJens Wiklander MBEDTLS_SSL_MODE_CBC_ETM,
279032b31808SJens Wiklander MBEDTLS_SSL_MODE_AEAD
279132b31808SJens Wiklander } mbedtls_ssl_mode_t;
279232b31808SJens Wiklander
279332b31808SJens Wiklander mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform(
279432b31808SJens Wiklander const mbedtls_ssl_transform *transform);
279532b31808SJens Wiklander
279632b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM)
279732b31808SJens Wiklander mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
279832b31808SJens Wiklander int encrypt_then_mac,
279932b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite);
280032b31808SJens Wiklander #else
280132b31808SJens Wiklander mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite(
280232b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite);
280332b31808SJens Wiklander #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */
280432b31808SJens Wiklander
2805b0563631STom Van Eyck #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH)
280632b31808SJens Wiklander
280732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
2808b0563631STom Van Eyck int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
280932b31808SJens Wiklander const unsigned char *buf,
281032b31808SJens Wiklander size_t buf_len);
281132b31808SJens Wiklander
2812b0563631STom Van Eyck #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */
281332b31808SJens Wiklander
mbedtls_ssl_tls13_cipher_suite_is_offered(mbedtls_ssl_context * ssl,int cipher_suite)281432b31808SJens Wiklander static inline int mbedtls_ssl_tls13_cipher_suite_is_offered(
281532b31808SJens Wiklander mbedtls_ssl_context *ssl, int cipher_suite)
281632b31808SJens Wiklander {
281732b31808SJens Wiklander const int *ciphersuite_list = ssl->conf->ciphersuite_list;
281832b31808SJens Wiklander
281932b31808SJens Wiklander /* Check whether we have offered this ciphersuite */
282032b31808SJens Wiklander for (size_t i = 0; ciphersuite_list[i] != 0; i++) {
282132b31808SJens Wiklander if (ciphersuite_list[i] == cipher_suite) {
282232b31808SJens Wiklander return 1;
282332b31808SJens Wiklander }
282432b31808SJens Wiklander }
282532b31808SJens Wiklander return 0;
282632b31808SJens Wiklander }
282732b31808SJens Wiklander
282832b31808SJens Wiklander /**
282932b31808SJens Wiklander * \brief Validate cipher suite against config in SSL context.
283032b31808SJens Wiklander *
283132b31808SJens Wiklander * \param ssl SSL context
283232b31808SJens Wiklander * \param suite_info Cipher suite to validate
283332b31808SJens Wiklander * \param min_tls_version Minimal TLS version to accept a cipher suite
283432b31808SJens Wiklander * \param max_tls_version Maximal TLS version to accept a cipher suite
283532b31808SJens Wiklander *
283632b31808SJens Wiklander * \return 0 if valid, negative value otherwise.
283732b31808SJens Wiklander */
283832b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
283932b31808SJens Wiklander int mbedtls_ssl_validate_ciphersuite(
284032b31808SJens Wiklander const mbedtls_ssl_context *ssl,
284132b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite_info,
284232b31808SJens Wiklander mbedtls_ssl_protocol_version min_tls_version,
284332b31808SJens Wiklander mbedtls_ssl_protocol_version max_tls_version);
284432b31808SJens Wiklander
284532b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
284632b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
284732b31808SJens Wiklander int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl,
284832b31808SJens Wiklander const unsigned char *buf,
284932b31808SJens Wiklander const unsigned char *end);
285032b31808SJens Wiklander #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
285132b31808SJens Wiklander
285232b31808SJens Wiklander #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT)
285332b31808SJens Wiklander #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2)
2854b0563631STom Van Eyck #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) /* As defined in RFC 8449 */
285532b31808SJens Wiklander
285632b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
285732b31808SJens Wiklander int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
285832b31808SJens Wiklander const unsigned char *buf,
285932b31808SJens Wiklander const unsigned char *end);
2860b0563631STom Van Eyck
2861b0563631STom Van Eyck MBEDTLS_CHECK_RETURN_CRITICAL
2862b0563631STom Van Eyck int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl,
2863b0563631STom Van Eyck unsigned char *buf,
2864b0563631STom Van Eyck const unsigned char *end,
2865b0563631STom Van Eyck size_t *out_len);
286632b31808SJens Wiklander #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */
286732b31808SJens Wiklander
286832b31808SJens Wiklander #if defined(MBEDTLS_SSL_ALPN)
286932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
287032b31808SJens Wiklander int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl,
287132b31808SJens Wiklander const unsigned char *buf,
287232b31808SJens Wiklander const unsigned char *end);
287332b31808SJens Wiklander
287432b31808SJens Wiklander
287532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
287632b31808SJens Wiklander int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
287732b31808SJens Wiklander unsigned char *buf,
287832b31808SJens Wiklander unsigned char *end,
287932b31808SJens Wiklander size_t *out_len);
288032b31808SJens Wiklander #endif /* MBEDTLS_SSL_ALPN */
288132b31808SJens Wiklander
288232b31808SJens Wiklander #if defined(MBEDTLS_TEST_HOOKS)
288332b31808SJens Wiklander int mbedtls_ssl_check_dtls_clihlo_cookie(
288432b31808SJens Wiklander mbedtls_ssl_context *ssl,
288532b31808SJens Wiklander const unsigned char *cli_id, size_t cli_id_len,
288632b31808SJens Wiklander const unsigned char *in, size_t in_len,
288732b31808SJens Wiklander unsigned char *obuf, size_t buf_len, size_t *olen);
288832b31808SJens Wiklander #endif
288932b31808SJens Wiklander
289032b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
289132b31808SJens Wiklander /**
289232b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS
289332b31808SJens Wiklander * 1.3 specific Pre-Shared key extension.
