1 /** 2 * \file ssl_misc.h 3 * 4 * \brief Internal functions shared by the SSL modules 5 */ 6 /* 7 * Copyright The Mbed TLS Contributors 8 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later 9 */ 10 #ifndef MBEDTLS_SSL_MISC_H 11 #define MBEDTLS_SSL_MISC_H 12 13 #include "mbedtls/build_info.h" 14 #include "common.h" 15 16 #include "mbedtls/error.h" 17 18 #include "mbedtls/ssl.h" 19 #include "mbedtls/debug.h" 20 #include "debug_internal.h" 21 22 #include "mbedtls/cipher.h" 23 24 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 25 #include "psa/crypto.h" 26 #include "psa_util_internal.h" 27 #endif 28 29 #if defined(MBEDTLS_MD_CAN_MD5) 30 #include "mbedtls/md5.h" 31 #endif 32 33 #if defined(MBEDTLS_MD_CAN_SHA1) 34 #include "mbedtls/sha1.h" 35 #endif 36 37 #if defined(MBEDTLS_MD_CAN_SHA256) 38 #include "mbedtls/sha256.h" 39 #endif 40 41 #if defined(MBEDTLS_MD_CAN_SHA512) 42 #include "mbedtls/sha512.h" 43 #endif 44 45 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 46 !defined(MBEDTLS_USE_PSA_CRYPTO) 47 #include "mbedtls/ecjpake.h" 48 #endif 49 50 #include "mbedtls/pk.h" 51 #include "ssl_ciphersuites_internal.h" 52 #include "x509_internal.h" 53 #include "pk_internal.h" 54 55 56 /* Shorthand for restartable ECC */ 57 #if defined(MBEDTLS_ECP_RESTARTABLE) && \ 58 defined(MBEDTLS_SSL_CLI_C) && \ 59 defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 60 defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) 61 #define MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED 62 #endif 63 64 #define MBEDTLS_SSL_INITIAL_HANDSHAKE 0 65 #define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */ 66 #define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */ 67 #define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */ 68 69 /* Faked handshake message identity for HelloRetryRequest. */ 70 #define MBEDTLS_SSL_TLS1_3_HS_HELLO_RETRY_REQUEST (-MBEDTLS_SSL_HS_SERVER_HELLO) 71 72 /* 73 * Internal identity of handshake extensions 74 */ 75 #define MBEDTLS_SSL_EXT_ID_UNRECOGNIZED 0 76 #define MBEDTLS_SSL_EXT_ID_SERVERNAME 1 77 #define MBEDTLS_SSL_EXT_ID_SERVERNAME_HOSTNAME 1 78 #define MBEDTLS_SSL_EXT_ID_MAX_FRAGMENT_LENGTH 2 79 #define MBEDTLS_SSL_EXT_ID_STATUS_REQUEST 3 80 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_GROUPS 4 81 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_ELLIPTIC_CURVES 4 82 #define MBEDTLS_SSL_EXT_ID_SIG_ALG 5 83 #define MBEDTLS_SSL_EXT_ID_USE_SRTP 6 84 #define MBEDTLS_SSL_EXT_ID_HEARTBEAT 7 85 #define MBEDTLS_SSL_EXT_ID_ALPN 8 86 #define MBEDTLS_SSL_EXT_ID_SCT 9 87 #define MBEDTLS_SSL_EXT_ID_CLI_CERT_TYPE 10 88 #define MBEDTLS_SSL_EXT_ID_SERV_CERT_TYPE 11 89 #define MBEDTLS_SSL_EXT_ID_PADDING 12 90 #define MBEDTLS_SSL_EXT_ID_PRE_SHARED_KEY 13 91 #define MBEDTLS_SSL_EXT_ID_EARLY_DATA 14 92 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_VERSIONS 15 93 #define MBEDTLS_SSL_EXT_ID_COOKIE 16 94 #define MBEDTLS_SSL_EXT_ID_PSK_KEY_EXCHANGE_MODES 17 95 #define MBEDTLS_SSL_EXT_ID_CERT_AUTH 18 96 #define MBEDTLS_SSL_EXT_ID_OID_FILTERS 19 97 #define MBEDTLS_SSL_EXT_ID_POST_HANDSHAKE_AUTH 20 98 #define MBEDTLS_SSL_EXT_ID_SIG_ALG_CERT 21 99 #define MBEDTLS_SSL_EXT_ID_KEY_SHARE 22 100 #define MBEDTLS_SSL_EXT_ID_TRUNCATED_HMAC 23 101 #define MBEDTLS_SSL_EXT_ID_SUPPORTED_POINT_FORMATS 24 102 #define MBEDTLS_SSL_EXT_ID_ENCRYPT_THEN_MAC 25 103 #define MBEDTLS_SSL_EXT_ID_EXTENDED_MASTER_SECRET 26 104 #define MBEDTLS_SSL_EXT_ID_SESSION_TICKET 27 105 #define MBEDTLS_SSL_EXT_ID_RECORD_SIZE_LIMIT 28 106 107 /* Utility for translating IANA extension type. */ 108 uint32_t mbedtls_ssl_get_extension_id(unsigned int extension_type); 109 uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type); 110 /* Macros used to define mask constants */ 111 #define MBEDTLS_SSL_EXT_MASK(id) (1ULL << (MBEDTLS_SSL_EXT_ID_##id)) 112 /* Reset value of extension mask */ 113 #define MBEDTLS_SSL_EXT_MASK_NONE 0 114 115 /* In messages containing extension requests, we should ignore unrecognized 116 * extensions. In messages containing extension responses, unrecognized 117 * extensions should result in handshake abortion. Messages containing 118 * extension requests include ClientHello, CertificateRequest and 119 * NewSessionTicket. Messages containing extension responses include 120 * ServerHello, HelloRetryRequest, EncryptedExtensions and Certificate. 121 * 122 * RFC 8446 section 4.1.3 123 * 124 * The ServerHello MUST only include extensions which are required to establish 125 * the cryptographic context and negotiate the protocol version. 126 * 127 * RFC 8446 section 4.2 128 * 129 * If an implementation receives an extension which it recognizes and which is 130 * not specified for the message in which it appears, it MUST abort the handshake 131 * with an "illegal_parameter" alert. 132 */ 133 134 /* Extensions that are not recognized by TLS 1.3 */ 135 #define MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED \ 136 (MBEDTLS_SSL_EXT_MASK(SUPPORTED_POINT_FORMATS) | \ 137 MBEDTLS_SSL_EXT_MASK(ENCRYPT_THEN_MAC) | \ 138 MBEDTLS_SSL_EXT_MASK(EXTENDED_MASTER_SECRET) | \ 139 MBEDTLS_SSL_EXT_MASK(SESSION_TICKET) | \ 140 MBEDTLS_SSL_EXT_MASK(TRUNCATED_HMAC) | \ 141 MBEDTLS_SSL_EXT_MASK(UNRECOGNIZED)) 142 143 /* RFC 8446 section 4.2. Allowed extensions for ClientHello */ 144 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CH \ 145 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \ 146 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \ 147 MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 148 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \ 149 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \ 150 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \ 151 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \ 152 MBEDTLS_SSL_EXT_MASK(ALPN) | \ 153 MBEDTLS_SSL_EXT_MASK(SCT) | \ 154 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \ 155 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \ 156 MBEDTLS_SSL_EXT_MASK(PADDING) | \ 157 MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 158 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \ 159 MBEDTLS_SSL_EXT_MASK(PSK_KEY_EXCHANGE_MODES) | \ 160 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 161 MBEDTLS_SSL_EXT_MASK(COOKIE) | \ 162 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS) | \ 163 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \ 164 MBEDTLS_SSL_EXT_MASK(POST_HANDSHAKE_AUTH) | \ 165 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \ 166 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT) | \ 167 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 168 169 /* RFC 8446 section 4.2. Allowed extensions for EncryptedExtensions */ 170 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_EE \ 171 (MBEDTLS_SSL_EXT_MASK(SERVERNAME) | \ 172 MBEDTLS_SSL_EXT_MASK(MAX_FRAGMENT_LENGTH) | \ 173 MBEDTLS_SSL_EXT_MASK(SUPPORTED_GROUPS) | \ 174 MBEDTLS_SSL_EXT_MASK(USE_SRTP) | \ 175 MBEDTLS_SSL_EXT_MASK(HEARTBEAT) | \ 176 MBEDTLS_SSL_EXT_MASK(ALPN) | \ 177 MBEDTLS_SSL_EXT_MASK(CLI_CERT_TYPE) | \ 178 MBEDTLS_SSL_EXT_MASK(SERV_CERT_TYPE) | \ 179 MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 180 MBEDTLS_SSL_EXT_MASK(RECORD_SIZE_LIMIT)) 181 182 /* RFC 8446 section 4.2. Allowed extensions for CertificateRequest */ 183 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR \ 184 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 185 MBEDTLS_SSL_EXT_MASK(SIG_ALG) | \ 186 MBEDTLS_SSL_EXT_MASK(SCT) | \ 187 MBEDTLS_SSL_EXT_MASK(CERT_AUTH) | \ 188 MBEDTLS_SSL_EXT_MASK(OID_FILTERS) | \ 189 MBEDTLS_SSL_EXT_MASK(SIG_ALG_CERT) | \ 190 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 191 192 /* RFC 8446 section 4.2. Allowed extensions for Certificate */ 193 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT \ 194 (MBEDTLS_SSL_EXT_MASK(STATUS_REQUEST) | \ 195 MBEDTLS_SSL_EXT_MASK(SCT)) 196 197 /* RFC 8446 section 4.2. Allowed extensions for ServerHello */ 198 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_SH \ 199 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 200 MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | \ 201 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS)) 202 203 /* RFC 8446 section 4.2. Allowed extensions for HelloRetryRequest */ 204 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_HRR \ 205 (MBEDTLS_SSL_EXT_MASK(KEY_SHARE) | \ 206 MBEDTLS_SSL_EXT_MASK(COOKIE) | \ 207 MBEDTLS_SSL_EXT_MASK(SUPPORTED_VERSIONS)) 208 209 /* RFC 8446 section 4.2. Allowed extensions for NewSessionTicket */ 210 #define MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_NST \ 211 (MBEDTLS_SSL_EXT_MASK(EARLY_DATA) | \ 212 MBEDTLS_SSL_TLS1_3_EXT_MASK_UNRECOGNIZED) 213 214 /* 215 * Helper macros for function call with return check. 216 */ 217 /* 218 * Exit when return non-zero value 219 */ 220 #define MBEDTLS_SSL_PROC_CHK(f) \ 221 do { \ 222 ret = (f); \ 223 if (ret != 0) \ 224 { \ 225 goto cleanup; \ 226 } \ 227 } while (0) 228 /* 229 * Exit when return negative value 230 */ 231 #define MBEDTLS_SSL_PROC_CHK_NEG(f) \ 232 do { \ 233 ret = (f); \ 234 if (ret < 0) \ 235 { \ 236 goto cleanup; \ 237 } \ 238 } while (0) 239 240 /* 241 * DTLS retransmission states, see RFC 6347 4.2.4 242 * 243 * The SENDING state is merged in PREPARING for initial sends, 244 * but is distinct for resends. 245 * 246 * Note: initial state is wrong for server, but is not used anyway. 247 */ 248 #define MBEDTLS_SSL_RETRANS_PREPARING 0 249 #define MBEDTLS_SSL_RETRANS_SENDING 1 250 #define MBEDTLS_SSL_RETRANS_WAITING 2 251 #define MBEDTLS_SSL_RETRANS_FINISHED 3 252 253 /* 254 * Allow extra bytes for record, authentication and encryption overhead: 255 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256). 256 */ 257 258 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 259 260 /* This macro determines whether CBC is supported. */ 261 #if defined(MBEDTLS_SSL_HAVE_CBC) && \ 262 (defined(MBEDTLS_SSL_HAVE_AES) || \ 263 defined(MBEDTLS_SSL_HAVE_CAMELLIA) || \ 264 defined(MBEDTLS_SSL_HAVE_ARIA)) 265 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC 266 #endif 267 268 /* This macro determines whether a ciphersuite using a 269 * stream cipher can be used. */ 270 #if defined(MBEDTLS_CIPHER_NULL_CIPHER) 271 #define MBEDTLS_SSL_SOME_SUITES_USE_STREAM 272 #endif 273 274 /* This macro determines whether the CBC construct used in TLS 1.2 is supported. */ 275 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ 276 defined(MBEDTLS_SSL_PROTO_TLS1_2) 277 #define MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC 278 #endif 279 280 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_STREAM) || \ 281 defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) 282 #define MBEDTLS_SSL_SOME_SUITES_USE_MAC 283 #endif 284 285 /* This macro determines whether a ciphersuite uses Encrypt-then-MAC with CBC */ 286 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) && \ 287 defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 288 #define MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM 289 #endif 290 291 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 292 293 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 294 /* Ciphersuites using HMAC */ 295 #if defined(MBEDTLS_MD_CAN_SHA384) 296 #define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */ 297 #elif defined(MBEDTLS_MD_CAN_SHA256) 298 #define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */ 299 #else 300 #define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */ 301 #endif 302 #else /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 303 /* AEAD ciphersuites: GCM and CCM use a 128 bits tag */ 304 #define MBEDTLS_SSL_MAC_ADD 16 305 #endif 306 307 #if defined(MBEDTLS_SSL_HAVE_CBC) 308 #define MBEDTLS_SSL_PADDING_ADD 256 309 #else 310 #define MBEDTLS_SSL_PADDING_ADD 0 311 #endif 312 313 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 314 #define MBEDTLS_SSL_MAX_CID_EXPANSION MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 315 #else 316 #define MBEDTLS_SSL_MAX_CID_EXPANSION 0 317 #endif 318 319 #define MBEDTLS_SSL_PAYLOAD_OVERHEAD (MBEDTLS_MAX_IV_LENGTH + \ 320 MBEDTLS_SSL_MAC_ADD + \ 321 MBEDTLS_SSL_PADDING_ADD + \ 322 MBEDTLS_SSL_MAX_CID_EXPANSION \ 323 ) 324 325 #define MBEDTLS_SSL_IN_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 326 (MBEDTLS_SSL_IN_CONTENT_LEN)) 327 328 #define MBEDTLS_SSL_OUT_PAYLOAD_LEN (MBEDTLS_SSL_PAYLOAD_OVERHEAD + \ 329 (MBEDTLS_SSL_OUT_CONTENT_LEN)) 330 331 /* The maximum number of buffered handshake messages. */ 332 #define MBEDTLS_SSL_MAX_BUFFERED_HS 4 333 334 /* Maximum length we can advertise as our max content length for 335 RFC 6066 max_fragment_length extension negotiation purposes 336 (the lesser of both sizes, if they are unequal.) 337 */ 338 #define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \ 339 (MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \ 340 ? (MBEDTLS_SSL_OUT_CONTENT_LEN) \ 341 : (MBEDTLS_SSL_IN_CONTENT_LEN) \ 342 ) 343 344 /* Maximum size in bytes of list in signature algorithms ext., RFC 5246/8446 */ 345 #define MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN 65534 346 347 /* Minimum size in bytes of list in signature algorithms ext., RFC 5246/8446 */ 348 #define MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN 2 349 350 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */ 351 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535 352 353 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20 354 355 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 356 357 #define MBEDTLS_TLS_SIG_NONE MBEDTLS_TLS1_3_SIG_NONE 358 359 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 360 #define MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(sig, hash) ((hash << 8) | sig) 361 #define MBEDTLS_SSL_TLS12_SIG_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg & 0xFF) 362 #define MBEDTLS_SSL_TLS12_HASH_ALG_FROM_SIG_AND_HASH_ALG(alg) (alg >> 8) 363 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 364 365 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 366 367 /* 368 * Check that we obey the standard's message size bounds 369 */ 370 371 #if MBEDTLS_SSL_IN_CONTENT_LEN > 16384 372 #error "Bad configuration - incoming record content too large." 373 #endif 374 375 #if MBEDTLS_SSL_OUT_CONTENT_LEN > 16384 376 #error "Bad configuration - outgoing record content too large." 377 #endif 378 379 #if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_IN_CONTENT_LEN + 2048 380 #error "Bad configuration - incoming protected record payload too large." 381 #endif 382 383 #if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN + 2048 384 #error "Bad configuration - outgoing protected record payload too large." 