1*32b31808SJens Wiklander /** 2*32b31808SJens Wiklander * \file ssl_misc.h 3*32b31808SJens Wiklander * 4*32b31808SJens Wiklander * \brief Internal functions shared by the SSL modules 5*32b31808SJens Wiklander */ 6*32b31808SJens Wiklander /* 7*32b31808SJens Wiklander * Copyright The Mbed TLS Contributors 8*32b31808SJens Wiklander * SPDX-License-Identifier: Apache-2.0 9*32b31808SJens Wiklander * 10*32b31808SJens Wiklander * Licensed under the Apache License, Version 2.0 (the "License"); you may 11*32b31808SJens Wiklander * not use this file except in compliance with the License. 12*32b31808SJens Wiklander * You may obtain a copy of the License at 13*32b31808SJens Wiklander * 14*32b31808SJens Wiklander * http://www.apache.org/licenses/LICENSE-2.0 15*32b31808SJens Wiklander * 16*32b31808SJens Wiklander * Unless required by applicable law or agreed to in writing, software 17*32b31808SJens Wiklander * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 18*32b31808SJens Wiklander * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 19*32b31808SJens Wiklander * See the License for the specific language governing permissions and 20*32b31808SJens Wiklander * limitations under the License. 21*32b31808SJens Wiklander */ 22*32b31808SJens Wiklander #ifndef MBEDTLS_SSL_MISC_H 23*32b31808SJens Wiklander #define MBEDTLS_SSL_MISC_H 24*32b31808SJens Wiklander 25*32b31808SJens Wiklander #include "mbedtls/build_info.h" 26*32b31808SJens Wiklander 27*32b31808SJens Wiklander #include "mbedtls/ssl.h" 28*32b31808SJens Wiklander #include "mbedtls/cipher.h" 29*32b31808SJens Wiklander 30*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 31*32b31808SJens Wiklander #include "psa/crypto.h" 32*32b31808SJens Wiklander #include "mbedtls/psa_util.h" 33*32b31808SJens Wiklander #include "hash_info.h" 34*32b31808SJens Wiklander #endif 35*32b31808SJens Wiklander #include "mbedtls/legacy_or_psa.h" 36*32b31808SJens Wiklander 37*32b31808SJens Wiklander #if defined(MBEDTLS_MD5_C) 38*32b31808SJens Wiklander #include "mbedtls/md5.h" 39*32b31808SJens Wiklander #endif 40*32b31808SJens Wiklander 41*32b31808SJens Wiklander #if defined(MBEDTLS_SHA1_C) 42*32b31808SJens Wiklander #include "mbedtls/sha1.h" 43*32b31808SJens Wiklander #endif 44*32b31808SJens Wiklander 45*32b31808SJens Wiklander #if defined(MBEDTLS_SHA256_C) 46*32b31808SJens Wiklander #include "mbedtls/sha256.h" 47*32b31808SJens Wiklander #endif 48*32b31808SJens Wiklander 49*32b31808SJens Wiklander #if defined(MBEDTLS_SHA512_C) 50*32b31808SJens Wiklander #include "mbedtls/sha512.h" 51*32b31808SJens Wiklander #endif 52*32b31808SJens Wiklander 53*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 54*32b31808SJens Wiklander !defined(MBEDTLS_USE_PSA_CRYPTO) 55*32b31808SJens Wiklander #include "mbedtls/ecjpake.h" 56*32b31808SJens Wiklander #endif 57*32b31808SJens Wiklander 58*32b31808SJens Wiklander #include "mbedtls/pk.h" 59*32b31808SJens Wiklander #include "common.h" 60*32b31808SJens Wiklander 61*32b31808SJens Wiklander /* Shorthand for restartable ECC */ 62*32b31808SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) && \ 63*32b31808SJens Wiklander defined(MBEDTLS_SSL_CLI_C) && \ 64*32b31808SJens Wiklander defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 65*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 66*32b31808SJens Wiklander #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED 67*32b31808SJens Wiklander #endif 68*32b31808SJens Wiklander 69*32b31808SJens Wiklander #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0 70*32b31808SJens Wiklander #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */ 71*32b31808SJens Wiklander #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */ 72*32b31808SJens Wiklander #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ 73*32b31808SJens Wiklander 74*32b31808SJens Wiklander /* Faked handshake message identity for HelloRetryRequest. */ 75*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO) 76*32b31808SJens Wiklander 77*32b31808SJens Wiklander /* 78*32b31808SJens Wiklander * Internal identity of handshake extensions 79*32b31808SJens Wiklander */ 80*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0 81*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1 82*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1 83*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2 84*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3 85*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4 86*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4 87*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SIG_ALG 5 88*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_USE_SRTP 6 89*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7 90*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_ALPN 8 91*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SCT 9 92*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10 93*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11 94*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_PADDING 12 95*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13 96*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14 97*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15 98*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_COOKIE 16 99*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17 100*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18 101*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19 102*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20 103*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21 104*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22 105*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23 106*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24 107*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25 108*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26 109*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27 110*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28 111*32b31808SJens Wiklander 112*32b31808SJens Wiklander /* Utility for translating IANA extension type. */ 113*32b31808SJens Wiklander uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type); 114*32b31808SJens Wiklander uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type); 115*32b31808SJens Wiklander /* Macros used to define mask constants */ 116*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id)) 117*32b31808SJens Wiklander /* Reset value of extension mask */ 118*32b31808SJens Wiklander #define MBEDTLS_SSL_EXT_MASK_NONE 0 119*32b31808SJens Wiklander 120*32b31808SJens Wiklander /* In messages containing extension requests, we should ignore unrecognized 121*32b31808SJens Wiklander * extensions. In messages containing extension responses, unrecognized 122*32b31808SJens Wiklander * extensions should result in handshake abortion. Messages containing 123*32b31808SJens Wiklander * extension requests include ClientHello, CertificateRequest and 124*32b31808SJens Wiklander * NewSessionTicket. Messages containing extension responses include 125*32b31808SJens Wiklander * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate. 126*32b31808SJens Wiklander * 127*32b31808SJens Wiklander * RFC 8446 section 4.1.3 128*32b31808SJens Wiklander * 129*32b31808SJens Wiklander * The ServerHello MUST only include extensions which are required to establish 130*32b31808SJens Wiklander * the cryptographic context and negotiate the protocol version. 131*32b31808SJens Wiklander * 132*32b31808SJens Wiklander * RFC 8446 section 4.2 133*32b31808SJens Wiklander * 134*32b31808SJens Wiklander * If an implementation receives an extension which it recognizes and which is 135*32b31808SJens Wiklander * not specified for the message in which it appears, it MUST abort the handshake 136*32b31808SJens Wiklander * with an "illegal_parameter" alert. 137*32b31808SJens Wiklander */ 138*32b31808SJens Wiklander 139*32b31808SJens Wiklander /* Extensions that are not recognized by TLS 1.3 */ 140*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \ 141*32b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \ 142*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \ 143*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \ 144*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \ 145*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \ 146*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED)) 147*32b31808SJens Wiklander 148*32b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for ClientHello */ 149*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \ 150*32b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \ 151*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \ 152*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 153*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \ 154*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \ 155*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \ 156*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \ 157*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(ALPN) | \ 158*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SCT) | \ 159*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \ 160*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \ 161*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PADDING) | \ 162*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 163*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \ 164*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \ 165*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 166*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(COOKIE) | \ 167*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \ 168*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \ 169*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \ 170*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \ 171*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \ 172*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 173*32b31808SJens Wiklander 174*32b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */ 175*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \ 176*32b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \ 177*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \ 178*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \ 179*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \ 180*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \ 181*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(ALPN) | \ 182*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \ 183*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \ 184*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 185*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) 186*32b31808SJens Wiklander 187*32b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */ 188*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \ 189*32b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 190*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \ 191*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SCT) | \ 192*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \ 193*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \ 194*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \ 195*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 196*32b31808SJens Wiklander 197*32b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for Certificate */ 198*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \ 199*32b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 200*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SCT)) 201*32b31808SJens Wiklander 202*32b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for ServerHello */ 203*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \ 204*32b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 205*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \ 206*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS)) 207*32b31808SJens Wiklander 208*32b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */ 209*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \ 210*32b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 211*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(COOKIE) | \ 212*32b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS)) 213*32b31808SJens Wiklander 214*32b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */ 215*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \ 216*32b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 217*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 218*32b31808SJens Wiklander 219*32b31808SJens Wiklander /* 220*32b31808SJens Wiklander * Helper macros for function call with return check. 221*32b31808SJens Wiklander */ 222*32b31808SJens Wiklander /* 223*32b31808SJens Wiklander * Exit when return non-zero value 224*32b31808SJens Wiklander */ 225*32b31808SJens Wiklander #define MBEDTLS_SSL_PROC_CHK(f) \ 226*32b31808SJens Wiklander do { \ 227*32b31808SJens Wiklander ret = (f); \ 228*32b31808SJens Wiklander if (ret != 0) \ 229*32b31808SJens Wiklander { \ 230*32b31808SJens Wiklander goto cleanup; \ 231*32b31808SJens Wiklander } \ 232*32b31808SJens Wiklander } while (0) 233*32b31808SJens Wiklander /* 234*32b31808SJens Wiklander * Exit when return negative value 235*32b31808SJens Wiklander */ 236*32b31808SJens Wiklander #define MBEDTLS_SSL_PROC_CHK_NEG(f) \ 237*32b31808SJens Wiklander do { \ 238*32b31808SJens Wiklander ret = (f); \ 239*32b31808SJens Wiklander if (ret < 0) \ 240*32b31808SJens Wiklander { \ 241*32b31808SJens Wiklander goto cleanup; \ 242*32b31808SJens Wiklander } \ 243*32b31808SJens Wiklander } while (0) 244*32b31808SJens Wiklander 245*32b31808SJens Wiklander /* 246*32b31808SJens Wiklander * DTLS retransmission states, see RFC 6347 4.2.4 247*32b31808SJens Wiklander * 248*32b31808SJens Wiklander * The SENDING state is merged in PREPARING for initial sends, 249*32b31808SJens Wiklander * but is distinct for resends. 250*32b31808SJens Wiklander * 251*32b31808SJens Wiklander * Note: initial state is wrong for server, but is not used anyway. 252*32b31808SJens Wiklander */ 253*32b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_PREPARING 0 254*32b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_SENDING 1 255*32b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_WAITING 2 256*32b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_FINISHED 3 257*32b31808SJens Wiklander 258*32b31808SJens Wiklander /* 259*32b31808SJens Wiklander * Allow extra bytes for record, authentication and encryption overhead: 260*32b31808SJens Wiklander * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256). 261*32b31808SJens Wiklander */ 262*32b31808SJens Wiklander 263*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 264*32b31808SJens Wiklander 265*32b31808SJens Wiklander /* This macro determines whether CBC is supported. */ 266*32b31808SJens Wiklander #if defined(MBEDTLS_CIPHER_MODE_CBC) && \ 267*32b31808SJens Wiklander (defined(MBEDTLS_AES_C) || \ 268*32b31808SJens Wiklander defined(MBEDTLS_CAMELLIA_C) || \ 269*32b31808SJens Wiklander defined(MBEDTLS_ARIA_C) || \ 270*32b31808SJens Wiklander defined(MBEDTLS_DES_C)) 271*32b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_CBC 272*32b31808SJens Wiklander #endif 273*32b31808SJens Wiklander 274*32b31808SJens Wiklander /* This macro determines whether a ciphersuite using a 275*32b31808SJens Wiklander * stream cipher can be used. */ 276*32b31808SJens Wiklander #if defined(MBEDTLS_CIPHER_NULL_CIPHER) 277*32b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM 278*32b31808SJens Wiklander #endif 279*32b31808SJens Wiklander 280*32b31808SJens Wiklander /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */ 281*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ 282*32b31808SJens Wiklander defined(MBEDTLS_SSL_PROTO_TLS1_2) 283*32b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC 284*32b31808SJens Wiklander #endif 285*32b31808SJens Wiklander 286*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \ 287*32b31808SJens Wiklander defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) 288*32b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_MAC 289*32b31808SJens Wiklander #endif 290*32b31808SJens Wiklander 291*32b31808SJens Wiklander /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */ 292*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ 293*32b31808SJens Wiklander defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 294*32b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM 295*32b31808SJens Wiklander #endif 296*32b31808SJens Wiklander 297*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 298*32b31808SJens Wiklander 299*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 300*32b31808SJens Wiklander /* Ciphersuites using HMAC */ 301*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 302*32b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */ 303*32b31808SJens Wiklander #elif defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 304*32b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */ 305*32b31808SJens Wiklander #else 306*32b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */ 307*32b31808SJens Wiklander #endif 308*32b31808SJens Wiklander #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 309*32b31808SJens Wiklander /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */ 310*32b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 16 311*32b31808SJens Wiklander #endif 312*32b31808SJens Wiklander 313*32b31808SJens Wiklander #if defined(MBEDTLS_CIPHER_MODE_CBC) 314*32b31808SJens Wiklander #define MBEDTLS_SSL_PADDING_ADD 256 315*32b31808SJens Wiklander #else 316*32b31808SJens Wiklander #define MBEDTLS_SSL_PADDING_ADD 0 317*32b31808SJens Wiklander #endif 318*32b31808SJens Wiklander 319*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 320*32b31808SJens Wiklander #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 321*32b31808SJens Wiklander #else 322*32b31808SJens Wiklander #define MBEDTLS_SSL_MAX_CID_EXPANSION 0 323*32b31808SJens Wiklander #endif 324*32b31808SJens Wiklander 325*32b31808SJens Wiklander #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \ 326*32b31808SJens Wiklander MBEDTLS_SSL_MAC_ADD + \ 327*32b31808SJens Wiklander MBEDTLS_SSL_PADDING_ADD + \ 328*32b31808SJens Wiklander MBEDTLS_SSL_MAX_CID_EXPANSION \ 329*32b31808SJens Wiklander ) 330*32b31808SJens Wiklander 331*32b31808SJens Wiklander #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 332*32b31808SJens Wiklander (MBEDTLS_SSL_IN_CONTENT_LEN)) 333*32b31808SJens Wiklander 334*32b31808SJens Wiklander #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 335*32b31808SJens Wiklander (MBEDTLS_SSL_OUT_CONTENT_LEN)) 336*32b31808SJens Wiklander 337*32b31808SJens Wiklander /* The maximum number of buffered handshake messages. */ 338*32b31808SJens Wiklander #define MBEDTLS_SSL_MAX_BUFFERED_HS 4 339*32b31808SJens Wiklander 340*32b31808SJens Wiklander /* Maximum length we can advertise as our max content length for 341*32b31808SJens Wiklander RFC 6066 max_fragment_length extension negotiation purposes 342*32b31808SJens Wiklander (the lesser of both sizes, if they are unequal.) 