289432b31808SJens Wiklander *
289532b31808SJens Wiklander * \param[in] ssl SSL context
289632b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the extension
289732b31808SJens Wiklander * \param[in] end End address of the buffer where to write the extension
289832b31808SJens Wiklander * \param[out] out_len Length in bytes of the Pre-Shared key extension: data
289932b31808SJens Wiklander * written into the buffer \p buf by this function plus
290032b31808SJens Wiklander * the length of the binders to be written.
290132b31808SJens Wiklander * \param[out] binders_len Length of the binders to be written at the end of
290232b31808SJens Wiklander * the extension.
290332b31808SJens Wiklander */
290432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
290532b31808SJens Wiklander int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
290632b31808SJens Wiklander mbedtls_ssl_context *ssl,
290732b31808SJens Wiklander unsigned char *buf, unsigned char *end,
290832b31808SJens Wiklander size_t *out_len, size_t *binders_len);
290932b31808SJens Wiklander
291032b31808SJens Wiklander /**
291132b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS
291232b31808SJens Wiklander * 1.3 specific Pre-Shared key extension binders at the end of the
291332b31808SJens Wiklander * ClientHello.
291432b31808SJens Wiklander *
291532b31808SJens Wiklander * \param[in] ssl SSL context
291632b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the binders
291732b31808SJens Wiklander * \param[in] end End address of the buffer where to write the binders
291832b31808SJens Wiklander */
291932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
292032b31808SJens Wiklander int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
292132b31808SJens Wiklander mbedtls_ssl_context *ssl,
292232b31808SJens Wiklander unsigned char *buf, unsigned char *end);
292332b31808SJens Wiklander #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
292432b31808SJens Wiklander
2925c3deb3d6SEtienne Carriere #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
2926c3deb3d6SEtienne Carriere /** Get the host name from the SSL context.
2927c3deb3d6SEtienne Carriere *
2928c3deb3d6SEtienne Carriere * \param[in] ssl SSL context
2929c3deb3d6SEtienne Carriere *
2930c3deb3d6SEtienne Carriere * \return The \p hostname pointer from the SSL context.
2931c3deb3d6SEtienne Carriere * \c NULL if mbedtls_ssl_set_hostname() has never been called on
2932c3deb3d6SEtienne Carriere * \p ssl or if it was last called with \p NULL.
2933c3deb3d6SEtienne Carriere */
2934c3deb3d6SEtienne Carriere const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl);
2935c3deb3d6SEtienne Carriere #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
2936c3deb3d6SEtienne Carriere
293732b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
293832b31808SJens Wiklander defined(MBEDTLS_SSL_SESSION_TICKETS) && \
293932b31808SJens Wiklander defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \
294032b31808SJens Wiklander defined(MBEDTLS_SSL_CLI_C)
294132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL
294232b31808SJens Wiklander int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session,
294332b31808SJens Wiklander const char *hostname);
294432b31808SJens Wiklander #endif
294532b31808SJens Wiklander
2946b0563631STom Van Eyck #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \
2947b0563631STom Van Eyck defined(MBEDTLS_SSL_ALPN)
2948b0563631STom Van Eyck MBEDTLS_CHECK_RETURN_CRITICAL
2949b0563631STom Van Eyck int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session,
2950b0563631STom Van Eyck const char *alpn);
2951b0563631STom Van Eyck #endif
2952b0563631STom Van Eyck
295332b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS)
2954b0563631STom Van Eyck
2955b0563631STom Van Eyck #define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800)
2956b0563631STom Van Eyck
mbedtls_ssl_tls13_session_get_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2957b0563631STom Van Eyck static inline unsigned int mbedtls_ssl_tls13_session_get_ticket_flags(
295832b31808SJens Wiklander mbedtls_ssl_session *session, unsigned int flags)
295932b31808SJens Wiklander {
296032b31808SJens Wiklander return session->ticket_flags &
296132b31808SJens Wiklander (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
296232b31808SJens Wiklander }
296332b31808SJens Wiklander
2964b0563631STom Van Eyck /**
2965b0563631STom Van Eyck * Check if at least one of the given flags is set in
2966b0563631STom Van Eyck * the session ticket. See the definition of
2967b0563631STom Van Eyck * `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` to get all
2968b0563631STom Van Eyck * permitted flags.