385 #endif 386 387 /* Calculate buffer sizes */ 388 389 /* Note: Even though the TLS record header is only 5 bytes 390 long, we're internally using 8 bytes to store the 391 implicit sequence number. */ 392 #define MBEDTLS_SSL_HEADER_LEN 13 393 394 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 395 #define MBEDTLS_SSL_IN_BUFFER_LEN \ 396 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN)) 397 #else 398 #define MBEDTLS_SSL_IN_BUFFER_LEN \ 399 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_IN_PAYLOAD_LEN) \ 400 + (MBEDTLS_SSL_CID_IN_LEN_MAX)) 401 #endif 402 403 #if !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 404 #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 405 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN)) 406 #else 407 #define MBEDTLS_SSL_OUT_BUFFER_LEN \ 408 ((MBEDTLS_SSL_HEADER_LEN) + (MBEDTLS_SSL_OUT_PAYLOAD_LEN) \ 409 + (MBEDTLS_SSL_CID_OUT_LEN_MAX)) 410 #endif 411 412 #define MBEDTLS_CLIENT_HELLO_RANDOM_LEN 32 413 #define MBEDTLS_SERVER_HELLO_RANDOM_LEN 32 414 415 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH) 416 /** 417 * \brief Return the maximum fragment length (payload, in bytes) for 418 * the output buffer. For the client, this is the configured 419 * value. For the server, it is the minimum of two - the 420 * configured value and the negotiated one. 421 * 422 * \sa mbedtls_ssl_conf_max_frag_len() 423 * \sa mbedtls_ssl_get_max_out_record_payload() 424 * 425 * \param ssl SSL context 426 * 427 * \return Current maximum fragment length for the output buffer. 428 */ 429 size_t mbedtls_ssl_get_output_max_frag_len(const mbedtls_ssl_context *ssl); 430 431 /** 432 * \brief Return the maximum fragment length (payload, in bytes) for 433 * the input buffer. This is the negotiated maximum fragment 434 * length, or, if there is none, MBEDTLS_SSL_IN_CONTENT_LEN. 435 * If it is not defined either, the value is 2^14. This function 436 * works as its predecessor, \c mbedtls_ssl_get_max_frag_len(). 437 * 438 * \sa mbedtls_ssl_conf_max_frag_len() 439 * \sa mbedtls_ssl_get_max_in_record_payload() 440 * 441 * \param ssl SSL context 442 * 443 * \return Current maximum fragment length for the output buffer. 444 */ 445 size_t mbedtls_ssl_get_input_max_frag_len(const mbedtls_ssl_context *ssl); 446 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ 447 448 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 449 /** 450 * \brief Get the size limit in bytes for the protected outgoing records 451 * as defined in RFC 8449 452 * 453 * \param ssl SSL context 454 * 455 * \return The size limit in bytes for the protected outgoing 456 * records as defined in RFC 8449. 457 */ 458 size_t mbedtls_ssl_get_output_record_size_limit(const mbedtls_ssl_context *ssl); 459 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 460 461 #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) 462 static inline size_t mbedtls_ssl_get_output_buflen(const mbedtls_ssl_context *ctx) 463 { 464 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 465 return mbedtls_ssl_get_output_max_frag_len(ctx) 466 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD 467 + MBEDTLS_SSL_CID_OUT_LEN_MAX; 468 #else 469 return mbedtls_ssl_get_output_max_frag_len(ctx) 470 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; 471 #endif 472 } 473 474 static inline size_t mbedtls_ssl_get_input_buflen(const mbedtls_ssl_context *ctx) 475 { 476 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 477 return mbedtls_ssl_get_input_max_frag_len(ctx) 478 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD 479 + MBEDTLS_SSL_CID_IN_LEN_MAX; 480 #else 481 return mbedtls_ssl_get_input_max_frag_len(ctx) 482 + MBEDTLS_SSL_HEADER_LEN + MBEDTLS_SSL_PAYLOAD_OVERHEAD; 483 #endif 484 } 485 #endif 486 487 /* 488 * TLS extension flags (for extensions with outgoing ServerHello content 489 * that need it (e.g. for RENEGOTIATION_INFO the server already knows because 490 * of state of the renegotiation flag, so no indicator is required) 491 */ 492 #define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0) 493 #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1) 494 495 /** 496 * \brief This function checks if the remaining size in a buffer is 497 * greater or equal than a needed space. 498 * 499 * \param cur Pointer to the current position in the buffer. 500 * \param end Pointer to one past the end of the buffer. 501 * \param need Needed space in bytes. 502 * 503 * \return Zero if the needed space is available in the buffer, non-zero 504 * otherwise. 505 */ 506 #if !defined(MBEDTLS_TEST_HOOKS) 507 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur, 508 const uint8_t *end, size_t need) 509 { 510 return (cur > end) || (need > (size_t) (end - cur)); 511 } 512 #else 513 typedef struct { 514 const uint8_t *cur; 515 const uint8_t *end; 516 size_t need; 517 } mbedtls_ssl_chk_buf_ptr_args; 518 519 void mbedtls_ssl_set_chk_buf_ptr_fail_args( 520 const uint8_t *cur, const uint8_t *end, size_t need); 521 void mbedtls_ssl_reset_chk_buf_ptr_fail_args(void); 522 523 MBEDTLS_CHECK_RETURN_CRITICAL 524 int mbedtls_ssl_cmp_chk_buf_ptr_fail_args(mbedtls_ssl_chk_buf_ptr_args *args); 525 526 static inline int mbedtls_ssl_chk_buf_ptr(const uint8_t *cur, 527 const uint8_t *end, size_t need) 528 { 529 if ((cur > end) || (need > (size_t) (end - cur))) { 530 mbedtls_ssl_set_chk_buf_ptr_fail_args(cur, end, need); 531 return 1; 532 } 533 return 0; 534 } 535 #endif /* MBEDTLS_TEST_HOOKS */ 536 537 /** 538 * \brief This macro checks if the remaining size in a buffer is 539 * greater or equal than a needed space. If it is not the case, 540 * it returns an SSL_BUFFER_TOO_SMALL error. 541 * 542 * \param cur Pointer to the current position in the buffer. 543 * \param end Pointer to one past the end of the buffer. 544 * \param need Needed space in bytes. 545 * 546 */ 547 #define MBEDTLS_SSL_CHK_BUF_PTR(cur, end, need) \ 548 do { \ 549 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \ 550 { \ 551 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; \ 552 } \ 553 } while (0) 554 555 /** 556 * \brief This macro checks if the remaining length in an input buffer is 557 * greater or equal than a needed length. If it is not the case, it 558 * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a 559 * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message. 560 * 561 * This is a function-like macro. It is guaranteed to evaluate each 562 * argument exactly once. 563 * 564 * \param cur Pointer to the current position in the buffer. 565 * \param end Pointer to one past the end of the buffer. 566 * \param need Needed length in bytes. 567 * 568 */ 569 #define MBEDTLS_SSL_CHK_BUF_READ_PTR(cur, end, need) \ 570 do { \ 571 if (mbedtls_ssl_chk_buf_ptr((cur), (end), (need)) != 0) \ 572 { \ 573 MBEDTLS_SSL_DEBUG_MSG(1, \ 574 ("missing input data in %s", __func__)); \ 575 MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \ 576 MBEDTLS_ERR_SSL_DECODE_ERROR); \ 577 return MBEDTLS_ERR_SSL_DECODE_ERROR; \ 578 } \ 579 } while (0) 580 581 #ifdef __cplusplus 582 extern "C" { 583 #endif 584 585 typedef int mbedtls_ssl_tls_prf_cb(const unsigned char *secret, size_t slen, 586 const char *label, 587 const unsigned char *random, size_t rlen, 588 unsigned char *dstbuf, size_t dlen); 589 590 /* cipher.h exports the maximum IV, key and block length from 591 * all ciphers enabled in the config, regardless of whether those 592 * ciphers are actually usable in SSL/TLS. Notably, XTS is enabled 593 * in the default configuration and uses 64 Byte keys, but it is 594 * not used for record protection in SSL/TLS. 595 * 596 * In order to prevent unnecessary inflation of key structures, 597 * we introduce SSL-specific variants of the max-{key,block,IV} 598 * macros here which are meant to only take those ciphers into 599 * account which can be negotiated in SSL/TLS. 600 * 601 * Since the current definitions of MBEDTLS_MAX_{KEY|BLOCK|IV}_LENGTH 602 * in cipher.h are rough overapproximations of the real maxima, here 603 * we content ourselves with replicating those overapproximations 604 * for the maximum block and IV length, and excluding XTS from the 605 * computation of the maximum key length. */ 606 #define MBEDTLS_SSL_MAX_BLOCK_LENGTH 16 607 #define MBEDTLS_SSL_MAX_IV_LENGTH 16 608 #define MBEDTLS_SSL_MAX_KEY_LENGTH 32 609 610 /** 611 * \brief The data structure holding the cryptographic material (key and IV) 612 * used for record protection in TLS 1.3. 613 */ 614 struct mbedtls_ssl_key_set { 615 /*! The key for client->server records. */ 616 unsigned char client_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; 617 /*! The key for server->client records. */ 618 unsigned char server_write_key[MBEDTLS_SSL_MAX_KEY_LENGTH]; 619 /*! The IV for client->server records. */ 620 unsigned char client_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; 621 /*! The IV for server->client records. */ 622 unsigned char server_write_iv[MBEDTLS_SSL_MAX_IV_LENGTH]; 623 624 size_t key_len; /*!< The length of client_write_key and 625 * server_write_key, in Bytes. */ 626 size_t iv_len; /*!< The length of client_write_iv and 627 * server_write_iv, in Bytes. */ 628 }; 629 typedef struct mbedtls_ssl_key_set mbedtls_ssl_key_set; 630 631 typedef struct { 632 unsigned char binder_key[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 633 unsigned char client_early_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 634 unsigned char early_exporter_master_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 635 } mbedtls_ssl_tls13_early_secrets; 636 637 typedef struct { 638 unsigned char client_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 639 unsigned char server_handshake_traffic_secret[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 640 } mbedtls_ssl_tls13_handshake_secrets; 641 642 /* 643 * This structure contains the parameters only needed during handshake. 644 */ 645 struct mbedtls_ssl_handshake_params { 646 /* Frequently-used boolean or byte fields (placed early to take 647 * advantage of smaller code size for indirect access on Arm Thumb) */ 648 uint8_t resume; /*!< session resume indicator*/ 649 uint8_t cli_exts; /*!< client extension presence*/ 650 651 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 652 uint8_t sni_authmode; /*!< authmode from SNI callback */ 653 #endif 654 655 #if defined(MBEDTLS_SSL_SRV_C) 656 /* Flag indicating if a CertificateRequest message has been sent 657 * to the client or not. */ 658 uint8_t certificate_request_sent; 659 #if defined(MBEDTLS_SSL_EARLY_DATA) 660 /* Flag indicating if the server has accepted early data or not. */ 661 uint8_t early_data_accepted; 662 #endif 663 #endif /* MBEDTLS_SSL_SRV_C */ 664 665 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 666 uint8_t new_session_ticket; /*!< use NewSessionTicket? */ 667 #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 668 669 #if defined(MBEDTLS_SSL_CLI_C) 670 /** Minimum TLS version to be negotiated. 671 * 672 * It is set up in the ClientHello writing preparation stage and used 673 * throughout the ClientHello writing. Not relevant anymore as soon as 674 * the protocol version has been negotiated thus as soon as the 675 * ServerHello is received. 676 * For a fresh handshake not linked to any previous handshake, it is 677 * equal to the configured minimum minor version to be negotiated. When 678 * renegotiating or resuming a session, it is equal to the previously 679 * negotiated minor version. 680 * 681 * There is no maximum TLS version field in this handshake context. 682 * From the start of the handshake, we need to define a current protocol 683 * version for the record layer which we define as the maximum TLS 684 * version to be negotiated. The `tls_version` field of the SSL context is 685 * used to store this maximum value until it contains the actual 686 * negotiated value. 687 */ 688 mbedtls_ssl_protocol_version min_tls_version; 689 #endif 690 691 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) 692 uint8_t extended_ms; /*!< use Extended Master Secret? */ 693 #endif 694 695 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 696 uint8_t async_in_progress; /*!< an asynchronous operation is in progress */ 697 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 698 699 #if defined(MBEDTLS_SSL_PROTO_DTLS) 700 unsigned char retransmit_state; /*!< Retransmission state */ 701 #endif 702 703 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 704 unsigned char group_list_heap_allocated; 705 unsigned char sig_algs_heap_allocated; 706 #endif 707 708 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 709 uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */ 710 enum { /* this complements ssl->state with info on intra-state operations */ 711 ssl_ecrs_none = 0, /*!< nothing going on (yet) */ 712 ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */ 713 ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */ 714 ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */ 715 ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */ 716 } ecrs_state; /*!< current (or last) operation */ 717 mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */ 718 size_t ecrs_n; /*!< place for saving a length */ 719 #endif 720 721 mbedtls_ssl_ciphersuite_t const *ciphersuite_info; 722 723 MBEDTLS_CHECK_RETURN_CRITICAL 724 int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t); 725 MBEDTLS_CHECK_RETURN_CRITICAL 726 int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *); 727 MBEDTLS_CHECK_RETURN_CRITICAL 728 int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int); 729 mbedtls_ssl_tls_prf_cb *tls_prf; 730 731 /* 732 * Handshake specific crypto variables 733 */ 734 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 735 uint8_t key_exchange_mode; /*!< Selected key exchange mode */ 736 737 /** 738 * Flag indicating if, in the course of the current handshake, an 739 * HelloRetryRequest message has been sent by the server or received by 740 * the client (<> 0) or not (0). 741 */ 742 uint8_t hello_retry_request_flag; 743 744 #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) 745 /** 746 * Flag indicating if, in the course of the current handshake, a dummy 747 * change_cipher_spec (CCS) record has already been sent. Used to send only 748 * one CCS per handshake while not complicating the handshake state 749 * transitions for that purpose. 750 */ 751 uint8_t ccs_sent; 752 #endif 753 754 #if defined(MBEDTLS_SSL_SRV_C) 755 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 756 uint8_t tls13_kex_modes; /*!< Key exchange modes supported by the client */ 757 #endif 758 /** selected_group of key_share extension in HelloRetryRequest message. */ 759 uint16_t hrr_selected_group; 760 #if defined(MBEDTLS_SSL_SESSION_TICKETS) 761 uint16_t new_session_tickets_count; /*!