132b31808SJens Wiklander /** 232b31808SJens Wiklander * \file ssl_misc.h 332b31808SJens Wiklander * 432b31808SJens Wiklander * \brief Internal functions shared by the SSL modules 532b31808SJens Wiklander */ 632b31808SJens Wiklander /* 732b31808SJens Wiklander * Copyright The Mbed TLS Contributors 8b0563631STom Van Eyck * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 932b31808SJens Wiklander */ 1032b31808SJens Wiklander #ifndef MBEDTLS_SSL_MISC_H 1132b31808SJens Wiklander #define MBEDTLS_SSL_MISC_H 1232b31808SJens Wiklander 1332b31808SJens Wiklander #include "mbedtls/build_info.h" 14*c3deb3d6SEtienne Carriere #include "common.h" 1532b31808SJens Wiklander 16b0563631STom Van Eyck #include "mbedtls/error.h" 17b0563631STom Van Eyck 1832b31808SJens Wiklander #include "mbedtls/ssl.h" 1932b31808SJens Wiklander #include "mbedtls/cipher.h" 2032b31808SJens Wiklander 2132b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 2232b31808SJens Wiklander #include "psa/crypto.h" 23b0563631STom Van Eyck #include "psa_util_internal.h" 2432b31808SJens Wiklander #endif 2532b31808SJens Wiklander 26b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_MD5) 2732b31808SJens Wiklander #include "mbedtls/md5.h" 2832b31808SJens Wiklander #endif 2932b31808SJens Wiklander 30b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA1) 3132b31808SJens Wiklander #include "mbedtls/sha1.h" 3232b31808SJens Wiklander #endif 3332b31808SJens Wiklander 34b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA256) 3532b31808SJens Wiklander #include "mbedtls/sha256.h" 3632b31808SJens Wiklander #endif 3732b31808SJens Wiklander 38b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA512) 3932b31808SJens Wiklander #include "mbedtls/sha512.h" 4032b31808SJens Wiklander #endif 4132b31808SJens Wiklander 4232b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 4332b31808SJens Wiklander !defined(MBEDTLS_USE_PSA_CRYPTO) 4432b31808SJens Wiklander #include "mbedtls/ecjpake.h" 4532b31808SJens Wiklander #endif 4632b31808SJens Wiklander 4732b31808SJens Wiklander #include "mbedtls/pk.h" 48b0563631STom Van Eyck #include "ssl_ciphersuites_internal.h" 49b0563631STom Van Eyck #include "x509_internal.h" 50b0563631STom Van Eyck #include "pk_internal.h" 51*c3deb3d6SEtienne Carriere 5232b31808SJens Wiklander 5332b31808SJens Wiklander /* Shorthand for restartable ECC */ 5432b31808SJens Wiklander #if defined(MBEDTLS_ECP_RESTARTABLE) && \ 5532b31808SJens Wiklander defined(MBEDTLS_SSL_CLI_C) && \ 5632b31808SJens Wiklander defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 5732b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 5832b31808SJens Wiklander #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED 5932b31808SJens Wiklander #endif 6032b31808SJens Wiklander 6132b31808SJens Wiklander #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0 6232b31808SJens Wiklander #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */ 6332b31808SJens Wiklander #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */ 6432b31808SJens Wiklander #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ 6532b31808SJens Wiklander 6632b31808SJens Wiklander /* Faked handshake message identity for HelloRetryRequest. */ 6732b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO) 6832b31808SJens Wiklander 6932b31808SJens Wiklander /* 7032b31808SJens Wiklander * Internal identity of handshake extensions 7132b31808SJens Wiklander */ 7232b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0 7332b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1 7432b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1 7532b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2 7632b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3 7732b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4 7832b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4 7932b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SIG_ALG 5 8032b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_USE_SRTP 6 8132b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7 8232b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_ALPN 8 8332b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SCT 9 8432b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10 8532b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11 8632b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_PADDING 12 8732b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13 8832b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14 8932b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15 9032b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_COOKIE 16 9132b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17 9232b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18 9332b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19 9432b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20 9532b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21 9632b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22 9732b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23 9832b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24 9932b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25 10032b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26 10132b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27 10232b31808SJens Wiklander #define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28 10332b31808SJens Wiklander 10432b31808SJens Wiklander /* Utility for translating IANA extension type. */ 10532b31808SJens Wiklander uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type); 10632b31808SJens Wiklander uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type); 10732b31808SJens Wiklander /* Macros used to define mask constants */ 10832b31808SJens Wiklander #define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id)) 10932b31808SJens Wiklander /* Reset value of extension mask */ 11032b31808SJens Wiklander #define MBEDTLS_SSL_EXT_MASK_NONE 0 11132b31808SJens Wiklander 11232b31808SJens Wiklander /* In messages containing extension requests, we should ignore unrecognized 11332b31808SJens Wiklander * extensions. In messages containing extension responses, unrecognized 11432b31808SJens Wiklander * extensions should result in handshake abortion. Messages containing 11532b31808SJens Wiklander * extension requests include ClientHello, CertificateRequest and 11632b31808SJens Wiklander * NewSessionTicket. Messages containing extension responses include 11732b31808SJens Wiklander * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate. 11832b31808SJens Wiklander * 11932b31808SJens Wiklander * RFC 8446 section 4.1.3 12032b31808SJens Wiklander * 12132b31808SJens Wiklander * The ServerHello MUST only include extensions which are required to establish 12232b31808SJens Wiklander * the cryptographic context and negotiate the protocol version. 12332b31808SJens Wiklander * 12432b31808SJens Wiklander * RFC 8446 section 4.2 12532b31808SJens Wiklander * 12632b31808SJens Wiklander * If an implementation receives an extension which it recognizes and which is 12732b31808SJens Wiklander * not specified for the message in which it appears, it MUST abort the handshake 12832b31808SJens Wiklander * with an "illegal_parameter" alert. 12932b31808SJens Wiklander */ 13032b31808SJens Wiklander 13132b31808SJens Wiklander /* Extensions that are not recognized by TLS 1.3 */ 13232b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \ 13332b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \ 13432b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \ 13532b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \ 13632b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \ 13732b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \ 13832b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED)) 13932b31808SJens Wiklander 14032b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for ClientHello */ 14132b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \ 14232b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \ 14332b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \ 14432b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 14532b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \ 14632b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \ 14732b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \ 14832b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \ 14932b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(ALPN) | \ 15032b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SCT) | \ 15132b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \ 15232b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \ 15332b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PADDING) | \ 15432b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 15532b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \ 15632b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \ 15732b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 15832b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(COOKIE) | \ 15932b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \ 16032b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \ 16132b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \ 16232b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \ 16332b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \ 16432b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 16532b31808SJens Wiklander 16632b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */ 16732b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \ 16832b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \ 16932b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \ 17032b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \ 17132b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \ 17232b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \ 17332b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(ALPN) | \ 17432b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \ 17532b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \ 17632b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 17732b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) 17832b31808SJens Wiklander 17932b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */ 18032b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \ 18132b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 18232b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \ 18332b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SCT) | \ 18432b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \ 18532b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \ 18632b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \ 18732b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 18832b31808SJens Wiklander 18932b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for Certificate */ 19032b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \ 19132b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 19232b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SCT)) 19332b31808SJens Wiklander 19432b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for ServerHello */ 19532b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \ 19632b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 19732b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \ 19832b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS)) 19932b31808SJens Wiklander 20032b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */ 20132b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \ 20232b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 20332b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(COOKIE) | \ 20432b31808SJens Wiklander MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS)) 20532b31808SJens Wiklander 20632b31808SJens Wiklander /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */ 20732b31808SJens Wiklander #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \ 20832b31808SJens Wiklander (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 20932b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 21032b31808SJens Wiklander 21132b31808SJens Wiklander /* 21232b31808SJens Wiklander * Helper macros for function call with return check. 21332b31808SJens Wiklander */ 21432b31808SJens Wiklander /* 21532b31808SJens Wiklander * Exit when return non-zero value 21632b31808SJens Wiklander */ 21732b31808SJens Wiklander #define MBEDTLS_SSL_PROC_CHK(f) \ 21832b31808SJens Wiklander do { \ 21932b31808SJens Wiklander ret = (f); \ 22032b31808SJens Wiklander if (ret != 0) \ 22132b31808SJens Wiklander { \ 22232b31808SJens Wiklander goto cleanup; \ 22332b31808SJens Wiklander } \ 22432b31808SJens Wiklander } while (0) 22532b31808SJens Wiklander /* 22632b31808SJens Wiklander * Exit when return negative value 22732b31808SJens Wiklander */ 22832b31808SJens Wiklander #define MBEDTLS_SSL_PROC_CHK_NEG(f) \ 22932b31808SJens Wiklander do { \ 23032b31808SJens Wiklander ret = (f); \ 23132b31808SJens Wiklander if (ret < 0) \ 23232b31808SJens Wiklander { \ 23332b31808SJens Wiklander goto cleanup; \ 23432b31808SJens Wiklander } \ 23532b31808SJens Wiklander } while (0) 23632b31808SJens Wiklander 23732b31808SJens Wiklander /* 23832b31808SJens Wiklander * DTLS retransmission states, see RFC 6347 4.2.4 23932b31808SJens Wiklander * 24032b31808SJens Wiklander * The SENDING state is merged in PREPARING for initial sends, 24132b31808SJens Wiklander * but is distinct for resends. 24232b31808SJens Wiklander * 24332b31808SJens Wiklander * Note: initial state is wrong for server, but is not used anyway. 24432b31808SJens Wiklander */ 24532b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_PREPARING 0 24632b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_SENDING 1 24732b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_WAITING 2 24832b31808SJens Wiklander #define MBEDTLS_SSL_RETRANS_FINISHED 3 24932b31808SJens Wiklander 25032b31808SJens Wiklander /* 25132b31808SJens Wiklander * Allow extra bytes for record, authentication and encryption overhead: 25232b31808SJens Wiklander * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256). 25332b31808SJens Wiklander */ 25432b31808SJens Wiklander 25532b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 25632b31808SJens Wiklander 25732b31808SJens Wiklander /* This macro determines whether CBC is supported. */ 258b0563631STom Van Eyck #if defined(MBEDTLS_SSL_HAVE_CBC) && \ 259b0563631STom Van Eyck (defined(MBEDTLS_SSL_HAVE_AES) || \ 260b0563631STom Van Eyck defined(MBEDTLS_SSL_HAVE_CAMELLIA) || \ 261b0563631STom Van Eyck defined(MBEDTLS_SSL_HAVE_ARIA)) 26232b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_CBC 26332b31808SJens Wiklander #endif 26432b31808SJens Wiklander 26532b31808SJens Wiklander /* This macro determines whether a ciphersuite using a 26632b31808SJens Wiklander * stream cipher can be used. */ 26732b31808SJens Wiklander #if defined(MBEDTLS_CIPHER_NULL_CIPHER) 26832b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM 26932b31808SJens Wiklander #endif 27032b31808SJens Wiklander 27132b31808SJens Wiklander /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */ 27232b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ 27332b31808SJens Wiklander defined(MBEDTLS_SSL_PROTO_TLS1_2) 27432b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC 27532b31808SJens Wiklander #endif 27632b31808SJens Wiklander 27732b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \ 27832b31808SJens Wiklander defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) 27932b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_MAC 28032b31808SJens Wiklander #endif 28132b31808SJens Wiklander 28232b31808SJens Wiklander /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */ 28332b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ 28432b31808SJens Wiklander defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 28532b31808SJens Wiklander #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM 28632b31808SJens Wiklander #endif 28732b31808SJens Wiklander 28832b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 28932b31808SJens Wiklander 29032b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 29132b31808SJens Wiklander /* Ciphersuites using HMAC */ 292b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA384) 29332b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */ 294b0563631STom Van Eyck #elif defined(MBEDTLS_MD_CAN_SHA256) 29532b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */ 29632b31808SJens Wiklander #else 29732b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */ 29832b31808SJens Wiklander #endif 29932b31808SJens Wiklander #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 30032b31808SJens Wiklander /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */ 30132b31808SJens Wiklander #define MBEDTLS_SSL_MAC_ADD 16 30232b31808SJens Wiklander #endif 30332b31808SJens Wiklander 304b0563631STom Van Eyck #if defined(MBEDTLS_SSL_HAVE_CBC) 30532b31808SJens Wiklander #define MBEDTLS_SSL_PADDING_ADD 256 30632b31808SJens Wiklander #else 30732b31808SJens Wiklander #define MBEDTLS_SSL_PADDING_ADD 0 30832b31808SJens Wiklander #endif 30932b31808SJens Wiklander 31032b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 31132b31808SJens Wiklander #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 31232b31808SJens Wiklander #else 31332b31808SJens Wiklander #define MBEDTLS_SSL_MAX_CID_EXPANSION 0 31432b31808SJens Wiklander #endif 31532b31808SJens Wiklander 31632b31808SJens Wiklander #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \ 31732b31808SJens Wiklander MBEDTLS_SSL_MAC_ADD + \ 31832b31808SJens Wiklander MBEDTLS_SSL_PADDING_ADD + \ 31932b31808SJens Wiklander MBEDTLS_SSL_MAX_CID_EXPANSION \ 32032b31808SJens Wiklander ) 32132b31808SJens Wiklander 32232b31808SJens Wiklander #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 32332b31808SJens Wiklander (MBEDTLS_SSL_IN_CONTENT_LEN)) 32432b31808SJens Wiklander 32532b31808SJens Wiklander #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 32632b31808SJens Wiklander (MBEDTLS_SSL_OUT_CONTENT_LEN)) 32732b31808SJens Wiklander 32832b31808SJens Wiklander /* The maximum number of buffered handshake messages. */ 32932b31808SJens Wiklander #define MBEDTLS_SSL_MAX_BUFFERED_HS 4 33032b31808SJens Wiklander 33132b31808SJens Wiklander /* Maximum length we can advertise as our max content length for 33232b31808SJens Wiklander RFC 6066 max_fragment_length extension negotiation purposes 33332b31808SJens Wiklander (the lesser of both sizes, if they are unequal.) 33432b31808SJens Wiklander */ 33532b31808SJens Wiklander #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \ 33632b31808SJens Wiklander (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \ 33732b31808SJens Wiklander ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \ 33832b31808SJens Wiklander : (MBEDTLS_SSL_IN_CONTENT_LEN) \ 33932b31808SJens Wiklander ) 34032b31808SJens Wiklander 34132b31808SJens Wiklander /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */ 34232b31808SJens Wiklander #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534 34332b31808SJens Wiklander 34432b31808SJens Wiklander /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */ 34532b31808SJens Wiklander #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2 34632b31808SJens Wiklander 34732b31808SJens Wiklander /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */ 34832b31808SJens Wiklander #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535 34932b31808SJens Wiklander 35032b31808SJens Wiklander #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20 35132b31808SJens Wiklander 35232b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 35332b31808SJens Wiklander 35432b31808SJens Wiklander #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE 35532b31808SJens Wiklander 35632b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 35732b31808SJens Wiklander #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig) 35832b31808SJens Wiklander #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF) 35932b31808SJens Wiklander #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8) 36032b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 36132b31808SJens Wiklander 36232b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 36332b31808SJens Wiklander 36432b31808SJens Wiklander /* 36532b31808SJens Wiklander * Check that we obey the standard's message size bounds 36632b31808SJens Wiklander */ 36732b31808SJens Wiklander 36832b31808SJens Wiklander #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384 36932b31808SJens Wiklander #error "Bad configuration - incoming record content too large." 37032b31808SJens Wiklander #endif 37132b31808SJens Wiklander 37232b31808SJens Wiklander #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384 37332b31808SJens Wiklander #error "Bad configuration - outgoing record content too large." 37432b31808SJens Wiklander #endif 37532b31808SJens Wiklander 37632b31808SJens Wiklander #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048 37732b31808SJens Wiklander #error "Bad configuration - incoming protected record payload too large." 37832b31808SJens Wiklander #endif 37932b31808SJens Wiklander 38032b31808SJens Wiklander #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048 38132b31808SJens Wiklander #error "Bad configuration - outgoing protected record payload too large." 