2969b0563631STom Van Eyck */
mbedtls_ssl_tls13_session_ticket_has_flags(mbedtls_ssl_session * session,unsigned int flags)2970b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_session_ticket_has_flags(
2971b0563631STom Van Eyck mbedtls_ssl_session *session, unsigned int flags)
2972b0563631STom Van Eyck {
2973b0563631STom Van Eyck return mbedtls_ssl_tls13_session_get_ticket_flags(session, flags) != 0;
2974b0563631STom Van Eyck }
2975b0563631STom Van Eyck
mbedtls_ssl_tls13_session_ticket_allow_psk(mbedtls_ssl_session * session)2976b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_session_ticket_allow_psk(
2977b0563631STom Van Eyck mbedtls_ssl_session *session)
2978b0563631STom Van Eyck {
2979b0563631STom Van Eyck return mbedtls_ssl_tls13_session_ticket_has_flags(
2980b0563631STom Van Eyck session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION);
2981b0563631STom Van Eyck }
2982b0563631STom Van Eyck
mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(mbedtls_ssl_session * session)2983b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral(
2984b0563631STom Van Eyck mbedtls_ssl_session *session)
2985b0563631STom Van Eyck {
2986b0563631STom Van Eyck return mbedtls_ssl_tls13_session_ticket_has_flags(
2987b0563631STom Van Eyck session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION);
2988b0563631STom Van Eyck }
2989b0563631STom Van Eyck
mbedtls_ssl_tls13_session_ticket_allow_early_data(mbedtls_ssl_session * session)2990b0563631STom Van Eyck static inline unsigned int mbedtls_ssl_tls13_session_ticket_allow_early_data(
2991b0563631STom Van Eyck mbedtls_ssl_session *session)
2992b0563631STom Van Eyck {
2993b0563631STom Van Eyck return mbedtls_ssl_tls13_session_ticket_has_flags(
2994b0563631STom Van Eyck session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA);
2995b0563631STom Van Eyck }
2996b0563631STom Van Eyck
mbedtls_ssl_tls13_session_set_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)2997b0563631STom Van Eyck static inline void mbedtls_ssl_tls13_session_set_ticket_flags(
299832b31808SJens Wiklander mbedtls_ssl_session *session, unsigned int flags)
299932b31808SJens Wiklander {
300032b31808SJens Wiklander session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
300132b31808SJens Wiklander }
300232b31808SJens Wiklander
mbedtls_ssl_tls13_session_clear_ticket_flags(mbedtls_ssl_session * session,unsigned int flags)3003b0563631STom Van Eyck static inline void mbedtls_ssl_tls13_session_clear_ticket_flags(
300432b31808SJens Wiklander mbedtls_ssl_session *session, unsigned int flags)
300532b31808SJens Wiklander {
300632b31808SJens Wiklander session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK);
300732b31808SJens Wiklander }
3008cb034002SJerome Forissier
300932b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */
301032b31808SJens Wiklander
3011cb034002SJerome Forissier #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
3012cb034002SJerome Forissier #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0
3013cb034002SJerome Forissier #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1
3014cb034002SJerome Forissier
3015cb034002SJerome Forissier #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \
3016cb034002SJerome Forissier (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT)
3017cb034002SJerome Forissier #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \
3018cb034002SJerome Forissier (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT)
3019cb034002SJerome Forissier
3020c3deb3d6SEtienne Carriere #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_conf_get_session_tickets(const mbedtls_ssl_config * conf)3021cb034002SJerome Forissier static inline int mbedtls_ssl_conf_get_session_tickets(
3022cb034002SJerome Forissier const mbedtls_ssl_config *conf)
3023cb034002SJerome Forissier {
3024cb034002SJerome Forissier return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ?
3025cb034002SJerome Forissier MBEDTLS_SSL_SESSION_TICKETS_ENABLED :
3026cb034002SJerome Forissier MBEDTLS_SSL_SESSION_TICKETS_DISABLED;
3027cb034002SJerome Forissier }
3028c3deb3d6SEtienne Carriere #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
3029cb034002SJerome Forissier
3030cb034002SJerome Forissier #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(const mbedtls_ssl_config * conf)3031cb034002SJerome Forissier static inline int mbedtls_ssl_conf_is_signal_new_session_tickets_enabled(
3032cb034002SJerome Forissier const mbedtls_ssl_config *conf)
3033cb034002SJerome Forissier {
3034cb034002SJerome Forissier return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ?