< number of session tickets */ 762 #endif 763 #endif /* MBEDTLS_SSL_SRV_C */ 764 765 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 766 767 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 768 uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE]; 769 #endif 770 771 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 772 const uint16_t *group_list; 773 const uint16_t *sig_algs; 774 #endif 775 776 #if defined(MBEDTLS_DHM_C) 777 mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */ 778 #endif 779 780 #if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ 781 defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) 782 mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */ 783 #endif /* !MBEDTLS_USE_PSA_CRYPTO && 784 MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED */ 785 786 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED) 787 psa_key_type_t xxdh_psa_type; 788 size_t xxdh_psa_bits; 789 mbedtls_svc_key_id_t xxdh_psa_privkey; 790 uint8_t xxdh_psa_privkey_is_external; 791 unsigned char xxdh_psa_peerkey[PSA_EXPORT_PUBLIC_KEY_MAX_SIZE]; 792 size_t xxdh_psa_peerkey_len; 793 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_XXDH_PSA_ANY_ENABLED */ 794 795 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 796 #if defined(MBEDTLS_USE_PSA_CRYPTO) 797 psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */ 798 mbedtls_svc_key_id_t psa_pake_password; 799 uint8_t psa_pake_ctx_is_ok; 800 #else 801 mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ 802 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 803 #if defined(MBEDTLS_SSL_CLI_C) 804 unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ 805 size_t ecjpake_cache_len; /*!< Length of cached data */ 806 #endif 807 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ 808 809 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \ 810 defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) || \ 811 defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) 812 uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */ 813 #endif 814 815 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 816 #if defined(MBEDTLS_USE_PSA_CRYPTO) 817 mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ 818 uint8_t psk_opaque_is_internal; 819 #else 820 unsigned char *psk; /*!< PSK from the callback */ 821 size_t psk_len; /*!< Length of PSK from callback */ 822 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 823 uint16_t selected_identity; 824 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 825 826 #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) 827 mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */ 828 #endif 829 830 #if defined(MBEDTLS_X509_CRT_PARSE_C) 831 mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */ 832 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 833 mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */ 834 mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */ 835 mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */ 836 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 837 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 838 839 #if defined(MBEDTLS_X509_CRT_PARSE_C) && \ 840 !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) 841 mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */ 842 #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ 843 844 struct { 845 size_t total_bytes_buffered; /*!< Cumulative size of heap allocated 846 * buffers used for message buffering. */ 847 848 uint8_t seen_ccs; /*!< Indicates if a CCS message has 849 * been seen in the current flight. */ 850 851 struct mbedtls_ssl_hs_buffer { 852 unsigned is_valid : 1; 853 unsigned is_fragmented : 1; 854 unsigned is_complete : 1; 855 unsigned char *data; 856 size_t data_len; 857 } hs[MBEDTLS_SSL_MAX_BUFFERED_HS]; 858 859 struct { 860 unsigned char *data; 861 size_t len; 862 unsigned epoch; 863 } future_record; 864 865 } buffering; 866 867 #if defined(MBEDTLS_SSL_CLI_C) && \ 868 (defined(MBEDTLS_SSL_PROTO_DTLS) || \ 869 defined(MBEDTLS_SSL_PROTO_TLS1_3)) 870 unsigned char *cookie; /*!< HelloVerifyRequest cookie for DTLS 871 * HelloRetryRequest cookie for TLS 1.3 */ 872 #if !defined(MBEDTLS_SSL_PROTO_TLS1_3) 873 /* RFC 6347 page 15 874 ... 875 opaque cookie<0..2^8-1>; 876 ... 877 */ 878 uint8_t cookie_len; 879 #else 880 /* RFC 8446 page 39 881 ... 882 opaque cookie<0..2^16-1>; 883 ... 884 If TLS1_3 is enabled, the max length is 2^16 - 1 885 */ 886 uint16_t cookie_len; /*!< DTLS: HelloVerifyRequest cookie length 887 * TLS1_3: HelloRetryRequest cookie length */ 888 #endif 889 #endif /* MBEDTLS_SSL_CLI_C && 890 ( MBEDTLS_SSL_PROTO_DTLS || 891 MBEDTLS_SSL_PROTO_TLS1_3 ) */ 892 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_PROTO_DTLS) 893 unsigned char cookie_verify_result; /*!< Srv: flag for sending a cookie */ 894 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_SSL_PROTO_DTLS */ 895 896 #if defined(MBEDTLS_SSL_PROTO_DTLS) 897 unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ 898 unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ 899 900 uint32_t retransmit_timeout; /*!< Current value of timeout */ 901 mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */ 902 mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */ 903 unsigned char *cur_msg_p; /*!< Position in current message */ 904 unsigned int in_flight_start_seq; /*!< Minimum message sequence in the 905 flight being received */ 906 mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for 907 resending messages */ 908 unsigned char alt_out_ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /*!< Alternative record epoch/counter 909 for resending messages */ 910 911 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 912 /* The state of CID configuration in this handshake. */ 913 914 uint8_t cid_in_use; /*!< This indicates whether the use of the CID extension 915 * has been negotiated. Possible values are 916 * #MBEDTLS_SSL_CID_ENABLED and 917 * #MBEDTLS_SSL_CID_DISABLED. */ 918 unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; /*! The peer's CID */ 919 uint8_t peer_cid_len; /*!< The length of 920 * \c peer_cid. */ 921 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 922 923 uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */ 924 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 925 926 /* 927 * Checksum contexts 928 */ 929 #if defined(MBEDTLS_MD_CAN_SHA256) 930 #if defined(MBEDTLS_USE_PSA_CRYPTO) 931 psa_hash_operation_t fin_sha256_psa; 932 #else 933 mbedtls_md_context_t fin_sha256; 934 #endif 935 #endif 936 #if defined(MBEDTLS_MD_CAN_SHA384) 937 #if defined(MBEDTLS_USE_PSA_CRYPTO) 938 psa_hash_operation_t fin_sha384_psa; 939 #else 940 mbedtls_md_context_t fin_sha384; 941 #endif 942 #endif 943 944 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 945 uint16_t offered_group_id; /* The NamedGroup value for the group 946 * that is being used for ephemeral 947 * key exchange. 948 * 949 * On the client: Defaults to the first 950 * entry in the client's group list, 951 * but can be overwritten by the HRR. */ 952 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 953 954 #if defined(MBEDTLS_SSL_CLI_C) 955 uint8_t client_auth; /*!< used to check if CertificateRequest has been 956 received from server side. If CertificateRequest 957 has been received, Certificate and CertificateVerify 958 should be sent to server */ 959 #endif /* MBEDTLS_SSL_CLI_C */ 960 /* 961 * State-local variables used during the processing 962 * of a specific handshake state. 963 */ 964 union { 965 /* Outgoing Finished message */ 966 struct { 967 uint8_t preparation_done; 968 969 /* Buffer holding digest of the handshake up to 970 * but excluding the outgoing finished message. */ 971 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 972 size_t digest_len; 973 } finished_out; 974 975 /* Incoming Finished message */ 976 struct { 977 uint8_t preparation_done; 978 979 /* Buffer holding digest of the handshake up to but 980 * excluding the peer's incoming finished message. */ 981 unsigned char digest[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 982 size_t digest_len; 983 } finished_in; 984 985 } state_local; 986 987 /* End of state-local variables. */ 988 989 unsigned char randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN + 990 MBEDTLS_SERVER_HELLO_RANDOM_LEN]; 991 /*!< random bytes */ 992 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 993 unsigned char premaster[MBEDTLS_PREMASTER_SIZE]; 994 /*!< premaster secret */ 995 size_t pmslen; /*!< premaster length */ 996 #endif 997 998 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 999 uint32_t sent_extensions; /*!< extensions sent by endpoint */ 1000 uint32_t received_extensions; /*!< extensions received by endpoint */ 1001 1002 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 1003 unsigned char certificate_request_context_len; 1004 unsigned char *certificate_request_context; 1005 #endif 1006 1007 /** TLS 1.3 transform for encrypted handshake messages. */ 1008 mbedtls_ssl_transform *transform_handshake; 1009 union { 1010 unsigned char early[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 1011 unsigned char handshake[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 1012 unsigned char app[MBEDTLS_TLS1_3_MD_MAX_SIZE]; 1013 } tls13_master_secrets; 1014 1015 mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets; 1016 #if defined(MBEDTLS_SSL_EARLY_DATA) 1017 /** TLS 1.3 transform for early data and handshake messages. */ 1018 mbedtls_ssl_transform *transform_earlydata; 1019 #endif 1020 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1021 1022 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) 1023 /** Asynchronous operation context. This field is meant for use by the 1024 * asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start, 1025 * mbedtls_ssl_config::f_async_decrypt_start, 1026 * mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel). 1027 * The library does not use it internally. */ 1028 void *user_async_ctx; 1029 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ 1030 1031 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 1032 const unsigned char *sni_name; /*!< raw SNI */ 1033 size_t sni_name_len; /*!< raw SNI len */ 1034 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) 1035 const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */ 1036 #endif 1037 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 1038 }; 1039 1040 typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer; 1041 1042 /* 1043 * Representation of decryption/encryption transformations on records 1044 * 1045 * There are the following general types of record transformations: 1046 * - Stream transformations (TLS versions == 1.2 only) 1047 * Transformation adding a MAC and applying a stream-cipher 1048 * to the authenticated message. 1049 * - CBC block cipher transformations ([D]TLS versions == 1.2 only) 1050 * For TLS 1.2, no IV is generated at key extraction time, but every 1051 * encrypted record is explicitly prefixed by the IV with which it was 1052 * encrypted. 1053 * - AEAD transformations ([D]TLS versions == 1.2 only) 1054 * These come in two fundamentally different versions, the first one 1055 * used in TLS 1.2, excluding ChaChaPoly ciphersuites, and the second 1056 * one used for ChaChaPoly ciphersuites in TLS 1.2 as well as for TLS 1.3. 1057 * In the first transformation, the IV to be used for a record is obtained 1058 * as the concatenation of an explicit, static 4-byte IV and the 8-byte 1059 * record sequence number, and explicitly prepending this sequence number 1060 * to the encrypted record. In contrast, in the second transformation 1061 * the IV is obtained by XOR'ing a static IV obtained at key extraction 1062 * time with the 8-byte record sequence number, without prepending the 1063 * latter to the encrypted record. 1064 * 1065 * Additionally, DTLS 1.2 + CID as well as TLS 1.3 use an inner plaintext 1066 * which allows to add flexible length padding and to hide a record's true 1067 * content type. 1068 * 1069 * In addition to type and version, the following parameters are relevant: 1070 * - The symmetric cipher algorithm to be used. 1071 * - The (static) encryption/decryption keys for the cipher. 1072 * - For stream/CBC, the type of message digest to be used. 1073 * - For stream/CBC, (static) encryption/decryption keys for the digest. 1074 * - For AEAD transformations, the size (potentially 0) of an explicit, 1075 * random initialization vector placed in encrypted records. 1076 * - For some transformations (currently AEAD) an implicit IV. It is static 1077 * and (if present) is combined with the explicit IV in a transformation- 1078 * -dependent way (e.g. appending in TLS 1.2 and XOR'ing in TLS 1.3). 1079 * - For stream/CBC, a flag determining the order of encryption and MAC. 1080 * - The details of the transformation depend on the SSL/TLS version. 1081 * - The length of the authentication tag. 1082 * 1083 * The struct below refines this abstract view as follows: 1084 * - The cipher underlying the transformation is managed in 1085 * cipher contexts cipher_ctx_{enc/dec}, which must have the 1086 * same cipher type. The mode of these cipher contexts determines 1087 * the type of the transformation in the sense above: e.g., if 1088 * the type is MBEDTLS_CIPHER_AES_256_CBC resp. MBEDTLS_CIPHER_AES_192_GCM 1089 * then the transformation has type CBC resp. AEAD. 1090 * - The cipher keys are never stored explicitly but 1091 * are maintained within cipher_ctx_{enc/dec}. 1092 * - For stream/CBC transformations, the message digest contexts 1093 * used for the MAC's are stored in md_ctx_{enc/dec}. These contexts 1094 * are unused for AEAD transformations. 1095 * - For stream/CBC transformations, the MAC keys are not stored explicitly 1096 * but maintained within md_ctx_{enc/dec}. 1097 * - The mac_enc and mac_dec fields are unused for EAD transformations. 1098 * - For transformations using an implicit IV maintained within 1099 * the transformation context, its contents are stored within 1100 * iv_{enc/dec}. 1101 * - The value of ivlen indicates the length of the IV. 1102 * This is redundant in case of stream/CBC transformations 1103 * which always use 0 resp. the cipher's block length as the 1104 * IV length, but is needed for AEAD ciphers and may be 1105 * different from the underlying cipher's block length 1106 * in this case. 1107 * - The field fixed_ivlen is nonzero for AEAD transformations only 1108 * and indicates the length of the static part of the IV which is 1109 * constant throughout the communication, and which is stored in 1110 * the first fixed_ivlen bytes of the iv_{enc/dec} arrays. 