343*32b31808SJens Wiklander */ 344*32b31808SJens Wiklander #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \ 345*32b31808SJens Wiklander (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \ 346*32b31808SJens Wiklander ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \ 347*32b31808SJens Wiklander : (MBEDTLS_SSL_IN_CONTENT_LEN) \ 348*32b31808SJens Wiklander ) 349*32b31808SJens Wiklander 350*32b31808SJens Wiklander /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */ 351*32b31808SJens Wiklander #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534 352*32b31808SJens Wiklander 353*32b31808SJens Wiklander /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */ 354*32b31808SJens Wiklander #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2 355*32b31808SJens Wiklander 356*32b31808SJens Wiklander /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */ 357*32b31808SJens Wiklander #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535 358*32b31808SJens Wiklander 359*32b31808SJens Wiklander #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20 360*32b31808SJens Wiklander 361*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 362*32b31808SJens Wiklander 363*32b31808SJens Wiklander #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE 364*32b31808SJens Wiklander 365*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 366*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig) 367*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF) 368*32b31808SJens Wiklander #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8) 369*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 370*32b31808SJens Wiklander 371*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 372*32b31808SJens Wiklander 373*32b31808SJens Wiklander /* 374*32b31808SJens Wiklander * Check that we obey the standard's message size bounds 375*32b31808SJens Wiklander */ 376*32b31808SJens Wiklander 377*32b31808SJens Wiklander #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384 378*32b31808SJens Wiklander #error "Bad configuration - incoming record content too large." 379*32b31808SJens Wiklander #endif 380*32b31808SJens Wiklander 381*32b31808SJens Wiklander #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384 382*32b31808SJens Wiklander #error "Bad configuration - outgoing record content too large." 383*32b31808SJens Wiklander #endif 384*32b31808SJens Wiklander 385*32b31808SJens Wiklander #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048 386*32b31808SJens Wiklander #error "Bad configuration - incoming protected record payload too large." 387*32b31808SJens Wiklander #endif 388*32b31808SJens Wiklander 389*32b31808SJens Wiklander #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048 390*32b31808SJens Wiklander #error "Bad configuration - outgoing protected record payload too large." 391*32b31808SJens Wiklander #endif 392*32b31808SJens Wiklander 393*32b31808SJens Wiklander /* Calculate buffer sizes */ 394*32b31808SJens Wiklander 395*32b31808SJens Wiklander /* Note: Even though the TLS record header is only 5 bytes 396*32b31808SJens Wiklander long, we're internally using 8 bytes to store the 397*32b31808SJens Wiklander implicit sequence number. */ 398*32b31808SJens Wiklander #define MBEDTLS_SSL_HEADER_LEN 13 399*32b31808SJens Wiklander 400*32b31808SJens Wiklander #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 401*32b31808SJens Wiklander #define MBEDTLS_SSL_IN_BUFFER_LEN \ 402*32b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN)) 403*32b31808SJens Wiklander #else 404*32b31808SJens Wiklander #define MBEDTLS_SSL_IN_BUFFER_LEN \ 405*32b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \ 406*32b31808SJens Wiklander + (MBEDTLS_SSL_CID_IN_LEN_MAX)) 407*32b31808SJens Wiklander #endif 408*32b31808SJens Wiklander 409*32b31808SJens Wiklander #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 410*32b31808SJens Wiklander #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 411*32b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN)) 412*32b31808SJens Wiklander #else 413*32b31808SJens Wiklander #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 414*32b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \ 415*32b31808SJens Wiklander + (MBEDTLS_SSL_CID_OUT_LEN_MAX)) 416*32b31808SJens Wiklander #endif 417*32b31808SJens Wiklander 418*32b31808SJens Wiklander #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32 419*32b31808SJens Wiklander #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32 420*32b31808SJens Wiklander 421*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 422*32b31808SJens Wiklander /** 423*32b31808SJens Wiklander * \brief Return the maximum fragment length (payload, in bytes) for 424*32b31808SJens Wiklander * the output buffer. For the client, this is the configured 425*32b31808SJens Wiklander * value. For the server, it is the minimum of two - the 426*32b31808SJens Wiklander * configured value and the negotiated one. 427*32b31808SJens Wiklander * 428*32b31808SJens Wiklander * \sa mbedtls_ssl_conf_max_frag_len() 429*32b31808SJens Wiklander * \sa mbedtls_ssl_get_max_out_record_payload() 430*32b31808SJens Wiklander * 431*32b31808SJens Wiklander * \param ssl SSL context 432*32b31808SJens Wiklander * 433*32b31808SJens Wiklander * \return Current maximum fragment length for the output buffer. 434*32b31808SJens Wiklander */ 435*32b31808SJens Wiklander size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl); 436*32b31808SJens Wiklander 437*32b31808SJens Wiklander /** 438*32b31808SJens Wiklander * \brief Return the maximum fragment length (payload, in bytes) for 439*32b31808SJens Wiklander * the input buffer. This is the negotiated maximum fragment 440*32b31808SJens Wiklander * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN. 441*32b31808SJens Wiklander * If it is not defined either, the value is 2^14. This function 442*32b31808SJens Wiklander * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). 443*32b31808SJens Wiklander * 444*32b31808SJens Wiklander * \sa mbedtls_ssl_conf_max_frag_len() 445*32b31808SJens Wiklander * \sa mbedtls_ssl_get_max_in_record_payload() 446*32b31808SJens Wiklander * 447*32b31808SJens Wiklander * \param ssl SSL context 448*32b31808SJens Wiklander * 449*32b31808SJens Wiklander * \return Current maximum fragment length for the output buffer. 450*32b31808SJens Wiklander */ 451*32b31808SJens Wiklander size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl); 452*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 453*32b31808SJens Wiklander 454*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 455*32b31808SJens Wiklander static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx) 456*32b31808SJens Wiklander { 457*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 458*32b31808SJens Wiklander return mbedtls_ssl_get_output_max_frag_len(ctx) 459*32b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD 460*32b31808SJens Wiklander + MBEDTLS_SSL_CID_OUT_LEN_MAX; 461*32b31808SJens Wiklander #else 462*32b31808SJens Wiklander return mbedtls_ssl_get_output_max_frag_len(ctx) 463*32b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; 464*32b31808SJens Wiklander #endif 465*32b31808SJens Wiklander } 466*32b31808SJens Wiklander 467*32b31808SJens Wiklander static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx) 468*32b31808SJens Wiklander { 469*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 470*32b31808SJens Wiklander return mbedtls_ssl_get_input_max_frag_len(ctx) 471*32b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD 472*32b31808SJens Wiklander + MBEDTLS_SSL_CID_IN_LEN_MAX; 473*32b31808SJens Wiklander #else 474*32b31808SJens Wiklander return mbedtls_ssl_get_input_max_frag_len(ctx) 475*32b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; 476*32b31808SJens Wiklander #endif 477*32b31808SJens Wiklander } 478*32b31808SJens Wiklander #endif 479*32b31808SJens Wiklander 480*32b31808SJens Wiklander /* 481*32b31808SJens Wiklander * TLS extension flags (for extensions with outgoing ServerHello content 482*32b31808SJens Wiklander * that need it (e.g. for RENEGOTIATION_INFO the server already knows because 483*32b31808SJens Wiklander * of state of the renegotiation flag, so no indicator is required) 484*32b31808SJens Wiklander */ 485*32b31808SJens Wiklander #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) 486*32b31808SJens Wiklander #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1) 487*32b31808SJens Wiklander 488*32b31808SJens Wiklander /** 489*32b31808SJens Wiklander * \brief This function checks if the remaining size in a buffer is 490*32b31808SJens Wiklander * greater or equal than a needed space. 491*32b31808SJens Wiklander * 492*32b31808SJens Wiklander * \param cur Pointer to the current position in the buffer. 493*32b31808SJens Wiklander * \param end Pointer to one past the end of the buffer. 494*32b31808SJens Wiklander * \param need Needed space in bytes. 495*32b31808SJens Wiklander * 496*32b31808SJens Wiklander * \return Zero if the needed space is available in the buffer, non-zero 497*32b31808SJens Wiklander * otherwise. 498*32b31808SJens Wiklander */ 499*32b31808SJens Wiklander #if !defined(MBEDTLS_TEST_HOOKS) 500*32b31808SJens Wiklander static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur, 501*32b31808SJens Wiklander const uint8_t *end, size_t need) 502*32b31808SJens Wiklander { 503*32b31808SJens Wiklander return (cur > end) || (need > (size_t) (end - cur)); 504*32b31808SJens Wiklander } 505*32b31808SJens Wiklander #else 506*32b31808SJens Wiklander typedef struct { 507*32b31808SJens Wiklander const uint8_t *cur; 508*32b31808SJens Wiklander const uint8_t *end; 509*32b31808SJens Wiklander size_t need; 510*32b31808SJens Wiklander } mbedtls_ssl_chk_buf_ptr_args; 511*32b31808SJens Wiklander 512*32b31808SJens Wiklander void mbedtls_ssl_set_chk_buf_ptr_fail_args( 513*32b31808SJens Wiklander const uint8_t *cur, const uint8_t *end, size_t need); 514*32b31808SJens Wiklander void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void); 515*32b31808SJens Wiklander 516*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 517*32b31808SJens Wiklander int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args); 518*32b31808SJens Wiklander 519*32b31808SJens Wiklander static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur, 520*32b31808SJens Wiklander const uint8_t *end, size_t need) 521*32b31808SJens Wiklander { 522*32b31808SJens Wiklander if ((cur > end) || (need > (size_t) (end - cur))) { 523*32b31808SJens Wiklander mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need); 524*32b31808SJens Wiklander return 1; 525*32b31808SJens Wiklander } 526*32b31808SJens Wiklander return 0; 527*32b31808SJens Wiklander } 528*32b31808SJens Wiklander #endif /* MBEDTLS_TEST_HOOKS */ 529*32b31808SJens Wiklander 530*32b31808SJens Wiklander /** 531*32b31808SJens Wiklander * \brief This macro checks if the remaining size in a buffer is 532*32b31808SJens Wiklander * greater or equal than a needed space. If it is not the case, 533*32b31808SJens Wiklander * it returns an SSL_BUFFER_TOO_SMALL error. 534*32b31808SJens Wiklander * 535*32b31808SJens Wiklander * \param cur Pointer to the current position in the buffer. 536*32b31808SJens Wiklander * \param end Pointer to one past the end of the buffer. 537*32b31808SJens Wiklander * \param need Needed space in bytes. 538*32b31808SJens Wiklander * 539*32b31808SJens Wiklander */ 540*32b31808SJens Wiklander #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \ 541*32b31808SJens Wiklander do { \ 542*32b31808SJens Wiklander if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \ 543*32b31808SJens Wiklander { \ 544*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \ 545*32b31808SJens Wiklander } \ 546*32b31808SJens Wiklander } while (0) 547*32b31808SJens Wiklander 548*32b31808SJens Wiklander /** 549*32b31808SJens Wiklander * \brief This macro checks if the remaining length in an input buffer is 550*32b31808SJens Wiklander * greater or equal than a needed length. If it is not the case, it 551*32b31808SJens Wiklander * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a 552*32b31808SJens Wiklander * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message. 553*32b31808SJens Wiklander * 554*32b31808SJens Wiklander * This is a function-like macro. It is guaranteed to evaluate each 555*32b31808SJens Wiklander * argument exactly once. 556*32b31808SJens Wiklander * 557*32b31808SJens Wiklander * \param cur Pointer to the current position in the buffer. 558*32b31808SJens Wiklander * \param end Pointer to one past the end of the buffer. 559*32b31808SJens Wiklander * \param need Needed length in bytes. 560*32b31808SJens Wiklander * 561*32b31808SJens Wiklander */ 562*32b31808SJens Wiklander #define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \ 563*32b31808SJens Wiklander do { \ 564*32b31808SJens Wiklander if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \ 565*32b31808SJens Wiklander { \ 566*32b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, \ 567*32b31808SJens Wiklander ("missing input data in %s", __func__)); \ 568*32b31808SJens Wiklander MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ 569*32b31808SJens Wiklander MBEDTLS_ERR_SSL_DECODE_ERROR); \ 570*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; \ 571*32b31808SJens Wiklander } \ 572*32b31808SJens Wiklander } while (0) 573*32b31808SJens Wiklander 574*32b31808SJens Wiklander #ifdef __cplusplus 575*32b31808SJens Wiklander extern "C" { 576*32b31808SJens Wiklander #endif 577*32b31808SJens Wiklander 578*32b31808SJens Wiklander typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen, 579*32b31808SJens Wiklander const char *label, 580*32b31808SJens Wiklander const unsigned char *random, size_t rlen, 581*32b31808SJens Wiklander unsigned char *dstbuf, size_t dlen); 582*32b31808SJens Wiklander 583*32b31808SJens Wiklander /* cipher.h exports the maximum IV, key and block length from 584*32b31808SJens Wiklander * all ciphers enabled in the config, regardless of whether those 585*32b31808SJens Wiklander * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled 586*32b31808SJens Wiklander * in the default configuration and uses 64 Byte keys, but it is 587*32b31808SJens Wiklander * not used for record protection in SSL/TLS. 588*32b31808SJens Wiklander * 589*32b31808SJens Wiklander * In order to prevent unnecessary inflation of key structures, 590*32b31808SJens Wiklander * we introduce SSL-specific variants of the max-{key,block,IV} 591*32b31808SJens Wiklander * macros here which are meant to only take those ciphers into 592*32b31808SJens Wiklander * account which can be negotiated in SSL/TLS. 593*32b31808SJens Wiklander * 594*32b31808SJens Wiklander * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH 595*32b31808SJens Wiklander * in cipher.h are rough overapproximations of the real maxima, here 596*32b31808SJens Wiklander * we content ourselves with replicating those overapproximations 597*32b31808SJens Wiklander * for the maximum block and IV length, and excluding XTS from the 598*32b31808SJens Wiklander * computation of the maximum key length. */ 599*32b31808SJens Wiklander #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16 600*32b31808SJens Wiklander #define MBEDTLS_SSL_MAX_IV_LENGTH 16 601*32b31808SJens Wiklander #define MBEDTLS_SSL_MAX_KEY_LENGTH 32 602*32b31808SJens Wiklander 603*32b31808SJens Wiklander /** 604*32b31808SJens Wiklander * \brief The data structure holding the cryptographic material (key and IV) 605*32b31808SJens Wiklander * used for record protection in TLS 1.3. 606*32b31808SJens Wiklander */ 607*32b31808SJens Wiklander struct mbedtls_ssl_key_set { 608*32b31808SJens Wiklander /*! The key for client->server records. */ 609*32b31808SJens Wiklander unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; 610*32b31808SJens Wiklander /*! The key for server->client records. */ 611*32b31808SJens Wiklander unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; 612*32b31808SJens Wiklander /*! The IV for client->server records. */ 613*32b31808SJens Wiklander unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; 614*32b31808SJens Wiklander /*! The IV for server->client records. */ 615*32b31808SJens Wiklander unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; 616*32b31808SJens Wiklander 617*32b31808SJens Wiklander size_t key_len; /*!< The length of client_write_key and 618*32b31808SJens Wiklander * server_write_key, in Bytes. */ 619*32b31808SJens Wiklander size_t iv_len; /*!< The length of client_write_iv and 620*32b31808SJens Wiklander * server_write_iv, in Bytes. */ 621*32b31808SJens Wiklander }; 622*32b31808SJens Wiklander typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; 623*32b31808SJens Wiklander 624*32b31808SJens Wiklander typedef struct { 625*32b31808SJens Wiklander unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 626*32b31808SJens Wiklander unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 627*32b31808SJens Wiklander unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 628*32b31808SJens Wiklander } mbedtls_ssl_tls13_early_secrets; 629*32b31808SJens Wiklander 630*32b31808SJens Wiklander typedef struct { 631*32b31808SJens Wiklander unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 632*32b31808SJens Wiklander unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 633*32b31808SJens Wiklander } mbedtls_ssl_tls13_handshake_secrets; 634*32b31808SJens Wiklander 635*32b31808SJens Wiklander /* 636*32b31808SJens Wiklander * This structure contains the parameters only needed during handshake. 637*32b31808SJens Wiklander */ 638*32b31808SJens Wiklander struct mbedtls_ssl_handshake_params { 639*32b31808SJens Wiklander /* Frequently-used boolean or byte fields (placed early to take 640*32b31808SJens Wiklander * advantage of smaller code size for indirect access on Arm Thumb) */ 641*32b31808SJens Wiklander uint8_t resume; /*!< session resume indicator*/ 642*32b31808SJens Wiklander uint8_t cli_exts; /*!< client extension presence*/ 643*32b31808SJens Wiklander 644*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 645*32b31808SJens Wiklander uint8_t sni_authmode; /*!< authmode from SNI callback */ 646*32b31808SJens Wiklander #endif 647*32b31808SJens Wiklander 648*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C) 649*32b31808SJens Wiklander /* Flag indicating if a CertificateRequest message has been sent 650*32b31808SJens Wiklander * to the client or not. */ 651*32b31808SJens Wiklander uint8_t certificate_request_sent; 652*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C */ 653*32b31808SJens Wiklander 654*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS) 655*32b31808SJens Wiklander uint8_t new_session_ticket; /*!< use NewSessionTicket? */ 656*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 657*32b31808SJens Wiklander 658*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) 659*32b31808SJens Wiklander /** Minimum TLS version to be negotiated. 660*32b31808SJens Wiklander * 661*32b31808SJens Wiklander * It is set up in the ClientHello writing preparation stage and used 662*32b31808SJens Wiklander * throughout the ClientHello writing. Not relevant anymore as soon as 663*32b31808SJens Wiklander * the protocol version has been negotiated thus as soon as the 664*32b31808SJens Wiklander * ServerHello is received. 665*32b31808SJens Wiklander * For a fresh handshake not linked to any previous handshake, it is 666*32b31808SJens Wiklander * equal to the configured minimum minor version to be negotiated. When 667*32b31808SJens Wiklander * renegotiating or resuming a session, it is equal to the previously 668*32b31808SJens Wiklander * negotiated minor version. 669*32b31808SJens Wiklander * 670*32b31808SJens Wiklander * There is no maximum TLS version field in this handshake context. 671*32b31808SJens Wiklander * From the start of the handshake, we need to define a current protocol 672*32b31808SJens Wiklander * version for the record layer which we define as the maximum TLS 673*32b31808SJens Wiklander * version to be negotiated. The `tls_version` field of the SSL context is 674*32b31808SJens Wiklander * used to store this maximum value until it contains the actual 675*32b31808SJens Wiklander * negotiated value. 676*32b31808SJens Wiklander */ 677*32b31808SJens Wiklander mbedtls_ssl_protocol_version min_tls_version; 678*32b31808SJens Wiklander #endif 679*32b31808SJens Wiklander 680*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 681*32b31808SJens Wiklander uint8_t extended_ms; /*!< use Extended Master Secret? */ 682*32b31808SJens Wiklander #endif 683*32b31808SJens Wiklander 684*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 685*32b31808SJens Wiklander uint8_t async_in_progress; /*!< an asynchronous operation is in progress */ 686*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 687*32b31808SJens Wiklander 688*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 689*32b31808SJens Wiklander unsigned char retransmit_state; /*!