38232b31808SJens Wiklander #endif 38332b31808SJens Wiklander 38432b31808SJens Wiklander /* Calculate buffer sizes */ 38532b31808SJens Wiklander 38632b31808SJens Wiklander /* Note: Even though the TLS record header is only 5 bytes 38732b31808SJens Wiklander long, we're internally using 8 bytes to store the 38832b31808SJens Wiklander implicit sequence number. */ 38932b31808SJens Wiklander #define MBEDTLS_SSL_HEADER_LEN 13 39032b31808SJens Wiklander 39132b31808SJens Wiklander #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 39232b31808SJens Wiklander #define MBEDTLS_SSL_IN_BUFFER_LEN \ 39332b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN)) 39432b31808SJens Wiklander #else 39532b31808SJens Wiklander #define MBEDTLS_SSL_IN_BUFFER_LEN \ 39632b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \ 39732b31808SJens Wiklander + (MBEDTLS_SSL_CID_IN_LEN_MAX)) 39832b31808SJens Wiklander #endif 39932b31808SJens Wiklander 40032b31808SJens Wiklander #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 40132b31808SJens Wiklander #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 40232b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN)) 40332b31808SJens Wiklander #else 40432b31808SJens Wiklander #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 40532b31808SJens Wiklander ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \ 40632b31808SJens Wiklander + (MBEDTLS_SSL_CID_OUT_LEN_MAX)) 40732b31808SJens Wiklander #endif 40832b31808SJens Wiklander 40932b31808SJens Wiklander #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32 41032b31808SJens Wiklander #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32 41132b31808SJens Wiklander 41232b31808SJens Wiklander #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 41332b31808SJens Wiklander /** 41432b31808SJens Wiklander * \brief Return the maximum fragment length (payload, in bytes) for 41532b31808SJens Wiklander * the output buffer. For the client, this is the configured 41632b31808SJens Wiklander * value. For the server, it is the minimum of two - the 41732b31808SJens Wiklander * configured value and the negotiated one. 41832b31808SJens Wiklander * 41932b31808SJens Wiklander * \sa mbedtls_ssl_conf_max_frag_len() 42032b31808SJens Wiklander * \sa mbedtls_ssl_get_max_out_record_payload() 42132b31808SJens Wiklander * 42232b31808SJens Wiklander * \param ssl SSL context 42332b31808SJens Wiklander * 42432b31808SJens Wiklander * \return Current maximum fragment length for the output buffer. 42532b31808SJens Wiklander */ 42632b31808SJens Wiklander size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl); 42732b31808SJens Wiklander 42832b31808SJens Wiklander /** 42932b31808SJens Wiklander * \brief Return the maximum fragment length (payload, in bytes) for 43032b31808SJens Wiklander * the input buffer. This is the negotiated maximum fragment 43132b31808SJens Wiklander * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN. 43232b31808SJens Wiklander * If it is not defined either, the value is 2^14. This function 43332b31808SJens Wiklander * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). 43432b31808SJens Wiklander * 43532b31808SJens Wiklander * \sa mbedtls_ssl_conf_max_frag_len() 43632b31808SJens Wiklander * \sa mbedtls_ssl_get_max_in_record_payload() 43732b31808SJens Wiklander * 43832b31808SJens Wiklander * \param ssl SSL context 43932b31808SJens Wiklander * 44032b31808SJens Wiklander * \return Current maximum fragment length for the output buffer. 44132b31808SJens Wiklander */ 44232b31808SJens Wiklander size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl); 44332b31808SJens Wiklander #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 44432b31808SJens Wiklander 445b0563631STom Van Eyck #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 446b0563631STom Van Eyck /** 447b0563631STom Van Eyck * \brief Get the size limit in bytes for the protected outgoing records 448b0563631STom Van Eyck * as defined in RFC 8449 449b0563631STom Van Eyck * 450b0563631STom Van Eyck * \param ssl SSL context 451b0563631STom Van Eyck * 452b0563631STom Van Eyck * \return The size limit in bytes for the protected outgoing 453b0563631STom Van Eyck * records as defined in RFC 8449. 454b0563631STom Van Eyck */ 455b0563631STom Van Eyck size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl); 456b0563631STom Van Eyck #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 457b0563631STom Van Eyck 45832b31808SJens Wiklander #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 45932b31808SJens Wiklander static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx) 46032b31808SJens Wiklander { 46132b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 46232b31808SJens Wiklander return mbedtls_ssl_get_output_max_frag_len(ctx) 46332b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD 46432b31808SJens Wiklander + MBEDTLS_SSL_CID_OUT_LEN_MAX; 46532b31808SJens Wiklander #else 46632b31808SJens Wiklander return mbedtls_ssl_get_output_max_frag_len(ctx) 46732b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; 46832b31808SJens Wiklander #endif 46932b31808SJens Wiklander } 47032b31808SJens Wiklander 47132b31808SJens Wiklander static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx) 47232b31808SJens Wiklander { 47332b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 47432b31808SJens Wiklander return mbedtls_ssl_get_input_max_frag_len(ctx) 47532b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD 47632b31808SJens Wiklander + MBEDTLS_SSL_CID_IN_LEN_MAX; 47732b31808SJens Wiklander #else 47832b31808SJens Wiklander return mbedtls_ssl_get_input_max_frag_len(ctx) 47932b31808SJens Wiklander + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; 48032b31808SJens Wiklander #endif 48132b31808SJens Wiklander } 48232b31808SJens Wiklander #endif 48332b31808SJens Wiklander 48432b31808SJens Wiklander /* 48532b31808SJens Wiklander * TLS extension flags (for extensions with outgoing ServerHello content 48632b31808SJens Wiklander * that need it (e.g. for RENEGOTIATION_INFO the server already knows because 48732b31808SJens Wiklander * of state of the renegotiation flag, so no indicator is required) 48832b31808SJens Wiklander */ 48932b31808SJens Wiklander #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) 49032b31808SJens Wiklander #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1) 49132b31808SJens Wiklander 49232b31808SJens Wiklander /** 49332b31808SJens Wiklander * \brief This function checks if the remaining size in a buffer is 49432b31808SJens Wiklander * greater or equal than a needed space. 49532b31808SJens Wiklander * 49632b31808SJens Wiklander * \param cur Pointer to the current position in the buffer. 49732b31808SJens Wiklander * \param end Pointer to one past the end of the buffer. 49832b31808SJens Wiklander * \param need Needed space in bytes. 49932b31808SJens Wiklander * 50032b31808SJens Wiklander * \return Zero if the needed space is available in the buffer, non-zero 50132b31808SJens Wiklander * otherwise. 50232b31808SJens Wiklander */ 50332b31808SJens Wiklander #if !defined(MBEDTLS_TEST_HOOKS) 50432b31808SJens Wiklander static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur, 50532b31808SJens Wiklander const uint8_t *end, size_t need) 50632b31808SJens Wiklander { 50732b31808SJens Wiklander return (cur > end) || (need > (size_t) (end - cur)); 50832b31808SJens Wiklander } 50932b31808SJens Wiklander #else 51032b31808SJens Wiklander typedef struct { 51132b31808SJens Wiklander const uint8_t *cur; 51232b31808SJens Wiklander const uint8_t *end; 51332b31808SJens Wiklander size_t need; 51432b31808SJens Wiklander } mbedtls_ssl_chk_buf_ptr_args; 51532b31808SJens Wiklander 51632b31808SJens Wiklander void mbedtls_ssl_set_chk_buf_ptr_fail_args( 51732b31808SJens Wiklander const uint8_t *cur, const uint8_t *end, size_t need); 51832b31808SJens Wiklander void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void); 51932b31808SJens Wiklander 52032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 52132b31808SJens Wiklander int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args); 52232b31808SJens Wiklander 52332b31808SJens Wiklander static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur, 52432b31808SJens Wiklander const uint8_t *end, size_t need) 52532b31808SJens Wiklander { 52632b31808SJens Wiklander if ((cur > end) || (need > (size_t) (end - cur))) { 52732b31808SJens Wiklander mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need); 52832b31808SJens Wiklander return 1; 52932b31808SJens Wiklander } 53032b31808SJens Wiklander return 0; 53132b31808SJens Wiklander } 53232b31808SJens Wiklander #endif /* MBEDTLS_TEST_HOOKS */ 53332b31808SJens Wiklander 53432b31808SJens Wiklander /** 53532b31808SJens Wiklander * \brief This macro checks if the remaining size in a buffer is 53632b31808SJens Wiklander * greater or equal than a needed space. If it is not the case, 53732b31808SJens Wiklander * it returns an SSL_BUFFER_TOO_SMALL error. 53832b31808SJens Wiklander * 53932b31808SJens Wiklander * \param cur Pointer to the current position in the buffer. 54032b31808SJens Wiklander * \param end Pointer to one past the end of the buffer. 54132b31808SJens Wiklander * \param need Needed space in bytes. 54232b31808SJens Wiklander * 54332b31808SJens Wiklander */ 54432b31808SJens Wiklander #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \ 54532b31808SJens Wiklander do { \ 54632b31808SJens Wiklander if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \ 54732b31808SJens Wiklander { \ 54832b31808SJens Wiklander return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \ 54932b31808SJens Wiklander } \ 55032b31808SJens Wiklander } while (0) 55132b31808SJens Wiklander 55232b31808SJens Wiklander /** 55332b31808SJens Wiklander * \brief This macro checks if the remaining length in an input buffer is 55432b31808SJens Wiklander * greater or equal than a needed length. If it is not the case, it 55532b31808SJens Wiklander * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a 55632b31808SJens Wiklander * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message. 55732b31808SJens Wiklander * 55832b31808SJens Wiklander * This is a function-like macro. It is guaranteed to evaluate each 55932b31808SJens Wiklander * argument exactly once. 56032b31808SJens Wiklander * 56132b31808SJens Wiklander * \param cur Pointer to the current position in the buffer. 56232b31808SJens Wiklander * \param end Pointer to one past the end of the buffer. 56332b31808SJens Wiklander * \param need Needed length in bytes. 56432b31808SJens Wiklander * 56532b31808SJens Wiklander */ 56632b31808SJens Wiklander #define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \ 56732b31808SJens Wiklander do { \ 56832b31808SJens Wiklander if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \ 56932b31808SJens Wiklander { \ 57032b31808SJens Wiklander MBEDTLS_SSL_DEBUG_MSG(1, \ 57132b31808SJens Wiklander ("missing input data in %s", __func__)); \ 57232b31808SJens Wiklander MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ 57332b31808SJens Wiklander MBEDTLS_ERR_SSL_DECODE_ERROR); \ 57432b31808SJens Wiklander return MBEDTLS_ERR_SSL_DECODE_ERROR; \ 57532b31808SJens Wiklander } \ 57632b31808SJens Wiklander } while (0) 57732b31808SJens Wiklander 57832b31808SJens Wiklander #ifdef __cplusplus 57932b31808SJens Wiklander extern "C" { 58032b31808SJens Wiklander #endif 58132b31808SJens Wiklander 58232b31808SJens Wiklander typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen, 58332b31808SJens Wiklander const char *label, 58432b31808SJens Wiklander const unsigned char *random, size_t rlen, 58532b31808SJens Wiklander unsigned char *dstbuf, size_t dlen); 58632b31808SJens Wiklander 58732b31808SJens Wiklander /* cipher.h exports the maximum IV, key and block length from 58832b31808SJens Wiklander * all ciphers enabled in the config, regardless of whether those 58932b31808SJens Wiklander * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled 59032b31808SJens Wiklander * in the default configuration and uses 64 Byte keys, but it is 59132b31808SJens Wiklander * not used for record protection in SSL/TLS. 59232b31808SJens Wiklander * 59332b31808SJens Wiklander * In order to prevent unnecessary inflation of key structures, 59432b31808SJens Wiklander * we introduce SSL-specific variants of the max-{key,block,IV} 59532b31808SJens Wiklander * macros here which are meant to only take those ciphers into 59632b31808SJens Wiklander * account which can be negotiated in SSL/TLS. 59732b31808SJens Wiklander * 59832b31808SJens Wiklander * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH 59932b31808SJens Wiklander * in cipher.h are rough overapproximations of the real maxima, here 60032b31808SJens Wiklander * we content ourselves with replicating those overapproximations 60132b31808SJens Wiklander * for the maximum block and IV length, and excluding XTS from the 60232b31808SJens Wiklander * computation of the maximum key length. */ 60332b31808SJens Wiklander #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16 60432b31808SJens Wiklander #define MBEDTLS_SSL_MAX_IV_LENGTH 16 60532b31808SJens Wiklander #define MBEDTLS_SSL_MAX_KEY_LENGTH 32 60632b31808SJens Wiklander 60732b31808SJens Wiklander /** 60832b31808SJens Wiklander * \brief The data structure holding the cryptographic material (key and IV) 60932b31808SJens Wiklander * used for record protection in TLS 1.3. 61032b31808SJens Wiklander */ 61132b31808SJens Wiklander struct mbedtls_ssl_key_set { 61232b31808SJens Wiklander /*! The key for client->server records. */ 61332b31808SJens Wiklander unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; 61432b31808SJens Wiklander /*! The key for server->client records. */ 61532b31808SJens Wiklander unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; 61632b31808SJens Wiklander /*! The IV for client->server records. */ 61732b31808SJens Wiklander unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; 61832b31808SJens Wiklander /*! The IV for server->client records. */ 61932b31808SJens Wiklander unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; 62032b31808SJens Wiklander 62132b31808SJens Wiklander size_t key_len; /*!< The length of client_write_key and 62232b31808SJens Wiklander * server_write_key, in Bytes. */ 62332b31808SJens Wiklander size_t iv_len; /*!< The length of client_write_iv and 62432b31808SJens Wiklander * server_write_iv, in Bytes. */ 62532b31808SJens Wiklander }; 62632b31808SJens Wiklander typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; 62732b31808SJens Wiklander 62832b31808SJens Wiklander typedef struct { 62932b31808SJens Wiklander unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 63032b31808SJens Wiklander unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 63132b31808SJens Wiklander unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 63232b31808SJens Wiklander } mbedtls_ssl_tls13_early_secrets; 63332b31808SJens Wiklander 63432b31808SJens Wiklander typedef struct { 63532b31808SJens Wiklander unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 63632b31808SJens Wiklander unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 63732b31808SJens Wiklander } mbedtls_ssl_tls13_handshake_secrets; 63832b31808SJens Wiklander 63932b31808SJens Wiklander /* 64032b31808SJens Wiklander * This structure contains the parameters only needed during handshake. 64132b31808SJens Wiklander */ 64232b31808SJens Wiklander struct mbedtls_ssl_handshake_params { 64332b31808SJens Wiklander /* Frequently-used boolean or byte fields (placed early to take 64432b31808SJens Wiklander * advantage of smaller code size for indirect access on Arm Thumb) */ 64532b31808SJens Wiklander uint8_t resume; /*!< session resume indicator*/ 64632b31808SJens Wiklander uint8_t cli_exts; /*!< client extension presence*/ 64732b31808SJens Wiklander 64832b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 64932b31808SJens Wiklander uint8_t sni_authmode; /*!< authmode from SNI callback */ 65032b31808SJens Wiklander #endif 65132b31808SJens Wiklander 65232b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C) 65332b31808SJens Wiklander /* Flag indicating if a CertificateRequest message has been sent 65432b31808SJens Wiklander * to the client or not. */ 65532b31808SJens Wiklander uint8_t certificate_request_sent; 656b0563631STom Van Eyck #if defined(MBEDTLS_SSL_EARLY_DATA) 657b0563631STom Van Eyck /* Flag indicating if the server has accepted early data or not. */ 658b0563631STom Van Eyck uint8_t early_data_accepted; 659b0563631STom Van Eyck #endif 66032b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C */ 66132b31808SJens Wiklander 66232b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS) 66332b31808SJens Wiklander uint8_t new_session_ticket; /*!< use NewSessionTicket? */ 66432b31808SJens Wiklander #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 66532b31808SJens Wiklander 66632b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) 66732b31808SJens Wiklander /** Minimum TLS version to be negotiated. 66832b31808SJens Wiklander * 66932b31808SJens Wiklander * It is set up in the ClientHello writing preparation stage and used 67032b31808SJens Wiklander * throughout the ClientHello writing. Not relevant anymore as soon as 67132b31808SJens Wiklander * the protocol version has been negotiated thus as soon as the 67232b31808SJens Wiklander * ServerHello is received. 67332b31808SJens Wiklander * For a fresh handshake not linked to any previous handshake, it is 67432b31808SJens Wiklander * equal to the configured minimum minor version to be negotiated. When 67532b31808SJens Wiklander * renegotiating or resuming a session, it is equal to the previously 67632b31808SJens Wiklander * negotiated minor version. 67732b31808SJens Wiklander * 67832b31808SJens Wiklander * There is no maximum TLS version field in this handshake context. 67932b31808SJens Wiklander * From the start of the handshake, we need to define a current protocol 68032b31808SJens Wiklander * version for the record layer which we define as the maximum TLS 68132b31808SJens Wiklander * version to be negotiated. The `tls_version` field of the SSL context is 68232b31808SJens Wiklander * used to store this maximum value until it contains the actual 68332b31808SJens Wiklander * negotiated value. 68432b31808SJens Wiklander */ 68532b31808SJens Wiklander mbedtls_ssl_protocol_version min_tls_version; 68632b31808SJens Wiklander #endif 68732b31808SJens Wiklander 68832b31808SJens Wiklander #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 68932b31808SJens Wiklander uint8_t extended_ms; /*!< use Extended Master Secret? */ 69032b31808SJens Wiklander #endif 69132b31808SJens Wiklander 69232b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 69332b31808SJens Wiklander uint8_t async_in_progress; /*!< an asynchronous operation is in progress */ 69432b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 69532b31808SJens Wiklander 69632b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 69732b31808SJens Wiklander unsigned char retransmit_state; /*!< Retransmission state */ 69832b31808SJens Wiklander #endif 69932b31808SJens Wiklander 70032b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED) 70132b31808SJens Wiklander unsigned char group_list_heap_allocated; 70232b31808SJens Wiklander unsigned char sig_algs_heap_allocated; 70332b31808SJens Wiklander #endif 70432b31808SJens Wiklander 70532b31808SJens Wiklander #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 70632b31808SJens Wiklander uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */ 70732b31808SJens Wiklander enum { /* this complements ssl->state with info on intra-state operations */ 70832b31808SJens Wiklander ssl_ecrs_none = 0, /*!< nothing going on (yet) */ 70932b31808SJens Wiklander ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */ 71032b31808SJens Wiklander ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */ 71132b31808SJens Wiklander ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ 71232b31808SJens Wiklander ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ 71332b31808SJens Wiklander } ecrs_state; /*!< current (or last) operation */ 71432b31808SJens Wiklander mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ 71532b31808SJens Wiklander size_t ecrs_n; /*!< place for saving a length */ 71632b31808SJens Wiklander #endif 71732b31808SJens Wiklander 71832b31808SJens Wiklander mbedtls_ssl_ciphersuite_t const *ciphersuite_info; 71932b31808SJens Wiklander 72032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 72132b31808SJens Wiklander int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); 72232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 72332b31808SJens Wiklander int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); 72432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 72532b31808SJens Wiklander int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); 72632b31808SJens Wiklander mbedtls_ssl_tls_prf_cb *tls_prf; 72732b31808SJens Wiklander 72832b31808SJens Wiklander /* 72932b31808SJens Wiklander * Handshake specific crypto variables 73032b31808SJens Wiklander */ 73132b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 73232b31808SJens Wiklander uint8_t key_exchange_mode; /*!< Selected key exchange mode */ 73332b31808SJens Wiklander 734b0563631STom Van Eyck /** 735b0563631STom Van Eyck * Flag indicating if, in the course of the current handshake, an 736b0563631STom Van Eyck * HelloRetryRequest message has been sent by the server or received by 737b0563631STom Van Eyck * the client (<> 0) or not (0). 738b0563631STom Van Eyck */ 739b0563631STom Van Eyck uint8_t hello_retry_request_flag; 740b0563631STom Van Eyck 741b0563631STom Van Eyck #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 742b0563631STom Van Eyck /** 743b0563631STom Van Eyck * Flag indicating if, in the course of the current handshake, a dummy 744b0563631STom Van Eyck * change_cipher_spec (CCS) record has already been sent. Used to send only 745b0563631STom Van Eyck * one CCS per handshake while not complicating the handshake state 746b0563631STom Van Eyck * transitions for that purpose. 747b0563631STom Van Eyck */ 748b0563631STom Van Eyck uint8_t ccs_sent; 749b0563631STom Van Eyck #endif 75032b31808SJens Wiklander 75132b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C) 75232b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 75332b31808SJens Wiklander uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */ 75432b31808SJens Wiklander #endif 755b0563631STom Van Eyck /** selected_group of key_share extension in HelloRetryRequest message. */ 756b0563631STom Van Eyck uint16_t hrr_selected_group; 75732b31808SJens Wiklander #if defined(MBEDTLS_SSL_SESSION_TICKETS) 75832b31808SJens Wiklander uint16_t new_session_tickets_count; /*!