1111 * - tls_version denotes the 2-byte TLS version 1112 * - For stream/CBC transformations, maclen denotes the length of the 1113 * authentication tag, while taglen is unused and 0. 1114 * - For AEAD transformations, taglen denotes the length of the 1115 * authentication tag, while maclen is unused and 0. 1116 * - For CBC transformations, encrypt_then_mac determines the 1117 * order of encryption and authentication. This field is unused 1118 * in other transformations. 1119 * 1120 */ 1121 struct mbedtls_ssl_transform { 1122 /* 1123 * Session specific crypto layer 1124 */ 1125 size_t minlen; /*!< min. ciphertext length */ 1126 size_t ivlen; /*!< IV length */ 1127 size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */ 1128 size_t maclen; /*!< MAC(CBC) len */ 1129 size_t taglen; /*!< TAG(AEAD) len */ 1130 1131 unsigned char iv_enc[16]; /*!< IV (encryption) */ 1132 unsigned char iv_dec[16]; /*!< IV (decryption) */ 1133 1134 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1135 1136 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1137 mbedtls_svc_key_id_t psa_mac_enc; /*!< MAC (encryption) */ 1138 mbedtls_svc_key_id_t psa_mac_dec; /*!< MAC (decryption) */ 1139 psa_algorithm_t psa_mac_alg; /*!< psa MAC algorithm */ 1140 #else 1141 mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */ 1142 mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */ 1143 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1144 1145 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) 1146 int encrypt_then_mac; /*!< flag for EtM activation */ 1147 #endif 1148 1149 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ 1150 1151 mbedtls_ssl_protocol_version tls_version; 1152 1153 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1154 mbedtls_svc_key_id_t psa_key_enc; /*!< psa encryption key */ 1155 mbedtls_svc_key_id_t psa_key_dec; /*!< psa decryption key */ 1156 psa_algorithm_t psa_alg; /*!< psa algorithm */ 1157 #else 1158 mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */ 1159 mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */ 1160 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1161 1162 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1163 uint8_t in_cid_len; 1164 uint8_t out_cid_len; 1165 unsigned char in_cid[MBEDTLS_SSL_CID_IN_LEN_MAX]; 1166 unsigned char out_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX]; 1167 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1168 1169 #if defined(MBEDTLS_SSL_KEEP_RANDBYTES) 1170 /* We need the Hello random bytes in order to re-derive keys from the 1171 * Master Secret and other session info and for the keying material 1172 * exporter in TLS 1.2. 1173 * See ssl_tls12_populate_transform() */ 1174 unsigned char randbytes[MBEDTLS_SERVER_HELLO_RANDOM_LEN + 1175 MBEDTLS_CLIENT_HELLO_RANDOM_LEN]; 1176 /*!< ServerHello.random+ClientHello.random */ 1177 #endif /* defined(MBEDTLS_SSL_KEEP_RANDBYTES) */ 1178 }; 1179 1180 /* 1181 * Return 1 if the transform uses an AEAD cipher, 0 otherwise. 1182 * Equivalently, return 0 if a separate MAC is used, 1 otherwise. 1183 */ 1184 static inline int mbedtls_ssl_transform_uses_aead( 1185 const mbedtls_ssl_transform *transform) 1186 { 1187 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 1188 return transform->maclen == 0 && transform->taglen != 0; 1189 #else 1190 (void) transform; 1191 return 1; 1192 #endif 1193 } 1194 1195 /* 1196 * Internal representation of record frames 1197 * 1198 * Instances come in two flavors: 1199 * (1) Encrypted 1200 * These always have data_offset = 0 1201 * (2) Unencrypted 1202 * These have data_offset set to the amount of 1203 * pre-expansion during record protection. Concretely, 1204 * this is the length of the fixed part of the explicit IV 1205 * used for encryption, or 0 if no explicit IV is used 1206 * (e.g. for stream ciphers). 1207 * 1208 * The reason for the data_offset in the unencrypted case 1209 * is to allow for in-place conversion of an unencrypted to 1210 * an encrypted record. If the offset wasn't included, the 1211 * encrypted content would need to be shifted afterwards to 1212 * make space for the fixed IV. 1213 * 1214 */ 1215 #if MBEDTLS_SSL_CID_OUT_LEN_MAX > MBEDTLS_SSL_CID_IN_LEN_MAX 1216 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_OUT_LEN_MAX 1217 #else 1218 #define MBEDTLS_SSL_CID_LEN_MAX MBEDTLS_SSL_CID_IN_LEN_MAX 1219 #endif 1220 1221 typedef struct { 1222 uint8_t ctr[MBEDTLS_SSL_SEQUENCE_NUMBER_LEN]; /* In TLS: The implicit record sequence number. 1223 * In DTLS: The 2-byte epoch followed by 1224 * the 6-byte sequence number. 1225 * This is stored as a raw big endian byte array 1226 * as opposed to a uint64_t because we rarely 1227 * need to perform arithmetic on this, but do 1228 * need it as a Byte array for the purpose of 1229 * MAC computations. */ 1230 uint8_t type; /* The record content type. */ 1231 uint8_t ver[2]; /* SSL/TLS version as present on the wire. 1232 * Convert to internal presentation of versions 1233 * using mbedtls_ssl_read_version() and 1234 * mbedtls_ssl_write_version(). 1235 * Keep wire-format for MAC computations. */ 1236 1237 unsigned char *buf; /* Memory buffer enclosing the record content */ 1238 size_t buf_len; /* Buffer length */ 1239 size_t data_offset; /* Offset of record content */ 1240 size_t data_len; /* Length of record content */ 1241 1242 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) 1243 uint8_t cid_len; /* Length of the CID (0 if not present) */ 1244 unsigned char cid[MBEDTLS_SSL_CID_LEN_MAX]; /* The CID */ 1245 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ 1246 } mbedtls_record; 1247 1248 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1249 /* 1250 * List of certificate + private key pairs 1251 */ 1252 struct mbedtls_ssl_key_cert { 1253 mbedtls_x509_crt *cert; /*!< cert */ 1254 mbedtls_pk_context *key; /*!< private key */ 1255 mbedtls_ssl_key_cert *next; /*!< next key/cert pair */ 1256 }; 1257 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1258 1259 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1260 /* 1261 * List of handshake messages kept around for resending 1262 */ 1263 struct mbedtls_ssl_flight_item { 1264 unsigned char *p; /*!< message, including handshake headers */ 1265 size_t len; /*!< length of p */ 1266 unsigned char type; /*!< type of the message: handshake or CCS */ 1267 mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */ 1268 }; 1269 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1270 1271 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1272 /** 1273 * \brief Given an SSL context and its associated configuration, write the TLS 1274 * 1.2 specific extensions of the ClientHello message. 1275 * 1276 * \param[in] ssl SSL context 1277 * \param[in] buf Base address of the buffer where to write the extensions 1278 * \param[in] end End address of the buffer where to write the extensions 1279 * \param uses_ec Whether one proposed ciphersuite uses an elliptic curve 1280 * (<> 0) or not ( 0 ). 1281 * \param[out] out_len Length of the data written into the buffer \p buf 1282 */ 1283 MBEDTLS_CHECK_RETURN_CRITICAL 1284 int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl, 1285 unsigned char *buf, 1286 const unsigned char *end, 1287 int uses_ec, 1288 size_t *out_len); 1289 #endif 1290 1291 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ 1292 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) 1293 1294 /** 1295 * \brief Find the preferred hash for a given signature algorithm. 1296 * 1297 * \param[in] ssl SSL context 1298 * \param[in] sig_alg A signature algorithm identifier as defined in the 1299 * TLS 1.2 SignatureAlgorithm enumeration. 1300 * 1301 * \return The preferred hash algorithm for \p sig_alg. It is a hash algorithm 1302 * identifier as defined in the TLS 1.2 HashAlgorithm enumeration. 1303 */ 1304 unsigned int mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg( 1305 mbedtls_ssl_context *ssl, 1306 unsigned int sig_alg); 1307 1308 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && 1309 MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ 1310 1311 /** 1312 * \brief Free referenced items in an SSL transform context and clear 1313 * memory 1314 * 1315 * \param transform SSL transform context 1316 */ 1317 void mbedtls_ssl_transform_free(mbedtls_ssl_transform *transform); 1318 1319 /** 1320 * \brief Free referenced items in an SSL handshake context and clear 1321 * memory 1322 * 1323 * \param ssl SSL context 1324 */ 1325 void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl); 1326 1327 /* set inbound transform of ssl context */ 1328 void mbedtls_ssl_set_inbound_transform(mbedtls_ssl_context *ssl, 1329 mbedtls_ssl_transform *transform); 1330 1331 /* set outbound transform of ssl context */ 1332 void mbedtls_ssl_set_outbound_transform(mbedtls_ssl_context *ssl, 1333 mbedtls_ssl_transform *transform); 1334 1335 MBEDTLS_CHECK_RETURN_CRITICAL 1336 int mbedtls_ssl_handshake_client_step(mbedtls_ssl_context *ssl); 1337 MBEDTLS_CHECK_RETURN_CRITICAL 1338 int mbedtls_ssl_handshake_server_step(mbedtls_ssl_context *ssl); 1339 void mbedtls_ssl_handshake_wrapup(mbedtls_ssl_context *ssl); 1340 1341 #if defined(MBEDTLS_DEBUG_C) 1342 /* Declared in "ssl_debug_helpers.h". We can't include this file from 1343 * "ssl_misc.h" because it includes "ssl_misc.h" because it needs some 1344 * type definitions. TODO: split the type definitions and the helper 1345 * functions into different headers. 1346 */ 1347 const char *mbedtls_ssl_states_str(mbedtls_ssl_states state); 1348 #endif 1349 1350 static inline void mbedtls_ssl_handshake_set_state(mbedtls_ssl_context *ssl, 1351 mbedtls_ssl_states state) 1352 { 1353 MBEDTLS_SSL_DEBUG_MSG(3, ("handshake state: %d (%s) -> %d (%s)", 1354 ssl->state, mbedtls_ssl_states_str(ssl->state), 1355 (int) state, mbedtls_ssl_states_str(state))); 1356 ssl->state = (int) state; 1357 } 1358 1359 static inline void mbedtls_ssl_handshake_increment_state(mbedtls_ssl_context *ssl) 1360 { 1361 mbedtls_ssl_handshake_set_state(ssl, ssl->state + 1); 1362 } 1363 1364 MBEDTLS_CHECK_RETURN_CRITICAL 1365 int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl); 1366 1367 MBEDTLS_CHECK_RETURN_CRITICAL 1368 int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl); 1369 1370 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1371 MBEDTLS_CHECK_RETURN_CRITICAL 1372 int mbedtls_ssl_derive_keys(mbedtls_ssl_context *ssl); 1373 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1374 1375 MBEDTLS_CHECK_RETURN_CRITICAL 1376 int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl); 1377 MBEDTLS_CHECK_RETURN_CRITICAL 1378 int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl); 1379 MBEDTLS_CHECK_RETURN_CRITICAL 1380 int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl); 1381 1382 /** 1383 * \brief Update record layer 1384 * 1385 * This function roughly separates the implementation 1386 * of the logic of (D)TLS from the implementation 1387 * of the secure transport. 1388 * 1389 * \param ssl The SSL context to use. 1390 * \param update_hs_digest This indicates if the handshake digest 1391 * should be automatically updated in case 1392 * a handshake message is found. 1393 * 1394 * \return 0 or non-zero error code. 1395 * 1396 * \note A clarification on what is called 'record layer' here 1397 * is in order, as many sensible definitions are possible: 1398 * 1399 * The record layer takes as input an untrusted underlying 1400 * transport (stream or datagram) and transforms it into 1401 * a serially multiplexed, secure transport, which 1402 * conceptually provides the following: 1403 * 1404 * (1) Three datagram based, content-agnostic transports 1405 * for handshake, alert and CCS messages. 1406 * (2) One stream- or datagram-based transport 1407 * for application data. 1408 * (3) Functionality for changing the underlying transform 1409 * securing the contents. 1410 * 1411 * The interface to this functionality is given as follows: 1412 * 1413 * a Updating 1414 * [Currently implemented by mbedtls_ssl_read_record] 1415 * 1416 * Check if and on which of the four 'ports' data is pending: 1417 * Nothing, a controlling datagram of type (1), or application 1418 * data (2). In any case data is present, internal buffers 1419 * provide access to the data for the user to process it. 1420 * Consumption of type (1) datagrams is done automatically 1421 * on the next update, invalidating that the internal buffers 1422 * for previous datagrams, while consumption of application 1423 * data (2) is user-controlled. 1424 * 1425 * b Reading of application data 1426 * [Currently manual adaption of ssl->in_offt pointer] 1427 * 1428 * As mentioned in the last paragraph, consumption of data 1429 * is different from the automatic consumption of control 1430 * datagrams (1) because application data is treated as a stream. 1431 * 1432 * c Tracking availability of application data 1433 * [Currently manually through decreasing ssl->in_msglen] 1434 * 1435 * For efficiency and to retain datagram semantics for 1436 * application data in case of DTLS, the record layer 1437 * provides functionality for checking how much application 1438 * data is still available in the internal buffer. 1439 * 1440 * d Changing the transformation securing the communication. 1441 * 1442 * Given an opaque implementation of the record layer in the 1443 * above sense, it should be possible to implement the logic 1444 * of (D)TLS on top of it without the need to know anything 1445 * about the record layer's internals. This is done e.g. 1446 * in all the handshake handling functions, and in the 1447 * application data reading function mbedtls_ssl_read. 1448 * 1449 * \note The above tries to give a conceptual picture of the 1450 * record layer, but the current implementation deviates 1451 * from it in some places. For example, our implementation of 1452 * the update functionality through mbedtls_ssl_read_record 1453 * discards datagrams depending on the current state, which 1454 * wouldn't fall under the record layer's responsibility 1455 * following the above definition. 