< Retransmission state */ 690*32b31808SJens Wiklander #endif 691*32b31808SJens Wiklander 692*32b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED) 693*32b31808SJens Wiklander unsigned char group_list_heap_allocated; 694*32b31808SJens Wiklander unsigned char sig_algs_heap_allocated; 695*32b31808SJens Wiklander #endif 696*32b31808SJens Wiklander 697*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 698*32b31808SJens Wiklander uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */ 699*32b31808SJens Wiklander enum { /* this complements ssl->state with info on intra-state operations */ 700*32b31808SJens Wiklander ssl_ecrs_none = 0, /*!< nothing going on (yet) */ 701*32b31808SJens Wiklander ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */ 702*32b31808SJens Wiklander ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */ 703*32b31808SJens Wiklander ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ 704*32b31808SJens Wiklander ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ 705*32b31808SJens Wiklander } ecrs_state; /*!< current (or last) operation */ 706*32b31808SJens Wiklander mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ 707*32b31808SJens Wiklander size_t ecrs_n; /*!< place for saving a length */ 708*32b31808SJens Wiklander #endif 709*32b31808SJens Wiklander 710*32b31808SJens Wiklander mbedtls_ssl_ciphersuite_t const *ciphersuite_info; 711*32b31808SJens Wiklander 712*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 713*32b31808SJens Wiklander int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); 714*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 715*32b31808SJens Wiklander int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); 716*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 717*32b31808SJens Wiklander int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); 718*32b31808SJens Wiklander mbedtls_ssl_tls_prf_cb *tls_prf; 719*32b31808SJens Wiklander 720*32b31808SJens Wiklander /* 721*32b31808SJens Wiklander * Handshake specific crypto variables 722*32b31808SJens Wiklander */ 723*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 724*32b31808SJens Wiklander uint8_t key_exchange_mode; /*!< Selected key exchange mode */ 725*32b31808SJens Wiklander 726*32b31808SJens Wiklander /** Number of HelloRetryRequest messages received/sent from/to the server. */ 727*32b31808SJens Wiklander int hello_retry_request_count; 728*32b31808SJens Wiklander 729*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C) 730*32b31808SJens Wiklander /** selected_group of key_share extension in HelloRetryRequest message. */ 731*32b31808SJens Wiklander uint16_t hrr_selected_group; 732*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 733*32b31808SJens Wiklander uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */ 734*32b31808SJens Wiklander #endif 735*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS) 736*32b31808SJens Wiklander uint16_t new_session_tickets_count; /*!< number of session tickets */ 737*32b31808SJens Wiklander #endif 738*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C */ 739*32b31808SJens Wiklander 740*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 741*32b31808SJens Wiklander 742*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 743*32b31808SJens Wiklander uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE]; 744*32b31808SJens Wiklander #endif 745*32b31808SJens Wiklander 746*32b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED) 747*32b31808SJens Wiklander const uint16_t *group_list; 748*32b31808SJens Wiklander const uint16_t *sig_algs; 749*32b31808SJens Wiklander #endif 750*32b31808SJens Wiklander 751*32b31808SJens Wiklander #if defined(MBEDTLS_DHM_C) 752*32b31808SJens Wiklander mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ 753*32b31808SJens Wiklander #endif 754*32b31808SJens Wiklander 755*32b31808SJens Wiklander /* Adding guard for MBEDTLS_ECDSA_C to ensure no compile errors due 756*32b31808SJens Wiklander * to guards in client and server code. There is a gap in functionality that 757*32b31808SJens Wiklander * access to ecdh_ctx structure is needed for MBEDTLS_ECDSA_C which does not 758*32b31808SJens Wiklander * seem correct. 759*32b31808SJens Wiklander */ 760*32b31808SJens Wiklander #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) 761*32b31808SJens Wiklander #if !defined(MBEDTLS_USE_PSA_CRYPTO) 762*32b31808SJens Wiklander mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ 763*32b31808SJens Wiklander #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 764*32b31808SJens Wiklander 765*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 766*32b31808SJens Wiklander psa_key_type_t ecdh_psa_type; 767*32b31808SJens Wiklander size_t ecdh_bits; 768*32b31808SJens Wiklander mbedtls_svc_key_id_t ecdh_psa_privkey; 769*32b31808SJens Wiklander uint8_t ecdh_psa_privkey_is_external; 770*32b31808SJens Wiklander unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; 771*32b31808SJens Wiklander size_t ecdh_psa_peerkey_len; 772*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ 773*32b31808SJens Wiklander #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ 774*32b31808SJens Wiklander 775*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 776*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 777*32b31808SJens Wiklander psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */ 778*32b31808SJens Wiklander mbedtls_svc_key_id_t psa_pake_password; 779*32b31808SJens Wiklander uint8_t psa_pake_ctx_is_ok; 780*32b31808SJens Wiklander #else 781*32b31808SJens Wiklander mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ 782*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 783*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) 784*32b31808SJens Wiklander unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ 785*32b31808SJens Wiklander size_t ecjpake_cache_len; /*!< Length of cached data */ 786*32b31808SJens Wiklander #endif 787*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 788*32b31808SJens Wiklander 789*32b31808SJens Wiklander #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ 790*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 791*32b31808SJens Wiklander uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */ 792*32b31808SJens Wiklander #endif 793*32b31808SJens Wiklander 794*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 795*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 796*32b31808SJens Wiklander mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ 797*32b31808SJens Wiklander uint8_t psk_opaque_is_internal; 798*32b31808SJens Wiklander #else 799*32b31808SJens Wiklander unsigned char *psk; /*!< PSK from the callback */ 800*32b31808SJens Wiklander size_t psk_len; /*!< Length of PSK from callback */ 801*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 802*32b31808SJens Wiklander uint16_t selected_identity; 803*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 804*32b31808SJens Wiklander 805*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 806*32b31808SJens Wiklander mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */ 807*32b31808SJens Wiklander #endif 808*32b31808SJens Wiklander 809*32b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C) 810*32b31808SJens Wiklander mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ 811*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 812*32b31808SJens Wiklander mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ 813*32b31808SJens Wiklander mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */ 814*32b31808SJens Wiklander mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ 815*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 816*32b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C */ 817*32b31808SJens Wiklander 818*32b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 819*32b31808SJens Wiklander !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 820*32b31808SJens Wiklander mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */ 821*32b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 822*32b31808SJens Wiklander 823*32b31808SJens Wiklander struct { 824*32b31808SJens Wiklander size_t total_bytes_buffered; /*!< Cumulative size of heap allocated 825*32b31808SJens Wiklander * buffers used for message buffering. */ 826*32b31808SJens Wiklander 827*32b31808SJens Wiklander uint8_t seen_ccs; /*!< Indicates if a CCS message has 828*32b31808SJens Wiklander * been seen in the current flight. */ 829*32b31808SJens Wiklander 830*32b31808SJens Wiklander struct mbedtls_ssl_hs_buffer { 831*32b31808SJens Wiklander unsigned is_valid : 1; 832*32b31808SJens Wiklander unsigned is_fragmented : 1; 833*32b31808SJens Wiklander unsigned is_complete : 1; 834*32b31808SJens Wiklander unsigned char *data; 835*32b31808SJens Wiklander size_t data_len; 836*32b31808SJens Wiklander } hs[MBEDTLS_SSL_MAX_BUFFERED_HS]; 837*32b31808SJens Wiklander 838*32b31808SJens Wiklander struct { 839*32b31808SJens Wiklander unsigned char *data; 840*32b31808SJens Wiklander size_t len; 841*32b31808SJens Wiklander unsigned epoch; 842*32b31808SJens Wiklander } future_record; 843*32b31808SJens Wiklander 844*32b31808SJens Wiklander } buffering; 845*32b31808SJens Wiklander 846*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) && \ 847*32b31808SJens Wiklander (defined(MBEDTLS_SSL_PROTO_DTLS) || \ 848*32b31808SJens Wiklander defined(MBEDTLS_SSL_PROTO_TLS1_3)) 849*32b31808SJens Wiklander unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS 850*32b31808SJens Wiklander * HelloRetryRequest cookie for TLS 1.3 */ 851*32b31808SJens Wiklander #if !defined(MBEDTLS_SSL_PROTO_TLS1_3) 852*32b31808SJens Wiklander /* RFC 6347 page 15 853*32b31808SJens Wiklander ... 854*32b31808SJens Wiklander opaque cookie<0..2^8-1>; 855*32b31808SJens Wiklander ... 856*32b31808SJens Wiklander */ 857*32b31808SJens Wiklander uint8_t cookie_len; 858*32b31808SJens Wiklander #else 859*32b31808SJens Wiklander /* RFC 8446 page 39 860*32b31808SJens Wiklander ... 861*32b31808SJens Wiklander opaque cookie<0..2^16-1>; 862*32b31808SJens Wiklander ... 863*32b31808SJens Wiklander If TLS1_3 is enabled, the max length is 2^16 - 1 864*32b31808SJens Wiklander */ 865*32b31808SJens Wiklander uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length 866*32b31808SJens Wiklander * TLS1_3: HelloRetryRequest cookie length */ 867*32b31808SJens Wiklander #endif 868*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_CLI_C && 869*32b31808SJens Wiklander ( MBEDTLS_SSL_PROTO_DTLS || 870*32b31808SJens Wiklander MBEDTLS_SSL_PROTO_TLS1_3 ) */ 871*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS) 872*32b31808SJens Wiklander unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */ 873*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */ 874*32b31808SJens Wiklander 875*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 876*32b31808SJens Wiklander unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ 877*32b31808SJens Wiklander unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ 878*32b31808SJens Wiklander 879*32b31808SJens Wiklander uint32_t retransmit_timeout; /*!< Current value of timeout */ 880*32b31808SJens Wiklander mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */ 881*32b31808SJens Wiklander mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */ 882*32b31808SJens Wiklander unsigned char *cur_msg_p; /*!< Position in current message */ 883*32b31808SJens Wiklander unsigned int in_flight_start_seq; /*!< Minimum message sequence in the 884*32b31808SJens Wiklander flight being received */ 885*32b31808SJens Wiklander mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for 886*32b31808SJens Wiklander resending messages */ 887*32b31808SJens Wiklander unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter 888*32b31808SJens Wiklander for resending messages */ 889*32b31808SJens Wiklander 890*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 891*32b31808SJens Wiklander /* The state of CID configuration in this handshake. */ 892*32b31808SJens Wiklander 893*32b31808SJens Wiklander uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension 894*32b31808SJens Wiklander * has been negotiated. Possible values are 895*32b31808SJens Wiklander * #MBEDTLS_SSL_CID_ENABLED and 896*32b31808SJens Wiklander * #MBEDTLS_SSL_CID_DISABLED. */ 897*32b31808SJens Wiklander unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */ 898*32b31808SJens Wiklander uint8_t peer_cid_len; /*!< The length of 899*32b31808SJens Wiklander * \c peer_cid. */ 900*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 901*32b31808SJens Wiklander 902*32b31808SJens Wiklander uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ 903*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 904*32b31808SJens Wiklander 905*32b31808SJens Wiklander /* 906*32b31808SJens Wiklander * Checksum contexts 907*32b31808SJens Wiklander */ 908*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 909*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 910*32b31808SJens Wiklander psa_hash_operation_t fin_sha256_psa; 911*32b31808SJens Wiklander #else 912*32b31808SJens Wiklander mbedtls_md_context_t fin_sha256; 913*32b31808SJens Wiklander #endif 914*32b31808SJens Wiklander #endif 915*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 916*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 917*32b31808SJens Wiklander psa_hash_operation_t fin_sha384_psa; 918*32b31808SJens Wiklander #else 919*32b31808SJens Wiklander mbedtls_md_context_t fin_sha384; 920*32b31808SJens Wiklander #endif 921*32b31808SJens Wiklander #endif 922*32b31808SJens Wiklander 923*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 924*32b31808SJens Wiklander uint16_t offered_group_id; /* The NamedGroup value for the group 925*32b31808SJens Wiklander * that is being used for ephemeral 926*32b31808SJens Wiklander * key exchange. 927*32b31808SJens Wiklander * 928*32b31808SJens Wiklander * On the client: Defaults to the first 929*32b31808SJens Wiklander * entry in the client's group list, 930*32b31808SJens Wiklander * but can be overwritten by the HRR. */ 931*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 932*32b31808SJens Wiklander 933*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) 934*32b31808SJens Wiklander uint8_t client_auth; /*!< used to check if CertificateRequest has been 935*32b31808SJens Wiklander received from server side. If CertificateRequest 936*32b31808SJens Wiklander has been received, Certificate and CertificateVerify 937*32b31808SJens Wiklander should be sent to server */ 938*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_CLI_C */ 939*32b31808SJens Wiklander /* 940*32b31808SJens Wiklander * State-local variables used during the processing 941*32b31808SJens Wiklander * of a specific handshake state. 942*32b31808SJens Wiklander */ 943*32b31808SJens Wiklander union { 944*32b31808SJens Wiklander /* Outgoing Finished message */ 945*32b31808SJens Wiklander struct { 946*32b31808SJens Wiklander uint8_t preparation_done; 947*32b31808SJens Wiklander 948*32b31808SJens Wiklander /* Buffer holding digest of the handshake up to 949*32b31808SJens Wiklander * but excluding the outgoing finished message. */ 950*32b31808SJens Wiklander unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 951*32b31808SJens Wiklander size_t digest_len; 952*32b31808SJens Wiklander } finished_out; 953*32b31808SJens Wiklander 954*32b31808SJens Wiklander /* Incoming Finished message */ 955*32b31808SJens Wiklander struct { 956*32b31808SJens Wiklander uint8_t preparation_done; 957*32b31808SJens Wiklander 958*32b31808SJens Wiklander /* Buffer holding digest of the handshake up to but 959*32b31808SJens Wiklander * excluding the peer's incoming finished message. */ 960*32b31808SJens Wiklander unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 961*32b31808SJens Wiklander size_t digest_len; 962*32b31808SJens Wiklander } finished_in; 963*32b31808SJens Wiklander 964*32b31808SJens Wiklander } state_local; 965*32b31808SJens Wiklander 966*32b31808SJens Wiklander /* End of state-local variables. */ 967*32b31808SJens Wiklander 968*32b31808SJens Wiklander unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN + 969*32b31808SJens Wiklander MBEDTLS_SERVER_HELLO_RANDOM_LEN]; 970*32b31808SJens Wiklander /*!< random bytes */ 971*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 972*32b31808SJens Wiklander unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; 973*32b31808SJens Wiklander /*!< premaster secret */ 974*32b31808SJens Wiklander size_t pmslen; /*!< premaster length */ 975*32b31808SJens Wiklander #endif 976*32b31808SJens Wiklander 977*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 978*32b31808SJens Wiklander uint32_t sent_extensions; /*!< extensions sent by endpoint */ 979*32b31808SJens Wiklander uint32_t received_extensions; /*!< extensions received by endpoint */ 980*32b31808SJens Wiklander 981*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 982*32b31808SJens Wiklander unsigned char certificate_request_context_len; 983*32b31808SJens Wiklander unsigned char *certificate_request_context; 984*32b31808SJens Wiklander #endif 985*32b31808SJens Wiklander 986*32b31808SJens Wiklander /** TLS 1.3 transform for encrypted handshake messages. */ 987*32b31808SJens Wiklander mbedtls_ssl_transform *transform_handshake; 988*32b31808SJens Wiklander union { 989*32b31808SJens Wiklander unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 990*32b31808SJens Wiklander unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 991*32b31808SJens Wiklander unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 992*32b31808SJens Wiklander } tls13_master_secrets; 993*32b31808SJens Wiklander 994*32b31808SJens Wiklander mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; 995*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_EARLY_DATA) 996*32b31808SJens Wiklander /** TLS 1.3 transform for early data and handshake messages. */ 997*32b31808SJens Wiklander mbedtls_ssl_transform *transform_earlydata; 998*32b31808SJens Wiklander #endif 999*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1000*32b31808SJens Wiklander 1001*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 1002*32b31808SJens Wiklander /** Asynchronous operation context. This field is meant for use by the 1003*32b31808SJens Wiklander * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start, 1004*32b31808SJens Wiklander * mbedtls_ssl_config::f_async_decrypt_start, 1005*32b31808SJens Wiklander * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel). 1006*32b31808SJens Wiklander * The library does not use it internally. */ 1007*32b31808SJens Wiklander void *user_async_ctx; 1008*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 1009*32b31808SJens Wiklander 1010*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1011*32b31808SJens Wiklander const unsigned char *sni_name; /*!< raw SNI */ 1012*32b31808SJens Wiklander size_t sni_name_len; /*!< raw SNI len */ 1013*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 1014*32b31808SJens Wiklander const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */ 1015*32b31808SJens Wiklander #endif 1016*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1017*32b31808SJens Wiklander }; 1018*32b31808SJens Wiklander 1019*32b31808SJens Wiklander typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer; 1020*32b31808SJens Wiklander 1021*32b31808SJens Wiklander /* 1022*32b31808SJens Wiklander * Representation of decryption/encryption transformations on records 1023*32b31808SJens Wiklander * 1024*32b31808SJens Wiklander * There are the following general types of record transformations: 1025*32b31808SJens Wiklander * - Stream transformations (TLS versions == 1.2 only) 1026*32b31808SJens Wiklander * Transformation adding a MAC and applying a stream-cipher 1027*32b31808SJens Wiklander * to the authenticated message. 1028*32b31808SJens Wiklander * - CBC block cipher transformations ([D]TLS versions == 1.2 only) 1029*32b31808SJens Wiklander * For TLS 1.2, no IV is generated at key extraction time, but every 1030*32b31808SJens Wiklander * encrypted record is explicitly prefixed by the IV with which it was 1031*32b31808SJens Wiklander * encrypted. 