< number of session tickets */ 75932b31808SJens Wiklander #endif 76032b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C */ 76132b31808SJens Wiklander 76232b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 76332b31808SJens Wiklander 76432b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 76532b31808SJens Wiklander uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE]; 76632b31808SJens Wiklander #endif 76732b31808SJens Wiklander 76832b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED) 76932b31808SJens Wiklander const uint16_t *group_list; 77032b31808SJens Wiklander const uint16_t *sig_algs; 77132b31808SJens Wiklander #endif 77232b31808SJens Wiklander 77332b31808SJens Wiklander #if defined(MBEDTLS_DHM_C) 77432b31808SJens Wiklander mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ 77532b31808SJens Wiklander #endif 77632b31808SJens Wiklander 777b0563631STom Van Eyck #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 778b0563631STom Van Eyck defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) 77932b31808SJens Wiklander mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ 780b0563631STom Van Eyck #endif /* !MBEDTLS_USE_PSA_CRYPTO && 781b0563631STom Van Eyck MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */ 78232b31808SJens Wiklander 783b0563631STom Van Eyck #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED) 784b0563631STom Van Eyck psa_key_type_t xxdh_psa_type; 785b0563631STom Van Eyck size_t xxdh_psa_bits; 786b0563631STom Van Eyck mbedtls_svc_key_id_t xxdh_psa_privkey; 787b0563631STom Van Eyck uint8_t xxdh_psa_privkey_is_external; 788b0563631STom Van Eyck unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; 789b0563631STom Van Eyck size_t xxdh_psa_peerkey_len; 790b0563631STom Van Eyck #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */ 79132b31808SJens Wiklander 79232b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 79332b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 79432b31808SJens Wiklander psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */ 79532b31808SJens Wiklander mbedtls_svc_key_id_t psa_pake_password; 79632b31808SJens Wiklander uint8_t psa_pake_ctx_is_ok; 79732b31808SJens Wiklander #else 79832b31808SJens Wiklander mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ 79932b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 80032b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) 80132b31808SJens Wiklander unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ 80232b31808SJens Wiklander size_t ecjpake_cache_len; /*!< Length of cached data */ 80332b31808SJens Wiklander #endif 80432b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 80532b31808SJens Wiklander 806b0563631STom Van Eyck #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \ 807b0563631STom Van Eyck defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) || \ 80832b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 80932b31808SJens Wiklander uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */ 81032b31808SJens Wiklander #endif 81132b31808SJens Wiklander 81232b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 81332b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 81432b31808SJens Wiklander mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ 81532b31808SJens Wiklander uint8_t psk_opaque_is_internal; 81632b31808SJens Wiklander #else 81732b31808SJens Wiklander unsigned char *psk; /*!< PSK from the callback */ 81832b31808SJens Wiklander size_t psk_len; /*!< Length of PSK from callback */ 81932b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 82032b31808SJens Wiklander uint16_t selected_identity; 82132b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 82232b31808SJens Wiklander 82332b31808SJens Wiklander #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 82432b31808SJens Wiklander mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */ 82532b31808SJens Wiklander #endif 82632b31808SJens Wiklander 82732b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C) 82832b31808SJens Wiklander mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ 82932b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 83032b31808SJens Wiklander mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ 83132b31808SJens Wiklander mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */ 83232b31808SJens Wiklander mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ 83332b31808SJens Wiklander #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 83432b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C */ 83532b31808SJens Wiklander 83632b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 83732b31808SJens Wiklander !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 83832b31808SJens Wiklander mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */ 83932b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 84032b31808SJens Wiklander 84132b31808SJens Wiklander struct { 84232b31808SJens Wiklander size_t total_bytes_buffered; /*!< Cumulative size of heap allocated 84332b31808SJens Wiklander * buffers used for message buffering. */ 84432b31808SJens Wiklander 84532b31808SJens Wiklander uint8_t seen_ccs; /*!< Indicates if a CCS message has 84632b31808SJens Wiklander * been seen in the current flight. */ 84732b31808SJens Wiklander 84832b31808SJens Wiklander struct mbedtls_ssl_hs_buffer { 84932b31808SJens Wiklander unsigned is_valid : 1; 85032b31808SJens Wiklander unsigned is_fragmented : 1; 85132b31808SJens Wiklander unsigned is_complete : 1; 85232b31808SJens Wiklander unsigned char *data; 85332b31808SJens Wiklander size_t data_len; 85432b31808SJens Wiklander } hs[MBEDTLS_SSL_MAX_BUFFERED_HS]; 85532b31808SJens Wiklander 85632b31808SJens Wiklander struct { 85732b31808SJens Wiklander unsigned char *data; 85832b31808SJens Wiklander size_t len; 85932b31808SJens Wiklander unsigned epoch; 86032b31808SJens Wiklander } future_record; 86132b31808SJens Wiklander 86232b31808SJens Wiklander } buffering; 86332b31808SJens Wiklander 86432b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) && \ 86532b31808SJens Wiklander (defined(MBEDTLS_SSL_PROTO_DTLS) || \ 86632b31808SJens Wiklander defined(MBEDTLS_SSL_PROTO_TLS1_3)) 86732b31808SJens Wiklander unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS 86832b31808SJens Wiklander * HelloRetryRequest cookie for TLS 1.3 */ 86932b31808SJens Wiklander #if !defined(MBEDTLS_SSL_PROTO_TLS1_3) 87032b31808SJens Wiklander /* RFC 6347 page 15 87132b31808SJens Wiklander ... 87232b31808SJens Wiklander opaque cookie<0..2^8-1>; 87332b31808SJens Wiklander ... 87432b31808SJens Wiklander */ 87532b31808SJens Wiklander uint8_t cookie_len; 87632b31808SJens Wiklander #else 87732b31808SJens Wiklander /* RFC 8446 page 39 87832b31808SJens Wiklander ... 87932b31808SJens Wiklander opaque cookie<0..2^16-1>; 88032b31808SJens Wiklander ... 88132b31808SJens Wiklander If TLS1_3 is enabled, the max length is 2^16 - 1 88232b31808SJens Wiklander */ 88332b31808SJens Wiklander uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length 88432b31808SJens Wiklander * TLS1_3: HelloRetryRequest cookie length */ 88532b31808SJens Wiklander #endif 88632b31808SJens Wiklander #endif /* MBEDTLS_SSL_CLI_C && 88732b31808SJens Wiklander ( MBEDTLS_SSL_PROTO_DTLS || 88832b31808SJens Wiklander MBEDTLS_SSL_PROTO_TLS1_3 ) */ 88932b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS) 89032b31808SJens Wiklander unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */ 89132b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */ 89232b31808SJens Wiklander 89332b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 89432b31808SJens Wiklander unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ 89532b31808SJens Wiklander unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ 89632b31808SJens Wiklander 89732b31808SJens Wiklander uint32_t retransmit_timeout; /*!< Current value of timeout */ 89832b31808SJens Wiklander mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */ 89932b31808SJens Wiklander mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */ 90032b31808SJens Wiklander unsigned char *cur_msg_p; /*!< Position in current message */ 90132b31808SJens Wiklander unsigned int in_flight_start_seq; /*!< Minimum message sequence in the 90232b31808SJens Wiklander flight being received */ 90332b31808SJens Wiklander mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for 90432b31808SJens Wiklander resending messages */ 90532b31808SJens Wiklander unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter 90632b31808SJens Wiklander for resending messages */ 90732b31808SJens Wiklander 90832b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 90932b31808SJens Wiklander /* The state of CID configuration in this handshake. */ 91032b31808SJens Wiklander 91132b31808SJens Wiklander uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension 91232b31808SJens Wiklander * has been negotiated. Possible values are 91332b31808SJens Wiklander * #MBEDTLS_SSL_CID_ENABLED and 91432b31808SJens Wiklander * #MBEDTLS_SSL_CID_DISABLED. */ 91532b31808SJens Wiklander unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */ 91632b31808SJens Wiklander uint8_t peer_cid_len; /*!< The length of 91732b31808SJens Wiklander * \c peer_cid. */ 91832b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 91932b31808SJens Wiklander 92032b31808SJens Wiklander uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ 92132b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 92232b31808SJens Wiklander 92332b31808SJens Wiklander /* 92432b31808SJens Wiklander * Checksum contexts 92532b31808SJens Wiklander */ 926b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA256) 92732b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 92832b31808SJens Wiklander psa_hash_operation_t fin_sha256_psa; 92932b31808SJens Wiklander #else 93032b31808SJens Wiklander mbedtls_md_context_t fin_sha256; 93132b31808SJens Wiklander #endif 93232b31808SJens Wiklander #endif 933b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA384) 93432b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 93532b31808SJens Wiklander psa_hash_operation_t fin_sha384_psa; 93632b31808SJens Wiklander #else 93732b31808SJens Wiklander mbedtls_md_context_t fin_sha384; 93832b31808SJens Wiklander #endif 93932b31808SJens Wiklander #endif 94032b31808SJens Wiklander 94132b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 94232b31808SJens Wiklander uint16_t offered_group_id; /* The NamedGroup value for the group 94332b31808SJens Wiklander * that is being used for ephemeral 94432b31808SJens Wiklander * key exchange. 94532b31808SJens Wiklander * 94632b31808SJens Wiklander * On the client: Defaults to the first 94732b31808SJens Wiklander * entry in the client's group list, 94832b31808SJens Wiklander * but can be overwritten by the HRR. */ 94932b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 95032b31808SJens Wiklander 95132b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) 95232b31808SJens Wiklander uint8_t client_auth; /*!< used to check if CertificateRequest has been 95332b31808SJens Wiklander received from server side. If CertificateRequest 95432b31808SJens Wiklander has been received, Certificate and CertificateVerify 95532b31808SJens Wiklander should be sent to server */ 95632b31808SJens Wiklander #endif /* MBEDTLS_SSL_CLI_C */ 95732b31808SJens Wiklander /* 95832b31808SJens Wiklander * State-local variables used during the processing 95932b31808SJens Wiklander * of a specific handshake state. 96032b31808SJens Wiklander */ 96132b31808SJens Wiklander union { 96232b31808SJens Wiklander /* Outgoing Finished message */ 96332b31808SJens Wiklander struct { 96432b31808SJens Wiklander uint8_t preparation_done; 96532b31808SJens Wiklander 96632b31808SJens Wiklander /* Buffer holding digest of the handshake up to 96732b31808SJens Wiklander * but excluding the outgoing finished message. */ 96832b31808SJens Wiklander unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 96932b31808SJens Wiklander size_t digest_len; 97032b31808SJens Wiklander } finished_out; 97132b31808SJens Wiklander 97232b31808SJens Wiklander /* Incoming Finished message */ 97332b31808SJens Wiklander struct { 97432b31808SJens Wiklander uint8_t preparation_done; 97532b31808SJens Wiklander 97632b31808SJens Wiklander /* Buffer holding digest of the handshake up to but 97732b31808SJens Wiklander * excluding the peer's incoming finished message. */ 97832b31808SJens Wiklander unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 97932b31808SJens Wiklander size_t digest_len; 98032b31808SJens Wiklander } finished_in; 98132b31808SJens Wiklander 98232b31808SJens Wiklander } state_local; 98332b31808SJens Wiklander 98432b31808SJens Wiklander /* End of state-local variables. */ 98532b31808SJens Wiklander 98632b31808SJens Wiklander unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN + 98732b31808SJens Wiklander MBEDTLS_SERVER_HELLO_RANDOM_LEN]; 98832b31808SJens Wiklander /*!< random bytes */ 98932b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 99032b31808SJens Wiklander unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; 99132b31808SJens Wiklander /*!< premaster secret */ 99232b31808SJens Wiklander size_t pmslen; /*!< premaster length */ 99332b31808SJens Wiklander #endif 99432b31808SJens Wiklander 99532b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 99632b31808SJens Wiklander uint32_t sent_extensions; /*!< extensions sent by endpoint */ 99732b31808SJens Wiklander uint32_t received_extensions; /*!< extensions received by endpoint */ 99832b31808SJens Wiklander 99932b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 100032b31808SJens Wiklander unsigned char certificate_request_context_len; 100132b31808SJens Wiklander unsigned char *certificate_request_context; 100232b31808SJens Wiklander #endif 100332b31808SJens Wiklander 100432b31808SJens Wiklander /** TLS 1.3 transform for encrypted handshake messages. */ 100532b31808SJens Wiklander mbedtls_ssl_transform *transform_handshake; 100632b31808SJens Wiklander union { 100732b31808SJens Wiklander unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 100832b31808SJens Wiklander unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 100932b31808SJens Wiklander unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 101032b31808SJens Wiklander } tls13_master_secrets; 101132b31808SJens Wiklander 101232b31808SJens Wiklander mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; 101332b31808SJens Wiklander #if defined(MBEDTLS_SSL_EARLY_DATA) 101432b31808SJens Wiklander /** TLS 1.3 transform for early data and handshake messages. */ 101532b31808SJens Wiklander mbedtls_ssl_transform *transform_earlydata; 101632b31808SJens Wiklander #endif 101732b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 101832b31808SJens Wiklander 101932b31808SJens Wiklander #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 102032b31808SJens Wiklander /** Asynchronous operation context. This field is meant for use by the 102132b31808SJens Wiklander * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start, 102232b31808SJens Wiklander * mbedtls_ssl_config::f_async_decrypt_start, 102332b31808SJens Wiklander * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel). 102432b31808SJens Wiklander * The library does not use it internally. */ 102532b31808SJens Wiklander void *user_async_ctx; 102632b31808SJens Wiklander #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 102732b31808SJens Wiklander 102832b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 102932b31808SJens Wiklander const unsigned char *sni_name; /*!< raw SNI */ 103032b31808SJens Wiklander size_t sni_name_len; /*!< raw SNI len */ 103132b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 103232b31808SJens Wiklander const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */ 103332b31808SJens Wiklander #endif 103432b31808SJens Wiklander #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 103532b31808SJens Wiklander }; 103632b31808SJens Wiklander 103732b31808SJens Wiklander typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer; 103832b31808SJens Wiklander 103932b31808SJens Wiklander /* 104032b31808SJens Wiklander * Representation of decryption/encryption transformations on records 104132b31808SJens Wiklander * 104232b31808SJens Wiklander * There are the following general types of record transformations: 104332b31808SJens Wiklander * - Stream transformations (TLS versions == 1.2 only) 104432b31808SJens Wiklander * Transformation adding a MAC and applying a stream-cipher 104532b31808SJens Wiklander * to the authenticated message. 104632b31808SJens Wiklander * - CBC block cipher transformations ([D]TLS versions == 1.2 only) 104732b31808SJens Wiklander * For TLS 1.2, no IV is generated at key extraction time, but every 104832b31808SJens Wiklander * encrypted record is explicitly prefixed by the IV with which it was 104932b31808SJens Wiklander * encrypted. 105032b31808SJens Wiklander * - AEAD transformations ([D]TLS versions == 1.2 only) 105132b31808SJens Wiklander * These come in two fundamentally different versions, the first one 105232b31808SJens Wiklander * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second 105332b31808SJens Wiklander * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3. 105432b31808SJens Wiklander * In the first transformation, the IV to be used for a record is obtained 105532b31808SJens Wiklander * as the concatenation of an explicit, static 4-byte IV and the 8-byte 105632b31808SJens Wiklander * record sequence number, and explicitly prepending this sequence number 105732b31808SJens Wiklander * to the encrypted record. In contrast, in the second transformation 105832b31808SJens Wiklander * the IV is obtained by XOR'ing a static IV obtained at key extraction 105932b31808SJens Wiklander * time with the 8-byte record sequence number, without prepending the 106032b31808SJens Wiklander * latter to the encrypted record. 106132b31808SJens Wiklander * 106232b31808SJens Wiklander * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext 106332b31808SJens Wiklander * which allows to add flexible length padding and to hide a record's true 106432b31808SJens Wiklander * content type. 106532b31808SJens Wiklander * 106632b31808SJens Wiklander * In addition to type and version, the following parameters are relevant: 106732b31808SJens Wiklander * - The symmetric cipher algorithm to be used. 106832b31808SJens Wiklander * - The (static) encryption/decryption keys for the cipher. 106932b31808SJens Wiklander * - For stream/CBC, the type of message digest to be used. 107032b31808SJens Wiklander * - For stream/CBC, (static) encryption/decryption keys for the digest. 107132b31808SJens Wiklander * - For AEAD transformations, the size (potentially 0) of an explicit, 107232b31808SJens Wiklander * random initialization vector placed in encrypted records. 107332b31808SJens Wiklander * - For some transformations (currently AEAD) an implicit IV. It is static 107432b31808SJens Wiklander * and (if present) is combined with the explicit IV in a transformation- 107532b31808SJens Wiklander * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3). 107632b31808SJens Wiklander * - For stream/CBC, a flag determining the order of encryption and MAC. 107732b31808SJens Wiklander * - The details of the transformation depend on the SSL/TLS version. 107832b31808SJens Wiklander * - The length of the authentication tag. 107932b31808SJens Wiklander * 108032b31808SJens Wiklander * The struct below refines this abstract view as follows: 108132b31808SJens Wiklander * - The cipher underlying the transformation is managed in 108232b31808SJens Wiklander * cipher contexts cipher_ctx_{enc/dec}, which must have the 108332b31808SJens Wiklander * same cipher type. The mode of these cipher contexts determines 108432b31808SJens Wiklander * the type of the transformation in the sense above: e.g., if 108532b31808SJens Wiklander * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM 108632b31808SJens Wiklander * then the transformation has type CBC resp. AEAD. 108732b31808SJens Wiklander * - The cipher keys are never stored explicitly but 108832b31808SJens Wiklander * are maintained within cipher_ctx_{enc/dec}. 108932b31808SJens Wiklander * - For stream/CBC transformations, the message digest contexts 109032b31808SJens Wiklander * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts 109132b31808SJens Wiklander * are unused for AEAD transformations. 109232b31808SJens Wiklander * - For stream/CBC transformations, the MAC keys are not stored explicitly 109332b31808SJens Wiklander * but maintained within md_ctx_{enc/dec}. 109432b31808SJens Wiklander * - The mac_enc and mac_dec fields are unused for EAD transformations. 109532b31808SJens Wiklander * - For transformations using an implicit IV maintained within 109632b31808SJens Wiklander * the transformation context, its contents are stored within 109732b31808SJens Wiklander * iv_{enc/dec}. 109832b31808SJens Wiklander * - The value of ivlen indicates the length of the IV. 109932b31808SJens Wiklander * This is redundant in case of stream/CBC transformations 110032b31808SJens Wiklander * which always use 0 resp. the cipher's block length as the 110132b31808SJens Wiklander * IV length, but is needed for AEAD ciphers and may be 110232b31808SJens Wiklander * different from the underlying cipher's block length 110332b31808SJens Wiklander * in this case. 110432b31808SJens Wiklander * - The field fixed_ivlen is nonzero for AEAD transformations only 110532b31808SJens Wiklander * and indicates the length of the static part of the IV which is 110632b31808SJens Wiklander * constant throughout the communication, and which is stored in 110732b31808SJens Wiklander * the first fixed_ivlen bytes of the iv_{enc/dec} arrays. 110832b31808SJens Wiklander * - tls_version denotes the 2-byte TLS version 110932b31808SJens Wiklander * - For stream/CBC transformations, maclen denotes the length of the 111032b31808SJens Wiklander * authentication tag, while taglen is unused and 0. 111132b31808SJens Wiklander * - For AEAD transformations, taglen denotes the length of the 111232b31808SJens Wiklander * authentication tag, while maclen is unused and 0. 111332b31808SJens Wiklander * - For CBC transformations, encrypt_then_mac determines the 111432b31808SJens Wiklander * order of encryption and authentication. This field is unused 111532b31808SJens Wiklander * in other transformations. 111632b31808SJens Wiklander * 111732b31808SJens Wiklander */ 111832b31808SJens Wiklander struct mbedtls_ssl_transform { 111932b31808SJens Wiklander /* 112032b31808SJens Wiklander * Session specific crypto layer 112132b31808SJens Wiklander */ 112232b31808SJens Wiklander size_t minlen; /*!< min. ciphertext length */ 112332b31808SJens Wiklander size_t ivlen; /*!< IV length */ 112432b31808SJens Wiklander size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */ 112532b31808SJens Wiklander size_t maclen; /*!< MAC(CBC) len */ 112632b31808SJens Wiklander size_t taglen; /*!< TAG(AEAD) len */ 112732b31808SJens Wiklander 112832b31808SJens Wiklander unsigned char iv_enc[16]; /*!< IV (encryption) */ 112932b31808SJens Wiklander unsigned char iv_dec[16]; /*!