1456 * 1457 */ 1458 MBEDTLS_CHECK_RETURN_CRITICAL 1459 int mbedtls_ssl_read_record(mbedtls_ssl_context *ssl, 1460 unsigned update_hs_digest); 1461 MBEDTLS_CHECK_RETURN_CRITICAL 1462 int mbedtls_ssl_fetch_input(mbedtls_ssl_context *ssl, size_t nb_want); 1463 1464 /* 1465 * Write handshake message header 1466 */ 1467 MBEDTLS_CHECK_RETURN_CRITICAL 1468 int mbedtls_ssl_start_handshake_msg(mbedtls_ssl_context *ssl, unsigned char hs_type, 1469 unsigned char **buf, size_t *buf_len); 1470 1471 MBEDTLS_CHECK_RETURN_CRITICAL 1472 int mbedtls_ssl_write_handshake_msg_ext(mbedtls_ssl_context *ssl, 1473 int update_checksum, 1474 int force_flush); 1475 static inline int mbedtls_ssl_write_handshake_msg(mbedtls_ssl_context *ssl) 1476 { 1477 return mbedtls_ssl_write_handshake_msg_ext(ssl, 1 /* update checksum */, 1 /* force flush */); 1478 } 1479 1480 /* 1481 * Write handshake message tail 1482 */ 1483 MBEDTLS_CHECK_RETURN_CRITICAL 1484 int mbedtls_ssl_finish_handshake_msg(mbedtls_ssl_context *ssl, 1485 size_t buf_len, size_t msg_len); 1486 1487 MBEDTLS_CHECK_RETURN_CRITICAL 1488 int mbedtls_ssl_write_record(mbedtls_ssl_context *ssl, int force_flush); 1489 MBEDTLS_CHECK_RETURN_CRITICAL 1490 int mbedtls_ssl_flush_output(mbedtls_ssl_context *ssl); 1491 1492 MBEDTLS_CHECK_RETURN_CRITICAL 1493 int mbedtls_ssl_parse_certificate(mbedtls_ssl_context *ssl); 1494 MBEDTLS_CHECK_RETURN_CRITICAL 1495 int mbedtls_ssl_write_certificate(mbedtls_ssl_context *ssl); 1496 1497 MBEDTLS_CHECK_RETURN_CRITICAL 1498 int mbedtls_ssl_parse_change_cipher_spec(mbedtls_ssl_context *ssl); 1499 MBEDTLS_CHECK_RETURN_CRITICAL 1500 int mbedtls_ssl_write_change_cipher_spec(mbedtls_ssl_context *ssl); 1501 1502 MBEDTLS_CHECK_RETURN_CRITICAL 1503 int mbedtls_ssl_parse_finished(mbedtls_ssl_context *ssl); 1504 MBEDTLS_CHECK_RETURN_CRITICAL 1505 int mbedtls_ssl_write_finished(mbedtls_ssl_context *ssl); 1506 1507 void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl, 1508 const mbedtls_ssl_ciphersuite_t *ciphersuite_info); 1509 1510 /* 1511 * Update checksum of handshake messages. 1512 */ 1513 MBEDTLS_CHECK_RETURN_CRITICAL 1514 int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl, 1515 unsigned hs_type, 1516 unsigned char const *msg, 1517 size_t msg_len); 1518 1519 MBEDTLS_CHECK_RETURN_CRITICAL 1520 int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl, 1521 unsigned hs_type, 1522 size_t total_hs_len); 1523 1524 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) 1525 #if !defined(MBEDTLS_USE_PSA_CRYPTO) 1526 MBEDTLS_CHECK_RETURN_CRITICAL 1527 int mbedtls_ssl_psk_derive_premaster(mbedtls_ssl_context *ssl, 1528 mbedtls_key_exchange_type_t key_ex); 1529 #endif /* !MBEDTLS_USE_PSA_CRYPTO */ 1530 #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ 1531 1532 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) 1533 #if defined(MBEDTLS_SSL_CLI_C) || defined(MBEDTLS_SSL_SRV_C) 1534 MBEDTLS_CHECK_RETURN_CRITICAL 1535 int mbedtls_ssl_conf_has_static_psk(mbedtls_ssl_config const *conf); 1536 #endif 1537 #if defined(MBEDTLS_USE_PSA_CRYPTO) 1538 /** 1539 * Get the first defined opaque PSK by order of precedence: 1540 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk_opaque() in the PSK 1541 * callback 1542 * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque() 1543 * Return an opaque PSK 1544 */ 1545 static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( 1546 const mbedtls_ssl_context *ssl) 1547 { 1548 if (!mbedtls_svc_key_id_is_null(ssl->handshake->psk_opaque)) { 1549 return ssl->handshake->psk_opaque; 1550 } 1551 1552 if (!mbedtls_svc_key_id_is_null(ssl->conf->psk_opaque)) { 1553 return ssl->conf->psk_opaque; 1554 } 1555 1556 return MBEDTLS_SVC_KEY_ID_INIT; 1557 } 1558 #else 1559 /** 1560 * Get the first defined PSK by order of precedence: 1561 * 1. handshake PSK set by \c mbedtls_ssl_set_hs_psk() in the PSK callback 1562 * 2. static PSK configured by \c mbedtls_ssl_conf_psk() 1563 * Return a code and update the pair (PSK, PSK length) passed to this function 1564 */ 1565 static inline int mbedtls_ssl_get_psk(const mbedtls_ssl_context *ssl, 1566 const unsigned char **psk, size_t *psk_len) 1567 { 1568 if (ssl->handshake->psk != NULL && ssl->handshake->psk_len > 0) { 1569 *psk = ssl->handshake->psk; 1570 *psk_len = ssl->handshake->psk_len; 1571 } else if (ssl->conf->psk != NULL && ssl->conf->psk_len > 0) { 1572 *psk = ssl->conf->psk; 1573 *psk_len = ssl->conf->psk_len; 1574 } else { 1575 *psk = NULL; 1576 *psk_len = 0; 1577 return MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED; 1578 } 1579 1580 return 0; 1581 } 1582 #endif /* MBEDTLS_USE_PSA_CRYPTO */ 1583 1584 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ 1585 1586 #if defined(MBEDTLS_PK_C) 1587 unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk); 1588 unsigned char mbedtls_ssl_sig_from_pk_alg(mbedtls_pk_type_t type); 1589 mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig); 1590 #endif 1591 1592 mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash); 1593 unsigned char mbedtls_ssl_hash_from_md_alg(int md); 1594 1595 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1596 MBEDTLS_CHECK_RETURN_CRITICAL 1597 int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md); 1598 #endif 1599 1600 MBEDTLS_CHECK_RETURN_CRITICAL 1601 int mbedtls_ssl_check_curve_tls_id(const mbedtls_ssl_context *ssl, uint16_t tls_id); 1602 #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) 1603 MBEDTLS_CHECK_RETURN_CRITICAL 1604 int mbedtls_ssl_check_curve(const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id); 1605 #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ 1606 1607 /** 1608 * \brief Return PSA EC info for the specified TLS ID. 1609 * 1610 * \param tls_id The TLS ID to look for 1611 * \param type If the TLD ID is supported, then proper \c psa_key_type_t 1612 * value is returned here. Can be NULL. 1613 * \param bits If the TLD ID is supported, then proper bit size is returned 1614 * here. Can be NULL. 1615 * \return PSA_SUCCESS if the TLS ID is supported, 1616 * PSA_ERROR_NOT_SUPPORTED otherwise 1617 * 1618 * \note If either \c family or \c bits parameters are NULL, then 1619 * the corresponding value is not returned. 1620 * The function can be called with both parameters as NULL 1621 * simply to check if a specific TLS ID is supported. 1622 */ 1623 int mbedtls_ssl_get_psa_curve_info_from_tls_id(uint16_t tls_id, 1624 psa_key_type_t *type, 1625 size_t *bits); 1626 1627 /** 1628 * \brief Return \c mbedtls_ecp_group_id for the specified TLS ID. 1629 * 1630 * \param tls_id The TLS ID to look for 1631 * \return Proper \c mbedtls_ecp_group_id if the TLS ID is supported, 1632 * or MBEDTLS_ECP_DP_NONE otherwise 1633 */ 1634 mbedtls_ecp_group_id mbedtls_ssl_get_ecp_group_id_from_tls_id(uint16_t tls_id); 1635 1636 /** 1637 * \brief Return TLS ID for the specified \c mbedtls_ecp_group_id. 1638 * 1639 * \param grp_id The \c mbedtls_ecp_group_id ID to look for 1640 * \return Proper TLS ID if the \c mbedtls_ecp_group_id is supported, 1641 * or 0 otherwise 1642 */ 1643 uint16_t mbedtls_ssl_get_tls_id_from_ecp_group_id(mbedtls_ecp_group_id grp_id); 1644 1645 #if defined(MBEDTLS_DEBUG_C) 1646 /** 1647 * \brief Return EC's name for the specified TLS ID. 1648 * 1649 * \param tls_id The TLS ID to look for 1650 * \return A pointer to a const string with the proper name. If TLS 1651 * ID is not supported, a NULL pointer is returned instead. 1652 */ 1653 const char *mbedtls_ssl_get_curve_name_from_tls_id(uint16_t tls_id); 1654 #endif 1655 1656 #if defined(MBEDTLS_SSL_DTLS_SRTP) 1657 static inline mbedtls_ssl_srtp_profile mbedtls_ssl_check_srtp_profile_value 1658 (const uint16_t srtp_profile_value) 1659 { 1660 switch (srtp_profile_value) { 1661 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80: 1662 case MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32: 1663 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80: 1664 case MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32: 1665 return srtp_profile_value; 1666 default: break; 1667 } 1668 return MBEDTLS_TLS_SRTP_UNSET; 1669 } 1670 #endif 1671 1672 #if defined(MBEDTLS_X509_CRT_PARSE_C) 1673 static inline mbedtls_pk_context *mbedtls_ssl_own_key(mbedtls_ssl_context *ssl) 1674 { 1675 mbedtls_ssl_key_cert *key_cert; 1676 1677 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { 1678 key_cert = ssl->handshake->key_cert; 1679 } else { 1680 key_cert = ssl->conf->key_cert; 1681 } 1682 1683 return key_cert == NULL ? NULL : key_cert->key; 1684 } 1685 1686 static inline mbedtls_x509_crt *mbedtls_ssl_own_cert(mbedtls_ssl_context *ssl) 1687 { 1688 mbedtls_ssl_key_cert *key_cert; 1689 1690 if (ssl->handshake != NULL && ssl->handshake->key_cert != NULL) { 1691 key_cert = ssl->handshake->key_cert; 1692 } else { 1693 key_cert = ssl->conf->key_cert; 1694 } 1695 1696 return key_cert == NULL ? NULL : key_cert->cert; 1697 } 1698 1699 /* 1700 * Verify a certificate. 1701 * 1702 * [in/out] ssl: misc. things read 1703 * ssl->session_negotiate->verify_result updated 1704 * [in] authmode: one of MBEDTLS_SSL_VERIFY_{NONE,OPTIONAL,REQUIRED} 1705 * [in] chain: the certificate chain to verify (ie the peer's chain) 1706 * [in] ciphersuite_info: For TLS 1.2, this session's ciphersuite; 1707 * for TLS 1.3, may be left NULL. 1708 * [in] rs_ctx: restart context if restartable ECC is in use; 1709 * leave NULL for no restartable behaviour. 1710 * 1711 * Return: 1712 * - 0 if the handshake should continue. Depending on the 1713 * authmode it means: 1714 * - REQUIRED: the certificate was found to be valid, trusted & acceptable. 1715 * ssl->session_negotiate->verify_result is 0. 1716 * - OPTIONAL: the certificate may or may not be acceptable, but 1717 * ssl->session_negotiate->verify_result was updated with the result. 1718 * - NONE: the certificate wasn't even checked. 1719 * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED or MBEDTLS_ERR_SSL_BAD_CERTIFICATE if 1720 * the certificate was found to be invalid/untrusted/unacceptable and the 1721 * handshake should be aborted (can only happen with REQUIRED). 1722 * - another error code if another error happened (out-of-memory, etc.) 1723 */ 1724 MBEDTLS_CHECK_RETURN_CRITICAL 1725 int mbedtls_ssl_verify_certificate(mbedtls_ssl_context *ssl, 1726 int authmode, 1727 mbedtls_x509_crt *chain, 1728 const mbedtls_ssl_ciphersuite_t *ciphersuite_info, 1729 void *rs_ctx); 1730 1731 /* 1732 * Check usage of a certificate wrt usage extensions: 1733 * keyUsage and extendedKeyUsage. 1734 * (Note: nSCertType is deprecated and not standard, we don't check it.) 1735 * 1736 * Note: if tls_version is 1.3, ciphersuite is ignored and can be NULL. 1737 * 1738 * Note: recv_endpoint is the receiver's endpoint. 1739 * 1740 * Return 0 if everything is OK, -1 if not. 1741 */ 1742 MBEDTLS_CHECK_RETURN_CRITICAL 1743 int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, 1744 const mbedtls_ssl_ciphersuite_t *ciphersuite, 1745 int recv_endpoint, 1746 mbedtls_ssl_protocol_version tls_version, 1747 uint32_t *flags); 1748 #endif /* MBEDTLS_X509_CRT_PARSE_C */ 1749 1750 void mbedtls_ssl_write_version(unsigned char version[2], int transport, 1751 mbedtls_ssl_protocol_version tls_version); 1752 uint16_t mbedtls_ssl_read_version(const unsigned char version[2], 1753 int transport); 1754 1755 static inline size_t mbedtls_ssl_in_hdr_len(const mbedtls_ssl_context *ssl) 1756 { 1757 #if !defined(MBEDTLS_SSL_PROTO_DTLS) 1758 ((void) ssl); 1759 #endif 1760 1761 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1762 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1763 return 13; 1764 } else 1765 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1766 { 1767 return 5; 1768 } 1769 } 1770 1771 static inline size_t mbedtls_ssl_out_hdr_len(const mbedtls_ssl_context *ssl) 1772 { 1773 return (size_t) (ssl->out_iv - ssl->out_hdr); 1774 } 1775 1776 static inline size_t mbedtls_ssl_hs_hdr_len(const mbedtls_ssl_context *ssl) 1777 { 1778 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1779 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1780 return 12; 1781 } 1782 #else 1783 ((void) ssl); 1784 #endif 1785 return 4; 1786 } 1787 1788 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1789 void mbedtls_ssl_send_flight_completed(mbedtls_ssl_context *ssl); 1790 void mbedtls_ssl_recv_flight_completed(mbedtls_ssl_context *ssl); 1791 MBEDTLS_CHECK_RETURN_CRITICAL 1792 int mbedtls_ssl_resend(mbedtls_ssl_context *ssl); 1793 MBEDTLS_CHECK_RETURN_CRITICAL 1794 int mbedtls_ssl_flight_transmit(mbedtls_ssl_context *ssl); 1795 #endif 1796 1797 /* Visible for testing purposes only */ 1798 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1799 MBEDTLS_CHECK_RETURN_CRITICAL 1800 int mbedtls_ssl_dtls_replay_check(mbedtls_ssl_context const *ssl); 1801 void mbedtls_ssl_dtls_replay_update(mbedtls_ssl_context *ssl); 1802 #endif 1803 1804 MBEDTLS_CHECK_RETURN_CRITICAL 1805 int mbedtls_ssl_session_copy(mbedtls_ssl_session *dst, 1806 const mbedtls_ssl_session *src); 1807 1808 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1809 /* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */ 1810 MBEDTLS_CHECK_RETURN_CRITICAL 1811 int mbedtls_ssl_get_key_exchange_md_tls1_2(mbedtls_ssl_context *ssl, 1812 unsigned char *hash, size_t *hashlen, 1813 unsigned char *data, size_t data_len, 1814 mbedtls_md_type_t md_alg); 1815 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1816 1817 #ifdef __cplusplus 1818 } 1819 #endif 1820 1821 void mbedtls_ssl_transform_init(mbedtls_ssl_transform *transform); 1822 MBEDTLS_CHECK_RETURN_CRITICAL 1823 int mbedtls_ssl_encrypt_buf(mbedtls_ssl_context *ssl, 1824 mbedtls_ssl_transform *transform, 1825 mbedtls_record *rec, 1826 int (*f_rng)(void *, unsigned char *, size_t), 1827 void *p_rng); 1828 MBEDTLS_CHECK_RETURN_CRITICAL 1829 int mbedtls_ssl_decrypt_buf(mbedtls_ssl_context const *ssl, 1830 mbedtls_ssl_transform *transform, 1831 mbedtls_record *rec); 1832 1833 /* Length of the "epoch" field in the record header */ 1834 static inline size_t mbedtls_ssl_ep_len(const mbedtls_ssl_context *ssl) 1835 { 1836 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1837 if (ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) { 1838 return 2; 1839 } 1840 #else 1841 ((void) ssl); 1842 #endif 1843 return 0; 1844 } 1845 1846 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1847 MBEDTLS_CHECK_RETURN_CRITICAL 1848 int mbedtls_ssl_resend_hello_request(mbedtls_ssl_context *ssl); 1849 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1850 1851 void mbedtls_ssl_set_timer(mbedtls_ssl_context *ssl, uint32_t millisecs); 1852 MBEDTLS_CHECK_RETURN_CRITICAL 1853 int mbedtls_ssl_check_timer(mbedtls_ssl_context *ssl); 1854 1855 void mbedtls_ssl_reset_in_pointers(mbedtls_ssl_context *ssl); 1856 void mbedtls_ssl_update_in_pointers(mbedtls_ssl_context *ssl); 1857 void mbedtls_ssl_reset_out_pointers(mbedtls_ssl_context *ssl); 1858 void mbedtls_ssl_update_out_pointers(mbedtls_ssl_context *ssl, 1859 mbedtls_ssl_transform *transform); 1860 1861 MBEDTLS_CHECK_RETURN_CRITICAL 1862 int mbedtls_ssl_session_reset_int(mbedtls_ssl_context *ssl, int partial); 1863 void mbedtls_ssl_session_reset_msg_layer(mbedtls_ssl_context *ssl, 1864 int partial); 1865 1866 /* 1867 * Send pending alert 1868 */ 1869 MBEDTLS_CHECK_RETURN_CRITICAL 1870 int mbedtls_ssl_handle_pending_alert(mbedtls_ssl_context *ssl); 1871 1872 /* 1873 * Set pending fatal alert flag. 1874 */ 1875 void mbedtls_ssl_pend_fatal_alert(mbedtls_ssl_context *ssl, 1876 unsigned char alert_type, 1877 int alert_reason); 1878 1879 /* Alias of mbedtls_ssl_pend_fatal_alert */ 1880 #define MBEDTLS_SSL_PEND_FATAL_ALERT(type, user_return_value) \ 1881 mbedtls_ssl_pend_fatal_alert(ssl, type, user_return_value) 1882 1883 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY) 1884 void mbedtls_ssl_dtls_replay_reset(mbedtls_ssl_context *ssl); 1885 #endif 1886 1887 void mbedtls_ssl_handshake_wrapup_free_hs_transform(mbedtls_ssl_context *ssl); 1888 1889 #if defined(MBEDTLS_SSL_RENEGOTIATION) 1890 MBEDTLS_CHECK_RETURN_CRITICAL 1891 int mbedtls_ssl_start_renegotiation(mbedtls_ssl_context *ssl); 1892 #endif /* MBEDTLS_SSL_RENEGOTIATION */ 1893 1894 #if defined(MBEDTLS_SSL_PROTO_DTLS) 1895 size_t mbedtls_ssl_get_current_mtu(const mbedtls_ssl_context *ssl); 1896 void mbedtls_ssl_buffering_free(mbedtls_ssl_context *ssl); 1897 void mbedtls_ssl_flight_free(mbedtls_ssl_flight_item *flight); 1898 #endif /* MBEDTLS_SSL_PROTO_DTLS */ 1899 1900 /** 1901 * ssl utils functions for checking configuration. 