3035cb034002SJerome Forissier MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED :
3036cb034002SJerome Forissier MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED;
3037cb034002SJerome Forissier }
3038cb034002SJerome Forissier #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3039cb034002SJerome Forissier #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
3040cb034002SJerome Forissier
304132b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
304232b31808SJens Wiklander int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl);
304332b31808SJens Wiklander #endif
304432b31808SJens Wiklander
3045b0563631STom Van Eyck #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
3046b0563631STom Van Eyck
3047b0563631STom Van Eyck /** Compute the HMAC of variable-length data with constant flow.
3048b0563631STom Van Eyck *
3049b0563631STom Van Eyck * This function computes the HMAC of the concatenation of \p add_data and \p
3050b0563631STom Van Eyck * data, and does with a code flow and memory access pattern that does not
3051b0563631STom Van Eyck * depend on \p data_len_secret, but only on \p min_data_len and \p
3052b0563631STom Van Eyck * max_data_len. In particular, this function always reads exactly \p
3053b0563631STom Van Eyck * max_data_len bytes from \p data.
3054b0563631STom Van Eyck *
3055b0563631STom Van Eyck * \param ctx The HMAC context. It must have keys configured
3056b0563631STom Van Eyck * with mbedtls_md_hmac_starts() and use one of the
3057b0563631STom Van Eyck * following hashes: SHA-384, SHA-256, SHA-1 or MD-5.
3058b0563631STom Van Eyck * It is reset using mbedtls_md_hmac_reset() after
3059b0563631STom Van Eyck * the computation is complete to prepare for the
3060b0563631STom Van Eyck * next computation.
3061b0563631STom Van Eyck * \param add_data The first part of the message whose HMAC is being
3062b0563631STom Van Eyck * calculated. This must point to a readable buffer
3063b0563631STom Van Eyck * of \p add_data_len bytes.
3064b0563631STom Van Eyck * \param add_data_len The length of \p add_data in bytes.
3065b0563631STom Van Eyck * \param data The buffer containing the second part of the
3066b0563631STom Van Eyck * message. This must point to a readable buffer
3067b0563631STom Van Eyck * of \p max_data_len bytes.
3068b0563631STom Van Eyck * \param data_len_secret The length of the data to process in \p data.
3069b0563631STom Van Eyck * This must be no less than \p min_data_len and no
3070b0563631STom Van Eyck * greater than \p max_data_len.
3071b0563631STom Van Eyck * \param min_data_len The minimal length of the second part of the
3072b0563631STom Van Eyck * message, read from \p data.
3073b0563631STom Van Eyck * \param max_data_len The maximal length of the second part of the
3074b0563631STom Van Eyck * message, read from \p data.
3075b0563631STom Van Eyck * \param output The HMAC will be written here. This must point to
3076b0563631STom Van Eyck * a writable buffer of sufficient size to hold the
3077b0563631STom Van Eyck * HMAC value.
3078b0563631STom Van Eyck *
3079b0563631STom Van Eyck * \retval 0 on success.
3080b0563631STom Van Eyck * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED
3081b0563631STom Van Eyck * The hardware accelerator failed.
3082b0563631STom Van Eyck */
3083b0563631STom Van Eyck #if defined(MBEDTLS_USE_PSA_CRYPTO)
3084b0563631STom Van Eyck int mbedtls_ct_hmac(mbedtls_svc_key_id_t key,
3085b0563631STom Van Eyck psa_algorithm_t mac_alg,
3086b0563631STom Van Eyck const unsigned char *add_data,
3087b0563631STom Van Eyck size_t add_data_len,
3088b0563631STom Van Eyck const unsigned char *data,
3089b0563631STom Van Eyck size_t data_len_secret,
3090b0563631STom Van Eyck size_t min_data_len,
3091b0563631STom Van Eyck size_t max_data_len,
3092b0563631STom Van Eyck unsigned char *output);
3093b0563631STom Van Eyck #else
3094b0563631STom Van Eyck int mbedtls_ct_hmac(mbedtls_md_context_t *ctx,
3095b0563631STom Van Eyck const unsigned char *add_data,
3096b0563631STom Van Eyck size_t add_data_len,
3097b0563631STom Van Eyck const unsigned char *data,
3098b0563631STom Van Eyck size_t data_len_secret,
3099b0563631STom Van Eyck size_t min_data_len,
3100b0563631STom Van Eyck size_t max_data_len,
3101b0563631STom Van Eyck unsigned char *output);
3102b0563631STom Van Eyck #endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */
3103b0563631STom Van Eyck #endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */
3104b0563631STom Van Eyck
310532b31808SJens Wiklander #endif /* ssl_misc.h */
3106