< IV (decryption) */ 113032b31808SJens Wiklander 113132b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 113232b31808SJens Wiklander 113332b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 113432b31808SJens Wiklander mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */ 113532b31808SJens Wiklander mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */ 113632b31808SJens Wiklander psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */ 113732b31808SJens Wiklander #else 113832b31808SJens Wiklander mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */ 113932b31808SJens Wiklander mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */ 114032b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 114132b31808SJens Wiklander 114232b31808SJens Wiklander #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 114332b31808SJens Wiklander int encrypt_then_mac; /*!< flag for EtM activation */ 114432b31808SJens Wiklander #endif 114532b31808SJens Wiklander 114632b31808SJens Wiklander #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 114732b31808SJens Wiklander 114832b31808SJens Wiklander mbedtls_ssl_protocol_version tls_version; 114932b31808SJens Wiklander 115032b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 115132b31808SJens Wiklander mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */ 115232b31808SJens Wiklander mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */ 115332b31808SJens Wiklander psa_algorithm_t psa_alg; /*!< psa algorithm */ 115432b31808SJens Wiklander #else 115532b31808SJens Wiklander mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */ 115632b31808SJens Wiklander mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */ 115732b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 115832b31808SJens Wiklander 115932b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 116032b31808SJens Wiklander uint8_t in_cid_len; 116132b31808SJens Wiklander uint8_t out_cid_len; 116232b31808SJens Wiklander unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; 116332b31808SJens Wiklander unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; 116432b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 116532b31808SJens Wiklander 116632b31808SJens Wiklander #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) 116732b31808SJens Wiklander /* We need the Hello random bytes in order to re-derive keys from the 116832b31808SJens Wiklander * Master Secret and other session info, 116932b31808SJens Wiklander * see ssl_tls12_populate_transform() */ 117032b31808SJens Wiklander unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN + 117132b31808SJens Wiklander MBEDTLS_CLIENT_HELLO_RANDOM_LEN]; 117232b31808SJens Wiklander /*!< ServerHello.random+ClientHello.random */ 117332b31808SJens Wiklander #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */ 117432b31808SJens Wiklander }; 117532b31808SJens Wiklander 117632b31808SJens Wiklander /* 117732b31808SJens Wiklander * Return 1 if the transform uses an AEAD cipher, 0 otherwise. 117832b31808SJens Wiklander * Equivalently, return 0 if a separate MAC is used, 1 otherwise. 117932b31808SJens Wiklander */ 118032b31808SJens Wiklander static inline int mbedtls_ssl_transform_uses_aead( 118132b31808SJens Wiklander const mbedtls_ssl_transform *transform) 118232b31808SJens Wiklander { 118332b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 118432b31808SJens Wiklander return transform->maclen == 0 && transform->taglen != 0; 118532b31808SJens Wiklander #else 118632b31808SJens Wiklander (void) transform; 118732b31808SJens Wiklander return 1; 118832b31808SJens Wiklander #endif 118932b31808SJens Wiklander } 119032b31808SJens Wiklander 119132b31808SJens Wiklander /* 119232b31808SJens Wiklander * Internal representation of record frames 119332b31808SJens Wiklander * 119432b31808SJens Wiklander * Instances come in two flavors: 119532b31808SJens Wiklander * (1) Encrypted 119632b31808SJens Wiklander * These always have data_offset = 0 119732b31808SJens Wiklander * (2) Unencrypted 119832b31808SJens Wiklander * These have data_offset set to the amount of 119932b31808SJens Wiklander * pre-expansion during record protection. Concretely, 120032b31808SJens Wiklander * this is the length of the fixed part of the explicit IV 120132b31808SJens Wiklander * used for encryption, or 0 if no explicit IV is used 120232b31808SJens Wiklander * (e.g. for stream ciphers). 120332b31808SJens Wiklander * 120432b31808SJens Wiklander * The reason for the data_offset in the unencrypted case 120532b31808SJens Wiklander * is to allow for in-place conversion of an unencrypted to 120632b31808SJens Wiklander * an encrypted record. If the offset wasn't included, the 120732b31808SJens Wiklander * encrypted content would need to be shifted afterwards to 120832b31808SJens Wiklander * make space for the fixed IV. 120932b31808SJens Wiklander * 121032b31808SJens Wiklander */ 121132b31808SJens Wiklander #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX 121232b31808SJens Wiklander #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX 121332b31808SJens Wiklander #else 121432b31808SJens Wiklander #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX 121532b31808SJens Wiklander #endif 121632b31808SJens Wiklander 121732b31808SJens Wiklander typedef struct { 121832b31808SJens Wiklander uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number. 121932b31808SJens Wiklander * In DTLS: The 2-byte epoch followed by 122032b31808SJens Wiklander * the 6-byte sequence number. 122132b31808SJens Wiklander * This is stored as a raw big endian byte array 122232b31808SJens Wiklander * as opposed to a uint64_t because we rarely 122332b31808SJens Wiklander * need to perform arithmetic on this, but do 122432b31808SJens Wiklander * need it as a Byte array for the purpose of 122532b31808SJens Wiklander * MAC computations. */ 122632b31808SJens Wiklander uint8_t type; /* The record content type. */ 122732b31808SJens Wiklander uint8_t ver[2]; /* SSL/TLS version as present on the wire. 122832b31808SJens Wiklander * Convert to internal presentation of versions 122932b31808SJens Wiklander * using mbedtls_ssl_read_version() and 123032b31808SJens Wiklander * mbedtls_ssl_write_version(). 123132b31808SJens Wiklander * Keep wire-format for MAC computations. */ 123232b31808SJens Wiklander 123332b31808SJens Wiklander unsigned char *buf; /* Memory buffer enclosing the record content */ 123432b31808SJens Wiklander size_t buf_len; /* Buffer length */ 123532b31808SJens Wiklander size_t data_offset; /* Offset of record content */ 123632b31808SJens Wiklander size_t data_len; /* Length of record content */ 123732b31808SJens Wiklander 123832b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 123932b31808SJens Wiklander uint8_t cid_len; /* Length of the CID (0 if not present) */ 124032b31808SJens Wiklander unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */ 124132b31808SJens Wiklander #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 124232b31808SJens Wiklander } mbedtls_record; 124332b31808SJens Wiklander 124432b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C) 124532b31808SJens Wiklander /* 124632b31808SJens Wiklander * List of certificate + private key pairs 124732b31808SJens Wiklander */ 124832b31808SJens Wiklander struct mbedtls_ssl_key_cert { 124932b31808SJens Wiklander mbedtls_x509_crt *cert; /*!< cert */ 125032b31808SJens Wiklander mbedtls_pk_context *key; /*!< private key */ 125132b31808SJens Wiklander mbedtls_ssl_key_cert *next; /*!< next key/cert pair */ 125232b31808SJens Wiklander }; 125332b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C */ 125432b31808SJens Wiklander 125532b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 125632b31808SJens Wiklander /* 125732b31808SJens Wiklander * List of handshake messages kept around for resending 125832b31808SJens Wiklander */ 125932b31808SJens Wiklander struct mbedtls_ssl_flight_item { 126032b31808SJens Wiklander unsigned char *p; /*!< message, including handshake headers */ 126132b31808SJens Wiklander size_t len; /*!< length of p */ 126232b31808SJens Wiklander unsigned char type; /*!< type of the message: handshake or CCS */ 126332b31808SJens Wiklander mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */ 126432b31808SJens Wiklander }; 126532b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 126632b31808SJens Wiklander 126732b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 126832b31808SJens Wiklander /** 126932b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS 127032b31808SJens Wiklander * 1.2 specific extensions of the ClientHello message. 127132b31808SJens Wiklander * 127232b31808SJens Wiklander * \param[in] ssl SSL context 127332b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the extensions 127432b31808SJens Wiklander * \param[in] end End address of the buffer where to write the extensions 127532b31808SJens Wiklander * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve 127632b31808SJens Wiklander * (<> 0) or not ( 0 ). 127732b31808SJens Wiklander * \param[out] out_len Length of the data written into the buffer \p buf 127832b31808SJens Wiklander */ 127932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 128032b31808SJens Wiklander int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl, 128132b31808SJens Wiklander unsigned char *buf, 128232b31808SJens Wiklander const unsigned char *end, 128332b31808SJens Wiklander int uses_ec, 128432b31808SJens Wiklander size_t *out_len); 128532b31808SJens Wiklander #endif 128632b31808SJens Wiklander 128732b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 128832b31808SJens Wiklander defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 128932b31808SJens Wiklander 129032b31808SJens Wiklander /** 129132b31808SJens Wiklander * \brief Find the preferred hash for a given signature algorithm. 129232b31808SJens Wiklander * 129332b31808SJens Wiklander * \param[in] ssl SSL context 129432b31808SJens Wiklander * \param[in] sig_alg A signature algorithm identifier as defined in the 129532b31808SJens Wiklander * TLS 1.2 SignatureAlgorithm enumeration. 129632b31808SJens Wiklander * 129732b31808SJens Wiklander * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm 129832b31808SJens Wiklander * identifier as defined in the TLS 1.2 HashAlgorithm enumeration. 129932b31808SJens Wiklander */ 130032b31808SJens Wiklander unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 130132b31808SJens Wiklander mbedtls_ssl_context *ssl, 130232b31808SJens Wiklander unsigned int sig_alg); 130332b31808SJens Wiklander 130432b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 130532b31808SJens Wiklander MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 130632b31808SJens Wiklander 130732b31808SJens Wiklander /** 130832b31808SJens Wiklander * \brief Free referenced items in an SSL transform context and clear 130932b31808SJens Wiklander * memory 131032b31808SJens Wiklander * 131132b31808SJens Wiklander * \param transform SSL transform context 131232b31808SJens Wiklander */ 131332b31808SJens Wiklander void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform); 131432b31808SJens Wiklander 131532b31808SJens Wiklander /** 131632b31808SJens Wiklander * \brief Free referenced items in an SSL handshake context and clear 131732b31808SJens Wiklander * memory 131832b31808SJens Wiklander * 131932b31808SJens Wiklander * \param ssl SSL context 132032b31808SJens Wiklander */ 132132b31808SJens Wiklander void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl); 132232b31808SJens Wiklander 132332b31808SJens Wiklander /* set inbound transform of ssl context */ 132432b31808SJens Wiklander void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl, 132532b31808SJens Wiklander mbedtls_ssl_transform *transform); 132632b31808SJens Wiklander 132732b31808SJens Wiklander /* set outbound transform of ssl context */ 132832b31808SJens Wiklander void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl, 132932b31808SJens Wiklander mbedtls_ssl_transform *transform); 133032b31808SJens Wiklander 133132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 133232b31808SJens Wiklander int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl); 133332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 133432b31808SJens Wiklander int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl); 133532b31808SJens Wiklander void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl); 133632b31808SJens Wiklander static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl, 133732b31808SJens Wiklander mbedtls_ssl_states state) 133832b31808SJens Wiklander { 133932b31808SJens Wiklander ssl->state = (int) state; 134032b31808SJens Wiklander } 134132b31808SJens Wiklander 134232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 134332b31808SJens Wiklander int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl); 134432b31808SJens Wiklander 134532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 134632b31808SJens Wiklander int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl); 134732b31808SJens Wiklander 134832b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 134932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 135032b31808SJens Wiklander int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl); 135132b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 135232b31808SJens Wiklander 135332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 135432b31808SJens Wiklander int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl); 135532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 135632b31808SJens Wiklander int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl); 135732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 135832b31808SJens Wiklander int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl); 135932b31808SJens Wiklander 136032b31808SJens Wiklander /** 136132b31808SJens Wiklander * \brief Update record layer 136232b31808SJens Wiklander * 136332b31808SJens Wiklander * This function roughly separates the implementation 136432b31808SJens Wiklander * of the logic of (D)TLS from the implementation 136532b31808SJens Wiklander * of the secure transport. 136632b31808SJens Wiklander * 136732b31808SJens Wiklander * \param ssl The SSL context to use. 136832b31808SJens Wiklander * \param update_hs_digest This indicates if the handshake digest 136932b31808SJens Wiklander * should be automatically updated in case 137032b31808SJens Wiklander * a handshake message is found. 137132b31808SJens Wiklander * 137232b31808SJens Wiklander * \return 0 or non-zero error code. 137332b31808SJens Wiklander * 137432b31808SJens Wiklander * \note A clarification on what is called 'record layer' here 137532b31808SJens Wiklander * is in order, as many sensible definitions are possible: 137632b31808SJens Wiklander * 137732b31808SJens Wiklander * The record layer takes as input an untrusted underlying 137832b31808SJens Wiklander * transport (stream or datagram) and transforms it into 137932b31808SJens Wiklander * a serially multiplexed, secure transport, which 138032b31808SJens Wiklander * conceptually provides the following: 138132b31808SJens Wiklander * 138232b31808SJens Wiklander * (1) Three datagram based, content-agnostic transports 138332b31808SJens Wiklander * for handshake, alert and CCS messages. 138432b31808SJens Wiklander * (2) One stream- or datagram-based transport 138532b31808SJens Wiklander * for application data. 138632b31808SJens Wiklander * (3) Functionality for changing the underlying transform 138732b31808SJens Wiklander * securing the contents. 138832b31808SJens Wiklander * 138932b31808SJens Wiklander * The interface to this functionality is given as follows: 139032b31808SJens Wiklander * 139132b31808SJens Wiklander * a Updating 139232b31808SJens Wiklander * [Currently implemented by mbedtls_ssl_read_record] 139332b31808SJens Wiklander * 139432b31808SJens Wiklander * Check if and on which of the four 'ports' data is pending: 139532b31808SJens Wiklander * Nothing, a controlling datagram of type (1), or application 139632b31808SJens Wiklander * data (2). In any case data is present, internal buffers 139732b31808SJens Wiklander * provide access to the data for the user to process it. 139832b31808SJens Wiklander * Consumption of type (1) datagrams is done automatically 139932b31808SJens Wiklander * on the next update, invalidating that the internal buffers 140032b31808SJens Wiklander * for previous datagrams, while consumption of application 140132b31808SJens Wiklander * data (2) is user-controlled. 140232b31808SJens Wiklander * 140332b31808SJens Wiklander * b Reading of application data 140432b31808SJens Wiklander * [Currently manual adaption of ssl->in_offt pointer] 140532b31808SJens Wiklander * 140632b31808SJens Wiklander * As mentioned in the last paragraph, consumption of data 140732b31808SJens Wiklander * is different from the automatic consumption of control 140832b31808SJens Wiklander * datagrams (1) because application data is treated as a stream. 140932b31808SJens Wiklander * 141032b31808SJens Wiklander * c Tracking availability of application data 141132b31808SJens Wiklander * [Currently manually through decreasing ssl->in_msglen] 141232b31808SJens Wiklander * 141332b31808SJens Wiklander * For efficiency and to retain datagram semantics for 141432b31808SJens Wiklander * application data in case of DTLS, the record layer 141532b31808SJens Wiklander * provides functionality for checking how much application 141632b31808SJens Wiklander * data is still available in the internal buffer. 141732b31808SJens Wiklander * 141832b31808SJens Wiklander * d Changing the transformation securing the communication. 141932b31808SJens Wiklander * 142032b31808SJens Wiklander * Given an opaque implementation of the record layer in the 142132b31808SJens Wiklander * above sense, it should be possible to implement the logic 142232b31808SJens Wiklander * of (D)TLS on top of it without the need to know anything 142332b31808SJens Wiklander * about the record layer's internals. This is done e.g. 142432b31808SJens Wiklander * in all the handshake handling functions, and in the 142532b31808SJens Wiklander * application data reading function mbedtls_ssl_read. 142632b31808SJens Wiklander * 142732b31808SJens Wiklander * \note The above tries to give a conceptual picture of the 142832b31808SJens Wiklander * record layer, but the current implementation deviates 142932b31808SJens Wiklander * from it in some places. For example, our implementation of 143032b31808SJens Wiklander * the update functionality through mbedtls_ssl_read_record 143132b31808SJens Wiklander * discards datagrams depending on the current state, which 143232b31808SJens Wiklander * wouldn't fall under the record layer's responsibility 143332b31808SJens Wiklander * following the above definition. 143432b31808SJens Wiklander * 143532b31808SJens Wiklander */ 143632b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 143732b31808SJens Wiklander int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl, 143832b31808SJens Wiklander unsigned update_hs_digest); 143932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 144032b31808SJens Wiklander int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want); 144132b31808SJens Wiklander 144232b31808SJens Wiklander /* 144332b31808SJens Wiklander * Write handshake message header 144432b31808SJens Wiklander */ 144532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 1446b0563631STom Van Eyck int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type, 144732b31808SJens Wiklander unsigned char **buf, size_t *buf_len); 144832b31808SJens Wiklander 144932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 145032b31808SJens Wiklander int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl, 145132b31808SJens Wiklander int update_checksum, 145232b31808SJens Wiklander int force_flush); 145332b31808SJens Wiklander static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl) 145432b31808SJens Wiklander { 145532b31808SJens Wiklander return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */); 145632b31808SJens Wiklander } 145732b31808SJens Wiklander 145832b31808SJens Wiklander /* 145932b31808SJens Wiklander * Write handshake message tail 146032b31808SJens Wiklander */ 146132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 146232b31808SJens Wiklander int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl, 146332b31808SJens Wiklander size_t buf_len, size_t msg_len); 146432b31808SJens Wiklander 146532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 146632b31808SJens Wiklander int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush); 146732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 146832b31808SJens Wiklander int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl); 146932b31808SJens Wiklander 147032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 147132b31808SJens Wiklander int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl); 147232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 147332b31808SJens Wiklander int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl); 147432b31808SJens Wiklander 147532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 147632b31808SJens Wiklander int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl); 147732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 147832b31808SJens Wiklander int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl); 147932b31808SJens Wiklander 148032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 148132b31808SJens Wiklander int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl); 148232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 148332b31808SJens Wiklander int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl); 148432b31808SJens Wiklander 148532b31808SJens Wiklander void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, 148632b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite_info); 148732b31808SJens Wiklander 148832b31808SJens Wiklander /* 148932b31808SJens Wiklander * Update checksum of handshake messages. 