1902 */ 1903 1904 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1905 static inline int mbedtls_ssl_conf_is_tls13_only(const mbedtls_ssl_config *conf) 1906 { 1907 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 && 1908 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3; 1909 } 1910 1911 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 1912 1913 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1914 static inline int mbedtls_ssl_conf_is_tls12_only(const mbedtls_ssl_config *conf) 1915 { 1916 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 1917 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_2; 1918 } 1919 1920 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 1921 1922 static inline int mbedtls_ssl_conf_is_tls13_enabled(const mbedtls_ssl_config *conf) 1923 { 1924 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1925 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 && 1926 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_3; 1927 #else 1928 ((void) conf); 1929 return 0; 1930 #endif 1931 } 1932 1933 static inline int mbedtls_ssl_conf_is_tls12_enabled(const mbedtls_ssl_config *conf) 1934 { 1935 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 1936 return conf->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_2 && 1937 conf->max_tls_version >= MBEDTLS_SSL_VERSION_TLS1_2; 1938 #else 1939 ((void) conf); 1940 return 0; 1941 #endif 1942 } 1943 1944 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 1945 static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13(const mbedtls_ssl_config *conf) 1946 { 1947 return conf->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_2 && 1948 conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3; 1949 } 1950 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3 */ 1951 1952 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 1953 1954 /** \brief Initialize the PSA crypto subsystem if necessary. 1955 * 1956 * Call this function before doing any cryptography in a TLS 1.3 handshake. 1957 * 1958 * This is necessary in Mbed TLS 3.x for backward compatibility. 1959 * Up to Mbed TLS 3.5, in the default configuration, you could perform 1960 * a TLS connection with default parameters without having called 1961 * psa_crypto_init(), since the TLS layer only supported TLS 1.2 and 1962 * did not use PSA crypto. (TLS 1.2 only uses PSA crypto if 1963 * MBEDTLS_USE_PSA_CRYPTO is enabled, which is not the case in the default 1964 * configuration.) Starting with Mbed TLS 3.6.0, TLS 1.3 is enabled 1965 * by default, and the TLS 1.3 layer uses PSA crypto. This means that 1966 * applications that are not otherwise using PSA crypto and that worked 1967 * with Mbed TLS 3.5 started failing in TLS 3.6.0 if they connected to 1968 * a peer that supports TLS 1.3. See 1969 * https://github.com/Mbed-TLS/mbedtls/issues/9072 1970 */ 1971 int mbedtls_ssl_tls13_crypto_init(mbedtls_ssl_context *ssl); 1972 1973 extern const uint8_t mbedtls_ssl_tls13_hello_retry_request_magic[ 1974 MBEDTLS_SERVER_HELLO_RANDOM_LEN]; 1975 MBEDTLS_CHECK_RETURN_CRITICAL 1976 int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl); 1977 MBEDTLS_CHECK_RETURN_CRITICAL 1978 int mbedtls_ssl_tls13_write_finished_message(mbedtls_ssl_context *ssl); 1979 void mbedtls_ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl); 1980 1981 /** 1982 * \brief Given an SSL context and its associated configuration, write the TLS 1983 * 1.3 specific extensions of the ClientHello message. 1984 * 1985 * \param[in] ssl SSL context 1986 * \param[in] buf Base address of the buffer where to write the extensions 1987 * \param[in] end End address of the buffer where to write the extensions 1988 * \param[out] out_len Length of the data written into the buffer \p buf 1989 */ 1990 MBEDTLS_CHECK_RETURN_CRITICAL 1991 int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, 1992 unsigned char *buf, 1993 unsigned char *end, 1994 size_t *out_len); 1995 1996 /** 1997 * \brief TLS 1.3 client side state machine entry 1998 * 1999 * \param ssl SSL context 2000 */ 2001 MBEDTLS_CHECK_RETURN_CRITICAL 2002 int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl); 2003 2004 /** 2005 * \brief TLS 1.3 server side state machine entry 2006 * 2007 * \param ssl SSL context 2008 */ 2009 MBEDTLS_CHECK_RETURN_CRITICAL 2010 int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl); 2011 2012 2013 /* 2014 * Helper functions around key exchange modes. 2015 */ 2016 static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context *ssl, 2017 int kex_mode_mask) 2018 { 2019 return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0; 2020 } 2021 2022 static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl) 2023 { 2024 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 2025 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); 2026 } 2027 2028 static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl) 2029 { 2030 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 2031 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 2032 } 2033 2034 static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl) 2035 { 2036 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 2037 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); 2038 } 2039 2040 static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl) 2041 { 2042 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 2043 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 2044 } 2045 2046 static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl) 2047 { 2048 return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl, 2049 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 2050 } 2051 2052 #if defined(MBEDTLS_SSL_SRV_C) && \ 2053 defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 2054 /** 2055 * Given a list of key exchange modes, check if at least one of them is 2056 * supported by peer. 2057 * 2058 * \param[in] ssl SSL context 2059 * \param kex_modes_mask Mask of the key exchange modes to check 2060 * 2061 * \return Non-zero if at least one of the key exchange modes is supported by 2062 * the peer, otherwise \c 0. 2063 */ 2064 static inline int mbedtls_ssl_tls13_is_kex_mode_supported(mbedtls_ssl_context *ssl, 2065 int kex_modes_mask) 2066 { 2067 return (ssl->handshake->tls13_kex_modes & kex_modes_mask) != 0; 2068 } 2069 2070 static inline int mbedtls_ssl_tls13_is_psk_supported(mbedtls_ssl_context *ssl) 2071 { 2072 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 2073 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK); 2074 } 2075 2076 static inline int mbedtls_ssl_tls13_is_psk_ephemeral_supported( 2077 mbedtls_ssl_context *ssl) 2078 { 2079 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 2080 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL); 2081 } 2082 2083 static inline int mbedtls_ssl_tls13_is_ephemeral_supported(mbedtls_ssl_context *ssl) 2084 { 2085 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 2086 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL); 2087 } 2088 2089 static inline int mbedtls_ssl_tls13_is_some_ephemeral_supported(mbedtls_ssl_context *ssl) 2090 { 2091 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 2092 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 2093 } 2094 2095 static inline int mbedtls_ssl_tls13_is_some_psk_supported(mbedtls_ssl_context *ssl) 2096 { 2097 return mbedtls_ssl_tls13_is_kex_mode_supported(ssl, 2098 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 2099 } 2100 #endif /* MBEDTLS_SSL_SRV_C && 2101 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 2102 2103 /* 2104 * Helper functions for extensions checking. 2105 */ 2106 2107 MBEDTLS_CHECK_RETURN_CRITICAL 2108 int mbedtls_ssl_tls13_check_received_extension( 2109 mbedtls_ssl_context *ssl, 2110 int hs_msg_type, 2111 unsigned int received_extension_type, 2112 uint32_t hs_msg_allowed_extensions_mask); 2113 2114 static inline void mbedtls_ssl_tls13_set_hs_sent_ext_mask( 2115 mbedtls_ssl_context *ssl, unsigned int extension_type) 2116 { 2117 ssl->handshake->sent_extensions |= 2118 mbedtls_ssl_get_extension_mask(extension_type); 2119 } 2120 2121 /* 2122 * Helper functions to check the selected key exchange mode. 2123 */ 2124 static inline int mbedtls_ssl_tls13_key_exchange_mode_check( 2125 mbedtls_ssl_context *ssl, int kex_mask) 2126 { 2127 return (ssl->handshake->key_exchange_mode & kex_mask) != 0; 2128 } 2129 2130 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_psk( 2131 mbedtls_ssl_context *ssl) 2132 { 2133 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl, 2134 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL); 2135 } 2136 2137 static inline int mbedtls_ssl_tls13_key_exchange_mode_with_ephemeral( 2138 mbedtls_ssl_context *ssl) 2139 { 2140 return mbedtls_ssl_tls13_key_exchange_mode_check(ssl, 2141 MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL); 2142 } 2143 2144 /* 2145 * Fetch TLS 1.3 handshake message header 2146 */ 2147 MBEDTLS_CHECK_RETURN_CRITICAL 2148 int mbedtls_ssl_tls13_fetch_handshake_msg(mbedtls_ssl_context *ssl, 2149 unsigned hs_type, 2150 unsigned char **buf, 2151 size_t *buf_len); 2152 2153 /** 2154 * \brief Detect if a list of extensions contains a supported_versions 2155 * extension or not. 2156 * 2157 * \param[in] ssl SSL context 2158 * \param[in] buf Address of the first byte of the extensions vector. 2159 * \param[in] end End of the buffer containing the list of extensions. 2160 * \param[out] supported_versions_data If the extension is present, address of 2161 * its first byte of data, NULL otherwise. 2162 * \param[out] supported_versions_data_end If the extension is present, address 2163 * of the first byte immediately 2164 * following the extension data, NULL 2165 * otherwise. 2166 * \return 0 if the list of extensions does not contain a supported_versions 2167 * extension. 2168 * \return 1 if the list of extensions contains a supported_versions 2169 * extension. 2170 * \return A negative value if an error occurred while parsing the 2171 * extensions. 2172 */ 2173 MBEDTLS_CHECK_RETURN_CRITICAL 2174 int mbedtls_ssl_tls13_is_supported_versions_ext_present_in_exts( 2175 mbedtls_ssl_context *ssl, 2176 const unsigned char *buf, const unsigned char *end, 2177 const unsigned char **supported_versions_data, 2178 const unsigned char **supported_versions_data_end); 2179 2180 /* 2181 * Handler of TLS 1.3 server certificate message 2182 */ 2183 MBEDTLS_CHECK_RETURN_CRITICAL 2184 int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl); 2185 2186 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2187 /* 2188 * Handler of TLS 1.3 write Certificate message 2189 */ 2190 MBEDTLS_CHECK_RETURN_CRITICAL 2191 int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl); 2192 2193 /* 2194 * Handler of TLS 1.3 write Certificate Verify message 2195 */ 2196 MBEDTLS_CHECK_RETURN_CRITICAL 2197 int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl); 2198 2199 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 2200 2201 /* 2202 * Generic handler of Certificate Verify 2203 */ 2204 MBEDTLS_CHECK_RETURN_CRITICAL 2205 int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl); 2206 2207 /* 2208 * Write of dummy-CCS's for middlebox compatibility 2209 */ 2210 MBEDTLS_CHECK_RETURN_CRITICAL 2211 int mbedtls_ssl_tls13_write_change_cipher_spec(mbedtls_ssl_context *ssl); 2212 2213 MBEDTLS_CHECK_RETURN_CRITICAL 2214 int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl); 2215 2216 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) 2217 MBEDTLS_CHECK_RETURN_CRITICAL 2218 int mbedtls_ssl_tls13_generate_and_write_xxdh_key_exchange( 2219 mbedtls_ssl_context *ssl, 2220 uint16_t named_group, 2221 unsigned char *buf, 2222 unsigned char *end, 2223 size_t *out_len); 2224 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ 2225 2226 #if defined(MBEDTLS_SSL_EARLY_DATA) 2227 int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, 2228 int in_new_session_ticket, 2229 unsigned char *buf, 2230 const unsigned char *end, 2231 size_t *out_len); 2232 2233 int mbedtls_ssl_tls13_check_early_data_len(mbedtls_ssl_context *ssl, 2234 size_t early_data_len); 2235 2236 typedef enum { 2237 /* 2238 * The client has not sent the first ClientHello yet, the negotiation of early 2239 * data has not started yet. 2240 */ 2241 MBEDTLS_SSL_EARLY_DATA_STATE_IDLE, 2242 2243 /* 2244 * In its ClientHello, the client has not included an early data indication 2245 * extension. 2246 */ 2247 MBEDTLS_SSL_EARLY_DATA_STATE_NO_IND_SENT, 2248 2249 /* 2250 * The client has sent an early data indication extension in its first 2251 * ClientHello, it has not received the response (ServerHello or 2252 * HelloRetryRequest) from the server yet. The transform to protect early data 2253 * is not set either as for middlebox compatibility a dummy CCS may have to be 2254 * sent in clear. Early data cannot be sent to the server yet. 2255 */ 2256 MBEDTLS_SSL_EARLY_DATA_STATE_IND_SENT, 2257 2258 /* 2259 * The client has sent an early data indication extension in its first 2260 * ClientHello, it has not received the response (ServerHello or 2261 * HelloRetryRequest) from the server yet. The transform to protect early data 2262 * has been set and early data can be written now. 2263 */ 2264 MBEDTLS_SSL_EARLY_DATA_STATE_CAN_WRITE, 2265 2266 /* 2267 * The client has indicated the use of early data and the server has accepted 2268 * it. 2269 */ 2270 MBEDTLS_SSL_EARLY_DATA_STATE_ACCEPTED, 2271 2272 /* 2273 * The client has indicated the use of early data but the server has rejected 2274 * it. 2275 */ 2276 MBEDTLS_SSL_EARLY_DATA_STATE_REJECTED, 2277 2278 /* 2279 * The client has sent an early data indication extension in its first 2280 * ClientHello, the server has accepted them and the client has received the 2281 * server Finished message. It cannot send early data to the server anymore. 