1032*32b31808SJens Wiklander * - AEAD transformations ([D]TLS versions == 1.2 only) 1033*32b31808SJens Wiklander * These come in two fundamentally different versions, the first one 1034*32b31808SJens Wiklander * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second 1035*32b31808SJens Wiklander * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3. 1036*32b31808SJens Wiklander * In the first transformation, the IV to be used for a record is obtained 1037*32b31808SJens Wiklander * as the concatenation of an explicit, static 4-byte IV and the 8-byte 1038*32b31808SJens Wiklander * record sequence number, and explicitly prepending this sequence number 1039*32b31808SJens Wiklander * to the encrypted record. In contrast, in the second transformation 1040*32b31808SJens Wiklander * the IV is obtained by XOR'ing a static IV obtained at key extraction 1041*32b31808SJens Wiklander * time with the 8-byte record sequence number, without prepending the 1042*32b31808SJens Wiklander * latter to the encrypted record. 1043*32b31808SJens Wiklander * 1044*32b31808SJens Wiklander * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext 1045*32b31808SJens Wiklander * which allows to add flexible length padding and to hide a record's true 1046*32b31808SJens Wiklander * content type. 1047*32b31808SJens Wiklander * 1048*32b31808SJens Wiklander * In addition to type and version, the following parameters are relevant: 1049*32b31808SJens Wiklander * - The symmetric cipher algorithm to be used. 1050*32b31808SJens Wiklander * - The (static) encryption/decryption keys for the cipher. 1051*32b31808SJens Wiklander * - For stream/CBC, the type of message digest to be used. 1052*32b31808SJens Wiklander * - For stream/CBC, (static) encryption/decryption keys for the digest. 1053*32b31808SJens Wiklander * - For AEAD transformations, the size (potentially 0) of an explicit, 1054*32b31808SJens Wiklander * random initialization vector placed in encrypted records. 1055*32b31808SJens Wiklander * - For some transformations (currently AEAD) an implicit IV. It is static 1056*32b31808SJens Wiklander * and (if present) is combined with the explicit IV in a transformation- 1057*32b31808SJens Wiklander * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3). 1058*32b31808SJens Wiklander * - For stream/CBC, a flag determining the order of encryption and MAC. 1059*32b31808SJens Wiklander * - The details of the transformation depend on the SSL/TLS version. 1060*32b31808SJens Wiklander * - The length of the authentication tag. 1061*32b31808SJens Wiklander * 1062*32b31808SJens Wiklander * The struct below refines this abstract view as follows: 1063*32b31808SJens Wiklander * - The cipher underlying the transformation is managed in 1064*32b31808SJens Wiklander * cipher contexts cipher_ctx_{enc/dec}, which must have the 1065*32b31808SJens Wiklander * same cipher type. The mode of these cipher contexts determines 1066*32b31808SJens Wiklander * the type of the transformation in the sense above: e.g., if 1067*32b31808SJens Wiklander * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM 1068*32b31808SJens Wiklander * then the transformation has type CBC resp. AEAD. 1069*32b31808SJens Wiklander * - The cipher keys are never stored explicitly but 1070*32b31808SJens Wiklander * are maintained within cipher_ctx_{enc/dec}. 1071*32b31808SJens Wiklander * - For stream/CBC transformations, the message digest contexts 1072*32b31808SJens Wiklander * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts 1073*32b31808SJens Wiklander * are unused for AEAD transformations. 1074*32b31808SJens Wiklander * - For stream/CBC transformations, the MAC keys are not stored explicitly 1075*32b31808SJens Wiklander * but maintained within md_ctx_{enc/dec}. 1076*32b31808SJens Wiklander * - The mac_enc and mac_dec fields are unused for EAD transformations. 1077*32b31808SJens Wiklander * - For transformations using an implicit IV maintained within 1078*32b31808SJens Wiklander * the transformation context, its contents are stored within 1079*32b31808SJens Wiklander * iv_{enc/dec}. 1080*32b31808SJens Wiklander * - The value of ivlen indicates the length of the IV. 1081*32b31808SJens Wiklander * This is redundant in case of stream/CBC transformations 1082*32b31808SJens Wiklander * which always use 0 resp. the cipher's block length as the 1083*32b31808SJens Wiklander * IV length, but is needed for AEAD ciphers and may be 1084*32b31808SJens Wiklander * different from the underlying cipher's block length 1085*32b31808SJens Wiklander * in this case. 1086*32b31808SJens Wiklander * - The field fixed_ivlen is nonzero for AEAD transformations only 1087*32b31808SJens Wiklander * and indicates the length of the static part of the IV which is 1088*32b31808SJens Wiklander * constant throughout the communication, and which is stored in 1089*32b31808SJens Wiklander * the first fixed_ivlen bytes of the iv_{enc/dec} arrays. 1090*32b31808SJens Wiklander * - tls_version denotes the 2-byte TLS version 1091*32b31808SJens Wiklander * - For stream/CBC transformations, maclen denotes the length of the 1092*32b31808SJens Wiklander * authentication tag, while taglen is unused and 0. 1093*32b31808SJens Wiklander * - For AEAD transformations, taglen denotes the length of the 1094*32b31808SJens Wiklander * authentication tag, while maclen is unused and 0. 1095*32b31808SJens Wiklander * - For CBC transformations, encrypt_then_mac determines the 1096*32b31808SJens Wiklander * order of encryption and authentication. This field is unused 1097*32b31808SJens Wiklander * in other transformations. 1098*32b31808SJens Wiklander * 1099*32b31808SJens Wiklander */ 1100*32b31808SJens Wiklander struct mbedtls_ssl_transform { 1101*32b31808SJens Wiklander /* 1102*32b31808SJens Wiklander * Session specific crypto layer 1103*32b31808SJens Wiklander */ 1104*32b31808SJens Wiklander size_t minlen; /*!< min. ciphertext length */ 1105*32b31808SJens Wiklander size_t ivlen; /*!< IV length */ 1106*32b31808SJens Wiklander size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */ 1107*32b31808SJens Wiklander size_t maclen; /*!< MAC(CBC) len */ 1108*32b31808SJens Wiklander size_t taglen; /*!< TAG(AEAD) len */ 1109*32b31808SJens Wiklander 1110*32b31808SJens Wiklander unsigned char iv_enc[16]; /*!< IV (encryption) */ 1111*32b31808SJens Wiklander unsigned char iv_dec[16]; /*!< IV (decryption) */ 1112*32b31808SJens Wiklander 1113*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1114*32b31808SJens Wiklander 1115*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 1116*32b31808SJens Wiklander mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */ 1117*32b31808SJens Wiklander mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */ 1118*32b31808SJens Wiklander psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */ 1119*32b31808SJens Wiklander #else 1120*32b31808SJens Wiklander mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */ 1121*32b31808SJens Wiklander mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */ 1122*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1123*32b31808SJens Wiklander 1124*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1125*32b31808SJens Wiklander int encrypt_then_mac; /*!< flag for EtM activation */ 1126*32b31808SJens Wiklander #endif 1127*32b31808SJens Wiklander 1128*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 1129*32b31808SJens Wiklander 1130*32b31808SJens Wiklander mbedtls_ssl_protocol_version tls_version; 1131*32b31808SJens Wiklander 1132*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 1133*32b31808SJens Wiklander mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */ 1134*32b31808SJens Wiklander mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */ 1135*32b31808SJens Wiklander psa_algorithm_t psa_alg; /*!< psa algorithm */ 1136*32b31808SJens Wiklander #else 1137*32b31808SJens Wiklander mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */ 1138*32b31808SJens Wiklander mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */ 1139*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1140*32b31808SJens Wiklander 1141*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1142*32b31808SJens Wiklander uint8_t in_cid_len; 1143*32b31808SJens Wiklander uint8_t out_cid_len; 1144*32b31808SJens Wiklander unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; 1145*32b31808SJens Wiklander unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; 1146*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1147*32b31808SJens Wiklander 1148*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 1149*32b31808SJens Wiklander /* We need the Hello random bytes in order to re-derive keys from the 1150*32b31808SJens Wiklander * Master Secret and other session info, 1151*32b31808SJens Wiklander * see ssl_tls12_populate_transform() */ 1152*32b31808SJens Wiklander unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN + 1153*32b31808SJens Wiklander MBEDTLS_CLIENT_HELLO_RANDOM_LEN]; 1154*32b31808SJens Wiklander /*!< ServerHello.random+ClientHello.random */ 1155*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 1156*32b31808SJens Wiklander }; 1157*32b31808SJens Wiklander 1158*32b31808SJens Wiklander /* 1159*32b31808SJens Wiklander * Return 1 if the transform uses an AEAD cipher, 0 otherwise. 1160*32b31808SJens Wiklander * Equivalently, return 0 if a separate MAC is used, 1 otherwise. 1161*32b31808SJens Wiklander */ 1162*32b31808SJens Wiklander static inline int mbedtls_ssl_transform_uses_aead( 1163*32b31808SJens Wiklander const mbedtls_ssl_transform *transform) 1164*32b31808SJens Wiklander { 1165*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1166*32b31808SJens Wiklander return transform->maclen == 0 && transform->taglen != 0; 1167*32b31808SJens Wiklander #else 1168*32b31808SJens Wiklander (void) transform; 1169*32b31808SJens Wiklander return 1; 1170*32b31808SJens Wiklander #endif 1171*32b31808SJens Wiklander } 1172*32b31808SJens Wiklander 1173*32b31808SJens Wiklander /* 1174*32b31808SJens Wiklander * Internal representation of record frames 1175*32b31808SJens Wiklander * 1176*32b31808SJens Wiklander * Instances come in two flavors: 1177*32b31808SJens Wiklander * (1) Encrypted 1178*32b31808SJens Wiklander * These always have data_offset = 0 1179*32b31808SJens Wiklander * (2) Unencrypted 1180*32b31808SJens Wiklander * These have data_offset set to the amount of 1181*32b31808SJens Wiklander * pre-expansion during record protection. Concretely, 1182*32b31808SJens Wiklander * this is the length of the fixed part of the explicit IV 1183*32b31808SJens Wiklander * used for encryption, or 0 if no explicit IV is used 1184*32b31808SJens Wiklander * (e.g. for stream ciphers). 1185*32b31808SJens Wiklander * 1186*32b31808SJens Wiklander * The reason for the data_offset in the unencrypted case 1187*32b31808SJens Wiklander * is to allow for in-place conversion of an unencrypted to 1188*32b31808SJens Wiklander * an encrypted record. If the offset wasn't included, the 1189*32b31808SJens Wiklander * encrypted content would need to be shifted afterwards to 1190*32b31808SJens Wiklander * make space for the fixed IV. 1191*32b31808SJens Wiklander * 1192*32b31808SJens Wiklander */ 1193*32b31808SJens Wiklander #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX 1194*32b31808SJens Wiklander #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX 1195*32b31808SJens Wiklander #else 1196*32b31808SJens Wiklander #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX 1197*32b31808SJens Wiklander #endif 1198*32b31808SJens Wiklander 1199*32b31808SJens Wiklander typedef struct { 1200*32b31808SJens Wiklander uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number. 1201*32b31808SJens Wiklander * In DTLS: The 2-byte epoch followed by 1202*32b31808SJens Wiklander * the 6-byte sequence number. 1203*32b31808SJens Wiklander * This is stored as a raw big endian byte array 1204*32b31808SJens Wiklander * as opposed to a uint64_t because we rarely 1205*32b31808SJens Wiklander * need to perform arithmetic on this, but do 1206*32b31808SJens Wiklander * need it as a Byte array for the purpose of 1207*32b31808SJens Wiklander * MAC computations. */ 1208*32b31808SJens Wiklander uint8_t type; /* The record content type. */ 1209*32b31808SJens Wiklander uint8_t ver[2]; /* SSL/TLS version as present on the wire. 1210*32b31808SJens Wiklander * Convert to internal presentation of versions 1211*32b31808SJens Wiklander * using mbedtls_ssl_read_version() and 1212*32b31808SJens Wiklander * mbedtls_ssl_write_version(). 1213*32b31808SJens Wiklander * Keep wire-format for MAC computations. */ 1214*32b31808SJens Wiklander 1215*32b31808SJens Wiklander unsigned char *buf; /* Memory buffer enclosing the record content */ 1216*32b31808SJens Wiklander size_t buf_len; /* Buffer length */ 1217*32b31808SJens Wiklander size_t data_offset; /* Offset of record content */ 1218*32b31808SJens Wiklander size_t data_len; /* Length of record content */ 1219*32b31808SJens Wiklander 1220*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1221*32b31808SJens Wiklander uint8_t cid_len; /* Length of the CID (0 if not present) */ 1222*32b31808SJens Wiklander unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */ 1223*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1224*32b31808SJens Wiklander } mbedtls_record; 1225*32b31808SJens Wiklander 1226*32b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C) 1227*32b31808SJens Wiklander /* 1228*32b31808SJens Wiklander * List of certificate + private key pairs 1229*32b31808SJens Wiklander */ 1230*32b31808SJens Wiklander struct mbedtls_ssl_key_cert { 1231*32b31808SJens Wiklander mbedtls_x509_crt *cert; /*!< cert */ 1232*32b31808SJens Wiklander mbedtls_pk_context *key; /*!< private key */ 1233*32b31808SJens Wiklander mbedtls_ssl_key_cert *next; /*!< next key/cert pair */ 1234*32b31808SJens Wiklander }; 1235*32b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1236*32b31808SJens Wiklander 1237*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 1238*32b31808SJens Wiklander /* 1239*32b31808SJens Wiklander * List of handshake messages kept around for resending 1240*32b31808SJens Wiklander */ 1241*32b31808SJens Wiklander struct mbedtls_ssl_flight_item { 1242*32b31808SJens Wiklander unsigned char *p; /*!< message, including handshake headers */ 1243*32b31808SJens Wiklander size_t len; /*!< length of p */ 1244*32b31808SJens Wiklander unsigned char type; /*!< type of the message: handshake or CCS */ 1245*32b31808SJens Wiklander mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */ 1246*32b31808SJens Wiklander }; 1247*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1248*32b31808SJens Wiklander 1249*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1250*32b31808SJens Wiklander /** 1251*32b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS 1252*32b31808SJens Wiklander * 1.2 specific extensions of the ClientHello message. 1253*32b31808SJens Wiklander * 1254*32b31808SJens Wiklander * \param[in] ssl SSL context 1255*32b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the extensions 1256*32b31808SJens Wiklander * \param[in] end End address of the buffer where to write the extensions 1257*32b31808SJens Wiklander * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve 1258*32b31808SJens Wiklander * (<> 0) or not ( 0 ). 1259*32b31808SJens Wiklander * \param[out] out_len Length of the data written into the buffer \p buf 1260*32b31808SJens Wiklander */ 1261*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1262*32b31808SJens Wiklander int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl, 1263*32b31808SJens Wiklander unsigned char *buf, 1264*32b31808SJens Wiklander const unsigned char *end, 1265*32b31808SJens Wiklander int uses_ec, 1266*32b31808SJens Wiklander size_t *out_len); 1267*32b31808SJens Wiklander #endif 1268*32b31808SJens Wiklander 1269*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 1270*32b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 1271*32b31808SJens Wiklander 1272*32b31808SJens Wiklander /** 1273*32b31808SJens Wiklander * \brief Find the preferred hash for a given signature algorithm. 1274*32b31808SJens Wiklander * 1275*32b31808SJens Wiklander * \param[in] ssl SSL context 1276*32b31808SJens Wiklander * \param[in] sig_alg A signature algorithm identifier as defined in the 1277*32b31808SJens Wiklander * TLS 1.2 SignatureAlgorithm enumeration. 1278*32b31808SJens Wiklander * 1279*32b31808SJens Wiklander * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm 1280*32b31808SJens Wiklander * identifier as defined in the TLS 1.2 HashAlgorithm enumeration. 1281*32b31808SJens Wiklander */ 1282*32b31808SJens Wiklander unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 1283*32b31808SJens Wiklander mbedtls_ssl_context *ssl, 1284*32b31808SJens Wiklander unsigned int sig_alg); 1285*32b31808SJens Wiklander 1286*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 1287*32b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 1288*32b31808SJens Wiklander 1289*32b31808SJens Wiklander /** 1290*32b31808SJens Wiklander * \brief Free referenced items in an SSL transform context and clear 1291*32b31808SJens Wiklander * memory 1292*32b31808SJens Wiklander * 1293*32b31808SJens Wiklander * \param transform SSL transform context 1294*32b31808SJens Wiklander */ 1295*32b31808SJens Wiklander void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform); 1296*32b31808SJens Wiklander 1297*32b31808SJens Wiklander /** 1298*32b31808SJens Wiklander * \brief Free referenced items in an SSL handshake context and clear 1299*32b31808SJens Wiklander * memory 1300*32b31808SJens Wiklander * 1301*32b31808SJens Wiklander * \param ssl SSL context 1302*32b31808SJens Wiklander */ 1303*32b31808SJens Wiklander void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl); 1304*32b31808SJens Wiklander 1305*32b31808SJens Wiklander /* set inbound transform of ssl context */ 1306*32b31808SJens Wiklander void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl, 1307*32b31808SJens Wiklander mbedtls_ssl_transform *transform); 1308*32b31808SJens Wiklander 1309*32b31808SJens Wiklander /* set outbound transform of ssl context */ 1310*32b31808SJens Wiklander void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl, 1311*32b31808SJens Wiklander mbedtls_ssl_transform *transform); 1312*32b31808SJens Wiklander 1313*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1314*32b31808SJens Wiklander int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl); 1315*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1316*32b31808SJens Wiklander int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl); 1317*32b31808SJens Wiklander void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl); 1318*32b31808SJens Wiklander static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl, 1319*32b31808SJens Wiklander mbedtls_ssl_states state) 1320*32b31808SJens Wiklander { 1321*32b31808SJens Wiklander ssl->state = (int) state; 1322*32b31808SJens Wiklander } 1323*32b31808SJens Wiklander 1324*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1325*32b31808SJens Wiklander int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl); 1326*32b31808SJens Wiklander 1327*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1328*32b31808SJens Wiklander int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl); 1329*32b31808SJens Wiklander 1330*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1331*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1332*32b31808SJens Wiklander int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl); 1333*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1334*32b31808SJens Wiklander 1335*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1336*32b31808SJens Wiklander int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl); 1337*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1338*32b31808SJens Wiklander int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl); 1339*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1340*32b31808SJens Wiklander int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl); 1341*32b31808SJens Wiklander 1342*32b31808SJens Wiklander /** 1343*32b31808SJens Wiklander * \brief Update record layer 1344*32b31808SJens Wiklander * 1345*32b31808SJens Wiklander * This function roughly separates the implementation 1346*32b31808SJens Wiklander * of the logic of (D)TLS from the implementation 1347*32b31808SJens Wiklander * of the secure transport. 