149032b31808SJens Wiklander */ 149132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 149232b31808SJens Wiklander int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, 149332b31808SJens Wiklander unsigned hs_type, 149432b31808SJens Wiklander unsigned char const *msg, 149532b31808SJens Wiklander size_t msg_len); 149632b31808SJens Wiklander 149732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 149832b31808SJens Wiklander int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, 149932b31808SJens Wiklander unsigned hs_type, 150032b31808SJens Wiklander size_t total_hs_len); 150132b31808SJens Wiklander 150232b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 150332b31808SJens Wiklander #if !defined(MBEDTLS_USE_PSA_CRYPTO) 150432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 150532b31808SJens Wiklander int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, 150632b31808SJens Wiklander mbedtls_key_exchange_type_t key_ex); 150732b31808SJens Wiklander #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 150832b31808SJens Wiklander #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 150932b31808SJens Wiklander 151032b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 1511cb034002SJerome Forissier #if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C) 151232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 151332b31808SJens Wiklander int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf); 151432b31808SJens Wiklander #endif 151532b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) 151632b31808SJens Wiklander /** 151732b31808SJens Wiklander * Get the first defined opaque PSK by order of precedence: 151832b31808SJens Wiklander * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK 151932b31808SJens Wiklander * callback 152032b31808SJens Wiklander * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque() 152132b31808SJens Wiklander * Return an opaque PSK 152232b31808SJens Wiklander */ 152332b31808SJens Wiklander static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( 152432b31808SJens Wiklander const mbedtls_ssl_context *ssl) 152532b31808SJens Wiklander { 152632b31808SJens Wiklander if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 152732b31808SJens Wiklander return ssl->handshake->psk_opaque; 152832b31808SJens Wiklander } 152932b31808SJens Wiklander 153032b31808SJens Wiklander if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) { 153132b31808SJens Wiklander return ssl->conf->psk_opaque; 153232b31808SJens Wiklander } 153332b31808SJens Wiklander 153432b31808SJens Wiklander return MBEDTLS_SVC_KEY_ID_INIT; 153532b31808SJens Wiklander } 153632b31808SJens Wiklander #else 153732b31808SJens Wiklander /** 153832b31808SJens Wiklander * Get the first defined PSK by order of precedence: 153932b31808SJens Wiklander * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback 154032b31808SJens Wiklander * 2. static PSK configured by \c mbedtls_ssl_conf_psk() 154132b31808SJens Wiklander * Return a code and update the pair (PSK, PSK length) passed to this function 154232b31808SJens Wiklander */ 154332b31808SJens Wiklander static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl, 154432b31808SJens Wiklander const unsigned char **psk, size_t *psk_len) 154532b31808SJens Wiklander { 154632b31808SJens Wiklander if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) { 154732b31808SJens Wiklander *psk = ssl->handshake->psk; 154832b31808SJens Wiklander *psk_len = ssl->handshake->psk_len; 154932b31808SJens Wiklander } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) { 155032b31808SJens Wiklander *psk = ssl->conf->psk; 155132b31808SJens Wiklander *psk_len = ssl->conf->psk_len; 155232b31808SJens Wiklander } else { 155332b31808SJens Wiklander *psk = NULL; 155432b31808SJens Wiklander *psk_len = 0; 155532b31808SJens Wiklander return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 155632b31808SJens Wiklander } 155732b31808SJens Wiklander 155832b31808SJens Wiklander return 0; 155932b31808SJens Wiklander } 156032b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO */ 156132b31808SJens Wiklander 156232b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 156332b31808SJens Wiklander 156432b31808SJens Wiklander #if defined(MBEDTLS_PK_C) 156532b31808SJens Wiklander unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk); 156632b31808SJens Wiklander unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type); 156732b31808SJens Wiklander mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig); 156832b31808SJens Wiklander #endif 156932b31808SJens Wiklander 157032b31808SJens Wiklander mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash); 157132b31808SJens Wiklander unsigned char mbedtls_ssl_hash_from_md_alg(int md); 157232b31808SJens Wiklander 157332b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 157432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 157532b31808SJens Wiklander int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md); 157632b31808SJens Wiklander #endif 157732b31808SJens Wiklander 157832b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 157932b31808SJens Wiklander int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id); 1580b0563631STom Van Eyck #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 158132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 158232b31808SJens Wiklander int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id); 1583b0563631STom Van Eyck #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 158432b31808SJens Wiklander 158532b31808SJens Wiklander /** 158632b31808SJens Wiklander * \brief Return PSA EC info for the specified TLS ID. 158732b31808SJens Wiklander * 158832b31808SJens Wiklander * \param tls_id The TLS ID to look for 1589b0563631STom Van Eyck * \param type If the TLD ID is supported, then proper \c psa_key_type_t 159032b31808SJens Wiklander * value is returned here. Can be NULL. 159132b31808SJens Wiklander * \param bits If the TLD ID is supported, then proper bit size is returned 159232b31808SJens Wiklander * here. Can be NULL. 159332b31808SJens Wiklander * \return PSA_SUCCESS if the TLS ID is supported, 159432b31808SJens Wiklander * PSA_ERROR_NOT_SUPPORTED otherwise 159532b31808SJens Wiklander * 159632b31808SJens Wiklander * \note If either \c family or \c bits parameters are NULL, then 159732b31808SJens Wiklander * the corresponding value is not returned. 159832b31808SJens Wiklander * The function can be called with both parameters as NULL 159932b31808SJens Wiklander * simply to check if a specific TLS ID is supported. 160032b31808SJens Wiklander */ 160132b31808SJens Wiklander int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id, 1602b0563631STom Van Eyck psa_key_type_t *type, 160332b31808SJens Wiklander size_t *bits); 160432b31808SJens Wiklander 160532b31808SJens Wiklander /** 160632b31808SJens Wiklander * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID. 160732b31808SJens Wiklander * 160832b31808SJens Wiklander * \param tls_id The TLS ID to look for 160932b31808SJens Wiklander * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported, 161032b31808SJens Wiklander * or MBEDTLS_ECP_DP_NONE otherwise 161132b31808SJens Wiklander */ 161232b31808SJens Wiklander mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id); 161332b31808SJens Wiklander 161432b31808SJens Wiklander /** 161532b31808SJens Wiklander * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id. 161632b31808SJens Wiklander * 161732b31808SJens Wiklander * \param grp_id The \c mbedtls_ecp_group_id ID to look for 161832b31808SJens Wiklander * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported, 161932b31808SJens Wiklander * or 0 otherwise 162032b31808SJens Wiklander */ 162132b31808SJens Wiklander uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id); 162232b31808SJens Wiklander 162332b31808SJens Wiklander #if defined(MBEDTLS_DEBUG_C) 162432b31808SJens Wiklander /** 162532b31808SJens Wiklander * \brief Return EC's name for the specified TLS ID. 162632b31808SJens Wiklander * 162732b31808SJens Wiklander * \param tls_id The TLS ID to look for 162832b31808SJens Wiklander * \return A pointer to a const string with the proper name. If TLS 162932b31808SJens Wiklander * ID is not supported, a NULL pointer is returned instead. 163032b31808SJens Wiklander */ 163132b31808SJens Wiklander const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id); 163232b31808SJens Wiklander #endif 163332b31808SJens Wiklander 163432b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_SRTP) 163532b31808SJens Wiklander static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value 163632b31808SJens Wiklander (const uint16_t srtp_profile_value) 163732b31808SJens Wiklander { 163832b31808SJens Wiklander switch (srtp_profile_value) { 163932b31808SJens Wiklander case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80: 164032b31808SJens Wiklander case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32: 164132b31808SJens Wiklander case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80: 164232b31808SJens Wiklander case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32: 164332b31808SJens Wiklander return srtp_profile_value; 164432b31808SJens Wiklander default: break; 164532b31808SJens Wiklander } 164632b31808SJens Wiklander return MBEDTLS_TLS_SRTP_UNSET; 164732b31808SJens Wiklander } 164832b31808SJens Wiklander #endif 164932b31808SJens Wiklander 165032b31808SJens Wiklander #if defined(MBEDTLS_X509_CRT_PARSE_C) 165132b31808SJens Wiklander static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl) 165232b31808SJens Wiklander { 165332b31808SJens Wiklander mbedtls_ssl_key_cert *key_cert; 165432b31808SJens Wiklander 165532b31808SJens Wiklander if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { 165632b31808SJens Wiklander key_cert = ssl->handshake->key_cert; 165732b31808SJens Wiklander } else { 165832b31808SJens Wiklander key_cert = ssl->conf->key_cert; 165932b31808SJens Wiklander } 166032b31808SJens Wiklander 166132b31808SJens Wiklander return key_cert == NULL ? NULL : key_cert->key; 166232b31808SJens Wiklander } 166332b31808SJens Wiklander 166432b31808SJens Wiklander static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl) 166532b31808SJens Wiklander { 166632b31808SJens Wiklander mbedtls_ssl_key_cert *key_cert; 166732b31808SJens Wiklander 166832b31808SJens Wiklander if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { 166932b31808SJens Wiklander key_cert = ssl->handshake->key_cert; 167032b31808SJens Wiklander } else { 167132b31808SJens Wiklander key_cert = ssl->conf->key_cert; 167232b31808SJens Wiklander } 167332b31808SJens Wiklander 167432b31808SJens Wiklander return key_cert == NULL ? NULL : key_cert->cert; 167532b31808SJens Wiklander } 167632b31808SJens Wiklander 167732b31808SJens Wiklander /* 1678cb034002SJerome Forissier * Verify a certificate. 167932b31808SJens Wiklander * 1680cb034002SJerome Forissier * [in/out] ssl: misc. things read 1681cb034002SJerome Forissier * ssl->session_negotiate->verify_result updated 1682cb034002SJerome Forissier * [in] authmode: one of MBEDTLS_SSL_VERIFY_{NONE,OPTIONAL,REQUIRED} 1683cb034002SJerome Forissier * [in] chain: the certificate chain to verify (ie the peer's chain) 1684cb034002SJerome Forissier * [in] ciphersuite_info: For TLS 1.2, this session's ciphersuite; 1685cb034002SJerome Forissier * for TLS 1.3, may be left NULL. 1686cb034002SJerome Forissier * [in] rs_ctx: restart context if restartable ECC is in use; 1687cb034002SJerome Forissier * leave NULL for no restartable behaviour. 1688cb034002SJerome Forissier * 1689cb034002SJerome Forissier * Return: 1690cb034002SJerome Forissier * - 0 if the handshake should continue. Depending on the 1691cb034002SJerome Forissier * authmode it means: 1692cb034002SJerome Forissier * - REQUIRED: the certificate was found to be valid, trusted & acceptable. 1693cb034002SJerome Forissier * ssl->session_negotiate->verify_result is 0. 1694cb034002SJerome Forissier * - OPTIONAL: the certificate may or may not be acceptable, but 1695cb034002SJerome Forissier * ssl->session_negotiate->verify_result was updated with the result. 1696cb034002SJerome Forissier * - NONE: the certificate wasn't even checked. 1697cb034002SJerome Forissier * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED or MBEDTLS_ERR_SSL_BAD_CERTIFICATE if 1698cb034002SJerome Forissier * the certificate was found to be invalid/untrusted/unacceptable and the 1699cb034002SJerome Forissier * handshake should be aborted (can only happen with REQUIRED). 1700cb034002SJerome Forissier * - another error code if another error happened (out-of-memory, etc.) 1701cb034002SJerome Forissier */ 1702cb034002SJerome Forissier MBEDTLS_CHECK_RETURN_CRITICAL 1703cb034002SJerome Forissier int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, 1704cb034002SJerome Forissier int authmode, 1705cb034002SJerome Forissier mbedtls_x509_crt *chain, 1706cb034002SJerome Forissier const mbedtls_ssl_ciphersuite_t *ciphersuite_info, 1707cb034002SJerome Forissier void *rs_ctx); 1708cb034002SJerome Forissier 1709cb034002SJerome Forissier /* 1710cb034002SJerome Forissier * Check usage of a certificate wrt usage extensions: 1711cb034002SJerome Forissier * keyUsage and extendedKeyUsage. 1712cb034002SJerome Forissier * (Note: nSCertType is deprecated and not standard, we don't check it.) 1713cb034002SJerome Forissier * 1714cb034002SJerome Forissier * Note: if tls_version is 1.3, ciphersuite is ignored and can be NULL. 1715cb034002SJerome Forissier * 1716cb034002SJerome Forissier * Note: recv_endpoint is the receiver's endpoint. 171732b31808SJens Wiklander * 171832b31808SJens Wiklander * Return 0 if everything is OK, -1 if not. 171932b31808SJens Wiklander */ 172032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 172132b31808SJens Wiklander int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, 172232b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *ciphersuite, 1723cb034002SJerome Forissier int recv_endpoint, 1724cb034002SJerome Forissier mbedtls_ssl_protocol_version tls_version, 172532b31808SJens Wiklander uint32_t *flags); 172632b31808SJens Wiklander #endif /* MBEDTLS_X509_CRT_PARSE_C */ 172732b31808SJens Wiklander 172832b31808SJens Wiklander void mbedtls_ssl_write_version(unsigned char version[2], int transport, 172932b31808SJens Wiklander mbedtls_ssl_protocol_version tls_version); 173032b31808SJens Wiklander uint16_t mbedtls_ssl_read_version(const unsigned char version[2], 173132b31808SJens Wiklander int transport); 173232b31808SJens Wiklander 173332b31808SJens Wiklander static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl) 173432b31808SJens Wiklander { 173532b31808SJens Wiklander #if !defined(MBEDTLS_SSL_PROTO_DTLS) 173632b31808SJens Wiklander ((void) ssl); 173732b31808SJens Wiklander #endif 173832b31808SJens Wiklander 173932b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 174032b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 174132b31808SJens Wiklander return 13; 174232b31808SJens Wiklander } else 174332b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 174432b31808SJens Wiklander { 174532b31808SJens Wiklander return 5; 174632b31808SJens Wiklander } 174732b31808SJens Wiklander } 174832b31808SJens Wiklander 174932b31808SJens Wiklander static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl) 175032b31808SJens Wiklander { 175132b31808SJens Wiklander return (size_t) (ssl->out_iv - ssl->out_hdr); 175232b31808SJens Wiklander } 175332b31808SJens Wiklander 175432b31808SJens Wiklander static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl) 175532b31808SJens Wiklander { 175632b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 175732b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 175832b31808SJens Wiklander return 12; 175932b31808SJens Wiklander } 176032b31808SJens Wiklander #else 176132b31808SJens Wiklander ((void) ssl); 176232b31808SJens Wiklander #endif 176332b31808SJens Wiklander return 4; 176432b31808SJens Wiklander } 176532b31808SJens Wiklander 176632b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 176732b31808SJens Wiklander void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl); 176832b31808SJens Wiklander void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl); 176932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 177032b31808SJens Wiklander int mbedtls_ssl_resend(mbedtls_ssl_context *ssl); 177132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 177232b31808SJens Wiklander int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl); 177332b31808SJens Wiklander #endif 177432b31808SJens Wiklander 177532b31808SJens Wiklander /* Visible for testing purposes only */ 177632b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 177732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 177832b31808SJens Wiklander int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl); 177932b31808SJens Wiklander void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl); 178032b31808SJens Wiklander #endif 178132b31808SJens Wiklander 178232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 178332b31808SJens Wiklander int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst, 178432b31808SJens Wiklander const mbedtls_ssl_session *src); 178532b31808SJens Wiklander 178632b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 178732b31808SJens Wiklander /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ 178832b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 178932b31808SJens Wiklander int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 179032b31808SJens Wiklander unsigned char *hash, size_t *hashlen, 179132b31808SJens Wiklander unsigned char *data, size_t data_len, 179232b31808SJens Wiklander mbedtls_md_type_t md_alg); 179332b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 179432b31808SJens Wiklander 179532b31808SJens Wiklander #ifdef __cplusplus 179632b31808SJens Wiklander } 179732b31808SJens Wiklander #endif 179832b31808SJens Wiklander 179932b31808SJens Wiklander void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform); 180032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 180132b31808SJens Wiklander int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl, 180232b31808SJens Wiklander mbedtls_ssl_transform *transform, 180332b31808SJens Wiklander mbedtls_record *rec, 180432b31808SJens Wiklander int (*f_rng)(void *, unsigned char *, size_t), 180532b31808SJens Wiklander void *p_rng); 180632b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 180732b31808SJens Wiklander int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl, 180832b31808SJens Wiklander mbedtls_ssl_transform *transform, 180932b31808SJens Wiklander mbedtls_record *rec); 181032b31808SJens Wiklander 181132b31808SJens Wiklander /* Length of the "epoch" field in the record header */ 181232b31808SJens Wiklander static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl) 181332b31808SJens Wiklander { 181432b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 181532b31808SJens Wiklander if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 181632b31808SJens Wiklander return 2; 181732b31808SJens Wiklander } 181832b31808SJens Wiklander #else 181932b31808SJens Wiklander ((void) ssl); 182032b31808SJens Wiklander #endif 182132b31808SJens Wiklander return 0; 182232b31808SJens Wiklander } 182332b31808SJens Wiklander 182432b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 182532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 182632b31808SJens Wiklander int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl); 182732b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 182832b31808SJens Wiklander 182932b31808SJens Wiklander void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs); 183032b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 183132b31808SJens Wiklander int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl); 183232b31808SJens Wiklander 1833*c3deb3d6SEtienne Carriere void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl); 1834*c3deb3d6SEtienne Carriere void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl); 1835*c3deb3d6SEtienne Carriere void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl); 183632b31808SJens Wiklander void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl, 183732b31808SJens Wiklander mbedtls_ssl_transform *transform); 183832b31808SJens Wiklander 183932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 184032b31808SJens Wiklander int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial); 184132b31808SJens Wiklander void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, 184232b31808SJens Wiklander int partial); 184332b31808SJens Wiklander 184432b31808SJens Wiklander /* 184532b31808SJens Wiklander * Send pending alert 184632b31808SJens Wiklander */ 184732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 184832b31808SJens Wiklander int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl); 184932b31808SJens Wiklander 185032b31808SJens Wiklander /* 185132b31808SJens Wiklander * Set pending fatal alert flag. 185232b31808SJens Wiklander */ 185332b31808SJens Wiklander void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl, 185432b31808SJens Wiklander unsigned char alert_type, 185532b31808SJens Wiklander int alert_reason); 185632b31808SJens Wiklander 185732b31808SJens Wiklander /* Alias of mbedtls_ssl_pend_fatal_alert */ 185832b31808SJens Wiklander #define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \ 185932b31808SJens Wiklander mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value) 186032b31808SJens Wiklander 186132b31808SJens Wiklander #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 186232b31808SJens Wiklander void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl); 186332b31808SJens Wiklander #endif 186432b31808SJens Wiklander 186532b31808SJens Wiklander void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl); 186632b31808SJens Wiklander 186732b31808SJens Wiklander #if defined(MBEDTLS_SSL_RENEGOTIATION) 186832b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 186932b31808SJens Wiklander int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl); 187032b31808SJens Wiklander #endif /* MBEDTLS_SSL_RENEGOTIATION */ 187132b31808SJens Wiklander 187232b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_DTLS) 187332b31808SJens Wiklander size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl); 187432b31808SJens Wiklander void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl); 187532b31808SJens Wiklander void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight); 187632b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_DTLS */ 187732b31808SJens Wiklander 187832b31808SJens Wiklander /** 187932b31808SJens Wiklander * ssl utils functions for checking configuration. 