2282 */ 2283 MBEDTLS_SSL_EARLY_DATA_STATE_SERVER_FINISHED_RECEIVED, 2284 2285 } mbedtls_ssl_early_data_state; 2286 #endif /* MBEDTLS_SSL_EARLY_DATA */ 2287 2288 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 2289 2290 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2291 /* 2292 * Write Signature Algorithm extension 2293 */ 2294 MBEDTLS_CHECK_RETURN_CRITICAL 2295 int mbedtls_ssl_write_sig_alg_ext(mbedtls_ssl_context *ssl, unsigned char *buf, 2296 const unsigned char *end, size_t *out_len); 2297 /* 2298 * Parse TLS Signature Algorithm extension 2299 */ 2300 MBEDTLS_CHECK_RETURN_CRITICAL 2301 int mbedtls_ssl_parse_sig_alg_ext(mbedtls_ssl_context *ssl, 2302 const unsigned char *buf, 2303 const unsigned char *end); 2304 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2305 2306 /* Get handshake transcript */ 2307 MBEDTLS_CHECK_RETURN_CRITICAL 2308 int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl, 2309 const mbedtls_md_type_t md, 2310 unsigned char *dst, 2311 size_t dst_len, 2312 size_t *olen); 2313 2314 /* 2315 * Return supported groups. 2316 * 2317 * In future, invocations can be changed to ssl->conf->group_list 2318 * when mbedtls_ssl_conf_curves() is deleted. 2319 * 2320 * ssl->handshake->group_list is either a translation of curve_list to IANA TLS group 2321 * identifiers when mbedtls_ssl_conf_curves() has been used, or a pointer to 2322 * ssl->conf->group_list when mbedtls_ssl_conf_groups() has been more recently invoked. 2323 * 2324 */ 2325 static inline const void *mbedtls_ssl_get_groups(const mbedtls_ssl_context *ssl) 2326 { 2327 #if defined(MBEDTLS_DEPRECATED_REMOVED) || !defined(MBEDTLS_ECP_C) 2328 return ssl->conf->group_list; 2329 #else 2330 if ((ssl->handshake != NULL) && (ssl->handshake->group_list != NULL)) { 2331 return ssl->handshake->group_list; 2332 } else { 2333 return ssl->conf->group_list; 2334 } 2335 #endif 2336 } 2337 2338 /* 2339 * Helper functions for NamedGroup. 2340 */ 2341 static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group) 2342 { 2343 /* 2344 * RFC 8422 section 5.1.1 2345 */ 2346 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 || 2347 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1 || 2348 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1 || 2349 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 || 2350 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 || 2351 /* Below deprecated curves should be removed with notice to users */ 2352 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 || 2353 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 || 2354 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 || 2355 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 || 2356 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 || 2357 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || 2358 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || 2359 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1; 2360 } 2361 2362 static inline int mbedtls_ssl_tls13_named_group_is_ecdhe(uint16_t named_group) 2363 { 2364 return named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X25519 || 2365 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || 2366 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || 2367 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1 || 2368 named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448; 2369 } 2370 2371 static inline int mbedtls_ssl_tls13_named_group_is_ffdh(uint16_t named_group) 2372 { 2373 return named_group >= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE2048 && 2374 named_group <= MBEDTLS_SSL_IANA_TLS_GROUP_FFDHE8192; 2375 } 2376 2377 static inline int mbedtls_ssl_named_group_is_offered( 2378 const mbedtls_ssl_context *ssl, uint16_t named_group) 2379 { 2380 const uint16_t *group_list = mbedtls_ssl_get_groups(ssl); 2381 2382 if (group_list == NULL) { 2383 return 0; 2384 } 2385 2386 for (; *group_list != 0; group_list++) { 2387 if (*group_list == named_group) { 2388 return 1; 2389 } 2390 } 2391 2392 return 0; 2393 } 2394 2395 static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group) 2396 { 2397 #if defined(PSA_WANT_ALG_ECDH) 2398 if (mbedtls_ssl_tls13_named_group_is_ecdhe(named_group)) { 2399 if (mbedtls_ssl_get_ecp_group_id_from_tls_id(named_group) != 2400 MBEDTLS_ECP_DP_NONE) { 2401 return 1; 2402 } 2403 } 2404 #endif 2405 #if defined(PSA_WANT_ALG_FFDH) 2406 if (mbedtls_ssl_tls13_named_group_is_ffdh(named_group)) { 2407 return 1; 2408 } 2409 #endif 2410 #if !defined(PSA_WANT_ALG_ECDH) && !defined(PSA_WANT_ALG_FFDH) 2411 (void) named_group; 2412 #endif 2413 return 0; 2414 } 2415 2416 /* 2417 * Return supported signature algorithms. 2418 * 2419 * In future, invocations can be changed to ssl->conf->sig_algs when 2420 * mbedtls_ssl_conf_sig_hashes() is deleted. 2421 * 2422 * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS 2423 * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been 2424 * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has 2425 * been more recently invoked. 2426 * 2427 */ 2428 static inline const void *mbedtls_ssl_get_sig_algs( 2429 const mbedtls_ssl_context *ssl) 2430 { 2431 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2432 2433 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2434 if (ssl->handshake != NULL && 2435 ssl->handshake->sig_algs_heap_allocated == 1 && 2436 ssl->handshake->sig_algs != NULL) { 2437 return ssl->handshake->sig_algs; 2438 } 2439 #endif 2440 return ssl->conf->sig_algs; 2441 2442 #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2443 2444 ((void) ssl); 2445 return NULL; 2446 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2447 } 2448 2449 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2450 static inline int mbedtls_ssl_sig_alg_is_received(const mbedtls_ssl_context *ssl, 2451 uint16_t own_sig_alg) 2452 { 2453 const uint16_t *sig_alg = ssl->handshake->received_sig_algs; 2454 if (sig_alg == NULL) { 2455 return 0; 2456 } 2457 2458 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 2459 if (*sig_alg == own_sig_alg) { 2460 return 1; 2461 } 2462 } 2463 return 0; 2464 } 2465 2466 static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( 2467 const uint16_t sig_alg) 2468 { 2469 switch (sig_alg) { 2470 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME) 2471 #if defined(PSA_WANT_ALG_SHA_256) && defined(PSA_WANT_ECC_SECP_R1_256) 2472 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256: 2473 break; 2474 #endif /* PSA_WANT_ALG_SHA_256 && MBEDTLS_ECP_DP_SECP256R1_ENABLED */ 2475 #if defined(PSA_WANT_ALG_SHA_384) && defined(PSA_WANT_ECC_SECP_R1_384) 2476 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384: 2477 break; 2478 #endif /* PSA_WANT_ALG_SHA_384 && MBEDTLS_ECP_DP_SECP384R1_ENABLED */ 2479 #if defined(PSA_WANT_ALG_SHA_512) && defined(PSA_WANT_ECC_SECP_R1_521) 2480 case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512: 2481 break; 2482 #endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */ 2483 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */ 2484 2485 #if defined(MBEDTLS_PKCS1_V21) 2486 #if defined(PSA_WANT_ALG_SHA_256) 2487 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: 2488 break; 2489 #endif /* PSA_WANT_ALG_SHA_256 */ 2490 #if defined(PSA_WANT_ALG_SHA_384) 2491 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: 2492 break; 2493 #endif /* PSA_WANT_ALG_SHA_384 */ 2494 #if defined(PSA_WANT_ALG_SHA_512) 2495 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 2496 break; 2497 #endif /* PSA_WANT_ALG_SHA_512 */ 2498 #endif /* MBEDTLS_PKCS1_V21 */ 2499 default: 2500 return 0; 2501 } 2502 return 1; 2503 2504 } 2505 2506 static inline int mbedtls_ssl_tls13_sig_alg_is_supported( 2507 const uint16_t sig_alg) 2508 { 2509 switch (sig_alg) { 2510 #if defined(MBEDTLS_PKCS1_V15) 2511 #if defined(MBEDTLS_MD_CAN_SHA256) 2512 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256: 2513 break; 2514 #endif /* MBEDTLS_MD_CAN_SHA256 */ 2515 #if defined(MBEDTLS_MD_CAN_SHA384) 2516 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384: 2517 break; 2518 #endif /* MBEDTLS_MD_CAN_SHA384 */ 2519 #if defined(MBEDTLS_MD_CAN_SHA512) 2520 case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512: 2521 break; 2522 #endif /* MBEDTLS_MD_CAN_SHA512 */ 2523 #endif /* MBEDTLS_PKCS1_V15 */ 2524 default: 2525 return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported( 2526 sig_alg); 2527 } 2528 return 1; 2529 } 2530 2531 MBEDTLS_CHECK_RETURN_CRITICAL 2532 int mbedtls_ssl_tls13_check_sig_alg_cert_key_match(uint16_t sig_alg, 2533 mbedtls_pk_context *key); 2534 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */ 2535 2536 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) 2537 static inline int mbedtls_ssl_sig_alg_is_offered(const mbedtls_ssl_context *ssl, 2538 uint16_t proposed_sig_alg) 2539 { 2540 const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs(ssl); 2541 if (sig_alg == NULL) { 2542 return 0; 2543 } 2544 2545 for (; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++) { 2546 if (*sig_alg == proposed_sig_alg) { 2547 return 1; 2548 } 2549 } 2550 return 0; 2551 } 2552 2553 static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg( 2554 uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg) 2555 { 2556 *pk_type = mbedtls_ssl_pk_alg_from_sig(sig_alg & 0xff); 2557 *md_alg = mbedtls_ssl_md_alg_from_hash((sig_alg >> 8) & 0xff); 2558 2559 if (*pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE) { 2560 return 0; 2561 } 2562 2563 switch (sig_alg) { 2564 #if defined(MBEDTLS_PKCS1_V21) 2565 #if defined(MBEDTLS_MD_CAN_SHA256) 2566 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256: 2567 *md_alg = MBEDTLS_MD_SHA256; 2568 *pk_type = MBEDTLS_PK_RSASSA_PSS; 2569 break; 2570 #endif /* MBEDTLS_MD_CAN_SHA256 */ 2571 #if defined(MBEDTLS_MD_CAN_SHA384) 2572 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384: 2573 *md_alg = MBEDTLS_MD_SHA384; 2574 *pk_type = MBEDTLS_PK_RSASSA_PSS; 2575 break; 2576 #endif /* MBEDTLS_MD_CAN_SHA384 */ 2577 #if defined(MBEDTLS_MD_CAN_SHA512) 2578 case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512: 2579 *md_alg = MBEDTLS_MD_SHA512; 2580 *pk_type = MBEDTLS_PK_RSASSA_PSS; 2581 break; 2582 #endif /* MBEDTLS_MD_CAN_SHA512 */ 2583 #endif /* MBEDTLS_PKCS1_V21 */ 2584 default: 2585 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2586 } 2587 return 0; 2588 } 2589 2590 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2591 static inline int mbedtls_ssl_tls12_sig_alg_is_supported( 2592 const uint16_t sig_alg) 2593 { 2594 /* High byte is hash */ 2595 unsigned char hash = MBEDTLS_BYTE_1(sig_alg); 2596 unsigned char sig = MBEDTLS_BYTE_0(sig_alg); 2597 2598 switch (hash) { 2599 #if defined(MBEDTLS_MD_CAN_MD5) 2600 case MBEDTLS_SSL_HASH_MD5: 2601 break; 2602 #endif 2603 2604 #if defined(MBEDTLS_MD_CAN_SHA1) 2605 case MBEDTLS_SSL_HASH_SHA1: 2606 break; 2607 #endif 2608 2609 #if defined(MBEDTLS_MD_CAN_SHA224) 2610 case MBEDTLS_SSL_HASH_SHA224: 2611 break; 2612 #endif 2613 2614 #if defined(MBEDTLS_MD_CAN_SHA256) 2615 case MBEDTLS_SSL_HASH_SHA256: 2616 break; 2617 #endif 2618 2619 #if defined(MBEDTLS_MD_CAN_SHA384) 2620 case MBEDTLS_SSL_HASH_SHA384: 2621 break; 2622 #endif 2623 2624 #if defined(MBEDTLS_MD_CAN_SHA512) 2625 case MBEDTLS_SSL_HASH_SHA512: 2626 break; 2627 #endif 2628 2629 default: 2630 return 0; 2631 } 2632 2633 switch (sig) { 2634 #if defined(MBEDTLS_RSA_C) 2635 case MBEDTLS_SSL_SIG_RSA: 2636 break; 2637 #endif 2638 2639 #if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) 2640 case MBEDTLS_SSL_SIG_ECDSA: 2641 break; 2642 #endif 2643 2644 default: 2645 return 0; 2646 } 2647 2648 return 1; 2649 } 2650 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2651 2652 static inline int mbedtls_ssl_sig_alg_is_supported( 2653 const mbedtls_ssl_context *ssl, 2654 const uint16_t sig_alg) 2655 { 2656 2657 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 2658 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_2) { 2659 return mbedtls_ssl_tls12_sig_alg_is_supported(sig_alg); 2660 } 2661 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 2662 2663 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) 2664 if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) { 2665 return mbedtls_ssl_tls13_sig_alg_is_supported(sig_alg); 2666 } 2667 #endif 2668 ((void) ssl); 2669 ((void) sig_alg); 2670 return 0; 2671 } 2672 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ 2673 2674 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) 2675 /* Corresponding PSA algorithm for MBEDTLS_CIPHER_NULL. 2676 * Same value is used for PSA_ALG_CATEGORY_CIPHER, hence it is 2677 * guaranteed to not be a valid PSA algorithm identifier. 2678 */ 2679 #define MBEDTLS_SSL_NULL_CIPHER 0x04000000 2680 2681 /** 2682 * \brief Translate mbedtls cipher type/taglen pair to psa: 2683 * algorithm, key type and key size. 2684 * 2685 * \param mbedtls_cipher_type [in] given mbedtls cipher type 2686 * \param taglen [in] given tag length 2687 * 0 - default tag length 2688 * \param alg [out] corresponding PSA alg 2689 * There is no corresponding PSA 2690 * alg for MBEDTLS_CIPHER_NULL, so 2691 * in this case MBEDTLS_SSL_NULL_CIPHER 2692 * is returned via this parameter 2693 * \param key_type [out] corresponding PSA key type 2694 * \param key_size [out] corresponding PSA key size 2695 * 2696 * \return PSA_SUCCESS on success or PSA_ERROR_NOT_SUPPORTED if 2697 * conversion is not supported. 