1348*32b31808SJens Wiklander * 1349*32b31808SJens Wiklander * \param ssl The SSL context to use. 1350*32b31808SJens Wiklander * \param update_hs_digest This indicates if the handshake digest 1351*32b31808SJens Wiklander * should be automatically updated in case 1352*32b31808SJens Wiklander * a handshake message is found. 1353*32b31808SJens Wiklander * 1354*32b31808SJens Wiklander * \return 0 or non-zero error code. 1355*32b31808SJens Wiklander * 1356*32b31808SJens Wiklander * \note A clarification on what is called 'record layer' here 1357*32b31808SJens Wiklander * is in order, as many sensible definitions are possible: 1358*32b31808SJens Wiklander * 1359*32b31808SJens Wiklander * The record layer takes as input an untrusted underlying 1360*32b31808SJens Wiklander * transport (stream or datagram) and transforms it into 1361*32b31808SJens Wiklander * a serially multiplexed, secure transport, which 1362*32b31808SJens Wiklander * conceptually provides the following: 1363*32b31808SJens Wiklander * 1364*32b31808SJens Wiklander * (1) Three datagram based, content-agnostic transports 1365*32b31808SJens Wiklander * for handshake, alert and CCS messages. 1366*32b31808SJens Wiklander * (2) One stream- or datagram-based transport 1367*32b31808SJens Wiklander * for application data. 1368*32b31808SJens Wiklander * (3) Functionality for changing the underlying transform 1369*32b31808SJens Wiklander * securing the contents. 1370*32b31808SJens Wiklander * 1371*32b31808SJens Wiklander * The interface to this functionality is given as follows: 1372*32b31808SJens Wiklander * 1373*32b31808SJens Wiklander * a Updating 1374*32b31808SJens Wiklander * [Currently implemented by mbedtls_ssl_read_record] 1375*32b31808SJens Wiklander * 1376*32b31808SJens Wiklander * Check if and on which of the four 'ports' data is pending: 1377*32b31808SJens Wiklander * Nothing, a controlling datagram of type (1), or application 1378*32b31808SJens Wiklander * data (2). In any case data is present, internal buffers 1379*32b31808SJens Wiklander * provide access to the data for the user to process it. 1380*32b31808SJens Wiklander * Consumption of type (1) datagrams is done automatically 1381*32b31808SJens Wiklander * on the next update, invalidating that the internal buffers 1382*32b31808SJens Wiklander * for previous datagrams, while consumption of application 1383*32b31808SJens Wiklander * data (2) is user-controlled. 1384*32b31808SJens Wiklander * 1385*32b31808SJens Wiklander * b Reading of application data 1386*32b31808SJens Wiklander * [Currently manual adaption of ssl->in_offt pointer] 1387*32b31808SJens Wiklander * 1388*32b31808SJens Wiklander * As mentioned in the last paragraph, consumption of data 1389*32b31808SJens Wiklander * is different from the automatic consumption of control 1390*32b31808SJens Wiklander * datagrams (1) because application data is treated as a stream. 1391*32b31808SJens Wiklander * 1392*32b31808SJens Wiklander * c Tracking availability of application data 1393*32b31808SJens Wiklander * [Currently manually through decreasing ssl->in_msglen] 1394*32b31808SJens Wiklander * 1395*32b31808SJens Wiklander * For efficiency and to retain datagram semantics for 1396*32b31808SJens Wiklander * application data in case of DTLS, the record layer 1397*32b31808SJens Wiklander * provides functionality for checking how much application 1398*32b31808SJens Wiklander * data is still available in the internal buffer. 1399*32b31808SJens Wiklander * 1400*32b31808SJens Wiklander * d Changing the transformation securing the communication. 1401*32b31808SJens Wiklander * 1402*32b31808SJens Wiklander * Given an opaque implementation of the record layer in the 1403*32b31808SJens Wiklander * above sense, it should be possible to implement the logic 1404*32b31808SJens Wiklander * of (D)TLS on top of it without the need to know anything 1405*32b31808SJens Wiklander * about the record layer's internals. This is done e.g. 1406*32b31808SJens Wiklander * in all the handshake handling functions, and in the 1407*32b31808SJens Wiklander * application data reading function mbedtls_ssl_read. 1408*32b31808SJens Wiklander * 1409*32b31808SJens Wiklander * \note The above tries to give a conceptual picture of the 1410*32b31808SJens Wiklander * record layer, but the current implementation deviates 1411*32b31808SJens Wiklander * from it in some places. For example, our implementation of 1412*32b31808SJens Wiklander * the update functionality through mbedtls_ssl_read_record 1413*32b31808SJens Wiklander * discards datagrams depending on the current state, which 1414*32b31808SJens Wiklander * wouldn't fall under the record layer's responsibility 1415*32b31808SJens Wiklander * following the above definition. 1416*32b31808SJens Wiklander * 1417*32b31808SJens Wiklander */ 1418*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1419*32b31808SJens Wiklander int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl, 1420*32b31808SJens Wiklander unsigned update_hs_digest); 1421*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1422*32b31808SJens Wiklander int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want); 1423*32b31808SJens Wiklander 1424*32b31808SJens Wiklander /* 1425*32b31808SJens Wiklander * Write handshake message header 1426*32b31808SJens Wiklander */ 1427*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1428*32b31808SJens Wiklander int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned hs_type, 1429*32b31808SJens Wiklander unsigned char **buf, size_t *buf_len); 1430*32b31808SJens Wiklander 1431*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1432*32b31808SJens Wiklander int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl, 1433*32b31808SJens Wiklander int update_checksum, 1434*32b31808SJens Wiklander int force_flush); 1435*32b31808SJens Wiklander static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl) 1436*32b31808SJens Wiklander { 1437*32b31808SJens Wiklander return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */); 1438*32b31808SJens Wiklander } 1439*32b31808SJens Wiklander 1440*32b31808SJens Wiklander /* 1441*32b31808SJens Wiklander * Write handshake message tail 1442*32b31808SJens Wiklander */ 1443*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1444*32b31808SJens Wiklander int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl, 1445*32b31808SJens Wiklander size_t buf_len, size_t msg_len); 1446*32b31808SJens Wiklander 1447*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1448*32b31808SJens Wiklander int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush); 1449*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1450*32b31808SJens Wiklander int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl); 1451*32b31808SJens Wiklander 1452*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1453*32b31808SJens Wiklander int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl); 1454*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1455*32b31808SJens Wiklander int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl); 1456*32b31808SJens Wiklander 1457*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1458*32b31808SJens Wiklander int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl); 1459*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1460*32b31808SJens Wiklander int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl); 1461*32b31808SJens Wiklander 1462*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1463*32b31808SJens Wiklander int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl); 1464*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1465*32b31808SJens Wiklander int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl); 1466*32b31808SJens Wiklander 1467*32b31808SJens Wiklander void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, 1468*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info); 1469*32b31808SJens Wiklander 1470*32b31808SJens Wiklander /* 1471*32b31808SJens Wiklander * Update checksum of handshake messages. 1472*32b31808SJens Wiklander */ 1473*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1474*32b31808SJens Wiklander int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, 1475*32b31808SJens Wiklander unsigned hs_type, 1476*32b31808SJens Wiklander unsigned char const *msg, 1477*32b31808SJens Wiklander size_t msg_len); 1478*32b31808SJens Wiklander 1479*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1480*32b31808SJens Wiklander int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, 1481*32b31808SJens Wiklander unsigned hs_type, 1482*32b31808SJens Wiklander size_t total_hs_len); 1483*32b31808SJens Wiklander 1484*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 1485*32b31808SJens Wiklander #if !defined(MBEDTLS_USE_PSA_CRYPTO) 1486*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1487*32b31808SJens Wiklander int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, 1488*32b31808SJens Wiklander mbedtls_key_exchange_type_t key_ex); 1489*32b31808SJens Wiklander #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 1490*32b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 1491*32b31808SJens Wiklander 1492*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 1493*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) 1494*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1495*32b31808SJens Wiklander int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf); 1496*32b31808SJens Wiklander #endif 1497*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 1498*32b31808SJens Wiklander /** 1499*32b31808SJens Wiklander * Get the first defined opaque PSK by order of precedence: 1500*32b31808SJens Wiklander * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK 1501*32b31808SJens Wiklander * callback 1502*32b31808SJens Wiklander * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque() 1503*32b31808SJens Wiklander * Return an opaque PSK 1504*32b31808SJens Wiklander */ 1505*32b31808SJens Wiklander static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( 1506*32b31808SJens Wiklander const mbedtls_ssl_context *ssl) 1507*32b31808SJens Wiklander { 1508*32b31808SJens Wiklander if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 1509*32b31808SJens Wiklander return ssl->handshake->psk_opaque; 1510*32b31808SJens Wiklander } 1511*32b31808SJens Wiklander 1512*32b31808SJens Wiklander if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) { 1513*32b31808SJens Wiklander return ssl->conf->psk_opaque; 1514*32b31808SJens Wiklander } 1515*32b31808SJens Wiklander 1516*32b31808SJens Wiklander return MBEDTLS_SVC_KEY_ID_INIT; 1517*32b31808SJens Wiklander } 1518*32b31808SJens Wiklander #else 1519*32b31808SJens Wiklander /** 1520*32b31808SJens Wiklander * Get the first defined PSK by order of precedence: 1521*32b31808SJens Wiklander * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback 1522*32b31808SJens Wiklander * 2. static PSK configured by \c mbedtls_ssl_conf_psk() 1523*32b31808SJens Wiklander * Return a code and update the pair (PSK, PSK length) passed to this function 1524*32b31808SJens Wiklander */ 1525*32b31808SJens Wiklander static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl, 1526*32b31808SJens Wiklander const unsigned char **psk, size_t *psk_len) 1527*32b31808SJens Wiklander { 1528*32b31808SJens Wiklander if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) { 1529*32b31808SJens Wiklander *psk = ssl->handshake->psk; 1530*32b31808SJens Wiklander *psk_len = ssl->handshake->psk_len; 1531*32b31808SJens Wiklander } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) { 1532*32b31808SJens Wiklander *psk = ssl->conf->psk; 1533*32b31808SJens Wiklander *psk_len = ssl->conf->psk_len; 1534*32b31808SJens Wiklander } else { 1535*32b31808SJens Wiklander *psk = NULL; 1536*32b31808SJens Wiklander *psk_len = 0; 1537*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 1538*32b31808SJens Wiklander } 1539*32b31808SJens Wiklander 1540*32b31808SJens Wiklander return 0; 1541*32b31808SJens Wiklander } 1542*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1543*32b31808SJens Wiklander 1544*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 1545*32b31808SJens Wiklander 1546*32b31808SJens Wiklander #if defined(MBEDTLS_PK_C) 1547*32b31808SJens Wiklander unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk); 1548*32b31808SJens Wiklander unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type); 1549*32b31808SJens Wiklander mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig); 1550*32b31808SJens Wiklander #endif 1551*32b31808SJens Wiklander 1552*32b31808SJens Wiklander mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash); 1553*32b31808SJens Wiklander unsigned char mbedtls_ssl_hash_from_md_alg(int md); 1554*32b31808SJens Wiklander 1555*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1556*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1557*32b31808SJens Wiklander int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md); 1558*32b31808SJens Wiklander #endif 1559*32b31808SJens Wiklander 1560*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1561*32b31808SJens Wiklander int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id); 1562*32b31808SJens Wiklander #if defined(MBEDTLS_ECP_C) 1563*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1564*32b31808SJens Wiklander int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id); 1565*32b31808SJens Wiklander #endif 1566*32b31808SJens Wiklander 1567*32b31808SJens Wiklander /** 1568*32b31808SJens Wiklander * \brief Return PSA EC info for the specified TLS ID. 1569*32b31808SJens Wiklander * 1570*32b31808SJens Wiklander * \param tls_id The TLS ID to look for 1571*32b31808SJens Wiklander * \param family If the TLD ID is supported, then proper \c psa_ecc_family_t 1572*32b31808SJens Wiklander * value is returned here. Can be NULL. 1573*32b31808SJens Wiklander * \param bits If the TLD ID is supported, then proper bit size is returned 1574*32b31808SJens Wiklander * here. Can be NULL. 1575*32b31808SJens Wiklander * \return PSA_SUCCESS if the TLS ID is supported, 1576*32b31808SJens Wiklander * PSA_ERROR_NOT_SUPPORTED otherwise 1577*32b31808SJens Wiklander * 1578*32b31808SJens Wiklander * \note If either \c family or \c bits parameters are NULL, then 1579*32b31808SJens Wiklander * the corresponding value is not returned. 1580*32b31808SJens Wiklander * The function can be called with both parameters as NULL 1581*32b31808SJens Wiklander * simply to check if a specific TLS ID is supported. 1582*32b31808SJens Wiklander */ 1583*32b31808SJens Wiklander int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id, 1584*32b31808SJens Wiklander psa_ecc_family_t *family, 1585*32b31808SJens Wiklander size_t *bits); 1586*32b31808SJens Wiklander 1587*32b31808SJens Wiklander /** 1588*32b31808SJens Wiklander * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID. 1589*32b31808SJens Wiklander * 1590*32b31808SJens Wiklander * \param tls_id The TLS ID to look for 1591*32b31808SJens Wiklander * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported, 1592*32b31808SJens Wiklander * or MBEDTLS_ECP_DP_NONE otherwise 1593*32b31808SJens Wiklander */ 1594*32b31808SJens Wiklander mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id); 1595*32b31808SJens Wiklander 1596*32b31808SJens Wiklander /** 1597*32b31808SJens Wiklander * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id. 1598*32b31808SJens Wiklander * 1599*32b31808SJens Wiklander * \param grp_id The \c mbedtls_ecp_group_id ID to look for 1600*32b31808SJens Wiklander * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported, 1601*32b31808SJens Wiklander * or 0 otherwise 1602*32b31808SJens Wiklander */ 1603*32b31808SJens Wiklander uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id); 1604*32b31808SJens Wiklander 1605*32b31808SJens Wiklander #if defined(MBEDTLS_DEBUG_C) 1606*32b31808SJens Wiklander /** 1607*32b31808SJens Wiklander * \brief Return EC's name for the specified TLS ID. 1608*32b31808SJens Wiklander * 1609*32b31808SJens Wiklander * \param tls_id The TLS ID to look for 1610*32b31808SJens Wiklander * \return A pointer to a const string with the proper name. If TLS 1611*32b31808SJens Wiklander * ID is not supported, a NULL pointer is returned instead. 1612*32b31808SJens Wiklander */ 1613*32b31808SJens Wiklander const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id); 1614*32b31808SJens Wiklander #endif 1615*32b31808SJens Wiklander 1616*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_SRTP) 1617*32b31808SJens Wiklander static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value 1618*32b31808SJens Wiklander (const uint16_t srtp_profile_value) 1619*32b31808SJens Wiklander { 1620*32b31808SJens Wiklander switch (srtp_profile_value) { 1621*32b31808SJens Wiklander case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80: 1622*32b31808SJens Wiklander case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32: 1623*32b31808SJens Wiklander case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80: 1624*32b31808SJens Wiklander case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32: 1625*32b31808SJens Wiklander return srtp_profile_value; 1626*32b31808SJens Wiklander default: break; 1627*32b31808SJens Wiklander } 1628*32b31808SJens Wiklander return MBEDTLS_TLS_SRTP_UNSET; 1629*32b31808SJens Wiklander } 1630*32b31808SJens Wiklander #endif 1631*32b31808SJens Wiklander 1632*32b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C) 1633*32b31808SJens Wiklander static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl) 1634*32b31808SJens Wiklander { 1635*32b31808SJens Wiklander mbedtls_ssl_key_cert *key_cert; 1636*32b31808SJens Wiklander 1637*32b31808SJens Wiklander if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { 1638*32b31808SJens Wiklander key_cert = ssl->handshake->key_cert; 1639*32b31808SJens Wiklander } else { 1640*32b31808SJens Wiklander key_cert = ssl->conf->key_cert; 1641*32b31808SJens Wiklander } 1642*32b31808SJens Wiklander 1643*32b31808SJens Wiklander return key_cert == NULL ? NULL : key_cert->key; 1644*32b31808SJens Wiklander } 1645*32b31808SJens Wiklander 1646*32b31808SJens Wiklander static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl) 1647*32b31808SJens Wiklander { 1648*32b31808SJens Wiklander mbedtls_ssl_key_cert *key_cert; 1649*32b31808SJens Wiklander 1650*32b31808SJens Wiklander if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { 1651*32b31808SJens Wiklander key_cert = ssl->handshake->key_cert; 1652*32b31808SJens Wiklander } else { 1653*32b31808SJens Wiklander key_cert = ssl->conf->key_cert; 1654*32b31808SJens Wiklander } 1655*32b31808SJens Wiklander 1656*32b31808SJens Wiklander return key_cert == NULL ? NULL : key_cert->cert; 1657*32b31808SJens Wiklander } 1658*32b31808SJens Wiklander 1659*32b31808SJens Wiklander /* 1660*32b31808SJens Wiklander * Check usage of a certificate wrt extensions: 1661*32b31808SJens Wiklander * keyUsage, extendedKeyUsage (later), and nSCertType (later). 1662*32b31808SJens Wiklander * 1663*32b31808SJens Wiklander * Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we 1664*32b31808SJens Wiklander * check a cert we received from them)! 