188032b31808SJens Wiklander */ 188132b31808SJens Wiklander 188232b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 188332b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf) 188432b31808SJens Wiklander { 188532b31808SJens Wiklander return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && 188632b31808SJens Wiklander conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3; 188732b31808SJens Wiklander } 188832b31808SJens Wiklander 188932b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 189032b31808SJens Wiklander 189132b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 189232b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf) 189332b31808SJens Wiklander { 189432b31808SJens Wiklander return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 189532b31808SJens Wiklander conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2; 189632b31808SJens Wiklander } 189732b31808SJens Wiklander 189832b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 189932b31808SJens Wiklander 190032b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf) 190132b31808SJens Wiklander { 190232b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 190332b31808SJens Wiklander return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 && 190432b31808SJens Wiklander conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3; 190532b31808SJens Wiklander #else 190632b31808SJens Wiklander ((void) conf); 190732b31808SJens Wiklander return 0; 190832b31808SJens Wiklander #endif 190932b31808SJens Wiklander } 191032b31808SJens Wiklander 191132b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf) 191232b31808SJens Wiklander { 191332b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 191432b31808SJens Wiklander return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 && 191532b31808SJens Wiklander conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2; 191632b31808SJens Wiklander #else 191732b31808SJens Wiklander ((void) conf); 191832b31808SJens Wiklander return 0; 191932b31808SJens Wiklander #endif 192032b31808SJens Wiklander } 192132b31808SJens Wiklander 192232b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 192332b31808SJens Wiklander static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf) 192432b31808SJens Wiklander { 192532b31808SJens Wiklander return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 192632b31808SJens Wiklander conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3; 192732b31808SJens Wiklander } 192832b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */ 192932b31808SJens Wiklander 193032b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1931cb034002SJerome Forissier 1932cb034002SJerome Forissier /** \brief Initialize the PSA crypto subsystem if necessary. 1933cb034002SJerome Forissier * 1934cb034002SJerome Forissier * Call this function before doing any cryptography in a TLS 1.3 handshake. 1935cb034002SJerome Forissier * 1936cb034002SJerome Forissier * This is necessary in Mbed TLS 3.x for backward compatibility. 1937cb034002SJerome Forissier * Up to Mbed TLS 3.5, in the default configuration, you could perform 1938cb034002SJerome Forissier * a TLS connection with default parameters without having called 1939cb034002SJerome Forissier * psa_crypto_init(), since the TLS layer only supported TLS 1.2 and 1940cb034002SJerome Forissier * did not use PSA crypto. (TLS 1.2 only uses PSA crypto if 1941cb034002SJerome Forissier * MBEDTLS_USE_PSA_CRYPTO is enabled, which is not the case in the default 1942cb034002SJerome Forissier * configuration.) Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled 1943cb034002SJerome Forissier * by default, and the TLS 1.3 layer uses PSA crypto. This means that 1944cb034002SJerome Forissier * applications that are not otherwise using PSA crypto and that worked 1945cb034002SJerome Forissier * with Mbed TLS 3.5 started failing in TLS 3.6.0 if they connected to 1946cb034002SJerome Forissier * a peer that supports TLS 1.3. See 1947cb034002SJerome Forissier * https://github.com/Mbed-TLS/mbedtls/issues/9072 1948cb034002SJerome Forissier */ 1949cb034002SJerome Forissier int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl); 1950cb034002SJerome Forissier 195132b31808SJens Wiklander extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[ 195232b31808SJens Wiklander MBEDTLS_SERVER_HELLO_RANDOM_LEN]; 195332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 195432b31808SJens Wiklander int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl); 195532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 195632b31808SJens Wiklander int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl); 195732b31808SJens Wiklander void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl); 195832b31808SJens Wiklander 195932b31808SJens Wiklander /** 196032b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS 196132b31808SJens Wiklander * 1.3 specific extensions of the ClientHello message. 196232b31808SJens Wiklander * 196332b31808SJens Wiklander * \param[in] ssl SSL context 196432b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the extensions 196532b31808SJens Wiklander * \param[in] end End address of the buffer where to write the extensions 196632b31808SJens Wiklander * \param[out] out_len Length of the data written into the buffer \p buf 196732b31808SJens Wiklander */ 196832b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 196932b31808SJens Wiklander int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, 197032b31808SJens Wiklander unsigned char *buf, 197132b31808SJens Wiklander unsigned char *end, 197232b31808SJens Wiklander size_t *out_len); 197332b31808SJens Wiklander 197432b31808SJens Wiklander /** 197532b31808SJens Wiklander * \brief TLS 1.3 client side state machine entry 197632b31808SJens Wiklander * 197732b31808SJens Wiklander * \param ssl SSL context 197832b31808SJens Wiklander */ 197932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 198032b31808SJens Wiklander int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl); 198132b31808SJens Wiklander 198232b31808SJens Wiklander /** 198332b31808SJens Wiklander * \brief TLS 1.3 server side state machine entry 198432b31808SJens Wiklander * 198532b31808SJens Wiklander * \param ssl SSL context 198632b31808SJens Wiklander */ 198732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 198832b31808SJens Wiklander int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl); 198932b31808SJens Wiklander 199032b31808SJens Wiklander 199132b31808SJens Wiklander /* 199232b31808SJens Wiklander * Helper functions around key exchange modes. 199332b31808SJens Wiklander */ 1994b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context *ssl, 199532b31808SJens Wiklander int kex_mode_mask) 199632b31808SJens Wiklander { 199732b31808SJens Wiklander return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0; 199832b31808SJens Wiklander } 199932b31808SJens Wiklander 2000b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl) 200132b31808SJens Wiklander { 2002b0563631STom Van Eyck return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 200332b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); 200432b31808SJens Wiklander } 200532b31808SJens Wiklander 2006b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl) 200732b31808SJens Wiklander { 2008b0563631STom Van Eyck return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 200932b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 201032b31808SJens Wiklander } 201132b31808SJens Wiklander 2012b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl) 201332b31808SJens Wiklander { 2014b0563631STom Van Eyck return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 201532b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); 201632b31808SJens Wiklander } 201732b31808SJens Wiklander 2018b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl) 201932b31808SJens Wiklander { 2020b0563631STom Van Eyck return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 202132b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 202232b31808SJens Wiklander } 202332b31808SJens Wiklander 2024b0563631STom Van Eyck static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl) 202532b31808SJens Wiklander { 2026b0563631STom Van Eyck return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 202732b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 202832b31808SJens Wiklander } 202932b31808SJens Wiklander 203032b31808SJens Wiklander #if defined(MBEDTLS_SSL_SRV_C) && \ 203132b31808SJens Wiklander defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 203232b31808SJens Wiklander /** 203332b31808SJens Wiklander * Given a list of key exchange modes, check if at least one of them is 2034b0563631STom Van Eyck * supported by peer. 203532b31808SJens Wiklander * 203632b31808SJens Wiklander * \param[in] ssl SSL context 203732b31808SJens Wiklander * \param kex_modes_mask Mask of the key exchange modes to check 203832b31808SJens Wiklander * 2039b0563631STom Van Eyck * \return Non-zero if at least one of the key exchange modes is supported by 2040b0563631STom Van Eyck * the peer, otherwise \c 0. 204132b31808SJens Wiklander */ 2042b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context *ssl, 204332b31808SJens Wiklander int kex_modes_mask) 204432b31808SJens Wiklander { 2045b0563631STom Van Eyck return (ssl->handshake->tls13_kex_modes & kex_modes_mask) != 0; 204632b31808SJens Wiklander } 204732b31808SJens Wiklander 2048b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context *ssl) 204932b31808SJens Wiklander { 2050b0563631STom Van Eyck return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 205132b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); 205232b31808SJens Wiklander } 205332b31808SJens Wiklander 2054b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_psk_ephemeral_supported( 205532b31808SJens Wiklander mbedtls_ssl_context *ssl) 205632b31808SJens Wiklander { 2057b0563631STom Van Eyck return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 205832b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 205932b31808SJens Wiklander } 206032b31808SJens Wiklander 2061b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context *ssl) 206232b31808SJens Wiklander { 2063b0563631STom Van Eyck return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 206432b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); 206532b31808SJens Wiklander } 206632b31808SJens Wiklander 2067b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context *ssl) 206832b31808SJens Wiklander { 2069b0563631STom Van Eyck return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 207032b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 207132b31808SJens Wiklander } 207232b31808SJens Wiklander 2073b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context *ssl) 207432b31808SJens Wiklander { 2075b0563631STom Van Eyck return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 207632b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 207732b31808SJens Wiklander } 207832b31808SJens Wiklander #endif /* MBEDTLS_SSL_SRV_C && 207932b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 208032b31808SJens Wiklander 208132b31808SJens Wiklander /* 208232b31808SJens Wiklander * Helper functions for extensions checking. 208332b31808SJens Wiklander */ 208432b31808SJens Wiklander 208532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 208632b31808SJens Wiklander int mbedtls_ssl_tls13_check_received_extension( 208732b31808SJens Wiklander mbedtls_ssl_context *ssl, 208832b31808SJens Wiklander int hs_msg_type, 208932b31808SJens Wiklander unsigned int received_extension_type, 209032b31808SJens Wiklander uint32_t hs_msg_allowed_extensions_mask); 209132b31808SJens Wiklander 209232b31808SJens Wiklander static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask( 209332b31808SJens Wiklander mbedtls_ssl_context *ssl, unsigned int extension_type) 209432b31808SJens Wiklander { 209532b31808SJens Wiklander ssl->handshake->sent_extensions |= 209632b31808SJens Wiklander mbedtls_ssl_get_extension_mask(extension_type); 209732b31808SJens Wiklander } 209832b31808SJens Wiklander 209932b31808SJens Wiklander /* 210032b31808SJens Wiklander * Helper functions to check the selected key exchange mode. 210132b31808SJens Wiklander */ 210232b31808SJens Wiklander static inline int mbedtls_ssl_tls13_key_exchange_mode_check( 210332b31808SJens Wiklander mbedtls_ssl_context *ssl, int kex_mask) 210432b31808SJens Wiklander { 210532b31808SJens Wiklander return (ssl->handshake->key_exchange_mode & kex_mask) != 0; 210632b31808SJens Wiklander } 210732b31808SJens Wiklander 210832b31808SJens Wiklander static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk( 210932b31808SJens Wiklander mbedtls_ssl_context *ssl) 211032b31808SJens Wiklander { 211132b31808SJens Wiklander return mbedtls_ssl_tls13_key_exchange_mode_check(ssl, 211232b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 211332b31808SJens Wiklander } 211432b31808SJens Wiklander 211532b31808SJens Wiklander static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( 211632b31808SJens Wiklander mbedtls_ssl_context *ssl) 211732b31808SJens Wiklander { 211832b31808SJens Wiklander return mbedtls_ssl_tls13_key_exchange_mode_check(ssl, 211932b31808SJens Wiklander MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 212032b31808SJens Wiklander } 212132b31808SJens Wiklander 212232b31808SJens Wiklander /* 212332b31808SJens Wiklander * Fetch TLS 1.3 handshake message header 212432b31808SJens Wiklander */ 212532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 212632b31808SJens Wiklander int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl, 212732b31808SJens Wiklander unsigned hs_type, 212832b31808SJens Wiklander unsigned char **buf, 212932b31808SJens Wiklander size_t *buf_len); 213032b31808SJens Wiklander 2131b0563631STom Van Eyck /** 2132b0563631STom Van Eyck * \brief Detect if a list of extensions contains a supported_versions 2133b0563631STom Van Eyck * extension or not. 2134b0563631STom Van Eyck * 2135b0563631STom Van Eyck * \param[in] ssl SSL context 2136b0563631STom Van Eyck * \param[in] buf Address of the first byte of the extensions vector. 2137b0563631STom Van Eyck * \param[in] end End of the buffer containing the list of extensions. 2138b0563631STom Van Eyck * \param[out] supported_versions_data If the extension is present, address of 2139b0563631STom Van Eyck * its first byte of data, NULL otherwise. 2140b0563631STom Van Eyck * \param[out] supported_versions_data_end If the extension is present, address 2141b0563631STom Van Eyck * of the first byte immediately 2142b0563631STom Van Eyck * following the extension data, NULL 2143b0563631STom Van Eyck * otherwise. 2144b0563631STom Van Eyck * \return 0 if the list of extensions does not contain a supported_versions 2145b0563631STom Van Eyck * extension. 2146b0563631STom Van Eyck * \return 1 if the list of extensions contains a supported_versions 2147b0563631STom Van Eyck * extension. 2148b0563631STom Van Eyck * \return A negative value if an error occurred while parsing the 2149b0563631STom Van Eyck * extensions. 2150b0563631STom Van Eyck */ 2151b0563631STom Van Eyck MBEDTLS_CHECK_RETURN_CRITICAL 2152b0563631STom Van Eyck int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts( 2153b0563631STom Van Eyck mbedtls_ssl_context *ssl, 2154b0563631STom Van Eyck const unsigned char *buf, const unsigned char *end, 2155b0563631STom Van Eyck const unsigned char **supported_versions_data, 2156b0563631STom Van Eyck const unsigned char **supported_versions_data_end); 2157b0563631STom Van Eyck 215832b31808SJens Wiklander /* 215932b31808SJens Wiklander * Handler of TLS 1.3 server certificate message 216032b31808SJens Wiklander */ 216132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 216232b31808SJens Wiklander int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl); 216332b31808SJens Wiklander 216432b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 216532b31808SJens Wiklander /* 216632b31808SJens Wiklander * Handler of TLS 1.3 write Certificate message 216732b31808SJens Wiklander */ 216832b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 216932b31808SJens Wiklander int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl); 217032b31808SJens Wiklander 217132b31808SJens Wiklander /* 217232b31808SJens Wiklander * Handler of TLS 1.3 write Certificate Verify message 217332b31808SJens Wiklander */ 217432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 217532b31808SJens Wiklander int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl); 217632b31808SJens Wiklander 217732b31808SJens Wiklander #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 217832b31808SJens Wiklander 217932b31808SJens Wiklander /* 218032b31808SJens Wiklander * Generic handler of Certificate Verify 218132b31808SJens Wiklander */ 218232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 218332b31808SJens Wiklander int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl); 218432b31808SJens Wiklander 218532b31808SJens Wiklander /* 218632b31808SJens Wiklander * Write of dummy-CCS's for middlebox compatibility 218732b31808SJens Wiklander */ 218832b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 218932b31808SJens Wiklander int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl); 219032b31808SJens Wiklander 219132b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 219232b31808SJens Wiklander int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl); 219332b31808SJens Wiklander 2194b0563631STom Van Eyck #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) 219532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2196b0563631STom Van Eyck int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange( 219732b31808SJens Wiklander mbedtls_ssl_context *ssl, 219832b31808SJens Wiklander uint16_t named_group, 219932b31808SJens Wiklander unsigned char *buf, 220032b31808SJens Wiklander unsigned char *end, 220132b31808SJens Wiklander size_t *out_len); 2202b0563631STom Van Eyck #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ 220332b31808SJens Wiklander 220432b31808SJens Wiklander #if defined(MBEDTLS_SSL_EARLY_DATA) 220532b31808SJens Wiklander int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, 2206b0563631STom Van Eyck int in_new_session_ticket, 220732b31808SJens Wiklander unsigned char *buf, 220832b31808SJens Wiklander const unsigned char *end, 220932b31808SJens Wiklander size_t *out_len); 2210b0563631STom Van Eyck 2211b0563631STom Van Eyck int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, 2212b0563631STom Van Eyck size_t early_data_len); 2213b0563631STom Van Eyck 2214b0563631STom Van Eyck typedef enum { 2215b0563631STom Van Eyck /* 2216b0563631STom Van Eyck * The client has not sent the first ClientHello yet, the negotiation of early 2217b0563631STom Van Eyck * data has not started yet. 2218b0563631STom Van Eyck */ 2219b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_IDLE, 2220b0563631STom Van Eyck 2221b0563631STom Van Eyck /* 2222b0563631STom Van Eyck * In its ClientHello, the client has not included an early data indication 2223b0563631STom Van Eyck * extension. 2224b0563631STom Van Eyck */ 2225b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT, 2226b0563631STom Van Eyck 2227b0563631STom Van Eyck /* 2228b0563631STom Van Eyck * The client has sent an early data indication extension in its first 2229b0563631STom Van Eyck * ClientHello, it has not received the response (ServerHello or 2230b0563631STom Van Eyck * HelloRetryRequest) from the server yet. The transform to protect early data 2231b0563631STom Van Eyck * is not set either as for middlebox compatibility a dummy CCS may have to be 2232b0563631STom Van Eyck * sent in clear. Early data cannot be sent to the server yet. 2233b0563631STom Van Eyck */ 2234b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT, 2235b0563631STom Van Eyck 2236b0563631STom Van Eyck /* 2237b0563631STom Van Eyck * The client has sent an early data indication extension in its first 2238b0563631STom Van Eyck * ClientHello, it has not received the response (ServerHello or 2239b0563631STom Van Eyck * HelloRetryRequest) from the server yet. The transform to protect early data 2240b0563631STom Van Eyck * has been set and early data can be written now. 2241b0563631STom Van Eyck */ 2242b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE, 2243b0563631STom Van Eyck 2244b0563631STom Van Eyck /* 2245b0563631STom Van Eyck * The client has indicated the use of early data and the server has accepted 2246b0563631STom Van Eyck * it. 2247b0563631STom Van Eyck */ 2248b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED, 2249b0563631STom Van Eyck 2250b0563631STom Van Eyck /* 2251b0563631STom Van Eyck * The client has indicated the use of early data but the server has rejected 2252b0563631STom Van Eyck * it. 2253b0563631STom Van Eyck */ 2254b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED, 2255b0563631STom Van Eyck 2256b0563631STom Van Eyck /* 2257b0563631STom Van Eyck * The client has sent an early data indication extension in its first 2258b0563631STom Van Eyck * ClientHello, the server has accepted them and the client has received the 2259b0563631STom Van Eyck * server Finished message. It cannot send early data to the server anymore. 2260b0563631STom Van Eyck */ 2261b0563631STom Van Eyck MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED, 2262b0563631STom Van Eyck 2263b0563631STom Van Eyck } mbedtls_ssl_early_data_state; 226432b31808SJens Wiklander #endif /* MBEDTLS_SSL_EARLY_DATA */ 226532b31808SJens Wiklander 226632b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 226732b31808SJens Wiklander 226832b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 226932b31808SJens Wiklander /* 227032b31808SJens Wiklander * Write Signature Algorithm extension 227132b31808SJens Wiklander */ 227232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 227332b31808SJens Wiklander int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf, 227432b31808SJens Wiklander const unsigned char *end, size_t *out_len); 227532b31808SJens Wiklander /* 227632b31808SJens Wiklander * Parse TLS Signature Algorithm extension 227732b31808SJens Wiklander */ 227832b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 227932b31808SJens Wiklander int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl, 228032b31808SJens Wiklander const unsigned char *buf, 228132b31808SJens Wiklander const unsigned char *end); 228232b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 228332b31808SJens Wiklander 228432b31808SJens Wiklander /* Get handshake transcript */ 228532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 228632b31808SJens Wiklander int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 228732b31808SJens Wiklander const mbedtls_md_type_t md, 228832b31808SJens Wiklander unsigned char *dst, 228932b31808SJens Wiklander size_t dst_len, 229032b31808SJens Wiklander size_t *olen); 229132b31808SJens Wiklander 229232b31808SJens Wiklander /* 229332b31808SJens Wiklander * Return supported groups. 