2698 */ 2699 psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type, 2700 size_t taglen, 2701 psa_algorithm_t *alg, 2702 psa_key_type_t *key_type, 2703 size_t *key_size); 2704 2705 #if !defined(MBEDTLS_DEPRECATED_REMOVED) 2706 /** 2707 * \brief Convert given PSA status to mbedtls error code. 2708 * 2709 * \param status [in] given PSA status 2710 * 2711 * \return corresponding mbedtls error code 2712 */ 2713 static inline MBEDTLS_DEPRECATED int psa_ssl_status_to_mbedtls(psa_status_t status) 2714 { 2715 switch (status) { 2716 case PSA_SUCCESS: 2717 return 0; 2718 case PSA_ERROR_INSUFFICIENT_MEMORY: 2719 return MBEDTLS_ERR_SSL_ALLOC_FAILED; 2720 case PSA_ERROR_NOT_SUPPORTED: 2721 return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; 2722 case PSA_ERROR_INVALID_SIGNATURE: 2723 return MBEDTLS_ERR_SSL_INVALID_MAC; 2724 case PSA_ERROR_INVALID_ARGUMENT: 2725 return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; 2726 case PSA_ERROR_BAD_STATE: 2727 return MBEDTLS_ERR_SSL_INTERNAL_ERROR; 2728 case PSA_ERROR_BUFFER_TOO_SMALL: 2729 return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL; 2730 default: 2731 return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED; 2732 } 2733 } 2734 #endif /* !MBEDTLS_DEPRECATED_REMOVED */ 2735 #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ 2736 2737 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ 2738 defined(MBEDTLS_USE_PSA_CRYPTO) 2739 2740 typedef enum { 2741 MBEDTLS_ECJPAKE_ROUND_ONE, 2742 MBEDTLS_ECJPAKE_ROUND_TWO 2743 } mbedtls_ecjpake_rounds_t; 2744 2745 /** 2746 * \brief Parse the provided input buffer for getting the first round 2747 * of key exchange. This code is common between server and client 2748 * 2749 * \param pake_ctx [in] the PAKE's operation/context structure 2750 * \param buf [in] input buffer to parse 2751 * \param len [in] length of the input buffer 2752 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or 2753 * MBEDTLS_ECJPAKE_ROUND_TWO 2754 * 2755 * \return 0 on success or a negative error code in case of failure 2756 */ 2757 int mbedtls_psa_ecjpake_read_round( 2758 psa_pake_operation_t *pake_ctx, 2759 const unsigned char *buf, 2760 size_t len, mbedtls_ecjpake_rounds_t round); 2761 2762 /** 2763 * \brief Write the first round of key exchange into the provided output 2764 * buffer. This code is common between server and client 2765 * 2766 * \param pake_ctx [in] the PAKE's operation/context structure 2767 * \param buf [out] the output buffer in which data will be written to 2768 * \param len [in] length of the output buffer 2769 * \param olen [out] the length of the data really written on the buffer 2770 * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or 2771 * MBEDTLS_ECJPAKE_ROUND_TWO 2772 * 2773 * \return 0 on success or a negative error code in case of failure 2774 */ 2775 int mbedtls_psa_ecjpake_write_round( 2776 psa_pake_operation_t *pake_ctx, 2777 unsigned char *buf, 2778 size_t len, size_t *olen, 2779 mbedtls_ecjpake_rounds_t round); 2780 2781 #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO 2782 2783 /** 2784 * \brief TLS record protection modes 2785 */ 2786 typedef enum { 2787 MBEDTLS_SSL_MODE_STREAM = 0, 2788 MBEDTLS_SSL_MODE_CBC, 2789 MBEDTLS_SSL_MODE_CBC_ETM, 2790 MBEDTLS_SSL_MODE_AEAD 2791 } mbedtls_ssl_mode_t; 2792 2793 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_transform( 2794 const mbedtls_ssl_transform *transform); 2795 2796 #if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM) 2797 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2798 int encrypt_then_mac, 2799 const mbedtls_ssl_ciphersuite_t *suite); 2800 #else 2801 mbedtls_ssl_mode_t mbedtls_ssl_get_mode_from_ciphersuite( 2802 const mbedtls_ssl_ciphersuite_t *suite); 2803 #endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM */ 2804 2805 #if defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_FFDH) 2806 2807 MBEDTLS_CHECK_RETURN_CRITICAL 2808 int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl, 2809 const unsigned char *buf, 2810 size_t buf_len); 2811 2812 #endif /* PSA_WANT_ALG_ECDH || PSA_WANT_ALG_FFDH */ 2813 2814 static inline int mbedtls_ssl_tls13_cipher_suite_is_offered( 2815 mbedtls_ssl_context *ssl, int cipher_suite) 2816 { 2817 const int *ciphersuite_list = ssl->conf->ciphersuite_list; 2818 2819 /* Check whether we have offered this ciphersuite */ 2820 for (size_t i = 0; ciphersuite_list[i] != 0; i++) { 2821 if (ciphersuite_list[i] == cipher_suite) { 2822 return 1; 2823 } 2824 } 2825 return 0; 2826 } 2827 2828 /** 2829 * \brief Validate cipher suite against config in SSL context. 2830 * 2831 * \param ssl SSL context 2832 * \param suite_info Cipher suite to validate 2833 * \param min_tls_version Minimal TLS version to accept a cipher suite 2834 * \param max_tls_version Maximal TLS version to accept a cipher suite 2835 * 2836 * \return 0 if valid, negative value otherwise. 2837 */ 2838 MBEDTLS_CHECK_RETURN_CRITICAL 2839 int mbedtls_ssl_validate_ciphersuite( 2840 const mbedtls_ssl_context *ssl, 2841 const mbedtls_ssl_ciphersuite_t *suite_info, 2842 mbedtls_ssl_protocol_version min_tls_version, 2843 mbedtls_ssl_protocol_version max_tls_version); 2844 2845 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2846 MBEDTLS_CHECK_RETURN_CRITICAL 2847 int mbedtls_ssl_parse_server_name_ext(mbedtls_ssl_context *ssl, 2848 const unsigned char *buf, 2849 const unsigned char *end); 2850 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 2851 2852 #if defined(MBEDTLS_SSL_RECORD_SIZE_LIMIT) 2853 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH (2) 2854 #define MBEDTLS_SSL_RECORD_SIZE_LIMIT_MIN (64) /* As defined in RFC 8449 */ 2855 2856 MBEDTLS_CHECK_RETURN_CRITICAL 2857 int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl, 2858 const unsigned char *buf, 2859 const unsigned char *end); 2860 2861 MBEDTLS_CHECK_RETURN_CRITICAL 2862 int mbedtls_ssl_tls13_write_record_size_limit_ext(mbedtls_ssl_context *ssl, 2863 unsigned char *buf, 2864 const unsigned char *end, 2865 size_t *out_len); 2866 #endif /* MBEDTLS_SSL_RECORD_SIZE_LIMIT */ 2867 2868 #if defined(MBEDTLS_SSL_ALPN) 2869 MBEDTLS_CHECK_RETURN_CRITICAL 2870 int mbedtls_ssl_parse_alpn_ext(mbedtls_ssl_context *ssl, 2871 const unsigned char *buf, 2872 const unsigned char *end); 2873 2874 2875 MBEDTLS_CHECK_RETURN_CRITICAL 2876 int mbedtls_ssl_write_alpn_ext(mbedtls_ssl_context *ssl, 2877 unsigned char *buf, 2878 unsigned char *end, 2879 size_t *out_len); 2880 #endif /* MBEDTLS_SSL_ALPN */ 2881 2882 #if defined(MBEDTLS_TEST_HOOKS) 2883 int mbedtls_ssl_check_dtls_clihlo_cookie( 2884 mbedtls_ssl_context *ssl, 2885 const unsigned char *cli_id, size_t cli_id_len, 2886 const unsigned char *in, size_t in_len, 2887 unsigned char *obuf, size_t buf_len, size_t *olen); 2888 #endif 2889 2890 #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED) 2891 /** 2892 * \brief Given an SSL context and its associated configuration, write the TLS 2893 * 1.3 specific Pre-Shared key extension. 2894 * 2895 * \param[in] ssl SSL context 2896 * \param[in] buf Base address of the buffer where to write the extension 2897 * \param[in] end End address of the buffer where to write the extension 2898 * \param[out] out_len Length in bytes of the Pre-Shared key extension: data 2899 * written into the buffer \p buf by this function plus 2900 * the length of the binders to be written. 2901 * \param[out] binders_len Length of the binders to be written at the end of 2902 * the extension. 2903 */ 2904 MBEDTLS_CHECK_RETURN_CRITICAL 2905 int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( 2906 mbedtls_ssl_context *ssl, 2907 unsigned char *buf, unsigned char *end, 2908 size_t *out_len, size_t *binders_len); 2909 2910 /** 2911 * \brief Given an SSL context and its associated configuration, write the TLS 2912 * 1.3 specific Pre-Shared key extension binders at the end of the 2913 * ClientHello. 2914 * 2915 * \param[in] ssl SSL context 2916 * \param[in] buf Base address of the buffer where to write the binders 2917 * \param[in] end End address of the buffer where to write the binders 2918 */ 2919 MBEDTLS_CHECK_RETURN_CRITICAL 2920 int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext( 2921 mbedtls_ssl_context *ssl, 2922 unsigned char *buf, unsigned char *end); 2923 #endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */ 2924 2925 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) 2926 /** Get the host name from the SSL context. 2927 * 2928 * \param[in] ssl SSL context 2929 * 2930 * \return The \p hostname pointer from the SSL context. 2931 * \c NULL if mbedtls_ssl_set_hostname() has never been called on 2932 * \p ssl or if it was last called with \p NULL. 2933 */ 2934 const char *mbedtls_ssl_get_hostname_pointer(const mbedtls_ssl_context *ssl); 2935 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ 2936 2937 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ 2938 defined(MBEDTLS_SSL_SESSION_TICKETS) && \ 2939 defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && \ 2940 defined(MBEDTLS_SSL_CLI_C) 2941 MBEDTLS_CHECK_RETURN_CRITICAL 2942 int mbedtls_ssl_session_set_hostname(mbedtls_ssl_session *session, 2943 const char *hostname); 2944 #endif 2945 2946 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_EARLY_DATA) && \ 2947 defined(MBEDTLS_SSL_ALPN) 2948 MBEDTLS_CHECK_RETURN_CRITICAL 2949 int mbedtls_ssl_session_set_ticket_alpn(mbedtls_ssl_session *session, 2950 const char *alpn); 2951 #endif 2952 2953 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && defined(MBEDTLS_SSL_SESSION_TICKETS) 2954 2955 #define MBEDTLS_SSL_TLS1_3_MAX_ALLOWED_TICKET_LIFETIME (604800) 2956 2957 static inline unsigned int mbedtls_ssl_tls13_session_get_ticket_flags( 2958 mbedtls_ssl_session *session, unsigned int flags) 2959 { 2960 return session->ticket_flags & 2961 (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 2962 } 2963 2964 /** 2965 * Check if at least one of the given flags is set in 2966 * the session ticket. See the definition of 2967 * `MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK` to get all 2968 * permitted flags. 2969 */ 2970 static inline int mbedtls_ssl_tls13_session_ticket_has_flags( 2971 mbedtls_ssl_session *session, unsigned int flags) 2972 { 2973 return mbedtls_ssl_tls13_session_get_ticket_flags(session, flags) != 0; 2974 } 2975 2976 static inline int mbedtls_ssl_tls13_session_ticket_allow_psk( 2977 mbedtls_ssl_session *session) 2978 { 2979 return mbedtls_ssl_tls13_session_ticket_has_flags( 2980 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_RESUMPTION); 2981 } 2982 2983 static inline int mbedtls_ssl_tls13_session_ticket_allow_psk_ephemeral( 2984 mbedtls_ssl_session *session) 2985 { 2986 return mbedtls_ssl_tls13_session_ticket_has_flags( 2987 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_PSK_EPHEMERAL_RESUMPTION); 2988 } 2989 2990 static inline unsigned int mbedtls_ssl_tls13_session_ticket_allow_early_data( 2991 mbedtls_ssl_session *session) 2992 { 2993 return mbedtls_ssl_tls13_session_ticket_has_flags( 2994 session, MBEDTLS_SSL_TLS1_3_TICKET_ALLOW_EARLY_DATA); 2995 } 2996 2997 static inline void mbedtls_ssl_tls13_session_set_ticket_flags( 2998 mbedtls_ssl_session *session, unsigned int flags) 2999 { 3000 session->ticket_flags |= (flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 3001 } 3002 3003 static inline void mbedtls_ssl_tls13_session_clear_ticket_flags( 3004 mbedtls_ssl_session *session, unsigned int flags) 3005 { 3006 session->ticket_flags &= ~(flags & MBEDTLS_SSL_TLS1_3_TICKET_FLAGS_MASK); 3007 } 3008 3009 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ 3010 3011 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C) 3012 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT 0 3013 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT 1 3014 3015 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK \ 3016 (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_BIT) 3017 #define MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK \ 3018 (1 << MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_BIT) 3019 3020 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) 3021 static inline int mbedtls_ssl_conf_get_session_tickets( 3022 const mbedtls_ssl_config *conf) 3023 { 3024 return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_2_MASK ? 3025 MBEDTLS_SSL_SESSION_TICKETS_ENABLED : 3026 MBEDTLS_SSL_SESSION_TICKETS_DISABLED; 3027 } 3028 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ 3029 3030 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) 3031 static inline int mbedtls_ssl_conf_is_signal_new_session_tickets_enabled( 3032 const mbedtls_ssl_config *conf) 3033 { 3034 return conf->session_tickets & MBEDTLS_SSL_SESSION_TICKETS_TLS1_3_MASK ? 3035 MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_ENABLED : 3036 MBEDTLS_SSL_TLS1_3_SIGNAL_NEW_SESSION_TICKETS_DISABLED; 3037 } 3038 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ 3039 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */ 3040 3041 #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) 3042 int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl); 3043 #endif 3044 3045 #if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) 3046 3047 /** Compute the HMAC of variable-length data with constant flow. 3048 * 3049 * This function computes the HMAC of the concatenation of \p add_data and \p 3050 * data, and does with a code flow and memory access pattern that does not 3051 * depend on \p data_len_secret, but only on \p min_data_len and \p 3052 * max_data_len. In particular, this function always reads exactly \p 3053 * max_data_len bytes from \p data. 3054 * 3055 * \param ctx The HMAC context. It must have keys configured 3056 * with mbedtls_md_hmac_starts() and use one of the 3057 * following hashes: SHA-384, SHA-256, SHA-1 or MD-5. 3058 * It is reset using mbedtls_md_hmac_reset() after 3059 * the computation is complete to prepare for the 3060 * next computation. 3061 * \param add_data The first part of the message whose HMAC is being 3062 * calculated. This must point to a readable buffer 3063 * of \p add_data_len bytes. 3064 * \param add_data_len The length of \p add_data in bytes. 3065 * \param data The buffer containing the second part of the 3066 * message. This must point to a readable buffer 3067 * of \p max_data_len bytes. 3068 * \param data_len_secret The length of the data to process in \p data. 3069 * This must be no less than \p min_data_len and no 3070 * greater than \p max_data_len. 3071 * \param min_data_len The minimal length of the second part of the 3072 * message, read from \p data. 3073 * \param max_data_len The maximal length of the second part of the 3074 * message, read from \p data. 3075 * \param output The HMAC will be written here. This must point to 3076 * a writable buffer of sufficient size to hold the 3077 * HMAC value. 3078 * 3079 * \retval 0 on success. 3080 * \retval #MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED 3081 * The hardware accelerator failed. 3082 */ 3083 #if defined(MBEDTLS_USE_PSA_CRYPTO) 3084 int mbedtls_ct_hmac(mbedtls_svc_key_id_t key, 3085 psa_algorithm_t mac_alg, 3086 const unsigned char *add_data, 3087 size_t add_data_len, 3088 const unsigned char *data, 3089 size_t data_len_secret, 3090 size_t min_data_len, 3091 size_t max_data_len, 3092 unsigned char *output); 3093 #else 3094 int mbedtls_ct_hmac(mbedtls_md_context_t *ctx, 3095 const unsigned char *add_data, 3096 size_t add_data_len, 3097 const unsigned char *data, 3098 size_t data_len_secret, 3099 size_t min_data_len, 3100 size_t max_data_len, 3101 unsigned char *output); 3102 #endif /* defined(MBEDTLS_USE_PSA_CRYPTO) */ 3103 #endif /* MBEDTLS_TEST_HOOKS && defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) */ 3104 3105 #endif /* ssl_misc.h */ 3106