1665*32b31808SJens Wiklander * 1666*32b31808SJens Wiklander * Return 0 if everything is OK, -1 if not. 1667*32b31808SJens Wiklander */ 1668*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1669*32b31808SJens Wiklander int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, 1670*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite, 1671*32b31808SJens Wiklander int cert_endpoint, 1672*32b31808SJens Wiklander uint32_t *flags); 1673*32b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1674*32b31808SJens Wiklander 1675*32b31808SJens Wiklander void mbedtls_ssl_write_version(unsigned char version[2], int transport, 1676*32b31808SJens Wiklander mbedtls_ssl_protocol_version tls_version); 1677*32b31808SJens Wiklander uint16_t mbedtls_ssl_read_version(const unsigned char version[2], 1678*32b31808SJens Wiklander int transport); 1679*32b31808SJens Wiklander 1680*32b31808SJens Wiklander static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl) 1681*32b31808SJens Wiklander { 1682*32b31808SJens Wiklander #if !defined(MBEDTLS_SSL_PROTO_DTLS) 1683*32b31808SJens Wiklander ((void) ssl); 1684*32b31808SJens Wiklander #endif 1685*32b31808SJens Wiklander 1686*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 1687*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1688*32b31808SJens Wiklander return 13; 1689*32b31808SJens Wiklander } else 1690*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1691*32b31808SJens Wiklander { 1692*32b31808SJens Wiklander return 5; 1693*32b31808SJens Wiklander } 1694*32b31808SJens Wiklander } 1695*32b31808SJens Wiklander 1696*32b31808SJens Wiklander static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl) 1697*32b31808SJens Wiklander { 1698*32b31808SJens Wiklander return (size_t) (ssl->out_iv - ssl->out_hdr); 1699*32b31808SJens Wiklander } 1700*32b31808SJens Wiklander 1701*32b31808SJens Wiklander static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl) 1702*32b31808SJens Wiklander { 1703*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 1704*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1705*32b31808SJens Wiklander return 12; 1706*32b31808SJens Wiklander } 1707*32b31808SJens Wiklander #else 1708*32b31808SJens Wiklander ((void) ssl); 1709*32b31808SJens Wiklander #endif 1710*32b31808SJens Wiklander return 4; 1711*32b31808SJens Wiklander } 1712*32b31808SJens Wiklander 1713*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 1714*32b31808SJens Wiklander void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl); 1715*32b31808SJens Wiklander void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl); 1716*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1717*32b31808SJens Wiklander int mbedtls_ssl_resend(mbedtls_ssl_context *ssl); 1718*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1719*32b31808SJens Wiklander int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl); 1720*32b31808SJens Wiklander #endif 1721*32b31808SJens Wiklander 1722*32b31808SJens Wiklander /* Visible for testing purposes only */ 1723*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1724*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1725*32b31808SJens Wiklander int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl); 1726*32b31808SJens Wiklander void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl); 1727*32b31808SJens Wiklander #endif 1728*32b31808SJens Wiklander 1729*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1730*32b31808SJens Wiklander int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst, 1731*32b31808SJens Wiklander const mbedtls_ssl_session *src); 1732*32b31808SJens Wiklander 1733*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1734*32b31808SJens Wiklander /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ 1735*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1736*32b31808SJens Wiklander int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 1737*32b31808SJens Wiklander unsigned char *hash, size_t *hashlen, 1738*32b31808SJens Wiklander unsigned char *data, size_t data_len, 1739*32b31808SJens Wiklander mbedtls_md_type_t md_alg); 1740*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1741*32b31808SJens Wiklander 1742*32b31808SJens Wiklander #ifdef __cplusplus 1743*32b31808SJens Wiklander } 1744*32b31808SJens Wiklander #endif 1745*32b31808SJens Wiklander 1746*32b31808SJens Wiklander void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform); 1747*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1748*32b31808SJens Wiklander int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl, 1749*32b31808SJens Wiklander mbedtls_ssl_transform *transform, 1750*32b31808SJens Wiklander mbedtls_record *rec, 1751*32b31808SJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 1752*32b31808SJens Wiklander void *p_rng); 1753*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1754*32b31808SJens Wiklander int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl, 1755*32b31808SJens Wiklander mbedtls_ssl_transform *transform, 1756*32b31808SJens Wiklander mbedtls_record *rec); 1757*32b31808SJens Wiklander 1758*32b31808SJens Wiklander /* Length of the "epoch" field in the record header */ 1759*32b31808SJens Wiklander static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl) 1760*32b31808SJens Wiklander { 1761*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 1762*32b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1763*32b31808SJens Wiklander return 2; 1764*32b31808SJens Wiklander } 1765*32b31808SJens Wiklander #else 1766*32b31808SJens Wiklander ((void) ssl); 1767*32b31808SJens Wiklander #endif 1768*32b31808SJens Wiklander return 0; 1769*32b31808SJens Wiklander } 1770*32b31808SJens Wiklander 1771*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 1772*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1773*32b31808SJens Wiklander int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl); 1774*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1775*32b31808SJens Wiklander 1776*32b31808SJens Wiklander void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs); 1777*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1778*32b31808SJens Wiklander int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl); 1779*32b31808SJens Wiklander 1780*32b31808SJens Wiklander void mbedtls_ssl_reset_in_out_pointers(mbedtls_ssl_context *ssl); 1781*32b31808SJens Wiklander void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl, 1782*32b31808SJens Wiklander mbedtls_ssl_transform *transform); 1783*32b31808SJens Wiklander void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl); 1784*32b31808SJens Wiklander 1785*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1786*32b31808SJens Wiklander int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial); 1787*32b31808SJens Wiklander void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, 1788*32b31808SJens Wiklander int partial); 1789*32b31808SJens Wiklander 1790*32b31808SJens Wiklander /* 1791*32b31808SJens Wiklander * Send pending alert 1792*32b31808SJens Wiklander */ 1793*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1794*32b31808SJens Wiklander int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl); 1795*32b31808SJens Wiklander 1796*32b31808SJens Wiklander /* 1797*32b31808SJens Wiklander * Set pending fatal alert flag. 1798*32b31808SJens Wiklander */ 1799*32b31808SJens Wiklander void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl, 1800*32b31808SJens Wiklander unsigned char alert_type, 1801*32b31808SJens Wiklander int alert_reason); 1802*32b31808SJens Wiklander 1803*32b31808SJens Wiklander /* Alias of mbedtls_ssl_pend_fatal_alert */ 1804*32b31808SJens Wiklander #define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \ 1805*32b31808SJens Wiklander mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value) 1806*32b31808SJens Wiklander 1807*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1808*32b31808SJens Wiklander void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl); 1809*32b31808SJens Wiklander #endif 1810*32b31808SJens Wiklander 1811*32b31808SJens Wiklander void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl); 1812*32b31808SJens Wiklander 1813*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 1814*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1815*32b31808SJens Wiklander int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl); 1816*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1817*32b31808SJens Wiklander 1818*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 1819*32b31808SJens Wiklander size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl); 1820*32b31808SJens Wiklander void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl); 1821*32b31808SJens Wiklander void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight); 1822*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1823*32b31808SJens Wiklander 1824*32b31808SJens Wiklander /** 1825*32b31808SJens Wiklander * ssl utils functions for checking configuration. 1826*32b31808SJens Wiklander */ 1827*32b31808SJens Wiklander 1828*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1829*32b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf) 1830*32b31808SJens Wiklander { 1831*32b31808SJens Wiklander return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && 1832*32b31808SJens Wiklander conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3; 1833*32b31808SJens Wiklander } 1834*32b31808SJens Wiklander 1835*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1836*32b31808SJens Wiklander 1837*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1838*32b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf) 1839*32b31808SJens Wiklander { 1840*32b31808SJens Wiklander return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 1841*32b31808SJens Wiklander conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2; 1842*32b31808SJens Wiklander } 1843*32b31808SJens Wiklander 1844*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1845*32b31808SJens Wiklander 1846*32b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf) 1847*32b31808SJens Wiklander { 1848*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1849*32b31808SJens Wiklander return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 && 1850*32b31808SJens Wiklander conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3; 1851*32b31808SJens Wiklander #else 1852*32b31808SJens Wiklander ((void) conf); 1853*32b31808SJens Wiklander return 0; 1854*32b31808SJens Wiklander #endif 1855*32b31808SJens Wiklander } 1856*32b31808SJens Wiklander 1857*32b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf) 1858*32b31808SJens Wiklander { 1859*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1860*32b31808SJens Wiklander return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 && 1861*32b31808SJens Wiklander conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2; 1862*32b31808SJens Wiklander #else 1863*32b31808SJens Wiklander ((void) conf); 1864*32b31808SJens Wiklander return 0; 1865*32b31808SJens Wiklander #endif 1866*32b31808SJens Wiklander } 1867*32b31808SJens Wiklander 1868*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 1869*32b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf) 1870*32b31808SJens Wiklander { 1871*32b31808SJens Wiklander return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 1872*32b31808SJens Wiklander conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3; 1873*32b31808SJens Wiklander } 1874*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */ 1875*32b31808SJens Wiklander 1876*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1877*32b31808SJens Wiklander extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[ 1878*32b31808SJens Wiklander MBEDTLS_SERVER_HELLO_RANDOM_LEN]; 1879*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1880*32b31808SJens Wiklander int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl); 1881*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1882*32b31808SJens Wiklander int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl); 1883*32b31808SJens Wiklander void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl); 1884*32b31808SJens Wiklander 1885*32b31808SJens Wiklander /** 1886*32b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS 1887*32b31808SJens Wiklander * 1.3 specific extensions of the ClientHello message. 1888*32b31808SJens Wiklander * 1889*32b31808SJens Wiklander * \param[in] ssl SSL context 1890*32b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the extensions 1891*32b31808SJens Wiklander * \param[in] end End address of the buffer where to write the extensions 1892*32b31808SJens Wiklander * \param[out] out_len Length of the data written into the buffer \p buf 1893*32b31808SJens Wiklander */ 1894*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1895*32b31808SJens Wiklander int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, 1896*32b31808SJens Wiklander unsigned char *buf, 1897*32b31808SJens Wiklander unsigned char *end, 1898*32b31808SJens Wiklander size_t *out_len); 1899*32b31808SJens Wiklander 1900*32b31808SJens Wiklander /** 1901*32b31808SJens Wiklander * \brief TLS 1.3 client side state machine entry 1902*32b31808SJens Wiklander * 1903*32b31808SJens Wiklander * \param ssl SSL context 1904*32b31808SJens Wiklander */ 1905*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1906*32b31808SJens Wiklander int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl); 1907*32b31808SJens Wiklander 1908*32b31808SJens Wiklander /** 1909*32b31808SJens Wiklander * \brief TLS 1.3 server side state machine entry 1910*32b31808SJens Wiklander * 1911*32b31808SJens Wiklander * \param ssl SSL context 1912*32b31808SJens Wiklander */ 1913*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1914*32b31808SJens Wiklander int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl); 1915*32b31808SJens Wiklander 1916*32b31808SJens Wiklander 1917*32b31808SJens Wiklander /* 1918*32b31808SJens Wiklander * Helper functions around key exchange modes. 1919*32b31808SJens Wiklander */ 1920*32b31808SJens Wiklander static inline unsigned mbedtls_ssl_conf_tls13_check_kex_modes(mbedtls_ssl_context *ssl, 1921*32b31808SJens Wiklander int kex_mode_mask) 1922*32b31808SJens Wiklander { 1923*32b31808SJens Wiklander return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0; 1924*32b31808SJens Wiklander } 1925*32b31808SJens Wiklander 1926*32b31808SJens Wiklander static inline int mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context *ssl) 1927*32b31808SJens Wiklander { 1928*32b31808SJens Wiklander return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, 1929*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); 1930*32b31808SJens Wiklander } 1931*32b31808SJens Wiklander 1932*32b31808SJens Wiklander static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context *ssl) 1933*32b31808SJens Wiklander { 1934*32b31808SJens Wiklander return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, 1935*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 1936*32b31808SJens Wiklander } 1937*32b31808SJens Wiklander 1938*32b31808SJens Wiklander static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl) 1939*32b31808SJens Wiklander { 1940*32b31808SJens Wiklander return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, 1941*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); 1942*32b31808SJens Wiklander } 1943*32b31808SJens Wiklander 1944*32b31808SJens Wiklander static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl) 1945*32b31808SJens Wiklander { 1946*32b31808SJens Wiklander return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, 1947*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 1948*32b31808SJens Wiklander } 1949*32b31808SJens Wiklander 1950*32b31808SJens Wiklander static inline int mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context *ssl) 1951*32b31808SJens Wiklander { 1952*32b31808SJens Wiklander return mbedtls_ssl_conf_tls13_check_kex_modes(ssl, 1953*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 1954*32b31808SJens Wiklander } 1955*32b31808SJens Wiklander 1956*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C) && \ 1957*32b31808SJens Wiklander defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 1958*32b31808SJens Wiklander /** 1959*32b31808SJens Wiklander * Given a list of key exchange modes, check if at least one of them is 1960*32b31808SJens Wiklander * supported. 1961*32b31808SJens Wiklander * 1962*32b31808SJens Wiklander * \param[in] ssl SSL context 1963*32b31808SJens Wiklander * \param kex_modes_mask Mask of the key exchange modes to check 1964*32b31808SJens Wiklander * 1965*32b31808SJens Wiklander * \return 0 if at least one of the key exchange modes is supported, 1966*32b31808SJens Wiklander * !=0 otherwise. 1967*32b31808SJens Wiklander */ 1968*32b31808SJens Wiklander static inline unsigned mbedtls_ssl_tls13_check_kex_modes(mbedtls_ssl_context *ssl, 1969*32b31808SJens Wiklander int kex_modes_mask) 1970*32b31808SJens Wiklander { 1971*32b31808SJens Wiklander return (ssl->handshake->tls13_kex_modes & kex_modes_mask) == 0; 1972*32b31808SJens Wiklander } 1973*32b31808SJens Wiklander 1974*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_psk_enabled(mbedtls_ssl_context *ssl) 1975*32b31808SJens Wiklander { 1976*32b31808SJens Wiklander return !mbedtls_ssl_tls13_check_kex_modes(ssl, 1977*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); 1978*32b31808SJens Wiklander } 1979*32b31808SJens Wiklander 1980*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_psk_ephemeral_enabled( 1981*32b31808SJens Wiklander mbedtls_ssl_context *ssl) 1982*32b31808SJens Wiklander { 1983*32b31808SJens Wiklander return !mbedtls_ssl_tls13_check_kex_modes(ssl, 1984*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 1985*32b31808SJens Wiklander } 1986*32b31808SJens Wiklander 1987*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl) 1988*32b31808SJens Wiklander { 1989*32b31808SJens Wiklander return !mbedtls_ssl_tls13_check_kex_modes(ssl, 1990*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); 1991*32b31808SJens Wiklander } 1992*32b31808SJens Wiklander 1993*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl) 1994*32b31808SJens Wiklander { 1995*32b31808SJens Wiklander return !mbedtls_ssl_tls13_check_kex_modes(ssl, 1996*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 1997*32b31808SJens Wiklander } 1998*32b31808SJens Wiklander 1999*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_some_psk_enabled(mbedtls_ssl_context *ssl) 2000*32b31808SJens Wiklander { 2001*32b31808SJens Wiklander return !mbedtls_ssl_tls13_check_kex_modes(ssl, 2002*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 2003*32b31808SJens Wiklander } 2004*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C && 2005*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 2006*32b31808SJens Wiklander 2007*32b31808SJens Wiklander /* 2008*32b31808SJens Wiklander * Helper functions for extensions checking. 