229432b31808SJens Wiklander * 229532b31808SJens Wiklander * In future, invocations can be changed to ssl->conf->group_list 229632b31808SJens Wiklander * when mbedtls_ssl_conf_curves() is deleted. 229732b31808SJens Wiklander * 229832b31808SJens Wiklander * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group 229932b31808SJens Wiklander * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to 230032b31808SJens Wiklander * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked. 230132b31808SJens Wiklander * 230232b31808SJens Wiklander */ 230332b31808SJens Wiklander static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl) 230432b31808SJens Wiklander { 230532b31808SJens Wiklander #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C) 230632b31808SJens Wiklander return ssl->conf->group_list; 230732b31808SJens Wiklander #else 230832b31808SJens Wiklander if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) { 230932b31808SJens Wiklander return ssl->handshake->group_list; 231032b31808SJens Wiklander } else { 231132b31808SJens Wiklander return ssl->conf->group_list; 231232b31808SJens Wiklander } 231332b31808SJens Wiklander #endif 231432b31808SJens Wiklander } 231532b31808SJens Wiklander 231632b31808SJens Wiklander /* 231732b31808SJens Wiklander * Helper functions for NamedGroup. 231832b31808SJens Wiklander */ 231932b31808SJens Wiklander static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group) 232032b31808SJens Wiklander { 232132b31808SJens Wiklander /* 232232b31808SJens Wiklander * RFC 8422 section 5.1.1 232332b31808SJens Wiklander */ 232432b31808SJens Wiklander return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 || 232532b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 || 232632b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 || 232732b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 || 232832b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 || 232932b31808SJens Wiklander /* Below deprecated curves should be removed with notice to users */ 233032b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 || 233132b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 || 233232b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 || 233332b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 || 233432b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 || 233532b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || 233632b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || 233732b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1; 233832b31808SJens Wiklander } 233932b31808SJens Wiklander 234032b31808SJens Wiklander static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group) 234132b31808SJens Wiklander { 234232b31808SJens Wiklander return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 || 234332b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || 234432b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || 234532b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 || 234632b31808SJens Wiklander named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448; 234732b31808SJens Wiklander } 234832b31808SJens Wiklander 2349b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group) 235032b31808SJens Wiklander { 235132b31808SJens Wiklander return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 && 235232b31808SJens Wiklander named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192; 235332b31808SJens Wiklander } 235432b31808SJens Wiklander 235532b31808SJens Wiklander static inline int mbedtls_ssl_named_group_is_offered( 235632b31808SJens Wiklander const mbedtls_ssl_context *ssl, uint16_t named_group) 235732b31808SJens Wiklander { 235832b31808SJens Wiklander const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); 235932b31808SJens Wiklander 236032b31808SJens Wiklander if (group_list == NULL) { 236132b31808SJens Wiklander return 0; 236232b31808SJens Wiklander } 236332b31808SJens Wiklander 236432b31808SJens Wiklander for (; *group_list != 0; group_list++) { 236532b31808SJens Wiklander if (*group_list == named_group) { 236632b31808SJens Wiklander return 1; 236732b31808SJens Wiklander } 236832b31808SJens Wiklander } 236932b31808SJens Wiklander 237032b31808SJens Wiklander return 0; 237132b31808SJens Wiklander } 237232b31808SJens Wiklander 237332b31808SJens Wiklander static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group) 237432b31808SJens Wiklander { 2375b0563631STom Van Eyck #if defined(PSA_WANT_ALG_ECDH) 237632b31808SJens Wiklander if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) { 237732b31808SJens Wiklander if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) != 237832b31808SJens Wiklander MBEDTLS_ECP_DP_NONE) { 237932b31808SJens Wiklander return 1; 238032b31808SJens Wiklander } 238132b31808SJens Wiklander } 2382b0563631STom Van Eyck #endif 2383b0563631STom Van Eyck #if defined(PSA_WANT_ALG_FFDH) 2384b0563631STom Van Eyck if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) { 2385b0563631STom Van Eyck return 1; 2386b0563631STom Van Eyck } 2387b0563631STom Van Eyck #endif 2388b0563631STom Van Eyck #if !defined(PSA_WANT_ALG_ECDH) && !defined(PSA_WANT_ALG_FFDH) 2389b0563631STom Van Eyck (void) named_group; 2390b0563631STom Van Eyck #endif 239132b31808SJens Wiklander return 0; 239232b31808SJens Wiklander } 239332b31808SJens Wiklander 239432b31808SJens Wiklander /* 239532b31808SJens Wiklander * Return supported signature algorithms. 239632b31808SJens Wiklander * 239732b31808SJens Wiklander * In future, invocations can be changed to ssl->conf->sig_algs when 239832b31808SJens Wiklander * mbedtls_ssl_conf_sig_hashes() is deleted. 239932b31808SJens Wiklander * 240032b31808SJens Wiklander * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS 240132b31808SJens Wiklander * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been 240232b31808SJens Wiklander * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has 240332b31808SJens Wiklander * been more recently invoked. 240432b31808SJens Wiklander * 240532b31808SJens Wiklander */ 240632b31808SJens Wiklander static inline const void *mbedtls_ssl_get_sig_algs( 240732b31808SJens Wiklander const mbedtls_ssl_context *ssl) 240832b31808SJens Wiklander { 240932b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 241032b31808SJens Wiklander 241132b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED) 241232b31808SJens Wiklander if (ssl->handshake != NULL && 241332b31808SJens Wiklander ssl->handshake->sig_algs_heap_allocated == 1 && 241432b31808SJens Wiklander ssl->handshake->sig_algs != NULL) { 241532b31808SJens Wiklander return ssl->handshake->sig_algs; 241632b31808SJens Wiklander } 241732b31808SJens Wiklander #endif 241832b31808SJens Wiklander return ssl->conf->sig_algs; 241932b31808SJens Wiklander 242032b31808SJens Wiklander #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 242132b31808SJens Wiklander 242232b31808SJens Wiklander ((void) ssl); 242332b31808SJens Wiklander return NULL; 242432b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 242532b31808SJens Wiklander } 242632b31808SJens Wiklander 242732b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 242832b31808SJens Wiklander static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl, 242932b31808SJens Wiklander uint16_t own_sig_alg) 243032b31808SJens Wiklander { 243132b31808SJens Wiklander const uint16_t *sig_alg = ssl->handshake->received_sig_algs; 243232b31808SJens Wiklander if (sig_alg == NULL) { 243332b31808SJens Wiklander return 0; 243432b31808SJens Wiklander } 243532b31808SJens Wiklander 243632b31808SJens Wiklander for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 243732b31808SJens Wiklander if (*sig_alg == own_sig_alg) { 243832b31808SJens Wiklander return 1; 243932b31808SJens Wiklander } 244032b31808SJens Wiklander } 244132b31808SJens Wiklander return 0; 244232b31808SJens Wiklander } 244332b31808SJens Wiklander 244432b31808SJens Wiklander static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( 244532b31808SJens Wiklander const uint16_t sig_alg) 244632b31808SJens Wiklander { 244732b31808SJens Wiklander switch (sig_alg) { 244832b31808SJens Wiklander #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 2449b0563631STom Van Eyck #if defined(PSA_WANT_ALG_SHA_256) && defined(PSA_WANT_ECC_SECP_R1_256) 245032b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: 245132b31808SJens Wiklander break; 245232b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 2453b0563631STom Van Eyck #if defined(PSA_WANT_ALG_SHA_384) && defined(PSA_WANT_ECC_SECP_R1_384) 245432b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: 245532b31808SJens Wiklander break; 245632b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 2457b0563631STom Van Eyck #if defined(PSA_WANT_ALG_SHA_512) && defined(PSA_WANT_ECC_SECP_R1_521) 245832b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: 245932b31808SJens Wiklander break; 246032b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 246132b31808SJens Wiklander #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ 246232b31808SJens Wiklander 246332b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V21) 246432b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_256) 246532b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: 246632b31808SJens Wiklander break; 246732b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_256 */ 246832b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_384) 246932b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: 247032b31808SJens Wiklander break; 247132b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_384 */ 247232b31808SJens Wiklander #if defined(PSA_WANT_ALG_SHA_512) 247332b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 247432b31808SJens Wiklander break; 247532b31808SJens Wiklander #endif /* PSA_WANT_ALG_SHA_512 */ 247632b31808SJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */ 247732b31808SJens Wiklander default: 247832b31808SJens Wiklander return 0; 247932b31808SJens Wiklander } 248032b31808SJens Wiklander return 1; 248132b31808SJens Wiklander 248232b31808SJens Wiklander } 248332b31808SJens Wiklander 248432b31808SJens Wiklander static inline int mbedtls_ssl_tls13_sig_alg_is_supported( 248532b31808SJens Wiklander const uint16_t sig_alg) 248632b31808SJens Wiklander { 248732b31808SJens Wiklander switch (sig_alg) { 248832b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V15) 2489b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA256) 249032b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: 249132b31808SJens Wiklander break; 2492b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA256 */ 2493b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA384) 249432b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: 249532b31808SJens Wiklander break; 2496b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA384 */ 2497b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA512) 249832b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: 249932b31808SJens Wiklander break; 2500b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA512 */ 250132b31808SJens Wiklander #endif /* MBEDTLS_PKCS1_V15 */ 250232b31808SJens Wiklander default: 250332b31808SJens Wiklander return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( 250432b31808SJens Wiklander sig_alg); 250532b31808SJens Wiklander } 250632b31808SJens Wiklander return 1; 250732b31808SJens Wiklander } 250832b31808SJens Wiklander 250932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 251032b31808SJens Wiklander int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg, 251132b31808SJens Wiklander mbedtls_pk_context *key); 251232b31808SJens Wiklander #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 251332b31808SJens Wiklander 251432b31808SJens Wiklander #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 251532b31808SJens Wiklander static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl, 251632b31808SJens Wiklander uint16_t proposed_sig_alg) 251732b31808SJens Wiklander { 251832b31808SJens Wiklander const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); 251932b31808SJens Wiklander if (sig_alg == NULL) { 252032b31808SJens Wiklander return 0; 252132b31808SJens Wiklander } 252232b31808SJens Wiklander 252332b31808SJens Wiklander for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 252432b31808SJens Wiklander if (*sig_alg == proposed_sig_alg) { 252532b31808SJens Wiklander return 1; 252632b31808SJens Wiklander } 252732b31808SJens Wiklander } 252832b31808SJens Wiklander return 0; 252932b31808SJens Wiklander } 253032b31808SJens Wiklander 253132b31808SJens Wiklander static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( 253232b31808SJens Wiklander uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg) 253332b31808SJens Wiklander { 253432b31808SJens Wiklander *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff); 253532b31808SJens Wiklander *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff); 253632b31808SJens Wiklander 253732b31808SJens Wiklander if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) { 253832b31808SJens Wiklander return 0; 253932b31808SJens Wiklander } 254032b31808SJens Wiklander 254132b31808SJens Wiklander switch (sig_alg) { 254232b31808SJens Wiklander #if defined(MBEDTLS_PKCS1_V21) 2543b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA256) 254432b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: 254532b31808SJens Wiklander *md_alg = MBEDTLS_MD_SHA256; 254632b31808SJens Wiklander *pk_type = MBEDTLS_PK_RSASSA_PSS; 254732b31808SJens Wiklander break; 2548b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA256 */ 2549b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA384) 255032b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: 255132b31808SJens Wiklander *md_alg = MBEDTLS_MD_SHA384; 255232b31808SJens Wiklander *pk_type = MBEDTLS_PK_RSASSA_PSS; 255332b31808SJens Wiklander break; 2554b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA384 */ 2555b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA512) 255632b31808SJens Wiklander case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 255732b31808SJens Wiklander *md_alg = MBEDTLS_MD_SHA512; 255832b31808SJens Wiklander *pk_type = MBEDTLS_PK_RSASSA_PSS; 255932b31808SJens Wiklander break; 2560b0563631STom Van Eyck #endif /* MBEDTLS_MD_CAN_SHA512 */ 256132b31808SJens Wiklander #endif /* MBEDTLS_PKCS1_V21 */ 256232b31808SJens Wiklander default: 256332b31808SJens Wiklander return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 256432b31808SJens Wiklander } 256532b31808SJens Wiklander return 0; 256632b31808SJens Wiklander } 256732b31808SJens Wiklander 256832b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 256932b31808SJens Wiklander static inline int mbedtls_ssl_tls12_sig_alg_is_supported( 257032b31808SJens Wiklander const uint16_t sig_alg) 257132b31808SJens Wiklander { 257232b31808SJens Wiklander /* High byte is hash */ 257332b31808SJens Wiklander unsigned char hash = MBEDTLS_BYTE_1(sig_alg); 257432b31808SJens Wiklander unsigned char sig = MBEDTLS_BYTE_0(sig_alg); 257532b31808SJens Wiklander 257632b31808SJens Wiklander switch (hash) { 2577b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_MD5) 257832b31808SJens Wiklander case MBEDTLS_SSL_HASH_MD5: 257932b31808SJens Wiklander break; 258032b31808SJens Wiklander #endif 258132b31808SJens Wiklander 2582b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA1) 258332b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA1: 258432b31808SJens Wiklander break; 258532b31808SJens Wiklander #endif 258632b31808SJens Wiklander 2587b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA224) 258832b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA224: 258932b31808SJens Wiklander break; 259032b31808SJens Wiklander #endif 259132b31808SJens Wiklander 2592b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA256) 259332b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA256: 259432b31808SJens Wiklander break; 259532b31808SJens Wiklander #endif 259632b31808SJens Wiklander 2597b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA384) 259832b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA384: 259932b31808SJens Wiklander break; 260032b31808SJens Wiklander #endif 260132b31808SJens Wiklander 2602b0563631STom Van Eyck #if defined(MBEDTLS_MD_CAN_SHA512) 260332b31808SJens Wiklander case MBEDTLS_SSL_HASH_SHA512: 260432b31808SJens Wiklander break; 260532b31808SJens Wiklander #endif 260632b31808SJens Wiklander 260732b31808SJens Wiklander default: 260832b31808SJens Wiklander return 0; 260932b31808SJens Wiklander } 261032b31808SJens Wiklander 261132b31808SJens Wiklander switch (sig) { 261232b31808SJens Wiklander #if defined(MBEDTLS_RSA_C) 261332b31808SJens Wiklander case MBEDTLS_SSL_SIG_RSA: 261432b31808SJens Wiklander break; 261532b31808SJens Wiklander #endif 261632b31808SJens Wiklander 2617b0563631STom Van Eyck #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 261832b31808SJens Wiklander case MBEDTLS_SSL_SIG_ECDSA: 261932b31808SJens Wiklander break; 262032b31808SJens Wiklander #endif 262132b31808SJens Wiklander 262232b31808SJens Wiklander default: 262332b31808SJens Wiklander return 0; 262432b31808SJens Wiklander } 262532b31808SJens Wiklander 262632b31808SJens Wiklander return 1; 262732b31808SJens Wiklander } 262832b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 262932b31808SJens Wiklander 263032b31808SJens Wiklander static inline int mbedtls_ssl_sig_alg_is_supported( 263132b31808SJens Wiklander const mbedtls_ssl_context *ssl, 263232b31808SJens Wiklander const uint16_t sig_alg) 263332b31808SJens Wiklander { 263432b31808SJens Wiklander 263532b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 263632b31808SJens Wiklander if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 263732b31808SJens Wiklander return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg); 263832b31808SJens Wiklander } 263932b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 264032b31808SJens Wiklander 264132b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 264232b31808SJens Wiklander if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 264332b31808SJens Wiklander return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg); 264432b31808SJens Wiklander } 264532b31808SJens Wiklander #endif 264632b31808SJens Wiklander ((void) ssl); 264732b31808SJens Wiklander ((void) sig_alg); 264832b31808SJens Wiklander return 0; 264932b31808SJens Wiklander } 265032b31808SJens Wiklander #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 265132b31808SJens Wiklander 265232b31808SJens Wiklander #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 265332b31808SJens Wiklander /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL. 265432b31808SJens Wiklander * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is 265532b31808SJens Wiklander * guaranteed to not be a valid PSA algorithm identifier. 265632b31808SJens Wiklander */ 265732b31808SJens Wiklander #define MBEDTLS_SSL_NULL_CIPHER 0x04000000 265832b31808SJens Wiklander 265932b31808SJens Wiklander /** 266032b31808SJens Wiklander * \brief Translate mbedtls cipher type/taglen pair to psa: 266132b31808SJens Wiklander * algorithm, key type and key size. 266232b31808SJens Wiklander * 266332b31808SJens Wiklander * \param mbedtls_cipher_type [in] given mbedtls cipher type 266432b31808SJens Wiklander * \param taglen [in] given tag length 266532b31808SJens Wiklander * 0 - default tag length 266632b31808SJens Wiklander * \param alg [out] corresponding PSA alg 266732b31808SJens Wiklander * There is no corresponding PSA 266832b31808SJens Wiklander * alg for MBEDTLS_CIPHER_NULL, so 266932b31808SJens Wiklander * in this case MBEDTLS_SSL_NULL_CIPHER 267032b31808SJens Wiklander * is returned via this parameter 267132b31808SJens Wiklander * \param key_type [out] corresponding PSA key type 267232b31808SJens Wiklander * \param key_size [out] corresponding PSA key size 267332b31808SJens Wiklander * 267432b31808SJens Wiklander * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if 267532b31808SJens Wiklander * conversion is not supported. 267632b31808SJens Wiklander */ 267732b31808SJens Wiklander psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type, 267832b31808SJens Wiklander size_t taglen, 267932b31808SJens Wiklander psa_algorithm_t *alg, 268032b31808SJens Wiklander psa_key_type_t *key_type, 268132b31808SJens Wiklander size_t *key_size); 268232b31808SJens Wiklander 268332b31808SJens Wiklander #if !defined(MBEDTLS_DEPRECATED_REMOVED) 268432b31808SJens Wiklander /** 268532b31808SJens Wiklander * \brief Convert given PSA status to mbedtls error code. 268632b31808SJens Wiklander * 268732b31808SJens Wiklander * \param status [in] given PSA status 268832b31808SJens Wiklander * 268932b31808SJens Wiklander * \return corresponding mbedtls error code 269032b31808SJens Wiklander */ 269132b31808SJens Wiklander static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status) 269232b31808SJens Wiklander { 269332b31808SJens Wiklander switch (status) { 269432b31808SJens Wiklander case PSA_SUCCESS: 269532b31808SJens Wiklander return 0; 269632b31808SJens Wiklander case PSA_ERROR_INSUFFICIENT_MEMORY: 269732b31808SJens Wiklander return MBEDTLS_ERR_SSL_ALLOC_FAILED; 269832b31808SJens Wiklander case PSA_ERROR_NOT_SUPPORTED: 269932b31808SJens Wiklander return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 270032b31808SJens Wiklander case PSA_ERROR_INVALID_SIGNATURE: 270132b31808SJens Wiklander return MBEDTLS_ERR_SSL_INVALID_MAC; 270232b31808SJens Wiklander case PSA_ERROR_INVALID_ARGUMENT: 270332b31808SJens Wiklander return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 270432b31808SJens Wiklander case PSA_ERROR_BAD_STATE: 270532b31808SJens Wiklander return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 270632b31808SJens Wiklander case PSA_ERROR_BUFFER_TOO_SMALL: 270732b31808SJens Wiklander return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 270832b31808SJens Wiklander default: 270932b31808SJens Wiklander return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 271032b31808SJens Wiklander } 271132b31808SJens Wiklander } 271232b31808SJens Wiklander #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 271332b31808SJens Wiklander #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ 271432b31808SJens Wiklander 271532b31808SJens Wiklander #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 271632b31808SJens Wiklander defined(MBEDTLS_USE_PSA_CRYPTO) 271732b31808SJens Wiklander 271832b31808SJens Wiklander typedef enum { 271932b31808SJens Wiklander MBEDTLS_ECJPAKE_ROUND_ONE, 272032b31808SJens Wiklander MBEDTLS_ECJPAKE_ROUND_TWO 272132b31808SJens Wiklander } mbedtls_ecjpake_rounds_t; 272232b31808SJens Wiklander 272332b31808SJens Wiklander /** 272432b31808SJens Wiklander * \brief Parse the provided input buffer for getting the first round 272532b31808SJens Wiklander * of key exchange. This code is common between server and client 272632b31808SJens Wiklander * 272732b31808SJens Wiklander * \param pake_ctx [in] the PAKE's operation/context structure 272832b31808SJens Wiklander * \param buf [in] input buffer to parse 272932b31808SJens Wiklander * \param len [in] length of the input buffer 273032b31808SJens Wiklander * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or 273132b31808SJens Wiklander * MBEDTLS_ECJPAKE_ROUND_TWO 273232b31808SJens Wiklander * 273332b31808SJens Wiklander * \return 0 on success or a negative error code in case of failure 273432b31808SJens Wiklander */ 273532b31808SJens Wiklander int mbedtls_psa_ecjpake_read_round( 273632b31808SJens Wiklander psa_pake_operation_t *pake_ctx, 273732b31808SJens Wiklander const unsigned char *buf, 273832b31808SJens Wiklander size_t len, mbedtls_ecjpake_rounds_t round); 273932b31808SJens Wiklander 274032b31808SJens Wiklander /** 274132b31808SJens Wiklander * \brief Write the first round of key exchange into the provided output 274232b31808SJens Wiklander * buffer. This code is common between server and client 274332b31808SJens Wiklander * 274432b31808SJens Wiklander * \param pake_ctx [in] the PAKE's operation/context structure 274532b31808SJens Wiklander * \param buf [out] the output buffer in which data will be written to 274632b31808SJens Wiklander * \param len [in] length of the output buffer 274732b31808SJens Wiklander * \param olen [out] the length of the data really written on the buffer 274832b31808SJens Wiklander * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or 274932b31808SJens Wiklander * MBEDTLS_ECJPAKE_ROUND_TWO 275032b31808SJens Wiklander * 275132b31808SJens Wiklander * \return 0 on success or a negative error code in case of failure 275232b31808SJens Wiklander */ 275332b31808SJens Wiklander int mbedtls_psa_ecjpake_write_round( 275432b31808SJens Wiklander psa_pake_operation_t *pake_ctx, 275532b31808SJens Wiklander unsigned char *buf, 275632b31808SJens Wiklander size_t len, size_t *olen, 275732b31808SJens Wiklander mbedtls_ecjpake_rounds_t round); 275832b31808SJens Wiklander 275932b31808SJens Wiklander #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO 276032b31808SJens Wiklander 276132b31808SJens Wiklander /** 276232b31808SJens Wiklander * \brief TLS record protection modes 276332b31808SJens Wiklander */ 276432b31808SJens Wiklander typedef enum { 276532b31808SJens Wiklander MBEDTLS_SSL_MODE_STREAM = 0, 276632b31808SJens Wiklander MBEDTLS_SSL_MODE_CBC, 276732b31808SJens Wiklander MBEDTLS_SSL_MODE_CBC_ETM, 276832b31808SJens Wiklander MBEDTLS_SSL_MODE_AEAD 276932b31808SJens Wiklander } mbedtls_ssl_mode_t; 277032b31808SJens Wiklander 277132b31808SJens Wiklander mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform( 277232b31808SJens Wiklander const mbedtls_ssl_transform *transform); 277332b31808SJens Wiklander 277432b31808SJens Wiklander #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 277532b31808SJens Wiklander mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 277632b31808SJens Wiklander int encrypt_then_mac, 277732b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite); 277832b31808SJens Wiklander #else 277932b31808SJens Wiklander mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 278032b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite); 278132b31808SJens Wiklander #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 278232b31808SJens Wiklander 2783b0563631STom Van Eyck #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) 278432b31808SJens Wiklander 278532b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 2786b0563631STom Van Eyck int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl, 278732b31808SJens Wiklander const unsigned char *buf, 278832b31808SJens Wiklander size_t buf_len); 278932b31808SJens Wiklander 2790b0563631STom Van Eyck #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ 279132b31808SJens Wiklander 279232b31808SJens Wiklander static inline int mbedtls_ssl_tls13_cipher_suite_is_offered( 279332b31808SJens Wiklander mbedtls_ssl_context *ssl, int cipher_suite) 279432b31808SJens Wiklander { 279532b31808SJens Wiklander const int *ciphersuite_list = ssl->conf->ciphersuite_list; 279632b31808SJens Wiklander 279732b31808SJens Wiklander /* Check whether we have offered this ciphersuite */ 279832b31808SJens Wiklander for (size_t i = 0; ciphersuite_list[i] != 0; i++) { 279932b31808SJens Wiklander if (ciphersuite_list[i] == cipher_suite) { 280032b31808SJens Wiklander return 1; 280132b31808SJens Wiklander } 280232b31808SJens Wiklander } 280332b31808SJens Wiklander return 0; 280432b31808SJens Wiklander } 280532b31808SJens Wiklander 280632b31808SJens Wiklander /** 280732b31808SJens Wiklander * \brief Validate cipher suite against config in SSL context. 280832b31808SJens Wiklander * 280932b31808SJens Wiklander * \param ssl SSL context 281032b31808SJens Wiklander * \param suite_info Cipher suite to validate 281132b31808SJens Wiklander * \param min_tls_version Minimal TLS version to accept a cipher suite 281232b31808SJens Wiklander * \param max_tls_version Maximal TLS version to accept a cipher suite 281332b31808SJens Wiklander * 281432b31808SJens Wiklander * \return 0 if valid, negative value otherwise. 281532b31808SJens Wiklander */ 281632b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 281732b31808SJens Wiklander int mbedtls_ssl_validate_ciphersuite( 281832b31808SJens Wiklander const mbedtls_ssl_context *ssl, 281932b31808SJens Wiklander const mbedtls_ssl_ciphersuite_t *suite_info, 282032b31808SJens Wiklander mbedtls_ssl_protocol_version min_tls_version, 282132b31808SJens Wiklander mbedtls_ssl_protocol_version max_tls_version); 282232b31808SJens Wiklander 282332b31808SJens Wiklander #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 282432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 282532b31808SJens Wiklander int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl, 282632b31808SJens Wiklander const unsigned char *buf, 282732b31808SJens Wiklander const unsigned char *end); 282832b31808SJens Wiklander #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 282932b31808SJens Wiklander 283032b31808SJens Wiklander #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 283132b31808SJens Wiklander #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2) 2832b0563631STom Van Eyck #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) /* As defined in RFC 8449 */ 283332b31808SJens Wiklander 283432b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 283532b31808SJens Wiklander int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl, 283632b31808SJens Wiklander const unsigned char *buf, 283732b31808SJens Wiklander const unsigned char *end); 2838b0563631STom Van Eyck 2839b0563631STom Van Eyck MBEDTLS_CHECK_RETURN_CRITICAL 2840b0563631STom Van Eyck int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl, 2841b0563631STom Van Eyck unsigned char *buf, 2842b0563631STom Van Eyck const unsigned char *end, 2843b0563631STom Van Eyck size_t *out_len); 284432b31808SJens Wiklander #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 284532b31808SJens Wiklander 284632b31808SJens Wiklander #if defined(MBEDTLS_SSL_ALPN) 284732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 284832b31808SJens Wiklander int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, 284932b31808SJens Wiklander const unsigned char *buf, 285032b31808SJens Wiklander const unsigned char *end); 285132b31808SJens Wiklander 285232b31808SJens Wiklander 285332b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 285432b31808SJens Wiklander int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl, 285532b31808SJens Wiklander unsigned char *buf, 285632b31808SJens Wiklander unsigned char *end, 285732b31808SJens Wiklander size_t *out_len); 285832b31808SJens Wiklander #endif /* MBEDTLS_SSL_ALPN */ 285932b31808SJens Wiklander 286032b31808SJens Wiklander #if defined(MBEDTLS_TEST_HOOKS) 286132b31808SJens Wiklander int mbedtls_ssl_check_dtls_clihlo_cookie( 286232b31808SJens Wiklander mbedtls_ssl_context *ssl, 286332b31808SJens Wiklander const unsigned char *cli_id, size_t cli_id_len, 286432b31808SJens Wiklander const unsigned char *in, size_t in_len, 286532b31808SJens Wiklander unsigned char *obuf, size_t buf_len, size_t *olen); 286632b31808SJens Wiklander #endif 286732b31808SJens Wiklander 286832b31808SJens Wiklander #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 286932b31808SJens Wiklander /** 287032b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS 287132b31808SJens Wiklander * 1.3 specific Pre-Shared key extension. 287232b31808SJens Wiklander * 287332b31808SJens Wiklander * \param[in] ssl SSL context 287432b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the extension 287532b31808SJens Wiklander * \param[in] end End address of the buffer where to write the extension 287632b31808SJens Wiklander * \param[out] out_len Length in bytes of the Pre-Shared key extension: data 287732b31808SJens Wiklander * written into the buffer \p buf by this function plus 287832b31808SJens Wiklander * the length of the binders to be written. 287932b31808SJens Wiklander * \param[out] binders_len Length of the binders to be written at the end of 288032b31808SJens Wiklander * the extension. 288132b31808SJens Wiklander */ 288232b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 288332b31808SJens Wiklander int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( 288432b31808SJens Wiklander mbedtls_ssl_context *ssl, 288532b31808SJens Wiklander unsigned char *buf, unsigned char *end, 288632b31808SJens Wiklander size_t *out_len, size_t *binders_len); 288732b31808SJens Wiklander 288832b31808SJens Wiklander /** 288932b31808SJens Wiklander * \brief Given an SSL context and its associated configuration, write the TLS 289032b31808SJens Wiklander * 1.3 specific Pre-Shared key extension binders at the end of the 289132b31808SJens Wiklander * ClientHello. 289232b31808SJens Wiklander * 289332b31808SJens Wiklander * \param[in] ssl SSL context 289432b31808SJens Wiklander * \param[in] buf Base address of the buffer where to write the binders 289532b31808SJens Wiklander * \param[in] end End address of the buffer where to write the binders 289632b31808SJens Wiklander */ 289732b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 289832b31808SJens Wiklander int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( 289932b31808SJens Wiklander mbedtls_ssl_context *ssl, 290032b31808SJens Wiklander unsigned char *buf, unsigned char *end); 290132b31808SJens Wiklander #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 290232b31808SJens Wiklander 2903*c3deb3d6SEtienne Carriere #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2904*c3deb3d6SEtienne Carriere /** Get the host name from the SSL context. 2905*c3deb3d6SEtienne Carriere * 2906*c3deb3d6SEtienne Carriere * \param[in] ssl SSL context 2907*c3deb3d6SEtienne Carriere * 2908*c3deb3d6SEtienne Carriere * \return The \p hostname pointer from the SSL context. 2909*c3deb3d6SEtienne Carriere * \c NULL if mbedtls_ssl_set_hostname() has never been called on 2910*c3deb3d6SEtienne Carriere * \p ssl or if it was last called with \p NULL. 2911*c3deb3d6SEtienne Carriere */ 2912*c3deb3d6SEtienne Carriere const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl); 2913*c3deb3d6SEtienne Carriere #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 2914*c3deb3d6SEtienne Carriere 291532b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 291632b31808SJens Wiklander defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 291732b31808SJens Wiklander defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ 291832b31808SJens Wiklander defined(MBEDTLS_SSL_CLI_C) 291932b31808SJens Wiklander MBEDTLS_CHECK_RETURN_CRITICAL 292032b31808SJens Wiklander int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, 292132b31808SJens Wiklander const char *hostname); 292232b31808SJens Wiklander #endif 292332b31808SJens Wiklander 2924b0563631STom Van Eyck #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \ 2925b0563631STom Van Eyck defined(MBEDTLS_SSL_ALPN) 2926b0563631STom Van Eyck MBEDTLS_CHECK_RETURN_CRITICAL 2927b0563631STom Van Eyck int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session, 2928b0563631STom Van Eyck const char *alpn); 2929b0563631STom Van Eyck #endif 2930b0563631STom Van Eyck 293132b31808SJens Wiklander #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 2932b0563631STom Van Eyck 2933b0563631STom Van Eyck #define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800) 2934b0563631STom Van Eyck 2935b0563631STom Van Eyck static inline unsigned int mbedtls_ssl_tls13_session_get_ticket_flags( 293632b31808SJens Wiklander mbedtls_ssl_session *session, unsigned int flags) 293732b31808SJens Wiklander { 293832b31808SJens Wiklander return session->ticket_flags & 293932b31808SJens Wiklander (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 294032b31808SJens Wiklander } 294132b31808SJens Wiklander 2942b0563631STom Van Eyck /** 2943b0563631STom Van Eyck * Check if at least one of the given flags is set in 2944b0563631STom Van Eyck * the session ticket. See the definition of 2945b0563631STom Van Eyck * `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` to get all 2946b0563631STom Van Eyck * permitted flags. 2947b0563631STom Van Eyck */ 2948b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_session_ticket_has_flags( 2949b0563631STom Van Eyck mbedtls_ssl_session *session, unsigned int flags) 2950b0563631STom Van Eyck { 2951b0563631STom Van Eyck return mbedtls_ssl_tls13_session_get_ticket_flags(session, flags) != 0; 2952b0563631STom Van Eyck } 2953b0563631STom Van Eyck 2954b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_session_ticket_allow_psk( 2955b0563631STom Van Eyck mbedtls_ssl_session *session) 2956b0563631STom Van Eyck { 2957b0563631STom Van Eyck return mbedtls_ssl_tls13_session_ticket_has_flags( 2958b0563631STom Van Eyck session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION); 2959b0563631STom Van Eyck } 2960b0563631STom Van Eyck 2961b0563631STom Van Eyck static inline int mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral( 2962b0563631STom Van Eyck mbedtls_ssl_session *session) 2963b0563631STom Van Eyck { 2964b0563631STom Van Eyck return mbedtls_ssl_tls13_session_ticket_has_flags( 2965b0563631STom Van Eyck session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION); 2966b0563631STom Van Eyck } 2967b0563631STom Van Eyck 2968b0563631STom Van Eyck static inline unsigned int mbedtls_ssl_tls13_session_ticket_allow_early_data( 2969b0563631STom Van Eyck mbedtls_ssl_session *session) 2970b0563631STom Van Eyck { 2971b0563631STom Van Eyck return mbedtls_ssl_tls13_session_ticket_has_flags( 2972b0563631STom Van Eyck session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA); 2973b0563631STom Van Eyck } 2974b0563631STom Van Eyck 2975b0563631STom Van Eyck static inline void mbedtls_ssl_tls13_session_set_ticket_flags( 297632b31808SJens Wiklander mbedtls_ssl_session *session, unsigned int flags) 297732b31808SJens Wiklander { 297832b31808SJens Wiklander session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 297932b31808SJens Wiklander } 298032b31808SJens Wiklander 2981b0563631STom Van Eyck static inline void mbedtls_ssl_tls13_session_clear_ticket_flags( 298232b31808SJens Wiklander mbedtls_ssl_session *session, unsigned int flags) 298332b31808SJens Wiklander { 298432b31808SJens Wiklander session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 298532b31808SJens Wiklander } 2986cb034002SJerome Forissier 298732b31808SJens Wiklander #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 298832b31808SJens Wiklander 2989cb034002SJerome Forissier #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 2990cb034002SJerome Forissier #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0 2991cb034002SJerome Forissier #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1 2992cb034002SJerome Forissier 2993cb034002SJerome Forissier #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \ 2994cb034002SJerome Forissier (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT) 2995cb034002SJerome Forissier #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \ 2996cb034002SJerome Forissier (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT) 2997cb034002SJerome Forissier 2998*c3deb3d6SEtienne Carriere #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2999cb034002SJerome Forissier static inline int mbedtls_ssl_conf_get_session_tickets( 3000cb034002SJerome Forissier const mbedtls_ssl_config *conf) 3001cb034002SJerome Forissier { 3002cb034002SJerome Forissier return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ? 3003cb034002SJerome Forissier MBEDTLS_SSL_SESSION_TICKETS_ENABLED : 3004cb034002SJerome Forissier MBEDTLS_SSL_SESSION_TICKETS_DISABLED; 3005cb034002SJerome Forissier } 3006*c3deb3d6SEtienne Carriere #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3007cb034002SJerome Forissier 3008cb034002SJerome Forissier #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3009cb034002SJerome Forissier static inline int mbedtls_ssl_conf_is_signal_new_session_tickets_enabled( 3010cb034002SJerome Forissier const mbedtls_ssl_config *conf) 3011cb034002SJerome Forissier { 3012cb034002SJerome Forissier return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ? 3013cb034002SJerome Forissier MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED : 3014cb034002SJerome Forissier MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED; 3015cb034002SJerome Forissier } 3016cb034002SJerome Forissier #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 3017cb034002SJerome Forissier #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 3018cb034002SJerome Forissier 301932b31808SJens Wiklander #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 302032b31808SJens Wiklander int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl); 302132b31808SJens Wiklander #endif 302232b31808SJens Wiklander 3023b0563631STom Van Eyck #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 3024b0563631STom Van Eyck 3025b0563631STom Van Eyck /** Compute the HMAC of variable-length data with constant flow. 3026b0563631STom Van Eyck * 3027b0563631STom Van Eyck * This function computes the HMAC of the concatenation of \p add_data and \p 3028b0563631STom Van Eyck * data, and does with a code flow and memory access pattern that does not 3029b0563631STom Van Eyck * depend on \p data_len_secret, but only on \p min_data_len and \p 3030b0563631STom Van Eyck * max_data_len. In particular, this function always reads exactly \p 3031b0563631STom Van Eyck * max_data_len bytes from \p data. 3032b0563631STom Van Eyck * 3033b0563631STom Van Eyck * \param ctx The HMAC context. It must have keys configured 3034b0563631STom Van Eyck * with mbedtls_md_hmac_starts() and use one of the 3035b0563631STom Van Eyck * following hashes: SHA-384, SHA-256, SHA-1 or MD-5. 3036b0563631STom Van Eyck * It is reset using mbedtls_md_hmac_reset() after 3037b0563631STom Van Eyck * the computation is complete to prepare for the 3038b0563631STom Van Eyck * next computation. 3039b0563631STom Van Eyck * \param add_data The first part of the message whose HMAC is being 3040b0563631STom Van Eyck * calculated. This must point to a readable buffer 3041b0563631STom Van Eyck * of \p add_data_len bytes. 3042b0563631STom Van Eyck * \param add_data_len The length of \p add_data in bytes. 3043b0563631STom Van Eyck * \param data The buffer containing the second part of the 3044b0563631STom Van Eyck * message. This must point to a readable buffer 3045b0563631STom Van Eyck * of \p max_data_len bytes. 3046b0563631STom Van Eyck * \param data_len_secret The length of the data to process in \p data. 3047b0563631STom Van Eyck * This must be no less than \p min_data_len and no 3048b0563631STom Van Eyck * greater than \p max_data_len. 3049b0563631STom Van Eyck * \param min_data_len The minimal length of the second part of the 3050b0563631STom Van Eyck * message, read from \p data. 3051b0563631STom Van Eyck * \param max_data_len The maximal length of the second part of the 3052b0563631STom Van Eyck * message, read from \p data. 3053b0563631STom Van Eyck * \param output The HMAC will be written here. This must point to 3054b0563631STom Van Eyck * a writable buffer of sufficient size to hold the 3055b0563631STom Van Eyck * HMAC value. 3056b0563631STom Van Eyck * 3057b0563631STom Van Eyck * \retval 0 on success. 3058b0563631STom Van Eyck * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED 3059b0563631STom Van Eyck * The hardware accelerator failed. 3060b0563631STom Van Eyck */ 3061b0563631STom Van Eyck #if defined(MBEDTLS_USE_PSA_CRYPTO) 3062b0563631STom Van Eyck int mbedtls_ct_hmac(mbedtls_svc_key_id_t key, 3063b0563631STom Van Eyck psa_algorithm_t mac_alg, 3064b0563631STom Van Eyck const unsigned char *add_data, 3065b0563631STom Van Eyck size_t add_data_len, 3066b0563631STom Van Eyck const unsigned char *data, 3067b0563631STom Van Eyck size_t data_len_secret, 3068b0563631STom Van Eyck size_t min_data_len, 3069b0563631STom Van Eyck size_t max_data_len, 3070b0563631STom Van Eyck unsigned char *output); 3071b0563631STom Van Eyck #else 3072b0563631STom Van Eyck int mbedtls_ct_hmac(mbedtls_md_context_t *ctx, 3073b0563631STom Van Eyck const unsigned char *add_data, 3074b0563631STom Van Eyck size_t add_data_len, 3075b0563631STom Van Eyck const unsigned char *data, 3076b0563631STom Van Eyck size_t data_len_secret, 3077b0563631STom Van Eyck size_t min_data_len, 3078b0563631STom Van Eyck size_t max_data_len, 3079b0563631STom Van Eyck unsigned char *output); 3080b0563631STom Van Eyck #endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */ 3081b0563631STom Van Eyck #endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */ 3082b0563631STom Van Eyck 308332b31808SJens Wiklander #endif /* ssl_misc.h */ 3084