2009*32b31808SJens Wiklander */ 2010*32b31808SJens Wiklander 2011*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2012*32b31808SJens Wiklander int mbedtls_ssl_tls13_check_received_extension( 2013*32b31808SJens Wiklander mbedtls_ssl_context *ssl, 2014*32b31808SJens Wiklander int hs_msg_type, 2015*32b31808SJens Wiklander unsigned int received_extension_type, 2016*32b31808SJens Wiklander uint32_t hs_msg_allowed_extensions_mask); 2017*32b31808SJens Wiklander 2018*32b31808SJens Wiklander static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask( 2019*32b31808SJens Wiklander mbedtls_ssl_context *ssl, unsigned int extension_type) 2020*32b31808SJens Wiklander { 2021*32b31808SJens Wiklander ssl->handshake->sent_extensions |= 2022*32b31808SJens Wiklander mbedtls_ssl_get_extension_mask(extension_type); 2023*32b31808SJens Wiklander } 2024*32b31808SJens Wiklander 2025*32b31808SJens Wiklander /* 2026*32b31808SJens Wiklander * Helper functions to check the selected key exchange mode. 2027*32b31808SJens Wiklander */ 2028*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_key_exchange_mode_check( 2029*32b31808SJens Wiklander mbedtls_ssl_context *ssl, int kex_mask) 2030*32b31808SJens Wiklander { 2031*32b31808SJens Wiklander return (ssl->handshake->key_exchange_mode & kex_mask) != 0; 2032*32b31808SJens Wiklander } 2033*32b31808SJens Wiklander 2034*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk( 2035*32b31808SJens Wiklander mbedtls_ssl_context *ssl) 2036*32b31808SJens Wiklander { 2037*32b31808SJens Wiklander return mbedtls_ssl_tls13_key_exchange_mode_check(ssl, 2038*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 2039*32b31808SJens Wiklander } 2040*32b31808SJens Wiklander 2041*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( 2042*32b31808SJens Wiklander mbedtls_ssl_context *ssl) 2043*32b31808SJens Wiklander { 2044*32b31808SJens Wiklander return mbedtls_ssl_tls13_key_exchange_mode_check(ssl, 2045*32b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 2046*32b31808SJens Wiklander } 2047*32b31808SJens Wiklander 2048*32b31808SJens Wiklander /* 2049*32b31808SJens Wiklander * Fetch TLS 1.3 handshake message header 2050*32b31808SJens Wiklander */ 2051*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2052*32b31808SJens Wiklander int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl, 2053*32b31808SJens Wiklander unsigned hs_type, 2054*32b31808SJens Wiklander unsigned char **buf, 2055*32b31808SJens Wiklander size_t *buf_len); 2056*32b31808SJens Wiklander 2057*32b31808SJens Wiklander /* 2058*32b31808SJens Wiklander * Handler of TLS 1.3 server certificate message 2059*32b31808SJens Wiklander */ 2060*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2061*32b31808SJens Wiklander int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl); 2062*32b31808SJens Wiklander 2063*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2064*32b31808SJens Wiklander /* 2065*32b31808SJens Wiklander * Handler of TLS 1.3 write Certificate message 2066*32b31808SJens Wiklander */ 2067*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2068*32b31808SJens Wiklander int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl); 2069*32b31808SJens Wiklander 2070*32b31808SJens Wiklander /* 2071*32b31808SJens Wiklander * Handler of TLS 1.3 write Certificate Verify message 2072*32b31808SJens Wiklander */ 2073*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2074*32b31808SJens Wiklander int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl); 2075*32b31808SJens Wiklander 2076*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 2077*32b31808SJens Wiklander 2078*32b31808SJens Wiklander /* 2079*32b31808SJens Wiklander * Generic handler of Certificate Verify 2080*32b31808SJens Wiklander */ 2081*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2082*32b31808SJens Wiklander int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl); 2083*32b31808SJens Wiklander 2084*32b31808SJens Wiklander /* 2085*32b31808SJens Wiklander * Write of dummy-CCS's for middlebox compatibility 2086*32b31808SJens Wiklander */ 2087*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2088*32b31808SJens Wiklander int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl); 2089*32b31808SJens Wiklander 2090*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2091*32b31808SJens Wiklander int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl); 2092*32b31808SJens Wiklander 2093*32b31808SJens Wiklander #if defined(MBEDTLS_ECDH_C) 2094*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2095*32b31808SJens Wiklander int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange( 2096*32b31808SJens Wiklander mbedtls_ssl_context *ssl, 2097*32b31808SJens Wiklander uint16_t named_group, 2098*32b31808SJens Wiklander unsigned char *buf, 2099*32b31808SJens Wiklander unsigned char *end, 2100*32b31808SJens Wiklander size_t *out_len); 2101*32b31808SJens Wiklander #endif /* MBEDTLS_ECDH_C */ 2102*32b31808SJens Wiklander 2103*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_EARLY_DATA) 2104*32b31808SJens Wiklander int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, 2105*32b31808SJens Wiklander unsigned char *buf, 2106*32b31808SJens Wiklander const unsigned char *end, 2107*32b31808SJens Wiklander size_t *out_len); 2108*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_EARLY_DATA */ 2109*32b31808SJens Wiklander 2110*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 2111*32b31808SJens Wiklander 2112*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2113*32b31808SJens Wiklander /* 2114*32b31808SJens Wiklander * Write Signature Algorithm extension 2115*32b31808SJens Wiklander */ 2116*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2117*32b31808SJens Wiklander int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf, 2118*32b31808SJens Wiklander const unsigned char *end, size_t *out_len); 2119*32b31808SJens Wiklander /* 2120*32b31808SJens Wiklander * Parse TLS Signature Algorithm extension 2121*32b31808SJens Wiklander */ 2122*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2123*32b31808SJens Wiklander int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl, 2124*32b31808SJens Wiklander const unsigned char *buf, 2125*32b31808SJens Wiklander const unsigned char *end); 2126*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2127*32b31808SJens Wiklander 2128*32b31808SJens Wiklander /* Get handshake transcript */ 2129*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2130*32b31808SJens Wiklander int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 2131*32b31808SJens Wiklander const mbedtls_md_type_t md, 2132*32b31808SJens Wiklander unsigned char *dst, 2133*32b31808SJens Wiklander size_t dst_len, 2134*32b31808SJens Wiklander size_t *olen); 2135*32b31808SJens Wiklander 2136*32b31808SJens Wiklander /* 2137*32b31808SJens Wiklander * Return supported groups. 2138*32b31808SJens Wiklander * 2139*32b31808SJens Wiklander * In future, invocations can be changed to ssl->conf->group_list 2140*32b31808SJens Wiklander * when mbedtls_ssl_conf_curves() is deleted. 2141*32b31808SJens Wiklander * 2142*32b31808SJens Wiklander * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group 2143*32b31808SJens Wiklander * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to 2144*32b31808SJens Wiklander * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked. 2145*32b31808SJens Wiklander * 2146*32b31808SJens Wiklander */ 2147*32b31808SJens Wiklander static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl) 2148*32b31808SJens Wiklander { 2149*32b31808SJens Wiklander #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C) 2150*32b31808SJens Wiklander return ssl->conf->group_list; 2151*32b31808SJens Wiklander #else 2152*32b31808SJens Wiklander if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) { 2153*32b31808SJens Wiklander return ssl->handshake->group_list; 2154*32b31808SJens Wiklander } else { 2155*32b31808SJens Wiklander return ssl->conf->group_list; 2156*32b31808SJens Wiklander } 2157*32b31808SJens Wiklander #endif 2158*32b31808SJens Wiklander } 2159*32b31808SJens Wiklander 2160*32b31808SJens Wiklander /* 2161*32b31808SJens Wiklander * Helper functions for NamedGroup. 2162*32b31808SJens Wiklander */ 2163*32b31808SJens Wiklander static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group) 2164*32b31808SJens Wiklander { 2165*32b31808SJens Wiklander /* 2166*32b31808SJens Wiklander * RFC 8422 section 5.1.1 2167*32b31808SJens Wiklander */ 2168*32b31808SJens Wiklander return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 || 2169*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 || 2170*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 || 2171*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 || 2172*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 || 2173*32b31808SJens Wiklander /* Below deprecated curves should be removed with notice to users */ 2174*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 || 2175*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 || 2176*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 || 2177*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 || 2178*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 || 2179*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || 2180*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || 2181*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1; 2182*32b31808SJens Wiklander } 2183*32b31808SJens Wiklander 2184*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group) 2185*32b31808SJens Wiklander { 2186*32b31808SJens Wiklander return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 || 2187*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || 2188*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || 2189*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 || 2190*32b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448; 2191*32b31808SJens Wiklander } 2192*32b31808SJens Wiklander 2193*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_named_group_is_dhe(uint16_t named_group) 2194*32b31808SJens Wiklander { 2195*32b31808SJens Wiklander return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 && 2196*32b31808SJens Wiklander named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192; 2197*32b31808SJens Wiklander } 2198*32b31808SJens Wiklander 2199*32b31808SJens Wiklander static inline int mbedtls_ssl_named_group_is_offered( 2200*32b31808SJens Wiklander const mbedtls_ssl_context *ssl, uint16_t named_group) 2201*32b31808SJens Wiklander { 2202*32b31808SJens Wiklander const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); 2203*32b31808SJens Wiklander 2204*32b31808SJens Wiklander if (group_list == NULL) { 2205*32b31808SJens Wiklander return 0; 2206*32b31808SJens Wiklander } 2207*32b31808SJens Wiklander 2208*32b31808SJens Wiklander for (; *group_list != 0; group_list++) { 2209*32b31808SJens Wiklander if (*group_list == named_group) { 2210*32b31808SJens Wiklander return 1; 2211*32b31808SJens Wiklander } 2212*32b31808SJens Wiklander } 2213*32b31808SJens Wiklander 2214*32b31808SJens Wiklander return 0; 2215*32b31808SJens Wiklander } 2216*32b31808SJens Wiklander 2217*32b31808SJens Wiklander static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group) 2218*32b31808SJens Wiklander { 2219*32b31808SJens Wiklander #if defined(MBEDTLS_ECDH_C) 2220*32b31808SJens Wiklander if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) { 2221*32b31808SJens Wiklander if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) != 2222*32b31808SJens Wiklander MBEDTLS_ECP_DP_NONE) { 2223*32b31808SJens Wiklander return 1; 2224*32b31808SJens Wiklander } 2225*32b31808SJens Wiklander } 2226*32b31808SJens Wiklander #else 2227*32b31808SJens Wiklander ((void) named_group); 2228*32b31808SJens Wiklander #endif /* MBEDTLS_ECDH_C */ 2229*32b31808SJens Wiklander return 0; 2230*32b31808SJens Wiklander } 2231*32b31808SJens Wiklander 2232*32b31808SJens Wiklander /* 2233*32b31808SJens Wiklander * Return supported signature algorithms. 2234*32b31808SJens Wiklander * 2235*32b31808SJens Wiklander * In future, invocations can be changed to ssl->conf->sig_algs when 2236*32b31808SJens Wiklander * mbedtls_ssl_conf_sig_hashes() is deleted. 2237*32b31808SJens Wiklander * 2238*32b31808SJens Wiklander * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS 2239*32b31808SJens Wiklander * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been 2240*32b31808SJens Wiklander * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has 2241*32b31808SJens Wiklander * been more recently invoked. 2242*32b31808SJens Wiklander * 2243*32b31808SJens Wiklander */ 2244*32b31808SJens Wiklander static inline const void *mbedtls_ssl_get_sig_algs( 2245*32b31808SJens Wiklander const mbedtls_ssl_context *ssl) 2246*32b31808SJens Wiklander { 2247*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2248*32b31808SJens Wiklander 2249*32b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2250*32b31808SJens Wiklander if (ssl->handshake != NULL && 2251*32b31808SJens Wiklander ssl->handshake->sig_algs_heap_allocated == 1 && 2252*32b31808SJens Wiklander ssl->handshake->sig_algs != NULL) { 2253*32b31808SJens Wiklander return ssl->handshake->sig_algs; 2254*32b31808SJens Wiklander } 2255*32b31808SJens Wiklander #endif 2256*32b31808SJens Wiklander return ssl->conf->sig_algs; 2257*32b31808SJens Wiklander 2258*32b31808SJens Wiklander #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2259*32b31808SJens Wiklander 2260*32b31808SJens Wiklander ((void) ssl); 2261*32b31808SJens Wiklander return NULL; 2262*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2263*32b31808SJens Wiklander } 2264*32b31808SJens Wiklander 2265*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2266*32b31808SJens Wiklander static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl, 2267*32b31808SJens Wiklander uint16_t own_sig_alg) 2268*32b31808SJens Wiklander { 2269*32b31808SJens Wiklander const uint16_t *sig_alg = ssl->handshake->received_sig_algs; 2270*32b31808SJens Wiklander if (sig_alg == NULL) { 2271*32b31808SJens Wiklander return 0; 2272*32b31808SJens Wiklander } 2273*32b31808SJens Wiklander 2274*32b31808SJens Wiklander for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 2275*32b31808SJens Wiklander if (*sig_alg == own_sig_alg) { 2276*32b31808SJens Wiklander return 1; 2277*32b31808SJens Wiklander } 2278*32b31808SJens Wiklander } 2279*32b31808SJens Wiklander return 0; 2280*32b31808SJens Wiklander } 2281*32b31808SJens Wiklander 2282*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( 2283*32b31808SJens Wiklander const uint16_t sig_alg) 2284*32b31808SJens Wiklander { 2285*32b31808SJens Wiklander switch (sig_alg) { 2286*32b31808SJens Wiklander #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 2287*32b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) 2288*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: 2289*32b31808SJens Wiklander break; 2290*32b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 2291*32b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_384) && defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED) 2292*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: 2293*32b31808SJens Wiklander break; 2294*32b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 2295*32b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_512) && defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) 2296*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: 2297*32b31808SJens Wiklander break; 2298*32b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 2299*32b31808SJens Wiklander #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ 2300*32b31808SJens Wiklander 2301*32b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V21) 2302*32b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_256) 2303*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: 2304*32b31808SJens Wiklander break; 2305*32b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_256 */ 2306*32b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_384) 2307*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: 2308*32b31808SJens Wiklander break; 2309*32b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_384 */ 2310*32b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_512) 2311*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 2312*32b31808SJens Wiklander break; 2313*32b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_512 */ 2314*32b31808SJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */ 2315*32b31808SJens Wiklander default: 2316*32b31808SJens Wiklander return 0; 2317*32b31808SJens Wiklander } 2318*32b31808SJens Wiklander return 1; 2319*32b31808SJens Wiklander 2320*32b31808SJens Wiklander } 2321*32b31808SJens Wiklander 2322*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_sig_alg_is_supported( 2323*32b31808SJens Wiklander const uint16_t sig_alg) 2324*32b31808SJens Wiklander { 2325*32b31808SJens Wiklander switch (sig_alg) { 2326*32b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V15) 2327*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2328*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: 2329*32b31808SJens Wiklander break; 2330*32b31808SJens Wiklander #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2331*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2332*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: 2333*32b31808SJens Wiklander break; 2334*32b31808SJens Wiklander #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2335*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2336*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: 2337*32b31808SJens Wiklander break; 2338*32b31808SJens Wiklander #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2339*32b31808SJens Wiklander #endif /* MBEDTLS_PKCS1_V15 */ 2340*32b31808SJens Wiklander default: 2341*32b31808SJens Wiklander return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( 2342*32b31808SJens Wiklander sig_alg); 2343*32b31808SJens Wiklander } 2344*32b31808SJens Wiklander return 1; 2345*32b31808SJens Wiklander } 2346*32b31808SJens Wiklander 2347*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2348*32b31808SJens Wiklander int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg, 2349*32b31808SJens Wiklander mbedtls_pk_context *key); 2350*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 2351*32b31808SJens Wiklander 2352*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2353*32b31808SJens Wiklander static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl, 2354*32b31808SJens Wiklander uint16_t proposed_sig_alg) 2355*32b31808SJens Wiklander { 2356*32b31808SJens Wiklander const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); 2357*32b31808SJens Wiklander if (sig_alg == NULL) { 2358*32b31808SJens Wiklander return 0; 2359*32b31808SJens Wiklander } 2360*32b31808SJens Wiklander 2361*32b31808SJens Wiklander for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 2362*32b31808SJens Wiklander if (*sig_alg == proposed_sig_alg) { 2363*32b31808SJens Wiklander return 1; 2364*32b31808SJens Wiklander } 2365*32b31808SJens Wiklander } 2366*32b31808SJens Wiklander return 0; 2367*32b31808SJens Wiklander } 2368*32b31808SJens Wiklander 2369*32b31808SJens Wiklander static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( 2370*32b31808SJens Wiklander uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg) 2371*32b31808SJens Wiklander { 2372*32b31808SJens Wiklander *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff); 2373*32b31808SJens Wiklander *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff); 2374*32b31808SJens Wiklander 2375*32b31808SJens Wiklander if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) { 2376*32b31808SJens Wiklander return 0; 2377*32b31808SJens Wiklander } 2378*32b31808SJens Wiklander 2379*32b31808SJens Wiklander switch (sig_alg) { 2380*32b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V21) 2381*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2382*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: 2383*32b31808SJens Wiklander *md_alg = MBEDTLS_MD_SHA256; 2384*32b31808SJens Wiklander *pk_type = MBEDTLS_PK_RSASSA_PSS; 2385*32b31808SJens Wiklander break; 2386*32b31808SJens Wiklander #endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2387*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2388*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: 2389*32b31808SJens Wiklander *md_alg = MBEDTLS_MD_SHA384; 2390*32b31808SJens Wiklander *pk_type = MBEDTLS_PK_RSASSA_PSS; 2391*32b31808SJens Wiklander break; 2392*32b31808SJens Wiklander #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2393*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2394*32b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 2395*32b31808SJens Wiklander *md_alg = MBEDTLS_MD_SHA512; 2396*32b31808SJens Wiklander *pk_type = MBEDTLS_PK_RSASSA_PSS; 2397*32b31808SJens Wiklander break; 2398*32b31808SJens Wiklander #endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */ 2399*32b31808SJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */ 2400*32b31808SJens Wiklander default: 2401*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2402*32b31808SJens Wiklander } 2403*32b31808SJens Wiklander return 0; 2404*32b31808SJens Wiklander } 2405*32b31808SJens Wiklander 2406*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2407*32b31808SJens Wiklander static inline int mbedtls_ssl_tls12_sig_alg_is_supported( 2408*32b31808SJens Wiklander const uint16_t sig_alg) 2409*32b31808SJens Wiklander { 2410*32b31808SJens Wiklander /* High byte is hash */ 2411*32b31808SJens Wiklander unsigned char hash = MBEDTLS_BYTE_1(sig_alg); 2412*32b31808SJens Wiklander unsigned char sig = MBEDTLS_BYTE_0(sig_alg); 2413*32b31808SJens Wiklander 2414*32b31808SJens Wiklander switch (hash) { 2415*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2416*32b31808SJens Wiklander case MBEDTLS_SSL_HASH_MD5: 2417*32b31808SJens Wiklander break; 2418*32b31808SJens Wiklander #endif 2419*32b31808SJens Wiklander 2420*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2421*32b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA1: 2422*32b31808SJens Wiklander break; 2423*32b31808SJens Wiklander #endif 2424*32b31808SJens Wiklander 2425*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2426*32b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA224: 2427*32b31808SJens Wiklander break; 2428*32b31808SJens Wiklander #endif 2429*32b31808SJens Wiklander 2430*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2431*32b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA256: 2432*32b31808SJens Wiklander break; 2433*32b31808SJens Wiklander #endif 2434*32b31808SJens Wiklander 2435*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2436*32b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA384: 2437*32b31808SJens Wiklander break; 2438*32b31808SJens Wiklander #endif 2439*32b31808SJens Wiklander 2440*32b31808SJens Wiklander #if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA) 2441*32b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA512: 2442*32b31808SJens Wiklander break; 2443*32b31808SJens Wiklander #endif 2444*32b31808SJens Wiklander 2445*32b31808SJens Wiklander default: 2446*32b31808SJens Wiklander return 0; 2447*32b31808SJens Wiklander } 2448*32b31808SJens Wiklander 2449*32b31808SJens Wiklander switch (sig) { 2450*32b31808SJens Wiklander #if defined(MBEDTLS_RSA_C) 2451*32b31808SJens Wiklander case MBEDTLS_SSL_SIG_RSA: 2452*32b31808SJens Wiklander break; 2453*32b31808SJens Wiklander #endif 2454*32b31808SJens Wiklander 2455*32b31808SJens Wiklander #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 2456*32b31808SJens Wiklander case MBEDTLS_SSL_SIG_ECDSA: 2457*32b31808SJens Wiklander break; 2458*32b31808SJens Wiklander #endif 2459*32b31808SJens Wiklander 2460*32b31808SJens Wiklander default: 2461*32b31808SJens Wiklander return 0; 2462*32b31808SJens Wiklander } 2463*32b31808SJens Wiklander 2464*32b31808SJens Wiklander return 1; 2465*32b31808SJens Wiklander } 2466*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2467*32b31808SJens Wiklander 2468*32b31808SJens Wiklander static inline int mbedtls_ssl_sig_alg_is_supported( 2469*32b31808SJens Wiklander const mbedtls_ssl_context *ssl, 2470*32b31808SJens Wiklander const uint16_t sig_alg) 2471*32b31808SJens Wiklander { 2472*32b31808SJens Wiklander 2473*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2474*32b31808SJens Wiklander if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2475*32b31808SJens Wiklander return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg); 2476*32b31808SJens Wiklander } 2477*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2478*32b31808SJens Wiklander 2479*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2480*32b31808SJens Wiklander if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2481*32b31808SJens Wiklander return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg); 2482*32b31808SJens Wiklander } 2483*32b31808SJens Wiklander #endif 2484*32b31808SJens Wiklander ((void) ssl); 2485*32b31808SJens Wiklander ((void) sig_alg); 2486*32b31808SJens Wiklander return 0; 2487*32b31808SJens Wiklander } 2488*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2489*32b31808SJens Wiklander 2490*32b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 2491*32b31808SJens Wiklander /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL. 2492*32b31808SJens Wiklander * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is 2493*32b31808SJens Wiklander * guaranteed to not be a valid PSA algorithm identifier. 2494*32b31808SJens Wiklander */ 2495*32b31808SJens Wiklander #define MBEDTLS_SSL_NULL_CIPHER 0x04000000 2496*32b31808SJens Wiklander 2497*32b31808SJens Wiklander /** 2498*32b31808SJens Wiklander * \brief Translate mbedtls cipher type/taglen pair to psa: 2499*32b31808SJens Wiklander * algorithm, key type and key size. 2500*32b31808SJens Wiklander * 2501*32b31808SJens Wiklander * \param mbedtls_cipher_type [in] given mbedtls cipher type 2502*32b31808SJens Wiklander * \param taglen [in] given tag length 2503*32b31808SJens Wiklander * 0 - default tag length 2504*32b31808SJens Wiklander * \param alg [out] corresponding PSA alg 2505*32b31808SJens Wiklander * There is no corresponding PSA 2506*32b31808SJens Wiklander * alg for MBEDTLS_CIPHER_NULL, so 2507*32b31808SJens Wiklander * in this case MBEDTLS_SSL_NULL_CIPHER 2508*32b31808SJens Wiklander * is returned via this parameter 2509*32b31808SJens Wiklander * \param key_type [out] corresponding PSA key type 2510*32b31808SJens Wiklander * \param key_size [out] corresponding PSA key size 2511*32b31808SJens Wiklander * 2512*32b31808SJens Wiklander * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if 2513*32b31808SJens Wiklander * conversion is not supported. 2514*32b31808SJens Wiklander */ 2515*32b31808SJens Wiklander psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type, 2516*32b31808SJens Wiklander size_t taglen, 2517*32b31808SJens Wiklander psa_algorithm_t *alg, 2518*32b31808SJens Wiklander psa_key_type_t *key_type, 2519*32b31808SJens Wiklander size_t *key_size); 2520*32b31808SJens Wiklander 2521*32b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2522*32b31808SJens Wiklander /** 2523*32b31808SJens Wiklander * \brief Convert given PSA status to mbedtls error code. 2524*32b31808SJens Wiklander * 2525*32b31808SJens Wiklander * \param status [in] given PSA status 2526*32b31808SJens Wiklander * 2527*32b31808SJens Wiklander * \return corresponding mbedtls error code 2528*32b31808SJens Wiklander */ 2529*32b31808SJens Wiklander static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status) 2530*32b31808SJens Wiklander { 2531*32b31808SJens Wiklander switch (status) { 2532*32b31808SJens Wiklander case PSA_SUCCESS: 2533*32b31808SJens Wiklander return 0; 2534*32b31808SJens Wiklander case PSA_ERROR_INSUFFICIENT_MEMORY: 2535*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2536*32b31808SJens Wiklander case PSA_ERROR_NOT_SUPPORTED: 2537*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2538*32b31808SJens Wiklander case PSA_ERROR_INVALID_SIGNATURE: 2539*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INVALID_MAC; 2540*32b31808SJens Wiklander case PSA_ERROR_INVALID_ARGUMENT: 2541*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2542*32b31808SJens Wiklander case PSA_ERROR_BAD_STATE: 2543*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2544*32b31808SJens Wiklander case PSA_ERROR_BUFFER_TOO_SMALL: 2545*32b31808SJens Wiklander return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 2546*32b31808SJens Wiklander default: 2547*32b31808SJens Wiklander return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 2548*32b31808SJens Wiklander } 2549*32b31808SJens Wiklander } 2550*32b31808SJens Wiklander #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 2551*32b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ 2552*32b31808SJens Wiklander 2553*32b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 2554*32b31808SJens Wiklander defined(MBEDTLS_USE_PSA_CRYPTO) 2555*32b31808SJens Wiklander 2556*32b31808SJens Wiklander typedef enum { 2557*32b31808SJens Wiklander MBEDTLS_ECJPAKE_ROUND_ONE, 2558*32b31808SJens Wiklander MBEDTLS_ECJPAKE_ROUND_TWO 2559*32b31808SJens Wiklander } mbedtls_ecjpake_rounds_t; 2560*32b31808SJens Wiklander 2561*32b31808SJens Wiklander /** 2562*32b31808SJens Wiklander * \brief Parse the provided input buffer for getting the first round 2563*32b31808SJens Wiklander * of key exchange. This code is common between server and client 2564*32b31808SJens Wiklander * 2565*32b31808SJens Wiklander * \param pake_ctx [in] the PAKE's operation/context structure 2566*32b31808SJens Wiklander * \param buf [in] input buffer to parse 2567*32b31808SJens Wiklander * \param len [in] length of the input buffer 2568*32b31808SJens Wiklander * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or 2569*32b31808SJens Wiklander * MBEDTLS_ECJPAKE_ROUND_TWO 2570*32b31808SJens Wiklander * 2571*32b31808SJens Wiklander * \return 0 on success or a negative error code in case of failure 2572*32b31808SJens Wiklander */ 2573*32b31808SJens Wiklander int mbedtls_psa_ecjpake_read_round( 2574*32b31808SJens Wiklander psa_pake_operation_t *pake_ctx, 2575*32b31808SJens Wiklander const unsigned char *buf, 2576*32b31808SJens Wiklander size_t len, mbedtls_ecjpake_rounds_t round); 2577*32b31808SJens Wiklander 2578*32b31808SJens Wiklander /** 2579*32b31808SJens Wiklander * \brief Write the first round of key exchange into the provided output 2580*32b31808SJens Wiklander * buffer. This code is common between server and client 2581*32b31808SJens Wiklander * 2582*32b31808SJens Wiklander * \param pake_ctx [in] the PAKE's operation/context structure 2583*32b31808SJens Wiklander * \param buf [out] the output buffer in which data will be written to 2584*32b31808SJens Wiklander * \param len [in] length of the output buffer 2585*32b31808SJens Wiklander * \param olen [out] the length of the data really written on the buffer 2586*32b31808SJens Wiklander * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or 2587*32b31808SJens Wiklander * MBEDTLS_ECJPAKE_ROUND_TWO 2588*32b31808SJens Wiklander * 2589*32b31808SJens Wiklander * \return 0 on success or a negative error code in case of failure 2590*32b31808SJens Wiklander */ 2591*32b31808SJens Wiklander int mbedtls_psa_ecjpake_write_round( 2592*32b31808SJens Wiklander psa_pake_operation_t *pake_ctx, 2593*32b31808SJens Wiklander unsigned char *buf, 2594*32b31808SJens Wiklander size_t len, size_t *olen, 2595*32b31808SJens Wiklander mbedtls_ecjpake_rounds_t round); 2596*32b31808SJens Wiklander 2597*32b31808SJens Wiklander #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO 2598*32b31808SJens Wiklander 2599*32b31808SJens Wiklander /** 2600*32b31808SJens Wiklander * \brief TLS record protection modes 2601*32b31808SJens Wiklander */ 2602*32b31808SJens Wiklander typedef enum { 2603*32b31808SJens Wiklander MBEDTLS_SSL_MODE_STREAM = 0, 2604*32b31808SJens Wiklander MBEDTLS_SSL_MODE_CBC, 2605*32b31808SJens Wiklander MBEDTLS_SSL_MODE_CBC_ETM, 2606*32b31808SJens Wiklander MBEDTLS_SSL_MODE_AEAD 2607*32b31808SJens Wiklander } mbedtls_ssl_mode_t; 2608*32b31808SJens Wiklander 2609*32b31808SJens Wiklander mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform( 2610*32b31808SJens Wiklander const mbedtls_ssl_transform *transform); 2611*32b31808SJens Wiklander 2612*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2613*32b31808SJens Wiklander mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2614*32b31808SJens Wiklander int encrypt_then_mac, 2615*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite); 2616*32b31808SJens Wiklander #else 2617*32b31808SJens Wiklander mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2618*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite); 2619*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 2620*32b31808SJens Wiklander 2621*32b31808SJens Wiklander #if defined(MBEDTLS_ECDH_C) 2622*32b31808SJens Wiklander 2623*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2624*32b31808SJens Wiklander int mbedtls_ssl_tls13_read_public_ecdhe_share(mbedtls_ssl_context *ssl, 2625*32b31808SJens Wiklander const unsigned char *buf, 2626*32b31808SJens Wiklander size_t buf_len); 2627*32b31808SJens Wiklander 2628*32b31808SJens Wiklander #endif /* MBEDTLS_ECDH_C */ 2629*32b31808SJens Wiklander 2630*32b31808SJens Wiklander static inline int mbedtls_ssl_tls13_cipher_suite_is_offered( 2631*32b31808SJens Wiklander mbedtls_ssl_context *ssl, int cipher_suite) 2632*32b31808SJens Wiklander { 2633*32b31808SJens Wiklander const int *ciphersuite_list = ssl->conf->ciphersuite_list; 2634*32b31808SJens Wiklander 2635*32b31808SJens Wiklander /* Check whether we have offered this ciphersuite */ 2636*32b31808SJens Wiklander for (size_t i = 0; ciphersuite_list[i] != 0; i++) { 2637*32b31808SJens Wiklander if (ciphersuite_list[i] == cipher_suite) { 2638*32b31808SJens Wiklander return 1; 2639*32b31808SJens Wiklander } 2640*32b31808SJens Wiklander } 2641*32b31808SJens Wiklander return 0; 2642*32b31808SJens Wiklander } 2643*32b31808SJens Wiklander 2644*32b31808SJens Wiklander /** 2645*32b31808SJens Wiklander * \brief Validate cipher suite against config in SSL context. 2646*32b31808SJens Wiklander * 2647*32b31808SJens Wiklander * \param ssl SSL context 2648*32b31808SJens Wiklander * \param suite_info Cipher suite to validate 2649*32b31808SJens Wiklander * \param min_tls_version Minimal TLS version to accept a cipher suite 2650*32b31808SJens Wiklander * \param max_tls_version Maximal TLS version to accept a cipher suite 2651*32b31808SJens Wiklander * 2652*32b31808SJens Wiklander * \return 0 if valid, negative value otherwise. 2653*32b31808SJens Wiklander */ 2654*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2655*32b31808SJens Wiklander int mbedtls_ssl_validate_ciphersuite( 2656*32b31808SJens Wiklander const mbedtls_ssl_context *ssl, 2657*32b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite_info, 2658*32b31808SJens Wiklander mbedtls_ssl_protocol_version min_tls_version, 2659*32b31808SJens Wiklander mbedtls_ssl_protocol_version max_tls_version); 2660*32b31808SJens Wiklander 2661*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2662*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2663*32b31808SJens Wiklander int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl, 2664*32b31808SJens Wiklander const unsigned char *buf, 2665*32b31808SJens Wiklander const unsigned char *end); 2666*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 2667*32b31808SJens Wiklander 2668*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 2669*32b31808SJens Wiklander #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2) 2670*32b31808SJens Wiklander #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) 2671*32b31808SJens Wiklander 2672*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2673*32b31808SJens Wiklander int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl, 2674*32b31808SJens Wiklander const unsigned char *buf, 2675*32b31808SJens Wiklander const unsigned char *end); 2676*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 2677*32b31808SJens Wiklander 2678*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_ALPN) 2679*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2680*32b31808SJens Wiklander int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, 2681*32b31808SJens Wiklander const unsigned char *buf, 2682*32b31808SJens Wiklander const unsigned char *end); 2683*32b31808SJens Wiklander 2684*32b31808SJens Wiklander 2685*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2686*32b31808SJens Wiklander int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl, 2687*32b31808SJens Wiklander unsigned char *buf, 2688*32b31808SJens Wiklander unsigned char *end, 2689*32b31808SJens Wiklander size_t *out_len); 2690*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_ALPN */ 2691*32b31808SJens Wiklander 2692*32b31808SJens Wiklander #if defined(MBEDTLS_TEST_HOOKS) 2693*32b31808SJens Wiklander int mbedtls_ssl_check_dtls_clihlo_cookie( 2694*32b31808SJens Wiklander mbedtls_ssl_context *ssl, 2695*32b31808SJens Wiklander const unsigned char *cli_id, size_t cli_id_len, 2696*32b31808SJens Wiklander const unsigned char *in, size_t in_len, 2697*32b31808SJens Wiklander unsigned char *obuf, size_t buf_len, size_t *olen); 2698*32b31808SJens Wiklander #endif 2699*32b31808SJens Wiklander 2700*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 2701*32b31808SJens Wiklander /** 2702*32b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS 2703*32b31808SJens Wiklander * 1.3 specific Pre-Shared key extension. 2704*32b31808SJens Wiklander * 2705*32b31808SJens Wiklander * \param[in] ssl SSL context 2706*32b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the extension 2707*32b31808SJens Wiklander * \param[in] end End address of the buffer where to write the extension 2708*32b31808SJens Wiklander * \param[out] out_len Length in bytes of the Pre-Shared key extension: data 2709*32b31808SJens Wiklander * written into the buffer \p buf by this function plus 2710*32b31808SJens Wiklander * the length of the binders to be written. 2711*32b31808SJens Wiklander * \param[out] binders_len Length of the binders to be written at the end of 2712*32b31808SJens Wiklander * the extension. 2713*32b31808SJens Wiklander */ 2714*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2715*32b31808SJens Wiklander int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( 2716*32b31808SJens Wiklander mbedtls_ssl_context *ssl, 2717*32b31808SJens Wiklander unsigned char *buf, unsigned char *end, 2718*32b31808SJens Wiklander size_t *out_len, size_t *binders_len); 2719*32b31808SJens Wiklander 2720*32b31808SJens Wiklander /** 2721*32b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS 2722*32b31808SJens Wiklander * 1.3 specific Pre-Shared key extension binders at the end of the 2723*32b31808SJens Wiklander * ClientHello. 2724*32b31808SJens Wiklander * 2725*32b31808SJens Wiklander * \param[in] ssl SSL context 2726*32b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the binders 2727*32b31808SJens Wiklander * \param[in] end End address of the buffer where to write the binders 2728*32b31808SJens Wiklander */ 2729*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2730*32b31808SJens Wiklander int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( 2731*32b31808SJens Wiklander mbedtls_ssl_context *ssl, 2732*32b31808SJens Wiklander unsigned char *buf, unsigned char *end); 2733*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 2734*32b31808SJens Wiklander 2735*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 2736*32b31808SJens Wiklander defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 2737*32b31808SJens Wiklander defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ 2738*32b31808SJens Wiklander defined(MBEDTLS_SSL_CLI_C) 2739*32b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2740*32b31808SJens Wiklander int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, 2741*32b31808SJens Wiklander const char *hostname); 2742*32b31808SJens Wiklander #endif 2743*32b31808SJens Wiklander 2744*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 2745*32b31808SJens Wiklander static inline unsigned int mbedtls_ssl_session_get_ticket_flags( 2746*32b31808SJens Wiklander mbedtls_ssl_session *session, unsigned int flags) 2747*32b31808SJens Wiklander { 2748*32b31808SJens Wiklander return session->ticket_flags & 2749*32b31808SJens Wiklander (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 2750*32b31808SJens Wiklander } 2751*32b31808SJens Wiklander 2752*32b31808SJens Wiklander static inline void mbedtls_ssl_session_set_ticket_flags( 2753*32b31808SJens Wiklander mbedtls_ssl_session *session, unsigned int flags) 2754*32b31808SJens Wiklander { 2755*32b31808SJens Wiklander session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 2756*32b31808SJens Wiklander } 2757*32b31808SJens Wiklander 2758*32b31808SJens Wiklander static inline void mbedtls_ssl_session_clear_ticket_flags( 2759*32b31808SJens Wiklander mbedtls_ssl_session *session, unsigned int flags) 2760*32b31808SJens Wiklander { 2761*32b31808SJens Wiklander session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 2762*32b31808SJens Wiklander } 2763*32b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 2764*32b31808SJens Wiklander 2765*32b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 2766*32b31808SJens Wiklander int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl); 2767*32b31808SJens Wiklander #endif 2768*32b31808SJens Wiklander 2769*32b31808SJens Wiklander #endif /* ssl_misc.h */ 2770